It's sort of the reverse: they can't know, from a bare commit ID, what repo it "belongs" to without searching backward from every tag or branch in the repo. (Even that question is malformed: repos have histories and may have contained commits in the past that are no longer ancestors of existing branches or tags).
So they just fake it: they look in their database to find any commit with that SHA and put it up. And that database happens (for obvious performance reasons) to be shared between a repo and its forks.
A branch is just a series of commits; if any one of the commits has a different hash (as this hack will do) then the commit and all following commits will have a different hash.
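As an added illustration of the two points above (not code from the thread): a git commit ID is a SHA-1 over the commit object's own bytes, which include the parent's ID, so it encodes nothing about which repository or fork holds it, and rewriting one commit changes the ID of every descendant. The helper below reproduces git's object hashing (`"<kind> <length>\0<body>"`) and builds a small linear history; the author/timestamp strings and the commit messages are constructed sample data.

```python
import hashlib

def git_object_id(kind, body):
    """Content-address an object exactly as git does: sha1("<kind> <len>\\0<body>").
    The id depends only on these bytes, never on the repo or fork they live in."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

# git's well-known id for the empty tree, derived the same way
EMPTY_TREE = git_object_id("tree", b"")

# Constructed sample identity; a real commit carries real author/committer lines.
AUTHOR = "Example Dev <dev@example.invalid> 1500000000 +0000"

def commit_id(tree, parents, message, author=AUTHOR):
    """Serialize a commit object as git does and hash it."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}", "", message]
    body = ("\n".join(lines) + "\n").encode()
    return git_object_id("commit", body)

def build_chain(messages):
    """Ids of a linear history where each commit is parented on the previous one."""
    ids, parent = [], []
    for msg in messages:
        cid = commit_id(EMPTY_TREE, parent, msg)
        ids.append(cid)
        parent = [cid]
    return ids

def demo():
    """Rewrite only the root commit (as a rebase or force-push would) and report
    which ids in the branch changed: every commit after the edit is affected."""
    original = build_chain(["first", "second", "third"])
    rewritten = build_chain(["first (edited)", "second", "third"])
    changed = [a != b for a, b in zip(original, rewritten)]
    return original, rewritten, changed

if __name__ == "__main__":
    orig, new, changed = demo()
    for o, n, c in zip(orig, new, changed):
        print(o[:12], "->", n[:12], "changed" if c else "same")
```

Editing the last commit instead leaves the earlier ids untouched, which is why a rewritten history shares its unchanged prefix with the old one and why a forge that keys its object store by id alone can serve a commit from any fork that ever contained those bytes.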
It seems like companies only get the message when there’s jail time involved. None of the companies would freeze my credit since their web sites said some unspecified value couldn’t be verified for me, despite confirming my data was indeed lost. Pretty sure that, like with other regulations that include jail time, this wouldn’t have happened, or their website to freeze my credit would have worked.
I agree. Until someone's ass is on the line, and I mean in terms of prison time and not merely their job, the rational thing to do for a shitty company that never cared for its customers is to continue with that approach.
Just wanted to make the distinction that we are not the customer; therefore, expectations to be treated as a customer are not going to be met. I was highlighting the frame of thinking and context that one should be using when thinking about their relationship with such entities. I could have delved deeper and specified that it is actually aggregate data about us that is the actual product. My main point (which granted I could have been more clear on) was to emphasize that expectations will not be met if one thinks of themselves as a customer to a credit reporting agency. That is unless they work as an agent of an entity extending credit to consumers.
It was not my intention to be rhetorical nor to cast moral judgment, rather just to highlight that the relationship is different than that of a customer/business relationship.
Totally agree. Courts also need to be less hesitant to disband corporations that break laws or court orders. Too big to fail should go the way of the dodo.
I also tried to freeze my credit and their website required me to put something in the mail. I did, including sending copies of various documents, and never got any response. I have the same issue with one of the credit reporting bureaus. They refuse to give me my legally required free credit report despite multiple attempts and mailings.
I would have to get an actual lawyer with a lawyer's letterhead for them to care, probably. I don't really want to spend hundreds of dollars to get my free credit report.
I disagree, but I want to be clear that I disagree on practical, not ideological, grounds. As others have pointed out, handing out prison sentences for security breaches would be counterproductive. If we make it financially ruinous, companies are more likely to change their behavior in the way we want them to.
Why is Hacker News so obsessed with sending people to jail? Literally every time any sort of corporation gets fined (for nearly anything), there is a loud call to send people to prison.
It's like there is this undercurrent of bloodthirstiness and hatred for large companies and their leaders that gets brought to the surface.
Because many times, the default "punishment" is a fine that is often times a _small percentage_ of the _profit_ from the illegal/negligent act.
That is not a punishment, or even a deterrent. And therefore, corporate leaders continue, unabated, doing things like this. Because there is effectively zero incentive to do so.
If you are a corporate officer, directing and / or approving policies that are illegal, tell me why you should -not- go to prison?
> If you are a corporate officer, directing and / or approving policies that are illegal, tell me why you should -not- go to prison?
You should and the law allows for this. Certain crimes will get corporate executives locked up. It's a matter of making stricter liabilities and sentences for these white collar crimes, which really should have happened yesterday.
I absolutely agree. I was addressing the parent, more - and their question of "why does HN have this obsession with sending people to prison for corporate/white collar crimes?"
Because, frankly, wealthy, successful, rich people like those leading Equifax (and many other major corporations) are not punished in the same way normal people are.
>Why is Hacker News so obsessed with sending people to jail? Literally every time any sort of corporation gets fined (for nearly anything), there is a loud call to send people to prison.
Because that is the default response to poor people, yet corporations don't have the same threat. They effectively become immune to the law as long as they are willing to pay the extra tax.
Jail time means a lot to people who usually commit high-stakes white-collar crimes since they have a lot to lose in those cases. A very material risk of facing it would definitely help prevent others from committing those crimes.
If you slap them on the wrist and let them carry on with a fine, it makes it very easy for a psychopath to just risk it.
If you read the post, the question is how to change the behavior, and in the US would-be white-collar criminals are dissuaded by jail. We could give them a social score too; that seems to work in China.
Maybe not jail time but I would really want the board to be personally responsible for what they did. Or, if they can argue that they made sure their corporation had a good security culture, the executives who broke the company regulations need to be personally responsible.
Seriously, someone needs to be rehabilitated from this before they can be sent back into society. After someone gets out of jail from grand theft auto they need to understand that what they did was wrong and treating people like that hurts them. I’m not saying the executives need jail time and emotional trauma, but at least some sort of therapy where they’re confronted with the fact that doing this stuff with a hundred million people is not nice and has consequences. They should fundamentally rethink their lives and what brought them to do such a careless thing with people’s data, just like a convicted felon.
Edit: made it clearer that I meant the decision makers, not all owners.
The main problem with a lot of personal data is that it’s used for identification right? There are other issues of course, but wouldn’t it make sense to assign everyone a cryptographic key that’s just used for authentication?
You are right about providing a more proper digital authentication solution for citizens, and at least one country has this[0], but in this case it just seems that the data was being kept/exploited for no better reason than marketing and that the company should not have had access to it from the start.
37 CCU avg is a dead game; it’s admirable they put a best effort into making their last players happy. That also means, while a little embarrassing to lose code, it’s not a big deal. And it’s also not surprising they’d edit the code on the server and not have it in SVN; game development is full of sins like that.
Yep, power laws at work. Look at Twitch viewer numbers for another real time example. The distribution is always concentrated at the top, followed by a long tail. Also the case with the best selling apps, books, movies, etc.
In 2014 Riot released numbers of 7.5MM peak concurrent players for League of Legends (off a MAU 67MM) and in 2016 reported a MAU of 100MM (but no new concurrency figures). Those are old stats but still useful for comparison.
Disclaimer: I work at Riot but don't have any internal numbers to share.
E*Trade’s mobile app does the same thing, but you can’t edit the password field since it’s a native app. The website allows longer passwords than what their mobile app allows and just locks you out of your account after a few correct password entries. To make things worse, support tells you it’s due to your network.
Better IDE support would also help here, if it could annotate what each flag meant for example and provide inline help and autocompletion. The nice thing about shell is the commands are very short and easy to type on the command prompt, PS is too verbose and is cumbersome for that use case and more full featured languages have all the upsides plus better tooling.
Powershell has abbreviations (aliases) for common commands and fantastic autocompletion for flags and arguments passed to cmdlets. Where-Object|Format-Table is just ?|ft for example.
Also remember that in PowerShell there's very little munging - half of any serious shell script is sed/cut/awk/tr and so on to munge the output of one command into the input of the next. That more than makes up for PowerShell's individual commands or cmdlets having more characters in.
The article is likely the exception, where people do grow and become better at grasping the depth and essence of the problems they're solving, and the breadth too. I’ve never seen people grow like that outside of elite companies, and even at that it’s rare.
Despite being from the west, I find Chinese and eastern philosophy in general pretty straightforward since they’re just talking about fundamental observations of the mind which are universal, and I can filter out the misunderstandings of the translators well enough, I feel. Language aside, the cases where it’s clear to me the translator doesn’t understand are normally when it comes to basic fundamental observations about the mind; it’s as though in the west there’s basically no knowledge of the mind itself, so I think the west would have an easier time with eastern texts after observing their minds a bit closer. Typically westerners confuse the mind with the biology of the brain and go off track that way. My observations at least.
> since they’re just talking about fundamental observations of the mind which are universal
I have to politely disagree. In fact there are lots of subjects in common between so called Eastern and Western philosophy. Maybe you are mostly thinking about Yoga. Just reading the beginning of this piece of text today https://ctext.org/dictionary.pl?if=en&id=41979&remap=gb made me think about a phrase used by Jesus and then much later by Marx "Let the dead bury their dead."
More just the phenomena that happen when there is an honest investigation into the mind. The west has never attempted it, at least I’ve looked high and low, and the closest thing I could find was Plato’s Allegory of the Cave. However, still it’s superficial, like Yoga and western religions, in that it never directly addresses the mind itself; it’s always focused on the content, as opposed to the commonality between content to understand the mind, which is transparent. This might seem like a lofty claim, but it is indeed what shaped the east for thousands of years and is what makes it different from the west. That’s the root.
Steam also stores your credentials world readable on the file system, I reported it I think in 2016 and they just said it was a limitation. I know Epic Games takes security more seriously than Valve at least.
As I understand it, there's no way to have the feature of "remember me" on the login box allow skipping 2FA without this. Anywhere they could put it while still allowing a no interaction login would be just as vulnerable.
The primary way of attack was to trick a steam user into either uploading the token file directly, or trick the user into running an executable that uploaded it silently. If you're already tricking the user into running an executable you design, there's not much left that can be done to stop this since such an executable could reach inside the running steam process and read whatever data it likes.
The attack here is simply that another login on the same machine can get the token. I think that’s how I discovered it: I logged into another account on my machine and Steam logged in using my other account on start up without asking me to login again.
I should also mention the trend towards these Vault services to store secrets is even worse, in that they effectively make all secrets on a machine world readable since an off-box service can’t determine what user is making the request. And the trust-on-first-use idea is lacking in most implementations, and vendors like HashiCorp in fact don’t want to add it anymore since apparently their users had problems using it and would lock their apps out by accident. So... yeah.
Plus, use Windows' Protected Storage Subsystem (which has been around forever) to at least lock the tokens to a specific Windows account/user. No need for a machine-wide readable file even if the tokens were signed and encrypted.
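As an added example, and not code from any of the commenters or from Steam: the POSIX counterpart of the point above is that a cached login token should be readable only by the account that owns it, from the moment the file is created. The block below audits a directory for credential files that other local users can read and writes a token the hardened way (created with mode 0600, no clobbering, no following a planted symlink). The directory layout, file names and token contents are constructed sample data.

```python
import os
import stat
import tempfile

def world_readable(path):
    """True if anyone other than the owner (group or other) may read the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_secrets(directory):
    """Paths of regular files under `directory` that are readable beyond the owner.
    This is the check a second local login would effectively perform for you."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if stat.S_ISREG(os.lstat(path).st_mode) and world_readable(path):
                findings.append(path)
    return sorted(findings)

def write_private_token(path, token):
    """Create the token file owner-read/write only, atomically with its creation.
    O_EXCL refuses an existing file (including a symlink planted by another user),
    O_NOFOLLOW (where the platform has it) adds a second guard against symlinks,
    and the 0o600 mode applies at creation so there is no world-readable window."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, token)
    finally:
        os.close(fd)
    return oct(stat.S_IMODE(os.stat(path).st_mode))

def demo():
    """Scenario with constructed data: one token file written the careless way
    (default-style 0644 permissions) and one written with write_private_token."""
    workdir = tempfile.mkdtemp(prefix="tokens-")
    leaky = os.path.join(workdir, "config.vdf")      # hypothetical leaky cache file
    with open(leaky, "wb") as f:
        f.write(b"remember_me=constructed-sample-token")
    os.chmod(leaky, 0o644)

    private = os.path.join(workdir, "token.bin")      # hypothetical hardened file
    private_mode = write_private_token(private, b"remember_me=constructed-sample-token")

    return {
        "leaky_world_readable": world_readable(leaky),
        "private_world_readable": world_readable(private),
        "private_mode": private_mode,
        "findings": [os.path.basename(p) for p in audit_secrets(workdir)],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A 0600 file still does not protect the token from code running as the same user, which is the point made earlier in the thread about an executable the user is tricked into running; it closes only the cross-account case, which is the one per-user stores such as Windows' protected storage are meant for.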
Seeing how Epic was caught uploading a copy of that file (which also contains the friends list and wish list) for untold purposes (officially to import friends while bypassing the Steam API), I don't think they deserve any praise.