This is, almost verbatim, my exact same experience. Used pi-hole as an excuse to get a Raspberry Pi. Used it for a long time but got tired of troubleshooting. Discovered NextDNS (from this site), and have been a happy customer since. NextDNS has not been perfect (it looks like they abandoned their app(s)), but it has the added benefit of working outside of my home network.
Regarding the client apps, I find them to be mostly not necessary now that you can identify clients to DNS-over-TLS and DNS-over-HTTPS endpoints. What do you miss?
Being able to disable it on the fly is the number one thing I miss the most. Additionally, it would be nice to interface through the app instead of the website, but that's definitely under nice-to-have; the website is functional on a mobile device.
Yes, HN guidelines are generally to avoid modifying the source for headlines like this unless it is impossible/impractical otherwise. Doing so risks either accidental misrepresentation or editorializing, which is a bit of what happened here.
True, I wish I could edit the headline. But to be fair, 99% of the time people are trying to donate used clothes and not a fresh, unopened stack of Hanes white t-shirts.
The fines are symbolic. Even if you look at the fine for the hotel data breach in 2018, that was only $52 million (US) and $23 million (UK), total of $75 million. And the Equifax breach? An executive VP of IT sold $584k of shares right after the breach and before the press release. Nothing happened to him, he said he was unaware of the breach. https://www.npr.org/sections/thetwo-way/2017/09/08/549434187...
The SW supply chain attack is one of the most brilliant cyber attacks in recent history. They hit a train load of gold bars, and had as much as 14 months of dwell time with potentially 18,000 customers. Discovery must have been disappointing for the attackers.
If you follow the most important rule, secrecy, you get plausible deniability and smaller fines.
Unisys and Avaya are both reporting losses. This fine makes it even more of a loss. Further, if they don't mend their ways, the SEC will give them an even bigger fine.
SEC likely offered low settlements here to get agreements without having to battle in court whether SEC even has the authority to do this. Now that they have to some degree established authority here* they can go for enforcement harder and push companies further on disclosure.
Unisys and Avaya are both security vendors. This absolutely is a bad look for them, as almost every Security RFP asks about internal controls and how a vendor has remediated against these issues, and this is ammunition for any competitor to ask a prospect to re-evaluate purchases from either due to misrepresenting their security procedures.
Furthermore, Unisys only has an operating profit of around $200M a year, so a $4M fine is fairly brutal (that's an entire security team's operating budget for a company at Unisys' size).
Avaya's is smaller still, so that $1M is fairly brutal for them
Furthermore, security vendors like Avaya and Unisys could arguably be in breach of contract with customers because it could be argued that they misrepresented their internal security protocols to customers.
What really gets attention is "consent orders" where if the regulated entity doesn't clean up the act, then that line of business, or the whole entity, gets shut down.
Often you may see this result in a divestiture, as in, unable to clean up, so we'll sell the client base to someone with better systems. (In theory. Almost inevitably, this drags a few legacy systems over anyway.)
It's not a case of deterrence. As the orders linked from the press release describe, all four of these companies have been cooperating extensively with the SEC to fix things up and agreed to continue doing so as part of the settlement.
The reason why companies get breached is because the systems being breached are all legacy. Company A buys company B who bought company C, which merged with company D. C fires D's old IT department, because it's redundant, so now D's billing system is being managed by C's IT department. C then sells itself to B, who has a much more robust billing system. At this point, it'd make sense to replace the billing system from D, but everyone who knew how it worked got fired in the C/D merger. So it sits around because nobody wants to break that part of the business. Then A buys B and does another round of layoffs, so anyone who even knew about this is gone.
Ten years and hundreds of iterations of this exact cycle later, you get an e-mail from a stranger saying they found all your customer records being sold on a cybercrime forum. Your IT department scrambles to remediate a breach in a system they've never heard of that nobody remembers installing or maintaining. It's just always been there. Corporate amnesia runs deep. People are finding forgotten old servers running unpatched versions of Windows Server 2003 that were so ritualistically overlooked you'd need to be high on Class Z mnestics just to perceive them.
Every enterprise IT department is like this. That's why companies get breached so damned often. There is never enough time in the budget to properly document legacy systems, nor are the decision-makers at the top even aware of the fact that they exist. Their job is to eat things, and they eat voraciously. If you want to stop this from happening, you need to make M&A illegal, not just inflict more pain to the invisible arms the corporate body cannot perceive pain from.
That's because it's not understood what a liability allowing this to occur is. Perhaps if we fine them based on revenue they would understand that IT is a core part of their company and can no longer live on the edges of the business units.
Clearly not everyone agrees with you that it is minimal and inconsequential. Perhaps you are lucky enough to not have anything vital of yours disclosed without your knowledge or consent.
The liability of allowing this. Liability to the company. It is factually minimal and inconsequential.
Look at the stock price hit companies take when they have security breaches. The impact is basically none apart from a short-term dip which recovers soon enough. Or look at the fines companies get for breaches, always a minuscule percentage of their profit.
This is why companies will keep short-changing security, because to them it's just a cost that doesn't really matter. And objectively, it doesn't matter when viewed from the lens of maximizing profit at all cost.
Did CrowdStrike go out of business yet as a consequence of their breach? Did T-Mobile? Did Equifax? These all should have, but all are going strong.
Thank you for a clear explanation of how this sort of thing can happen. I've seen similar issues in profit-making parts of businesses, so I imagine it can only be worse in areas seen as cost centres.
They will easily find time and budget as soon as liability starts being a common thing in the IT industry across the board, instead of only on high-integrity computing deployments.
> law should be written to require a mandatory percentage of revenue. That will wake them up.
Percent-of-revenue fines are regressive relative to margin.
10% of Walmart's revenue is 4 years' profits. 10% of Equifax's is a few quarters'. Moreover, you'd have a bureaucrats' delight of companies splitting revenues across entities while courts have to litigate common control claims. Unless you have a good reason to punish low-margin businesses more heavily than high-margin ones, this is an inefficient scheme.
Except damages for data leaks are kind of hard to compute, since in practice they're $0 until some of the data is provably used to cause some non-$0 worth of damage down the line.
> damages for data leaks are kind of hard to compute, since in practice they're $0 until some of the data is provably used to cause some non-$0 worth of damage down the line
Through private action, yes. Use statute to define damages as a function of the number of people affected, the type of data released and whether the company self-reported or was caught, by the public or a regulator. Add enhancements if the company was reckless, the data was out there for longer than a month or it was accessed by foreign adversaries.
My wife purchased a Stanley cup through Amazon and 5 months later its thermal regulation stopped working. She contacted Stanley about their lifetime warranty and after some back and forth with Stanley's rep, they determined that the item was counterfeit and because Amazon is not one of their authorized resellers there wasn't anything they would do. This was purchased through the "Stanley" store but was fulfilled by a third party and not Amazon directly, something my wife wasn't even aware Amazon did. The seller never responded to contact and Amazon refused to post the review complaining that it was counterfeit.
The hypocrisy is apparent when you notice that pretty much the only brand of products that miraculously does not have third-party resellers listed (and hence escapes third-party inventory commingling contamination issues) is Amazon Basics. [1]
Nah, let’s not go this far. Might be true for some AmazonBasics product categories, but I have a specific example where this is just not true.
Their AmazonBasics monitor arms are manufactured by Ergotron (aka one of the most reputable and best monitor arm brands out there). I have both AmazonBasics and Ergotron arms (purchased from their official website), and it is clear as day that they are nearly the exact same product.
I purchased the AmazonBasics arms back in 2016, and they still serve me great to this day, surviving 2 moves between west-east coast and many more local moves.
You can call this anecdata, but both AmazonBasics monitor arms and Ergotron ones have excellent reputation.
Mind you I buy a lot of both Amazon Basics as well as Aliexpress generic products. I'm not saying something is garbage for being in this category, sometimes there are quality products, as you note.
In other words being generic and being garbage aren't a perfect circle in a Venn diagram.
> refused to post the review complaining that it was counterfeit
That sounds like a legal liability for them, as in "exhibit D demonstrates the defendant knowingly kept a fraudulent listing available for purchase" /ianal
>they determined that the item was counterfeit and because Amazon is not one of their authorized resellers
Amazon is an authorized retailer of Stanley 1913 products.
They determined that the item was counterfeit because you did not purchase it from Amazon.com; you purchased it via Amazon.com from a third party.
My Amazon account was created in 1998 and since 2008-ish I have barely entered any physical stores due to me being in an extremely rapid delivery area where I once got a microwave delivered three hours after ordering it.
Since then, the number of times I have purchased something on Amazon that has been fulfilled by a third party without my knowledge can be counted on zero fingers. The seller is prominently displayed directly below the "Add to cart/Buy now" buttons on both the website and mobile app and is listed again during the checkout process.
Please help me understand because I hear about this happening often and have a genuine, non-snarky belief that Amazon might be showing me a different version of their storefront because I also hardly ever see any of the cheap Chinese trash everyone complains about.
Obviously, if I search for "novelty rainbow colored wig" I'll get all of the hootoovooodoo brands but for normal things? Nope.
And I have never been curved to a third-party unless I specifically hit "compare all options" and scroll through the list down past all of the other amazon (returns/refurbs/scratch-and-dent) listings and EXPLICITLY choose a reseller.
To be clear, this wasn't an example of Amazon explicitly not having it in stock and she went to third parties looking for it or her shopping for better prices. In both of those workflows it is very obvious you are buying from a third party. Instead, she went to the product page, went to the color she was looking for and just hit add to cart. I will note that it does show a different seller, but you can't argue it is prominent; it's the smallest font on the entire page. Here is a link to an Amazon page with the product[1]. If you click on the different colors on that page, you'll see that most of them are shipped and sold by Amazon; this product was shipped by Amazon, but not sold by them. Here is a screenshot of the product page[2]. You'll see that "Pure luxury" is the actual seller, even though it is shipped by Amazon. As mentioned before, while it is directly below the Add to Cart and Buy Now buttons, it is the smallest font. I hope this explains how even though you are on the official store page, you can purchase from a third-party without realizing it. Amazon has been doing this more and more recently, but this was the first time it ever bit us.
> that has been fulfilled by a third party without my knowledge can be counted on zero fingers.
Since they commingle products at the warehouse level and handle *actual* fulfillment at the SKU level and not the vendor level - how do you know this?
At the warehouse there's a bin of widgets that are all supposedly the same. Regardless of who the vendor is purported to be when you buy it, if it's coming from that warehouse it's coming from that bin of widgets.
>Since they commingle products at the warehouse level and handle actual fulfillment at the SKU level and not the vendor level - how do you know this?
Because Amazon does not commingle first and third-party inventory and I do not buy, since it is so easy to avoid, from third parties (or drop shippers) unless it is an extremely niche item like a 0.1" to 0.025" 10-pin header adapter.
Unless, of course, they are lying. Do you have evidence they are lying?
Do you have any proof they are not commingling? Have they outright said it at any point? Because there's more than enough anecdotes out there (and in previous threads about it on HN) that show that 1st party products are not treated any differently.
Amazon has to list the value of their inventory in financial reports.
If they were commingling every single report would be a lie.
Also, they explicitly state that:
>Generally, we recognize gross revenue from items we sell from our inventory as product sales and recognize our net share of revenue of items sold by third-party sellers as service sales.
If they were commingling, those figures would be a lie.
The reason that would be lie is that Amazon has defended itself from product liability lawsuits for harms caused by defective products sold by third parties by repeatedly claiming in court that they do not take title to the goods in their possession that are supplied by third parties.
When you take title to something it is yours.
If it is yours, you need to include its value in an inventory valuation.
If inventory that you have title to and inventory you do not have title to is commingled there is no way to track which of the two have been sold, who holds title to what remains in inventory, and what that is worth.
Their inventory valuation would be a lie, their product sales figures would be a lie, and their service sales figures would be a lie. The amount of insurance they carry would be wrong, and that would open them up to legal vulnerabilities if anyone can demonstrate that the toaster they bought from a third-party seller which exploded was actually a toaster Amazon had title to and was shipped to them due to being commingled.
The only thing an investor has to do to sue the shit out of amazon is establish that their numbers are wrong, and are wrong on purpose, and they have been harmed by their numbers being wrong.
They can commingle but simply keep track of how much of the inventory is theirs and how much is not. I think you have a limited understanding of how their system works.
I got an Amazon product the other day, likely counterfeit, with Amazon listed as the seller and 3rd-party sticky barcodes on the packaging. How is that possible without commingling?
Ok cool, so they haven't actually said it anywhere. You're just assuming because of your interpretation of wording in their reports, and then taking it to the slippery slope extreme.
> If inventory that you have title to and inventory you do not have title to is commingled there is no way to track which of the two have been sold, who holds title to what remains and inventory, and what that is worth.
How is this not a problem for the 3rd parties with commingled inventory? Amazon clearly has a way to know which of the many 3rd party sellers they commingled sold the product in order to pay them, and know how many products are in stock across their commingled inventory.
Considering the product is supposedly the same, the cost would be the same, and they would only need to do the exact same tracking they do with 3rd party sellers whenever they themselves sell an item from the commingled pile.
By design, it is assured that the number of products you put into the system are the number you will eventually sell, even if it's not the exact same physical product. And that is totally fine if the products are identical and cost the same. That is the whole point of the commingling system; that the products are meant to be completely interchangeable. There's no accounting magic to be done, you're just tracking the number you sold vs the number you put in.
I am curious about the legality of this. This directly diminishes the value of Peloton bikes for sellers. Imagine if the fee was so high that it was greater than the value of the bike; the used market would obviously be affected. If there was no subscription, but a purchased license, I would understand that argument, but a fee on top of a monthly subscription?
My question is, preferably to a contract lawyer, would Peloton owners have a case to make that Peloton has diminished the value of their property by $95? Is that even a thing? If there was a competitive marketplace, for example, an alternate service for you to hook your bike up to, it would be an argument against this; but as far as I am aware, a Peloton bike can only be used with Peloton's services.
So...Golden SAML isn't a vulnerability, as the CyberArk article quoted in the post reiterates; it's a type of attack that requires completely compromising the box before using. Unless I am misunderstanding something, I don't see any particular flaw, per se. As Microsoft (mocked in the article) would say, it's not crossing a security boundary. SSO will ALWAYS have this particular tradeoff. If your SSO infrastructure is compromised, everything that uses it is at risk of being compromised.
Exactly! AD FS is part of Tier 0 in the same way as Active Directory itself and needs to be treated and secured as such. Of course, security goes a long way when it's part of a holistic approach like zero trust.
Mitigation is also not really possible when using SSO. One way would be to require the target service to require a second factor in addition to a valid SAML token, but then each user needs to keep their second factor current, whatever it might be, in each target service. This gets unmanageable quite quickly, not to mention that there are basically no SaaS or self-hosted applications out there that support SSO and a second factor at the same time.
It was the SolarWinds hack that gave internal access and potential admin rights. It's no different than if a domain controller gets compromised. The attacker has gained control of the keys to kingdom; it's an inherent risk to SSO.
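The thread's point is that a Golden SAML token is signed with the IdP's real token-signing key, so the service provider's signature check passes and cannot tell a forged assertion from a genuine one. The one signal the service provider does not have is whether the IdP actually issued that assertion. The example below is added here (it is not code from the thread, from CyberArk, or from Microsoft) and shows that correlation: it reads a constructed IdP issuance log and a constructed SP acceptance log in a hypothetical JSON-lines schema (the field names are assumptions, not real AD FS or Entra ID event fields) and flags assertions the SP accepted that the IdP never issued, whose subject differs from the IdP record, or whose validity window exceeds an assumed one-hour policy.

```python
"""
Added example: correlate service-provider (SP) accepted SAML assertions
with identity-provider (IdP) issuance records to surface Golden SAML
forgeries. A forged assertion signed with a stolen token-signing key
verifies at the SP, so the only independent signal is that the IdP has
no record of issuing it. Log schema and sample lines are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed IdP issuance log (hypothetical schema, not real AD FS events).
IDP_ISSUANCE_LOG = """
{"event":"token_issued","assertion_id":"_a1","user":"alice@corp.example","ts":"2024-05-01T09:00:00Z","not_on_or_after":"2024-05-01T10:00:00Z"}
{"event":"token_issued","assertion_id":"_a2","user":"bob@corp.example","ts":"2024-05-01T09:05:00Z","not_on_or_after":"2024-05-01T10:05:00Z"}
"""

# Constructed SP acceptance log. The third line is a forged assertion: the
# signature verified, but the IdP never issued "_zz" and its lifetime is a year.
SP_ACCEPT_LOG = """
{"event":"assertion_accepted","assertion_id":"_a1","user":"alice@corp.example","ts":"2024-05-01T09:00:02Z","not_on_or_after":"2024-05-01T10:00:00Z","sig_valid":true}
{"event":"assertion_accepted","assertion_id":"_a2","user":"bob@corp.example","ts":"2024-05-01T09:05:01Z","not_on_or_after":"2024-05-01T10:05:00Z","sig_valid":true}
{"event":"assertion_accepted","assertion_id":"_zz","user":"admin@corp.example","ts":"2024-05-01T09:30:00Z","not_on_or_after":"2025-05-01T09:30:00Z","sig_valid":true}
"""

MAX_LIFETIME = timedelta(hours=1)  # assumed IdP policy for assertion validity


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious_assertions(idp_log, sp_log, max_lifetime=MAX_LIFETIME):
    """Return SP-accepted assertions with no IdP issuance record, a subject
    mismatch against that record, or a validity window longer than policy."""
    issued = {e["assertion_id"]: e
              for e in parse_log(idp_log) if e["event"] == "token_issued"}
    findings = []
    for e in parse_log(sp_log):
        # Only assertions the SP actually trusted matter here.
        if e["event"] != "assertion_accepted" or not e.get("sig_valid"):
            continue
        reasons = []
        record = issued.get(e["assertion_id"])
        if record is None:
            reasons.append("no matching IdP issuance record")
        elif record["user"] != e["user"]:
            reasons.append("subject differs from IdP issuance record")
        lifetime = _ts(e["not_on_or_after"]) - _ts(e["ts"])
        if lifetime > max_lifetime:
            reasons.append(f"validity window {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append({"assertion_id": e["assertion_id"],
                             "user": e["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_assertions(IDP_ISSUANCE_LOG, SP_ACCEPT_LOG):
        print(f["assertion_id"], f["user"], "; ".join(f["reasons"]))
```

The caveat that follows from the thread's own argument: an attacker who owns the AD FS box (Tier 0) can also edit or suppress its issuance log, so the IdP-side records must be forwarded to a store the AD FS host cannot write to before this correlation is worth anything.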
It doesn’t. The number of games that natively target Vulkan is minuscule.
Both Unity and Unreal support metal well (and for a long time, better than Vulkan), especially due to iOS. Even many proprietary engines do.
Even before Vulkan and Metal existed, OpenGL was consistent (before Apple stopped supporting it) and there weren’t many more native games then either.
Someone will no doubt bring up reusing Proton, but they’ll gloss over the differences in platform and also that Game Porting Toolkit exists and does the same thing.
The reality is that, until recently, the number of Mac systems that were gaming ready was a very small number that wasn’t worth focusing on.