This is hard to defend, guys.

It is literally the-simplest-thing-not-to-fuck-up. Nobody's asking you not to have security vulnerabilities. In fact: nobody's even asking you to fix vulnerabilities. We just need a reliable way to communicate with you about them.

If you're selling accounts on a web app, you need:

* A security page * With a PGP key * And an email contact * of someone who will write back * who knows what a security vulnerability is * and who will write back quickly.

That's it. Do that, and you're not a punch line. If someone dumps zero-day about you onto Twitter, you're already two steps ahead in the PR war, because you had a reasonable process, and the researcher ignored it.

Bonus points --- things that are trivial to do, but that nobody's even asking you to do:

* You can assign special issue numbers to vulnerabilities, to make the researcher feel like an XSS disclosure isn't the same thing as a bug in your online help.

* You can thank researchers privately, and let them know that you'd really like them to keep disclosing thing to you --- you could even give them (wait for it) a phone number.

* You can do what every vendor with a real security team does, and keep a public web page thanking people who have discreetly disclosed vulnerabilities to you.

The browser, however, would correctly treat 0xFF as an invalid initial byte, and then interpret the next character point, 0x1C ('<') independently.

So, you could pass arbitrary characters through Rails' string escape functions by prepending an initial invalid byte sequence, and thus cause the browser to interpret arbitrary JS/HTML.

I guess this is the scientific term for horny.

I appreciate the kind comments. If you or a friend / family member could benefit from the catheter, please do not hesitate to contact us on our website at www.vasculardesigns.com

No one will be turned away if they can not afford the catheter.

Robert Goldman

As with renewable energy, cancer treatment draws massive attention because it is such a big problem, and potential miracle solutions constantly make headlines.

However, the general audience does not have the background to place these announcements in context, and neither does the typical journalist. It is actually rather easy to come up with an entirely new approach that seems to work under certain conditions (algae make biofuels! solar panels in space! mice cancer cured!) but has no practical value. Having said that, good luck to this guy and I hope the device works well.

(I work in medical devices for cancer diagnosis)

This is my fault. I identified it as a Rails issue and requested that you forward your findings to the Rails security team so we could investigate in concert.

Craig here at 37s narrowed down a root fix with Michael, Rails' security ombudsman, who then enlisted Manfred's help to track down and repair the root cause. What you see today is the end result of those efforts. The security process worked, but you only saw the Rails arm of it. The apparent 37signals arm of it amounted to runaround. Completely not OK.

We now have a security-only email and PGP key at http://37signals.com/security. Next time, no runaround.

No disrespect, but that's not fascinating, it's stupid.

Basically, she had no savings. No rainy day fund. No retirement funds. No investments.

What's the first think Suze Orman types tell all of those women that watch her? Have enough set aside for 2-3 months living expenses - minimum!

There's simply no excuse for someone working so close to money to be so irresponsible with her own. I feel for her, but perhaps this is lesson learned.

1. The letter did not need to be open at all. If you want to travel the country for 30 days without paying, more power to you but why not just send it to the jetBlue CEO directly?

2. The people behind this letter obviously think their idea is amazingly brilliant. Which it isn't. Everyone has interesting stories. You could go into a Dunkin' Donuts at 3AM and hear some pretty crazy stuff. No need to be at 30,000 feet.

3. These people probably WILL get free flights or some other special support from jetBlue because God forbid a publicly-traded company didn't listen to any and every simple Jack who asked for something on the internet.

There is still much waiting to be said to fight back against the lifehacking, GTD, how to work for only 4 hours a week by being a giant dick and how to convert all of your farts into actionable GasHacks and become more productive by making sure you never have an original thought again movement. It is not said by productivity bloggers with a shitty book to hawk.