I didn't mean to trivialize the issue. You describe a problem that arise when multiple parties share data with "presumptions of trustworthiness" i.e. do not perform proper input validation. No?
I looked briefly at the encoder and it looks like the ad names are truncated on the size 32. Not sure why the threat actor would do that do. I guess they need some size limitation and just picked an arbitrary number
1) Is that really a bad thing? Isn't it generally a good thing that law enforcement finds law-breakers?
2) So do drunk drivers that crash.
3) You're arguing against yourself. Yes, it's bad that bad guys get notified so they can avoid checkpoints.
4) Shouldn't law enforcement spend their time enforcing the law? It's well spent time IMO. As you say in (1), they also solve other more serious crimes (e.g. finding wanted criminals)
Author here. Thanks for your comment. I think you have a valid point about users clicking anything. However I would only say that's the case if you send around 20 phishing mails. In a targeted attack you want to send one or two phishing mails and you wanna maximize your chances of success to avoid a reaction from the blue team.
I agree that the impact is low compared to other vulnerabilities. It is definitely the case that you get a t-shirt (at best) for it. Though, my point is that they could be critical for the users, not for the website itself. An attacker that don't really care about the vulnerable website can still exploit the trust in the vulnerable website to perform attacks on the user he is interested in (e.g. hash stealing or malicious redirects). In fact, I believe malicious redirects is a really common payload of XSS flaws.
Firstly, it is not possible to opt out of facebook. [1] And they do indeed collect private data that we didn't choose to share (shadow accounts, third party website trackers, etc).
Facebook have broken "actual laws". There are so many cases were facebook have broken the law. [2] [3]
Also, please read up on Fallacy of relative privation ("not as bad as").
That's one of the main takeaways from the story tho. In an open office those who need silence cannot get it, even if there are private rooms available: "Some of us even feel that escaping to a quiet room is a sign of weakness" and "it can feel as if we’re not pulling our weight if we’re not present"
Most definitely. In my experience ideas are rarely valuable by themselves. Rather an idea is valuable when implemented by someone who have what it takes to see it through.
Simply put, not a lot of people have what it takes just because they filed a patent.
I don't think they are comparable. I run both. NoScript is a security suite – besides blocking java, webgl, flash, silverlight, javascript, etc – it has additional defenses against XSS, ABE, clickjacking etc.
uBlock was to my knowledge never developed to securely stop scripts and deter drive-by attacks etc. It should be used for adblocking, not for security.
4) Film a video that looks like a DEFCON speech. Some simple video editing should fix the face. Voice likely doesn't matter. Start speech by saying "oh this talk is not listed, we changed topic last second"