
© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

This past early March I made my second trip to the Outer Banks of North Carolina along the ocean to photograph the Milky Way rising in the eastern sky.

 

The first morning I went further south to a site I've been wanting to shoot a time lapse of the Milky Way rising over the ocean and I'm happy to say I accomplished that.

 

I had planned a workshop in the OBX in March but the Coronavirus stopped that cold. However, the good news is that I'll be back again in the Outer Banks in 2021 for another workshop.

▀▀▀▀▀▀▀▀▀▀

2021 Workshops

──────────

Unfortunately, I had to cancel all my photography workshops for 2020 due to the coronavirus. However, the good thing is that I have 7 workshops planned to help get your photography adventures going again. Here is my 2021 workshop list....

 

01. Outer Banks of North Carolina - March 8 - 11

02. Arches Nat'l Park (ANP), Utah - March 14 - 17

03. Jekyll Island, GA - April 7 - 10

04. Grand Teton Nat'l Park, WY - July 11 - 14

05. Grand Teton Nat'l Park, WY - Oct. 1 - 4

06. Northern Scotland: Isle of Skye - Mid-October

 

All US based workshops require a $300.00 deposit fee to secure a position. Taking the Coronavirus situation into consideration next year, the deposits are refundable should the workshop have to be cancelled with the exception of a small processing fee to return one's deposit.

 

All workshops will include photographing the Milky Way on two mornings weather permitting. And, each workshop will include one to two 3+ hour Photoshop & Lightroom Classic Milky Way post processing class.

 

If you are interested in attending any of these, the best way to contact me is by messaging me via Facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

 

You may also find me at: .. 500px || 72dpi || facebook || Instagram

 

Thanks for stopping by.

I had a message this morning on Facebook Messenger from a lady telling me that she had a print made from one of my images that she saw on a social media site - this photo here - (www.flickr.com/photos/128712946@N07/50567565642) - she went on to thank me for taking the shot and showed me a photo of the finished canvas of the image that had just arrived from the printers.

 

Should she have asked my permission first? Has anyone else experienced this? Is it image theft or is it fair game as it is uploaded to a social media site? I don't know what to think? Strange one! I am very interested to see what other photographers think.

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

On September 28th, I arrived in Jackson Hole, Wyoming in advance of the photography workshop I would be conducting from Sept. 29 to Oct. 3, 2019. I drove to many locations to check out the color and road conditions and the roads in the hills around the valley were bad because of the heavy rain that preceded my arrival.

 

So on Sept. 29th I had the hotel meet & greet and the next morning we were off to a great start as the weather, clouds and light were just excellent.

 

On the first of October, I took everyone to this site, one of several new sites I haven't taken past workshop attendees in the fall but when I drove past this I knew this had to be one site to visit.

 

▀▀▀▀▀▀▀▀▀▀

My 2020 workshops (all cancelled due to the Coronavirus)

 

During all workshops, I will take my group out at night for Milky Way night sky photography weather permitting.

  

1. Arches National Park - Feb. 28-March 3

 

2. Goblin Valley State Park and Factory Butte (Mars area) - March 3-4

 

3. Arches National Park - September 15-18

 

4. Grand Teton National Park - September 30-October 3

 

5. Northern Scotland - October 18-23

 

All workshops include Photoshop & Lightroom Classic Milky Way post processing sessions when the workshop conducts Milky Way night sky field work.

─────────

If you are interested in attending any of these, please send me a message via Flickr or Facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram || Smashwords

 

Thanks for stopping by.

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

Today is Sunday, June 2, 2019 and I'm happy to say I'm back in Jackson Hole, Wyoming (USA) and getting in some personal photography time before the 3 back-to-back workshops I have to conduct starting on June 3.

 

Here's a sunrise scene of Mt. Moran reflecting in the beaver pond north of the town of Jackson.

 

One of the things I'll be doing today is trying to locate a new grizzly bear in northern Jackson Hole area known as Felcia.

 

During the last week in May, she distracted a boar after hiding her two very young cubs. Once she accomplished this, she returned to the place where she hid the two cubs only to find one. The second has not been found to this date as far as I know so I'm going to have to contact Bernie Scates who lives here and see what he knows. He's the go-to person here in Jackson Hole when it comes to knowing where the different grizzlies are.

 

▀▀▀▀▀▀▀▀▀▀

My Milky Way night sky photography workshops

 

In 2019 I will be leading two 2 day photography workshops in Jackson Hole and one four day workshop in Jackson Hole.

 

During all workshops, I will take my group out at night for Milky Way night sky photography weather permitting.

 

Here is a list of the photography workshops I will conduct in 2019:

 

1. Arches National Park - March 1-3 with Ryan Smith SOLD OUT - Completed

 

2. Goblin Valley State Park with Ryan Smith - March 3-5 SOLD OUT - Completed

 

3. Grand Teton National Park early spring - June 3-5 (a few seats available, just been added on very short notice)

 

4. Grand Teton National Park spring wildflowers - June 6-10 SOLD OUT

 

5. Grand Teton National Park - June 11-12 (3 seats opened)

 

All workshops include Photoshop & Lightroom Milky Way post processing sessions covering latest Milky Way processing technique with image stacking.

─────────

Advance 2020 Iceland workshop announcement

Iceland workshop dates: July 6-11

 

This workshop is timed to capture the incredible huge lupine wildflowers throughout the areas we visit.

 

If you are interested in attending any of these, please send me a message via facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram

 

Thanks for stopping by.

 

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

On September 28th, I will fly to Jackson Hole, Wyoming (USA) where I will conduct my last workshop of the year. I couldn't be happier than to be in GTNP for the fall colors as I have so many times in the past.

 

After I return home from this trip on October 6, I will fly to Northern Scotland on October 16th where I will meet up with one of Scotland's finest landscape photographers, Jenny Cameron. Google her and check out her awesome photography.

 

Over the first four days there, we will travel to many places to document sites for the workshop we'll be conducting there over the 3rd week of October in 2020. And yes areas around the Isle of Skye will be included.

 

Once I return home, we'll then work on completing a multi-page informational workshop PDF to send anyone who's interested in attending this workshop. Following the PDF, we'll be posting video of the sites we'll take our group to and it will include some nice drone video as well.

 

Two days ago I made an early announcement of this workshop on Facebook and I already have 5 interested. So if you might be interested in this workshop, please send me a message and I'll add you to our advanced list and you'll also receive the workshop info PDF or if you're on Facebook please contact me via Messenger.

─────────

This site in Jackson Hole, Wyoming and many others are documented in my ebook "Grand Teton National Park - A Photographer's Site Shooting Guide - I".... see "Smashwords" link below.

 

▀▀▀▀▀▀▀▀▀▀

My 2020 workshops

 

During all workshops, I will take my group out at night for Milky Way night sky photography weather permitting.

 

1. Arches National Park - Feb. 28-March 3

 

2. Goblin Valley State Park and Factory Butte (Mars area) - March 3-4

 

3. Grand Teton National Park - September 20-23

 

4. Arches National Park - September 15-18

 

5. Northern Scotland - October 18-23

 

All workshops include Photoshop & Lightroom Classic Milky Way post processing sessions covering latest Milky Way processing technique with image stacking.

─────────

If you are interested in attending any of these, please send me a message via Flickr or Facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram || Smashwords

 

Thanks for stopping by.

  

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

On September 28th, I arrived in Jackson Hole, Wyoming in advance of the photography workshop I would be conducting from Sept. 29 to Oct. 3, 2019. I drove to many locations to check out the color and road conditions and the roads in the hills around the valley were bad because of the heavy rain that preceded my arrival.

 

So on Sept. 29th I had the hotel meet & greet and the next morning we were off to a great start as the weather, clouds and light were just excellent.

 

On the first of October, I took everyone to this site, one of several new sites I haven't taken past workshop attendees in the fall but when I drove past this I knew this had to be one site to visit.

 

▀▀▀▀▀▀▀▀▀▀

My 2021 Workshops

──────────

01. Outer Banks of North Carolina - March 8 - 11

02. Arches Nat'l Park (ANP), Utah - March 14 - 17

03. Jekyll Island, GA - April 7 - 10

04. A Southwest US site: TBA - May 2021

05. ANP, UT & Monument Valley - April 13 - 16

06. Grand Teton Nat'l Park, WY - July 8 - 12

07. Grand Teton Nat'l Park, WY - Oct. 1 - 4

 

All workshops include Photoshop & Lightroom Classic Milky Way post processing sessions when the workshop conducts Milky Way night sky field work.

─────────

If you are interested in attending any of these, please send me a message via Flickr or Facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram || Smashwords

 

Thanks for stopping by.

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

Zion National Park - USA

 

Zion is such a cool park with so many great places for photography.

 

In 2020 I will definitely visit this site again as there is just too much to see here. This will be one of several sites in this area where I plan to capture the Milky Way in the night sky.

 

▀▀▀▀▀▀▀▀▀▀

My Milky Way night sky photography workshops

 

During all workshops, I will take my group out at night for Milky Way night sky photography weather permitting.

 

2020 Workshops

1. Arches National Park - April 26-29

2. Jackson Hole, Wyoming - Oct. 3-6

3. Scotland - October 11-15

 

These workshops include Photoshop and Lightroom Classic Milky Way post processing.

 

If you are interested in attending any of these, please send me a message via facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram

 

Thanks for stopping by.

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

I was going over some photos taken in Jackson Hole, Wyoming in Lightroom Classic over the years and came across this one.

 

During my visit to Jackson, Wyoming in September 2012, I was scouting different locations to take people to in a future workshop here and I thought attendees would really like the sunrise from this location.

 

So I documented this well and entered it into an ebook I was writing at the time called "Grand Teton National Park - A Photographer's Site Shooting Guide - I".

 

▀▀▀▀▀▀▀▀▀▀

My Milky Way night sky photography workshops

 

In 2019 I will be leading two 2 day photography workshops in Jackson Hole and one four day workshop in Jackson Hole.

 

During all workshops, I will take my group out at night for Milky Way night sky photography weather permitting.

 

Here is a list of the photography workshops I will conduct in 2019:

 

1. Arches National Park - March 1-3 with Ryan Smith SOLD OUT - Completed

 

2. Goblin Valley State Park with Ryan Smith - March 3-5 SOLD OUT - Completed

 

3. Grand Teton National Park early spring - June 3-5 (a few seats available, just been added on very short notice)

 

4. Grand Teton National Park spring wildflowers - June 6-10 SOLD OUT

 

5. Grand Teton National Park - June 11-12 (3 seats opened)

 

All workshops include Photoshop & Lightroom Milky Way post processing sessions covering latest Milky Way processing technique with image stacking.

─────────

Advance 2020 Iceland workshop announcement

Iceland workshop dates: July 6-11

 

This workshop is timed to capture the incredible huge lupine wildflowers throughout the areas we visit.

 

If you are interested in attending any of these, please send me a message via facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram

 

Thanks for stopping by.

 

"SERIOUSLY, SELFIES" - SOTN Challenge #62

 

Took my photo with Facebook Messenger selfie app that has face changing filters and masks.

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

My 17 day trip to Jackson Hole, Wyoming is now over and I can work on a few images before my upcoming two week trip to Iceland.

 

During this trip, I conducted 2 back to back workshops. One from June 3-5 and the second from June 6-10. The first I did by myself and the 2nd I collaborated with one of Utah's finest photographers Ryan Smith.

 

Once the workshop was over on the 10th I made a quick deviation down to Arches National Park, Grand Escalante National Park and Zion National before returning to Jackson Hole on the afternoon of the 14th.

 

On the morning of June 16th the light and clouds were really working with me so I headed over to the southern Moulton Barn for a few sunrise shots before heading north to look for grizzly 399 and her two cubs which I did see and photograph and hope to process and post some time soon.

 

This site and many others are documented in my ebook "Grand Teton National Park - A Photographer's Site Shooting Guide - I".... see "Smashwords" link below.

 

▀▀▀▀▀▀▀▀▀▀

My Milky Way night sky photography workshops

 

In 2019 I will be leading two 2 day photography workshops in Jackson Hole and one four day workshop in Jackson Hole.

 

During all workshops, I will take my group out at night for Milky Way night sky photography weather permitting.

 

Here is a list of the photography workshops I will conduct in 2019:

 

1. Arches National Park - March 1-3 with Ryan Smith SOLD OUT - Completed

 

2. Goblin Valley State Park with Ryan Smith - March 3-5 SOLD OUT - Completed

 

3. Grand Teton National Park early spring - June 3-5 (Completed)

 

4. Grand Teton National Park spring wildflowers - June 6-10 SOLD OUT - Completed

 

All workshops include Photoshop & Lightroom Milky Way post processing sessions covering latest Milky Way processing technique with image stacking.

─────────

Advance 2020 Iceland workshop announcement

Iceland workshop dates: July 6-11

 

This workshop is timed to capture the incredible huge lupine wildflowers throughout the areas we visit.

 

If you are interested in attending any of these, please send me a message via facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram || Smashwords

 

Thanks for stopping by.

  

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

Camera: Nikon D850

 

I was going over some photos taken during my recently completed 3rd trip to Iceland and I came across four puffin images taken in quick succession.

 

While there I had visited a number of puffin sites and it's always a lot of fun to be able to get so close and watch them take off to the ocean then fly back.

 

This is a four image blend in Photoshop.

▀▀▀▀▀▀▀▀▀▀

My 2019 photography workshops

 

In 2019 I will be leading one 2 day photography workshop in Jackson Hole and two 4 day workshops in Jackson Hole.

 

During all workshops, I will take my group out at night for Milky Way night sky photography weather permitting.

 

Here is a list of the photography workshops I will conduct in 2019:

 

1. Arches National Park - March 1-3 with Ryan Smith SOLD OUT - Completed

 

2. Goblin Valley State Park with Ryan Smith - March 3-5 SOLD OUT - Completed

 

3. Grand Teton National Park early spring - June 3-5 SOLD OUT

 

4. Grand Teton National Park spring wildflowers - June 6-10 SOLD OUT

 

5. Grand Teton National Park - June 11-12 SOLD OUT

 

6. Grand Teton National Park - Sept. 29-Oct. 3 (recently announced, 1 slot open)

 

2020 Workshops

 

1. Arches National Park & Canyonlands - February 28-March 2

2. Grand Teton National Park - June 11-15

3. Iceland - July 6-10

4. Scotland - 3rd week in October: TBA

 

All workshops include Photoshop & Lightroom Milky Way post processing sessions covering latest Milky Way processing technique with image stacking.

 

More detailed info on the mid-June 2020 workshop in Jackson Hole, Wyoming may be found here:

www.eventbrite.com/e/icons-of-the-tetons-june-2020-photog...

─────────

The Iceland workshop is timed to capture the incredible huge lupine wildflowers throughout the areas we visit. I plan a two day extension for this workshop in case any want more time to capture more scenes in different areas.

 

If you are interested in attending any of these, please send me a message via facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram

 

Thanks for stopping by.

 

IT'S HERE!!!

Week two is now available on the site,

usually the post is made in the evening, but

since I'm working the evening shift tonight, I decided

to go ahead and post it up now :)

go check it out now, and as always if you want to submit one

just send it to me on Facebook messenger.

www.facebook.com/alturaandromeda.silentnova

 

(mobile version still under construction...my apologies! there is a possibility I may have to move this page to another site, but I'm still trying to work with Wix.)

 

week # 002 [ kudosandkindness.wixsite.com/mysite/blog ]

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

Camera: Nikon D850, Rokinon 14mm SP f2.4 lens

 

I was going over some photos taken during my late August to early September 2018 trip and came across this one as I was using Lightroom Classic.

 

During my time there, I was scouting different locations to take people to in my July 2020 workshop I'm now planning and this is one waterfall I'll be taking everyone to. The great thing is that two others are very close by.

 

So I documented this well and entered it into an ebook I was writing at the time called "Iceland - A Photographer's Site Shooting Guide - I".

 

▀▀▀▀▀▀▀▀▀▀

My 2019 photography workshops

 

In 2019 I will be leading two 2 day photography workshops in Jackson Hole and one three day workshop in Jackson Hole.

 

During all workshops, I will take my group out at night for Milky Way night sky photography weather permitting.

 

Here is a list of the photography workshops I will conduct in 2019:

 

1. Arches National Park - March 1-3 with Ryan Smith SOLD OUT - Completed

 

2. Goblin Valley State Park with Ryan Smith - March 3-5 SOLD OUT - Completed

 

3. Grand Teton National Park early spring - June 3-5 SOLD OUT

 

4. Grand Teton National Park spring wildflowers - June 6-10 SOLD OUT

 

5. Grand Teton National Park - June 11-12 SOLD OUT

 

2020 Workshops

 

1. Arches National Park - March 21-24

2. Canyonlands National Park - March 21-24

3. Grand Staircase Escalante - March 26-29

4. Grand Teton National Park - June 23-26

5. Iceland - July 6-10

6. Scotland - Some time in October: TBA

 

All workshops include Photoshop & Lightroom Milky Way post processing sessions covering latest Milky Way processing technique with image stacking.

─────────

The Iceland workshop is timed to capture the incredible huge lupine wildflowers throughout the areas we visit. I plan a two day extension for this workshop in case any want more time to capture more scenes in different areas.

 

If you are interested in attending any of these, please send me a message via facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram

 

Thanks for stopping by.

 

Aria made a pic of our Hen Den, a group of Second Life and IMVU girls brought together on facebook messenger :3

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

This site in Grand Escalante Staircase National Park is well sought after by Milky Way photographers.

 

I love all the swirling lines around the top of this pothole and on the inside of it.

 

Regardless of when you visit this during the Milky Way season you can't help but return home with some really nice images.

 

I will definitely visit this site again. This will be one of several sites in this area where I plan to capture the Milky Way in the night sky.

▀▀▀▀▀▀▀▀▀▀

2021 Workshops

──────────

Unfortunately, I had to cancel all my photography workshops for 2020 due to the coronavirus. However, the good thing is that I have 7 workshops planned to help get your photography adventures going again. Here is my 2021 workshop list....

 

01. Outer Banks of North Carolina - March 8 - 11

02. Arches Nat'l Park (ANP), Utah - March 14 - 17

03. Jekyll Island, GA - April 7 - 10

04. ANP, UT & Monument Valley - April 13 - 16

05. Grand Teton Nat'l Park, WY - July 11 - 14

06. Grand Teton Nat'l Park, WY - Oct. 1 - 4

07. Northern Scotland: Isle of Skye - Mid-October

 

Each workshop requires a $300.00 deposit fee to secure a position. The deposits are refundable with the exception of a small processing fee to return one's deposit.

 

All workshops will include photographing the Milky Way on two mornings, weather permitting. And, each workshop will include one to two 3+ hour Photoshop & Lightroom Classic Milky Way post processing class.

 

If you are interested in attending any of these, please send me a message via Facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram || Smashwords

 

Thanks for stopping by.

  

Good day! Dear friend!

 

1. Free webinar on how to become a trader and trade on the stock exchange. Is it possible to deceive the stock exchange? - bit.ly/2GqaCXs

 

2. Tera online - professionals in the field of online trading and marketing. In the market since 2014 year. No wonder the level of conversion from the application to the deposit from the start took the mark of 3.5%. GET OUR PROGRAM NOW AND EARN YOUR FIRST MONEY STILL TODAY. - bit.ly/2UUIsa2

 

3. Telegram 10 - a new crypto project INNOVATIVE EARNINGS ON MESSENGERS LEARN HOW TO USE POPULAR MESSENGERS TO PRODUCE PROFIT. SUCH MESSAGERS LIKE WhatsApp, Viber, Facebook Messenger, Telegram. - bit.ly/2EBym

 

4. Find an interested investor for your business among 1,538 investors willing to invest up to 1 billion right now. - bit.ly/2S0SyEC

Just in case anybody missed week one

over on Kudos & Kindness...

this week there isn't many, so feel free to send me yours for next week...

go check it out now, and if you want to submit one

just send it to me on Facebook messenger.

www.facebook.com/alturaandromeda.silentnova

 

(mobile version still under construction...my apologies! there is a possibility I may have to move this page to another site, but I'm still trying to work with Wix.)

 

week # 001 [ kudosandkindness.wixsite.com/mysite/blog ]

I only met you once at a leather event (this photo, Michael is on the left wearing a leather strap & the medal around his neck) and you're very warm & kind to me. We kept in touch through Facebook messenger but every time you're in town it was like ships passing through the night. Now I hear the sad news of your passing. I'm real sorry we didn't get to hang out together more often. Rest In Paradise Michael & God Speed. My condolences go out to his wife Rhee, family, leather family & friends.

Fujifilm X-T2

Samyang 12mm f2

 

© 2019 Anthem of Colours Photography | Mico Picazo

Stealing, cropping, or any other kind of modification without my consent is punishable by law.

If you want to have an access to my photo please contact me thru Facebook Messenger.

update A few days back Gambhir Singh died by hanging my video had reunited him with his family after 40 years ..

 

old post

I began shooting Gambhir Singh more as a case study than anything else ..children tease him on the streets calling him Nepali and he would abuse them and shout out that he was a Manipuri an Indian not a Nepali ,,

I got to know him as each morning he would come to Bandra Bazar where I stay he would visit the hooch joint there he would regale the people on the streets with old Hindi songs ,, I would buy him snacks or give him money he took a liking to me as I shot his pictures ..

He was never sober always incoherent he once told me he was in the Army he left the army when his father died he came to his hometown to till his farms then there was some misunderstanding with his brothers he left Manipur and was working in Mumbai ..something happened he said without giving me details that he began drinking gradually became a hardcore alcoholic,

 

This is his story and I am adding this narration as I got messages from his relatives on Facebook Messenger that he was missing for last 40 years and they discovered him through my video,

 

I told them to file a missing persons complaint online with Bandra Police I am sure they will trace him out he is in bad company of drunkards ..

When I meet him he is sozzled and he misses me he says as I always have a good word for him.. as I too was addicted to booze in my early years and gave up the bottle since last 20 years .

So I understand Gambhir Singh Manipuris broken dreams loneliness and delusions ,,

And only a sensitive understanding family can cure a loved one of this evil called Alcohol.

 

I wish his family gets reunited with him..

He begs late evenings at Bandra Hill Road .

 

Gambhir Singh died in September 2020

  

youtu.be/nnDIyuukkh4

#firozeshakir #gambhirsingh #manipur

Fujifilm X-T2

Samyang 12mm f2

  

© 2019 Anthem of Colours Photography | Mico Picazo

Stealing, cropping, or any other kind of modification without my consent is punishable by law.

If you want to have an access to my photo please contact me thru Facebook Messenger.

Venom now discounted from £32 to ****£26.50****

 

He uses UV printing onto Official Lego pieces. (Designed by myself over the past few months, this is the first of many figures which I plan to print).

 

Unless these sell out very quickly from demand, each design will likely be done on a ***limited print of 10***.

5 have already sold so if you want one Now Is the Time to Get One. (if heavily requested, 5 more will be printed, but that shall be the max)

 

£26.50 + shipping (discounted from the original £32).

 

Features high quality print on front/back torso, leg, both arms and two head pieces. Also includes collectors card.

 

International shipping although local UK will be easier/cheaper.

 

Once these are sold out, there won't be anymore, now is the only time to get one.

 

If you wish to buy one please let me know below and contact me via instagram messages (_tom_beke_), facebook messenger (Tom Beke), or via my email thecampervantom@yahoo.co.uk

  

(I've tagged a "few" people who may be interested)

 

PRIDE FESTIVAL SL 2019

We are back bitchesssss!!

[Sponsored by Arcigay - Italian LGBTQ Association]

  

The first Pride Festival has been amazing! The whole organization has been MAD, we did it all in less than 3 weeks, and the result was incredible, thanks to all the people that helped us in many many ways. We raised 92.802 lindens and we donated them to Arcigay Italy, the no-profit organization that is helping the troubled italian LGBTQ community. We are so proud and so happy about the success of last year that we can't wait to organize a brand-new edition, full of music, art, fashion and lot of fun!

For more info visit our website: pridefestivalsl.wordpress.com/

  

>>> How Pride Festival was born?

 

The Italian community of Second Life, during these 15 years of virtual platform, has been present in many fields of activity, including design, the fair environment, role play and last but not least artistic events. We Italians are passionate, fighters, lovers of drama; however we always know how to give the best of us, united for a good cause. During my 11 years of Second Life I have explored numerous realities. In many cases I noticed that some of the progress made by the real society was not reflected in the virtual environment. I have seen too many homophobic attacks, a lot of intolerance and a lack of sensitivity towards a subject as delicate as sexual identity and gender freedom.

So, I decided to remind Italians about the infinite potential of our positive actions, by setting up a festival, the Pride Festival of Second Life.

 

The intent of the festival is to sensitize the Italian and the international community about intolerances and verbal violence, towards LGBTQ community. The festival (NO PROFIT) will last five days, the program will be varied and will bring together a whole series of events: from DJ sets, fashion shows, contests, photo exhibitions etc.

 

The main focus of the festival is a fundraising that will be donated to Arcigay LGBTQ Association, which for years has been at the forefront of organizing events and awareness activities for LGBTQ community.

We share our experiences, discover new realities and get to know each other. Because only in this way we can defeat homophobia.

  

>>> Pride Festival 2.0 - 2019 edition

 

WHEN: 26th - 30th June 2019 (5 days)

THEME: Community is power

WHAT: Music, fair, fashion show and art

SETTING: Retro-wave

 

These are the applications to join the event!

If you are interested in helping us with the organization, send a notecard to Eva Artemesia or contact me via Facebook Messenger: www.facebook.com/profile.php?id=100013453985844 or Discord: Eva Artemesia#1763

  

DESIGNER APP >>>

 

The rules are very simple: the fee is 2000L (you can choose to donate the entire amount to Arcigay or to give 1000L in donation to Arcigay and 1000L to the organization). There are no exclusives required (if you want you can do it anyway) but a simple group gift for the participants. In the booth you can also add everything you want, make sales, etc., you have 80 prims available. We have like 30 booths in the sim, first come first served! All the sponsor logos will be added on the website, on social media and, inworld, at landing point and along the runway of the Fashion Show Contest.

We don't have bloggers but you can send the gift to your bloggers. We will create a Gift Guide for the customers, it will be shared on Facebook, Flickr and added in the Pride Festival HUD.

APP LINK: goo.gl/forms/Be4BR00wMLZBNojE3

  

DJ APP >>>

 

If you want to join the event as a dj fill the form! The parties will start from 12 or 1 pm sl time. Please bring a host with you, we need to keep the parties alive and follow the donations! We have a retro-wave/neon location theme, you can choose this theme for your dj set or another one you prefer, just let us know! We will also organize some contest parties with a prize, let us know if you are interested in hosting and djing during these events!

APP LINK: goo.gl/forms/yJlCIu5K5U7ZHcFo1

  

MODEL APP >>>

 

We are looking for models (non-professional too) for our Great Fashion Show Contest! Pride Festival is a no profit event, so no money as award, but instead you can win the title of Mister and Miss Pride 2019, the amazing Peacock Crown and a gift card from one of our sponsors! It’s a funny way to be together, support the cause and have fun! Five male and five female will be selected, there will be a training lesson, 3 outfits to prepare and a special jury to decide the winner! If you are interested please fill the app!

APP LINK: goo.gl/forms/gyuJCD3gc6OiC2yJ3

  

ARTIST >>>

 

For the entire duration of the event we will set up a photographic exhibition open to everybody, with the aim of telling through the images the theme of homophobia , sexual freedom and LGBTQ community power.

If you want to participate send your work to Eva Artemesia. Square format. Texture name: "Pride Festival ART 2019 – Avatar name". Remember to set it with all permissions! (Copy / mod / transfer).

The Art Gallery is not a contest. The pictures will not be sold. The image can be an old one.

Please keep your works as an exclusive for the event, then you can spam it everywhere! If the picture is old, no problem.

  

All info here: pridefestivalsl.wordpress.com/

 

Contacts:

Owner: Eva Artemesia

Top Manager: Luigi Kariunga

SIM Manager: Ashlar Bayn

Social Media Manager: Dae Zarco

DJ Manager: Chad Paolino

 

-------------------

SECOND LIFE GROUP: secondlife:///app/group/0fdccbe3-4ba9-b1b8-3b54-c22aa8d3b853/about

FACEBOOK: www.facebook.com/groups/163726317811820/

DISCORD: Coming soon

-------------------

Designers and Artists of SL, we will be back in December so please stay tuned end of August 2020 when the application for designers and artists open!

 

This Event is to support all survivors of sexual assault, abuse and violence and to honor the dedicated personnel of RAINN (Rape Abuse & Incest National Network).

 

In the meantime, please feel free to view our official website:

isaidnoeventsl.wordpress.com/

RAINN.org: www.rainn.org

Letter of Authorization from RAINN: tinyurl.com/tjnh4hh

 

If you have any questions, please do not hesitate to contact me here on Facebook Messenger or inworld (mmorganwhitfield)

In October 2014 I was randomly contacted by a young Sudanese man living in a refugee camp in Uganda. His request from me was to send him to school. The rest is history. I will be chronicling the story of how one young man's request on Facebook Messenger turned into a new nonprofit called "Let's Send These Kids to School" and gave me a new life mission.

Heads up!

 

Starting today (December 26), Victory Liner will resume their trips from Cubao to Baguio City and vice versa.

 

Updated Trip Schedules

 

Baguio to Cubao (Dec. 27 onwards)

 

8:00AM

1:00PM

5:00PM

 

Cubao to Baguio (Dec. 28 onwards)

 

5:00AM

10:00AM

3:00PM

 

Point-to-Point Fare: Php576.00

 

You can book your bus ticket at the VLI Ticket Booth.

 

*Trip schedule may be changed without prior notice.

 

To ensure safe travel, the health safety protocols shall be strictly implemented such as:

-Wearing of face mask and face shield

-No talking and answering phone calls

-No food and eating inside

-With adequate ventilation

-With frequent and proper disinfection

-No symptomatic passengers

-Appropriate physical distancing

-Temperature checks

-Handwashing with alcohol and hand sanitizer

-Filing the Health Declaration Form for contact tracing purposes

 

Travel Requirements

 

Health Workers, Uniformed Personnel, and Government Officials who are residents of, or are assigned to work in, the BLISTT (Baguio, La Trinidad, Itogon, Sablan, Tublay, and Tuba) Area:

-Medical Certificate issued by the Local Health Officer at place of origin

-Valid Government Issued ID, and any documents as proof of residence or assignment in the BLISTT area

 

Authorized Persons Outside Residences not residing, or not assigned to work in BLISTT:

-Valid Government Issued ID showing place of residence

-Any document as proof of APOR status and APOR purpose in Baguio City (Employee ID, Certificate of Employment, Business Permit, IBP/PRC ID, Contract of Work, Official Invitation, etc.)

-Negative result of RT-PCR or Rapid Antigen test conducted within 72 hours prior to entry into the City (if none, proceed to Central Triage for testing)

 

Passing Through only:

-Medical Certificate issued by Local Health Officer at place of origin

-Travel Pass-through Permit (TPP) issued by PNP in place of origin

 

Persons travelling to Baguio for medical purposes:

-Medical Certificate issued by Local Health Officer at place of origin

-Doctor’s Referral or proof of medical appointment

 

Employees of the public and private sector who are residents of Baguio and working in nearby provinces, and who regularly pass through checkpoints. Workers in Baguio and living in nearby provinces, who regularly pass through checkpoints. Baguio residents returning from travels outside of the City (*For this purpose, BLISTT residents shall be given the same treatment.):

-Medical Certificate issued by Local Health Officer at place of origin

-Valid Government Issued ID showing place of residence

-If passing through the checkpoints for purposes of work, business, or employment, any document as proof of APOR status (Employee ID, Certificate of Employment, Business Permit, IBP/PRC ID, Contract of Work, and etc.)

-Negative result of RT-PCR or Rapid Antigen test conducted within the last 30 days prior to entry into the City

 

Returning Baguio Residents:

-Travel Authority issued by the PNP in the place of origin

-Valid Government Issued ID showing place of residence in Baguio City

-Negative result of RT-PCR or Rapid Antigen test conducted within 72 hours prior to entry into the City

 

*May opt to undergo 14 day home quarantine instead of testing

 

Non-APORs coming into the city for non-tourist, personal travel purposes (including students):

-Travel Authority issued by the PNP in the place of origin

-Negative result of RT-PCR or Rapid Antigen test conducted within 72 hours prior to entry into the City (if none, proceed to Central Triage for testing)

 

*Those coming into the city for work or study the first time since ECQ may opt to undergo 14 day home quarantine instead of testing

 

Tourists:

-QR Coded-Tourist Pass (QTP) from Baguio Visita Website*

 

*Registration required.

 

Source: City Government of Baguio "Advisory On Localized Entry Protocols for Baguio City while on Restricted Status," issued on October 23, 2020

 

Cubao to Baguio:

-QR Coded-Tourist Pass (QTP) from Baguio Visita Website*

-Negative Antigen Swab Test Result (Valid for 72 hours before departure)

 

*Registration required.

 

Baguio to Cubao:

-Travel Authority

-Medical Certificate

-Valid Government-Issued ID

 

For Questions and Inquiries:

-Chat via Victory Liner Facebook Messenger

-Contact the Victory Liner Hotlines at (02) 8842 8679 or 0998 591 5102

 

For Further Reading:

Victory Liner Baguio Trips

 

*Updated as of Dec. 26, 2020 @ 7:42PM on Victory Liner official Facebook page.

 

Here's the Special Edition of Bus Fleets Then and Now featuring Victory Liner's MAN fleets deployed in Baguio route.

 

Then: Victory Liner 2117 - MAN A55 18.310 - Santarosa EXFOH

 

Entry Into Service: 2001

Year Retired: 2016

Photo Date Taken: July 20, 2013

 

Now: Victory Liner 7123 - MAN R39 18.350 - Santarosa Modulo

 

Entry Into Service: 2017*

Photo Date Taken: October 1, 2017

 

*Acquired in 2016. Converted into "New Normal" interior setup with 1x1x1 seating configuration and acrylic plastic barrier per seat and at the driver's work. The conversion was done by Del Monte Motor Works, Inc. and released this 2020.

A new set of chat stickers for Facebook Messenger is now available. Download a set for free today!

A dark pattern is "a user interface that has been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills." The neologism dark pattern was coined by Harry Brignull on July 28, 2010 with the registration of darkpatterns.org, a "pattern library with the specific goal of naming and shaming deceptive user interfaces."

Bait-and-switch patterns advertise a free (or greatly reduced) product or service which is wholly unavailable or stocked in small quantities. After it is apparent the product is no longer available, they are exposed to other priced products similar to the one advertised. This is common in software installers, where a button will be presented in the fashion of a typical continuation button. It is common that one has to accept the program's terms of service, so a dark pattern would show a prominent "I accept these terms" button on a page where the user is asked to accept the terms of a program unrelated to the program they are trying to install. Since the user will typically accept the terms by force of habit, the unrelated program can subsequently be installed. The installer's authors do this because they are paid by the authors of the unrelated program for each install that they procure. The alternative route in the installer, allowing the user to skip installing the unrelated program, is much less prominently displayed or seems counter-intuitive (such as declining the terms of service).

 

en.wikipedia.org/wiki/Dark_pattern

 

This pattern is also used by some websites, where the user is shown a page where information is asked that is not required. For example, one would fill out a username and password on one page, and after clicking the "next" button the user is asked for their email address with another "next" button as the only option. It is not apparent that the step can be skipped. When simply pressing "next" without entering their personal information, however, the website will just continue. In some cases, a method to skip the step is visible but not shown as a button (instead, usually, as a small and greyed-out link) so that it does not stand out to the user. Other examples that often use this pattern are inviting friends by entering someone else's email address, uploading a profile picture, or selecting interests.

 

“This is a civilizational moment in a way I’m not sure we’re all reckoning with,” Harris said on stage. “It’s a historical moment when a species that is intelligent builds technology that ... can simulate a puppet version of its creator, and the puppet can control the master. That’s an unprecedented situation to be in. That could be the end of human agency, when you can perfectly simulate not just the strengths of people but their weaknesses.”

 

Where does technology exploit our minds’ weaknesses?

 

I learned to think this way when I was a magician. Magicians start by looking for blind spots, edges, vulnerabilities and limits of people’s perception, so they can influence what people do without them even realizing it. Once you know how to push people’s buttons, you can play them like a piano.

  

That’s me performing sleight of hand magic at my mother’s birthday party

And this is exactly what product designers do to your mind. They play your psychological vulnerabilities (consciously and unconsciously) against you in the race to grab your attention.

 

I want to show you how they do it.

 

Hijack #1: If You Control the Menu, You Control the Choices

 


Western Culture is built around ideals of individual choice and freedom. Millions of us fiercely defend our right to make “free” choices, while we ignore how we’re manipulated upstream by limited menus we didn’t choose.

 

This is exactly what magicians do. They give people the illusion of free choice while architecting the menu so that they win, no matter what you choose. I can’t emphasize how deep this insight is.

 

When people are given a menu of choices, they rarely ask:

 

“what’s not on the menu?”

“why am I being given these options and not others?”

“do I know the menu provider’s goals?”

“is this menu empowering for my original need, or are the choices actually a distraction?” (e.g. an overwhelming array of toothpastes)

Photo by Kevin McShane

 

How empowering is this menu of choices for the need, “I ran out of toothpaste”?

For example, imagine you’re out with friends on a Tuesday night and want to keep the conversation going. You open Yelp to find nearby recommendations and see a list of bars. The group turns into a huddle of faces staring down at their phones comparing bars. They scrutinize the photos of each, comparing cocktail drinks. Is this menu still relevant to the original desire of the group?

 

It’s not that bars aren’t a good choice, it’s that Yelp substituted the group’s original question (“where can we go to keep talking?”) with a different question (“what’s a bar with good photos of cocktails?”) all by shaping the menu.

 

Moreover, the group falls for the illusion that Yelp’s menu represents a complete set of choices for where to go. While looking down at their phones, they don’t see the park across the street with a band playing live music. They miss the pop-up gallery on the other side of the street serving crepes and coffee. Neither of those show up on Yelp’s menu.

 

Yelp subtly reframes the group’s need “where can we go to keep talking?” in terms of photos of cocktails served.

The more choices technology gives us in nearly every domain of our lives (information, events, places to go, friends, dating, jobs) — the more we assume that our phone is always the most empowering and useful menu to pick from. Is it?

 

The “most empowering” menu is different than the menu that has the most choices. But when we blindly surrender to the menus we’re given, it’s easy to lose track of the difference:

 

“Who’s free tonight to hang out?” becomes a menu of most recent people who texted us (who we could ping).

“What’s happening in the world?” becomes a menu of news feed stories.

“Who’s single to go on a date?” becomes a menu of faces to swipe on Tinder (instead of local events with friends, or urban adventures nearby).

“I have to respond to this email.” becomes a menu of keys to type a response (instead of empowering ways to communicate with a person).


 

All user interfaces are menus. What if your email client gave you empowering choices of ways to respond, instead of “what message do you want to type back?” (Design by Tristan Harris)

When we wake up in the morning and turn our phone over to see a list of notifications — it frames the experience of “waking up in the morning” around a menu of “all the things I’ve missed since yesterday.”

  

A list of notifications when we wake up in the morning — how empowering is this menu of choices when we wake up? Does it reflect what we care about? (credit to Joe Edelman)

By shaping the menus we pick from, technology hijacks the way we perceive our choices and replaces them with new ones. But the closer we pay attention to the options we’re given, the more we’ll notice when they don’t actually align with our true needs.

 

Hijack #2: Put a Slot Machine In a Billion Pockets

 

If you’re an app, how do you keep people hooked? Turn yourself into a slot machine.

 

The average person checks their phone 150 times a day. Why do we do this? Are we making 150 conscious choices?

  

How often do you check your email per day?

One major reason why is the #1 psychological ingredient in slot machines: intermittent variable rewards.

 

If you want to maximize addictiveness, all tech designers need to do is link a user’s action (like pulling a lever) with a variable reward. You pull a lever and immediately receive either an enticing reward (a match, a prize!) or nothing. Addictiveness is maximized when the rate of reward is most variable.

 

Does this effect really work on people? Yes. Slot machines make more money in the United States than baseball, movies, and theme parks combined. Relative to other kinds of gambling, people get ‘problematically involved’ with slot machines 3–4x faster according to NYU professor Natasha Dow Shull, author of Addiction by Design.

 

But here’s the unfortunate truth — several billion people have a slot machine in their pocket:

 

When we pull our phone out of our pocket, we’re playing a slot machine to see what notifications we got.

When we pull to refresh our email, we’re playing a slot machine to see what new email we got.

When we swipe down our finger to scroll the Instagram feed, we’re playing a slot machine to see what photo comes next.

When we swipe faces left/right on dating apps like Tinder, we’re playing a slot machine to see if we got a match.

When we tap the # of red notifications, we’re playing a slot machine to see what’s underneath.

 

Apps and websites sprinkle intermittent variable rewards all over their products because it’s good for business.

 

But in other cases, slot machines emerge by accident. For example, there is no malicious corporation behind all of email who consciously chose to make it a slot machine. No one profits when millions check their email and nothing’s there. Neither did Apple and Google’s designers want phones to work like slot machines. It emerged by accident.

 

But now companies like Apple and Google have a responsibility to reduce these effects by converting intermittent variable rewards into less addictive, more predictable ones with better design. For example, they could empower people to set predictable times during the day or week for when they want to check “slot machine” apps, and correspondingly adjust when new messages are delivered to align with those times.

 

Hijack #3: Fear of Missing Something Important (FOMSI)

 

Another way apps and websites hijack people’s minds is by inducing a “1% chance you could be missing something important.”

 

If I convince you that I’m a channel for important information, messages, friendships, or potential sexual opportunities — it will be hard for you to turn me off, unsubscribe, or remove your account — because (aha, I win) you might miss something important:

 

This keeps us subscribed to newsletters even after they haven’t delivered recent benefits (“what if I miss a future announcement?”)

This keeps us “friended” to people with whom we haven’t spoken in ages (“what if I miss something important from them?”)

This keeps us swiping faces on dating apps, even when we haven’t even met up with anyone in a while (“what if I miss that one hot match who likes me?”)

This keeps us using social media (“what if I miss that important news story or fall behind what my friends are talking about?”)

But if we zoom into that fear, we’ll discover that it’s unbounded: we’ll always miss something important at any point when we stop using something.

 

There are magic moments on Facebook we’ll miss by not using it for the 6th hour (e.g. an old friend who’s visiting town right now).

There are magic moments we’ll miss on Tinder (e.g. our dream romantic partner) by not swiping our 700th match.

There are emergency phone calls we’ll miss if we’re not connected 24/7.

But living moment to moment with the fear of missing something isn’t how we’re built to live.

 

And it’s amazing how quickly, once we let go of that fear, we wake up from the illusion. When we unplug for more than a day, unsubscribe from those notifications, or go to Camp Grounded — the concerns we thought we’d have don’t actually happen.

 

We don’t miss what we don’t see.

 

The thought, “what if I miss something important?” is generated in advance of unplugging, unsubscribing, or turning off — not after. Imagine if tech companies recognized that, and helped us proactively tune our relationships with friends and businesses in terms of what we define as “time well spent” for our lives, instead of in terms of what we might miss.

 

Hijack #4: Social Approval

  

Easily one of the most persuasive things a human being can receive.

We’re all vulnerable to social approval. The need to belong, to be approved or appreciated by our peers is among the highest human motivations. But now our social approval is in the hands of tech companies (like when we’re tagged in a photo).

 

When I get tagged by my friend Marc (above), I imagine him making a conscious choice to tag me. But I don’t see how a company like Facebook orchestrated him doing that in the first place.

 

Facebook, Instagram or SnapChat can manipulate how often people get tagged in photos by automatically suggesting all the faces people should tag (e.g. by showing a box with a 1-click confirmation, “Tag Tristan in this photo?”).

 

So when Marc tags me, he’s actually responding to Facebook’s suggestion, not making an independent choice. But through design choices like this, Facebook controls the multiplier for how often millions of people experience their social approval on the line.

  

Facebook uses automatic suggestions like this to get people to tag more people, creating more social externalities and interruptions.

The same happens when we change our main profile photo — Facebook knows that’s a moment when we’re vulnerable to social approval: “what do my friends think of my new pic?” Facebook can rank this higher in the news feed, so it sticks around for longer and more friends will like or comment on it. Each time they like or comment on it, I’ll get pulled right back.

 

Everyone innately responds to social approval, but some demographics (teenagers) are more vulnerable to it than others. That’s why it’s so important to recognize how powerful designers are when they exploit this vulnerability.

  

Hijack #5: Social Reciprocity (Tit-for-tat)

 

You do me a favor, now I owe you one next time.

You say, “thank you”— I have to say “you’re welcome.”

You send me an email— it’s rude not to get back to you.

You follow me — it’s rude not to follow you back. (especially for teenagers)

We are vulnerable to needing to reciprocate others’ gestures. But as with Social Approval, tech companies now manipulate how often we experience it.

 

In some cases, it’s by accident. Email, texting and messaging apps are social reciprocity factories. But in other cases, companies exploit this vulnerability on purpose.

 

LinkedIn is the most obvious offender. LinkedIn wants as many people creating social obligations for each other as possible, because each time they reciprocate (by accepting a connection, responding to a message, or endorsing someone back for a skill) they have to come back through linkedin.com where they can get people to spend more time.

 

Like Facebook, LinkedIn exploits an asymmetry in perception. When you receive an invitation from someone to connect, you imagine that person making a conscious choice to invite you, when in reality, they likely unconsciously responded to LinkedIn’s list of suggested contacts. In other words, LinkedIn turns your unconscious impulses (to “add” a person) into new social obligations that millions of people feel obligated to repay. All while they profit from the time people spend doing it.

  

Imagine millions of people getting interrupted like this throughout their day, running around like chickens with their heads cut off, reciprocating each other — all designed by companies who profit from it.

 

Welcome to social media.

  

After accepting an endorsement, LinkedIn takes advantage of your bias to reciprocate by offering *four* additional people for you to endorse in return.

Imagine if technology companies had a responsibility to minimize social reciprocity. Or if there was an “FDA for Tech” that monitored when technology companies abused these biases?

  

Hijack #6: Bottomless bowls, Infinite Feeds, and Autoplay

  

YouTube autoplays the next video after a countdown

Another way to hijack people is to keep them consuming things, even when they aren’t hungry anymore.

 

How? Easy. Take an experience that was bounded and finite, and turn it into a bottomless flow that keeps going.

 

Cornell professor Brian Wansink demonstrated this in his study showing you can trick people into continuing to eat soup by giving them a bottomless bowl that automatically refills as they eat. With bottomless bowls, people eat 73% more calories than those with normal bowls and underestimate how many calories they ate by 140 calories.

 

Tech companies exploit the same principle. News feeds are purposely designed to auto-refill with reasons to keep you scrolling, and purposely eliminate any reason for you to pause, reconsider or leave.

 

It’s also why video and social media sites like Netflix, YouTube or Facebook autoplay the next video after a countdown instead of waiting for you to make a conscious choice (in case you won’t). A huge portion of traffic on these websites is driven by autoplaying the next thing.

  

Facebook autoplays the next video after a countdown

Tech companies often claim that “we’re just making it easier for users to see the video they want to watch” when they are actually serving their business interests. And you can’t blame them, because increasing “time spent” is the currency they compete for.

 

Instead, imagine if technology companies empowered you to consciously bound your experience to align with what would be “time well spent” for you. Not just bounding the quantity of time you spend, but the qualities of what would be “time well spent.”

 

Hijack #7: Instant Interruption vs. “Respectful” Delivery

 

Companies know that messages that interrupt people immediately are more persuasive at getting people to respond than messages delivered asynchronously (like email or any deferred inbox).

 

Given the choice, Facebook Messenger (or WhatsApp, WeChat or SnapChat for that matter) would prefer to design their messaging system to interrupt recipients immediately (and show a chat box) instead of helping users respect each other’s attention.

 

In other words, interruption is good for business.

 

It’s also in their interest to heighten the feeling of urgency and social reciprocity. For example, Facebook automatically tells the sender when you “saw” their message, instead of letting you avoid disclosing whether you read it (“now that you know I’ve seen the message, I feel even more obligated to respond.”) By contrast, Apple more respectfully lets users toggle “Read Receipts” on or off.

 

The problem is, while messaging apps maximize interruptions in the name of business, it creates a tragedy of the commons that ruins global attention spans and causes billions of interruptions every day. This is a huge problem we need to fix with shared design standards (potentially, as part of Time Well Spent).

 

Hijack #8: Bundling Your Reasons with Their Reasons

 

Another way apps hijack you is by taking your reasons for visiting the app (to perform a task) and making them inseparable from the app’s business reasons (maximizing how much we consume once we’re there).

 

For example, in the physical world of grocery stores, the #1 and #2 most popular reasons to visit are pharmacy refills and buying milk. But grocery stores want to maximize how much people buy, so they put the pharmacy and the milk at the back of the store.

 

In other words, they make the thing customers want (milk, pharmacy) inseparable from what the business wants. If stores were truly organized to support people, they would put the most popular items in the front.

 

Tech companies design their websites the same way. For example, when you want to look up a Facebook event happening tonight (your reason) the Facebook app doesn’t allow you to access it without first landing on the news feed (their reasons), and that’s on purpose. Facebook wants to convert every reason you have for using Facebook, into their reason which is to maximize the time you spend consuming things.

 

In an ideal world, apps would always give you a direct way to get what you want separately from what they want.

 

Imagine a digital “bill of rights” outlining design standards that forced the products that billions of people used to support empowering ways to navigate towards their goals.

 

Hijack #9: Inconvenient Choices

 

We’re told that it’s enough for businesses to “make choices available.”

 

“If you don’t like it you can always use a different product.”

“If you don’t like it, you can always unsubscribe.”

“If you’re addicted to our app, you can always uninstall it from your phone.”

Businesses naturally want to make the choices they want you to make easier, and the choices they don’t want you to make harder. Magicians do the same thing. You make it easier for a spectator to pick the thing you want them to pick, and harder to pick the thing you don’t.

 

For example, NYTimes.com lets you “make a free choice” to cancel your digital subscription. But instead of just doing it when you hit “Cancel Subscription,” they force you to call a phone number that’s only open at certain times.

  

NYTimes claims it’s giving a free choice to cancel your account

Instead of viewing the world in terms of availability of choices, we should view the world in terms of friction required to enact choices.

 

Imagine a world where choices were labeled with how difficult they were to fulfill (like coefficients of friction) and there was an FDA for Tech that labeled these difficulties and set standards for how easy navigation should be.

 

Hijack #10: Forecasting Errors, “Foot in the Door” strategies

  

Facebook promises an easy choice to “See Photo.” Would we still click if it gave the true price tag?

People don’t intuitively forecast the true cost of a click when it’s presented to them. Sales people use “foot in the door” techniques by asking for a small innocuous request to begin with (“just one click”), and escalating from there (“why don’t you stay awhile?”). Virtually all engagement websites use this trick.

 

Imagine if web browsers and smartphones, the gateways through which people make these choices, were truly watching out for people and helped them forecast the consequences of clicks (based on real data about what it actually costs most people?).

 

That’s why I add “Estimated reading time” to the top of my posts. When you put the “true cost” of a choice in front of people, you’re treating your users or audience with dignity and respect.

 

In a Time Well Spent internet, choices would be framed in terms of projected cost and benefit, so people were empowered to make informed choices.

  

TripAdvisor uses a “foot in the door” technique by asking for a single click review (“How many stars?”) while hiding the three page form behind the click.

Summary And How We Can Fix This

 

Are you upset that technology is hijacking your agency? I am too. I’ve listed a few techniques but there are literally thousands. Imagine whole bookshelves, seminars, workshops and trainings that teach aspiring tech entrepreneurs techniques like this. They exist.

 

The ultimate freedom is a free mind, and we need technology to be on our team to help us live, feel, think and act freely.

 

We need our smartphones, notifications screens and web browsers to be exoskeletons for our minds and interpersonal relationships that put our values, not our impulses, first. People’s time is valuable. And we should protect it with the same rigor as privacy and other digital rights.

 

Tristan Harris was Product Philosopher at Google until 2016 where he studied how technology affects a billion people’s attention, wellbeing and behavior.

 

For more information and to get involved, check out timewellspent.io. This piece is cross-posted on Medium.

  

MARCH 7, 2016 by TRISTAN HARRIS

Tech Companies Design Your Life, Here’s Why You Should Care

 


 

Four years ago, I sold my company to Google and joined the ranks there. I spent my last three years there as Product Philosopher, looking at the profound ways the design of screens shape billions of human lives – and asking what it means for them to do so ethically and responsibly.

 

What I came away with is that something’s not right with how our screens are designed, and I’m writing this to help you understand why you should care, and what you can do about it.

 

I shouldn’t have to cite statistics about the central role screens play in our lives. Billions of us turn to smartphones every day. We wake up with them. We fall asleep with them. You’re looking at one right now.

 

Of course, new technologies always reshape society, and it’s always tempting to worry about them solely for this reason. Socrates worried that the technology of writing would “create forgetfulness in the learners’ souls, because they [would] not use their memories.” We worried that newspapers would make people stop talking to each other on the subway. We worried that we would use television to “amuse ourselves to death.”

 


 

“And see!” people say. “Nothing bad happened!” Isn’t humanity more prosperous, more technically sophisticated, and better connected than ever? Is it really that big of a problem that people spend so much time staring at their smartphones? Isn’t it just another cultural shift, like all the others? Won’t we just adapt?

 

Invisibility of the New Normal

 

I don’t think so. What’s missing from this perspective is that all these technologies (books, television, radio, newspapers) did change everything about society, we just don’t see it. They replaced our old menus of choices with new ones. Each new menu eventually became the new normal – “the way things are” – and, after our memories of old menus had faded into the past, the new menus became “the way things have always been.”

 

ASK A FISH ABOUT WATER AND THEY’LL RESPOND, “WHAT’S WATER?”

Consider that the average American now watches more than 5.5 hours of television per day. Regardless of whether you think TV is good or bad, hundreds of millions of people spend 30% of their waking hours watching it. It’s hard to overstate the vast consequences of this shift– for the blood flows of millions of people, for our understanding of reality, for the relational habits of families, for the strategies and outcomes of political campaigns. Yet for those who live with them day-to-day, they are invisible.

 

So what best describes the nature of what smart phones are “doing” to us?

 

A New “Perfect” Choice on Life’s Menu

 

If I had to summarize it, it’s this: Our phone puts a new choice on life’s menu, in any moment, that’s “sweeter” than reality.

 

If, at any moment, reality gets dull or boring, our phone offers something more pleasurable, more productive and even more educational than whatever reality gives us.

 

And this new choice fits into any moment. Our phone offers 5-second choices like “checking email” that feel better than waiting in line. And it offers 30-minute choices like a podcast that will teach you that thing you’ve been dying to learn, which feels better than a 30-minute walk in silence.

 

Once you see your phone this way, wouldn’t you turn to it more often? It always happens this way: when new things fill our needs better than the old, we switch:

 

When cheaper, faster to prepare food appears, we switch: Packaged foods.

When more accurate search engines appear, we switch: Google.

When cheaper, faster forms of transportation appear, we switch: Uber.


 

So it goes with phones.

 

But it also changes us on the inside. We grow less and less patient for reality as it is, especially when it’s boring or uncomfortable. We come to expect more from the world, more rapidly. And because reality can’t live up to our expectations, it reinforces how often we want to turn to our screens. A self-reinforcing feedback loop.

 

And because of the attention economy, every product will only get more persuasive over time. Facebook must become more persuasive if it wants to compete with YouTube and survive. YouTube must become more persuasive if it wants to compete with Facebook. And we’re not just talking about ‘cheap’ amusement (aka cat videos). These products will only get better at giving us choices that make every bone in our body say, “yeah I want that!”

 

So what’s wrong about this? If the entire attention economy is working to fill us up with more perfect-feeling things to spend time on, which outcompete being with the discomfort of ourselves or our surroundings, shouldn’t that be fantastic?

 


 

Clearly something is missing from this picture. But what is it?

 

Maybe it’s that “filling people up,” even with incredible choices on screens somehow doesn’t add up to a life well lived. Or that those choices weren’t what we wished we’d been persuaded to do in the bigger sense of our lives.

 

With design as it is today, screens threaten our fundamental agency. Maybe we are “choosing,” but we are choosing from persuasive menus driven by companies who have different goals than ours.

 

And that begs us to ask, “what are our goals?” or how do we want to spend our time? There are as many “good lives” as there are people, but our technology (and the attention economy) don’t really seem on our team to give us the agency to live according to them.

 

A Whole New Persuasive World

 

And it’s about to get a lot worse. Virtual Reality and Augmented Reality will offer whole new immersive realities that are even more persuasive than physical reality.

 


 

When you could have sex with the person of your dreams, or fly through jungles in the Amazon rainforest while looking over at your best friend flying next to you, who would want to stick with reality?

 

By the way, this isn’t your usual “look, VR is coming!” prediction. This is the real deal. Facebook recently spent $2 billion to buy Oculus Rift, and hopes to put them in every home for this holiday season. Just like the late 1980’s when suddenly everyone you knew had a Nintendo.

 

Acknowledging the Problem

 

So we have a fundamental misalignment– between what the attention economy is competing to produce (more perfect, persuasive choices that fit into any moment), the design of our phones, and the aspirations people have for their lives (their definition of “the good life”).

 


 

So what’s missing from the design of our phones? I like to use the metaphor of ergonomics. When you think of ergonomics, you might think of boring things like how a cup fits into someone’s hand, but it’s way more than that.

 

If regular design is about how we want things to work, ergonomics is concerned with failure modes and extremes: how things break under repetition, stress or other limits. And the goal of ergonomics is to create an alignment between those limits, and the goals people have for how they want to use it.

 


 

For example, an ergonomically designed coffee mug aligns the natural fatigue of forearm muscles during use (as a person “lifts” it to sip) with how frequently people want to use it, so they still can lift it successfully with repetition.

 

What does this have to do with phones?

 

Our minds urgently need a new “ergonomics,” based on the mind’s limited capacities, biases, fatigue curves and the ways it forms habits. The attention economy tears our minds apart. With its onslaught of never-ending choices, never-ending supply of relationships and obligations, the attention economy bulldozes the natural shape of our physical and psychological limits and turns impulses into bad habits.

 

Just like the food industry manipulates our innate biases for salt, sugar and fat with perfectly engineered combinations, the tech industry bulldozes our innate biases for Social Reciprocity (we’re built to get back to others), Social Approval (we’re built to care what others think of us), Social Comparison (how we’re doing with respect to our peers) and Novelty-seeking (we’re built to seek surprises over the predictable).

 

Millions of years of evolution did a great job giving us genes to care about how others perceive us. But Facebook bulldozes those biases, by forcing us to deal with how thousands of people perceive us.

 

This isn’t to say that phones today aren’t designed ergonomically, they are just ergonomic to a narrow scope of goals:

 

for a single user (holding the phone)

for single tasks (opening an app)

for individual choices

And a narrow scope of human physical limits:

 

how far our thumb has to reach to tap an app

how loud the phone must vibrate for our ear to hear it

So what if we expanded the scope of ergonomics for a more holistic set of human goals:

 

a holistic sense of a person

a holistic sense of how they want to spend their time (and goals)

a holistic sense of their relationships (interpersonal & social choices)

an ability to make holistic choices (including opportunity costs & externalities)

an ability to reflect, before and after

…and what if we aligned these goals with a more holistic set of our mental, social and emotional limits?

 

A New Kind of Ergonomics

 

Let’s call this new kind of ergonomics “Holistic Ergonomics”. Holistic Ergonomics recognizes our holistic mental and emotional limits [vulnerabilities, fatigue and ways our minds form habits] and aligns them with the holistic goals we have for our lives (not just the single tasks). Holistic Ergonomics is built to give us back agency in an increasingly persuasive attention economy.

 

Joe Edelman and I have taught design workshops on this, calling it EmpoweringDesign.org, or designing to empower people’s agency.

 

It includes an interpersonal ergonomics, to “align” our social psychological instincts with how and when we want to make ourselves available to others (like in my TED talk), so that we can reclaim agency over how we want to relate to others.

 

Just like an ergonomic coffee mug is safe to live by, even under repetition, over and over again, without causing harm to ourselves or others, in a Time Well Spent world our phones would be designed with Holistic Ergonomics, so that even under repetition, over and over again, our phones do not cause harm to ourselves or others — our phones become safe to live by. They support our Agency.

 

How to Change the Game

 


 

Right now, two companies are responsible for the primary screens that a billion people live by. Apple and Google make the two dominant smartphone platforms. Facebook and Microsoft make leading Virtual and Augmented Reality platforms, Oculus and Hololens.

 

You might think that it’s against the business models of Apple and Google to facilitate people’s agency, which might include making it easier to spend time off the screen, and use apps less. But it’s not.

 

Apple and Google, like all companies, respond to what consumers demand.

 

When Privacy became important to you, they responded. They developed new privacy and security features, and it sparked a whole new public conversation and debate. It’s now the most popular concern about technology discussed in media.

 

When Organic food became important to you, they responded too. Walmart added it to their stores.

 

We need to do the same thing with this issue. Until now, with this experience of distraction, social media, and this vague sense that we don’t feel good when we use our phones for too long, there’s been nothing to rally behind. It’s too diffuse. We receive so many incredible benefits from tech, but we’ve also been feeling like we’ve been losing ourselves, and our humanity?

 

But we’re naming it now.

 

What’s at stake is our Agency. Our ability to live the lives we want to live, choose the way we want to choose, and relate to others the way we want to relate to them – through technology. This is a design problem, not just a personal responsibility problem.

 

If you want your Agency, you need to tell these companies that that’s what you want from them– not just another shiny new phone that overloads our psychological vulnerabilities. Tell them you want your Agency back, and to help you spend your time the way you want to, and they will respond.

 

I hope this helps spark that bigger conversation.

 

www.tristanharris.com/essays/

via

 

>> ANNOUNCER: Please welcome Katie Moussouris and Chris Wysopal.

>> KATIE MOUSSOURIS: Good morning! And thank you all so much for joining us on this early morning on the last day of RSA. We are so happy to be here today. Today we’re going to talk to you about Coordinated Vulnerability Disclosure: You’ve Come a Long Way, Baby. But first, we want to get through some vocabulary because we’ve seen a lot of words in this space used interchangeably and it turns out words matter. Before we have this discussion weaving in some history with some current data about vulnerability disclosure, we really wanted to settle on some terms. What is vulnerability disclosure in the first place? Well, it is the process by which you receive a vulnerability report from the outside, decide to do something with it or not, and then release guidance or a patch or something. That process is governed by two ISO standards that Art Manion from CERT/CC and I co-authored and co-edited. Those are ISO 29147 and ISO 30111. Think of 29147 as the mouth, and the other end, and 30111 as the digestive system of the bugs. That’s vuln disclosure. Penetration testing, on the other hand, is inviting professional outside hackers to take a look at your security controls, try to find some vulnerabilities, and really ideally tell you how to fix them and prevent them in the future. That’s done under contract under NDA and it’s a profession that WeldPond, I mean Chris Wysopal and I both started out in a long time ago at the very beginning of the penetration testing industry about 20 years ago. Finally, we’ve got bug bounty programs. A lot of people use them interchangeably with pen testing. And a lot of people try to put non-disclosure agreements on bug bounties, which is a little funny because it’s sort of a blend between coordinated vuln disclosure where people were reporting bugs for free and waiting to get them fixed and penetration testing where you get paid for bugs.
But even some of the bugs that are deemed out of scope in some of these bug bounty programs are not allowed to be released. It’s a little bit like asking someone to work for the exposure without the exposure. Now that we’ve got the terms right, we’re going to go into some data.

>> CHRIS WYSOPAL: Veracode conducted a study last year on coordinated vulnerability disclosure. We worked with 451 Group to shape the study and actually execute the survey with respondents. And we wanted it to be broad enough that we weren’t just talking to software companies or just talking to researchers. We wanted to talk to people that were in charge of information security at organizations. We wanted to talk to professional penetration testers and infrastructure security people. It was fairly broad. There were about 1,000 participants in Europe and in the United States. And there was a requirement that you actually had to have a medium to high awareness of vulnerability disclosure policies. You had to have some knowledge about it in order for your opinion to be valid. On the slide there, you’ll see that’s actually the link to the full study, but we’re going to be picking out some of the interesting data from the survey and sharing it with you today.

>> KATIE MOUSSOURIS: Well, first, let’s start with a little history. When Chris asked me to do this talk with him, we were trying to think back of how long we’ve known each other. We don’t remember, so it’s been that long. Since we have been through some of the evolutionary, core evolutionary points, and sometimes driven some of them ourselves along with our friends and colleagues, we thought we would give you a little piece of history.

>> CHRIS WYSOPAL: Yeah. Some of these learning experiences are what drove modern day coordinated vulnerability disclosure. You sort of had to learn along the way. One of those learnings was doing disclosure without coordination. There was a time before CVD that vulnerability researchers would just publish things to mailing lists like Bugtraq.
I was part of the L0pht back in the ’90s and we did quite a bit of vulnerability research and publishing of research. The only thing in the ’90s that really existed, especially in the early to mid ’90s, that existed that even approached coordination was sending an email to CERT and giving them the vulnerability information and saying can you contact the vendor? CERT would happily take the vulnerability information and say, yes, we’ll contact the vendor, and that was the end of the process. You didn’t hear from them again. You didn’t know if the vulnerability got fixed, what version it got fixed in. You didn’t know when you could start talking about it. Maybe the bug had already been fixed. It wasn’t really coordinated. We tried that a little bit at the L0pht and we decided that, you know, that didn’t really help the general public understand that their software was vulnerable, that kind of process. We would just publish the things publicly. So in November ’97, Dildog, or also real name Christien Rioux, my cofounder at Veracode, was part of the L0pht, and he found a particularly interesting remote code execution bug in IE4 where he could generate a link, put it on a webpage, and if someone clicked on that, you could execute code on their machine. He published this with a proof of concept code so other people could understand it. This was actually kind of a new kind of vulnerability. Now we understand these pretty well now. And one of the fun things that he did was he created a proof of concept on the L0pht.com website. I don’t know if anyone remembers back in ’97, Intel Pentium had a bug where if you executed the F00F instruction, it locked up the CPU. We did a really simple proof of concept. We actually called it the FOOF of concept because it was F-O-O-F, and you could click on a link on the Veracode page if you were running IE4 and it would lock up your whole machine. We put a lot of warnings around that. This kind of got in the press and people were like look at this, IE4 is vulnerable.
For the first time, Microsoft actually reached out and sent us an email to our contact address and said, you know what, guys, if you send us the vulnerability information before releasing it to the public, we’ll fix it and we’ll get back to you when we fix it, and then you should release the information. We said, you know, if you’re really going to fix it and get back to us and tell us you fixed it and you have no problem with us releasing the information after you’ve fixed it, then let’s try that. Right? Let’s try that. That was really kind of the birth of coordinated vulnerability disclosure at least between the L0pht and Microsoft. It was also the birth of the first haiku published in a vulnerability report. I believe Dildog wrote “Microsoft IE. Is there no security? Not if you ask me.” A little bit of a poet also. But then after that incident, people started to do a little bit of this coordination, but it was very ad hoc. It was kind of like you had to come up with an agreement with each vendor, like what would a vendor accept? And, really, only Microsoft was one of the only ones sophisticated enough to do this. Rain Forest Puppy, that was his actual hacker name, so everyone called him RFP because that’s quite a mouthful, was finding a lot of vulnerabilities and reporting them, and he took it upon himself to say I want to have a rules of engagement that when I send a vulnerability to a vendor what my expectations are. He codified that up in what he called RF policy. One of the first things he put in there that was really kind of a breakthrough was I’m going to give you X number of days to fix it or I’m going to go ahead and release anyway. I’m not sure how many days, if you remember how many days it was.

>> KATIE MOUSSOURIS: I think originally it was five and then he bumped it up to 30.

>> CHRIS WYSOPAL: Five is kind of short. We’re going to talk about timeframes, too.
And then a further evolution of that was, in 2000, I got together, Steve Christey, who is the father of CWE – I think he might be the grandfather because CWE has children now – he came to me and said, you know, Chris, why don’t we actually make a real standard around this? Why don’t we submit an RFC to the IETF and actually have something that is documented that you can point to and it is not just something that a security researcher did; a standards body actually accepted it. A couple things happened that it didn’t go very well. One thing was the IETF thought this was kind of a hot potato and just didn’t want to deal with it. They said it is not in our purview. We don’t want to deal with this kind of standard. The second problem was when we released the standard, we called it the responsible disclosure policy. In hindsight, that was a mistake because that word responsible is very loaded, and the fact that it was a modifier on the word disclosure kind of meant that the researcher, if they weren’t going to follow this policy, could be deemed irresponsible.

>> KATIE MOUSSOURIS: Yeah. Unfortunately, it became a tool and a hammer that is still used today to essentially intimidate researchers into doing what the vendor thinks is the right thing. Reasonable people will disagree about the best way to protect users. Sometimes the researchers find that waiting forever is not actually the best way to protect users. This next story is one where Chris and I had worked on the disclosure of an issue that I and my boyfriend at the time had found. How many of you have seen this Lexar JumpDrive thing? Right? This is a little USB drive. And at the time, they had a regular jump drive and then they had one that was branded as secure. The advertising basically said that if this drive were out of your possession, because you have the capacity to secure a partition of it with a password and it’s encrypted, that it is safe even if it gets lost. Right?
That was their security model, which they promptly broke by their implementation. My boyfriend at the time, Luis Matos, and I took a look at this thing. We attached a debugger to the application that came with the drive that would partition it for you and allow you to set a password. Well, this isn’t the real dump of the memory there, but you can imagine. The application itself did the work for us. All we needed to do was set a password and then come into the application again with the debugger attached and we could see that the application helpfully decrypted the stored password for us, showed it to us in clear text in memory, so any password attempt with the debugger attached, you’d be able to see the stored password and then just subsequently get in. Obviously, this was a problem. We tried to follow our vulnerability disclosure policy because, at the time, we were both the artists formerly known as AtStake, you know, early application security penetration testers. We had a policy for disclosure based largely on RF policy. And so we attempted contact through every means we could. I think we skipped faxing them, but we did everything else. We even called them. We exceeded our own timeframe for what we would normally wait, which was 30 days. We kept giving them chances to just say anything. Nothing at all. So we did what we were going to do. Chris’ role in all of this was to help us coordinate this vulnerability and make sure that we were also following the company’s policy which we had set ourselves as researchers. But, you know, also to gut check us when it was like, look, these guys haven’t even acknowledged our email or phone calls or other emails or other phone calls. How long are we going to give them? Forever? Probably not. What we did was we dropped Zero-day. Right? We did redact some of the details. We didn’t release any proof of concept, but we still wanted users to be protected and understand that this thing, it doesn’t do what it was marketed to do.
We wanted people to understand that if the drive were lost and outside of their possession that someone could actually see their encrypted data. I don’t speak any other human languages. But as soon as that advisory dropped, we got phone calls and there were swear words that I had never heard in my entire life. What’s funny about this is some of the very same people who were on those email lists were coming back at us saying I don’t understand how you can call yourselves responsible when you did this. And we thought, well, you could have just answered our email. We told you what our policy was, and we gave you all this time. But I guess they figured that if they just ignored it, it might go away. Unfortunately, there is a lot of that still going on, but hopefully some of this data is going to show that things are going to get better. Here is some of the data from the Veracode report they did with 451 Research. This is sort of — of the respondents, these are the actions that researchers take now. What’s good about it is that the majority of researchers actually report vulnerabilities to the affected vendor, they try to do it in a coordinated way, either directly through a coordinator at like CERT/CC or through a bug bounty program. But, you know, you can see 9% of them do release the vulnerability to the public. For us, that was a last resort – last, last resort, and hackers still have to do this today.

>> CHRIS WYSOPAL: I mentioned a little bit about the timeline issue that was really introduced in RF policy. This is probably the thing that is still the most controversial part of any kind of CVD. I think most of the other aspects of CVD we’ve learned lessons of the past, but the timeframe issue still becomes a challenge. I think the biggest reason is there is a vast diversity in technology and capability to fix things.
Think of a SaaS company where they control both building the software and deploying the software, and a lot of times SaaS companies are working with a release schedule that’s agile or DevOps, which could be days or weeks. A lot of SaaS companies can fix a security bug and push it out in a few days and it’s not even that much burden on them. All the way on the other end of the spectrum, you have things that are deployed in hardware, right, where you have – someone might have to actually physically go and use arcane processes to patch things. They’re on systems that don’t get updated very often. Maybe they haven’t been updated in years, so it’s difficult for the vendor to update and go through the testing process. You could see how that might take a few months to do that, even if you’re working hard on it. We asked the survey — we asked our participants what they thought was a reasonable timeframe, and you can see the majority are in that sort of 30 to 60 days, or less than 30 days. So people think maybe 60 days is kind of a good timeframe. But there’s 8% that think that we should wait until the vendor fixes it. You should just keep waiting until that happens. I want to do a couple of shows of hands here to see what people think. My first question is, if you could raise your hand if you agree, how many think vendors should be able to ask the researcher for more time and the researcher respects those requests? How many people think that? About a third of the group, maybe. I have a second question here. How many agree that vendors should be given less than 30 days to fix a vulnerability? Thirty days is enough time? Show of hands.

>> KATIE MOUSSOURIS: There’s two, three, four people in this audience.

>> CHRIS WYSOPAL: Maybe five. So, yeah, not many people think 30 days is reasonable.

>> KATIE MOUSSOURIS: Okay. So how many agree with the tenet that one must never disclose vulnerability details if there is no fix available? Oh, there are a couple of those. Okay. All right.
No, raise your hands if you’re proud about that. All right. And then how many of you know that even Microsoft has dropped Zero-day? Really? Okay. There we go.

>> CHRIS WYSOPAL: Some people know.

>> KATIE MOUSSOURIS: Some people know. I created Microsoft Vulnerability Research back in 2008 to assist with the multiparty vulnerability coordination of Dan Kaminsky’s DNS world-ending internet fire — dumpster fire bug. One of the things that was interesting about that process was bringing together different vendors who had to implement a change and ideally coordinate their release altogether. In that process, Microsoft was the slow one in that group and we had to work to persuade the other vendors to please hold their patches so that we could get ours ready. But in other cases, certainly we would see things where we were worried about — we as Microsoft at the time — were worried about our customers’ safety. And especially if we saw evidence of exploitation in the wild of a vulnerability we found using our telemetry, then it was absolutely appropriate for us to release details. There is another case back in 2010 when Active Template Library, which was compiled into every single ActiveX control that was made at the time, had a vulnerability in it. We could fix the library, but every single ActiveX control that hadn’t been recompiled would still be vulnerable. How to deal with all of those secondary affected vendors? Well, we chose the top 10 or 15 vendors with the biggest overlapping customer base to Microsoft to try and protect as many customers as possible. We let them into the multiparty vulnerability disclosure circle, gave them the updated library, so that on the day we released it, they could release their updated ActiveX controls at the same time. Trust me, one of those was Facebook and their affected ActiveX control component was written by some dude in Romania and I had to call him up on the phone and say, yeah, so there’s a problem in the library and it causes this.
He said, well, we don’t use that library. It was a challenge all around. But that was the order of operations that we did. Only those vendors of all of the affected vendors got pre-disclosure and we dropped 0-day on everybody else. Couldn’t be helped. Sentiment has changed over the years. Right? This is also data from the survey. Ninety percent of respondents, and that’s on any side of the vulnerability disclosure equation, actually view vulnerability disclosure as something of a public good. This sentiment has grown over time and that’s a positive thing. Right? And then the majority of them, which is interesting, think that you do not need permission to go ahead and test and find a vulnerability. That gets interesting because, as you know, there are a lot of laws having to do with hacking, not just the Computer Fraud Abuse Act in the United States, CFAA, or the DMCA, but also there are increasing numbers of data protection and privacy laws which gets complicated. Right? You’re thinking to yourself, well, can’t we just have a bug bounty or a vuln disclosure program, make them sign NDAs and all of this stuff, well, and avoid a data breach if they find data or encounter data before asking for permission and before asking for authorization. That turns out to not really work out. Right? It is not the equivalent as hiring a penetration testing company which is then acting as an extension of your own organization. Even if you find all of the data that’s protected classes of data, it is still not categorized as a breach because, ideally, your company in hiring the pen test company has vetted that they have appropriate data segmentation and that they will destroy any data and all of that. When I was the first pen tester of the Gates Foundation and I got Warren Buffett’s Social Security Number, if he’s watching, eventually, I don’t still have it. Okay? Because we got rid of it. Now, what happened recently, in recent history?
This is pictures of me testifying before Congress in the Uber data breach case that their bug bounty program paid $100,000 to extortionists and made them sign an NDA to say they were going to delete the 57 million records they had downloaded and tell no one of what had happened. Now, Congress was obviously interested in Uber’s handling of this because Uber had already been in trouble with the FTC for a different data breach. So they were in trouble. And what was interesting about it was the researchers themselves, you know, they thought, well, we complied with the NDA. We got our money through this bug bounty program. And they tried the same thing on another company. They were promptly indicted. It goes to show that things right now are complicated. Asking for permission ahead of time is still the safest thing. But the survey respondents, you know, certainly thought that a lot more could be done without asking for permission. Well, okay, so what happens when CVD goes mainstream, which is kind of where we are today? Ideally, you have got a bunch of friendly folks coming and reporting vulnerabilities to you. What could possibly go wrong? Remember I said that digestive system of bugs is pretty important? Well, it turns out it’s especially important if you start dangling money in front of that equation and doing a bug bounty.

>> CHRIS WYSOPAL: In the timeframe 2005 to 2010 and a little beyond, we start seeing bug bounties crop up at a lot of the larger companies. They got used to the coordinated vulnerability disclosure, so now they want to sort of turn on the faucet a little bit more and actually incent people outside researchers to come in. At Veracode, we wanted to do an infographic to kind of explain who has bug bounty programs, what is a bug bounty program, just to publicize things, and we came up with this fun graphic. And, actually, the original graphic did not have Microsoft on it because Microsoft didn’t have a bug bounty program until June of 2013.
We had created this a couple of years earlier. But when Microsoft came out with a bug bounty program, it was such a big event because they’d held off for so long and they were the largest software company, we updated our infographic. You can see here in the bottom left there we put a new knight in shining armor, I guess, to represent Microsoft, and then promptly we got an email from this lady over here.

>> KATIE MOUSSOURIS: Since Microsoft had publicly said that they would never pay for vulnerability information, their executives had gone on the record, and I, of course, was diligently working inside as only a hacker does changing hearts and minds and trying to create a viable process for Microsoft, when this thing finally launched, it had taken three years of hard-won economic research, game theory research, all of these things to be able to shape the funnel that was already the biggest funnel in the world for intaking vulnerabilities. Over 200,000 non-spam email messages a year come in to secure at Microsoft. You can understand why they would have said, please, no more. We’re good. We don’t need to add money to this equation. I was quite upset that a white man was used to represent what I had created through flesh, bones, and tears, so I sent them an updated graphic that I made myself.

>> CHRIS WYSOPAL: And we did update the graphic, of course. What is that graphic, Katie?

>> KATIE MOUSSOURIS: I mean, I think I’m a wizard, Harry. But here is the thing. You might be confused by the hair color on that, that it doesn’t match my current hair color, but the internet’s memory is that of a goldfish. I’ve only had pink hair for three years. That was my natural hair color with a little blue streak in it and it was an accurate representation of who was really behind the Microsoft bug bounty. Representation matters. I made sure of it. And these guys had a great sense of humor with my, I don’t know, really, really bad photoshop — photoshopping of their infographic.
Let’s talk about these Microsoft bug bounties. I said it was hard-won. Well, you know, years of preparation, all these studies, going up my chain of command. My chain of command certainly didn’t want to handle more than 200,000 email messages a year as it was. Right? I think 2008 was the year that Popular Science called Microsoft security grunt in the top ten worst jobs in science. We were between like elephant vasectomist and whale feces researcher. We were right in there. And it was true. Right? Why tempt fate and get more bugs potentially when we could get all these bugs for free, high-quality bugs, bugs that could go for hundreds of thousands of dollars on the offense market at the time? Well, what you’re looking at here is, on the left, you see the graph. That was the actual slide and the actual data that was used by me to convince the head of Internet Explorer at the time to pay for his own bugs. And what you’re seeing there is, in the white graph, that is the actual number of bugs we received during the IE10 beta period. The big old white spike is the spike of submissions we got after the beta period was closed. Now why would these friendly hackers do this to us? It was kind of the worst time ever to hear about it. Clearly, they were doing research the whole time. But remember, at the time, there were no bug bounties, and so the only thing they could get was a hope at 12-point Arial font and their name in a bulletin. Right? That was credit. And so what I said was, look, we could shape the traffic if we put a bug bounty at the beginning of the IE11 beta period and we projected that we would get the majority of the bugs at the beginning. That maximizes success for everybody. You know, a little bit of money, put their name up in lights on our webpage, get it fixed during the beta period, hopefully identify other related issues and fix those, too. I mean, it was pretty much win, win, win. And then the customers would have less to patch once the actual code was released out of beta.
We got 18 bulletin class vulnerabilities for a total expenditure of about $28,000. It was a huge success. What you see on the right is a giant check because James Forshaw, the recipient of the very first $100,000 mitigation bypass bounty, had told me that he envisioned me surprising him on stage at Blue Hat with a giant check. We called it James and the giant check, and we gave him a giant check on stage, a novelty check which somehow disappeared afterwards. How do you lose one of those things? But here is the thing. We all work for a complementary set of motivations. Right? It is a blend of motivations, compensation, recognition, pursuit of intellectual happiness. The recognition part was actually tied to compensation in a lot of cases. Right?

>> CHRIS WYSOPAL: When we were at AtStake and, you know, we’re a small consulting company, I had to convince our CEO that having a vulnerability disclosure policy, continuing to do vulnerability research and publish it, even publish it if the vendor didn’t respond and didn’t fix it, you can imagine how those conversations went. He’s like what is the benefit, what is the benefit to AtStake to do this? I remember having conversations with our CEO, and the thing that really kind of flipped him over the side was the 12-point Arial font. I said, look, Microsoft and their webpage is going to thank — I’m going to say Veracode again — an AtStake researcher by name and it’s going to say from AtStake. They’re going to recognize that we’re contributing to securing Microsoft’s customer base. He said, okay, that makes sense. If they’re going to give us that recognition, then I think that it’s acceptable that we do that. Without that little 12-point font, we probably wouldn’t have been able to even do the vulnerability research and release it.

>> KATIE MOUSSOURIS: It was not just good for business. It was good for recruiting.
It meant that if you came to work with us, you could continue your research and get it published and that we weren’t all going to be just doing pen testing under NDA and that you would never be able to develop your career if you came to work with us. It was super important. Now, is going to talk about another disclosure event that he had the privilege of helping to coordinate.

>> CHRIS WYSOPAL: Yeah. I was involved on the researcher side of the Facebook bug bounty, and this time it was actually with another woman and that woman happened to be my daughter. My daughter was interning at Veracode when she was in college. I think this was about five years ago or six years ago. She said we have these Hack-a-thons at Veracode twice a year where people would team up together in groups and write some software, figure something out, maybe do some security testing. She came to me and said, Dad, let’s do one together. I said that’s a great idea. What do you want to do? She said let’s find a vulnerability in a popular website. I said, okay, that sounds like fun. She was actually a political science major, by the way. She wasn’t an engineer. And so I said what website do you know a lot about? What website do you know how to use, you know the functionalities? She said I know a lot about Facebook. I had these visions of teaching her how to use a web proxy, showing her how to look at JavaScript and all this. She just went off on her own and did her own thing. Right? I didn’t actually do – I got busy and I didn’t do any testing. She came up with the idea that there was a recently implemented feature in Facebook where you could block a user, then you wouldn’t see that user anymore. They couldn’t interact with you. They couldn’t post. They couldn’t see anything you were doing. She said, well, let’s see if they implemented it in all the places that you would because there’s all kinds of little edge cases around user interaction.
She’s going through, looking through all the places in Facebook where users interact, and she finds out that after you block a user, they can still send you a message through Facebook Messenger, which seems kind of odd. Right? Like how could they miss that? We reported the bug to the bug bounty program, and they came back and said, well, we did some testing and we actually found that it takes 24 hours for messages to start to get blocked. Because they eventually get blocked, we don’t see this as a bug. We’re not going to pay you a bounty. Have a nice day.

>> KATIE MOUSSOURIS: Bye-bye.

>> CHRIS WYSOPAL: I have a little bit of experience with reporting bugs to big companies and I said, you know what, I think what you should write back is if you don’t consider it a bug, then you have no problem with us writing a blog post about what we did to find this and the problem that’s there. They came back the next day and said, actually, we’re going to fix it. We consider it a bug. My daughter got $1,100 bug bounty out of it, which was pretty awesome. One of the things I learned by doing this, and I have to give kudos to Facebook, not only for actually fixing the bug, but they had set up a separate instance of their software where security researchers could look for problems without potentially impacting the live site and the live — and the privacy of other users because a lot of things are going to be authorization problems. Right? Think of how complex the authorization is in Facebook. I can’t even imagine. But you could actually get at private data. Their bug bounty program rules say go ahead and interact with the test instance, not the live instance. But Katie is going to tell us why that is, why there is that second instance. How do they come up with this idea?
>> KATIE MOUSSOURIS: Well, you know, back in 2013, a researcher had submitted a bug where you could post on another user’s page who didn’t allow posting from non-friends and basically tried to report it, but there was a little bit of a language barrier issue. And so the triage team there at the time at Facebook closed it and said, you know, sorry, come back with more information or something that we can kind of take action on. That was closed in error. Right? So the researchers said, well, I didn’t do a good enough job of explaining it. Let me just post on Mark Zuckerberg’s page to show. Right? That happened. And, of course, they said, ah, yes, that is a bug. But because the terms of their program — and they did not yet have this separate test instance – the terms of their bug bounty program said we’ll thank you, but if you violate another user’s privacy without their permission, then we’re not going to pay a bug bounty. The internet became outraged and crowdfunded this guy. I think it ended up at over $12,000 of a bounty. With that black eye of triage implementation, Facebook decided that, you know what, they do want the bugs, they do want to know about privacy violating bugs, but they don’t want to risk anyone Zucking it up again, so they decided to make this other instance. Things really, really improved that way. But a lot of organizations don’t have that massive capability to throw up another instance and all of that and really model and keep in sync two versions. While that’s a great idea, sometimes it is harder to implement. Now, let’s talk for a minute about hard to implement bug bounty programs. How many of you have heard of Hack the Pentagon? Okay. I hope some of you have heard of Hack the Pentagon.
When I was at Microsoft, you know, I was giving talks about the thinking that went into the creation of the Microsoft bug bounty programs, and one was a guest lecture I got to do at MIT Sloan School, Harvard Kennedy School, and sitting in that small room was my friend Michael Sulmeyer, Sultan of Cyber on Twitter. Great Twitter handle. He actually was, at the time, the Director of Cybersecurity Policy for the Office of the Secretary of Defense. And so that was the first time I was invited to the Pentagon. I was pretty excited. Over the years, they had a lot of questions about implementation. How do you take a complex organization that was having trouble keeping up with the vulnerabilities they already knew about and experiment with doing some of this interactive research coordinated vuln disclosure with hackers? When they called me up right before RSA, I think it was about four years ago, they said, good news, we’re ready to do a bug bounty. I said why are you starting with a bug bounty? I just told you you need to start with vuln disclosure. They said, well, you know, we think it’s going to be a really nice way to show off the new digital defense service and we’re being more agile in adopting outside technologies and best practices. There we had it. Hack the Pentagon. We launched it in April of 2016, and, my goodness, have things changed. So I’m going to call your attention to a little bit of data here. One, when we launched it, you know, they were cautious, and they wanted people to preregister and they had to be U.S. taxpaying persons. They could be U.S. citizens or somebody authorized to receive money in the United States. You had to preregister if you were interested and give your Social Security Number. You can imagine, there was a lot of paranoia. But what was funny about it was a lot of the hackers were like I’m not going to give the government my Social Security Number. I’m like, psst, hey, they gave you that number. It’s like but they don’t know my real name.
I went, no, that’s not how that number works. Anyway. But they don’t know I’m a hacker. You’re tweeting about it right now. Luckily, after sending out a few tinfoil hats and reminding hackers that, hey, at least you’re good at hacking, an overwhelming number of hackers preregistered. We were hoping for a few hundred. We got over 1,400. But look at the cruelty that we imposed upon ourselves. Number one, never start a bug bounty program at midnight. Do not do because we received the first vulnerability report at 13 minutes past the hour. Also, that number of researchers and that target that hadn’t really been hit by outsiders before, there were a lot of duplicate reports. Look at the signal to noise. Not so good. The number of reports received versus valid bugs, not a great number. What did we do in the second instance, which was Hack the Army? One, we didn’t just launch Hack the Army alone. We also launched it at the same time as what I told them to do in the first place, which is the vulnerability disclosure program for all of DoD. And so those launched in November of 2016. And you notice the numbers. The signal to noise is a lot better. We also started it at noon. Civilized. But we capped the number of researchers, and that was basically just to manage the influx of traffic to not make the DoD triage team’s job as bad as whale feces researcher or et cetera. It couldn’t have continued, really, without the ongoing coordinated vulnerability disclosure program because people were excited that they were finally able to, if they see something, say something to the United States government. It was previously illegal, and they would have definitely been considered for prosecution, if not actually prosecuted. What do researchers expect?

>> CHRIS WYSOPAL: Now we’ll talk a little bit about bug bounty programs. I want to remind everyone that there is still a lot of coordinated vulnerability disclosure that’s going on that’s not part of a bug bounty program. Back to some data here.
What are researcher expectations? If you look down there towards the bottom, I expect payment for my services is only 18% of researchers responded with that data. If you look at the top, the things that they said were checked off as their expectations, they’re all around making sure that bug gets fixed. That’s really the motivation here. They expect to be told when it’s fixed. They expect regular updates on the correction of the vulnerabilities. They kind of want to know are you working on it or are you just blowing me off? They expect the timeframe, right, that’s not — they don’t want it to take forever. They expect it to be — they found the flaw; they want you to fix it and protect your users. This one was surprising, 37% said I want to be able to validate the fix. I thought that was quite interesting that there was an expectation that they would be given an opportunity to validate the fix. Over a third said that. And then the other thing that was actually surprising, it’s down there at 16% towards the bottom, is I expect recognition. There wasn’t really a lot of researchers who even wanted the recognition, but they all expected it to be fixed in a timely way and to be told and updated about the process.

>> KATIE MOUSSOURIS: Right. The most attractive incentives, it turns out, is having a friendly open front door, not threatening legal action, and actually fixing the bug. Amazing. Human nature.

>> CHRIS WYSOPAL: Shocking.

>> KATIE MOUSSOURIS: Who would have thought? So 47% of the participants had actually worked with bug bounties, and that’s either on the receiving end or on perhaps having to implement a fix or actually participating in hacking and bug bounties themselves. While the majority in the survey thought, yes, this is a useful way to leverage, you know, security research and everything, which is great, over a third of them didn’t have such a rosy experience. That 26% tried it, didn’t like it, didn’t meet expectations. Right?
And that could be on either side of the equation because of the breadth of the security respondents. And 7% really just thought it was a PR exercise. That’s the one that I call bug bounty Botox. If you haven’t done any of your homework internally and you’re just looking to slap a bug bounty out there to say that we take your security very seriously, but you’re not actually planning to fix it, well, you’re not pretty on the inside. It is bug bounty Botox. Knowing about bugs, it turns out, is like 1/1,000th of the battle. Nearly half of the organizations had implemented these bug bounty programs or implemented a bug bounty, but only 19% of the reports came from an actual bug bounty program, a managed program. What’s interesting here, in terms of the equation, is in open source, who is responsible for fixing the vulnerabilities? Well, it is the maintainers. And in the survey, 63% of open source vulnerabilities reported are not being fixed. Why? Because a lot of the maintainers are overwhelmed. There might be one person working on an incredibly popular package that got really popular and had a vulnerability. OpenSSL was in that category for a long time before Heartbleed. But resources still aren’t being poured into that half of the equation. The European Commission said, good news, everyone, we’ve decided to sponsor bug bounties against the most commonly open source deployed across the European government. They didn’t even tell the maintainers. I contacted the Apache server core guys and was like, hey, the three of you who were paid to do this, did you know about this, and they said, oh, no, thanks for the heads up.

>> CHRIS WYSOPAL: If they’re going to turn on the fire hose, you might want to get ready for it.

>> KATIE MOUSSOURIS: Yeah. Someone painting a bounty bullseye on your back. And, well, anyway. I just said why aren’t we actually pouring money into the folks who have to fix it and ideally prevent vulnerabilities in the future.
Unbalancing the equation here is a little bit of a problem with this bug bounty fever that we have all been getting into in the last few years.

>> CHRIS WYSOPAL: We have talked about some horror stories and some problems, but, in general, if you look at the survey results, we have come a long way. Things are actually in really, really good shape than they were 10 years, 15, 20 years ago. And so I wanted to show up with some final data from the survey which gives us a good positive picture. We found out — and I was actually surprised how good it was. It was three out of four organizations had actually an established CVD. They had something. They had — they had an address and said please send vulnerability reports to us. It was a small bar to reach, but the fact that three out of four organizations had done that is really good news. The other good news is for those in the survey who dealt with an unsolicited vulnerability disclosure report, 90% said it was handled in a coordinated fashion.

>> KATIE MOUSSOURIS: Yeah!

>> CHRIS WYSOPAL: Ninety percent. That’s great. That’s even more happening in a coordinated fashion than people who have an established method for receiving vulnerabilities. That means that the researchers were schooling the organization and saying this is how you do coordinated vulnerability disclosure, even when the organization didn’t have that. That’s a little bit different than it was 22 years ago when we were dealing with Microsoft, so I see this as a huge success. It only took 22 years to get to where we are. Things move slowly. Finally, one last point I wanted to make here is there is actually a lot of unsolicited vulnerability disclosure going on. If you don’t even have a bug bounty program, 37% of organizations said they received something in the last 12 months. That should tell you that if you don’t have a way of receiving vulnerabilities from researchers, that you should put one in place. That’s going to be one of my recommendations.
>> KATIE MOUSSOURIS: It is a 22-year overnight success. Right?

>> CHRIS WYSOPAL: Exactly.

>> KATIE MOUSSOURIS: It’s totally working.

>> CHRIS WYSOPAL: Exactly. We did it, Katie.

>> KATIE MOUSSOURIS: Yeah.

>> CHRIS WYSOPAL: I just want to give some takeaways. We gave you a lot of data. We talked about some war stories. What are our recommendations from what we’ve learned over the years? The number one thing that you can do really easily next week when you get back to your organization is find out if you have a contact address. Does your organization — is your organization able to receive a vulnerability from the outside world and do something with it?

>> KATIE MOUSSOURIS: But remember, you can’t just put up a contact address and a scope page and call it good. That’s like saying, you know, my grandmother makes the best lasagna. I’m going to invite everyone in the world over for dinner. She’s going to get a little backed up in the kitchen. So making sure that you have a process internally to handle unsolicited bug reports, this is different from your regular vulnerability management process or your pen test vulnerability addressing process that you can address at your own leisure. This is very different. Making sure that you have that digestive system of bugs ensures that you will not go to the bug buffet and get bug indigestion.

>> CHRIS WYSOPAL: And then finally, and this will take some time, we highly, highly recommend doing your own security testing as part of your development lifecycle before you release it, either using automation or manual testing, so that you can actually find and fix these bugs in a much cheaper way than waiting for an external researcher to find them. We still think CVDs are a great idea and bug bounties could be appropriate. But without actually trying to fix the stuff yourself, it is just going to be a more expensive and more time-consuming process.

>> KATIE MOUSSOURIS: Well, we have shared a lot with you today. We are so grateful that you joined us.
And I believe that we’ll have some resources and links in the final versions of the slide that are posted. Right now, we have got actually room for a couple of questions. There are two microphones as I flight attendant you in. There are two microphones on either side. If you have questions, please come to the mics. But otherwise, coordinated vuln disclosure as driven by hackers who then became C-level executives, hopefully we have done a little bit to help the world become a better place. We have come a long way, baby, but we need your help. Thank you.

>> CHRIS WYSOPAL: Thanks so much.

>> KATIE MOUSSOURIS: Out in the audience, Steve, Christy, please raise your hand. This wonderful person right here. Inventor CVE and co-conspirator. We can’t remember how long we’ve known each other, but dear friend and ally of coordinated vuln disclosure. Please, your question.

>> BEN SPEAR: Hi. Thanks. My name is Ben Spear. I’m the director of the Elections Infrastructure ISAC that’s been established to help protect the election offices, and we’re looking at establishing a CVD and things like that. I’m sure you guys have seen the ongoing discussion about the recent Blockchain voting app and the vulnerability disclosure there. One of the arguments that they had made as to why they went forth the way they did was because they felt that the vendor had previously had a negative response to vulnerability disclosure and that they didn’t use the bug bounty program because they didn’t feel that they could do the work that they needed to do to address the vulnerabilities they were concerned about within the constraints that were provided by that. And so I was wondering your thoughts on that and how that can be addressed or how the researchers should behave in that sort of context.

>> KATIE MOUSSOURIS: Well, you know, I have opinions about this. Yeah. I think that it is interesting because the commercialization of bug bounties and coordinated vuln disclosure platforms we all thought was a great idea. Right?
Facilitate this process and reduce friction between the researcher and the organization receiving. But, unfortunately, because they have a business model and they’re kind of selling control, they have these sort of nondisclosure terms. Jonathan who found the Zoom bug last year encountered this on all the major bug bounty platforms. He said, look, I just want to see the bug fixed within 90 days. It’s important to me. I don’t even need the bounty. And I don’t want to have to go through your platform to be able to do it. I will, but I keep getting these nasty grams from the platform manager saying, yeah, but you can’t disclose unless they give permission or we’ll kick you off the platform. So, unfortunately, the commercialization pressures of the bug bounty programs are now driving friction and wedges between security researchers and the organizations that they’re supposed to be trying to get to. We don’t need any of that. We don’t need to regress on this timeline. Yes, I have strong opinions about this. This is why I think that bug bounty should not actually come with non-disclosure. And, in fact, Microsoft’s original bug bounties had no non-disclosure agreement, meaning we were paying $100,000 on a wink and a handshake. Do you have anything else to add to that one?

>> CHRIS WYSOPAL: No. I think sometimes you have to go outside of a bug bounty program because of restrictions. That’s just going to be part of the decision-making process that the researcher is going to have to do sometimes. I don’t know the exact details of that case, but there are definitely going to be times when you’re going to have to release or you’re not going to be able to follow the rules of engagement.

>> KATIE MOUSSOURIS: Unfortunately, that’s all the time we have. We’ll take your question when we see you some other time. Thank you all so much. Enjoy the last day of RSA.

 

The post Coordinated Vulnerability Disclosure: You’ve Come a Long Way, Baby appeared first on Fixhackedsite.

 

fixhackedsite.com/coordinated-vulnerability-disclosure-yo...

My really good friend Greg here on Flickr and Facebook saw my photo with a stick in it and fixed it for me without being asked. It was a pleasant surprise to open up Facebook messenger and see my newly refurbished photo. It was also really kind of him.

Photo was taken in Victoria B.C. Canada on January 18th 2021. :D

© Jerry T Patterson - All Rights Reserved Worldwide In Perpetuity - No Unauthorized Use. Absolutely no permission is granted in any form, fashion or way, digital or otherwise, to use my Flickr images on blogs, personal or professional websites or any other media form without my direct written permission.

▀▀▀▀▀▀▀▀▀▀

I was going over some photos taken in Jackson Hole, Wyoming over the years and came across this one.

 

While there in September 2012, I was scouting different locations to take people to in a future workshop there and I really like the sunrise from this location.

 

So I documented this well and entered it into an ebook I was writing at the time called "Grand Teton National Park - A Photographer's Site Shooting Guide - I". And now my ebook continues to generate a revenue stream for me.

 

▀▀▀▀▀▀▀▀▀▀

My Milky Way night sky photography workshops

 

In 2019 I will be leading two 2 day photography workshops in Jackson Hole and one four day workshop in Jackson Hole.

 

During all workshops, I will take my group out at night for Milky Way night sky photography.

 

Here is a list of the photography workshops I will conduct in 2019:

 

1. Arches National Park - March 1-3 with Ryan Smith SOLD OUT - Completed

 

2. Goblin Valley State Park with Ryan Smith - March 3-5 SOLD OUT - Completed

 

3. Grand Teton National Park early spring - June 3-5 (a few seats available, just added on very short notice)

 

4. Grand Teton National Park spring wildflowers - June 6-10 SOLD OUT

 

5. Grand Teton National Park - June 11-12 (3 seats opened)

 

All workshops include Photoshop & Lightroom Milky Way post processing sessions covering latest Milky Way processing technique with image stacking.

─────────

Advance 2020 Iceland workshop announcement

Iceland workshop dates: July 6-11

 

This workshop is timed to capture the incredibly huge lupine wildflowers throughout the areas we visit.

 

If you are interested in attending any of these, please send me a message via facebook Messenger.

▀▀▀▀▀▀▀▀▀▀

You may also find me at: .. 500px || 72dpi || facebook || Instagram

 

Thanks for stopping by.

© 2017 Anthem of Colours Photography | Mico Picazo

(Attribution-NonCommercial-NoDerivs)

You may copy or repost my works as long as you give credits to me. Stealing, cropping, or any other kind of modification without my consent is punishable by law.

If you want to have access to my photo, please contact me through Facebook Messenger.

I have been filling Flickr's coffers for a significant number of years. In that time, 99.9% - heck, more - of the people I've encountered have been decent. One or two have even become friends along the way. I've managed to gripe only once, about a decade ago.

 

There are two users here who stand out for being offensive shits.

 

The first is a person who's taken several hundred photos and would benefit from rapidly moving onto a second idea as his own equally repetitive descriptions demonstrate. A couple of years ago I semi-humorously prodded by way of a comment gently taking the mickey out of the canned descriptions, which earned a very short Facebook Messenger conversation, in which he blocked me before I had a chance to respond. He proceeded to block me on Twitter and Flickr. Last year, when I stumbled across a group with some nice photos that _happened_ to be run by the same fellow and sought to join, within an hour he booted me out. So that's a Flickr group that's nothing but a fan-club for the administrator's work then.

 

The second is another group admin who took it upon himself to presume to dictate what constituted a panorama in comments on one of my photos - you'd think a little caution would be advised rather than barging in with a dictatorial "not a panorama". Just because it's square(ish) doesn't mean it hasn't been stitched, as my tags showed. His attitude was horrible so I blocked him, which earned me a ban from a couple of panorama groups as well.

Can't say it was a sad loss - however kindly I try to pretend to be, his own photographs are utter crap.

Today I put a photo in a group about people which probably didn't meet the rules (although the rules have also probably changed a lot - looking back, most of the photos I'd submitted wouldn't meet the current criteria). Rather than remove the image, maybe flickr-mail me a warning, I get banned outright. Looking through the group members, lo and behold but I see the same person as admin of that group too. It took a couple of minutes but I've happily removed _all_ my photos from that group.

 

I am not in the slightest bit upset at losing these audiences. I am, however, deeply saddened that there are people on the planet so immature as to both take and treat things as cause for personal mini-vendetta.

MY SITE IS FINALLY UNBLOCKED! PLEASE READ THIS!: magickthoughtssl.com/2019/03/27/seeing-light-second-life-...

  

magickthoughtssl.com/2019/03/20/petty-second-life-residen...

Due to people harassing me, my site is blocked on FB. Second Life people had a bone to pick and got PETTY. If you can help this situation out and help get me unblocked, it will be greatly appreciated. Here is my site magickthoughtssl.com/ THANK YOU SO MUCH! Please share this, screen cap it, I don't mind!

Designer/Creator application to be part of the I Said NO Event SL to Benefit RAINN (Rape Abuse & Incest National Network) is NOW OPEN!

 

This Event is to support all survivors of sexual assault, abuse and violence and to honor the dedicated personnel of RAINN (Rape Abuse & Incest National Network). To those new artists and designers who wish to sign up for this event but did not receive an invite, please contact me inworld (mmorganwhitfield)!

 

DESIGNER/CREATOR APPLICATION: tinyurl.com/qlyrbcc

 

Our official website:

isaidnoeventsl.wordpress.com

RAINN.org: www.rainn.org

Letter of Authorization from RAINN: tinyurl.com/tjnh4hh

 

If you have any questions, please do not hesitate to contact me here on Facebook Messenger or inworld (mmorganwhitfield)

 

Presented by Best of Second Life (BOSL), Miss Virtual World Organization, and BLVD Fashion House.


**PLEASE READ AND CONSIDER*** Designer/Creator application to be part of the I Said NO Event SL to Benefit RAINN (Rape Abuse & Incest National Network) is NOW OPEN!

 

This Event is to support all survivors of sexual assault, abuse and violence and to honor the dedicated personnel of RAINN (Rape Abuse & Incest National Network). To those new artists and designers who wish to sign up for this event but did not receive an invite, please contact me inworld or here!

 

DESIGNER/CREATOR APPLICATION: tinyurl.com/qlyrbcc

 

Our official website:

isaidnoeventsl.wordpress.com

RAINN.org: www.rainn.org

Letter of Authorization from RAINN: tinyurl.com/tjnh4hh

 

If you have any questions, please do not hesitate to contact me here on Facebook Messenger or inworld (mmorganwhitfield)

 

Presented by Best of Second Life (BOSL), Miss Virtual World Organization, and BLVD Fashion House.


MY SITE IS FINALLY UNBLOCKED! PLEASE READ THIS!: magickthoughtssl.com/2019/03/27/seeing-light-second-life-...

  

People never cease to amaze me. My site is safe. I am trying to get it unblocked. Thanks all the do gooders who reported it so many times just to be PETTY!

magickthoughtssl.com/2019/03/20/petty-second-life-residen...

"I Have Moved"

I have moved my soul into exile

and the stones

that I carry with me:

from repeated damage

rubble

already destined for inattention

as if to piece together again:

the inventory

frames pieces of memory

tears in the weave

and self-deceptions.

maladjusted more than enough

polished to a mirror

semblances of unreality

deep pain:

in the inhuman alien of another world,

Poem by

Luciana Riommi Baldaccini, poet and therapist of Humanity.

**************************************************************************

 

Best vision for you:

  

www.fluidr.com/photos/patrizia_9

What happens if teenagers stop talking to one another and, instead of verbal communication, prefer exchanging messages on WhatsApp or Facebook Messenger...?

A revolution in human communication is now under way, one in which interaction with screens prevails over direct interaction between people.

"There are more people connected in the world than people who connect,"

What can I say...

Let's wait for this generation to grow up and see whether it will be better than the ones that ruined this country; you parents do really very little to change it, you like doing the things that please you, and that is certainly not living together.

  

************************************************************************

 

P.S.:

«I will never again show rainbows to you colour-blind people,

I keep the rainbows in my heart, bastards...!»

 

************************************************************************

Thanks for visiting.

Good night, everyone... Dan!

After the first 285 rolled by I was a good worker and shut off the scanner feed and did my thing in the warehouse. In the afternoon, I got a Facebook Messenger text that 239 was out of New Baden with a CREX leader. That bit of information just happened to coincide with another trip around the building. Instead of my normal wide view at this spot, I opted for the Head On Tele of the striped CREX leader - definitely a rare leader for this line.

 

02-15-2017

Designers and Artists of SL, we will be back in December so please stay tuned for updates!

 

This Event is to support all survivors of sexual assault, abuse and violence and to honor the dedicated personnel of RAINN (Rape Abuse & Incest National Network).

 

In the meantime, please feel free to view our official website:

isaidnoeventsl.wordpress.com/

RAINN.org: www.rainn.org

Letter of Authorization from RAINN: tinyurl.com/tjnh4hh

 

If you have any questions, please do not hesitate to contact me here on Facebook Messenger or inworld (mmorganwhitfield)

📷The Heights Photo Contest📷

Rules of The Contest

📷 EVERYONE IS WELCOME! You don't have to be a professional photographer!

📷 To enter, contact KariNoelle Baptiste: Inworld Contact: KariNoelle Resident or KariNoelle Baptiste on Facebook! If you would like to rez props, please make sure you have Group space available prior to contacting Ms. Baptiste.

📷 TAKE a picture anywhere on The Heights Sim (submit 1 picture)! This Sim is based on the RL Brooklyn Heights in New York, so your image should showcase "Life in New York" using the facilities & landscaping that The Heights offer. Remember, this is an Adult Sim! You must be 18 or older to participate.

📷 You can upload ONE (1) photo to flickr and submit your link to Inworld Contact: KariNoelle Resident or KariNoelle Baptiste on Facebook.

If you do not have a Flickr page, you may submit a full perm pic via inworld or via Facebook messenger to KariNoelle Baptiste using the above contact methods.

📷 Your image should be CREATIVE, NO NUDITY, NO SEXUAL ACTS & NO PHOTO SHOP!! NO PHOTO EDITING AT ALL! Utilize the natural windlight and shadowing features of SL & you may use your own props.

📷 Your image will be judged by:

▶Uniqueness to the Concept

▶Originality

▶Creativity

▶Visual Appeal

▶Overall Artistic Impression

📷 Photos will be judged by Renowned SL Photographers (Non-Heights Team Members)!

📷 Bloggers & The Heights Residents, Vendors & Employees are encouraged to participate!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

📷Contest starts Monday, November 20th to Friday, December 15th.

▶First Prize: 3000L & Rent an Uptown, Downtown Apartment or Vendor space for 3 weeks, get a 1 week free rental (For New Resident or Vendor ONLY)

▶2nd Prize: 2000L & Rent an Uptown, Downtown Apartment or Vendor space for 3 weeks, get a 1 week free rental (For New Resident or Vendor ONLY)

▶3rd Prize: 1500L & Rent an Uptown, Downtown Apartment or Vendor space for 3 weeks, get a 1 week free rental (For New Resident or Vendor ONLY)

📷 Winners will be announced on Tuesday, December 26 & the first place picture will be featured on the billboard in The Heights and used as the cover picture of The Heights FB Group!

📷Any questions, please feel free to contact KariNoelle Baptiste, The Heights Event Coordinator. NO IMAGES WILL BE ACCEPTED UNDER ANY CIRCUMSTANCES AFTER DECEMBER 15TH @ 12NOON SLT! YOU MUST BE 18 YEARS OR OLDER TO ACCESS THE SIM.

📷 REMEMBER, BE INSPIRED & HAVE FUN!!📷

Photographed using my Facebook messenger camera at the time as was in a rush... sorry for poor quality.

marketplace.secondlife.com/p/BIG-LIKE-Button-Facebook-Mes...

BIG LIKE Button : Facebook Messenger

 

• For your Second Life Avatar

• Works exactly like the messenger like button

• Precise animations with Sounds

• 100% High quality Mesh

• Modifiable (size, color, texture)

 

www.youtube.com/watch?v=5AXL8ze6Vdo


Shot at 85mm, I lost the original photos, this was extracted from Facebook messenger.
