Hacker News: clucas's comments

Here is a comment that really helped me understand bug bounty payouts: https://news.ycombinator.com/item?id=43025038

Everyone should read this comment, it does a really eloquent job explaining the situation.

The fundamental thing to understand is this: The things you hear about that people make $500k for on the gray market and the things that you see people make $20k for in a bounty program are completely different deliverables, even if the root cause bug turns out to be the same.

Quoted gray market prices are generally for working exploit chains, which require increasingly complex and valuable mitigation bypasses which work in tandem with the initial access exploit; for example, for this exploit to be particularly useful, it needs a sandbox escape.

Developing a vulnerability into a full chain requires a huge amount of risk - not weird crimey bitcoin in a back alley risk like people in this thread seem to want to imagine, but simple time-value risk. While one party is spending hundreds of hours and burning several additional exploits in the course of making a reliable and difficult-to-detect chain out of this vulnerability, fifty people are changing their fuzzer settings and sending hundreds of bugs in for bounty payout. If they hit the same bug and win their $20k, the party gambling on the $200k full chain is back to square one.

Vulnerability research for bug bounty and full-chain exploit development are effectively different fields, with dramatically different research styles and economics. The fact that they intersect sometimes doesn't mean that it makes sense to compare pricing.


Why is it the USA doesn't have their own bug bounty program for non-DOD systems? Like, sure, they have a bounty for vulns in govt systems. But why not accept vulns for any system, and offer to pay more than anyone else? It would give them a competitive advantage (offensive & defensive) over every other nation. End one experimental weapons program (or whatever garbage DOD spends its obscene budget on) and suddenly we're not cyber-sucky anymore.

This underestimates the adaptability of threat actors. Massive cryptocurrency thefts from individuals have created a market for a rather wide range of server-side bugs.

Got a Gmail ATO? Just run it against some of the leaked cryptocurrency exchange databases, automatically scan for wallet backups and earn hundreds of millions within minutes.

People are paying tens of thousands for “bugs” that allow them to confirm if an email address is registered on a platform.

Even trust isn’t much of a problem anymore, well-known escrow services are everywhere.


According to OP, there is substantial evidence indicating about 50% of the daycares are scams. I've seen Nick Shirley's video, I don't think he demonstrated anything concrete about any of the sites he visited (he's not a very good investigator), but if the 50% number is correct... well, the broken clock was probably right at least a couple of times that day.

The 2019 OLA report "Child Care Assistance Program: Assessment of Fraud Allegations" is what makes the claim that greater than 50% of reimbursements to child care providers under these specific programs were fraudulent. That estimate is broadly and bipartisanly considered to be directionally true.

Have you read the document? I often find these things that we believe to be true wind up being a game of telephone. We further have no prior (is the metric of this sort of like how everyone has committed a crime given sufficient prosecutorial attention)?

I've also never heard of this report before this year as someone quite attuned to what happens in Minnesota.

One document contributor contends, notably, that if "adult “employees” spend hours in hallways chatting with other adults [...] the entire amount paid to that provider in a given year is the fraud amount."

I'll leave the assessment of that definition to readers. https://www.auditor.leg.state.mn.us/sreview/ccap.pdf


300,000? Can you cite something for that?

Edit to add: Also, Israel was actually attacked, and civilians were raped, kidnapped, and murdered. Did any of the protestors in Iran kill, rape, or murder any of the members of the regime who subsequently slaughtered them?



Right, that was the number I had in my head... and that's for the whole war. This guy apparently believes 300k were killed in the first month, but I have no idea where that's coming from.


> Edit to add: Also, Israel was actually attacked, and civilians were raped, kidnapped, and murdered. Did any of the protestors in Iran kill, rape, or murder any of the members of the regime who subsequently slaughtered them?

Just to be clear. You're arguing that if a country is attacked, it's ok to kill civilians that are unrelated to the attack? Or are you arguing that those 300,000 were somehow involved in the killing of the 3,000 Israelis that died in the Hamas attack?


> You're arguing that if a country is attacked, it's ok to kill civilians that are unrelated to the attack?

If a country is attacked, and defends itself, are you saying it should stop any form of defense because a civilian can die?

If this is the logic, then what would prevent armies from using human shields?


> You're arguing that if a country is attacked, it's ok to kill civilians that are unrelated to the attack?

How on earth did you get that from my comment? Can you think of a more charitable way to interpret what I said?


> Edit to add: Also, Israel was actually attacked, and civilians were raped, kidnapped, and murdered. Did any of the protestors in Iran kill, rape, or murder any of the members of the regime who subsequently slaughtered them?

So you're not saying that what Israel is doing is less bad due to the fact that it was attacked? So what are you saying then?

I guess that no, I can't find a more charitable way to interpret what you said.


>> From now on, every time anyone says anything about Iran, I'll be pushing the narrative that "whatever Iran did, it was to defend itself".

> Israel was actually attacked

I was responding to your claim that Iran was defending itself... Whether or not Israel responded disproportionately to October 7 (it did), I don't think it's fair to say Iran's actions are "self-defense" in the same way that Israel's war was self-defense.


No, I don't agree. What Israel is doing is WAY past the "disproportionate" conversation. For one, Israel's targets have nothing to do with the people who attacked Israel, other than they come from the same geographical area. It's like saying "bombing Italy is a disproportionate response to Luigi Mangione assassinating someone".

Disproportionate would be if they caught the October 7 terrorists and their collaborators, and instead of arresting them killed them. If that was what happened, I wouldn't be morally against it.




Thanks for sharing, I don’t think I’ve ever seen anything involving James Randi testing someone’s ability and actually verifying their claim, nice to see that not everyone is a bullshit artist!


Oh I wasn’t misremembering that.

    Penn [Jillette] said "If not for Randi there would not be Penn & Teller as we are today."


I think "no wars of conquest" is a bright line that was crossed by Russia, that hasn't been crossed by other nations in a long time. And I think it's important for the whole world to take a stand on that, not just the nation that was invaded. It's not a "random stand."




I find it much easier to take a strong stand on Russia/Ukraine than on Israel/Palestine. The history of Israel/Palestine is much more of a gray area. Palestine has used plenty of aggressive actions and rhetoric that make Israel's actions more understandable (if not justified).

Example of actions: Gaza invaded Israel and killed, raped, and kidnapped civilians on October 7. Ukraine had no such triggering event that caused Russia to invade.

Example of rhetoric: Gaza's political leaders have said they want to destroy Israel. I don't think anyone in power in Ukraine has said they want to destroy the Russian state.


"enthusiastic support"

https://yougov.co.uk/international/articles/52279-net-favour...

https://www.pewresearch.org/politics/2025/10/03/how-american...

etc etc....

I'm not sure what collective West you're referring to; but apparently it excludes every major Western European nation, America, and Canada.


Plenty of people boycott Israeli goods and there's an increasing trend of moving away from reliance on American services also.


I am amused that my (unpopular and downvoted by now) comment about the scourge of "whataboutism" sparked a discussion where comments begin with "how about" :-)

That is exactly my point! Saying "but what about" is akin to saying "you shouldn't do anything, because there is another unrelated $thing happening elsewhere". I refuse to follow this line of thinking.


Did you just "but what about X" the previous comment, which is the whole point of this thread?


> being trapped in a pub with David and him bending your ear on history for several hours

Don't threaten me with a good time! Ordered.


> people who share what the mistakes are and where they themselves have made these very mistakes over the years, to help other people not make them and so that the world continues to remember this hard-learned stuff

But then we have this in your post:

> That tells me that you are writing from ignorance, as for starters that's a truly pathetic test

and

> I had an actual poke around the parser code, in contrast to your superficial experimentation.

Perhaps you really did intend for these lines to be helpful and informative? If so, I encourage you to have a moment of empathy for your interlocutor and ask yourself if talking this way is actually the best way to communicate and pass on this hard-earned knowledge.

> ad hominems, straw men, insults, and vilification

I didn't see this from the other poster. I did see it from you. As a disinterested third party, I'm just telling you, you come off way worse in this exchange. Good luck out there buddy.


Plainview: You gonna change your shipping costs?

Tilford: We don't dictate shipping costs. That's railroad business.

Plainview: O-oh! You don't own the railroads? Course you do. Of course you do.


You’re misunderstanding the question - he’s asking how Shopify could avoid jurisdiction, not avoid this suit. Jurisdiction is a threshold question before you get to the merits… maybe Shopify did the bad thing, maybe they didn’t, but before we decide that, we need to determine if California law even applies to Shopify.

The author seems to think that there should be some way for Shopify to avoid jurisdiction while still offering services in California, but I don’t really understand why he thinks so.


As a former student of the author, I don't think he's saying they should be able to avoid jurisdiction. I think he was musing on whether it would even be possible under this new Ninth Circuit framework/test. He concludes it's unlikely, and hence for Shopify (or any other company putting cookies in browsers) to have any chance of avoiding it, they're going to have to appeal to SCOTUS.


Not at all. I think he rightly concludes that jurisdiction is completely avoidable by geoblocking California.

It is baffling to hear the author ask the question “did Shopify ‘expressly aim an intentional act at California?” And subsequently conclude that Shopify’s entire business model is in doubt if it doesn’t do business in California.


I think the one plausible argument for Shopify is that the California law is unconstitutional since this might be interstate commerce.


That’s possible, but they haven’t even gotten there yet because they’re still arguing over the jurisdictional question.


They’re not going to geo block California customers. It makes no business sense.


Other than the one about using only one platform, which you referenced, it seems like he's really just asking for clarity from maintainers about what contributions they would like, and how they would like them to be provided.

What items on the list do you think are just the author's preferences, but other potential contributors wouldn't like? It seems unlikely that contributors would prefer NOT to know if the maintainer doesn't want PRs, or would prefer NOT to have an example of how to contribute, e.g.

