Mark Zuckerberg’s Facebook page was hacked by an unemployed web developer (washingtonpost.com)
189 points by chrisdinn on Aug 19, 2013 | 161 comments



Although this is blogspam, it's a blogspam that I can actually support...

This is being covered a lot more widely because FB didn't just pay the guy. I know it wasn't about money for FB, but this has easily done a lot more damage than they would have expected, and because of their inadequate handling of a single bug report, I can only feel satisfied as I think this will go down as a good case study of how not to be so dismissive with critical bugs.

(I still think they should pay the guy, and it should be double the $5k he would have expected to receive).


Dismissive and ignored? Did you read what he submitted to them? It made no sense. He vaguely stated that there was a bug and his education. His bug report was nonsensical. I am not even slightly surprised they ignored it. And he violated the TOS before he even ever tried to post to Zuckerberg's wall.


Having dealt with fellow developers that don't have perfect English or have thick accents, I think it's quite unprofessional to dismiss someone's complaint without even trying to understand them. It's great for us native English speakers that it's such a dominant language, but I think we should all give a little more respect to others where it's clearly not their first language and they're the ones having to go out of their way to communicate with us. I for one am glad I don't have to deal with the bilingualism. With a bit more empathy and less dismissiveness the whole thing could have been avoided.


I am not a native English speaker. Although I study in England (University of Manchester), I believe half of my course mates are not native speakers either. At least the ones who turn up to lectures. People try to explain their algorithms and ideas in broken English with damn thick accents, but they DO explain. They put in effort.

From what he managed to write in the blog post, he CAN write English which is not THAT bad.

But this dude doesn't really bother. Hey Facebook, there's a bug. Wanna know it? How about you... beg me to tell you?

I am quoting him: whatever , i dont care for miss spelling , just the idea , i never correct an underline red word ;)

Did FB treat it properly? No. Did he act properly? Not either. But since it's FB... THEY ARE EVIL!!!!111!


You do make a good point, but at the same time I was easily able to understand his original bug report. I agree that both sides should be making a little more effort, and engaging in a bit less drama.


He didn't make a bug report. He didn't specify how he could post to other people's walls. All he said was that he could, and that he already broke the ToS by using it on another person's account. This was his original report:

    -----Original Message to Facebook-----
    From: kha****@hotmail.com
    To:
    Subject: post to facebook users wall .

    Name: Ḱhalil
    E-Mail: khal****@hotmail.com
    Type: privacy
    Scope: www
    Description: dear facebook team .

    my name is khalil shreateh.
    i finished school with B.A degree in Infromation Systems .

    i would like to report a bug in your main site
    (www.facebook.com) which i discovered it .

    repro:
    the bug allow facebook users to share links to other 
    facebook users , i tested it on sarah.goodin wall and i 
    got success post
    link - > https://www.facebook.com/10151857333098885
    -----End Original Message to Facebook-----
From that, you surmised that he exploited the "make a new wall post" form by replacing the user ID with another of his choosing?
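The bug the report above describes (a logged-in user writing a link onto the wall of a user who is not their friend) is a missing server-side authorization check on the target of the request. The following is an added illustration, not code from the thread or from Facebook: a toy wall-post handler in its vulnerable form next to a hardened one. The user names, the friendship table, the `can_post_on_wall` rule and the `PermissionDenied` exception are all assumptions constructed for the example; the real rule on any site is whatever its product defines, but the shape of the fix is the same: decide from the authenticated identity and server-side data, never from a target id the client supplies.

```python
"""Wall-post authorization: vulnerable vs hardened (constructed example)."""

# Constructed sample data. "alice" and "bob" are hypothetical users;
# friendship edges are stored symmetrically.
USERS = ("khalil", "alice", "bob")
FRIENDSHIPS = {("khalil", "alice"), ("alice", "khalil")}


class PermissionDenied(Exception):
    """Raised when the hardened handler refuses a post."""


def make_walls():
    """Fresh in-memory walls: owner -> list of (author, link)."""
    return {user: [] for user in USERS}


def are_friends(a, b):
    return (a, b) in FRIENDSHIPS


def post_vulnerable(walls, session_user, target_user, link):
    """Trusts the target id taken from the request body.

    Any authenticated user can write to any existing wall, which is the
    behaviour the bug report above describes. Returns the stored post.
    """
    if target_user not in walls:
        raise KeyError(target_user)
    post = (session_user, link)
    walls[target_user].append(post)
    return post


def can_post_on_wall(actor, owner):
    """Assumed policy: you may post on your own wall or a friend's wall."""
    return actor == owner or are_friends(actor, owner)


def post_hardened(walls, session_user, target_user, link):
    """Same handler with the authorization decision made server-side.

    `session_user` must come from the verified session, not from the
    request; `target_user` is still client-supplied and is only used
    after the policy check passes.
    """
    if target_user not in walls:
        raise KeyError(target_user)
    if not can_post_on_wall(session_user, target_user):
        raise PermissionDenied(
            f"{session_user} may not post on {target_user}'s wall")
    post = (session_user, link)
    walls[target_user].append(post)
    return post


def run_demo(link="https://example.invalid/link"):
    """Exercise both handlers on the same constructed data.

    Returns a dict describing the outcomes so the behaviour can be checked
    without reading printed output.
    """
    vulnerable = make_walls()
    hardened = make_walls()
    post_vulnerable(vulnerable, "khalil", "bob", link)   # non-friend: accepted
    post_hardened(hardened, "khalil", "alice", link)     # friend: accepted
    post_hardened(hardened, "khalil", "khalil", link)    # own wall: accepted
    try:
        post_hardened(hardened, "khalil", "bob", link)   # non-friend: refused
        refused = False
    except PermissionDenied:
        refused = True
    return {
        "vulnerable_bob_posts": len(vulnerable["bob"]),
        "hardened_bob_posts": len(hardened["bob"]),
        "hardened_alice_posts": len(hardened["alice"]),
        "hardened_refused_non_friend": refused,
    }


if __name__ == "__main__":
    print(run_demo())
```

The hardened handler is also the place to record the refusal in an audit log, since a burst of denied cross-wall posts from one session is exactly the signal a security team would want when triaging a report like the one quoted above.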


When you're working across cultural boundaries you realise that most problems stem from an incorrect assumption.

In this case Khalil probably held the incorrect assumption that an actual demonstration of the bug would be how Facebook would want this to be reported, hence the lack of details.

It's not unreasonable for him to think Facebook would take a look at their HTTP logs to find out what happened.


Enough to get a sense of his thinking there was a problem, and look up his and Goodin's accounts to see what he meant. Certainly it warranted clarification, and I appreciate that the FB support team must get a lot of nonsense/stupid requests, but that's why they get paid the big bucks.


I agree with that completely; however, common sense should have told him that demonstrating an exploit on a third party was a really dumb idea. It has nothing to do with TOS or language barriers.

That is why he isn't getting paid (yet?)


I think it's more telling that the lack of professionalism displayed by an unemployed developer is the focus, and not the fact that an unemployed developer with a lack of professionalism discovered this hack. This could have been exploited so much worse than it was. Just because he didn't follow unwritten rules of disclosure doesn't mean that Facebook didn't majorly mess up here. The details of the dev and his behavior are quite trivial, in this case.


> Just because he didn't follow unwritten rules of disclosure

Are you referring to those unwritten rules that are written here: https://www.facebook.com/whitehat


Someone in another thread pointed out that that page doesn't get translated when you set the language to Arabic; it seems likely that the guy just couldn't understand the whitehat TOS for that reason.


I don't view that as a valid excuse not to follow the rules. Admittedly, I don't know any other language than English. But if I was setting out to participate in a bounty program run by a company that didn't have their website in my language... I would most certainly make sure I had someone to tell me what the rules are. Other people have condemned him for not knowing English. I don't fault him for that. But there is no excuse for not knowing the rules.


You still haven't explained why this matters. Facebook has a lot more responsibility than this developer. Get off your high horse. Even if Facebook wrote down these supposed "rules", they have no authority to enforce them (other than in relation to their supposed bounty program), so it's a moot point.


It matters because Facebook created their bounty program and created the rules around it. They absolutely have 100% authority to enforce them. There is nothing supposed about either the rules or the bounty program. They are not hypothetical. They both quite obviously exist and links to them prove their existence. I don't really follow what you are arguing. The developer has the responsibility to follow the rules of the program if he wants to participate in the program. He did not. Facebook has the responsibility to enforce the rules of the program. They did. So... yes... this is all moot.


But this thread isn't about the bounty program.


You brought up the rules of disclosure... not me. And you said they were unwritten... so I was trying to let you know that they are, in fact, written. If you were not talking about the bounty program then I have no idea what rules of disclosure you are talking about and I'll move on.


It's not about a lack of English language skills.

His English is actually good enough. In the post he posted on Mark's wall you can see the language is good enough and I saw the video interview too where he even spoke well enough.

A technical and step-by-step report was well within his capability.

He could attach screenshots or create a video demonstration.

He used the bug on real users (2 of them!) one of them being Mark Zuckerberg which has obviously created huge negative PR for Facebook.

If someone tests a bug on your Facebook account how happy would you be?

Facebook can't reward someone who used a bug against its users.

On top of that he has damaged their reputation too. Almost all major news sites have written headlines similar to "Palestinian developer hacked Mark Zuckerberg", "Security vulnerability found in Facebook" etc etc which I'm sure they are not super thrilled about.


I don't think it is as cut and dry as that. The reply that 'this is not a bug' showed a lack of concern that the reporter may have been having difficulties correctly submitting information about what would be a very significant defect, if true.

A community member taking the time and interest to try and go through proper channels to submit a vulnerability should, IMO, be given more respect than was shown by FB.


The problem here is that if FB took every single bug report that they got 100% seriously, they'd never get to the real bug reports, but would just constantly be sifting through the spam. You have to make educated guesses on whether or not a report is just useless spam. This report, the way it read, shoots off a lot of spam flags. I understand why he got dismissed so easily and frankly it is his fault. Nobody has enough staff to hold hands with every single bug submitter regardless of what they send.


Replying "this is not a bug" is equivalent to saying "I have read and understood your report, and this is not a bug, it is a feature." First off, it's not a dismissal, it's an acknowledgement. Second, since it's not a bug but rather a feature, then how does using the feature violate the ToS?

The correct reply might be something like "cannot understand or reproduce, can you explain more clearly?" along with some bug report guidelines.


I definitely agree with you on this. The response from the engineer could've been better. Some sort of canned response would have worked.

IMHO, the whole ToS business was a way to give him a slap on the wrist for embarrassing them.


Embarrassment is a very relative thing - it looks to me like the majority of comments on this HN post are saying the guy was in the wrong for breaking the TOS and I have to say I agree. Facebook haven't been embarrassed, they've just upheld a policy which says that they won't pay anyone who doesn't play by the rules. Quite fair, in my opinion.


>they've just upheld a policy which says that they won't pay anyone who doesn't play by the rules. Quite fair, in my opinion.

My first thought is to say to facebook "Oh, I thought you were interested in fixing bugs. I'll know better what to do next time." Are you forgetting that the purpose of the bounty program is to protect facebook users by discovering and fixing bugs before spammers get the chance to use them? And that spammers pay real money for bugs like this one?

It's an awfully high standard to hold people to, considering the fb ToS is not translated to the guy's native language.


It is within our right however to protest against Facebook's decision, especially with the way it conducted itself before with the 'This is not a bug' response it gave.


Exactly! In any kind of support role the number one pattern you observe is that there is always a lack of information. Maybe they are flooded to the point where they really cannot respond to these reports, but from what I've seen over 2/3 of support requests and bug reports require extracting more information from the submitter (even when the form specifically states to provide as much detail as possible with examples).

I just chalked this up to a guy that was so excited to have discovered such a major flaw on facebook in disbelief. And yes they have rules and guidelines in place to protect users but clearly this was a case where a little creativity in handling situations would have helped educate the developer that this isn't how things are done at FB and get him on the right path while acknowledging his contribution without celebrating it... amateurs. This was almost guaranteed to be a publicity incident but then again maybe any publicity is good publicity :).


At USENIX this year, Chris Evans gave a talk about how Google does their VRP. Specifically, he mentioned that there weren't many false positive reports at all, way fewer than he expected there would be. In general, most bugs have something to them. Google has a long history of following up on bug reports with little or nothing to go on, because they take their jobs seriously, and aren't antagonistic to community bug hunters. FB would do well to take a leaf out of their book.


As I mentioned in the reply above, the engineer's response could've been many times better, but you have to agree the bug submitter gave them practically nothing to work with.


Clearly, any website the size of FB and its huge resources, needs to have an option for bug submitters to submit bugs in their NATIVE language.

I bet if the submitter had written the bug report in Arabic, and FB had a professional translator on their security team (with some technical background), things might have been very different and we may not even be having this discussion.


Sure, the guy's bug report was terrible. However, the blame is squarely on FB. It's the security team's job to follow up, and to ask for more information if they don't have all the details.

Contrast this with how Google responded when someone posted a Youtube video showing a Chrome exploit - they guessed that it was a Flash-based vector, collected millions of sample files and fuzzed for days to eventually discover the bug - based on a YouTube video that they could have also discarded as 'not a bug' based on lack of evidence.


Hardly anyone files a bug for fun. I can't imagine that the masses would file bugs since they don't know what they are in the first place. So when anyone files a bug and attaches their name to it, they should be taken seriously. What was more important was that he made it clear that he made a post on someone else's timeline without being friends with them. Red flag right there.


In the original thread a Facebook security researcher mentioned that they receive a lot of reports that just aren't bugs ("I view source and my password is there in plaintext!")


To all hackers: If you speak perfect English, please proceed to submit exploits to the FB security team and collect $5k on your way out. If not, post to blackhat forums and receive $10k. Or use the exploit to manipulate FB stock price (I'm sure posting as Mark would move the stock price significantly, if only for a few minutes. But that's enough to earn a lot more than $5k).


He posted on Mark's wall, not as him.

Also, relative to other places you could be spending your time, FB security issues yield relatively little in the blackhat market because of their highly responsive abuse and security teams.


He posted on Mark's wall, not as him.

Sure this bug was like that. But what if someone discovers a bug that allows you to post as the person?


What if I was able to send a fake press release on behalf of a company?[1]

What if I hacked the Twitter account of a major press organization?[2]

Eventually the SEC will require traders to seek independent verification before executing based on social data, or put stops in place similar to the flash crash protections.

1. http://www.sec.gov/news/press/2009/2009-226.htm 2. http://www.forbes.com/sites/jakezamansky/2013/05/01/the-twit...


Hell -- you don't even have to "hack" in to anything to do damage with a Press Release. Just Publish it anyway - most of the press is too lazy to double-check

http://www.smh.com.au/business/mining-and-resources/hoax-pre...


It depends on the bug; automating account creation and spamming some links could add a few million bots to a botnet.


Only problem with using an exploit to manipulate stock price is that the SEC would be at your doorstep in no time and put you behind bars for a significant amount of time.


The fact that he's not a native English speaker and that communication seems hard for him does not mean that:

- he did not do all this in good faith. It seems like he genuinely did. Sure there are TOS. But given his English, do you really think he understood them? Of course not. Good faith is a higher moral value (even though Americans are pretty much used to "if it passed as law/text, moral values are irrelevant, cuz lawyers+money is all that matters").

- $500 is less than peanuts for FB. Finding these bugs, even if they have to read into the guy's submission more than usual, is critical for FB. Refusing the bounty means that next time it'll be left unfixed and the bad guys will probably get it instead.

All in all, FB's not wrong per se, but it's still a bad move from FB, morally and PR-wise.


I think the important part too, is when he technically violated the TOS it was only to get their attention because he was otherwise being ignored. I don't see any reason they should not want to pay him.


FWIW, his initial bug report included a link to a post he made on a non-friend's wall. So his first TOS violation was prior to his first attempt to file a bug. The second TOS violation (posting on Zuck's wall) was what got him press time.


Of course "good faith" goes both ways. Facebook has to act in good faith. If they don't, they can't demand others do to them.


Not figuring out a way to communicate with someone clearly having difficulty communicating is dismissive.


I read it, but I don't assume to know the reporter knows how we do things, especially in light of security. The FB responses were absolutely dismissive, and I hope they have learned to, at least, setup some boilerplate responses. Perhaps they already have those, and the responder was simply doing a bad job. I suppose you've never received a bug report (much less a security report) from a client that hasn't the foggiest on even the difference between that blue "e" symbol that has the internets and that "orange swirly thing."

Hindsight may be 20/20, but I'd absolutely expect my support or security team to respond with instruction on how and what steps should be taken to diligently report issues. FB did not even try to correct the wrong and dissuade the reporter from abusing users' pages.


It was tough enough to read his post to MZ's wall.

Clearly there was a language gap and the original bug report suffered as a result. I don't think it's such a big deal overall.


Can we not get into this again? There are plenty of threads on the validity of this as a bug report.


His first language is Arabic.


Have you seen the interview on CNN with this guy?

http://www.cnn.com/2013/08/19/tech/social-media/zuckerberg-f...

He is rather poor and had a tiny broken laptop that is missing five keys.

He could have used that money and really tried to get them to see the problem.

They should pay him just out of realizing what idiots they were.

Someone should at least send him a better laptop.


r/random acts of laptop


I can understand FB. They are trying to enforce some (reasonable) guidelines around white hat disclosure, namely, don't mess with user data!

I think they should be a little lenient in this case since it seems like he messed with only Zuckerberg's account, and because of the PR around it.


"they should be a little lenient in this case since it seems like he messed with only Zuckerberg's account"

No, he posted to another person's account first (that was his initial bug report). Then he posted again to Zuckerberg's account when they ignored him.

Also, it's too late to prevent the bad PR. Paying him now will only tell every other hacker that they can do whatever they want to Facebook accounts/users, as long as they embarrass Facebook with it afterward.


You're right. Not paying him now tells hackers, "Sell your exploit; it'll be easier and less hassle."


I hope that any credible hacker would be able to realise that to get paid for a white hat vulnerability, you have to use it in a white hat way - i.e. show your working in accordance with the security team's guidelines. Deliberately posting to other people's timelines "for exposure" isn't white hat in the slightest.


Unless you're getting ignored by the security team. Yes, I get it. There was a language barrier. There are what, 7 billion people on earth? Any one of them could be reporting a security vulnerability, and chances are English isn't their first/primary language. Prepare/act accordingly.


He violated the TOS _before_ he was ignored by the security team. I agree that it was handled wrong but let's not fudge the details for our rhetoric.


I believe part of the whitehat payment program is to avoid the exact sort of PR Facebook is receiving from this episode. I agree that the guy should not be paid; he didn't follow the agreement.


When I first saw the blog of this guy, just looking at the initial bug reports he mailed, I understood the nature of the bug this guy had discovered. It's strange that the people who are responsible for maintaining security at Facebook failed to grasp that idea. It could be that they get so many bug reports a day, they have gotten in the habit of making fast initial judgements (which is natural). Maybe they made an initial judgement about this guy and then, being biased, they failed at their job. If Facebook does not have a review of bug reports that they dismiss, and if this guy had not posted on MZ's profile, this bug would probably still exist.


This is being covered a lot more widely because it's a distraction.


Once again, with feeling:

Even if Facebook wanted to ignore the terms of their bug bounty to pay this person, they probably can't. Bug bounties are legally fraught as it stands. Like every bug bounty, Facebook's is clear: if you use a real account, you must have the consent of the accountholder. That term isn't just there to make the Facebook security team's job easier; they also can't officially condone people compromising random user accounts.

Facebook also operates in a web of contractual and regulatory concerns, including California's breach notification laws. Exploitation of security vulnerabilities on Facebook's public properties outside of the terms of their bug bounty might be legally more akin to attacks than to pro-bono testing. Further, Facebook obviously needs the ability to reliably enforce their terms, lest they provide attackers with ammunition in a court case if they, for instance, Pastebin large amounts of Facebook user data. "Oh, I was just participating in the bug bounty program; I certainly wasn't setting out to sell $CELEBRITY's data to a tabloid."

Jim Denaro is an attorney specializing in stuff on this. We talked to him on Twitter this weekend when the story broke, and he said he would have advised against paying the bounty here too. Maybe we can get him to write a blog post.

I don't know how much "outrage" this has actually generated in the security community (maybe you can find links). The security people I've talked to think what happened makes perfect sense. Facebook didn't freak out; they acknowledged the bug report (once they understood it) and fixed the bug. They're just not paying a reward, because the bugfinder violated what is perhaps the most important term in the bug bounty.

One more thing: people on HN have a lot of strong opinions about Facebook, and while I don't share many of them, I understand and respect them. Understand though that the people working on Facebook's security are real and very smart and by and large not the least bit interested in screwing other bugfinders out of 0.00000000001% of Facebook's operating capital.


I understand your position in this, and after reading the full story, I even agree... but I also know a few independent security researchers (i.e. people who don't do this professionally) who do not.

They, rightfully or not, see an independent who was ignored and then persecuted for trying to responsibly report a bug. It's given Facebook a black eye to more than just the HN crowd, and people will probably be thinking twice about disclosing security bugs, particularly if they get "working as intended" as their initial response.

Also, consider the guidelines that go into developing a UI. The more roadblocks you put in someone's way to register for your site, the fewer people will register. Apply that to this, and the more roadblocks you put into reporting a bug correctly (requesting special accounts, fighting to convince staff that your bug is an actual issue), the fewer bug reports you're going to get. That's not a good thing for Facebook in the long run.


I don't see how you get from the facts of what happened to "persecution". Could you go a little further into that?


Disabling his Facebook account, and deciding not to pay Khalil Shreateh (though the account was later re-enabled after further emails between himself and Facebook).


> Understand though that the people working on Facebook's security are real and very smart and by and large not the least bit interested in screwing other bugfinders out of 0.00000000001% of Facebook's operating capital.

But they certainly are happy to act as total pencil pushers when it comes to parting with that 0.00000000001% of Facebook's operating capital.

I look forward to Jim Denaro's blog post. Perhaps my viewpoint on this is completely wrong and could be corrected, but for now this stinks of a cop-out behind red tape.

Edit: Further clarification below ... https://news.ycombinator.com/item?id=6240105.


How does this make any sense at all? You imagine Facebook's security team as a bunch of green-shaded pocket-beprotectored bureaucrats? They're appsec people spending their time trying to tackle one of the hardest appsec problems in basically the whole world.

Who would even have time for ceremony in a situation like that?


> You imagine Facebook's security team as a bunch of green-shaded pocket-beprotectored bureaucrats?

No, I do not. I am sure they are as smart as you say they are.

More importantly, I think the people who make the call to pay/not pay the bounty are not the same appsec people.

They are the ones who I'd agree are the green-shaded pocket-beprotectored bureaucrats (and pencil pushers).


Your previous comment is right there for anyone to read.


Added to that comment for clarity ...

In this conversation, you appear to be defending the FB appsec team for the work they do other than _this particular incident_ and I have no contention with that.

When it comes to _this particular incident_, a lot of things went awry. (a) FB did not appear to have a process in place for handling bug reports from non-native English speakers (or non-speakers for that matter). (b) A bug did eventually get resolved, which otherwise may not have happened. The fact that the bug reporter had to resort to extreme tactics was due to the breakdown of communication and not any malicious intent on the part of the bug reporter. (c) The infinitesimally small bug-bounty payout was denied on a technicality, which also appears to people other than me to be no more than a bureaucratic bitch-slap out of spite for the bug reporter resorting to extreme tactics (see (b)).

In summary, FB messed up by not providing the needed (language) resources to handle such an issue in the first place and is making a lousy situation worse by not paying the (token) bug-bounty that would have just put a kibosh on the whole situation exploding all over the internet, from the get go. All of this leaves FB (the company, not the smart appsec people) looking like the bad guys.


The English thing is a total red herring. Language barriers prevented them from acknowledging and correcting the bug as quickly as they might have, but couldn't change the fact that the bugfinder compromised a non-consenting account to demonstrate it.

What you call a "technicality" I continue to call probably the most important term in the whole bug bounty.

Moreover, you ignored half my comment. The point isn't that they had the ability not to pay; it's that they probably have a legal requirement not to pay.

Meanwhile: could you please acknowledge that when I pointed out that the Facebook security team does good work, your immediate response was to snark that they were pencil pushers? Your followup pretends you never said that, but you obviously did.


> The English thing is a total red herring.

Perhaps we see things differently here, so let's just agree to disagree.

> Meanwhile: could you please acknowledge that when I pointed out that the Facebook security team does good work, your immediate response was to snark that they were pencil pushers? Your followup pretends you never said that, but you obviously did.

I certainly conflated the FB appsec team with FB-as-company and whoever made the decision to not pay the bounty. Hence, I further qualified the target of my criticism in the subsequent replies.

But, boy-oh-boy, I must say, you seem to have taken my criticism of FB quite personally.

If so, I apologize for the misdirected barbs. They are not meant for you or the FB appsec team, but for whoever made the call to not pay the bounty. Like I said earlier, I look forward to learning more about the legal requirement not to pay. Hope you guys can muster that blog post.


> The English thing is a total red herring. [...] the bugfinder compromised a non-consenting account to demonstrate it.

Could you not make an argument that the bug finder didn't understand the proper guidelines, as Facebook.com/whitehat is only available in English?


Being real and very smart does not preclude you from being an asshole.


Whatever set of things you are obviously doesn't preclude you from calling people you don't know "assholes" either, does it?

This is all you have to say?


> Shreateh reports he will not, however, receive a bounty for his work — per an e-mail from Facebook, he violated the terms of the program when he hacked Zuckerberg’s account.

I think this is wrong. He posted on Sarah Goodin's wall first before making any report, very clearly breaking the rules FB sets up for its whitehat program. They offer a way to create test accounts for exactly this. Posting on Mark Zuckerberg's wall has nothing to do with it.

As far as I'm concerned. FB's only mistake here was to brush him off instead of asking for further information from the initial report. Hardly newsworthy.


From my understanding, Sarah Goodin is a fake FB account that he made to test his bug out.


Sarah Goodin is not a fake account, she is one of the first Facebook users (back when it was at Harvard only).


How do you know that the post to her wall wasn't his initial discovery of the bug? Any occurrence of the bug was a breach of the ToS.


Not between two test accounts or two accounts that belong to you (work and personal, which you are allowed to have.)


Why don't people just send things in their native language? If the platform for communication is serious (like a place to report security vulnerabilities), I would imagine they would spend the time/money to get a real translation if one was needed. Even Google Translate probably could've done a better job than this guy's original report.


Whatever language he was going to send it in was not going to get parsed anyways since he barely communicated any relevant information in his emails.

The Facebook employee who replied to the email handled it very poorly, but the guy who found this bug also handled it very poorly by not actually sending any details about what he did.


Exactly. A step-by-step with screenshots doesn't require translation. I've worked with a lot of brilliant programmers with very poor English, and they communicate effectively by sticking to hard technical data.


Also he did mention on whose wall he posted and that they are not friends so this should have been a red flag on its own.


> Why don't people just send things in their native language?

Because there are dozens to hundreds of languages that could be! How are they supposed to be good at them all!

> Even Google Translate probably could've done a better job than this guy's original report.

Erk, no. Google translation is decent for many languages, but sort of shite for lots, and non-existent for others.

Especially big reports with lots of fine details of "this is supposed to do this" type language can be harder.


There's no excuse for not knowing the English language, first as a 21st century citizen and secondly as a web developer.


I downvoted you and am leaving this comment in hopes that those reading this thread don't get the impression that the entire HN community supports such a despicable outlook. I, for one, am grateful for all of the many important contributions to furthering computer science and its associated industries by non english speaking individuals.


Do you ever stop and think that maybe if people were less lazy and started learning English things would actually improve? Information (including "important contributions to furthering computer science") would spread more rapidly, people would have access to an endless stream of news outlets and have a more detailed view of the world. Also, there won't be any need to waste money on translators (do you know how much money is wasted by governments translating official documents, bills and whatnot?). Do you have any idea of the abysmal quality of translation of the many textbooks that are used everyday by college students around the world?

But yeah, I guess ignoring the lingua franca of the world and furthering the status quo is the easiest path.


Wow, what an ignorant comment. There are currently more Mandarin Chinese speaking engineers graduating than English speaking ones and more people worldwide that speak the language as well (both native speakers and overall), yet I don't see everyone in America clamoring to learn Chinese. Of course the world would be more efficient if translation was not necessary, but demanding everyone stop being so "lazy" and learn English is a presumptuous jingoistic fantasy.


Read my response to xerophyte12932.


You know that the biggest advances in maths are made in Japanese, Russian and French, right? You know that English got the status of lingua franca only gradually, meaning that for a long time there was actually no reason whatsoever to learn it. And now the best one: you know that thanks to the US money sent to Israel, Palestine is voluntarily maintained as a third world country by its neighbor, who impairs any form of education (or any other form of societal development whatsoever, like having a port, an airport, fishing, trading, traveling etc.). This guy learned some web stuff and some English (whose alphabet and spelling direction are different) while the most powerful nation in the world was sending obstacles (by which I mean missiles and bullets). I think he already did quite some homework.


Now, in the present, we live in a world where English is the dominant language (again, having a huge number of speakers is a whole different thing) so, as a citizen, you have to adapt.

Secondly, at no point did I say anything against this guy; he at least put in the effort, and that is commendable. My whole point was that thinking about resorting to translators instead of thinking about how to improve the number of English speakers is being narrow-minded. It's like saying: building a dam is hard, let's just keep the floods coming.


Just because everyone on the web corrects everyone else: English is not the most spoken language in the world. It is the third most, while Arabic is the fifth, to my surprise: http://en.wikipedia.org/wiki/List_of_languages_by_number_of_...


Jesus, now I know why everyone is so lazy to learn a new language: you're lazy enough to not read a comment let alone learn an entire language.

I already said it: yes, English is not the most spoken language, but it's the dominant one in that it transcends cultures and countries. Saying that Chinese is the dominant language because it is the most spoken is like saying that ants are the most influential beings because they're the species most prevalent on earth.


Did you just compare the Chinese to ants?


Did your poor sensibilities just get offended?


Wrong Wiki link -- you wanted this one: http://en.wikipedia.org/wiki/List_of_languages_by_total_numb...

English is a clear 2nd. (And on at least one estimate it is first)


English is my 2nd language and I am very fluent in it. But have YOU ever stopped to think about why everyone should strive to learn English, or be labeled "lazy" otherwise? Isn't it lazy of the English speaking community to expect everyone to speak in THEIR language rather than the other way around?


It's the dominant language (yeah, most people speak Chinese because there's so many of them, but English is spoken by people of all ethnicities) so it's obvious that non-English speakers should put in the effort and not the other way around. The most influential textbooks, novels and papers are written in English: ignoring them because learning a language is hard is pure laziness.


Holy shit man, I feel bad for you. Having such a distorted view of life must suck.

I would try to explain my reasoning but judging by your other replies, it would be a fruitless endeavor.


The lack of a response only suggests that you don't have a counterargument, and I don't blame you, it's hard to counter the obvious.


It's also hard to counter the oblivious. If your concern was efficiency, you would instead promote that everyone learn Lojban (http://en.wikipedia.org/wiki/Lojban). Then at least you would have a regular, computationally parseable, culturally neutral language with unambiguous phonology and finely grained grammatical control. You would also have an established standard (English is not the same everywhere) and no need to appear to be an intolerant racist too, since everyone has to learn a language. Plus it would be much, much quicker to learn to fluency than English.


Do you know Chinese? Spanish? French? Unless you are fluent in all three and a lot of other languages, then you have absolutely _no_ grounds to make such a foolish comment. You are as 'lazy' as you claim others to be.

I would even argue that you are much, much worse, since not only are you not learning other languages, you are sitting on a forum complaining that other people can't speak your own and that they must work just so you have less to do.


I have to assume that you can communicate fluently in a non-Germanic language, and that you already know that you can't change the way you think about concepts in a way that doesn't resemble your native language.

Otherwise: With such a closed-minded way of thinking, please refrain from giving your opinion.


Yes, read my other responses, I'm tired of repeating myself.

Also, the only narrow minded here is the one who advocates for a fragmented world and the resulting slow flowing of information.


The only thing these nice commentators are advocating for is not blasting the character of others not conforming to your worldview. You are allowed to have an opinion, but the way you judge the choices of other people is rather unproductive.


All I see here are people going against me without offering a real reason as to why a fragmented world, the status quo, should be promoted.


You do realize the irony of your claim, that English currently being the most prevalent language is also the status quo, right? If the Earth is to use a single language, why would that be English (besides the status quo, which you obviously dislike)?


It is one thing to point out the benefits of certain ideas that differ from the status quo, but being dogmatic and rude will gain you no points.


Again, no counterargument. You're only proving me right.


Ok fine, you've drawn me in.

The main counterargument is that you simply have no right to dictate how others communicate, despite your declarations of improved efficiency and increased idea proliferation. I think people who spend tons of money on clothes and other trappings are wasting resources and contributing to unhealthy societal development, yet I do not go around demonizing these people. I kindly share my view with receptive listeners, while also attempting to recognize my own biases and inability to perfectly understand this massively complex world. Do you also go around proselytizing SUV owners for their massive waste of gasoline? Why not?

Lastly, it would be impossible to quantify this, but I wonder how much cultural richness, diversity of thinking, etc. we would be losing if all of a sudden everyone was forced to only use English? My bet is that it would not be a trivial loss.

Anyways, I wouldn't be surprised if translation technologies make this discussion completely moot in the next couple decades.


That's not a counterargument, that's just a bunch of hypotheses. Namely: we might lose diversity of thinking, we might get translation technologies in the future, while I presented only facts:

-translations cost a huge amount of money

-a fragmented world slows down the spreading of information

-the most influential pieces of writing are written in English

In addition, if you say "let's get some translators instead of learning English because learning is hard" that's laziness. There's no way around it; it's not like I think you're just being lazy, it's just that you are being lazy.

Lazy:

adjective

-unwilling to work or use energy

-characterized by lack of effort or activity

All I got so far are a bunch of downvotes, what I didn't get is an opinionated, fact-based counterargument.

And I'm sad to say it, but I'm frankly disappointed that a community of engineers (for the most part) exhibits this kind of hidebound mindset.


The adjective "lazy" only makes sense as a part of a specified context - there needs to be some agreed upon "work" or "use of energy" that the alleged lazy person is neglecting, or some shared purpose. This conversation is a non-starter because you assume these foreign-language speakers are operating under the same context as you.

It's kind of like if I called you lazy for not going to the store and buying me a case of beer every week. EDIT: OK not exactly, but you get the point... demanding large life changes from others because you claim there is a benefit. This is the epitome of egotistical exuberance.


Since you seem intent on furthering this conversation, here's an honest suggestion for you if you want to truly think about what you are arguing. Extensive academic thought already exists related to the argument you are trying to make -- in short, that it is worth restricting diversity in order to normalize cultures across the globe:

http://en.wikipedia.org/wiki/Postcolonialism

Postcolonialism, and especially postmodernism, are very complex concepts that require a great deal of study to grasp, but it may be worth your while if you want a serious challenge to your argument.


Is anyone here arguing in favor of colonialism? This is equivalent to comparing people who disagree with you to Hitler. Thanks for your "extensive academic thought," which I note you did not even bother to summarize here. I think this thread is over.

P.S. While I do think some of the statements made by cliveowen were insensitive, I also think that teaching people English (or another world language) in addition to their native tongues would help break down barriers between people, and lead to a better world overall.


There’s no excuse for not knowing at least three out of English, Spanish, French, Mandarin, Urdu, Arabic, Portuguese, Russian and German. If you’ve finished university peeking at a fourth and fifth language can’t hurt either.

How many do you know?

Edit: Oh, and how about a bit of Latin and Greek, maybe?


I do know English, Spanish and Italian, and I'm doing my best learning Portuguese, but that doesn't mean we should encourage a world divided by language barriers. I'd be happy to completely forget about every language, including my own native language, and have English as a universal language; it's called progress.

There's no advantage whatsoever in having a fragmented world, and if the mess in my head is any indication the alleged advantages of bilingualism are just BS.


While it would certainly be convenient if everybody spoke the same language, I don’t think it would be better than the current state of affairs, where most people know two to three languages more-or-less well.

After all, knowing more than one language does give you some different insights, not just into the culture of the other language but also into your own culture. Furthermore, there is a whole canon of classical works in basically every language which would likely lose some of its value if it were only accessible in the translated form.

We can add to the last point by taking note that English is a particularly bad example of a ‘world-wide native language’. While its simplicity – both with regards to its vocabulary and its grammar – certainly helps when it is the second language of someone, such concerns are of smaller importance when you want it to be everyone’s first language: Such a language can come with a much stronger set of grammatical rules and nicer ways to build composite words and still be (roughly) equally accessible to its native speakers.


I can think of many. For example, you're unemployed, and live in a hostile environment (i.e. Palestine). I however cannot think of an excuse for a support team whose native language is English to dismiss the possibility of a serious bug.


If you have bombs flying over your head I doubt you spend your day hacking Zuckerberg's account.

I concur with the second point.


Yes, but:

- Not everybody has access to good material and resources. Yes, the internet made this much easier. But it may still be difficult to "bootstrap" it.

- English may be more difficult depending on your mother tongue.

- It is frustrating when you want to say something in another language and even if you use Google Translate you're still not 100% sure.

So I think he should have tried harder, but at the same time, it may be difficult for some people.


[deleted]


Nope, I'm Italian.


Ethnicity ≠ Knowing a language

(I don't doubt you, but you are asserting something that is not always true. I know Hispanics that don't know Spanish for example, because their parents never raised them bilingual.)


I wasn't raised as a bilingual either, I had to learn English just like most Europeans do, by trial and error.


I don't really understand what significance there is in stating that he is "unemployed." Does that somehow make his actions better/worse or the "hack" more/less tolerable?


You're starting to see the fnords. Stop that! Look over there, a celebrity is having marital problems! A pretty young blonde woman is missing!

Journalism is always fair and balanced. They would never, ever use potentially biasing words to suggest that you favor the big corporation over the individual.


I think it was done to give credence to the web developer's lack of "corporatism", to show an "underdog" narrative. Sort of like "homeless man discovers flaw in millionaire's mansion security"... he's so badass he doesn't need a home, or a job, to be good at what he does.

I think. It's gotten nearly impossible to tell w/ modern journalism.


"Unemployed" is never a positive word in American English. In America, if you're unemployed, it's because you're a lazy, shiftless bum - and will quickly resort to crime if your own shortcomings won't let you scam a powerful and scrupulously honest corporation.

The word "unemployed" has such negative connotations here that trying to use it in an underdog narrative is dooming your story to failure.


Got it. "Down on his luck web developer, just trying to make a living helping people, gets screwed out of $5k bounty for reporting a Facebook bug. News at 11."


To be fair, Khalil mentioned this several times in his blog post.


I think he was displaying his skill to facebook while giving them a hint as to what to do about it ;)


The Facebook team should have taken better care of this, but the guy should have used one of the test accounts, or created a test account to demonstrate this, rather than fuck with someone else's private Facebook account.

Very bad form.


I agree. Why not create a test account and post to his own wall?


I think we should crowd-source $5k to that guy and make sure Zuck knows we don't really need him for anything.

I'm ready to toss $10.


You would prove nothing other than that crime pays.


Crime does pay, that's rather the point of crime, it doesn't really need proving.


In that case, crowdsourcing a way to pay this guy $5k for the vulnerability he found and abused would be counterintuitive.


WOW WOW, you say "abused"... strong language there. He was trying to show the bug to them. This guy looks like he never read the TOS in the first place, so he wasn't out to abuse it. He didn't communicate properly is the way I would put it.


abused

Really? Just because FB's security team was dismissive of a real bug report due to a language barrier they could have overcome with the tiniest bit of due diligence?


I see no abuse. Secondly, the publicity of this will probably land the dude a job.


Had he sold this exploit, he could've made upwards of $20k-100k. Especially this bug. It allows marketing firms to post to people's walls without even knowing them. That's a huge vulnerability at a moment when everybody's clamoring for 'social marketing'.


I'd suggest that exploits for Facebook wouldn't actually sell that well on the black market. There's only one install of Facebook in the world and it's controlled centrally so can be patched at any time. It's not like an exploit for Windows which can go unpatched for months if people don't install an update - those are worth money because there's a real use case. With a Facebook exploit you'd get a few hours of spamming at best before it's patched and all the crap you posted is deleted - that's probably not worth the money.


I assume guard-of-terra intended to pay the guy who found the bug, not the company that criminally neglected the security of its users.

Hence I don’t see how you come to your conclusion…


No, rather it would be assisting those talented engineers those who cannot speak fluent English and are discriminated against in that sense.


Crime really pays (for such exploits) and he didn't go down that road, did he?



I find it interesting the amount of attention Hacker News is getting from this in mainstream media.

It makes me wonder, when people unfamiliar with Hacker News read about it in stories like this, do they get the wrong impression and think Hacker News is about the criminal kind of "hacking"?


The mainstream media spent twenty years trying to turn the word "hacker" into some sort of unholy cross between thief, terrorist, child pornographer, and teenager. They'd better be getting the sense that hacker == criminal by now!


Your replies in this thread have been piss poor, anti-corporation, anti-media, hyperbolic shitposting. Please take it back to /r/technology.


"Today, mainstream usage of 'hacker' mostly refers to computer criminals, due to the mass media usage of the word since the 1980s."

Source: Wikipedia, "hacker".


If the media hasn't consistently presented "hacker" as negative, why is it seen as such? After all, everyone who actually knows what hacking is (a) sees it as positive, and (b) is irritated at the media presentation.

Facts is facts, man. Sorry if you don't like the snark, but I'm not sorry for telling the truth.


It's the general public's opinion about "hacker", not just the media's. Connotations change. Everyone here knows "hacker" to mean "someone who finds a simple solution to a complex problem" but everyone elsewhere uses "hacker" to mean "someone who breaks into another person's computer system." It's not even the wrong usage; it's just a usage you don't personally like.

That's not touching on the rest of your posts. They've all been hyperbolic bullshit, and I hate seeing it bleed over from the political discussions.


Hasn't this story been posted multiple times already?

Also it was made clear that he clearly violated the TOS and that his messages were unintelligible.



It's simple: Facebook can't set the precedent that people who exploit bugs in this way get paid. If they did, every Joe who felt that their particular bug wasn't being addressed quite right would think that public exploitation is the faster route to their reward.


Conversely, they might be setting the opposite precedent: that they might ignore your initial email if you don't speak perfectly, and if they ignore your initial email, even hacking Zuck's account won't get you any official recognition.

The bad precedent is that if you're not a great English speaker, you might as well sell your bug on the black market. This is not good for Facebook.


What is wrong with journalists nowadays? Reading Hacker News and copy-pasting stuff into articles is not what I would call good journalism.

It would be nice if people could stop reposting shit from "average joe" newspapers.


It would be a class act if Mark Z personally paid him the bounty or maybe if FB employees crowdfunded it.

Then they don't have to admit they were wrong and don't look like jerks. Best of both worlds.


This seems like a lack of communication skills on both parts, imho. Why would you respond "this is not a bug" to a bug report you did not understand?


poor show FB - thumbs down!


lol, you ad serving pricks! XD

Will someone send this Khalil Shreateh a brand new quad-core? TIA

Khalil Shreateh - respect. Let your name be indexed once more.


Facebook is a top tier company; they don't pay people attention, much less real money, without a track record like Harvard or Stanford already.


I really don't think that's a fair allegation to just throw out there. Care to back that up with some evidence?



