tonywebster's comments

While it's honorable to want to keep things on a handshake-and-honor level, when things go wrong, none of that matters. In my experience, clients are impressed and more comfortable with proceeding when a written agreement is in place. The only time I've had trouble negotiating an agreement is when dealing with large mega-corporations, where I'm still able to add in notable definitions and exceptions to the work that I'm performing.

> "the client can afford more expensive lawyers than I can, so regardless of the truth they would be able to wipe me out"

Just like lines of code are not a measure of quality of software, hourly rates of attorneys are not a measure of the quality or effectiveness of their legal representation. The only time that you are on equal legal footing with a large corporation is when you're both entering the relationship. If you and a client sign an agreement defining and limiting the work and your liability, a more expensive attorney isn't magically able to rip that contract up.

> "if the client has to read the detail of the contract, it's probably too late to save the relationship anyway"

I couldn't possibly disagree more. If a client isn't willing to work with me on defining the scope of the work to be done for both of our benefits, then I have no faith that they're going to work well with me at all, on anything. For a software developer, a scope of work is also just another piece of documentation: here's what I'm building, and what it does and does not do. A client should be as eager to define that as you.

Case in point: a bank recently suffered a data breach and had to spend more than $150k to comply with its notification obligations, and the bank's insurance company sued the bank's web design firm for, as they allege, failing to do proper servicing, security updates, etc.[1]

Web design firms doing ongoing security, monitoring, and maintenance is totally not the norm. Usually the design firm designs the site, either has a couple developers in-house or contracted to another company to build out the front-end and do any integration with the bank's back-end, and when it launches, all is over. But here, this small midwestern design firm with a few employees is on the hook for damages and their reputation will be destroyed.

There are many details lacking in the civil complaint in terms of what their actual responsibility was, or if there even was an agreement in place. But if the design firm had a master services agreement that (a) disclaimed responsibility for doing security monitoring, updates, malware fixes, backups, contingency planning, and any costs or lost business as a result; and (b) limited liability to the amount of money the bank paid the design firm (a common business practice); and (c) indemnified the design agency against any claims by third-parties; the complaint probably would have never been filed.

None of this is legal advice, but don't risk having your reputation destroyed and being personally bankrupted simply because you're desperate for work, lazy, or unrealistically optimistic about people having good faith in all situations.

[1] Article with linked PDF civil complaint: http://www.scmagazine.com/travelers-accuses-web-firm-of-shod...


Author here. If you let me know some sources for the above, I'd love to add them. Contact info in profile. Thanks!



HTTP Shamer here. I absolutely practice 'responsible disclosure' when it is appropriate.

In the case of TripIt, they've known about this issue for a VERY LONG TIME and chose not to address it. I'm incredibly sad about this because I absolutely love TripIt.

There are several sites and apps I've either found out about myself or have had submitted to the Tumblr that I do think warrant responsible disclosure, and I've either done that or am working on that. Sadly, only one of those vendors even has a security e-mail address with a responsible disclosure policy.

In the case of Scribd, if you're using HTTP for all of your account activity, it's not going to be encrypted, period. I'm not going to responsibly disclose that passwords are sent cleartext over HTTP because that's obviously what happens with HTTP. If the vendor made any attempt to use SSL that appears broken, I would stop and responsibly disclose.

In the case of apps going out and checking for updates insecurely, I think that behavior is prevalent enough to see, and obscure enough to exploit, that responsible disclosure doesn't really apply. It's just that HTTPS is something I'd like to see on developer roadmaps. There have been good discussions about this on Twitter, including the VLC team closing a ticket about it.

If I saw personally-identifiable information being sent from an app, I would stop and responsibly disclose.


Personally, I don't see how responsible disclosure can really apply to cases like this.

This is not some obscure vulnerability. It's a deliberate design decision with obvious tradeoffs. It's analogous to a bank keeping deposits sitting on tables in front of the building. It's obvious to anyone who looks, and it should have been obvious to the person who came up with the scheme.

The point of responsible disclosure is to give companies a chance to fix a vulnerability before it becomes widely known. That doesn't work when the problem is obvious to anyone who glances at it, because you've lost your chance at "before".

For something like "you can hijack session cookies sent over an unencrypted connection", I can see how that would warrant responsible disclosure. But for "this entire feed is dedicated to sensitive information, and it's sent in clear text by the very nature of the protocol you've chosen to deliver it", it doesn't seem like it works.
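The two clear-text problems this thread keeps returning to (a login form that posts the password over plain HTTP, and a session cookie a browser will also send over an unencrypted connection, which is exactly what makes it hijackable) can be checked mechanically from a single captured response. The Python below is an added example, not code from HTTP Shamer or anyone else in the thread; it runs offline against a constructed sample page and Set-Cookie headers rather than any real site, and the list of cookie names it treats as "session" cookies is an assumption you would tune per target.

```python
"""
Offline audit for two clear-text findings discussed in the thread:
(1) a form containing a password field whose action resolves to http://,
    so credentials are submitted unencrypted;
(2) a session-looking cookie set without the Secure attribute, so the
    browser will also send it over http:// where it can be sniffed and
    replayed.
All sample input below is constructed for the example; it is not captured
from any site named in the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form>, its resolved action URL, and whether it holds a password input."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing/relative action resolves against the page URL, so a
            # page served over http:// with action="/login" still posts in clear.
            action = urljoin(self.base_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(base_url, html):
    """Return action URLs of forms that would submit a password over http://."""
    scanner = _FormScanner(base_url)
    scanner.feed(html)
    return [f["action"] for f in scanner.forms
            if f["has_password"] and urlsplit(f["action"]).scheme == "http"]


# Assumption: these names identify session cookies; adjust per application.
SESSION_COOKIE_NAMES = ("sessionid", "session", "sid", "phpsessid", "jsessionid")


def insecure_session_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return names of session-looking cookies that lack the Secure attribute."""
    insecure = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; values (e.g. Path=/) are ignored here.
        attr_names = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if name.lower() in session_names and "secure" not in attr_names:
            insecure.append(name)
    return insecure


# Constructed sample response (not a real site): a page served over http://
# with a relative-action login form, a harmless https search form, and three
# Set-Cookie headers of which only "sessionid" is both session-like and insecure.
SAMPLE_URL = "http://example.test/login"
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="https://example.test/search"><input name="q"></form>
</body></html>
"""
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/",
    "sid=xyz789; Secure; HttpOnly",
]


def audit(base_url=SAMPLE_URL, html=SAMPLE_HTML, set_cookie_headers=SAMPLE_SET_COOKIE):
    """Run both checks and return the findings as a dict."""
    return {
        "cleartext_password_forms": cleartext_password_forms(base_url, html),
        "insecure_session_cookies": insecure_session_cookies(set_cookie_headers),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

Feed it the real page URL, body and Set-Cookie headers from a capture and the same two functions apply; an empty result for both is the bar a site has to clear before the "it's obvious from the protocol" argument above stops applying to it.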


The two main typefaces are Knockout and Gotham, both being fonts from Hoefler & Co. — formerly Hoefler & Frere-Jones (H&FJ), until Jonathan Hoefler allegedly never gave Tobias Frere-Jones the equity stake he promised, eventually calling him just an employee[1].

Not only do I think Hoefler &amp; Co. is a terrible company under Hoefler's leadership for that unethical move, the company has refused for the longest time to support web fonts using @font-face. Now they partially support it, but only using their proprietary hosting platform, which is just setting a bad precedent for the open web.

There are plenty of small foundries producing high-quality typefaces, with @font-face friendly licensing for webfonts. Can we please stop using Hoefler fonts and supporting this guy?!

[1] http://www.theverge.com/2014/1/17/5318206/hoefler-and-frere-...


Ideologically, I agree, except that HFJ/H&amp;C produce some amazing timeless typefaces and it's really hard to ignore that.


Agreed, they own some of the most well-known typefaces in the world. Sadly, their pricing is absurd.

For example, I run a forum with a million daily page views. If I wanted to use Gotham, I need to pay $150 for the font, and then subscribe to their cloud service and pay $450 per month for that amount of page views.

I might be willing to pay a one-time $100 fee to use one of their fonts, or a $100 per year subscription to use any of their fonts. However, $5,500 a year for my site? That's almost as much as my servers. It's a laugh, I'll stick with the well respected free web fonts.


The existence of the case has been unsealed, so here's the latest docket: http://ia902509.us.archive.org/20/items/gov.uscourts.nvd.101...

Looks like there was a stipulation filed on July 1 to transfer the domains back to No-IP, although the actual document isn't accessible in PACER.



That was published by Microsoft before the case was unsealed, so that one has been known for awhile, nothing new. http://www.noticeoflawsuit.com/


> "...which did that because there was no communication from No-IP ... The court ordered No-IP to send a response and looks like there was no response."

That's absolutely false. Microsoft explicitly asked the court to allow them to file the entire case under seal, and to obtain ex parte emergency relief without notifying the defendants.

The TRO states: “...good cause and the interest of justice require that this Order be Granted without prior notice to Defendants, and accordingly, Microsoft is relieved of the duty to provide Defendants with prior notice of Microsoft’s motion.”

The judge signed that. No-IP did not receive any advance warning or service by Microsoft's own admission, and No-IP's blog post confirms they weren't served until today.


That's not true. On June 19, Microsoft filed the Complaint, Motion to Seal, and Ex Parte TRO Application all at the same time.

The TRO actually says: “...good cause and the interest of justice require that this Order be Granted without prior notice to Defendants, and accordingly, Microsoft is relieved of the duty to provide Defendants with prior notice of Microsoft’s motion.”

It says that because Microsoft wanted it to say that; Microsoft used that language in their proposed TRO for the judge to sign, and the judge apparently agreed.

The Summons has nothing to do with this. The court issued the Summons, but the court doesn't do anything with it. It's the plaintiff's obligation to serve a summons on a defendant, and they have 120 days to do so before the Court would require the plaintiff dismiss the case without prejudice. The plaintiff could serve them the same day, or they could take their time. Corporations with registered agents are much easier to serve than an individual that dodges a process server.

There's often a good chance a defendant will receive a solicitation from an attorney (who searches court records for new cases) to represent them before they actually get served with the summons and complaint. However, nothing would come up in court records in this case because the entire docket is sealed.

There's no way Vitalwerks/No-IP would have known about this, and it sounds like they weren't served until today, after Microsoft's action.

I think it's pretty clear that Microsoft wanted to ensure that nobody, including No-IP, knew about the case until they were able to strike.


I hate pay-walls and even login-walls, so I genuinely disagree with Scribd's payment model. However, I do think the service provides value in that users are able to upload a PDF and it renders in a pretty widely-compatible viewer format (in HTML5). Embedding PDFs across multiple platforms is still a terrible native experience, and on some systems it launches tons of painful Acrobat toolbars or just doesn't show up at all.

I have yet to find a free or open source solution that's incredibly easy to implement and embed (for bloggers). To get PDF content showing nicely inside of a scrollable iframe, you need to convert the PDF to HTML, and host images somewhere. That's not easy for people who just want to jump right into publishing blog content. DocumentCloud seems totally awesome, but their hosted platform is restricted to journalists; specifically, "newsrooms."

I use Scribd for legal research; there are a lot of attorneys who post PDFs of case pleadings, since (a) PACER is expensive to use, and (b) RECAP has terrible searching. To that end, it really is the YouTube of PDFs, and I love it for that. Of course, YouTube is ad-supported, so perhaps that'd be a better option for Scribd, but that tends to draw ire too.

For what it's worth, you don't need to pay for a Scribd account if you regularly upload content. I haven't uploaded anything in a few months and I was able to download, for free, the Declaration of Independence link that the author highlighted. Of course, you wouldn't know that unless you stared at the little text on the bottom of the page, so that should change.


Just out of curiosity, what is it about pay-walls that you hate so much?

I don't hate them (my wallet does, when the content I want is behind them of course), but I find it to be a pretty reasonable model. Have a bite of the content, if you enjoy it then pay for the rest. It doesn't seem crazy to me that people should be compensated for their work, and while the "pay what you want" model is a lovely ideal, some people are more comfortable putting a fixed price on it.

I'm not asking to be combative, I'm genuinely curious on whether or not you have a better solution, and I'm totally open to having my opinion of pay-walls changed if I've overlooked some flaw in that model.


The paradox of paywalls is that content you have to pay for is less valuable than content you get for free. The ability to link to and from a page is a tremendous value-add in the web; a paywall breaks the chain of links. If an article is behind a paywall, I can read it, but I can't Tweet it to all my followers and expect they can read it, I can't link to it from my blog and expect all my readers to get the context... sharing is a fundamental feature for the web and paywalls break it.

There IS a case where paywalls work and work well -- if some of the value in the information is information asymmetry. This is why the Wall Street Journal works better behind a paywall than the New York Times does -- the audience for the WSJ is a bunch of people who deal in investing, where the value sometimes isn't in merely being informed but being more informed than the others.


It was already posted elsewhere in the thread, but here you go: http://pdf.yt/

Free, open-source, embeddable, ad-free, and accessible to anybody.

Disclaimer: I'm the creator of PDFy.


I actually appreciate the humor, but I'm in the same boat where there's a good portion I'm just not wrapping my head around clearly. I'd love if someone made an annotated version with technical descriptions.


I wish they were more transparent about the components used for the site, specifically for licensing purposes.

Example: The demo site uses Proxima Nova, which is loaded via Typekit. That's not an open source font, there's nothing documenting that they have a sublicensing/resale license, which means it's an added cost to someone to either license each weight of the typeface ($29 per weight, and I think I count 8 weights = $232). Alternatively, that font is only available in the Typekit $49.99/year plan, which imposes pageview limits. The typeface really seals the deal and adds to the emotion of the page, and could be a big disappointment or added cost to someone. Certainly, startups don't need the drama of being accused of copyright infringement.


You can self-host Proxima Nova for $29 per weight ... drum-roll ... as a one-time payment.

http://www.myfonts.com/fonts/marksimonson/proxima-nova/buy.h...

PS. By the way, Mark Simonson was one of the first type designers to experiment with liberal web-friendly licensing and would you just look how well Proxima is doing these days.

