fulldecent writes: Popular photo printing website Artisan State, which specializes in bound photo books mostly for wedding photos or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and things vendors should think about when considering security of seemingly private user content. The case study also discusses how this flaw was reported to the vendor, but unfortunately never fixed. This follows other articles on Slashdot discussing security disclosure. How do you report vulnerabilities to vendors? And do you support publishing them if they are not fixed in a reasonable time?
fulldecent writes: Technology online changes fast and large organizations often make poor implementations of this technology, leading to security vulnerabilities. Some of the failures are egregious, like websites that use a user ID in the URL to authenticate that user, and others take a little curiosity to find. Either way, they will be found. The people on Slashdot, I feel, are more likely to want to report this to the vendor and do these things for sport. Personally I take the smaller ones and mail a letter to the vendor and then post online in a few weeks. For bigger ones I wind up in high-pressure phone calls with "private public partnership" agencies, end up signing something unfavorable, and the resolution still feels bad.
So, who out there is responsibly disclosing vulnerabilities? Are you getting public credit? Are you involved in (and getting paid for?) a technical fix? Are you feeling good about the result? Do the rules still apply for state-protected industries like banks? And which lawyers provide advice to the finders, who are just normal people and don't have money and expertise dealing with lawyers?
fulldecent writes: The New Hampshire Supreme Court heard oral arguments Wednesday in a lawsuit that calls into question the legal protections available to independent Web sites that cover news.
The case involves mortgage lender Implode-Explode, a Las Vegas-based site launched in 2007 that publishes stories about the meltdown of the mortgage industry. The court did not make a final decision on the case Wednesday, but one of its options could be to send the case back to the lower court for further review and litigation on specific points of law.
fulldecent writes: A thin Canadian woman, who has made a career of renting out her body as a clothes horse for designer garments, has taken umbrage at an anonymous blogger's description of her as a skank, ho and whore.
fulldecent writes: "It is important to make sure your articles are reachable to non-technical audiences. This article uses a comic to demonstrate a simple HTTP interaction and why the technical details are important. The underlying post talks about TD Ameritrade and how they are selling users' financial information to News Corp via a cross-site image fetch."
fulldecent writes: "On June 11, 2007, Verizon Online will begin the trial of a new Advanced Web Search service designed to reduce the amount of dead-end, "no file exists" or similar error messages you see and to help you quickly find the destination web site you were seeking. If you type a nonexistent or unavailable URL (e.g., www.verizon.cmo), or enter a search term, into your browser address bar, Verizon may present you with an Advanced Web Search page containing suggested links based upon the query you entered. The Advanced Web Search page would be presented instead of your receiving an NXDOMAIN or similar error message. The Verizon Advanced Web Search page may impact applications that rely on an NXDOMAIN or similar error message and may override similar browser-based search results pages. If you would prefer not to receive Advanced Web Search pages from Verizon, you should follow the opt-out instructions that are available by clicking on the "About the Search Results Page" link on any Advanced Web Search page."