Hacker News | schackbrian's comments

This reminded me of a Scientific American article from nine years ago about the evolutionary roots of depression. It says that depression is a useful adaptation:

https://www.scientificamerican.com/article/depressions-evolu...

Dr. Stephen Ilardi from the University of Kansas takes the opposite position. In his book, The Depression Cure, he says that depression is a disease of modernity. "[O]ur bodies were never designed for the sleep-deprived, poorly nourished, frenzied pace of twenty-first century life."

https://www.youtube.com/watch?v=drv3BP0Fdi8


In order to look into this controversy, I searched for rsync.net on Wikipedia, and this is what I found. The user Kozubik submitted a draft with references, but the user Arthur Goes Shopping dismissed each of the references. Then when no one edited the draft for six months, the user JMHamo deleted it.

https://en.wikipedia.org/wiki/User_talk:Arthur_goes_shopping...

https://en.wikipedia.org/wiki/User_talk:Kozubik#Your_submiss...


Yes, that (2015) was the most recent attempt.

I have a locally saved copy of the submission and the references included a long form article at arstechnica, a long form print article in a magazine (Linux Format), The Yale Law Journal, theregister.co.uk, Lifehacker, ComputerWorld, EFF/Canarywatch, and more ... all over a 10+ year period.

Dismissed, flagged as not notable, and nothing to do but let the submission expire.



Luke's essay reminded me of Aaron Swartz's essays when he dropped out of high school and my own experiences when I dropped out around the same time. We knew something was wrong, and by the size of the "education reform" section at the library, we're not the only ones.

Sudbury Valley School was my first thought as I read Luke's essay, so I am very excited to read your contribution to this discussion. The readers of Hacker News want a startup to fix education. But what if this startup was already founded forty-seven years ago in Framingham, MA?

For anyone who is interested in learning more about Sudbury Valley School, I recommend reading some of their articles at the following location:

http://sudval.org/05_articles.html


Every Sudbury school startup is its own thing. Each school is different in its own way, much like different tribes of humans. There are a few basic common elements such as Judicial Committee and School Meeting, but each school forges its own path.

This is one of the big challenges of spreading this model. It is a lean startup. By the way, for those who want to sort of see the school from the eyes of a startup, I wrote a series of blog entries using the ideas of Peter Thiel's Zero to One and making the case that the natural way to prep people for startups (and the future) is a Sudbury education.

http://blog.aisudbury.com/post/102537221611/educational-prep...


I would be surprised if how easy ingredients are to pronounce is correlated with their health. Since half of all food is wasted, preservatives could even be good for the environment.

Ingredients of an All-Natural Banana: https://jameskennedymonash.wordpress.com/2013/12/12/ingredie...


Myth: "No ISP in the country has been a stronger supporter of the Open Internet than Comcast[.]"

Fact: "Comcast spent the most money of any organization in support of the Stop Online Piracy and PROTECT IP bills, spending roughly $5 million to lobby for their passage."

http://en.wikipedia.org/wiki/Comcast#Lobbying_and_electoral_...



Yeah, but a mobile app with better design.


What are the highest quality sub-reddits that don't allow memes?


/r/askscience/ and /r/AskHistorians/, for instance.


I lived in the Bronx for a couple of years in a boarding house which is part of the Kolping Society founded by a Catholic priest intending to provide a home-away-from-home for young workers in the cities of industrial Germany. There's also a Quaker house near Union Square that is over a hundred years old.

http://www.kolpingresidence.com/

http://www.penington.org/


Tom Van Goethem makes a strong case that this is a security vulnerability and it does deserve an award. Can you explain why not?


I think it's a valid security bug report.

We welcome all reports of security vulnerabilities, we try to fix them quickly, and we credit the researchers - but we offer rewards only for higher-impact flaws. You can check out this page for more info:

http://www.google.com/about/appsecurity/reward-program/

In this context, phishing issues are tricky. Because many of our products simply have to do things such as displaying snippets of potentially attacker-controlled text and multimedia, we try to evaluate phishing concerns on a case-by-case basis. In essence, we ask ourselves how easy it would be to exploit a particular behavior to mount a convincing attack.

My take on this bug is that the attack vector is severely constrained in well-behaved e-mail clients; and that in badly-behaved clients, the existing exposure is already considerably worse than any incremental hazard caused by this flaw. It's valid and worth fixing - but does not quite meet the bar for the reward tiers set up for higher-impact bugs.


So chuck him a C note and move on. I don't think it's worth the bad PR to quibble over what is clearly a security bug, no matter how minor. HTML injection is sort of like the bike shed of security vulnerabilities: every web developer understands it, so you'll get a perverse amount of attention and discussion on it.


In essence, we have a reward structure that we think is internally consistent, attracts the right sorts of research, and makes an optimal use of our resources - and we try to apply it fairly.

Here, we handled the communications poorly, and I think it's OK to call us out on that. In fact, I think it would be wrong to offer a reward in hopes of buying silence from the reporter :-)


I don't think that giving me some money would have stopped me from writing this blog post. The main issue here is that it was not recognized as security sensitive, and would most likely not have been fixed if I hadn't insisted on it.


How would you describe a well-behaved e-mail client with regards to this vulnerability?

The phishing attack I described in my blog post affects all e-mail clients that are able to render HTML and CSS. As for rendering remotely included CSS, this was not necessary, as one might as well include a <style> element.

If you are referring to just GMail as a well-behaved e-mail client, you are most likely correct that it wouldn't be possible to create a legit-looking phishing e-mail (as GMail only allows in-line styles). I think that most other e-mail clients allow the use of <style> or <link> in e-mails. The screenshot of the "phishing e-mail" in the blog post came from Mail.app (version 6.5).

I intentionally did not classify this vulnerability as "Cross-Site Scripting", although XSS vulnerabilities also rely on injecting HTML content, as the main impact here was not the execution of JavaScript code in the user's e-mail client, but rather changing the visual output of an e-mail so it can be used for phishing.
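The distinction drawn above (a client that permits only in-line styles versus one that also renders <style> and <link>) is what a mail client's HTML filter has to enforce. The following is an added example written for this page; it is not code from Gmail, Google, or the blog post. It is a minimal allowlist sanitizer built on Python's standard-library HTMLParser: it keeps a small set of tags and the inline style attribute, drops <style> and <script> together with their content, drops <link>, discards event-handler attributes, and restricts href to a few schemes. The tag and attribute lists and the sample message are my own constructed assumptions, chosen only to show the mechanism.

```python
from html.parser import HTMLParser
from html import escape

# Elements dropped together with everything inside them (embedded stylesheets, scripts).
DROP_WITH_CONTENT = {"style", "script"}
# Void elements dropped outright; they have no content to preserve.
DROP_TAG_ONLY = {"link", "meta", "base"}
# Assumed allowlist: a client may choose a different set, but it stays small.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "span", "div", "ul", "ol", "li"}
# Only in-line style survives; no on* handlers, no class/id that a stylesheet could target.
ALLOWED_ATTRS = {"href", "style", "title"}
ALLOWED_HREF_SCHEMES = ("http://", "https://", "mailto:")


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the message from an allowlist; anything not listed is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # names of stylesheet/script elements seen, for logging
        self._skip_depth = 0    # > 0 while inside a <style> or <script> element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self._skip_depth += 1
            return
        if tag in DROP_TAG_ONLY:
            self.dropped.append(tag)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: keep its text, lose the tag
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue
            if name == "href" and not value.lower().startswith(ALLOWED_HREF_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<br/>): only <br> is meaningful in the allowlist.
        if tag == "br" and not self._skip_depth:
            self.out.append("<br>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Text is re-escaped, so a literal "<" in the body cannot open a tag.
            self.out.append(escape(data, quote=False))


def sanitize_email_html(html):
    """Return the message HTML reduced to the allowlist (inline styles only)."""
    p = EmailHtmlSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def find_stylesheet_elements(html):
    """List the <style>/<link>/<script> elements a message tried to use."""
    p = EmailHtmlSanitizer()
    p.feed(html)
    p.close()
    return p.dropped


# Constructed sample message: mixes allowed markup with an embedded stylesheet,
# a remote stylesheet reference, and an event-handler attribute.
SAMPLE = (
    '<p>Hello <b>reader</b></p>'
    '<style>p { color: blue }</style>'
    '<link rel="stylesheet" href="https://example.invalid/x.css">'
    '<p style="color:red" onclick="x()">Notice</p>'
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE))
    print(find_stylesheet_elements(SAMPLE))
```

Rendering the output of sanitize_email_html rather than the raw message is what makes a client "well-behaved" in the sense used above: a message can still colour its own paragraphs, but it can no longer restyle, hide or overlay elements the client itself draws around it. Logging find_stylesheet_elements is the cheap detection counterpart, since ordinary marketing mail rarely needs a <script> element.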


What happens in the gmail web interface?


One would assume when he says "well-behaved e-mail clients", he was including his own company's product.


This type of vulnerability can be used to aid phishing attacks, but it cannot be directly exploited by an attacker to obtain or modify user data. Phishing attacks are not listed as qualifying in the Program Rules (http://www.google.com/about/appsecurity/reward-program/), although they are evaluated as security issues on a case-by-case basis.

In this case a bug was filed, but it took some prodding to get it fixed.

