tetrad's comments

0.01 BTC is in fact a bitcent, and a Satoshi is much smaller (0.00000001 BTC)

https://en.bitcoin.it/wiki/FAQ#What_do_I_call_the_various_de...

It doesn't necessarily mean that they're storing it plaintext (ie it could simply be a front-end input validation). But in any case it doesn't inspire confidence that they're following best practices.

Their advice for diversifying your passwords is not very good. If you are using the same password stem with a suffix determined by the site name, as

"m1p.5AsGs9LXo_HN" for HackerNews "m1p.5AsGs9LXo_RandomForum" for some random forum "m1p.5AsGs9LXo_WF" for Wells Fargo

and the random forum's database gets popped, how secure do you think your Wells Fargo password "m1p.5AsGs9LXo_WF" is? Less than 12486848 years. That goes from the realm of password cracking to some guy typing out all the abbreviations he can think of for Reddit or Twitter.

In case you're wondering, Wells Fargo will not accept "m1p.5AsGs9LXo_WF" as a password - too long!

> Any designer would look at Flat UI and immediately realize that they drew inspiration from LayerVault. The similarities aren't minor, in either style, tone, or techniques.

What it boils down to is that there was no actual copyright infringement. If you look at the side-by-sides of the alleged infringement, it's kind of silly.

Even laying aside the heart of the issue, did they "rip off" the gear icon, the newspaper icon, or the chat icon? Did they "rip off" the general color scheme or look-and-feel? Or are those merely representative of a minimalist flat school of design which is currently in vogue?

How many freelance designers would you have to contract to make a "settings" icon, or an "interlocking gears" icon before you got back a (clean-room) design which looked even more like LV's than the one in question? Same goes for the newspaper and the chat icon. And is there any direct inspiration going on there (designer laying eyeballs on LV's design and then drawing ours a day or a month later) - probably not. And we could make the designs all clustered a lot tighter if we specifically asked for one that used very few high-contrast colors or a "flat" style.

If you then presented 10 of these farmed-out icon designs to a panel of designers, and told them that some of them had been ripped off of others, they would probably have some pretty strong opinions on which those were. And they would be wrong.

The executive editor of the Times says “Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied"... but referring to their forensics they say that the attackers "search[ed] for and grab[bed] Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server" after cracking their password hashes.

So which is it? Did they download gigs and gigs of mail, but not the ones they were looking for? Or is "found no evidence" doublespeak for "we're pretty sure they got what they were looking for, but the logs had already rolled over on that system, so we have no evidence that they did". Based on the rough timeline presented, this was after they were known, so it may have been their honey-pot server, but the tone of the article suggests that they were not honey-potting them and simply monitoring their progress as they slowly stomped their way through their live network. This begs the question... if they were really monitoring the attackers for months, including watching them grab Barboza and Yardley's e-mails, what are we to make of the PR statement that no relevant or sensitive e-mails were obtained?

I have read a few other discussions on the recent change, but not being an Instagram user I only read their "apology" and not the actual offending language in the TOS update.

Thank you for quoting the actual language. Frankly, their "apology" comes across as nothing short of completely disingenuous given what they said in the TOS update.

Very insightful article.

The vulnerabilities which I'm aware of in regards to the Sony breaches were all SQL-injection based. There are readily available tools which perform automated tests bombing a website with various SQL injection techniques, which I imagine is how they were found by the attackers.

It is negligent to run a website that contains the personal information of thousands+ people and not run a tool like this or do similar analysis to identify these problems. Fixing them may be another matter (although for SQL injection it should be a matter of sanitizing all of your input and parameterizing all of your queries), but I think the ball is in their court in terms of not knowing about them.