The complete leak was resulting from a chain of errors. WikiLeaks screwed up and published the entire blob where anyone could download it. Then the Guardian screwed up and published a book containing the password. Without WikiLeaks screwing up to begin with, the password disclosure by the Guardian would have been a non-incident.

Also, IMO, it really doesn't matter if he tried some mainstream outlets first, nor does it matter how WikiLeaks handled it. What matters is that the moment WikiLeaks became involved, any credibility went out the window, because they are the journalistic equivalent of a tabloid, at best. At that moment, everything became suspect—became tainted. He should have kept trying major news organizations until he found someone willing to break the story. Period.

... and it's typically reserved for egregious or malicious prosecution.

Like claiming copyright on public records. That's about as egregious as it gets.

If he'd been smart enough to send the war crime data, and ONLY that, to the Hague etc then he'd likely have fared better than by doing a bulk data dump which included so much material he couldn't have checked it all.

You're correct. He would have been caught after sending only the first handful of reports, and he probably would have been tried for only one count of espionage instead of six. And any actual crimes that folks might have uncovered in the rest of the material would never have been uncovered.

That's the problem. At a fundamental level, whistleblower protection must cover public disclosure, because (with the exception of a single isolated incident here and there) if the organization against whom the whistle is being blown were capable of policing itself, the blowing would not have been necessary in the first place; blowing the whistle to an internal auditor is pretty much guaranteed to be useless. And once you release something to the public, chances are, the government knows who you are. Therefore, you get one shot at releasing everything that needs to be released. Anyone suggesting that there's another way is really kidding himself or herself.

This is not to say that he couldn't potentially have tried to be more selective about it, but there's also a time factor involved. The longer it takes from when a crime occurs to when the public knows about it, the more likely it is that the perpetrator will get off because of statutes of limitations. Therefore, if the goal actually is ensuring that those crimes get prosecuted, the best hope is distributing the information broadly to a large group of people who can then divide and conquer. The press is remarkably good at that. The only question is whether they can be trusted to be responsible about what they disclose.

Now disclosing it to a site like Wikileaks... is a different story. His mistake was not what he disclosed, nor was his mistake disclosing it to the press. His mistake was disclosing it through a dubious organization that operates on the fringes of the law rather than going directly to a reporter at a major news organization.

With my cynic hat on, I think this might actually be good if you're a criminal. IIRC, the statute of limitations for some crimes doesn't begin ticking until someone could reasonably have discovered the crime. I could see someone arguing that the police should have been able to determine based on this evidence that the person committed a crime, and therefore the clock began ticking earlier....

Far worse than just that. The first time I read the headline (half asleep), I read it as "Florida Town Loses License Plate Camera Images For Ten Years". The data mining and privacy loss potential is enormous, so there could be an enormous reward for anyone willing to... how shall I put this... inadvertently misplace a hard drive containing that data.

Remember that the more valuable the data you store electronically, the more likely it is to be stolen and used by the bad guys. At some point the value is so great that more of the data is likely to be used by the bad guys than the good guys. This is true for pretty much any definition of good/bad guys. For example, if I were a crook who knew a crooked cop, this would be a goldmine of information. With this data, I could figure out with a reasonable degree of probability when any given family is unlikely to be home, and use that to my advantage when planning robberies to drastically reduce the amount of stake-out time needed while still minimizing my chances of getting caught. And by looking at the makes of cars, I could gain further insight into the likelihood of the house having valuables in it, allowing me to choose my next target more quickly. Heck, somebody really enterprising could turn it into a black-market data mining business for other robbers and make a small fortune in no time flat.

IMO, even if we completely ignore any risks posed by police abusing the data, the data theft risk alone from keeping this much personally identifiable tracking data on nearly every single person in the state of Florida for such a long period of time far outweighs any possible benefit it could have. Heck, the risk of keeping it for more than about a week far outweighs any practical benefit, statistically speaking. The risk of keeping it for ten years far exceeds the entire benefit of having a police force.

Unless someone who receives the source is allowed to redistribute that source, it does not qualify as an Open Source license. Open Source requires that the redistribution rights flow downstream.

Copyrighted music, unless explicitly licensed in such a way to allow further redistribution by anyone who receives a copy, is more of a "shared source" or "licensed source access" model, in which certain distributors are explicitly authorized by the copyright holder to redistribute it under certain terms, but in which that right is not conferred downstream. While this provides some of the same benefits, it does not meet the minimum criteria for being an Open Source license.

The distinction between Open Source and Free is that the latter is not allowed to be redistributed in closed (binary) form without making the source available. A non-free music license would allow you to use it, modify it, and distribute recordings (binary form) without providing sheet music. A free license would require you to provide the altered sheet music upon request.

I think the point is that encryption is useless against someone that can say, "give us the key or we'll dissappear you."

Not if you use encryption properly. Everyone who actually cares about privacy should have a CA cert. When someone asks for your public key, create a new PK pair for them on the spot and sign it with your CA cert. You now have a PK pair that you can use to communicate with them. Rotate this key frequently, and when you're done communicating with them, destroy the pair. Inform them ahead of time so that they don't send any communication with a no-longer-valid key.

With such a scheme, you should have no trouble proving that it is not possible for you to produce the key used to encrypt the communication.

Sorry but morales aside. Why not harvest organs like this that can't be harvested from volunteers (without them dying). Go China.

Why exclude Morales? I understand that she felt nothing.

Until a few hundred celebs' walls get spammed and they declare en masse that they're all moving to Google+, followed shortly thereafter by a fan exodus. Facebook might not take security seriously enough at times, but even they aren't clueless enough to think that they can ignore it entirely.

Sorry, but that's wrong. You are ignoring scalability.

In what way?

They simply do not have the time or manpower to respond to every last report of "I can haxxor" or "I was haxxored and they keep doing it".

The latter is almost invariably a problem with the user's computer, and even if it isn't, there's no possibility that the user has enough information to be helpful. However, Facebook should have the ability to flag what appears to be your own post when reporting a problem, and Facebook should at least take the time to determine whether the post occurred through password compromise, from a third-party FB app, or appears to have been actually posted by that user from a computer that had a valid cookie. Then, the system should send an automated message to the user indicating how he/she can protect him/herself from that attack in the future. This process could be entirely automated, giving the user the ability to follow up only in the case of a third-party FB app having made the post (which is likely a real security bug, or at best, an app developer violating the developer TOS).

Also, pay attention to the section which states that you are supposed to use a TEST ACCOUNT to reproduce the problem, not hack the Big Z's timeline.

Which he did, and they dismissed his bug report, so he took the only step that he thought could prove, in FB's eyes, that the flaw was legitimate.

What I find particularly interesting is how many ACs are defending Facebook in this. It almost makes me wonder if there's an astroturfing campaign going on, either officially or unofficially, by employees of either FB or a third-party firm hired to defend them. Just saying.

This bug wasn't a case of pretending to be somebody else, I don't think, but rather, a case of being able to post on a timeline where posting should not have been allowed—a permissions bug. But still, yes, they dropped the ball... into the Grand Canyon.

This. As soon as a bug bounty program is shown to not actually pay out when a real security flaw is found, it becomes a worthless program. From now on, instead of telling Facebook, the not-insignificant percentage of hackers for whom the bounty was the only reason to report it to FB will simply disclose the flaw immediately, resulting in a significant reduction in the site's security for everyone.

How can he have an IS degree if he can't even write a decent bug report?

Most universities (even in the U.S.) don't teach that skill. I'm not at all surprised. Even many fully employed software developers write terrible initial reports. My experience has been that on average, bug reports go back to the originator a couple of times just to collect the basics, and that's not including the number of times that the engineers bounce bugs back with suggestions like "Try [x] and see if that works" that are intended both to help the person get up and running and to determine the scope of the problem more fully.

Imagine you're Facebook and you're getting piles of "I can post on someone else's timeline!" Well, you can be 99.999% of those cases are probably one of user error - as in, the user reporting it could do it because the permissions said so.

Even if you're right, and 99% are bogus, there's no excuse for having a process where you choose "Not a bug" instead of "Need more information" with a request for steps to reproduce. That should be drilled into employees as the only valid response until they are relatively certain that the problem was user error. This culling was premature; you must assume that the bug *might* need investigation until it is clear that it does not. Anything less is negligence.

But the bigger problem is that there's no good way for Facebook to be certain that it wasn't user error unless the account is known (by Facebook) to have settings that should have prevented posting. That's what makes the CEO's page an obvious choice. IMO, there's also no excuse for a company the size of Facebook to not provide an account that is preconfigured to not allow posts so that if a researcher successfully posts on it, the subsequent security bug report has automatic credibility (and, hopefully, additional logging by Facebook's servers, immediate reaction from their security response team, etc.). Perhaps call the test account Zark Muckerberg.