That's absolutely right, I mentioned this in the article (in the section starting with "However, if the attacker has a database of 1000 customer names...") but in the context of using it on PINs instead of passwords.

Basically, they allow really weak passwords, then any attack that works on PINs will work on passwords. (Well, almost -- even if they allow weak passwords, at least they can't force everyone to have a weak password -- they do however force all new users to choose a 4-digit PIN.)

Yes. But those were for mails being sent from the peacefire.org server itself. The emails I sent to United were sent through my Gmail account, through Google's SMTP servers, so those mails are less likely to be blocked.

That's even worse, because that means they know about this gaping hole that lets you steal other users' 4-digit PINs, and they still haven't fixed it. (It should not take long to push an update to their site that removes the "PIN" option from the "forgot your account number" page -- and it should not negatively impact their users either, since you can still retrieve your account number if you enter your name along with your address, your email address, your phone number, or your password.)

Had you read the article, you might have noticed that (1) they say, "We do not allow execution of brute-force attacks on other users", which all sane English-speakers would interpret to mean they allow brute-forcing your own account, and (2) they also list "brute-force attacks" on the list of things they will pay 250,000 air miles for.

That's right, since it said "we do not allow execution of brute-force attacks on other users"

Well of course you're right, it's not sophisticated. But I think the importance of finding and fixing a given hack should be based on the damage that it can do, not how sophisticated it is. Being able to get an arbitrary user's 4-digit PIN, is bad.

As I pointed out in the article, "Bruce-force attacks" is also listed under things that they will pay out up to 250,000 air miles for: http://peacefire.org/united-bo...

That's correct, this attack doesn't let you reset a user's password. It only lets you find out their 4-digit PIN, which is (1) bad in and of itself, and (2) bad because the person probably uses the same 4-digit PIN for other services that require one.

By contrast, if you enter a known first-name/last-name/phone-number combination, all the site does is tell you that's a valid combination -- but you already knew that before you entered it, so there's no attack there.

Thank you however for posting a non-deranged comment!

My point is that any time you create an original work using someone else's characters, you've already met 3 of the 4 criteria above, and if you make it free, then you've met all 4 criteria.

And yet, we do have the concept of character copyrights, which says that you cannot use someone else's copyright characters even for your own entirely original work.

So my point is that the very existence of character copyrights means that that reasoning cannot be entirely valid.

In particular, I would dispute your reasoning in this step: "How much of the original work does it copy? In this case, very little. Just the appearance of the characters. All the footage is original."

But the copyright that we're talking about is not a copyright on the original work, it's a copyright on the characters. And then the question becomes "How much of the original character did you use?" and the answer, is, essentially, 100% -- because a character either makes an appearance in your story, or they don't. (Especially in this case where the whole short film is about these characters.)

In the article, the words "characters themselves can be protected by copyright" are linked to this page, which is written by a lawyer:
http://www.ivanhoffman.com/cha...
Ergo, thank you for calling my post interesting.

It's an editorial, not a news article.

Regarding "not having a clear picture of what's going on" -- the opening paragraph links to the fan-made movie, and says that Vimeo took it down but Youtube left it up. If everybody else (including the people who vehemently disagreed with me) seems to have a clear picture of what's going on, perhaps the problem is with you?

If this were the standard, then the concept of "copyrighted characters" would be meaningless, because anybody would be free to create new works of fiction using someone else's characters, as long as it was noncommercial and used no portion of the original work.

But, the general legal consensus seems to be that character copyrights are enforceable, i.e., you are not free to create works using someone else's characters even meeting criteria 1-4 above.

The full quote was "people whose opinions I respect and who are experts in math and economics." Whether or not I respect their opinions, surely you don't think everyone on Slashdot is an expert in math and economics.

Well, what percent of sexually explicit pictures sent by text message, are still present on the recipient's phone the next day? Almost all of them.

What percent of sexually explicit pictures sent by snapchat, are still present on the recipient's phone the next day? Probably not the majority.

Snapchat is not perfect, it's just better. Seat belts don't prevent all injuries, but you wear them anyway, don't you?

Slashdot isn't the only place I share these arguments with people; I also share them with people whose opinions I respect and who are experts in math and economics, and their feedback tends to be much more positive than the commenters on Slashdot. So I assume the proportion of such people among Slashdot readers, is not zero. (Occasionally, there are comments and posts from people who did get the point of the article and argue it on its own terms, those posts just get drowned out by people saying that the article was too long.)