>the attention paid to LulzSec — a litter of script kiddies with kindergarten knowledge of the basest forms of technological harassment since 90s AOL proggies — is disgusting. And pathetic. And dangerous.
Many of the things I've read in criticism of lulzsec are that the writer always considers themselves better, somehow above the techniques employed below themselves. They're writing lulzsec off like some snooty bank robber who prefers elaborate Ocean's Eleven style heists so much that they find the mere idea of breaking into an unlocked bank at night distasteful. They seem to gloss over the fact that lulzsec got results. Enough doors were unlocked at night that they caused a good shitstorm.
If you want to use them as a springboard for discussion on responsible disclosure, fine. Were they immature? Of course. Want to analyze what the coverage means for the current state of journalism, be it tech-specific or not, blog or real news outlet? Good, go do that. But what I am sick of seeing is the "Oh yeah, well, I could do that if I wanted to, I just don't want to." attitude. Fuck you buddy. What did you do to stop those widespread vulnerabilities from being exploited? Oh, nothing? So you're just miffed that the culture and collective ego you bought into was shaken? You deserve it.
I think the shouting in the wilderness is directed primarily at the amount of gee-whiz attention paid to lionizing LulzSec. That big brands are leaving their figurative safes unlocked would make an interesting and responsible story. Laughing along with them, the argument goes, drives them to greater risks. Don't doubt that we'll see some of the same reporters chortling at their arrests.
The story should be that what should be online bank vaults are actually protected like convenience stores, and who cares who's kicking over the apple cart?
>I worry that rapidly improving the web's ability to deploy applications will make it less suitable for reading and writing.
Will make it? It already has. The web as we know it is a fucking unfettered mess. We've just been jamming applications into a document format so hard for so long we're used to it. You are right though, it's going to get a lot worse.
We need a new platform. We're probably not going to get one, the "web" is just going to expand to engulf every bit of functionality a new platform would have, but bring along over two decades worth of evolutionary cruft. I've resolved to just stay out of the way, not fight the inevitable.
No, we have people like you to thank. Standing on the sidelines bitching about the bad things that will happen in reaction to lulzsec instead of even attempting to prevent the gov't from doing them.
I'd be down for that, it sounds like a fun project in an interesting domain and I was actually thinking about what building one would entail as I've been reading through the comments here.
Business processes. The code is dead simple. A few hundred lines of order matching. The real meat is handling all the business processes, clearing transfers, etc.
and finding a legally safe location to put a business like that.
Way to suck the fun out of it :) -- I know, I just think a bitcoin exchange is an interesting concept, the kind of thing I would enjoy knowing my code was running in and got a little caught up bikeshedding in my mind how I'd secure a target like that.
You know what's really fun? Chilling on a beach somewhere while girls in grass skirts bring you drinks with umbrellas in them.
For that I'll put my ego aside and do a few weeks of boring work. And yeah, I was fantasizing about neat-o technology problems too. I'd love to build an order matching system. Then I got to thinking about the market size, and taking a cut of each transaction.
That doesn't help anything other than dropbox's efforts to obtain new customers because they would be ill informed about the track record of the service.
>There is no way dropbox would be able to explain to them what happened without scaring them silly.
Opposed to who? People who do know what it means and should be scared silly but aren't because they've been beaten into submission by breach after breach after breach.
You're making the rather large assumption that this was a one time goof on the part of Dropbox.
IMO, this is reflective of a corporate culture that places testing and security on the back burner. And while some people may be OK sending their data to such a company, the rest of us might not be.
Last time the Dropbox security thing was in the news, regardless of your personal preference on what encryption keys dropbox should have been using, the issue and more importantly the way they handled it made me question their abilities. Then they sent a DMCA takedown notification to someone they were just trying to censor, and now they temporarily set their auth method to "allow any password".
They are showing us that they are technologically incompetent at managing their own systems. I don't know why anyone continues to do business with them for files they want any sort of privacy over.
I've moved to rsync.net. It's uglier, but at least they know what the fuck they're doing.
> I've moved to rsync.net. It's uglier, but at least they know what the fuck they're doing.
How do you know? Could it just be that the only reason Dropbox has publicized exploits and rsync.net doesn't is because Dropbox has many, many more users? And thus more people trying to exploit it and more publicity when an exploit is found?
Pubkey auth connecting to OpenSSH on FreeBSD to HIPAA-, PCI-, SOX- and SAS 70-compliant storage with a warrant canary, and you can give them a call to talk to the engineers (I have). Looking back, Dropbox feels like a fly-by-night in comparison.
> Then they sent a DMCA takedown notification to someone they were just trying to censor...
That's not true. They used an admin control to disable public sharing of a file in DropBox; this procedure apparently is typically used when DropBox receives a DMCA request and it had a side-effect of (mistakenly) notifying the file's owner that DropBox received a DMCA notification. See http://news.ycombinator.com/item?id=2483053. DropBox didn't send a DMCA takedown request to any service provider hosting the file.
Honestly the whole DMCA explanation from the executive team sounded like finding an explanation that fits. I hate that people read a comment like that then turn around and claim it to be the truth as you are doing.
You do not know what happened any more than the OP does so your usage of the word 'true' is weak at best. I'd be more okay with your comment if you had written "Drew explained" instead of "That's not true" as if you speak authoritatively.
I must remind you that the DMCA email did contain the name of the company who sent it (and it was "Dropbox", if I remember it correctly). I guess a Dropbox administrator had to type it by hand (I doubt they frequently send DMCAs from "Dropbox"), and it is hard to imagine that the UI was unclear on the purpose of that field.
This is completely unfair to Drew and also out of line.
We do know what happened, because Drew told us what happened.
Years ago, when my wife thought her MacBook was stolen, I emailed Drew and asked if he would notify us if it connected to Dropbox, and he was happy to help. This was back when Dropbox was small. (My account is number 315, for example.)
Drew is a good person, and unless you have some basis for calling him a liar, don't.
What is "out of line" is attacking me for operating on a default-untrusted policy instead of a default-trusted policy. We all don't share your happy Drew Houston story do we?
That is great that Drew helped you when the company was small. Facts are easy to distort when your company's reputation is getting flushed down the toilet and it is not a reflection upon Drew personally that I do not automatically trust him.
I tried believing in the best in people. It stopped working. Until shown otherwise I question every input and you would be stupid to do otherwise.
I can relate with "I tried believing in the best in people. It stopped working." I've had some nasty experiences as well. I've been burnt, badly, a lot. By both family and friends.
You're right. I was probably just clinging to the fantasy that YCombinator is the one pure group of people in a world of backstabbers. But I guess Airbnb already disproved that.
I don't distort facts. Neither did Feynman. Drew is an MIT alum, so I was assuming/hoping YCombinator consisted mostly of people with that type of scientific integrity.
I think there's a difference between deciding that you're skeptical, so that you're not going to act in a way that risks too much; versus publicly implying that it's actually a lie.
I know. I didn't bring that up to accuse them of malice as far the DMCA part, I brought that up as an example that dropbox employees don't understand what their own internal tools do.
I don't think that is as damning as you seem to. Once a company reaches more than a handful of people, knowing all the tools inside and out (especially in the divide between development and support, which this particular case highlighted) becomes impossible.
However, regardless of whether I feel like the previous event said anything about DropBox's development capabilities, I do feel like this event does.
I'm responsible for the authentication code for my company. I can't imagine having a default "YES" in any circumstance, and that DropBox did shakes my faith in them and their ability to protect my information significantly.
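As an added illustration of that "default YES" point (this is constructed example code, not Dropbox's or the commenter's): a fail-open password check beside its fail-closed form, using a hypothetical in-memory user store and a stand-in verifier that raises to mimic a bad deploy.

```python
import hashlib
import hmac

# Constructed demo credential store (hypothetical, not any real service's code):
# username -> (salt, PBKDF2-SHA256 hash of the password)
_SALT = b"constructed-demo-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


def verify_credentials(username: str, password: str) -> bool:
    """Working verifier: constant-time compare against the stored hash."""
    record = USERS.get(username)
    if record is None:
        _hash(password, _SALT)          # burn the same time for unknown users
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


def broken_verifier(username: str, password: str) -> bool:
    """Stand-in for a bad deploy: the verifier itself blows up."""
    raise RuntimeError("hash backend misconfigured")


def check_password_fail_open(username, password, verifier=verify_credentials):
    """Anti-pattern: the decision starts at 'allow' and only a code path that
    actually runs can flip it. Any error inside the verifier leaves it True."""
    allowed = True
    try:
        if not verifier(username, password):
            allowed = False
    except Exception:
        pass                            # swallowed: the default stays 'allow'
    return allowed


def check_password_fail_closed(username, password, verifier=verify_credentials):
    """Default deny: the only route to True is a verifier that returned True."""
    try:
        return verifier(username, password) is True
    except Exception:
        return False                    # broken verifier -> nobody gets in
```

With the working verifier both functions agree; swap in the broken one and only the fail-open version starts accepting any password, which is the failure mode the comment is reacting to.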
I'd suspect that rsync's security advantage is more related to their obscurity than their superiority. My personal site has not been compromised by LulzSec or Anonymous, for instance, but that's simply because I haven't attracted the attention. I'm sure my Wordpress, FTP or hosting passwords could be discovered by some attack.
If it's online, it's not safe, period. No combination of encryption, or BSD*, or any operating system will make it safe. Why? Human error.
Brain surgeons make mistakes, people die. Pilots make mistakes, people die. _Everyone_ makes mistakes. There is not one single person on this planet who is perfect, human error, this includes the employees of rsync.net, or any other company for that matter.
Today it happened to dropbox, tomorrow it happens to Visa, Bank of America, Amazon, rsync.net, <insert X company here>
It's just life, learn to deal with it. If you have seriously confidential stuff, you're probably intelligent enough not to "upload" it anywhere, much less some file service with millions of users.
The more users the more exposed it is, human error. No encryption or system will ever protect against it, at least until we have true AI, and yes you also make mistakes, no matter how stupidly simple or complicated they are, nevertheless you do.
And dropbox, don't get a sad face because of this, just look at Sony or whatever, then smile.