miw-sec-work's comments

This doesn't make sense -- from Feb 11th 2014 eBay will be allowing Virtual Currency to be sold in its own category.

This is eBay policy, so PayPal will have to fall in line.


FYI - there are categories on eBay which have a format (Classifieds) whereby the transaction is to be handled offline: http://pages.ebay.com/help/sell/formats.html#classified

An example use-case is the Real Estate category.


If this isn't a good enough reason to GET THE HELL OFF FACEBOOK then you won't be convinced otherwise.

GET THE HELL OFF FACEBOOK!


Or simply change your habits online. There's absolutely no need to have "I like to get drunk and party" on your Facebook page if you're worried that people will see that.


Well put CC


weev still thinks that AT&T 'published' this information. AT&T had no intention of 'publishing' this information; he abused their system in order to obtain it, then he leaked it.

No weev, you found a bug in their web app, then _YOU_ willfully published other people's personally identifying information for your own fame and glory. Unfortunately, someone whose name and details you leaked didn't like that, and called in a favor. The DoJ came after you hard.

Your little TechCrunch article chooses to omit crucial facts, and you are riding on the back of Aaron Swartz again. You are nothing like Aaron.


But they did publish it. Just because they didn't _intend_ to publish it doesn't mean it wasn't published.

Right now the URL I'm looking at has "id=5095821" in it. If I change that to "id=5095822", I'm looking at something else published by Hacker News. But by DoJ standards, I'm "hacking" and have broken the law if HN didn't deliberately publish it.

weev is an ass. But he didn't hack anything.

These cases are trying to set a standard of "security by intent". There is no such thing. It's like my internet banking saying "To access your bank account, please type in your account number. Be careful to get it right or you'll be looking at someone else's account."
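The "security by intent" pattern this comment describes is what application security people call a missing object-level authorization check. The following Go program is an added example, not code from any commenter: it contrasts a lookup that trusts a guessable id with one that checks ownership on every access, and then replays constructed access-log entries to count per-caller denials, which is the signal a detection rule for id enumeration would alert on. The account store, the callers "alice" and "bob", and the log entries are all constructed for the example; the ids echo the HN URL quoted in the thread.

```go
package main

import (
	"errors"
	"fmt"
)

// Account is a constructed record standing in for a database row.
type Account struct{ Owner, Email string }
// ErrForbidden is returned for any id the caller does not own.
var ErrForbidden = errors.New("forbidden")
// store is constructed sample data; the ids echo the HN URL quoted in the thread.
var store = map[int]Account{
	5095821: {"alice", "alice@example.com"},
	5095822: {"bob", "bob@example.com"},
}

// lookupUnchecked is the "security by intent" anti-pattern: a valid id is
// treated as proof of authorization, so an id=N+1 guess returns someone else.
func lookupUnchecked(id int) (Account, bool) {
	acct, ok := store[id]
	return acct, ok
}

// lookupChecked enforces ownership on every access; missing and foreign ids
// get the same error, so the endpoint does not confirm which ids exist.
func lookupChecked(caller string, id int) (Account, error) {
	if acct, ok := store[id]; ok && acct.Owner == caller {
		return acct, nil
	}
	return Account{}, ErrForbidden
}

// request is one (authenticated caller, requested id) pair from an access log.
type request struct{ Caller string; ID int }
// countDenials replays the log through lookupChecked and tallies ErrForbidden
// per caller; one caller piling up denials across ids is the detection signal.
func countDenials(reqs []request) map[string]int {
	denials := map[string]int{}
	for _, r := range reqs {
		if _, err := lookupChecked(r.Caller, r.ID); errors.Is(err, ErrForbidden) {
			denials[r.Caller]++
		}
	}
	return denials
}

func main() {
	leaked, _ := lookupUnchecked(5095822) // any caller gets bob's record
	probe := []request{{"alice", 5095821}, {"alice", 5095822}, {"alice", 5095823}}
	fmt.Println("unchecked leak:", leaked.Email, "| denials:", countDenials(probe))
}
```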


Another fairly common example is with Facebook where you can access profiles with names, like facebook.com/lessnonymous.1 . I got fairly tempted to check other people in the world with the same name as I have so I incremented the number myself. I am not sure that Facebook intended their website to be used that way.


He certainly hacked it - but that's not necessarily pejorative. Your average individual couldn't just try entering the number into AT&T - weev had to spoof the user agent and make some intelligent guesses as to what valid CCIDs would be.

It's not the world's greatest hack, but it certainly was using the system in a manner that I'm certain AT&T did not intend. The IRC logs indicated that they knew what they were doing was likely criminal, and if AT&T discovered them, would "sue" them.

Whereas I'm guessing PG would be fine with you incrementing the number on the HN URL. And I'm pretty certain that's not criminal behavior.

It's important to note that just because weev was hacking the AT&T site didn't mean it was a criminal hack. In my mind it barely crosses the line - and he gets punished somewhat, but I'm thinking a week in jail and 30 days community service - not the silly levels that the feds are going to in this case.


So what you are saying is that AT&T could have made a webpage with all user data in plain text, and just written at the top in capital letters: "YOU ARE ONLY INTENDED TO LOOK AT YOUR OWN DATA, DISREGARD EVERYTHING ELSE" and it would be magically ok, because you know, if you look at other people's data then you are not using the webpage as it was intended to? Because this is basically what they did. Yes, an average American individual would not know how to change the URL, but that does not mean that the data was secure. And AT&T has every legal obligation to keep their customer data secure.


I'm not saying AT&T was in the clear. Obviously just requiring a reasonably easy to guess number to secure an email address is amateur hour. But, at the same time, just because web security is easy to break into doesn't give people free rein to go traipsing through and pull out what they can.

Keep in mind - 99% of the population wouldn't have been able to figure out how to spoof the user-agent to get into the AT&T site, and most of those that could, wouldn't have gone beyond extracting a couple IDs, and then notifying AT&T.

Weev's sin (if not felony behavior) was extracting 100,000+ personal email addresses, and then exposing them for the sheer purpose of embarrassing people he despised. Do I believe he engaged in illegal behavior? Yes. Do I believe it merits years in jail? No.

With regards to legal obligations - in California, the closest I can find is Bus. & Prof. Code §§ 22575-22578 [1]. It is a requirement for sites collecting personal information to "conspicuously post its privacy policy on its Web site".

I can't find any laws in California that require the securing of this information beyond that, though.

[1] http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc...


More to it than that...

Let's say you exploit that bug in the internet banking application and you access my account.

Then you start logging into other people's accounts and copying their address, balance, transaction lists.

Then you publish all this information you have stolen and say "Oh, don't use internet banking -- they don't protect your private information."

The bank should have done better to protect that information, granted, but you have also performed an unethical and criminal act by publishing this information.

Both the bank and the person that leaked that information should be punished.


I think the semantics of the method by which weev retrieved this data are far overruled by the fact he LEAKED it afterward.

Real people were hurt here by having their PII exposed. Don't forget that.


The problem with your argument is that he did not leak it afterward. None of this info was ever public. He demonstrated it to the media and then deleted it. I suggest you look into the case.


Okay, when I find a bug in your web app I will publish it anonymously, widely and embarrassingly for you.

That's because you didn't want to be friendly. You wanted to be hard. You wanted DoJ. Now you will be forced to want a class action suit from your customers and bankruptcy.


Responsible disclosure to the vendor is one thing. Taking the fruits of your exploits and publishing it for glory and an "I leaked all that information because you wouldn't fix it" attitude is quite another.

I would hope that if you discovered a vulnerability in one of my web applications you would contact me first and allow it to be resolved. Might even be lucrative for you.

If you used that vulnerability to steal my database and publish it to the public domain -- when it has no place in the public domain, I would expect the DoJ to hunt you down.

I never said anything about not being friendly. But if you are playing with people's identities, their lives, this is not friendly at all.


As we saw from many, many articles, vendor disclosure often ends with threats, intimidation, your business interaction with them being canceled, and forcing you to sign an NDA on hostile terms.

Once you have contacted the vendor it's not safe to go the pastebin route. So it becomes an unfeasible solution.

On the other hand, try to "hunt down" a pastebin post original author. It would be the last of your worries.


Also, "Aaron's law" was raised 1 year ago by the same Congressperson under a different name.

This is nothing but personal political quests using our martyr for justification. I'm insulted.


If she hadn't, would the complaint be, "why didn't anyone propose this change early enough to actually help?"

I suppose one could focus on retribution for this particular event, or recognize that the CFAA allows for many other unknown people to spend lengthy jail sentences with few people caring about them.

If the legislation is flawed, it should be changed, so that even people without celebrity are protected. Prosecutorial discretion has its place, but the idea of prosecutors selectively applying laws that are on the books with considerations about how popular suspects are is a poor model for a legal system.


It usually takes a tragedy to actually accomplish anything in government (occasionally just a wildly outlandish remark, but I digress).

Progress is still progress, even if the event that got the ball rolling should have never happened.

Also, "our martyr"? Now I'm insulted.


A better Aaron's law would be to force publicly funded research to be released freely and under a Creative Commons license. They did this in the EU, why not the US?

Weakening the Computer Fraud laws, and naming it after Aaron, trivializes his quest for the free flow of information.

Of course this won't happen -- too much money tied up in selling research.


I have the same idea about open source software in governments. If it uses taxpayers money, then it should be open source, wherever possible (so in most cases). Taxpayers' money shouldn't be used to fatten corporations, if it can be avoided. And by that I don't necessarily mean that government software should be written by volunteers, but if they're paying them to write software, then that software should be made open source later. And they can keep paying companies for maintenance and upgrading it if they want. But at least the software would be available to anyone to use and tinker with it.


The problem is that every project claims to be buying off the shelf software with some 'minor tweaks'. If it truly is off the shelf, and you're guaranteed that it will be your last sale because after that your work will be in the public domain, then you'd have to send the government one hell of a bill. Things like Windows, Office, ERP systems, BI and reporting systems, accounting and HR, logistics... it's more tax effective to buy them as a normal customer.


I asked before and was told that code written by the government is available by request due to the FOIA, no state secrets mind you, but it might be true of (a significant portion of) code written by contractors as well.


Does that really matter? The NSA faced scrutiny for writing its own software when commercial solutions were on the market. The US government contracts out almost all its software needs below the state secrets level anyway.


If you are forced to pay for it, you should be allowed to read it. Better not to be forced in the first place, of course.


Yes, we must keep fighting for open access.


Graphical 'signatures' cannot be legally binding as they are trivial to forge.

I also don't understand this retrograde step. I will repeat it. It is trivial to COPY and FORGE a graphical signature! And from a cloud provider??

What about S/MIME and PGP? These are cryptographically strong, essentially unforgeable signatures that capture time and can ONLY be signed by the party that holds the private key. That is what I would want from a 'signing' provider.

I used to love the FireGPG plugin for Firefox to "do this on gmail from Firefox", however the JavaScript model in Firefox meant that this plugin needed to be discontinued. (It could lead to private key disclosure).

Also S/MIME and PGP are open, free standards that totally make 'graphical' signatures ancient exploitable technology.
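The property this comment is after, a signature that only the private-key holder can produce and that binds both the document and the signing time, can be shown with a stdlib digital signature scheme. The Go program below is an added example, not the commenter's code and not S/MIME or PGP themselves: it uses Ed25519 from Go's standard library, and the "timestamp prefix + document" message layout, the sample document and the timestamp value are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// signedBytes is a constructed layout for this example: an 8-byte big-endian
// Unix time followed by the document, so one signature covers content and time.
func signedBytes(doc []byte, unixTime int64) []byte {
	buf := make([]byte, 8, 8+len(doc))
	binary.BigEndian.PutUint64(buf, uint64(unixTime))
	return append(buf, doc...)
}

// signDocument produces a signature that only the private-key holder can create.
func signDocument(priv ed25519.PrivateKey, doc []byte, unixTime int64) []byte {
	return ed25519.Sign(priv, signedBytes(doc, unixTime))
}

// verifyDocument checks a signature with the public key alone; any change to
// the document or the timestamp, or a signature from another key, fails.
func verifyDocument(pub ed25519.PublicKey, doc []byte, unixTime int64, sig []byte) bool {
	return ed25519.Verify(pub, signedBytes(doc, unixTime), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := []byte("I agree to the terms.") // constructed sample document
	var when int64 = 1359676800            // constructed signing time
	sig := signDocument(priv, doc, when)
	fmt.Println("genuine:", verifyDocument(pub, doc, when, sig))
	fmt.Println("altered text:", verifyDocument(pub, []byte("I agree to the terms!"), when, sig))
	fmt.Println("altered time:", verifyDocument(pub, doc, when+1, sig))
	// Someone with only the public key, or their own key pair, cannot sign for pub.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other key:", verifyDocument(pub, doc, when, signDocument(otherPriv, doc, when)))
}
```

Contrast this with a scanned image of a handwritten signature, which carries no secret at all: copying the pixels reproduces it exactly, and nothing binds it to the document it sits on.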

