Quit volunteering my time.

Every week someone, or several people, think their 140 characters is worth me spending an hour+ writing an article for them. They noticed some plagiarized text or think someone is a fraud, and they turn around and expect me to research and document it. For years now, I get mail to Errata with a single link or a couple lines of commentary, along with the expectation that is all that is needed. Voila! An article will magically appear. These days, I don’t even get an email, just a Tweet or two.

I’ve said it before, many times. I’ve given an entire presentation on the project twice. I’ve told people in person, in email, and on Twitter. For the last time:

Errata was designed to be a community project. That’s “crowd-sourced” for you new people. A couple people serve as a clearinghouse for well-written, well-documented articles. No names on the articles because if they are properly referenced then attribution is not an issue. Then the clearinghouse stands up to defend the work as needed. Simple concept.

If you are in the security industry and cannot write an Errata article, get the fuck out now. You are simply too stupid and too dangerous to be advising anyone on something so important as security. Sure the articles take a little time because they have to be solid on making logical points, being organized, and citing public information that justifies any accusations or conclusions. But anyone that does penetration testing or auditing or system maintenance should be familiar with documentation along these lines. They are not difficult to write, they are time consuming.

If it bothers you that someone plagiarized or is selling snake oil, and it should, then take the time to write your own blog. Enough of us have stood up and defended our work. We’ve shown that you can do it, quite safely, if you are responsible in your work. If you still feel it risky, write the article and send it over. Do the leg work, we’ll provide the safety net.

Until you send such articles, don’t volunteer me to write them.

Any wonder why people use images without attribution?

Found the perfect image for my @BSidesDE talk. Noticed in the corner a tiny ‘GettyImages’ watermark, so I went to their site to see how much it would cost to license. Because I happen to know they require a license… which I imagine 99.9% of the modern Internet world does not. The auto-pricing options did not seem to match my intended use, a regional talk to maybe 75 people. I chatted with a rep to ask if there was a better price than $495 quoted by the web site.

Welcome! A representative will be with you shortly. For your security, do not give out your credit card number or other sensitive personal data during a Live Chat session.
You are now chatting with Andy.
Andy: Hello! How can I help you today?
Brian Martin: When selecting the pricing options, the drop down listing possible uses does not include anything close to what I want to use the image for.
Andy: How do you plan to use the image?
Brian Martin: For a regional public conference (free to attend), I am not being compensated for the talk.
Andy: Okay, will it be in a presentation?
Brian Martin: Correct
Andy: Okay, we do have a license for that. What image were you interested in?
Brian Martin: http://www.gettyimages.com/detail/photo/woman-at-computer-control-panel-1960-high-res-stock-photography/10153785#
Brian Martin: That is an IBM 7094 if you would like to update the information =)
Andy: Michelle Williams at Beyonce’s bday party?
Brian Martin: No…
Andy: Okay, I must have pulled up the wrong image
Brian Martin: http://www.gettyimages.com/detail/photo/woman-at-computer-control-panel-1960-high-res-stock-photography/10153785#
Brian Martin: “woman at computer control panel 1960 high res”
Andy: Okay, woman at her computer panel?
Brian Martin: yes
Andy: yes, I see it.
Andy: Okay, so this usage will fall under our External Presentation license
Andy: You can find that under our Marketing Use category
Brian Martin: OK, that was not on the drop down list. How much is it to use the image for such a purpose?
Brian Martin: OK, but this is not marketing at all. Just a talk about the history of software vulnerabilities. I am with a 501c3
Andy: How many people do you think will be ata this conference?
Andy: Right, but it’s a public conference right? Not just your company?
Brian Martin: think they are expecting 150 max across two days, maybe 75 max in my presentation
Brian Martin: Correct
Andy: Okay. Even though it isn’t marketing, that is the correct license for this use.
Brian Martin: OK, how much is that?
Andy: Pricing for that license comes out to be $685
Brian Martin: Unbelievable
Andy: Is that anywhere near your budget for this project?
Brian Martin: Since GettyImages hates 501c3 non-profit work for the advocacy of better computer security, I will have to find an alternate image. Thank you for your time.
Andy: No problem. Enjoy the rest of your evening!
Andy: Thank you for chatting today. We value your feedback. Please click the “Close” button at top right to answer a few questions about your experience with us today.
Thank you for chatting with us. Please click the “Close” button on the top right of the chat window to tell us how we did today.

I understand they want to make a profit, but without more granular licensing, do they have any doubt people freely use their images in presentations or web sites, simply cropping out the watermark?

If I had used GettyImages for each image in my presentation, I would be looking at a convenient rate of about $34,250.

Seeing those EULAs in a different context.

Many years ago I realized that the End User License Agreements (EULA) that we are forced to endure for web sites and software was out of hand. There have been a lot of good points made in the past about them and how they are rarely read. I had written notes about an article but wanted to add something that I had never seen before. What do all those EULAs look like if they are printed? I made a list of all the software on my computer at the time, and a handful of web sites. Ultimately, I never got around to doing it but I mentioned it in discussions with various people.

Recently, Andrea Matwyshyn and I discussed it as well. Some months later, she and some of her students did exactly what I wanted. Pictured below are printouts of some of the many EULAs you have “read”, or at least agreed to. That is a whole lot of legalise you are bound to. Be scared.

Wharton EULAs

Wharton EULAs2