
Comment Re:Is Haselton going to jail? (Score 1) 187

No. Sorry for the confusion. To clarify:

The "forgot your password" page only confirms that whatever information you have entered is valid information for that user. So if you enter your target's name and email address, it will confirm that there is a user on file with that name and email address -- but if you already had your target's name and email address, you knew that already.

However, the space of PINs is small enough that you can brute-force it, so when you try enough PINs, now you know that your target with that name is using that PIN. You as the attacker can't actually retrieve the account number, because it will get sent to the email address they already have on file for that user. But now you have their PIN (which quite likely is the same 4-digit PIN they use on other services that require one).

Comment Re:Is Haselton going to jail? (Score 1) 187

I'm not saying they should disable all automated methods to retrieve your account number, just the method that requires a PIN.

Remember, I said that the "Forgot your account number?" page lets you retrieve your account number if you enter your name along with any ONE of the following:
your e-mail address
your street address
your phone number
your PIN
your password
your "old MileagePlus number"

That means if you disable the ability to retrieve it using a PIN, the only people you're locking out are people who remember their PIN but have forgotten everything else on that list, i.e., almost nobody.

Comment Re:Birthday Attack (Score 1) 187

That's absolutely right, I mentioned this in the article (in the section starting with "However, if the attacker has a database of 1000 customer names...") but in the context of using it on PINs instead of passwords.

Basically, if they allow really weak passwords, then any attack that works on PINs will work on passwords. (Well, almost -- even if they allow weak passwords, at least they can't force everyone to have a weak password -- they do however force all new users to choose a 4-digit PIN.)
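The two guessing patterns described in the comments above (trying many PINs against one name, and the "database of 1000 customer names" variant where a few PINs are tried against many names) leave different footprints in a recovery endpoint's audit log. The following is an added example, not code from this thread or from the airline's site, showing how a defender would flag both patterns from log lines; the log format, field names, source addresses, customer names and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit log for a "forgot your account number" endpoint
# (not real data). Each line records the source address, the name entered,
# which recovery factor was tried, and whether the server accepted it.
_VERTICAL_SRC = "203.0.113.5"      # one name, many PINs (walks the 10,000-PIN space)
_HORIZONTAL_SRC = "198.51.100.9"   # many names, one PIN each (the 1000-names variant)
_BENIGN_SRC = "192.0.2.77"         # a user who mistypes once, then succeeds

SAMPLE_LOG = [
    f'2015-01-06T10:00:{i:02d}Z src={_VERTICAL_SRC} name="Alice Smith" factor=pin result=fail'
    for i in range(12)
] + [
    f'2015-01-06T10:01:{i:02d}Z src={_HORIZONTAL_SRC} name="Customer {i}" factor=pin result=fail'
    for i in range(6)
] + [
    f'2015-01-06T10:02:00Z src={_BENIGN_SRC} name="Bob Jones" factor=pin result=fail',
    f'2015-01-06T10:02:05Z src={_BENIGN_SRC} name="Bob Jones" factor=pin result=ok',
    f'2015-01-06T10:03:00Z src={_BENIGN_SRC} name="Bob Jones" factor=email result=ok',
]

# Assumed log line layout: "<ts> src=<ip> name="<name>" factor=<factor> result=<ok|fail>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) name="(?P<name>[^"]*)" '
    r'factor=(?P<factor>\w+) result=(?P<result>\w+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, vertical_threshold=10, horizontal_threshold=5):
    """Flag sources that guess PINs against the recovery endpoint.

    vertical:   one (source, name) pair with >= vertical_threshold failed PIN tries.
                A per-account lockout catches this on its own.
    horizontal: one source with failed PIN tries against >= horizontal_threshold
                distinct names. A per-account lockout never fires here, because
                each account sees only a handful of attempts; the counter has to
                be keyed on the source (or on the endpoint globally) instead.
    Returns {"vertical": {(src, name): fails}, "horizontal": {src: distinct_names}}.
    """
    fails_per_src_name = defaultdict(int)
    names_per_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Only failed PIN checks matter; email/address lookups confirm nothing new.
        if rec is None or rec["factor"] != "pin" or rec["result"] != "fail":
            continue
        fails_per_src_name[(rec["src"], rec["name"])] += 1
        names_per_src[rec["src"]].add(rec["name"])

    vertical = {key: n for key, n in fails_per_src_name.items() if n >= vertical_threshold}
    horizontal = {src: len(names) for src, names in names_per_src.items()
                  if len(names) >= horizontal_threshold}
    return {"vertical": vertical, "horizontal": horizontal}


def expected_pin_hits(accounts, tries_per_account, pin_space=10_000):
    """Expected number of PINs recovered when an attacker stays under a
    per-account lockout of `tries_per_account` but spreads the work over
    `accounts` names. Useful for sizing the source-keyed limit above."""
    return accounts * tries_per_account / pin_space


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for (src, name), n in report["vertical"].items():
        print(f"vertical guessing: {src} tried {n} PINs against {name!r}")
    for src, n in report["horizontal"].items():
        print(f"horizontal guessing: {src} tried PINs against {n} distinct names")
    print("expected hits, 1000 names x 5 tries each:", expected_pin_hits(1000, 5))
```

The benign source never appears in the report: a single mistyped PIN followed by a success is normal recovery traffic. The two thresholds are separate on purpose, since the horizontal pattern is invisible to any counter keyed only on the account, which is the same reason the comments above argue for removing the PIN as a recovery factor rather than just rate-limiting it per account.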

Comment Re:You forgot to mention one thing... (Score 1) 187

That's even worse, because that means they know about this gaping hole that lets you steal other users' 4-digit PINs, and they still haven't fixed it. (It should not take long to push an update to their site that removes the "PIN" option from the "forgot your account number" page -- and it should not negatively impact their users either, since you can still retrieve your account number if you enter your name along with your address, your email address, your phone number, or your password.)

Comment Re:Obvious (Score 1) 187

Had you read the article, you might have noticed that (1) they say, "We do not allow execution of brute-force attacks on other users", which all sane English-speakers would interpret to mean they allow brute-forcing your own account, and (2) they also list "brute-force attacks" on the list of things they will pay 250,000 air miles for.

Comment Re:Why Brute Force PIN? (Score 1) 187

That's correct, this attack doesn't let you reset a user's password. It only lets you find out their 4-digit PIN, which is (1) bad in and of itself, and (2) bad because the person probably uses the same 4-digit PIN for other services that require one.

By contrast, if you enter a known first-name/last-name/phone-number combination, all the site does is tell you that's a valid combination -- but you already knew that before you entered it, so there's no attack there.

Thank you however for posting a non-deranged comment!

Comment Re:TOTALLY fair use (Score 1) 255

My point is that any time you create an original work using someone else's characters, you've already met 3 of the 4 criteria above, and if you make it free, then you've met all 4 criteria.

And yet, we do have the concept of character copyrights, which says that you cannot use someone else's copyright characters even for your own entirely original work.

So my point is that the very existence of character copyrights means that that reasoning cannot be entirely valid.

In particular, I would dispute your reasoning in this step: "How much of the original work does it copy? In this case, very little. Just the appearance of the characters. All the footage is original."

But the copyright that we're talking about is not a copyright on the original work, it's a copyright on the characters. And then the question becomes "How much of the original character did you use?" and the answer is, essentially, 100% -- because a character either makes an appearance in your story, or they don't. (Especially in this case where the whole short film is about these characters.)

Comment Re:What the hell is up with the bias? (Score 0) 255

It's an editorial, not a news article.

Regarding "not having a clear picture of what's going on" -- the opening paragraph links to the fan-made movie, and says that Vimeo took it down but Youtube left it up. If everybody else (including the people who vehemently disagreed with me) seems to have a clear picture of what's going on, perhaps the problem is with you?

Comment Re:TOTALLY fair use (Score 2, Insightful) 255

If this were the standard, then the concept of "copyrighted characters" would be meaningless, because anybody would be free to create new works of fiction using someone else's characters, as long as it was noncommercial and used no portion of the original work.

But, the general legal consensus seems to be that character copyrights are enforceable, i.e., you are not free to create works using someone else's characters even meeting criteria 1-4 above.
