> we need strong legal protections for white-hat and even grey-hat security researchers or hackers.
I have a radical idea which goes even further: we should have legally mandated bug bounties. A law which says that if someone makes a proper disclosure of an actual exploitable security problem, then your company has to pay out. Ideally we could scale the payout based on the importance of the infrastructure in question. Vulnerabilities with little lasting consequence would pay little. Serious vulnerabilities with the potential for society-wide physical harm could pay out a few percent of the yearly revenue of the given company. For example, hacking the high score in a game would pay only a little, while a vulnerability which can collapse the electric grid or remotely command a car would pay a king's ransom. Enough to incentivise a cottage industry to find problems, hopefully resulting in a situation where the companies in question find it more profitable to find and fix the problems themselves.
I'm sure there is potential for a lot of unintended consequences. For example, I'm not sure how we could handle insider threats. On one hand, insider threats are real and companies should be protecting against them as best they can. On the other hand, it would be perverse to force companies to pay developers for vulnerabilities the developers themselves intentionally created.
> so obviously Qualcomm that it seems silly for the article to call it “company 2”
Redactions / aliases are sometimes quite transparent. When policy dictates that it must happen, they do it even when it is not hard to puzzle out who the redaction / alias hides.
There is the famous interview where the NTSB was interviewing an expert in relation to the OceanGate tragedy. The expert's name was redacted, but he was described as "Co-Designer / Pilot of the Deepsea Challenger", which is already quite a specific thing. Not a lot of people can claim that. And then the interview started like this:
Q: So how did you get yourself started into submersible operations?
<redacted>: Well, I'm sure you are familiar with my film Titanic.
I'm leaving the solution as an exercise for the reader. But it is a real world "Lisa S. No, that's too obvious. Uh, let's say L. Simpson." situation.
> the loyalty an American will have for this or that foreign adversary will trend to 0
Yeah. National loyalty is not the only motivating force behind why someone would leak something. The common reasons why someone becomes an insider threat are MICE: Money, Ideology, Compromise, and Ego. It is not specific to immigrants.
> Imagine if this anonymous person worked with a foundation pledging to match $3.5M if said amount was raised via crowdfund.
Idk man. Thing is, where I live we are already crowdfunding to maintain our pipes. It is called local taxes and water utility bills. So if anyone were to ask me for more money for the same task I'm already paying not insubstantial sums for, I would be very cross with them. It is just not a good look.
Now I don't know about Japan. Maybe they don't pay taxes and utility bills. Somehow I doubt it, but who knows.
Yeah. It has a very strong "and then everyone clapped" vibe to it.
But even if the teacher "grew very quiet", in actual fact there can be many reasons behind that. The story as told tries to imply that they realised they were somehow wrong for doing these presentations. It is also possible that they went quiet because they realised there is no point in asking whatever they wanted to ask under such a hostile interrogation.
It is also lovely to note that the supposed interaction happened with "someone who gave a presentation at an education conference". I guess that someone must have been born with the skills to present, because they (according to the story) think very lowly of the idea of practicing it.
Collecting information, organising it into an easy to understand format and then presenting that information to others is a very common task in real life. There are whole very well paid and respected professions whose job is mainly doing that (lawyers, teachers, TV presenters, etc.). It is also a crucial element in many other jobs where it is not thought of as the main part of the job itself. Doesn't matter how good of an engineer you are if you can't convince others to give you the resources for your excellent plans. Doesn't matter how good of a scientist you are if you can't tell others your results. Doesn't matter how visionary a business leader you are if you can't convince others to give you money for your businesses.
I'm not saying it is the only useful skill. There are many others. But it is certainly part of the toolkit of a well-rounded and skilled human. I'm curious how you concluded that practicing it is "obviously worthless".
> What stops ExampleCo from asking for a receipt and limiting replacements only to legitimate channels?
They can. Doesn't help with the reputational damage though. People who think they bought ExampleCo jeans will still think that the company's quality has slipped. They will still tell all their friends that the "new jeans made by ExampleCo are not like they used to be". Not all of them all the time, but some of them some of the time.
> why is ExampleCo directly dealing with the consumer, and not Macys or Goodwill?
> Would you want her charged if she didn't even know?
Yes. She is responsible for making sure her children are safe and well taken care of. I say this morally, not as a legal fact. She should know what they are up to, and she should notice if any of them are regularly abused over an interval of years.
Bringing the full weight of the legal system down on all parents whose children were harmed by third parties, regardless of whether the parents even knew anything about it, is monstrous cruelty.
Pray tell, where did I say that all parents whose children were harmed by a third party should be responsible? I'm specifically talking about this case.
Unpredictable random acts of violence happen. It would be lunacy to punish the parents for that. On the other end of the scale, here we are talking about abuse ongoing for years, by someone whom the mother brought into the child's life. Somewhere between those two ends of the scale I run out of sympathy for the excuse of "she didn't know". Where exactly the boundary is I don't know. What I know is that in the scenario described in the article I strongly believe we are in "she should have known" territory.
Think it through. Do you think that the kid who was praying for someone to come help her, and about whom the law enforcement officers were sufficiently concerned that they started learning brick manufacturing, do you think that kid was not at least a little bit off? You know, just enough for their mum to become concerned and start looking for an explanation?
You call what I say monstrous cruelty. I'll tell you what I think is monstrous cruelty: no kid, ever, in the history of humankind has ever had the opportunity to consent to being born. Giving life to a kid is a choice. Especially in this day and age. By choosing to father a kid or give birth to a kid, one becomes responsible for the wellbeing of said kid. How far and how deep that responsibility goes can be debated. I strongly believe that the parents (both the mom and the dad) are responsible for who they bring into their young kid's life. They are responsible for knowing what is going on with the kid. (Not necessarily every step and every breath of the kid, but you know, the large stuff, like for example whether they are being sexually abused.) The parents are also responsible for having a relationship with their kids where their kids would confide in them if something goes terribly wrong. So the kid would go ask them for help, before praying for some help coming from who knows where. These are basics. And these are separate but interlacing failures on the part of the mother. And that is why I think what she did (or didn't do) is monstrously cruel.
I'm reminded of Gene Weingarten's 2010 Pulitzer Prize winning article, Fatal Distraction, on parents whose children have died from hyperthermia after being left in cars[1].
Similar to this case, some people believe that such parents should be criminally liable, and that there cannot possibly be any extenuating circumstances — despite the correlation between the rise of back-seat children's car-seat laws and the prevalence of such deaths.
> Think it through.
I have. The article provides very little to go on, and it is not hard to imagine that an abuser who is clever enough to publish CSAM material online for years without getting caught is clever enough to keep the abuse hidden from the mother and manipulate a child into keeping their trauma secret.
> (Not necessarily every step and every breath of the kid, but you know the large stuff, like for example are they being sexually abused.)
There are vast numbers of parents who do not find out for years[2]:
> 73% of child victims do not tell anyone about the abuse for at least a year. 45% of victims do not tell anyone for at least 5 years. Some never disclose.
Given how often sexual abuse happens, we're talking about millions of parents. I do not believe that every last one of them is morally culpable because they did not "know the large stuff, like for example are [their children] being sexually abused" and that they should be criminally charged.
I mean, there is no official database of "boyfriends". Even after you have identified the girl and found the mom, how would you figure out if she has a boyfriend, and if so, who?
Remember that if you tip them off in any way, the abuser might escape and hide with the girl, or even worse, decide to get rid of the witness by murdering the girl. So you can't just do the easy thing and ask the mom nicely.