> Retroactive Privilege Expansion. You created a Maps key three years ago and embedded it in your website's source code, exactly as Google instructed. Last month, a developer on your team enabled the Gemini API for an internal prototype. Your public Maps key is now a Gemini credential. Anyone who scrapes it can access your uploaded files, cached content, and rack up your AI bill. Nobody told you.
Malpractice/I can't believe they're just rolling forward
They should limit the new features to new API keys that explicitly opt-in instead of fucking over every user who trusted their previous documentation that these keys are public information.
Isn't it standard practice to harden permissions on API keys? Like, if I were a bootstrapped startup maybe I'd take shortcuts and let an API key have a * permission, but not for anything that could rack up thousands of dollars in bills for the customer. But at Google's scale that just seems irresponsible.
Sure, but the practical form of this attack is limited.
You can't maliciously embed it in a site you control to either steal map usage or run up their bill because other people's web browsers will send the correct host header.
That means you can use a botnet or similar to request it using a script. But if you are botnetting, Google will detect you very quickly.
Is there a way to use Google maps apis on the web without exposing the key?
Re host header: seems an odd way for Google to do it, surely they would have fixed that by now? I guess not a huge problem as attackers would have to proxy traffic or something to obscure the host headers sent by real clients? Any links on how people exploit this?
Something that can be abused is if the key also has other Maps APIs enabled, like Places API, Routes API or Static APIs especially for scraping because those produce valuable info beyond just embedding a map.
The only suggestions I have are:
- If you want to totally hide the key, proxy all the requests through some server.
- Restrict the key to your website.
- Don't enable any API that you don't use, if you only use the Maps Javascript API to embed a map then don't enable any other Maps API for that key.
It would be helpful if you answer the question about web api usage, most of that is not relevant.
The only suggestion I see there from a quick skim that would avoid the above is for customers to set up a Google Maps proxy server for every usage, which adds security and hides the key. That is a completely impractical suggestion for the majority of users of embedded Google Maps.
As a professional-level baritone who has sung tenor parts quite a lot, there is a shortage of every low voice type (directors are often conflicted when I make the offer to sing tenor). People who can produce a chorally-acceptable A or Bb are in the shortest supply, though. It's getting worse as the amateur singing circuit gets smaller and the gender ratio gets more skewed.
Amateur-level choirs tend to have a lot more basses than tenors because it is easier to sing bass without effort spent on vocal training.
I am an amateur baritone. In school I was used for tenor parts because, of course, there was a shortage, and I had good enough technique that I could sing tenor parts, if not well.
Now, I sing second bass for a men's choir, because that was what they were missing. I think all not in-the-middle voices are scarce.
Tenor parts are more difficult, technically speaking, and voices capable of the tenor range are rarer. So any given man joining a choir can more likely manage the bass range, and if they can, they can almost certainly manage the bass parts.
FTA:
> When men do join singing groups, they often avoid the tenor section. The tenor voice is “a cultivated sound”, says John Potter, author of a book on the subject. A man with no vocal training is more likely to have the range of a baritone (a high bass). It does not help that the tenor voice is associated with operatic stars such as Luciano Pavarotti, who could powerfully sing high notes that no amateur can easily reach. And the tenor line in classical choral music can be difficult, with many unexpected notes and alarming leaps.
Surely a real bass is rarer? I just assume, as someone completely musically inept, based on listening to the vocal groups on the radio, that a bass contributes less and can be omitted more easily?
People at the extreme ends of the spectrum of range are rarer and people in the middle of the range are more common. As it stands, choral bass parts fit better into untrained voices than choral tenor parts. A typical baritone (middle range male voice) can sing choral bass parts well enough, but will find tenor parts relatively strenuous.
I know many women who admit they "fall in love" any time they hear a low bass. They might marry a tenor and never cheat on him, but every time they hear a low bass their heart flutters. Men know/see this, and so tenors become less interested since their higher voices don't get the women (there are plenty of other ways they have).
Anecdotal I guess, but when I was in a high school choir, I loathed that my teacher assigned me to the tenor section. It did not fit with the image of myself that the high school version of me held in my head; "a man should be a baritone or bass after puberty!"
I liked choir and stayed in it for all four years, but I was never particularly good at it so what the hell did I know anyway.
"average bass steals all the love interests" factoid actually just statistical error. average bass steals 0 love interests per year. John Tomlinson, who steals 10,000 paramours per year, is an outlier and should not have been counted.
Doing things puts you on the hook when those things fail. Politically it's much better to keep the limit in place so that you can make virtue signalling votes that are guaranteed to fail. That way you're seen as "doing something" but without having to be responsible for it.
There are many tools available in Germany that support you in doing your tax filings. They have endless questionnaires in (tax-law-free) easy language that guide you through all the taxing niches. They not only respect all rules regarding the laws but also the latest jurisprudence.
Like: If you have a lockable, separate office and work (almost) exclusively from home, you can basically deduct the entire room for tax purposes (rent + electricity + heating + insurance + etc).
....but wait until Finanzamt comes along and measures the size and checks with a controller if this room is really ONLY for work - if there is the slightest sign that this room maybe used for other things, your plan is gone.
Even an additional single sofa/couch can crush this plan.
And: if you say the room is worth 500€, you don't get back this 500€ with the yearly tax declaration; you only get this amount deducted from total income, raising your after-tax income a little bit. In fact, with this solution you lose a room PLUS some money. Rather rent out the room one week via AirBnB and pocket this in cash and you are fine.
Obesity drugs are in the top 25 for 2025, but don't make up the largest plurality. That goes to oncology drugs at ~1/3rd. Obesity drugs are at ~14%.
I want to mention here that these oncology drugs are mostly antibody methods. Which, what the hell? We're making antibody drugs at scale now?! And that's like some of the highest selling drugs out there?
For comparison, though not in the linked article here, Acetaminophen (Tylenol) only comes in at ~$4.3B, which would put it way down in 13th place, out of the top 10.
Granted, this is sales numbers, and in the US, that's practically taking the savings of very sick people and turning it into stocks. Something that elicits no small reaction here on HN or just about anywhere.
Still, to the point of the main article, yes, we live in an age of medical miracles, and it arrived quite suddenly, only in the last 7 years or so, and we have a lot of gas in this tank.