The author didn't seem to request payment in monetary form but expected some kind of contributions back which would have helped both sides. It would probably be difficult to include some guarantees about upstream contributions into the license but interesting takeaway.
With GPL you don't have to actively work to upstream your patches, but in practice you can't withhold your patches from upstream. If you add a feature, they get to have it too.
Unlike permissively licensed software, where you can add proprietary features.
Depends how savvy your users are, and what your users lose if they do send your patches upstream. For example, GRSec or RedHat both drop you as a customer (so no security updates) if you republish their patches publicly. Or a paid iPhone app's users probably wouldn't know what source code is, let alone where/how/bother to republish it for the benefit of other users.
Parent poster wasn't referring to Ozempic but a general healthy lifestyle. Which requires resources many people do not have such as time, money, education etc.
This might be misleading as often biodiversity can't be measured by how lush it looks and how much vegetation there is. Certain plants and animals can only survive in arid landscapes that look 'dead' but can't survive otherwise as they are adapted to an environment with less nutrients. So it is possible that you actually reduce biodiversity by doing things like this. Often land has too much nutrients due to farming and leaving arid landscape as it is might be better.
You would only do this to a land that is degraded. I don’t mean, degraded like in its natural state I mean, degraded as an already fucked up by man. In this case, the land was choked with invasive grasses
And to add that he tried out the exploit on unknowing participants. It would be better to try this with a friend in-the-know at a separate table. It makes me think he did it more as a practical joke than testing his exploit, especially because he mentioned they were "not-too-intimidating-looking guys".
I'll admit it is a bit funny and the damage caused is tiny(just the price of the food). However, things like this do harm the reputation of bug-bounty hunters.
He could have just tried it on his own table (order on the phone, and then on the laptop through the vulnerability) and avoid having to a) bother others, b) waste food. The result would have been the same.
The author says "I refuse to believe they’re unaware of this. This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care." Agree that this is an uncharitable way of looking at it.
Its a justifiable worldview. I'm an Indian dev and I've seen obvious backdoors like these added to the backlog as a low priority bug. If somebody spends time on this, that means features are being delayed and you are rewarded less.
I've worked in lambda web editor (not in Git) and my lead considered replacing sql injection with parameterised queries was a distraction/insubordination. Cant wait till audits, data breach insurance and imprisonment becomes the reality.
I don't mean to pick on your comment, but to respond to a prior comment, you are beginning with a very positive world view and interpreting the events from there.
Lazy API that did not vet a simple backdoor?
Good coders but accidentally pushed the debug version of the API?
I am going to have to say the second option feels less likely (yes, I have been called cynical).
> Because who at the "company" does even know about this?
Everyone who designed engineering requirements, technical requirements, test plan, everyone who wrote technical specifications, everyone who performed traceability. It was all approved by security engineers and management.
> The company was founded during the pandemic when contactless dining became popular.
There were tons of people intimately aware of the issue, yet for four years nobody cared.
If you discovered an incompetent healthcare provider was prescribing antibiotics for every condition would you "contact them privately" or contact the relevant authorities?
Private disclosure is for when you believe the company cares about security but made a genuine mistake. For the company in the OP it would be more like free education in fundamental privacy and ethics. They're not entitled to that. Name and shame.
Sure, but what you’re describing is not what is being suggested. Responsible disclosure typically involves disclosing publicly after a reasonable period of time.
Why? Why should they be the responsible ones, when the well-funded, well-connected service provider is acting like the fly-by-night startup (that they probably started as)?
There's little public benefit in responsible disclosure here; all it would lead to is the whole thing being swept under the rug with some trivial "fix". There's lots of public benefit in immediate, wide disclosure - the scramble to fix this under pressure from vendors before potential abuse, and any real or imagined attempt at abuse, and subsequent lawsuits, would go far towards educating people and the industry about privacy, security, and bad business practice. It's a nice low real damage, high publicity case.
It's not like this stuff is new. But without serious pressure, the businesses will never learn and never stop making or enrolling into such systems.
Anyway, if it happened over here in the EU, I'd do the responsible disclosure thing and give a full, detailed advance expose to the local Data Protection Authority.
(And if I sound adversarial, then consider that neither the vendor developing such systems, nor the venues using them, are doing it in the interest of the customers.)
There's a big difference between announcing "I found all this private data" and "I found all this private data and here's exactly how I did it and here are the URLs". What the author has done is detail exactly how anyone else can abuse this system from anywhere in the world and also given them ideas about what to do with that information that would cause a direct cost to the company. I think that's irresponsible and unnecessary. You public disclosure rationale has some merit but it didn't require publishing the user manual for the attack. Just saying you used the API, publishing the amounts plus some proof of private data from people who have given consent would be enough to get the business scrambling.
This seems less like a "manual for attack" and more like tweeting that your local storage unit rental never puts locks on their garages and gates and "anyone could just walk in and out".
To expand your analogy can you see the difference between:
"A storage unit I know of never uses locks"
and
"The storage unit at 1234 Central Boulevard, San Andreas never uses locks, just wiggle the door a bit and it'll open."
I think most people would acknowledge there's a big difference.
That's not the same though at all.. A closer analogy would be publicly announcing that "Company managing the storage lockers 1234 Central Boulevard, San Andreas is keeping all of them unlocked without telling their customers".
Which would still be wrong but you're implying that the business is the victim here when it's the complete opposite.
Causing damage or cost to a company through fraudulent use would be the cornerstone of a civil or criminal prosecution. Cases where there is good disclosure and no cost incurred tend to get dismissed, cases where there is identifiable damages get stupidly big sentences and/or fines.
Right but would you afford the same opportunity to the healthcare provider? You'd contact them privately and expect them to go and learn why over prescription of antibiotics is a bad thing and change their ways? Of course you wouldn't. You'd go to someone who cares. In healthcare there are ways you can report it without naming and shaming publicly, but how could the author do that?
In the EU this would be illegal and (hopefully) lead to very high fines. So why would you try to help and conceal their criminal behaviour instead of reporting them?
Of course in other places, there aren't really any good options. So I guess the most "moral" approach would be to what you think would cause most financial damage to the business and discourage people from going there.
Who says it was? Why would they willingly give out their customers' and customers' customers data to any anonymous person or a bot?
More likely a bad oversight
This is “the tire shop doesn't have a torque wrench” level shit. If it's an oversight, it's an oversight due to incompetency, not because a good team just happened to miss something in a crunch. Another possibility is that the issue was raised and management said to fix it later, and because software “engineering” isn't a real engineering field that holds its practitioners to any duty of care, those responsible (the engineers) just went along with it.
For 3 years? That would mean that no developer has ever raised these issues with management, to speak nothing of an actual pentest being conducted.
No, this is not some obscure security hole they forgot about. This is plain incompetence and/or deliberate design decisions.
I agree that full public disclosure like this is irresponsible, but exposing issues like this to the public is the only way for such companies to make a change or, preferably, lose business and shutdown.
Because they don't care, and their customers don't understand any of this shit?
It feels like the usual case of vendors buying service to better exploit the users, and themselves getting burned and/or exploited by that service too.
Yes! You as a user are not meant to knowingly access data that does not belong to you. Even something like changing the id from 1 to 2 is legally considered unauthorised access.
It would be different if for example the application was showing data for other customers through normal use of it, but even if there is no other barrier to access than changing an id that is considered bypassing access control and can result in jail time in most places. Now I'm not an expert in India's computer misuse laws but I am willing to wager they are not the most progressive when it comes to this kind of thing.
Most likely the company will blame them for trying to help. Also, if the company is so incompetent that they allow this why bother. He's not getting paid to be their test engineer.
In this case you probably haven't looked at it properly. There is just the starting entry main.zig, and a root.zig file which you can remove if you don't need it.
Nothing complicated or annyling problems at this stage.
OpenCV was not the "AI" here, the "AI" was a computer vision model trained at the roboflow website that he mentioned multiple times and that he used in the line commented with "# Directly pass the frames to the Roboflow model".
If it is needed soneone will and probably is currently doing original research. The payoff is too great that alternatives would be ignored. As long as financial incentives exist progress will inevitably happen and the financial incentives in this case is massive.
That is not necessarily true all over Europe. In my area prices were increases somewhat recently and I now decided against going there anymore. However, they did not change any seating inside, everything stayed somewhat tge same
