Author here. There's no complaint. It's an observation rather than an absolute good or bad. It's something you have to consider in designing your application.
How would you feel if an attacker could read your AWS resource tags? Turns out they can! We’ve found a way to enumerate various metadata from public resources and created a tool to help you test your environment.
There's been a lot of great work recently on hacking GitHub-AWS OIDC integrations but I think we've undersold how bad it is. Here's my guide to finding all the vulnerable roles in all public repos, including new commits in real time.
For those that aren't aware, it's devastating for anyone affected. You give an AWS role permission to be assumed by GitHub Actions, only you misconfigure it not to match the repo or org name. The result is a classic confused deputy, where any repo in GitHub can assume your role.
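The misconfiguration described in the comment above comes down to the role's trust policy: a `Federated` principal for the GitHub OIDC provider with no (or an unscoped) `token.actions.githubusercontent.com:sub` condition. The audit below is an added example, not the commenter's tool or anything from the linked guide. It walks an IAM trust policy document and flags statements that let any GitHub repository assume the role. The two policies embedded in it are constructed samples (the account ID and repo names are placeholders), and the checks it applies (missing `sub`, `sub` that does not pin an org/repo, missing `aud`, and a `*` inside `StringEquals`, which never matches) are assumptions about what a practitioner would want flagged, not a claim about how the commenter's scanner works.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC}:sub"
AUD_KEY = f"{GITHUB_OIDC}:aud"
STRING_OPS = ("StringEquals", "StringLike",
              "ForAnyValue:StringEquals", "ForAnyValue:StringLike")


def _as_list(value):
    """IAM allows scalars or lists in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _sub_is_scoped(pattern: str) -> bool:
    """True if a sub pattern pins the role to a specific org (or org/repo).

    'repo:org/repo:*' and 'repo:org/*' pin something; 'repo:*' and
    'repo:*/*:*' pin nothing and let any GitHub repo assume the role.
    """
    if not pattern.startswith("repo:"):
        return False
    owner_repo = pattern[len("repo:"):].split(":", 1)[0]
    owner = owner_repo.split("/", 1)[0]
    return owner not in ("", "*")


def audit_trust_policy(policy: dict) -> list:
    """Return a list of human-readable findings for GitHub OIDC statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        # Only statements that trust the GitHub OIDC provider are in scope.
        if not any(GITHUB_OIDC in p for p in federated):
            continue
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue

        subs, auds = [], []
        for op, kv in stmt.get("Condition", {}).items():
            if op not in STRING_OPS:
                continue
            op_subs = _as_list(kv.get(SUB_KEY, []))
            subs.extend(op_subs)
            auds.extend(_as_list(kv.get(AUD_KEY, [])))
            # A '*' inside StringEquals is matched literally, so the
            # condition can never be satisfied by a real token.
            if op.endswith("StringEquals") and any("*" in s for s in op_subs):
                findings.append(f"Statement {i}: wildcard in {op} for {SUB_KEY}; use StringLike")

        if not subs:
            findings.append(f"Statement {i}: no {SUB_KEY} condition; any GitHub repo can assume this role")
        elif not all(_sub_is_scoped(s) for s in subs):
            findings.append(f"Statement {i}: {SUB_KEY} pattern(s) {subs} do not pin an org/repo")
        if not auds:
            findings.append(f"Statement {i}: no {AUD_KEY} condition")
    return findings


# Constructed sample: trusts the GitHub provider but never constrains `sub`.
VULNERABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}
  }]
}""")

# Constructed sample: same role, pinned to one repository (placeholder names).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"}
    }
  }]
}""")


if __name__ == "__main__":
    for name, pol in (("vulnerable", VULNERABLE_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_trust_policy(pol) or "OK")
```

To use it against a real account, feed it the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for each role. Pinning to `repo:org/*` is enough to stop the cross-org confused deputy; pinning to a single repo and branch or environment is tighter still.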
This applies to everything you do which depends on review.
Want a particular job? Put in more effort than everyone else. Create a ‘I want to work for you’ website. Be prepared at the interview. Understand everything about the organisation. Quote its founders.
Want to have your paper accepted? Do a little research about what they are looking for. Contact the reviewers directly and ask for help. Get your article reviewed by people who have been accepted previously.
Want to have your RFQ response win? Read the requirements carefully. Make the reviewers' jobs very easy. Address criteria directly and clearly. Ask questions.
I am consistently surprised by how little effort the average person puts in to any reviewed endeavour. It really doesn’t take that much effort to stand out.
Author here - As an information security manager at a large organisation, this scares me. As much as we train our users and put governance structures in place to help them do the right thing, they don't always make the right decisions and we can't expect them to. LinkedIn is encouraging some really poor behaviour here and putting both itself and other organisations at risk.
This is awesome. I don't know much about typography but every time I try to learn something, I give up pretty quickly because of the overwhelming amount of (boring) information. I love how this guide is set out in easy to read and consume chunks that flow well from each other.
Is it me or does the author of this article, and the abusers of the exploits he writes about, land on the wrong side of both the law and common morality?
Surely EA being a "terrible company" has nothing to do with whether it is okay to steal their products? Moreover, just because there was a coding error/oversight, again doesn't mean it is okay to steal their products? If you have a complaint about a company or discover an exploit, surely there are other more ethical channels to pursue the matters?
For the record, I dislike some of EA's conduct as much as the next person.
Yes this rubs me the wrong way. I think it's analogous to a retail store (say, an Apple store) leaving their front door unlocked overnight. It's possible to go in and take merchandise. After all, it's not your fault they left their front door open. You could even argue that Apple's business practices are morally questionable, so they deserve to be taken advantage of . (I'm not trying to make any statement about Apple. It's for the analogy.)
You could argue that the situation is different with virtual goods, since they have an incredibly low marginal cost, but I think that the situations are morally analogous. The games aren't supposed to be free.
Not really. It's more like Apple issuing you a coupon for a free iPod Nano, but when you go to checkout with the iPod Nano and a Macbook in your cart, the cashier tells you they're both free.
It may still be unethical, my point is just that there are shades of gray here.
I understand your point, but I disagree. There is a marked difference between being told by a cashier that the MacBook is also free, and exploiting bad coupon code mechanics for free products. Primarily, the coupon code users knew that the code was broken (the door was unlocked) and proceeded to abuse it.
From my understanding, the coupon recipients knew that the coupon was supposed to only be for a single $20 discount. The only shade of grey in this case (as far as I am aware) is that there may be a user who used the code and unwittingly received a discount applied to multiple products. I believe that the majority of people in this case knew that it was unethical (and possibly illegal) but rationalized it by saying that EA deserved it.
Except that, in that case, Apple will lose a lot of money from the free hardware. In this case, the only real loss for EA is the bandwidth, since it would be safe to assume that the downloaders wouldn't have bought a lot of games at the current prices.
Sure, but I don't think that's relevant to the discussion. It's hard to quantify, but there is some set of those downloaders who at some point in the future would probably have bought one of the EA titles they received, so there is some actual lost revenue. I suppose that's their lesson for pushing bad code into production.
But it shouldn't matter. Real loss isn't necessary for it to be unethical (or worse, a crime).
Is it actually true that real loss isn't necessary to be unethical? You couldn't possibly provide an example? I am having trouble imagining such a situation.
(I would argue in terms of importance, ethics > crime)
Is it actually true that real loss isn't necessary to be unethical?
Plagiarize a paper in college, you have caused no real loss but still been unethical. Say you knew the topic very well and could have done the work yourself, you just plagiarized because you were lazy to get around the whole you harmed yourself argument.
Yeah, that is a good point. I had this idea that most ethical questions are to do with other people.
Like stonemetal alluded to, in a pretty esoteric sense you are harming yourself by bringing yourself into disrepute.. but that is just quibbling. Also I guess the 'scientific' method employed in marking papers is as a proof which you have not given. Though you may have done the groundwork it does not automatically follow that you are able to reliably produce the required results. You may also then be bringing the school into disrepute... but, probably not the central issue here.
I don't agree that EA's reward is diminished UNLESS people who would have otherwise bought these games did not (which I would then absolutely regard as stealing) and ASIDE from the very real argument about server time (which I would argue is a separate instance of theft).
I don't think the social contract argument holds much beyond the idea of patronage, i.e. I have a duty to support the content producer, but no such duty to allow him to profit. That is arbitrage; I may find it worth my while to allow it, but I have no duty to support it. In abstract Kantian terms (thanks for the link, jogged my memory of all those philosophy subjects I studied way back when) if all the world rejected arbitrage people would only make things that were really valued (in real terms, some over-production allows for innovation of course.. things are never so simple).
In fact, in the OP, he mentioned that on some boards people were justifying their actions by saying that they were taking back some of the money EA had taken from them over the years. This could be read as taking back the profits, or the arbitrage, which they no longer felt were justified given EA's continued mistreatment of their custom. (or, of course could be read as a petty way to make themselves feel ok about stealing).
stonemetal's point about plagiarization is excellent. I had in mind something along the lines of media piracy, except in EA's case there is an actual cost (since their bandwidth provided the content, and their servers will have to support it when they go online). I think the majority of people accept the fact that piracy is ethically wrong, even if there is no cost to the producer. When you pirate, you are enjoying content that someone else produced with their finances, time, and talents. The social contract is that in return for that enjoyment, you support the content producer by purchasing a licensed copy so they can be rewarded for their efforts. When you pirate, you deprive the producer of that reward.
The same deprivation occurs here. EA's reward for publishing these games is reduced or removed because people acquired them when the "door was unlocked".
I do not know enough about formal ethics to express my point here, but I would look at http://en.wikipedia.org/wiki/Categorical_imperative under Perfect Duty to show how the concept of piracy doesn't hold up under the Categorical Imperative.
The exploiter's gain is greater than EA's loss, especially when you consider that EA desperately wants people to use Origin. That doesn't make it ethical, but I won't shed any tears over it.
I think the analogy is wrong. EA didn't lose any physical copies.
I think a better analogy would be Chapters/Barnes & Noble (A Book Store) had accidentally put in free to use high quality photocopiers inside their store. The photocopiers were intended to be free to use, but not intended to be used on the books in the store.
Your argument isn't morally analogous because theft implies EA were deprived of something (EA still can sell and play their games), when the issue at hand is the EA botched up controlling access to their product. In your argument, Apple can't sell the stolen merchandise any more.
The more important part for EA would not to be to "punish" or claw back copies. That genie is out of the jar. They should just chalk it up to marketing and move on (fix the technical issue).
"Your argument isn't morally analogous because theft implies EA were deprived of something (EA still can sell and play their games), when the issue at hand is the EA botched up controlling access to their product. In your argument, Apple can't sell the stolen merchandise any more."
This whole "if you still have the physical object, you weren't robbed" is a rationalization. If your school decides not to give you a diploma you still have whatever you learned - but now the value of your education in the marketplace has been reduced.
Repeat after me: "Taking something that isn't yours without permission is stealing."
But... the fact that the servers honored the code being used multiple times _is_ permission. You can't assume that this wasn't EA's intent, (although it's almost certain it wasn't). Ultimately, the onus is on EA to make their system work right.
I'm not arguing that people who abused the code weren't doing something wrong, but it is not cut-and-dried. However, I definitely disagree with the idea that they were "stealing".
I think a better analogy is when a business accidentally advertises a product at the wrong price. They are required by law to honor the advertisement even if it was a mistake. This is much closer to the situation with EA than the idea that they "left their front door unlocked", etc. Regardless of other circumstances, the transaction was legal, and I think the law might well require EA to honor it... but I don't know the details.
Another analogy would be issuing a coupon and forgetting to include "limit 1 per customer", or even having a salesperson giving out free product, who misunderstands and doesn't limit the product to one per customer.
Would customers in those cases be considered "stealing" if they took advantage of these situations? I don't see how that can be argued. Could they be accused of being greedy? Definitely, but as much as people might wish otherwise, being greedy isn't against the law.
FWIW, I didn't use this code, and wouldn't have exploited it even if I had. I have too much great stuff already from GOG, Steam and Humble Bundle, etc... that I don't have time to play it all. I have no need nor interest in exploiting anyone in this way.
But... the fact that the servers honored the code being used multiple times _is_ permission.
I'm not sure. It's my understanding that the intent (and legal TOS) of the code was "limit 1 per customer. Non-transferable." The fact that the server allowed it doesn't change the fact that the intent was for it to be used once.
Imagine a bowl of candy out during Halloween. There is a sign that says "Take only one". The fact that this house failed to implement a means of controlling how many people take doesn't make it OK to take two handfuls.
The important distinction in this case is what the legal language of acceptable use was, and not what was possible through the (broken) server. If you fail to print "limit one per customer" on your coupons, that's a lesson learned. If you DO print "limit one per customer" but fail to validate that at the self-checkout lane, and people abuse it, that's fraud.
*This all predicates on whether the actual language stipulates that the code really is only good for a single, non-transferable use.
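The distinction the comment above draws between the printed limit and what the self-checkout actually validates is, on the server side, a check-and-record problem: the limit has to be enforced where the code is redeemed, and the check and the record have to be atomic, or two checkouts racing with the same code both pass the check. The following is an added example of that pattern and is not based on any knowledge of how EA's promotion system worked; the promo code, prices and customer IDs are constructed, and the policy it enforces (one redemption per customer, discount applied once per order rather than per item) is an assumption stated for illustration.

```python
import threading
from dataclasses import dataclass, field


class PromoError(Exception):
    """Raised when a redemption is refused."""


@dataclass
class Promo:
    code: str
    discount: int                      # fixed amount off the order total
    per_customer_limit: int = 1        # assumed policy: "limit 1 per customer"
    redeemed_by: dict = field(default_factory=dict)  # customer_id -> count


class PromoLedger:
    """Constructed example: enforce the per-customer limit at redemption time.

    The limit check and the redemption record happen under one lock, so
    concurrent checkouts with the same code and customer cannot both pass.
    """

    def __init__(self, promos):
        self._promos = {p.code: p for p in promos}
        self._lock = threading.Lock()

    def redeem(self, code: str, customer_id: str, cart_prices: list) -> int:
        """Apply the code once to the order and return the discounted total."""
        with self._lock:
            promo = self._promos.get(code)
            if promo is None:
                raise PromoError("unknown code")
            used = promo.redeemed_by.get(customer_id, 0)
            if used >= promo.per_customer_limit:
                raise PromoError("limit reached for this customer")
            # Record the redemption before leaving the critical section.
            promo.redeemed_by[customer_id] = used + 1
        # The discount applies once to the order, not once per item.
        subtotal = sum(cart_prices)
        return max(subtotal - promo.discount, 0)


def concurrent_redemptions(ledger: PromoLedger, code: str, customer_id: str, attempts: int) -> int:
    """Fire `attempts` redemptions in parallel and return how many succeeded."""
    successes = []

    def worker():
        try:
            ledger.redeem(code, customer_id, [50])
            successes.append(1)
        except PromoError:
            pass

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(successes)


if __name__ == "__main__":
    ledger = PromoLedger([Promo("SAVE20", discount=20)])
    print(ledger.redeem("SAVE20", "alice", [60, 40]))   # 80: one $20 off the order
    try:
        ledger.redeem("SAVE20", "alice", [30])
    except PromoError as e:
        print("refused:", e)
    print(concurrent_redemptions(PromoLedger([Promo("SAVE20", 20)]), "SAVE20", "bob", 20))
```

In a real system the lock is the database: a unique constraint on (code, customer) or an `UPDATE ... WHERE redemptions < limit` that returns the affected row count does the same job across multiple servers, which an in-process lock cannot.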
I don't approve of abusing the exploit, and I did not abuse the exploit. I put that paragraph in because I thought it was interesting that some people were indeed using that argument as justification for using the promo multiple times.
I think it is a little more nuanced than simply being 'not okay'. Whether it is 'okay' or 'not okay' is a personal moral decision, which though I might agree with you (for myself), I would not push that morality onto someone else. I would however give a reasoned argument as to why I think it is or is not okay. Ethics are not clear-cut, and ethics do not equal the law.
As dkokelly points out, this cannot be thought of as lost revenue. The vast majority of games taken here would never have been bought otherwise, and it is unlikely that any of these games will be devalued by having a wider audience. So it is spurious to describe this as simply stealing.
EA has a history of disrespecting their customers' privacy, security, payments, and computers, as well as (as the op mentions) questionable ethics. They don't seem to value their customers except as a cash cow to be milked to death. This is a message, an imperfect, impure, but pretty bloody strong retributive message. To draw a long bow, think LA riots.
But still, does that make it okay? I just think each person needs to assess that for themselves. It certainly has a ring of just deserts about it. Speaking for myself, it would depend on my motives. I would put that if the gamers are more interested in getting a positive response from EA than they are in free games, I would suggest they protest by dumping their EA games in an online equivalent of a big bonfire.. 4chan maybe :|
But I would agree that a more ethically clear-cut channel could be actually more effective - but just not because it is more ethically clear-cut. If they really want a positive response from EA, rather than just to protest (or steal), they need to publicly and loudly stop buying EA games.
You are pointing your anger in the wrong direction. The reality is that security is a hard problem, much too hard for Blizzard, much too hard for RSA, much too hard for banks, and much too hard for governments.
Major companies being hacked is not a new phenomenon. What's new is them (a) detecting the hacks and (b) disclosing them. It's unfortunate but true; you should be happy that they are telling you.
You misunderstood my entire comment, but I can see why you would think I was angry. I'm disappointed, not angry. Disappointed that in this day and age, companies like Blizzard are making record profits and fall prey to attacks that are sometimes as simple as an SQL injection attack. While I am grateful they have told us about the attack, I'd much prefer the situation went like this: "We've been attacked, our database was compromised but because everything important is encrypted all they have is your email address"