Yes, I started counting the words, thinking there was some misrepresentation of the title, then realized that was not what the title was referring to...
This explanation is far more plausible than the idea Amazon suddenly got all squishy about showing certain titles.
Amazon has generally followed the tradition of booksellers and libraries in the free world, erring on the side of inclusion, with regard to controversial topics. Given that most of the 'excluded' books were hardly controversial at all -- even anti-gay activists rarely expect major retail chains to drop gay-themed works -- a 'glitch' or hack/prank was always more likely than an intentional Amazon decision.
Let's face it, Amazon's system probably doesn't require large numbers of users flagging something before it takes automated action, because the average book just isn't going to get that much attention. So combine a likely low barrier to removal with a CSRF hole that lets you trick people into flagging whatever you want them to, and... you get exactly the result people are raging about all over the internets.
Targeting a group like this makes it more believable. I mean, if Amazon was banning books about 'successful entrepreneurs', most people would have thought it was a bug in the site, not malicious intent.
Really? How are gays and lesbians persecuted? Gays now have more rights than most other people. I would rather be gay than be fat.
And they have that universal excuse ("you're firing me because I am gay?") that they use in any situation (almost as good as the “you're <doing something that does not suit me> because I am black/a woman/Jewish/a vegetarian?).
Why don't everybody just leave everybody else the f*ck alone?
It is because gay people wants to force acceptance to all people that believe differently. If there is a church/religious institution that does not “accept” you, why don't you fucking start your own?
Why do you have to whine about “homophobia” (a misnomer). And why do you have to whine especially on the Internet? (you are getting almost as irritating as the Atheist Army (e.g. www.reddit.com/r/atheism)). NRA supporters do not whine on national television about NRA-phobia. Hunters do not whine about hunting-phobia. Yet they will be treated worse in liberal areas as liberals will be treated in conservative areas.
The most persecuted group is middle aged white males – they have to hear how bad they are from black people, feminists and gays. If they are successful in an area (such as engineering for example) it must be their fault for “disadvantaging” black people or women and that they are “overrepresented” (i.e. will not be promoted in favour of a “designated” group). I wonder when we will start seeing Gay Economic Empowerment!
Like what? They can vote and they could have voted since Licoln.
One of the few things that they whine about is "marraige". Well, uhm... start your own church and start marrying people - you don't need the government for that.
(They do want the state to name it marraige instead of "civil unions" because that would force people to accept them).
Marriage is a legal union which is specifically denied to gays in the overwhelming majority of states in the US. The issue is not a religious one or a question of acceptance, it is a question of equality before the law.
Marriage confers many benefits, including financial, guardianship (of children), visitation rights, control over partner's affairs when the latter is incapacitated, etc.
At the Federal level, the US prohibits same-sex couples, even if they are married in another country (http://en.wikipedia.org/wiki/Gay_marriage) to sponsor each other for immigration.
These are things heterosexuals can take for granted, but our gay friends cannot.
Everyone is equal in the eyes of the law. Gay and straight are bound by the same laws - if a gay person ever wants to marry a woman he can (no questions asked). There is not two sets of laws - the tax law is the same (yet no one worries about that).
I would personally like to see the state absolve marraige and leave everything at civil unions. The only reason why the state should even have that is to keep track of children.
> Marriage confers many benefits, including financial
Uhm... yeah. We should therefore discriminate against people who are not married? If there is a benefit provided it costs someone something (in this case the burden is on unmarried people).
> control over partner's affairs when the latter is incapacitated
Uhm.. tried having a signed letter to the appointed executor? This can be solved within 5 minutes with a printer and 5 signatures.
> At the Federal level, the US prohibits same-sex couples, even if they are married in another country (http://en.wikipedia.org/wiki/Gay_marriage) to sponsor each other for immigration.
So, this is nothing major. The USA also have quotas for certain countries. Does that mean that the USA is racist towards that country?
The USA also have requirements for education levels. Some countries (esp. Australia) is fairly strict against people with transmittable diseases (e.g. AIDS). Does that mean that they discriminate against sick or stupid people?
> if a gay person ever wants to marry a woman he can
In the same way that you, presumably, wouldn't want to marry/sleep with someone of the same sex, so a homosexual wouldn't want to marry someone of the opposite sex.
The question is, why do State governments specifically prevent same-sex unions? There are already 7 countries that have gay marriage.
From marriage all the other legal benefits flow.
> I would personally like to see the state absolve marraige and leave everything at civil union
Agreed - but not limited to only heterosexuals.
> Uhm.. tried having a signed letter to the appointed executor
Why do gays have to do extra work that heterosexuals get "for free"?
> So, this is nothing major. The USA also have quotas for certain countries.
Imagine the following: you are American, and marry the love of your life, a Canadian, in Canada. Now, if you are a man + woman, you are allowed to bring your spouse into the US, but if you are a same-sex married couple (yes, Canada has gay marriage), then you cannot.
This has nothing to do with quotas, or "profiling" for numbers or against health-risks.
No, that's exactly my point. In most states there is no concept of civil unions for homosexuals. And furthermore, they also don't recognize civil unions from other states. This is in stark contrast to recognition of heterosexual unions.
> Also - what is the use for the state?
It is not about the state; it is about individual liberty.
> It does not need to keep track of the offspring.
Not sure I understand what you mean?
> It takes 5 minutes. Most straight and sane people do it in any way - it is simply a good practice (just like writing a will).
So maybe the government (state and Federal) should simply not recognize Marriage AT ALL?
> If the person you married was a woman with AIDS
Homesexuality is not a disease, dude.
> Also - if you benefit gay couples you conversely discriminate against 2 single people.
Single people choose not to get married. But with gays, the state forces them to stay single.
the alleged perpetrator is 'weev', one of the people featured in that NY Times article that everybody was talking about awhile back, "The Trolls Among Us."
"I contend that trolling is the chief moral arbiter of the Internet. I see little difference between the methods performed by trolls on the Internet when they ruin the lives of furries and pedophiles and the methods used by Moses when he ordered the idol worshippers killed. Martin Luther contended in his tract "On the Jews and Their Lies" that if Moses were alive today he'd be busy burning synagogues. I'm inclined to agree; the only thing keeping us deriding furries on the Internet instead of going to their furry conventions and rapidly exterminating them is the Jewish influence upon society."
"I used to be for the mass extermination of the physically disabled, but my business associate Claudia reminded me of how the ancient greeks made an effort to find means of living for their disabled; Homer was blind but still managed to become a defining influence upon Western civlization. I believe that without the narcotic of state welfare these people would find a positive means of living."
"Upon some timeline Protestants are going to have to stand up and admit that it is their belief system that made their nations so great, and that without their persistent influence they will degrade into the third world shitholes from which they began."
keep in mind, he probably doesn't believe a third of that. if he'd do what he seems to have done to amazon for attention, then you know he's willing to make up inflammatory lies for an interviewer.
Trollers are sadists, period. Just because you are capable of the problem solving and coding required to pull stunts like this off doesn't justify deceiving others and causing them anguish. I have no idea if they believe the ideologies they spin to justify what they do as a perverse form of heroism. All of the worst assholes in history had ideology aplenty to justify their destructive behavior.
True or not the real fascinating thing was the fallout, not the catastrophe itself. Watching the #amazonfail twitter real-time search results was incredible last night. Every few seconds there would be dozens of tweets covering it, and as I watched I could see how the story was progressing. Initially there was outrage, then the reaction from Amazon that it was a glitch created the #glitchmyass hash, and then there were links to alternative listing areas for the de-listed books. It was impressive to see how rapidly this evolved, on a holiday no less.
How many of these do we have to stare down before the internet punditry learns to take three deep breaths before clicking "post"? Remedial reporting here would have saved a lot of faces from a lot of egg.
The internet punditry (including us, mate) get rewarded for reacting quickly and get virtually no punishment for being wrong or late. An uncharitable way to put is that many journalists, pundits and activists are just conduits for other people. You don't blame the pipes when the water is cold.
I'm mainly wondering if he can get his face sued off over this.
I've got NO doubt that this is going to have a noticable negative impact on Amazon's profits. Not world shaking, but more than enough to make the lawyers angry.
As another commenter mentioned, he's been in a NYT article, with his face and full name displayed. Amazon won't have any trouble finding him.
While he's certainly mischievous and possibly malicious, he didn't actually do anything that I think should be illegal. He merely used Amazon's flawed system against them, at considerably personal expense. He hacked them, in other words.
I can't agree with his aims in this case but you've got to hand it to him really - you don't have to like trolling in general to admit that was an amazing troll. It shouldn't be illegal and he shouldn't be able to be sued. Society would be worse for it, counterintutive as it may seem.
> he didn't actually do anything that I think should be illegal.
Registering multiple false user names?
Giving false feedback?
Restraint of trade?
I'm not a fan of government prosecuting someone for registering on Facebook with the user name "Joe Schmoe" in order to blog anonymously about their crappy job at Microsoft.
...but I have no problem at all with the government enforcing laws against using aliases to log into a system and inject bad data in order to create a public relations firestorm?
> He merely used Amazon's flawed system against them
I'd be somewhat pissed if someone used my flawed front door lock (pickable by anyone with a set of picks, 60 seconds to spare, and decent picking skills) against me.
"Oh, all I did was hang a sign in the window saying 'A child molester lives here' - what LOLZ!"
I don't know... maybe this could fall into the category of 'spam' - using up resources of a remote computer without permission etc, but the fact is he wasn't the one using the resources. It was the users visiting the websites containing the iframe.
At the end of the day, IMHO this shouldn't be illegal, and no action should be taken. Amazon was extremely silly to accept user flagging from a GET request in an iframe.
How is what your're saying different from, "I didn't send those DDOS packets, the lusers executing my trojan program did!"
How about: "IMHO, that shouldn't be illegal. Mrs. Smith was extremely silly to believe that a consumer door lock and sticking her life savings under her mattress was a good way to secure money."
A company like Amazon should be able to deal with DDOS and CSFR in it's stride though. They should present absolutely no challenge.
The correct response IMHO is for Amazon to realize they were stupid, and fix it. If you sue etc you put out the signal that being stupid is fine - you'll be able to sue someone if they take advantage of your stupidity.
But then we live in an age where if someone doesn't tell you explicitly that your coffee is hot, and you spill it, you can sue them...
So the victim's capabilities are to be taken into account? If Mrs. Smith was trained as a ninja guard, trying to abscond with her mattress stash is ok? I don't buy it.
Also, you can argue that not suing is sending out the wrong message -- that manipulating the flagging mechanism is cool, so long as you're a cool, clever hacker.
If I was running a business, and my employee left a storage shed unlocked, I shouldn't prosecute the thieves because I did something "stupid?" Uh, no. Most people would suggest that you make sure locking the shed is on the checklist and you prosecute.
Someone else being stupid doesn't give you a "Get away with being an asshat" card.
Well, actually, it is those "lusers" who executed the trojan, and their computers, capable of action and under their control, that sent the packets. Since when is "but I didn't know!" an excuse? Sounds like negligence to me; widespread perhaps, but negligence nonetheless.
It's like those people who buy those terrible cheap car alarms that go off at anything at all and then don't stop for an hour. Their car is sitting there, ruining everyone's quality of life with its incessant blaring. Can they just excuse themselves by saying "well it's not me, it's the car alarm"? Of course not. If you own something, and that something is capable of harm, it's your responsibility to ensure its integrity. Blithe ignorance is no excuse at all.
The door lock/money under the mattress analogy doesn't hold up. Mrs Smith did not invite millions of visitors from around the world into her house to walk around her bedroom, relying solely on the mattress to hide her treasure, and if she had no-one would have much sympathy when one of them eventually looked there. Amazon did invite such behaviour and should have taken appropriate safeguards. This is no-one's fault but their own.
Another's negligence does not justify being an asshole!
If Mrs. Smith was running a bric-a-brac store and didn't know how to secure her display cases, then it's alright to shoplift from her?
If Mrs. Smith was holding a big party at her house, then it's alright for a party goer to steal her life savings?
If I hand a firearm disguised as a jelly donut to a random bystander, then they shoot someone with it, it's their fault and not mine?
Amazon messed up. It doesn't justify Weev's action. He could've just told them. Deception and malicious intent are markings of crime or antisocial behavior. That's just common sense!
Guh. Here we are, about 3 steps into an argument, and already it's a quagmire of complexity, grey areas and sliding scales. I could now posit the example that it's actually more like Mrs Smith leaving the money in a bag on the floor of her store (or house) but seriously we could go on like this forever. My Infinite Biased Analogy Generator is in good working order and I can tell yours is in full effect also.
The fact is, nothing was stolen and no-one died. You're all about "intent" so intend this: this whole story is one guy exploiting Amazon's flawed security to annoy gay people.
I do not even like Weev. This is nothing but principle, namely - should the government be papering, with the full force of the law, over the cracks in Amazon's security?
I say, "no". You say "yes". We are each convinced of our righteousness. Let's leave it there.
Uh, no you see the danger and are trying to weasel out of it by pleading "oh noes, the greys," but, "Mrs Smith leaving the money in a bag on the floor of her store," pretty much breaks the back of your argument.
Someone absconding with that bag is stealing. Period. They didn't pay for that bag, why are they leaving the store with it? The thief is wrong. Nothing grey about that.
The problem here is that Weev's intent was to deceive and have a particular group's books effectively censored. This fits in with Amazon's Terms of Use? I don't think so. There is no grey area. If Weev wanted to improve the world with his hacking, there are tons of ways he could've done this without hurting anyone (reduced income), deceiving anyone, or running afoul of the TOS.
Prediction: if you go any further, your analogy generator is just going to illuminate how far you have to grasp for straws. (And I'll also note that I have been careful to construct relevant analogies, usually 2 or 3 at a time, picking the best fit. Also, your feedback in the discussion has resulted in iteratively more damning analogies.)
Well then, unless your actual name is "tjic" then we are both criminals right off the bat. And since when is the government in the business of checking whether feedback is "false" or not? That's the company's job. It's not illegal to lie unless you are under oath, and nobody was.
"Restraint of trade?"
I don't see how Amazon's trade has been restrained in any way, shape or form. Unless you consider criticism or bad reputation to be restraint of trade, in which case any criticism is fair game. Very dangerous ground.
"but I have no problem at all with the government enforcing laws against using aliases to log into a system and inject bad data in order to create a public relations firestorm?"
Who says it's bad data? What's wrong with aliases? You're trying to legislate against intent.
And your example of how Joe Schmoe should be protected even though he's slagging off Microsoft - MS will say that's bad data bringing a PR firestorm. It just doesn't work.
"I'd be somewhat pissed if someone used my flawed front door lock (pickable by anyone with a set of picks, 60 seconds to spare, and decent picking skills) against me."
Dear god, not this argument again. Look, physical security is NOT the same as network security. It is impossible to totally guarantee physical security. It is possible, even easy, to create perfect network security. The two are totally at odds. Creating a few fake accounts and submitting some votes (which Amazon encourages) is not even remotely similar to breaking into your house and placing signs advertising your partiality to child molestation.
You are giving Amazon a free pass for their lax security practises, and placing all the blame on some random guy who had the balls to admit he did it. And if it was illegal, the only thing that would change is that he wouldn't have admitted it. You can't have laws like that. You may as well try to make a law that everyone has to be nice.
Sometimes that's a sign that your point of view is out of whack. (And being able to realize this is a mark of true learning. And yeah, it is painful sometimes.)
What happened here is more like Whole Foods setting out free samples. If someone concocted a scheme to walk out the front door with all of the free samples, I would not be at all surprised if the perpetrator were taken off to jail. "But Whole Foods encourages you to take them!" yeah, right. Something smacks of rationalization here.
"Sometimes that's a sign that your point of view is out of whack."
Same goes for you, of course ; )
Unfortunately, regardless of who is ethically right or wrong, my view will retain the upper hand, for the simple fact that the network is global, and whatever laws you pass in any country will not, nor ever, apply to all. For this simple reason you must continue to consider security the sole responsible of the proprietor, and assume the complete legal immunity of the customer/attacker (same thing).
"If someone concocted a scheme to walk out the front door with all of the free samples"
I do not particularly care for the idea of the judiciary being involved in rationing out Whole Foods' free samples. I do see your point - theft is theft, after all - but do you really want to make an obvious prank illegal? Outright shoplifting is one thing. Pranks are another, and they were free samples. You're so enthusiastic to consider intent in your other examples, why forget all about it in this one?
If someone is going to alter my storefront sign, it's vandalism, intent as a prank or no. If they leave it that way for a few days, then I have every right to seek redress, especially if it affects my livelihood in some way.
It's not the intent as a prank that's the problem. It's the intent to have the particular effect that he did. I'm sure Amazon's Terms of Use would preclude what he did.
> Well then, unless your actual name is "tjic" then we are both criminals right off the bat.
Under US law, there is no such thing as a sole "actual" name. Any name that you use for non-fraudulent purposes is a legitimate name.
TJIC is my initials: Travis James Ignatius Corcoran.
I have been using it as a legitimate name for 15 years. My mom addresses emails and letters to me using that name.
So, no, I'm not a criminal.
...but if someone signed up for an account at Amazon using 500 different names, and one of them was "TJIC", and the intent was to inject bad data ... yes, that person would be a criminal.
"but if someone signed up for an account at Amazon using 500 different names, and one of them was "TJIC", and the intent was to inject bad data ... yes, that person would be a criminal."
No way. Guaranteeing the integrity of Amazon's Customer Review data is not the job of the state. Guaranteeing the legitimacy of the name(s) used to sign up for accounts is not the job of the state. Assessing the state of mind of someone filling in Amazon's complaints form is not the job of the state.
I am kind of amazed you think the government or the law should be even tangentially involved in any of this.
> No way. Guaranteeing the integrity of Amazon's Customer Review data is not the job of the state
According to many theories, much of the point of the state is to lower transaction costs.
That's why states get involved in things like creating default rental agreements, setting up standards of weight and measure, inspecting pumps at gas stations, stamping out ponzi schemes, running courts to enforce slander laws (even when the target is a corporation), etc.
I'm a pretty extreme libertarian. I'd like 99% of the government to go away. Maybe more.
...but I'm going to assume that we're holding this debate in the real world, not in a science-fictional Heinlein-esque anarcho-capitalist moon colony. ...and if that's the case, then 99.9% of people think the job of the state DOES include stopping people from intentionally gumming up third party transactions.
I agree with you, it's all about intent. If you give false feedback to avoid having your family killed, that should be legal. If you do it to troll Amazon, that's malicious, and should be a crime.
This guy is a jerk, and he's making society slightly less good. As a society, we should try and avoid the tragedy of the commons, or else we won't have a society for much longer. Someone needs to remind this guy, in an official capacity, that his actions are not appreciated or tolerated.
Laws exist to deter people from doing things that are possible, so the fact that their system allowed him to do it is irrelevant.
The quality of the troll is also irrelevant. The fact that you commit a crime really well doesn't make it any less illegal.
That said, I'm not certain what he did should have been illegal. But I can't think of a single reason he shouldn't be sued. There's no way he didn't forsee loss of revenue for Amazon. If you deliberately cause harm to another person, even if you work out how to do it without technically breaking the law, they should absolutely be able to get their loss back from you.
Posting a message that you got food poising from a local restaurant will cause them to lose money without you breaking the law. Would you say it's reasonable for them to sue you if you where telling the truth?
Then we have fundamentally different opinions of what should and should not be legally actionable.
How the hell should anyone be able to drag someone through the courts on the grounds that they might have lied about about feeling sick or not? And what could you possibly do when he just says "I did feel sick" - "no you didn't"? Yes I did, no you didn't?
I don't think you've given much thought to the complexities here. Laws have to be workable and practical and err on the side of freedom of speech and action. Trying to legislate niceness and truthfulness is pure folly, especially considering the imbalance of power between a corporation (or restaurant!) and a person.
Yes, yes, but the question assumed that the poster had told the truth. With a criminal complaint there is an assumption of innocence such that you have significant legal protections even if you fail to show up. With a civil suit no such evidence is required to file and if you fail to show up you the default is you lose without any party trying to defend you.
I would suggest that a reasonable demonstration of evidence supporting the claim should be required before the other party is even notified and such a requirement have no impact on the actual case. Also a public defendant should be provided to defend you etc. Basically, a presumption of innocence until demonstrated otherwise.
Reducing income by out-competing another company in a transparent and open marketplace is one thing. Reducing income by manipulating information in a deceptive fashion (thereby making the marketplace less transparent) is another thing entirely.
There were ways Weev could've made his hacking skill known without such negative impacts. He cared more about the notoriety than preventing harm to bystanders. (Though to be fair, he probably has rationalizations for why these weren't "real" negative impacts.)
The post I was referring to said: "But I can't think of a single reason he shouldn't be sued. There's no way he didn't forsee loss of revenue for Amazon."
I never said what he did was ethical, but I'm trying to say that just because an event reduces revenue doesn't mean its something that can be sued over. IANAL but it would have to be on the grounds of libel. (Which is likely, but parent never brought that up)
"counter-intuitive" is your code word for "I can't justify it but I like it anyway?"
If his hack involved writing an innocuous demo script and presenting it to Amazon or at a conference, this would be one thing, and society is better off for the freedom to make such discoveries and talk and write about them. Society is certainly better off when it accords freedom of speech. But academic freedom ends where you start to impact other's freedom of speech. (Like effective censorship of Amazon listings.)
All my life, I've had this background occurrence of strangers have coming out of nowhere to try and haze me with some racial epithet. Almost all of these idiots carry this air of striking some sort of blow for truth and beauty, as if they're defending motherhood and the American way through their yelling and insults. To me, Weev and his ilk have the exact same sort of misguided self-righteousness.
I'm sure the one who hazed that young girl into committing suicide on MySpace felt just as clever and justified.
(Many of those Weev targets may have the same self-righteous chip on their shoulder as well, and may be just as bad in their way. It's just not a productive way to expend mental energy.)
Let's be clear here. Weev didn't censor Amazon listings. If what Weev claims is true, the most you can say is that he helped trick Amazon into choosing, via automated means, to censor those titles.
But ultimately, it was Amazon who took the action to remove the listings.
(Unnecessary disclaimer: I'm a huge fan of Amazon, and hardly a week goes by that I don't buy something or other from them.)
Your logic simply doesn't hold. If some guy repaints highway signs to cause a car crash, then, if anyone dies, he should be up for murder, not the driver. The guilty party is the vandal in both cases, not the driver or the computer operator.
I'm going to take one last stab at this, and then let it go:
But he didn't repaint the signs. At worst, he convinced a few other people to call up the DOT and say "That stop sign shouldn't be there, please change it to a 55 MPH speed limit sign." If the DOT then goes and changes the signs without appropriately verifying, then it's on them...
I realize as programmers that we might think Weev's (purported) actions are directly responsible for the de-listing, but they aren't. It's ultimately Amazon's code that did the de-listing.
I for one hope he does. He's not some internet freedom fighter going up against the man, nor is he a legitimate security expert in any way. He did it for the lulz, I hope he gets his ass sued off.
He's like the kid dropping rocks off the overpass for shits and giggles - pathetic.
Wow. Anyone who owns, or hopes to own, an internet-based community of any type should read this, just to get a sense of the sophisticated methods and the lengths trolls will go to. While I have to hand it to this guy for deviousness and persistence, he is, after all, the "enemy" as far as the Web Site Owner is concerned.
It boggles the mind that anyone would do this, but they evidently do, and you may well have to defend against it.
He could also be seen as a free security consultant. What he did basically amounted to a victimless crime, but could have possibly been used for something worse. If Amazon has one CSRF vulnerability via an improper use of GET, there may well be more. This incident may help them tighten their systems against more malicious attacks.
How is it a victimless crime? The authors and publishers of all the books that lost sales rank were directly harmed by it. By not showing up in searches or bestseller lists, their sales were affected.
I see your point, but also that of the parent post. Is losing salesrank of a novel over the weekend (a holiday weekend no less), really a boom-or-bust kind of thing? If he'd been more malicious with this then this would be a crime with actual victims, but in this case I just can't reason through it enough to believe that.
If you walk into a bookstore and steal a bunch of books, even on a slow business day and it causes the store/publisher/author to lose sales, but not that much, is it a victimless crime?
How many customers did Amazon lose this weekend that will likely never hear that this was a hack? He directly and irreparably harmed the reputation of a company, how is this victimless at all?
He may have hurt the reputation of Amazon, but not through his crime. Publicizing vulnerabilities in Amazon's ranking system is what may hurt Amazon's reputation. The "crime" of messing with Amazon's system didn't hurt Amazon's reputation let alone their website much at all.
For 48-72 hours, some books appeared fewer places on Amazon's site.
Many of those same books got lots of extra attention from elsewhere, as examples of affected titles.
So some authors probably lost a little, others gained a little (by either being examples, or simply filling the slots emptied by affected titles).
If the loss to specific titles was significant, Amazon could easily restore the previous balance with a few days' enhanced promotion. So the amount of 'victimization' here is pretty small.
Perhaps we are forgetting that Amazon is a victim as well. If Amazon is unable to seek punishment against malicious users of its site, it is forced to spend its time and money patching security holes and preventing future attacks, in addition to repairing lost good will from customers and authors.
It always surprises me how quick people are to jump to the conclusion that the website operator is at fault for these sorts of malicious uses. It flies in the face of simple economics. The burden on Amazon to protect its site probably ranges in the thousands or millions of dollars; the benefit to the malicious user is a couple of laughs and a funny blog post. It would seem economically inefficient to say that the burden lies on Amazon, in this situation, to protect itself.
(Indeed, I don't believe anyone would analogously say that a thief is not responsible for acts of theft, because they provide a "free lesson in home security" to the victim. Why the difference when we move to the online realm?)
Even if one could accept that Amazon cannot possibly plug all vulnerabilities and should not be expected to do so against all attacks, we're still left with the obvious mistake of implicitly entrusting their users with the ability to -- automatically and without proper vetting -- alter whether or not certain items display on certain areas of their site. This fact, given automation via a bug or not, means that the tactic could have been used more maliciously and more covertly to bring additional damage (say, by getting an author's book delisted).
At the end of the day, do I think Amazon really deserved to be "taught a lesson"? No; he could have just contacted them with the exploit and been done with it. Could it have been worse? Most likely, yes. Plus, I found the resulting e-uproar to be quite hilarious. To think, people actually believed Amazon would intentionally and openly discriminate against those groups out of no where... it's very laughable, you must admit.
But what if trusting users works 363 days a year -- it helps users find and buy more books, it makes authors and Amazon more money. Every once in a while, it causes an embarassing screwup that can be reversed in 1-3 days.
Is having that system in place a mistake? What if the alternative system, that never has a 2-day-screwup, also means fewer lehappy customers and less-profitable operations the other 363 days?
Amazon is losing a lot of business in the GLBT community, historically a reliable demographic group in both online spending and books. (This actually wouldn't be so bad if they had been more forthcoming, and quickly made a statement apologizing profusely. However, just saying that there's a "glitch" after customer support had suggested that much of the material was indeed adult in various posts hovering around, this has resulted in a significant loss of goodwill.)
As for me, I'm considering looking for a new default myself. Powells, here I come?
> As for me, I'm considering looking for a new default myself. Powells, here I come?
Why? You know it was nothing more than a CSRF by a troll. That's like saying you're not going back to a store because it got tagged by some punk kids one night. As long as they clean up, what's the problem?
As an aside, if you ever go anywhere near Portland, Oregon, go to Powell's, and don't forget to visit Powell's technical too. I really miss those stores (I miss less all the rain that makes sitting inside and reading a compelling alternative so much of the time...)
History is littered with the blood of people fighting over social issues... We shouldn't be too surprised by the lengths, but the appeals for security concerns rings loud and true.
Does it? Think about it this way, why does this make right-wing nuts or technically inept parents go bonkers? A.) They a moral nut and they're reacting to the confluence of information and media as an invasion of privacy. B.) They fear that the exposure to such material at a young age will corrupt their kid, screw some other kid, and get pregnant in high school.
Either way, I think this is a cash cow and fertile conditions for any startup whose primary function is a sort of opt-in form of censorship, more or less the startup would act as a proxy for each IP. For the most part, I think their rage is fairly valid since this demographic is probably just old, confused, and sick of scouring the internet for web-sites to block.
The logic behind his motive is flawed. Just because there's an active homosexual/meth community on craigslist doesn't mean that members of the homosexual/meth community (or its superset, the homosexual community) are necessarily doing the flagging.
if true, that is pretty bad ... Amazon should have "signed" the cookies with the originating IP and then forced a refresh or a login if it was different.
I remember back in pre-teen days (just when I was starting to get curious), the internet was without Google, dial-up was fast, internet porn was innocent, and our home network consisted of one PC running Windows 3.1 in our living room. I relished those times when my parents would leave me (or me and my friends) at home to go out to eat, leaving nothing but these 10 lines between me and my hungry eyes.
I think my first hack was figuring out how to cover my tracks by making a backup of Netscapes's cache and cookies before going on my adventure then restoring the browser's history back to it's original state as soon as I saw those headlights pour through our dining room windows.
Ah those were the days. . .this was even back before E/N hit the scene.
Can anyone point out the "report as inappropriate" he claims to have used? I can't find it on either current Amazon pages or Google Cached ones.
If it indeed points to an unsecured GET statement, that supports the claim. If it doesn't, that opposes. If it did and has been fixed in the past day, that's nearly proof.
People are so gullible to believe a troll saying "I did it". Spend 15 minutes catching up on any military conflict and you'll quickly find that any unconventional attack has several groups claiming responsibility. It's just how it goes.
And getting so highly rated on HN is that time-honored tradition known as _feeding the trolls_. Please don't feed the /b/ trolls.
112 comments
[ 2.0 ms ] story [ 279 ms ] threadRather funny no?
Amazon has generally followed the tradition of booksellers and libraries in the free world, erring on the side of inclusion, with regard to controversial topics. Given that most of the 'excluded' books were hardly controversial at all -- even anti-gay activists rarely expect major retail chains to drop gay-themed works -- a 'glitch' or hack/prank was always more likely than an intentional Amazon decision.
Let's face it, Amazon's system probably doesn't require large numbers of users flagging something before it takes automated action, because the average book just isn't going to get that much attention. So combine a likely low barrier to removal with a CSRF hole that lets you trick people into flagging whatever you want them to, and... you get exactly the result people are raging about all over the internets.
http://bryant.livejournal.com/672165.html
While the method is plausible, the rebuttal is plausible as well. Who to believe?
Really? How are gays and lesbians persecuted? Gays now have more rights than most other people. I would rather be gay than be fat.
And they have that universal excuse ("you're firing me because I am gay?") that they use in any situation (almost as good as the “you're <doing something that does not suit me> because I am black/a woman/Jewish/a vegetarian?).
Why don't everybody just leave everybody else the f*ck alone?
It is because gay people wants to force acceptance to all people that believe differently. If there is a church/religious institution that does not “accept” you, why don't you fucking start your own?
Why do you have to whine about “homophobia” (a misnomer). And why do you have to whine especially on the Internet? (you are getting almost as irritating as the Atheist Army (e.g. www.reddit.com/r/atheism)). NRA supporters do not whine on national television about NRA-phobia. Hunters do not whine about hunting-phobia. Yet they will be treated worse in liberal areas as liberals will be treated in conservative areas.
The most persecuted group is middle aged white males – they have to hear how bad they are from black people, feminists and gays. If they are successful in an area (such as engineering for example) it must be their fault for “disadvantaging” black people or women and that they are “overrepresented” (i.e. will not be promoted in favour of a “designated” group). I wonder when we will start seeing Gay Economic Empowerment!
Gays are SPECIFICALLY excluded from many legal rights heterosexuals enjoy.
One of the few things that they whine about is "marraige". Well, uhm... start your own church and start marrying people - you don't need the government for that.
(They do want the state to name it marraige instead of "civil unions" because that would force people to accept them).
Marriage confers many benefits, including financial, guardianship (of children), visitation rights, control over partner's affairs when the latter is incapacitated, etc.
At the Federal level, the US prohibits same-sex couples, even if they are married in another country (http://en.wikipedia.org/wiki/Gay_marriage) to sponsor each other for immigration.
These are things heterosexuals can take for granted, but our gay friends cannot.
Everyone is equal in the eyes of the law. Gay and straight are bound by the same laws - if a gay person ever wants to marry a woman he can (no questions asked). There is not two sets of laws - the tax law is the same (yet no one worries about that).
I would personally like to see the state absolve marraige and leave everything at civil unions. The only reason why the state should even have that is to keep track of children.
> Marriage confers many benefits, including financial
Uhm... yeah. We should therefore discriminate against people who are not married? If there is a benefit provided it costs someone something (in this case the burden is on unmarried people).
> control over partner's affairs when the latter is incapacitated
Uhm.. tried having a signed letter to the appointed executor? This can be solved within 5 minutes with a printer and 5 signatures.
> At the Federal level, the US prohibits same-sex couples, even if they are married in another country (http://en.wikipedia.org/wiki/Gay_marriage) to sponsor each other for immigration.
So, this is nothing major. The USA also have quotas for certain countries. Does that mean that the USA is racist towards that country?
The USA also have requirements for education levels. Some countries (esp. Australia) is fairly strict against people with transmittable diseases (e.g. AIDS). Does that mean that they discriminate against sick or stupid people?
In the same way that you, presumably, wouldn't want to marry/sleep with someone of the same sex, so a homosexual wouldn't want to marry someone of the opposite sex.
The question is, why do State governments specifically prevent same-sex unions? There are already 7 countries that have gay marriage.
From marriage all the other legal benefits flow.
> I would personally like to see the state absolve marraige and leave everything at civil union
Agreed - but not limited to only heterosexuals.
> Uhm.. tried having a signed letter to the appointed executor
Why do gays have to do extra work that heterosexuals get "for free"?
> So, this is nothing major. The USA also have quotas for certain countries.
Imagine the following: you are American, and marry the love of your life, a Canadian, in Canada. Now, if you are a man + woman, you are allowed to bring your spouse into the US, but if you are a same-sex married couple (yes, Canada has gay marriage), then you cannot.
This has nothing to do with quotas, or "profiling" for numbers or against health-risks.
Uhm... Can't homosexuals have civil unions? Also - what is the use for the state? It does not need to keep track of the offspring.
> Why do gays have to do extra work that heterosexuals get "for free"?
It takes 5 minutes. Most straight and sane people do it in any way - it is simply a good practice (just like writing a will).
> but if you are a same-sex married couple (yes, Canada has gay marriage),
If the person you married was a woman with AIDS (or if you have a child with AIDS) you will also most likely not be able to come into Australia.
Also - if you benefit gay couples you conversely discriminate against 2 single people.
No, that's exactly my point. In most states there is no concept of civil unions for homosexuals. And furthermore, they also don't recognize civil unions from other states. This is in stark contrast to recognition of heterosexual unions.
> Also - what is the use for the state?
It is not about the state; it is about individual liberty.
> It does not need to keep track of the offspring.
Not sure I understand what you mean?
> It takes 5 minutes. Most straight and sane people do it in any way - it is simply a good practice (just like writing a will).
So maybe the government (state and Federal) should simply not recognize Marriage AT ALL?
> If the person you married was a woman with AIDS
Homesexuality is not a disease, dude.
> Also - if you benefit gay couples you conversely discriminate against 2 single people.
Single people choose not to get married. But with gays, the state forces them to stay single.
If this story turns out to be true (seems perfectly likely) maybe they'll finally start taking them seriously and fixing them.
http://news.ycombinator.com/item?id=263673
What a whackjob. Quotes:
"I contend that trolling is the chief moral arbiter of the Internet. I see little difference between the methods performed by trolls on the Internet when they ruin the lives of furries and pedophiles and the methods used by Moses when he ordered the idol worshippers killed. Martin Luther contended in his tract "On the Jews and Their Lies" that if Moses were alive today he'd be busy burning synagogues. I'm inclined to agree; the only thing keeping us deriding furries on the Internet instead of going to their furry conventions and rapidly exterminating them is the Jewish influence upon society."
"I used to be for the mass extermination of the physically disabled, but my business associate Claudia reminded me of how the ancient greeks made an effort to find means of living for their disabled; Homer was blind but still managed to become a defining influence upon Western civlization. I believe that without the narcotic of state welfare these people would find a positive means of living."
"Upon some timeline Protestants are going to have to stand up and admit that it is their belief system that made their nations so great, and that without their persistent influence they will degrade into the third world shitholes from which they began."
I guess it is easy to be a prick when you are only looking at pixels.
There are pundit rating sites out there now.
I've got NO doubt that this is going to have a noticable negative impact on Amazon's profits. Not world shaking, but more than enough to make the lawyers angry.
As another commenter mentioned, he's been in a NYT article, with his face and full name displayed. Amazon won't have any trouble finding him.
While he's certainly mischievous and possibly malicious, he didn't actually do anything that I think should be illegal. He merely used Amazon's flawed system against them, at considerably personal expense. He hacked them, in other words.
I can't agree with his aims in this case but you've got to hand it to him really - you don't have to like trolling in general to admit that was an amazing troll. It shouldn't be illegal and he shouldn't be able to be sued. Society would be worse for it, counterintutive as it may seem.
Registering multiple false user names?
Giving false feedback?
Restraint of trade?
I'm not a fan of government prosecuting someone for registering on Facebook with the user name "Joe Schmoe" in order to blog anonymously about their crappy job at Microsoft.
...but I have no problem at all with the government enforcing laws against using aliases to log into a system and inject bad data in order to create a public relations firestorm?
> He merely used Amazon's flawed system against them
I'd be somewhat pissed if someone used my flawed front door lock (pickable by anyone with a set of picks, 60 seconds to spare, and decent picking skills) against me.
"Oh, all I did was hang a sign in the window saying 'A child molester lives here' - what LOLZ!"
Yeah, OK, great, that's a wonderful "hack".
Amazon shouldn't just blindly accept data and trust it is legitimate.
Same with creating false accounts.
You can't really compare it with breaking and entering a house.
At the end of the day, IMHO this shouldn't be illegal, and no action should be taken. Amazon was extremely silly to accept user flagging from a GET request in an iframe.
How is what your're saying different from, "I didn't send those DDOS packets, the lusers executing my trojan program did!"
How about: "IMHO, that shouldn't be illegal. Mrs. Smith was extremely silly to believe that a consumer door lock and sticking her life savings under her mattress was a good way to secure money."
The correct response IMHO is for Amazon to realize they were stupid, and fix it. If you sue etc you put out the signal that being stupid is fine - you'll be able to sue someone if they take advantage of your stupidity.
But then we live in an age where if someone doesn't tell you explicitly that your coffee is hot, and you spill it, you can sue them...
Also, you can argue that not suing is sending out the wrong message -- that manipulating the flagging mechanism is cool, so long as you're a cool, clever hacker.
If I was running a business, and my employee left a storage shed unlocked, I shouldn't prosecute the thieves because I did something "stupid?" Uh, no. Most people would suggest that you make sure locking the shed is on the checklist and you prosecute.
Someone else being stupid doesn't give you a "Get away with being an asshat" card.
It's like those people who buy those terrible cheap car alarms that go off at anything at all and then don't stop for an hour. Their car is sitting there, ruining everyone's quality of life with its incessant blaring. Can they just excuse themselves by saying "well it's not me, it's the car alarm"? Of course not. If you own something, and that something is capable of harm, it's your responsibility to ensure its integrity. Blithe ignorance is no excuse at all.
The door lock/money under the mattress analogy doesn't hold up. Mrs Smith did not invite millions of visitors from around the world into her house to walk around her bedroom, relying solely on the mattress to hide her treasure, and if she had no-one would have much sympathy when one of them eventually looked there. Amazon did invite such behaviour and should have taken appropriate safeguards. This is no-one's fault but their own.
If Mrs. Smith was running a bric-a-brac store and didn't know how to secure her display cases, then it's alright to shoplift from her?
If Mrs. Smith was holding a big party at her house, then it's alright for a party goer to steal her life savings?
If I hand a firearm disguised as a jelly donut to a random bystander, then they shoot someone with it, it's their fault and not mine?
Amazon messed up. It doesn't justify Weev's action. He could've just told them. Deception and malicious intent are markings of crime or antisocial behavior. That's just common sense!
The fact is, nothing was stolen and no-one died. You're all about "intent" so intend this: this whole story is one guy exploiting Amazon's flawed security to annoy gay people.
I do not even like Weev. This is nothing but principle, namely - should the government be papering, with the full force of the law, over the cracks in Amazon's security?
I say, "no". You say "yes". We are each convinced of our righteousness. Let's leave it there.
Someone absconding with that bag is stealing. Period. They didn't pay for that bag, why are they leaving the store with it? The thief is wrong. Nothing grey about that.
The problem here is that Weev's intent was to deceive and have a particular group's books effectively censored. This fits in with Amazon's Terms of Use? I don't think so. There is no grey area. If Weev wanted to improve the world with his hacking, there are tons of ways he could've done this without hurting anyone (reduced income), deceiving anyone, or running afoul of the TOS.
Prediction: if you go any further, your analogy generator is just going to illuminate how far you have to grasp for straws. (And I'll also note that I have been careful to construct relevant analogies, usually 2 or 3 at a time, picking the best fit. Also, your feedback in the discussion has resulted in iteratively more damning analogies.)
Let's see it!
Giving false feedback?"
Well then, unless your actual name is "tjic" then we are both criminals right off the bat. And since when is the government in the business of checking whether feedback is "false" or not? That's the company's job. It's not illegal to lie unless you are under oath, and nobody was.
"Restraint of trade?"
I don't see how Amazon's trade has been restrained in any way, shape or form. Unless you consider criticism or bad reputation to be restraint of trade, in which case any criticism is fair game. Very dangerous ground.
"but I have no problem at all with the government enforcing laws against using aliases to log into a system and inject bad data in order to create a public relations firestorm?"
Who says it's bad data? What's wrong with aliases? You're trying to legislate against intent.
And your example of how Joe Schmoe should be protected even though he's slagging off Microsoft - MS will say that's bad data bringing a PR firestorm. It just doesn't work.
"I'd be somewhat pissed if someone used my flawed front door lock (pickable by anyone with a set of picks, 60 seconds to spare, and decent picking skills) against me."
Dear god, not this argument again. Look, physical security is NOT the same as network security. It is impossible to totally guarantee physical security. It is possible, even easy, to create perfect network security. The two are totally at odds. Creating a few fake accounts and submitting some votes (which Amazon encourages) is not even remotely similar to breaking into your house and placing signs advertising your partiality to child molestation.
You are giving Amazon a free pass for their lax security practises, and placing all the blame on some random guy who had the balls to admit he did it. And if it was illegal, the only thing that would change is that he wouldn't have admitted it. You can't have laws like that. You may as well try to make a law that everyone has to be nice.
Sometimes that's a sign that your point of view is out of whack. (And being able to realize this is a mark of true learning. And yeah, it is painful sometimes.)
What happened here is more like Whole Foods setting out free samples. If someone concocted a scheme to walk out the front door with all of the free samples, I would not be at all surprised if the perpetrator were taken off to jail. "But Whole Foods encourages you to take them!" yeah, right. Something smacks of rationalization here.
Same goes for you, of course ; )
Unfortunately, regardless of who is ethically right or wrong, my view will retain the upper hand, for the simple fact that the network is global, and whatever laws you pass in any country will not, nor ever, apply to all. For this simple reason you must continue to consider security the sole responsible of the proprietor, and assume the complete legal immunity of the customer/attacker (same thing).
"If someone concocted a scheme to walk out the front door with all of the free samples"
I do not particularly care for the idea of the judiciary being involved in rationing out Whole Foods' free samples. I do see your point - theft is theft, after all - but do you really want to make an obvious prank illegal? Outright shoplifting is one thing. Pranks are another, and they were free samples. You're so enthusiastic to consider intent in your other examples, why forget all about it in this one?
It's not the intent as a prank that's the problem. It's the intent to have the particular effect that he did. I'm sure Amazon's Terms of Use would preclude what he did.
Under US law, there is no such thing as a sole "actual" name. Any name that you use for non-fraudulent purposes is a legitimate name.
TJIC is my initials: Travis James Ignatius Corcoran.
I have been using it as a legitimate name for 15 years. My mom addresses emails and letters to me using that name.
So, no, I'm not a criminal.
...but if someone signed up for an account at Amazon using 500 different names, and one of them was "TJIC", and the intent was to inject bad data ... yes, that person would be a criminal.
"but if someone signed up for an account at Amazon using 500 different names, and one of them was "TJIC", and the intent was to inject bad data ... yes, that person would be a criminal."
No way. Guaranteeing the integrity of Amazon's Customer Review data is not the job of the state. Guaranteeing the legitimacy of the name(s) used to sign up for accounts is not the job of the state. Assessing the state of mind of someone filling in Amazon's complaints form is not the job of the state.
I am kind of amazed you think the government or the law should be even tangentially involved in any of this.
According to many theories, much of the point of the state is to lower transaction costs.
That's why states get involved in things like creating default rental agreements, setting up standards of weight and measure, inspecting pumps at gas stations, stamping out ponzi schemes, running courts to enforce slander laws (even when the target is a corporation), etc.
I'm a pretty extreme libertarian. I'd like 99% of the government to go away. Maybe more.
...but I'm going to assume that we're holding this debate in the real world, not in a science-fictional Heinlein-esque anarcho-capitalist moon colony. ...and if that's the case, then 99.9% of people think the job of the state DOES include stopping people from intentionally gumming up third party transactions.
This guy is a jerk, and he's making society slightly less good. As a society, we should try and avoid the tragedy of the commons, or else we won't have a society for much longer. Someone needs to remind this guy, in an official capacity, that his actions are not appreciated or tolerated.
The quality of the troll is also irrelevant. The fact that you commit a crime really well doesn't make it any less illegal.
That said, I'm not certain what he did should have been illegal. But I can't think of a single reason he shouldn't be sued. There's no way he didn't forsee loss of revenue for Amazon. If you deliberately cause harm to another person, even if you work out how to do it without technically breaking the law, they should absolutely be able to get their loss back from you.
How the hell should anyone be able to drag someone through the courts on the grounds that they might have lied about about feeling sick or not? And what could you possibly do when he just says "I did feel sick" - "no you didn't"? Yes I did, no you didn't?
I don't think you've given much thought to the complexities here. Laws have to be workable and practical and err on the side of freedom of speech and action. Trying to legislate niceness and truthfulness is pure folly, especially considering the imbalance of power between a corporation (or restaurant!) and a person.
http://en.wikipedia.org/wiki/Defamation
I would suggest that a reasonable demonstration of evidence supporting the claim should be required before the other party is even notified and such a requirement have no impact on the actual case. Also a public defendant should be provided to defend you etc. Basically, a presumption of innocence until demonstrated otherwise.
Consider the small startup eating an established business's lunch; surely the startup isn't liable for the losses of the larger company.
There were ways Weev could've made his hacking skill known without such negative impacts. He cared more about the notoriety than preventing harm to bystanders. (Though to be fair, he probably has rationalizations for why these weren't "real" negative impacts.)
I never said what he did was ethical, but I'm trying to say that just because an event reduces revenue doesn't mean its something that can be sued over. IANAL but it would have to be on the grounds of libel. (Which is likely, but parent never brought that up)
If his hack involved writing an innocuous demo script and presenting it to Amazon or at a conference, this would be one thing, and society is better off for the freedom to make such discoveries and talk and write about them. Society is certainly better off when it accords freedom of speech. But academic freedom ends where you start to impact other's freedom of speech. (Like effective censorship of Amazon listings.)
All my life, I've had this background occurrence of strangers have coming out of nowhere to try and haze me with some racial epithet. Almost all of these idiots carry this air of striking some sort of blow for truth and beauty, as if they're defending motherhood and the American way through their yelling and insults. To me, Weev and his ilk have the exact same sort of misguided self-righteousness.
I'm sure the one who hazed that young girl into committing suicide on MySpace felt just as clever and justified.
(Many of those Weev targets may have the same self-righteous chip on their shoulder as well, and may be just as bad in their way. It's just not a productive way to expend mental energy.)
But ultimately, it was Amazon who took the action to remove the listings.
(Unnecessary disclaimer: I'm a huge fan of Amazon, and hardly a week goes by that I don't buy something or other from them.)
But he didn't repaint the signs. At worst, he convinced a few other people to call up the DOT and say "That stop sign shouldn't be there, please change it to a 55 MPH speed limit sign." If the DOT then goes and changes the signs without appropriately verifying, then it's on them...
I realize as programmers that we might think Weev's (purported) actions are directly responsible for the de-listing, but they aren't. It's ultimately Amazon's code that did the de-listing.
If I was an author of those books, who would compensate me for my lost income? You?
He's like the kid dropping rocks off the overpass for shits and giggles - pathetic.
Yeah man. Except for the overpass, and the kid, and the rocks, that is a very good analogy.
It boggles the mind that anyone would do this, but they evidently do, and you may well have to defend against it.
The intent is the same whether or not you walk through the open door or break the window.
While I admire the guile and technical reasoning required to pull this off, it's high time the community at large stop admiring this type of crap.
Authors of the books in question lost real money. It doesn't matter how much. Amazon lost credibility from all sides.
There is a difference between screaming that the Emperor has no clothes and stealing his wallet.
Many of those same books got lots of extra attention from elsewhere, as examples of affected titles.
So some authors probably lost a little, others gained a little (by either being examples, or simply filling the slots emptied by affected titles).
If the loss to specific titles was significant, Amazon could easily restore the previous balance with a few days' enhanced promotion. So the amount of 'victimization' here is pretty small.
It always surprises me how quick people are to jump to the conclusion that the website operator is at fault for these sorts of malicious uses. It flies in the face of simple economics. The burden on Amazon to protect its site probably ranges in the thousands or millions of dollars; the benefit to the malicious user is a couple of laughs and a funny blog post. It would seem economically inefficient to say that the burden lies on Amazon, in this situation, to protect itself.
(Indeed, I don't believe anyone would analogously say that a thief is not responsible for acts of theft, because they provide a "free lesson in home security" to the victim. Why the difference when we move to the online realm?)
At the end of the day, do I think Amazon really deserved to be "taught a lesson"? No; he could have just contacted them with the exploit and been done with it. Could it have been worse? Most likely, yes. Plus, I found the resulting e-uproar to be quite hilarious. To think, people actually believed Amazon would intentionally and openly discriminate against those groups out of no where... it's very laughable, you must admit.
Is having that system in place a mistake? What if the alternative system, that never has a 2-day-screwup, also means fewer lehappy customers and less-profitable operations the other 363 days?
As for me, I'm considering looking for a new default myself. Powells, here I come?
Why? You know it was nothing more than a CSRF by a troll. That's like saying you're not going back to a store because it got tagged by some punk kids one night. As long as they clean up, what's the problem?
Someone breaks your car window with a brick, but doesn't steal anything.
You thank them for showing that car windows aren't brick-proof.
http://valleywag.gawker.com/5032989/journalists-do-it-for-th...
http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html
Either way, I think this is a cash cow and fertile conditions for any startup whose primary function is a sort of opt-in form of censorship, more or less the startup would act as a proxy for each IP. For the most part, I think their rage is fairly valid since this demographic is probably just old, confused, and sick of scouring the internet for web-sites to block.
I think my first hack was figuring out how to cover my tracks by making a backup of Netscapes's cache and cookies before going on my adventure then restoring the browser's history back to it's original state as soon as I saw those headlights pour through our dining room windows.
Ah those were the days. . .this was even back before E/N hit the scene.
If it indeed points to an unsecured GET statement, that supports the claim. If it doesn't, that opposes. If it did and has been fixed in the past day, that's nearly proof.
And getting so highly rated on HN is that time-honored tradition known as _feeding the trolls_. Please don't feed the /b/ trolls.