Smile! And your favorite charity benefits.

Recently, Amazon implemented a program called ‘Smile’ that allows you to select a charity that will get a small portion (0.5%) of your purchases. The beauty of this program is that you select your charity one time. Every visit to Amazon after that, they donate. Even better, if you forget to go to the ‘smile’ sub-domain, Amazon will usually remind you and give you a chance to one-click over.

When you consider that Amazon made $74.45 billion in revenue in 2013, this could potentially add up to serious money being donated to charities around the world. If 0.5% of all of their revenue in 2013 had been donated, that would be $372,250,000. Yes, $372 million dollars. That is almost 2% of the estimated cost to end homelessness in the U.S. Not bad that a single company has that capability and puts that power in the hands of its customers.

So click on smile.amazon.com once, choose your charity, and help contribute to your cause. Finally, spread the word. The more people that opt in to this program, the more charities benefit.

A quick, factual reminder on the value and reality of a “EULA”… (aka MADness)

[This was originally published on the OSVDB blog.]

This post is in response to the drama of the last few days, where Mary Ann Davidson posted an inflammatory blog about security researchers who send Oracle vulnerabilities while violating their End-user License Agreement (EULA… that thing you click without reading for every piece of software you install). The post was deleted promptly by Oracle, then Oracle said it was not the corporate line, and the crazy journalists of course felt obligated to cover it. You can read up on the background elsewhere, because it has absolutely no bearing on reality, which this very brief blog covers.

This is such an absurdly simple concept to grasp, yet the CISO of Oracle (among others) is oblivious to it. Part of me wants to write a scathing 8 page “someone is wrong on the Internet” blog. The other part of me says sleep is more valuable than dealing with these mouth-breathing idiots, of which Davidson is one. Sleep will win, so here are the cold hard facts and reality of the situation. Anything else should be debated at some obscure academic conference, but we know Oracle pays big money to debate it to politicians. Think about that.

Reality #1: Now, let’s start with an age-old saying… “when chinchillas are outlawed, only outlaws will have chinchillas.” Fundamentally, the simple fact that cannot be argued by any rational, logical human is that laws apply to law-abiding citizens. Those who break the law (i.e. criminal, malefactor, evildoer, transgressor, culprit, felon, crook, hoodlum, gangster, whatever…) do not follow laws. Those who ignore criminal law likely do not give two fucks about civil law, which a EULA violation would fall under.

Reality #2: Researchers get access to crappy Oracle software in the process of performing their job duties. A penetration test or audit may give them temporary access, and they may find a vulnerability. If the client doesn’t mandate they keep it in-house, the researcher may opt to share it with the vendor, doing the right thing. Where exactly does the EULA fit in here? It was agreed to by the customer, not the third-party researcher. Even if there is a provision in the EULA for such a case, if the company doesn’t warn the researcher of said provision, how can they be held liable?

Reality #3: Tying back into #1 here, what are the real consequences? This is civil law, not criminal. When it comes to criminal law, which is a lot more clear, the U.S. doesn’t have solid extradition case-law backing it. We tend to think “run to Argentina!” when it comes to evading U.S. law. In reality, you can possibly just run to the U.K. instead. Ignore the consequences; they are not relevant when it comes to the law in this context. If you focus on “oh but the death penalty was involved”, y

BSidesLV, two boxes-of-shit up for charity auction…

For those not familiar, last year I created a new-and-improved Box-of-Shit that was put up for charity auction at BSidesLV 2014. Wow, lot of dashes there, go Engrish! For those not familiar with the absolutely legendary attrition.org boxes-of-shit, take a minute to familiarize yourself with them. The box last year was the center of a heated bidding war, with a BSidesLV security staff member proxying bids from another room, as a bidder was also teaching a class or robbing a casino or something like that. Anyway, Nate the Hero (official title) donated $1,000 to the charities selected by BSides (EFF, Securing Change, and HFC). Outstanding!

This year, I doubled down. There are TWO boxes of shit up for auction…

First, the important part. I humbly ask that you read and focus on this bit, because it is the entire point of my effort and goal in doing this. BSidesLV 2015 auctions will raise money for OWASP, Electronic Frontier Foundation (EFF), Hackers for Charity (HFC), and Hak4Kidz. Supporting charity is always a good thing, right?

Remember, InfoSec is considered a “zero unemployment” industry, and our average salaries are ridiculous. While we are quick to do the Facebook “like-activism” to support minimum wage increases, many of us spend $6 on a coffee every morning. If you make solid money in our field, and you cannot go out of pocket for 1% of your salary, you should probably skip the next version of “h4ck1ng f0r l33t kidz” and read a book on personal finances. Live a little… give up a shred of luxury, and donate to the greater good. If you win, you will get to read some personal thoughts I have on the matter, and receive a challenge of sorts.

So… there are two boxes this year! You can troll my Twitter feed for a few random pictures that barely tease what is in each. Even better, you can use this blog to see the teaser page that accompanies each box! I’ve been told that there will be remote bidding this year, which is very cool. For the next two days, I will also answer questions about each box, in a manner that does not reveal how awesome, or how lame, a box is. Rest assured, more time and energy was spent on these two boxes than all other boxes/envelopes I have ever sent out, combined. Each box comes with a ~4-page personal letter for the winner, among other things. That has to be worth a postage stamp at the least.

[image: box-bad teaser]

[image: box-good teaser]

Here you go! You get what the in-person bidders get, the same teaser PDF. If you are at keys, you can play 20 questions via Twitter, while they are throwing back a Bud Light and telling their new friends about how they found an unpatched WordPress CMS last week.

p.s. These are likely to be the last ever boxes I brew, for many reasons.
p.p.s. In the interest of exposure, I will spam this link several times the next couple of days. DEAL WITH IT