My Data = My Property.
I posted a reply to a post by SirGeek.
Is the above sentence my data or yours?
I have only one FaceBook Account (that someone I deal w/ online almost forced me to get), and there, I entered a fake name and carry on my work.
I think the reason Google+ failed was - who needs another FaceBook? If one wanted FaceBook, one could always use the original & real one - why migrate to that? But you are right - trying to coax me to use Google+ from my real account was annoying. Also, if I do a Google search on my real name, I see pictures that I had uploaded into Picasa a while ago that I thought were private! So while I still have a gmail account, I use it only for mail, and absolutely nothing else. And it's one of several accounts that I use.
A person in the FCC with past in the industry can be biased in favor of their previous employers in some ways, and not so biased in others.
In other words: the bias can be unintentional or subconscious and systemic ---- For example, it can lead to certain ways of thinking about certain policies; However, in extreme situations, they will not overtly side with their past employer when it would be obviously to an unfair degree against the interests of those whom you are supposed to serve.
A good outcome out of a few policy definitions cannot definitely affect this for the positive.
It can be very easy to prove bias exists, if you have an extreme enough pattern.
Proving no bias or "fair treatment" not counting more than fair weight to the corporate position of previous employers, in policymaking consideration, would be extremely difficult (if not impossible) to ever establish.
So they're trying to protect the site's reputation AND their users' security.
Sure, they take the notification seriously and are patching by all apparent counts --- I'm not doubting that they are concerned about their site's security as well.
That doesn't fully speak to the purpose of the "responsible disclosure" policy, and why they've decided to smite the researcher, however.
Groupon doesn't fear bad PR. If it was afraid of bad press, it would have folded long ago.
Possibly they don't mind bad press, but I'll bet they mind press that says their site is insecure, or that if you do business with them, "Your identity/credit card number might get stolen".
That's probably why they got fussy and denied the researcher's bounty, when a note that an XSS bug (without substantive details) had been published.
Sounds like maybe the "responsible disclosure" policy was about protecting the site's reputation, not their users' security.
Can you explain why?
Because there are too few of them to pose a significant risk. There is an acceptable margin of non-vaccinated people.
And the number of people who are immunocompromised, or cannot have vaccination due to legitimate medical reasons is such a small number, that they fall within the margin of acceptable risk.
The number of people attempting to avoid vaccination for the sake of convenience, or based on unqualified hearsay or personal opinion, far exceeds the acceptable margin.
Therefore, yes, as a whole: this group of people is more infectious and a much more serious public health danger.
As a general rule, we actually have a pretty terrible success rate for people who walk in with post-grad degrees and not much other experience. The average age on our team is probably about 40, and I think about half come from CS backgrounds. I don't doubt that there are interviews out there that stray more towards demanding that somebody know exactly how to implement a quicksort, but I also think there's a tendency to classify any question that causes one problems during an interview as too computer sciency and not the part of programming that really matters. But we ask the questions we do because we think they tend to be good indicators of how well a candidate understands the ramifications of their code and can solve hard problems.
There's a lot to be said for what somebody can get out of years of experience, but given the choice between the inexperienced guy who has the capacity to solve the hard problems and the veteran of the industry that knows the tricks of the trade but will struggle on things that involve challenging algorithms, I'd take the inexperienced guy. If you give him a couple years to gather experience, he'll be able to do everything the mediocre veteran will and more. And as long as you have some veterans on the team and decent collaboration, they can cover any knowledge gaps he has in the meantime. Thus, my interview process is going to select largely for the former.
Of course that still requires me to hire or retain some veterans who can solve hard problems, but as long as you don't require them to quote from a CS textbook, they'll be able to navigate our interview process anyway. And given how hard it is to find good candidates if you're not one of the high profile tech companies, there's a decent chance you can't afford to wait to only hire candidates like that if you're looking to increase headcount.
They should disclose these vulnerabilities to build a safer Internet, not to line their pockets.
A safer internet doesn't put food on their table.
It's Groupon who is lining their pockets, when they could be building a safer internet by actually paying money for security. It's the reluctance of companies to take security seriously and spend time and money on it that leads to an unsafe internet.
And then we get dumb things like this "responsible disclosure program," which is really not about protecting users, but protecting Groupon's reputation. That is to say... it's a PR-protecting policy, not a policy for protecting users' safety. The unintentional disclosure they referenced regarding ONE of the 30 vulnerabilities didn't even reveal meaningful information about the vulnerability, therefore: Groupon was not concerned about exploit details being disclosed, but ONLY the fact that there was publicity being generated that said their site was insecure.
The researchers need the bounty proceeds to justify spending the time researching to discover them. It's the companies that are lining their pockets, by avoiding hiring people like these folks and other security professionals to do this ----- instead offering small bounties, only available if they DO discover something wrong after spending possibly thousands of hours beating around looking for something wrong.