from the drag-out-the-causation-correlator dept.
Pickens writes "Jacques Steinberg writes in the NY Times that the sluggish economy and rising costs of college have only intensified questions about whether expensive, prestigious colleges make any difference. Researchers say that alumni of the most selective colleges earn, on average, 40 percent more a year than those who graduated from the least selective public universities, as calculated 10 years after they graduated from and found that 'attendance at an elite private college significantly increases the probability of attending graduate school, and more specifically graduate school at a major research university.' But other researchers say the extent to which one takes advantage of the educational offerings of an institution may be more important, in the long run, than how prominently and proudly that institution's name is being displayed on the back windows of cars in the nation's wealthiest enclaves."
UnmaskParasites writes: "I'm an independent security researcher. Every time I investigate hacker attacks, I see thousands of compromised websites. While I can't contact every single site owner and tell them about the problem, I usually try to let the owners of larger sites (their problems affect more people) know that they have security issues. I send them brief descriptions of the problems via email or their contact forms. Unfortunately, the prevailing reaction is a lack of any response (and websites remain hacked). I have slightly better results when I publish attack reviews on my blog and then refer to the blog posts when I contact owners of compromised sites. However, the success rate is still below 20%, which makes me think that security is not a priority for site owners and I'm wasting my time trying to help them.
Here is a rather amusing (and at the same time sad) illustration of the issue. The site of the Software & Information Industry Association (SIIA) offers up to $1 million for piracy reports. This site is hacked. Most of its pages contain cloaked spam links that promote online stores that sell pirated software. I emailed them and described the problem. I created a blog post with screenshots illustrating the problem and referred to it in my report. SIIA didn't bother to respond, and one week later their site still promotes pirates (they are probably too busy fighting with other pirates?).
I need your advice. What is the most effective way to inform site owners about security problems and have them resolve the issues?
* Should I go on trying to contact owners of compromised sites?
* Should I just report the sites? E.g. report them to Google as malicious or spammy, and let Google punish them (blacklist or remove from search index). I still prefer to give site owners a chance though.
* Should I try to give them some "bad publicity" if they fail to respond to friendly notifications? Is it acceptable? (I wonder if SIIA will clean up their site if this question is published on Slashdot?)
* Should I just ignore them (since it's not my own problem) and hope that they'll eventually resolve issues?
* What else can you suggest?"