Girl unaware all her pictures are sent to journalist (translate.google.com)
148 points by lordlarm 1160 days ago | 177 comments

I'm experiencing something that is obviously dumb users.

I have a first.last@gmail address and my name is very common. So I bet others had to use less desirable gmail addresses.

Since google started to aggressively push for adding alternative email and/or phone number, dumb users that initially wanted my email address entered it as their "alternate email" not understanding it's for password recovery only.

I clicked the "not me" link in more than 20 confirmation emails, but google probably never used that to better inform the dumb users.

Now my gmail account is a cesspool of emails intended for other people, site registration confirmation for idiots with same first/last name but a different middle name... And there's no spam algorithm that can fight that!

Time to start looking for alternatives.

Most of my projects involve a mass-market audience so I get a pretty good view of what average competence looks like. Based on this, I would guess that a significant portion of Americans have great difficulty reading. Even when you put a big message that says this is not for X, people will continue to do X.

If you run a startup or a company whose audience is early adopters you get a skewed view of the average level of competence of users.

I don't know if things get worse in other countries. However, I would guess that 10-20% of the US population lacks the basic literacy and logic skills to hold a manual job involving anything but repetitive tasks.

~13% when it comes to reading, ~20% when it comes to quantitative tasks.


And even besides the people with low IQ, most everyone is only capable of thinking abstractly some of the time--and even then only after years of cognitive development[1]. System 2 thinking[2] is taxing to the brain (consumes more glucose/oxygen/etc), and is switched out of whenever it's not absolutely necessary.

[1] http://en.wikipedia.org/wiki/Piagets_theory_of_cognitive_dev...

[2] http://en.wikipedia.org/wiki/Dual_process_theory

How interesting - I bet you could tell some good (and informative/scary) stories. I'd buy the book.

> I don't know if things get worse in other countries.

Due to the decentralized nature of education in the US, there is higher variation in outcomes. This likely leads to greater illiteracy in the US than in other industrialized countries.

In my case, most of the emails I get are in Portuguese. So Portugal, Brazil and parts of Africa.

It's not about reading ability, it's about the way things are written. There's been plenty of research done on how to write notices and warnings etc. that will catch attention, and how to persuade readers to follow the directions. But of course "user interfaces" are often not "designed" by designers at all, much less anyone who's ever studied the research. (Not that most designers study the research, either, but they're more likely to than Joe Programmer.)

Example: Jakob Nielsen publishes research that shows "people on the web don't read." The sample content used to determine this? The list of tourist attractions in North Dakota.

Garbage in, garbage out.

Finally, the vast majority of text on the web around forms etc. is useless, poorly written, obtuse, abstruse. People have been indirectly trained to ignore it. It's not surprising that most users ignore the messages you took the effort to write.

If you cross paths with enough Googlers in your career, eventually you'll come across the lucky souls with first names as gmail accounts; then when they explain the deafening background radiation they get, you start thinking "hm, maybe lolhackerx0@gmail.com isn't such a bad address after all"...

Example: Grandma sending pictures to Larry! Oh, he must be larry@gmail.com, right?

I have a first name only email forwarding account at a "well known Easter technical school." (I signed up first thing when these were made available at a time when a lot of people still weren't on the Internet.) I don't get as many random emails as I once did but, at one point, I even got on an email thread involving board discussions at some company.

Ha! I can up you. Last year I got invites to some Chinese gov stuff intended for a consul of some country with the same first/last name as me. They had a bunch of emails @gmail and @yahoo and a couple @country.gov, and apparently mixed a few.

Should have taken that free trip to shengze or something :)

> well known Easter technical school

Derived from a well-known Passover technical school?

You can always drop the few dollars a year for a vanity domain. No one has ever accidentally typed/used tk@tkte.ch!

This is exactly why I:

1. Use a handle that is a deliberate misspelling of an archaic name, and;

2. Use an archaic spelling of my surname as a vanity domain.

I wonder if you have trouble giving your email over the phone.

I have a <name>@<name>.net email. And every time I'm spelling my email to someone, I say: name, n a m e @name.net, 99 times out of 100 they ask me if the second "name" is spelled like the first one.

I have a friend whose surname was McCurry (which she rarely used - family baggage) and she ended up changing it to Blake, because you never have to spell out Blake to people, but you do every time with McCurry.

Yeah .... I had the same problem with a common first name + last name @gmail - even to the extent of getting someone else's buddy passes for JetBlue - before getting my own domain. I thought it wasn't bad for my purposes, but it's a terrible domain name for spelling out (my handle here plus .com).

Don't Googlers have mailboxes on the google.com domain directly? Gmail has only been around since April 1, 2004.

Some worked on gmail and were in the right place at the right time for personal mail. You keep it after you leave.

I own <first initial><last name>@gmail and I routinely get email intended for other people, including flight itineraries, new account info at various sites, personal emails, and once I even received legal correspondence.

Not only has this taught me how incredibly oblivious some people are to how their email works, but it also showed me just how many companies out there are willing to sign up a random email for an account without verifying the email's ownership, including some big companies like PayPal.

A pedantic but important point - you do _not_ "own" AnyUserName@gmail.com - Google owns them all.

So true. Also, I frown whenever I read someone ‘bought’ a domain name (when they mean they’ve registered it).

I got that for my Bank Of America account.

If three other people tried that username, I not only got locked out of my BoA account, but also had to set up a bunch of stuff again.

I have a long blog post about BoA's horrible policies I still haven't published because I work in a major financial city and might end up wanting to work for them some day, but as time goes by the odds of it getting published go way up.

This happens to me, and I wouldn't call my name common (the email that this happens to is <nickname>@gmail.com, not my <firstname>.<lastname> one though).

It does make for fun responses... I was invited to a bachelor party in Las Vegas, which I sadly had to decline on account of being halfway around the world.

> including flight itineraries

Those are not real flight itineraries.

They are usually well crafted spam sent to anyone and everyone, designed to entice personal details like bank accounts, pin numbers and visa card numbers from unexpecting users.

No, they're real flight itineraries. I checked. Also, they're made out to the same people who keep misusing my address.

I have a few other people's bank accounts from foreign countries (mainly the US) emailing me. I really couldn't believe that banks have no email verification at all...

And same as the article, I never get to know the idiot's email address they are trying to register mine as the password recovery. That's the dumbest on Google's side. Makes me powerless to solve the idiocy DoS attack on my account.

Why do you repeatedly call them idiots and refer to this behavior as idiocy?

I've gotten everything from business plans to divorce papers sent to my firstname.lastname@gmail.com address. In some cases I've tracked them down and called their cell phones, and they still mistakenly send me email. There are some people whose email automatically gets re-routed to the 'correct' account with a note, and they continue to use my email address. Some have even sent me nasty emails saying they're blocking my address, as if I am to blame somehow for their incompetence.

I understand that people make mistakes and typos happen. But when you're dealing with legal documents there's no excuse for this kind of oversight.

> There are some people whose email automatically gets re-routed to the 'correct' account with a note..

How does that work? Have you created some sort of filter? (How do you make sure that it gets the correct emails?)

Yes, I've created a filter so that any emails from certain people automatically get re-routed to the intended recipient.

Because it's the near-equivalent of misspelling your name on an exam, at least when it's entering your own email address.

On the flipside I sometimes get mails intended for someone else with my name in Australia, but that is easy enough to assume that his friends/kids' teachers/etc. just manually typed in the address and messed it up.

Oh, you'll love this one. I was sent a notice that my car was ready to pick up, but it was for a guy that lives in Canada and has a similar name/email.

I respond saying the shop has the wrong email address. The shop owner (let's call him Bob) replies saying "that's the one you gave me" facepalm #1

I find the car owner and forward him the info on facebook. He responds back saying "Thanks, Bob." Even though the message is clearly from me. facepalm #2

Even if these people were completely tech illiterate... have they never heard of a wrong number?!?

I got added to a Black Board announcement list for some school. They don't seem to have a way to say 'stop sending this address mail'. I'm cranky, so I emailed the dean of student affairs about it.

He emailed back as if I were a student. I responded pointing out that I had no association with the school. He emailed back asking me to explain further, as there was someone with my name at the school. So I explained that I thought it was probably someone with the same name. At least that ended it.

(Shrug) There has to be some way to distinguish their behavior from people who actually bother to understand what email addresses are before using email.

Calling them either "Idiots" or "Dumb users" seems reasonable, so why not roll with it?

That's the most arrogant thing I've read in a while. The fact that someone doesn't comprehend something technical makes them inexperienced. Computer literacy is literacy.

Would you call someone who can't drive a car an idiot? Or someone who is using an ATM machine for the first time? These people are not competent. They are inexperienced. But a pejorative term like "idiot" isn't called for.

These people, for the most part, do not respond or even seem to comprehend correction. They seem to be the same people that refuse to understand what is going on when they dial a wrong number: "Hey Stan! What's goi-" "I am not Stan. You have the wrong number." "No, this is Stan's number." "....click"

If you can't apply the term "idiots" to these people then the word is useless and can never be used.

> Would you call someone who can't drive a car an idiot?

I would if this person was out on the highway. I learned to drive on a parking lot, and then on roads with very little traffic. People who can't drive are a danger to themselves. People who are too incompetent to know what their correct email address is are a danger to themselves too.

> Would you call someone who can't drive a car an idiot?

Sure, if they didn't even attempt to learn to drive before getting behind the wheel.

> Or someone who is using an ATM machine for the first time?

Sure, if their failure to use even the most elementary mental faculties available to them affected anyone other than themselves.

Oh boy! so many "idiots" and "dumb people" in your world, they don't deserve you believe me.

Next time call the Internet Police on those fkers!!

You are fantastic, cheers.

I get bank statements and postpaid mobile bills. When I wrote a bank (Kotak, India) the executive's first reaction was - "please contact the user" - of course I had mentioned in the email that I've no idea who the intended recipient (someone in Pune, India) is. I finally had to set a filter and take a vow that I can never be this bank's customer and I ought to quit if my firm decides to tie up with them for salary a/c.

There's Tata Docomo who sends me monthly postpaid bill. I've learned two things from their emails - that gentleman in Nagpur is very irresponsible in paying bills and that Tata Docomo's spam filters are so strong my email never made it to them. They keep on sending. I guess they shall send me the calls records if I request to this email.

My fault? I've one of the most famous/common Indian/Hindi names on Gmail/Hotmail/Yahoo and domain name too - both .in and .com.

> I get bank statements and postpaid mobile bills.

Most such e-mail traffic is just spam, not sent by the banks, but sent by people hoping to trick the recipient into reading the e-mail, following the link and logging into a false web page set up to act like the bank web site.

Once they have your logon details they will go to the real bank page and transfer out your money.

The most amazing thing is that even though most of it is spam not all of it is. I get monthly emails telling me about various bills or status of from at least my internet, cell phone, and student loans. Pretty sure none have a copy of the bill and ask me to follow a link to log in.

I don't click on most email links because you never know if it's the scammer or the company.

> Most such e-mail traffic is just spam

Of course. But it's a real bank statement and it's a real mobile bill that makes its way into my inbox each month. Used to, I mean before I created a filter to delete it as soon as it arrives.

I have an email alias that’s similar to well-known rabbi Shmuley Boteach’s[1] personal email address (‘schmuley’ instead of ‘shmuley’). Occasionally, I get an email that’s meant for him, so I forward it. Not a problem.

[1] http://en.wikipedia.org/wiki/Shmuley_Boteach

This is one reason I put my email on my own domain. But yeah, you can't really expect most users to do that.

Same thing happened to me, but only once.

Gmail has broken the standard by adding dot aliases. They should at the very least acknowledge it.

I feel your pain. I also have this problem.


A Norwegian girl, living abroad, enabled "auto upload my pictures to Google+" on her phone and for some reason they end up in a Norwegian IT journalist's Google+. Everything from full passport details to regular photos is uploaded. The journalist can see geolocation etc. as well. Google keeps stating it is not possible and the journalist is experiencing problems contacting Google.

This is exactly why I never say something is "not possible" in relation to IT anymore. Everything is "possible" some things are just more likely to occur than others.

In particular I've found race conditions and memory corruption to result in particularly fun "impossible" situations.

I try to say "I don't understand the mechanic by which that could occur, can you reproduce it?" and if they can then I have to figure out /how/ they can.

The mindset that something "isn't possible" is dangerous as a developer.

You should never deny the evidence. When you say "It's not possible", something in your understanding is obviously mistaken. Maybe your understanding of the evidence, maybe your understanding of the problem, but somewhere you're wrong. Your job now is to find out where you're wrong.

The correct response in such situations is "What am I wrong about?"

I've lost count of how many times I've seen the Can't Happen mindset delay resolution of an issue. It's a genuine problem.

The first job of the respondent is to validate the input so that the right problem gets solved.

> I've lost count of how many times I've seen the Can't Happen mindset delay resolution of an issue. It's a genuine problem.


> When you say "It's not possible", something in your understanding is obviously mistaken.

Not necessarily. Bear in mind that the "error" data itself can be wrong too, for many reasons -- some benign, some not so much. People can and do lie and make mistakes.

In the public sphere things are even more fraught. There are people who loathe $COMPANY and would love to see their services discredited. On the other hand, $COMPANY's legitimate success depends to some extent on people's perception of their reliability, so they have a right to defend themselves.

I think a reasonable response from $COMPANY in this case is "1) That's impossible", to reassure skittish customers, and "2) We'll work directly with the person having the problem and report back, stay tuned" to show respect and responsiveness (and potentially humility later).

If you were running your own company, paying the salaries of your employees and serving your investors, would you do otherwise?

Would I lie about my responsibilities without checking? No. Even to save myself financial loss, no.

It's loathsome that you ask.

Saying "We don't think this is possible on our end but are investigating to help wherever we can" is different than saying it is not possible.

I think that your "What am I wrong about?" approach is going too far in the opposite direction.

I usually use "That shouldn't be possible" - whether it is possible or if it's user error then often depends on the maturity of the system.

On a new system pretty much anything is possible. On a system battle-tested for years by thousands of users the possibility of encountering program bugs drops dramatically.

This is where good supporters become very valuable. They will be able to learn the solutions to common problems that users face and determine if it's user error, other errors like OS problems or if it's something new that should be investigated by the developers.

Of course if the bug is reproducible then it's a different matter. But any developer who doesn't take a well-described and reproducible bug report seriously should probably find a different job.

Yeah, some people learn that lesson, and some don't, but usually it is when I am saying "That shouldn't be possible!" that I am running even faster than usual to put out a burning slag heap in my lap.

"The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair" – D. Adams.

D. Adams invented the iPhone battery?


My favourite is solar radiation striking a transistor in a RAM chip, delicately corrupting memory or altering programmatic execution.

A great example of this is bit-squatting, where you register a domain name that matches a popular one except for one flipped bit:


It's enough to get quite a few visitors who were aiming for the popular site.
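From the side of whoever runs the popular domain, the same one-bit relationship can be checked for in resolver logs. The following is an added example, not part of the thread: `example.com` stands in for the protected domain, and the observed names are constructed.

```python
import string

# Characters allowed in a hostname (letters, digits, hyphen) plus the dot.
HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + "-.")


def bit_flip_position(protected, observed):
    """Return (char_index, bit_index) if `observed` is `protected` with exactly
    one bit flipped in one character, otherwise None."""
    p, o = protected.lower(), observed.lower()  # DNS names are case-insensitive
    if len(p) != len(o) or p == o:
        return None
    diffs = [i for i, (x, y) in enumerate(zip(p, o)) if x != y]
    if len(diffs) != 1:
        return None  # more than one character changed: not a single bit flip
    i = diffs[0]
    if o[i] not in HOSTNAME_CHARS:
        return None  # the flipped byte would not survive as a valid hostname
    xor = ord(p[i]) ^ ord(o[i])
    if xor & (xor - 1):
        return None  # several bits differ: an ordinary typo, not a bit flip
    return i, xor.bit_length() - 1


def flag_bitsquats(protected, observed_names):
    """Return (name, char_index, bit_index) for every observed name that is one
    bit away from the protected domain."""
    hits = []
    for name in observed_names:
        pos = bit_flip_position(protected, name)
        if pos is not None:
            hits.append((name, pos[0], pos[1]))
    return hits


# Constructed sample of names seen in a resolver log.
OBSERVED = [
    "example.com",   # the real name
    "EXAMPLE.com",   # case change only, same name in DNS
    "examplu.com",   # 'e' (0x65) -> 'u' (0x75): bit 4 flipped
    "exaeple.com",   # 'm' (0x6d) -> 'e' (0x65): bit 3 flipped
    "dxample.com",   # 'e' (0x65) -> 'd' (0x64): bit 0 flipped
    "examp1e.com",   # 'l' -> '1': look-alike typo, several bits differ
    "example.con",   # 'm' -> 'n': two bits differ
    "example.net",   # different TLD
]

if __name__ == "__main__":
    for name, idx, bit in flag_bitsquats("example.com", OBSERVED):
        print(f"{name}: character {idx}, bit {bit}")
```
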

Whoa amazing!

It'd be great if it was something like a hash or uuid collision. Such things are super unlikely but not impossible.

The girl is Norwegian as is the journalist. I doubt that this is a purely random coincidence.

Hash collision between their internal IDs? It'll probably turn out to be something nutty like that.

Hash/GUID collision is exactly what I suspect. I wonder if we'll learn anything from this, or if we'll ever even see an analysis.

You do not have to `enable` it, as soon as you add an account to an android phone, photos automatically start syncing.

I have two Android phones (ICS and Jelly Bean) and this has not been my experience at all.

The first time you start the Google+ app, it will ask you if you want to enable Instant Upload (which uploads to a private album from which you can publish). Prior to that it doesn't do anything with your photos.

What kind of account? I have my Google account(s) synced up to my Android phone and have a total of 0 photos in my Google+ album.

I have them syncing with DropBox intentionally.

Same for me - but I noticed that it suddenly started syncing to Google+ too a few weeks ago (not sure why it started doing this, either there was an update or it was because I logged into Google+ using the default Android Google+ app and it enabled it then). Either way, I wasn't particularly happy about it, though I believe it uploaded them but did not make them public. I turned it off as soon as I noticed as I don't need my photos synced to two places and I already had photos synced to DropBox.

> or it was because I logged into Google+ using the default Android Google+ app and it enabled it then

It asks you if you want the uploads to take place when you first setup the app.

Unless it's a small, easy-to-miss checkbox, I was only asked to log into my Google Account.

It's definitely not small or easy to miss. The whole "instant upload" part is an entire screen outlining what it is with a clear opt-out.

Both Google/Gmail account and Google Apps account.

I may not be correct about 'any' android phone though. I've only used stock and several custom ROMs on Galaxy Nexus ranging from version 4.0.4 to 4.2.2. After you add a Google/gapps account you'll see this in sync settings: http://s24.postimg.org/fxbv98s05/Screenshot_2013_04_28_23_42... . I've found 'Google Photos' always checked by default. First time this feature was introduced, I didn't notice and my G+ filled up with random images from my mobile gallery. Since then I consciously turn this off every time I flash a ROM.

Edit: so you don't necessarily need Google+ app installed for this to happen.

It's true. I was surprised when I suddenly started to get notifications that my photos had been uploaded to G+ and were ready to be shared (I don't even use G+ but have a zombie account).

I don't really mind though. Good backup.

It isn't true. By default -- including on a brand-new Nexus 4 -- it will notify you that photos are ready to be uploaded, and if you follow-through it gives you the option of automatically uploading from then forward.

No, it definitely uploaded them. They are in my G+ account. The notification says ready to be shared.

Indeed, happened to my very privacy sensitive colleague while setting up his new S3 (he had no prior G+ account, so he got a new one). This may depend on what type of account you have and what terms you have agreed to.

Then you opted to allow automatic uploads. When you first opened Google+ (which is not installed by default), you were asked whether to automatically upload photos. You chose yes.


"yes yes yes yes whatever, just let me use the service"

That's the same way malware/toolbars get installed...

No, I definitely did not. Believe what you want.

I can confirm this happens by default on Samsung phones (both att branded and unlocked) as soon as you create a g account

How did you confirm that? Google+ on my Galaxy S III asked me whether I wanted to allow it to upload pictures on first launch (not surprising as it runs the same G+ app as every other device). Of course most people will simply do what nnnnni stated, which is a "sure whatever" clickpast (which Google knows and takes advantage of), and forever more declare it unwanted, mysterious behavior.

   1. buy new note2 from att, register google account, skip samsung and att setup.
   2. buy new s3 from amazon unlocked, register google account, skip samsung setup.
   3. never even open G+ app on both phones
   4. take a picture
   5. wait an hour
   6. you get a notification "pictures you took are ready for sharing" i.e. they are already uploaded against your will and out of your knowledge.

Dammit everyone.

If someone complains about a bad Android default or behavior in a non-Nexus device, and you have a Nexus device, just stay put!

Nexus are a completely different beast when it comes to user control, ok?

I used the Nexus 4 as an example of the most extensive Google integration. However my other devices are a GS 3, GS 2, Galaxy Glide, and Nexus 7s. Given that Google+ is an app (and is actually the same app on all of them), the same behavior was true on all of them.

You have to install the Google+ app, at least I had to do so. I don't have a Nexus though, does it come pre-installed?

> I don't have a Nexus though, does it come pre-installed?

Not only does it come pre-installed but you also can't uninstall it.

You can very easily disable the app causing it to be no longer present in its unextracted form, meaning it's effectively uninstalled.

Last I checked Google+ was the one spyware that you couldn't get rid of even when you rooted the phone. I.e. once you disable G+ all sorts of unrelated apps will hang/force close.

Admittedly it's been a long time since I tried, perhaps they fixed it since then.

To be fair, Google is not saying it's impossible. They're saying "these things" are most often a result of a user error and that they'll look into it.

She probably bought a phone he sold off or lost?

They are on different continents. Also, he changed passwords afterwards and it kept happening.

Changing your password doesn't unlink applications or devices from your google account. See "connected applications and sites" at https://www.google.com/settings/security

They may be on different continents, but they have the same (rare) nationality. I suspect something similar.

Just a warning: blurring pixels in sensitive photos like this is often insufficient. Always black out the information instead (and make sure to flatten the image! and not save it as e.g. a pdf with a black bar over it which has actually happened before too)


That attack is more useful against a mosaic than a straight blur. In this case, to attack successfully, the attacker would have to lay out every possible passport with the letters in the exact position as they'd be printed, because there is a pretty strong blur applied. You have an F and the line of < characters to work with, you know about how long her given and surnames are, and you have a frame of reference for the rest based on how much of the bottom line the author had to blur. Not much else. You also don't have a guarantee that the blur is straight out of Photoshop and contains what you are trying to reverse; looking at it, I don't think it is the actual passport data. I think it was modified then blurred.

I'm happy to be proven wrong, but I think this one is impractical.

That would be interesting if they actually deciphered a real blurred picture.

Which they didn't cause it's not possible, I mean, left to reader.

[edit: I put it with the myth you need to erase data on a hard disk randomly multiple times http://www.nber.org/sys-admin/overwritten-data-gutmann.html ]

Funny how you present your view as fact and then complain about having to put up with myths...


No, I more commented on the article made a pretty bold statement and then didn't follow it up yet everyone buys into it.

I've never seen it actually shown so that to me makes it dodgy. If it was possible it'd be a pretty cool demo.

(And I assume I don't need to say removing camera blur, the famous photoshop swirls incident etc is not the same.)

The link you provided doesn't provide us with any insight into what the NSA's state-of-the-art might have been.

This NIST publication[1] says: "for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack."

Tech changes have "altered previously held best practices regarding magnetic disk type storage media". It does not seem to confirm that multiple erases were unnecessary before.

1: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-...

It's quite possible. Not only is it possible to perform deconvolution, but since you know that you're looking for text data, and you even have the font, you can do much better. You can iterate through millions of names very quickly and find which one, once blurred produces the best match.

In the same vein, check out http://www.ee.columbia.edu/~wliu/CVPR05_LiuWei1.pdf

Have you seen the photoshop image deblurring plugin?


There is a big difference in removing camera shake from a raw image file and removing a blur from a jpeg.

They actually have an example for a regular blurred jpeg at the end. And yes, a camera shake may be a big difference to a regular blur, but then again, an actual regular blur (so an unfocused lens instead of a moving lens) is less often the problem.

Wow, I had meant to have another sentence saying that it is probably still possible based on the "blur" technique used. But... yeah, I clearly did not say that.

I would assume most of the time people "smudge" the data they want to be removed from a photo. Though, as stated, adding new information to the image has got to be the best way to do this. (a blackout.)

Your gutmann document is interesting. Thank you.

There are some things that were not mentioned.

1) Obviously you're talking about traditional spinning platter drives, and not SSDs.

2) The complete drive needs to be overwritten to be sure all data has gone. The safest way to do that is to use an ATA secure erase command. This will overwrite all the sectors marked as bad. DBAN is good, but it will not overwrite sectors marked as bad. (The risk from this is small.)

Depending on the filter that you use, it can be reversed: http://en.wikipedia.org/wiki/Christopher_Paul_Neil

A blur acts as a low-pass filter, removing high-frequency information from the resultant image.

If the high-frequency data that was removed is unique enough that it can't be either guessed or recovered then a blur might be just fine.

If the high-frequency data is something that can be easily guessed, extrapolated, etc. then a blur does not provide much protection as far as the information content goes.
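The difference between blurring and blacking out can be measured directly: redact every candidate value and count how many different outputs remain. This is an added example, not part of the thread; the 3x5 digit font, the box blur with exact integer sums and the three-digit candidate set are all assumptions chosen to keep it small.

```python
# Constructed 3x5 bitmap font, one 15-character string per digit (row-major).
FONT = {
    "0": "111101101101111", "1": "010110010010111", "2": "111001111100111",
    "3": "111001111001111", "4": "101101111001001", "5": "111100111001111",
    "6": "111100111101111", "7": "111001001001001", "8": "111101111101111",
    "9": "111101111001111",
}


def render(text, margin):
    """Draw `text` into a 0/1 pixel grid with `margin` empty pixels around it."""
    height = 5 + 2 * margin
    width = 4 * len(text) - 1 + 2 * margin  # 3px glyphs with a 1px gap
    img = [[0] * width for _ in range(height)]
    for n, ch in enumerate(text):
        for i, bit in enumerate(FONT[ch]):
            img[margin + i // 3][margin + 4 * n + i % 3] = int(bit)
    return img


def box_blur(img, r):
    """Box blur of radius r: each output pixel is the sum of its neighbourhood
    (a low-pass filter; sums instead of means keep the arithmetic exact)."""
    h, w = len(img), len(img[0])
    return [[sum(img[yy][xx]
                 for yy in range(max(0, y - r), min(h, y + r + 1))
                 for xx in range(max(0, x - r), min(w, x + r + 1)))
             for x in range(w)]
            for y in range(h)]


def blackout(img):
    """Replace every pixel with the same value: nothing of the input survives."""
    return [[1] * len(img[0]) for _ in img]


def distinct_outputs(redact, candidates, margin):
    """Number of different redacted images produced by the candidate set.
    1 means the redaction hides the value; len(candidates) means every
    candidate is still distinguishable after redaction."""
    outputs = {tuple(map(tuple, redact(render(c, margin)))) for c in candidates}
    return len(outputs)


def leak_report(radius=2):
    candidates = [f"{n:03d}" for n in range(1000)]  # small, guessable value space
    blurred = distinct_outputs(lambda im: box_blur(im, radius), candidates, radius)
    blacked = distinct_outputs(blackout, candidates, radius)
    return blurred, blacked


if __name__ == "__main__":
    blurred, blacked = leak_report()
    print(f"blur keeps {blurred} distinguishable outputs, blackout keeps {blacked}")
```
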

I guess tech-journalists get to try out quite a few mobile phones through their work.

Would it not be a reasonable scenario that the journalist got to try a phone and used the Google+ app with his account. Upon returning the phone, it wasn't reset properly before being sold on to another person. So the Google+ app could still be associated with the journalist's account when the phone was sold on.

Update: In this article (http://www.dagensit.no/tester/article2355417.ece) the journalist reviews the Sony Xperia S, the very same phone model that the girl uses.

I am guessing there is a user Hash Collision.

Google uses hashes for a lot of things. Hash tables are very fast, and great for database look up. In Python if there is a hash collision both entries are compared and resolved by comparison. This is still fast because doing a compare against 4 collisions is still much faster than doing a compare against 1 billion user names.

That said... The odds get to be beyond astronomical. What percentage of people are journalists? I mean if they said someone contacted us to let us know, that would be believable, but "I am a journalist, and this is happening to me" seems a lot less likely.

I'm not ready to side with Google that this is impossible, but even the response from Google doesn't sound like the Google I know. While Google is hard to get a hold of for tech support and resolution of things, if you do get them to respond to a privacy concern they are swift.

With a Teen Girl they would be even swifter. One naked Bathroom pic and they are suddenly in the Child Porn distribution business, knowingly infringing (since they have been told now) on a teen without her knowledge. That's the kind of thing that an employee goes to jail for, not just gets some big fines.

This does not look at all like a hash collision. Any hash table worth a damn does not rely solely on hash value for retrieval. There's a separate comparison for dealing with collisions on lookup.

Agreed, this does not sound like the bug.

Even if it was a realistic design pattern, what are the odds not only that a collision occurred, but also that it occurred between two users in the same geographic area (i.e. Norway)?

Here is a more likely scenario: They're using the same ISP, and that ISP has some poorly configured transparent HTTP cache that is serving Cache-control: private responses to multiple users. I would bet a significant amount of money on this being the problem.

To test this theory, the journalist should log out (invalidating his cookies), and then only use HTTPS with Google Plus (install the HTTPS Everywhere extension to be certain: https://www.eff.org/https-everywhere). If the pictures keep coming, I'm wrong. If they stop, then they're going to another user with the same ISP until they fix their broken cache.

It is said in the article that the journalist and the girl are from different continents... is there any ISP that operates on multiple continents and uses the same cache infrastructure for all the geographical locations?

It says they're both Norwegian, and she was visiting another country..returned from vacation and uploaded her pics? Using her Norwegian cellphone while abroad (i.e. Norwegian APN)? Emailing her pictures to mom who uploads them from home?

Who knows, but the fact that she visited another country doesn't invalidate it.
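The failure mode proposed in this sub-thread, modelled as an added example (not code from the thread or from any real proxy): a shared cache that keys on URL and ignores `Cache-Control: private`, next to one that honours it. The origin, URL and session names are constructed.

```python
def parse_cache_control(value):
    """Return the set of lower-cased directive names in a Cache-Control header."""
    directives = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            directives.add(name)
    return directives


def shared_cache_may_store(response_headers):
    """A shared cache must not store responses marked private or no-store.

    The qualified form private="field-name" is treated as plain private,
    which is the conservative choice for a shared cache.
    """
    cc = parse_cache_control(response_headers.get("Cache-Control", ""))
    return not ({"private", "no-store"} & cc)


def origin(url, cookie):
    """Constructed origin server: the body depends on the session cookie."""
    return {
        "headers": {"Cache-Control": "private, max-age=60"},
        "body": f"photo stream for session {cookie}",
    }


class SharedProxy:
    """Transparent proxy shared by every customer of one ISP (constructed model)."""

    def __init__(self, honour_directives):
        self.honour_directives = honour_directives
        self.store = {}  # keyed on URL only, as a shared cache normally is

    def fetch(self, url, cookie):
        if url in self.store:
            return self.store[url]["body"]  # served without contacting the origin
        response = origin(url, cookie)
        if not self.honour_directives or shared_cache_may_store(response["headers"]):
            self.store[url] = response
        return response["body"]


def second_user_sees(honour_directives):
    """Two users request the same URL through the same proxy; return the second user's body."""
    proxy = SharedProxy(honour_directives)
    proxy.fetch("http://example.test/photos", "alice-session")
    return proxy.fetch("http://example.test/photos", "bob-session")
```

Over HTTPS the proxy cannot read or replay the response at all, which is why the HTTPS-only test above would distinguish this theory from the others.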

Perhaps multiple hash collisions?

I had a mysterious document appear in my Google docs once. I assumed it was due to a hash collision.

I reported it to Google but never heard back from them.

I thought the same thing.

When I first created a Google+ account, when I went to YouTube, it was just a hash. I imagine your gallery would be the same since it's all now one linked platform. And this is indeed not the Google we're all familiar with.

Google could land in real hot water; not the wrist slaps for privacy/monopoly violations we've seen so far that could actually be chalked up to oversight... if you tried hard enough. This would be a real low point in the company if it pans out to be some sort of auto-upload feature that got enabled and to the wrong account.

Umm...how do you know it's a hash and not a unique id?

By your rationale, UNIX is broken because my uid is a small integer.

> The odds get to be beyond astronomical

The odds of winning the lottery are pretty poor too. Yet people win them every day.

Let's not hand-wave; the numbers actually matter here. One-in-a-million chances happen every day. One-in-2^128 chances do not. If you're exclusively using a hash for identifying someone, then you'll make sure it's big enough to prevent accidental collisions. This is not expensive.

That is a facile analysis. The lottery is a massively distributed brute force attack against a fairly weak hashing algorithm. The odds of you winning the lottery are astronomically small. The odds of someone winning the lottery are not.

The odds of winning the lottery are not "astronomical" in the sense people usually mean when speaking of hash collisions.
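The two technical claims in this sub-thread, worked through as an added example (not code from the thread or from Google): a table that compares keys survives a collision while a hash-only table does not, and the birthday bound shows how hash width changes the odds for a billion users. The truncated SHA-256 hash, both table classes and the key names are constructed for illustration.

```python
import hashlib
import math


def truncated_hash(key, bits):
    """First `bits` bits of SHA-256(key): deliberately small so collisions are easy to find."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


class ChainedTable:
    """Buckets hold (key, value) pairs, so a lookup compares the key itself."""

    def __init__(self, bits):
        self.bits = bits
        self.buckets = {}

    def put(self, key, value):
        chain = self.buckets.setdefault(truncated_hash(key, self.bits), [])
        for i, (existing, _) in enumerate(chain):
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def get(self, key):
        for existing, value in self.buckets.get(truncated_hash(key, self.bits), []):
            if existing == key:
                return value
        raise KeyError(key)


class HashOnlyTable:
    """Broken variant: the hash value alone identifies the record."""

    def __init__(self, bits):
        self.bits = bits
        self.slots = {}

    def put(self, key, value):
        self.slots[truncated_hash(key, self.bits)] = value

    def get(self, key):
        return self.slots[truncated_hash(key, self.bits)]


def find_colliding_pair(bits, prefix="user"):
    """Return two distinct constructed keys with the same truncated hash."""
    seen = {}
    i = 0
    while True:
        key = f"{prefix}{i}"
        h = truncated_hash(key, bits)
        if h in seen:
            return seen[h], key
        seen[h] = key
        i += 1


def collision_probability(n_items, bits):
    """Birthday approximation: P(any collision) = 1 - exp(-n(n-1) / 2^(bits+1))."""
    exponent = -n_items * (n_items - 1) / 2.0 ** (bits + 1)
    return -math.expm1(exponent)  # expm1 keeps precision when the result is tiny
```

For 10^9 identifiers the approximation gives near certainty of some collision at 32 bits, roughly 2.7% at 64 bits, and about 1.5e-21 at 128 bits.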

As much as I love bashing Google over privacy, and as highly probable as I believe the sort of glitch described is likely to occur, two things make me skeptical of this story.

A) That of all the random ways that a bug like this could manifest itself, it happened with a tech journalist on the receiving end.

B) That the author spoke with a live human Googler over a customer service issue in regard to a free service.

The real story here is B not A.

For all we know it could be happening to lots of people.

But they aren't tech journalists so we don't know about it.

> The real story here is B not A

I would assume if you're a journalist in the tech industry worth your salt you probably have a Google contact you could call.

There is a difference between knowing someone at Google and getting someone at Google to go on the record in regard to a customer service issue with a free product as "spokesperson Cristine Sorensen" is reported to have done.

Claims of Brokenness don't get support. Claims of violations of privacy policy and law get support.

My wife had a problem with a girl creating a facebook account using a similar email to hers that somehow got her gmail account connected to that facebook account.

There was some account sharing going on, as the girl used that email address to login to her facebook account and all the FB notifications ended up in my wife's inbox.

At first I thought her account was compromised, but it was a secure password, so it seemed to be caused by the only slightly differing email addresses somehow being shared internally by gmail.

Only after activating 2-factor authentication did I manage to prevent that girl from using my wife's gmail account. However, this was followed by a few weeks of constant gmail notifications about a detail/password change request sent to her phone.

"The girl lives on another continent, so it is not just knocking on the door either."


"Jenta bor på et annet kontinent, så det er ikke bare å banke på døren heller."

Can I assume that is mistranslated since the passport picture shows Norway which is the same country as the journalist?

Separately, DN.no seems to be a business tabloid, 8th largest, in Norway, according to Wikipedia (http://en.wikipedia.org/wiki/Dagens_N%C3%A6ringsliv).

The translation is correct, so she might be living somewhere else.

On the topic of translation issues, "We" in the first sentence of that paragraph is "Google" in the original which changes the meaning a little.

For the longest time, I used to receive someone else's e-mails on GMail. Our e-mail addresses were very similar except that mine had periods in it and his apparently didn't. Either that or he really loved signing me up for things.

Periods are supposed to be ignored in GMail addresses, so maybe this other person's address was very similar to the period-stripped version of yours.

I get emails intended for other guys with my first and last name at gmail.

Since periods don't matter, I assume since _I_ grabbed firstlast those other guys have had to settle for firstlast + a random bit tacked on. Later they write it down wrong, or their correspondents omit the random bit.

Quite interesting. I've gotten bids on paving jobs from Scotland. Inquiries about DJing in Florida. Invoices from a consultant in Seattle.

My understanding is that Google strips full stops before comparing email addresses and accounts for equality, which is really annoying when people split their email addresses differently at different times, making them look distinct when they are actually the same.

It's really useful to me.

I have a filter for messages to: m.y.g.m.a.i.l@gmail.com

which marks the message read and moves it out of my inbox.

This is the address I give out to companies whose correspondences I don't care to read generally but don't necessarily want to go directly to the trash.

You can also use + suffixes, which allows you to label the address.

Scott+newslettername@Gmail.com for example.

Assuming the crappy regex on the form will accept it.. :( It's better now, but I still fail about 20% of the time.

Similarly, I give out period-wise permutations.
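The dot and `+` behaviour discussed in these comments matters to any site that treats the e-mail string as an identity. The following is an added example (not from the thread and not Google's code) that reduces addresses to the mailbox they deliver to, so a sign-up system can spot that several registrations share one inbox; treating googlemail.com as an alias of gmail.com is an assumption not stated in the thread, and the sample addresses are constructed.

```python
# Domains whose local part ignores dots and "+tag" suffixes.
# googlemail.com as an alias is an assumption added here, not from the thread.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Return the mailbox an address delivers to, applying Gmail's rules only to Gmail."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Drop the "+label" suffix, then the dots; the local part is case-insensitive.
        local = local.split("+", 1)[0].replace(".", "").lower()
        if not local:
            raise ValueError(f"empty local part after normalisation: {address!r}")
        domain = "gmail.com"
    # Other providers may treat dots, case and "+" differently, so leave them alone.
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Map each canonical mailbox to the list of spellings that reach it."""
    groups = {}
    for address in addresses:
        groups.setdefault(canonical_mailbox(address), []).append(address)
    return groups


def shared_mailboxes(addresses):
    """Mailboxes reached by more than one distinct spelling (candidates for review)."""
    return {
        mailbox: spellings
        for mailbox, spellings in group_by_mailbox(addresses).items()
        if len(set(spellings)) > 1
    }


# Constructed sample registrations.
SAMPLE = [
    "first.last@gmail.com",
    "firstlast@gmail.com",
    "First.Last+shop@googlemail.com",
    "first.last@example.org",
    "firstlast@example.org",
]
```

Keep the address as typed for sending mail and use the canonical form only as a lookup key.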


Minor wording point: I think "sensitive" rather than "delicate" pictures is what's meant here, i.e. in the sense of "sensitive documents". (Sensitive/delicate overlap in some of their meanings, but not this one.)

I thought the same thing but had assumed this was a Google Translate issue.

Yes, I saw this post in the 'Newest' feed but decided not to click on it because it sounded like badly translated porn-spam. Luckily, others were less cynical and upvoted it.

" Whether you are trying to protect corporate intellectual property or just the privacy of your personal life, the key idea is that you shouldn't underestimate the importance of your disclosures, particularly over time. " [1]

[1] - Conti, Greg (2008-10-10). Googling Security: How Much Does Google Know About You?

I'm glad to see a story like this getting some press as I've suspected that I've been dealing with something very similar for years now. Every so often I get an email from Facebook or some other service asking me to confirm a sign up I never made and under a different name, and then afterwards (where it gets strange) I get an email thanking me for confirming. Gmail says no other IPs have logged into my account and there's nothing in my sent folder related to it. I've changed passwords and it still happens. It's almost as if I share an email address with someone but they have a different "account".

Is there a dot in your username?

That is just someone using your address as their alternate email.

I really doubt that, as it doesn't seem like you can put in multiple email addresses when you are first signing up for Facebook (http://puu.sh/2IP5J.png). I also don't imagine Facebook continues to email the unverified email addresses after a user has changed their address to pass the verification.

Ugh! My paranoia told me to turn off automatic upload. I'm very glad I did.

That's a good decision.

slight mistranslation: "...sak som Google ikke kan forklare" means "...that Google can't explain", not "...that I can't explain". (my Norwegian isn't that good, but this kind of sticks out...)

Reason #12 why I will not use Google Glass or talk (beyond "hi" and "Yeah, nice weather") to one that has them on. I don't care how much they keep pushing them, they have their agenda, I have mine.

Stuff like this has the potential of ruining lives and relationships.

your mobile phone has the exact same capabilities as glass. it just isn't mounted on your face.

Unwanted sharing is not cool, however when you say-

> Stuff like this has the potential of ruining lives and relationships.

Do you mean that truth has the potential of ruining lives and relationships?

The idea that context-free photos uploaded to the internet (and potentially shared with the public) without the subject's permission somehow represent 'truth' is hilarious.

If they say a picture's worth a thousand words, then it's not much of a leap to apply this quote:

"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

How many pictures out of context do you think it would take to ruin the average person's marriage? Destroy their career? Make them a public laughingstock? Not many pictures, if you choose the right ones.

The idea that you can misphrase what I actually said so grotesquely is itself "hilarious".

The GP opined that photos ruin lives and relationships. I've yet to hear a scenario where an unwantedly shared photo ruined either a life or relationship where it wasn't that it actually revealed a hidden truth.

You're awfully close to a No true Scotsman argument, there. However, if you're interested in damaging photos that aren't secret, you need but take a look at the history of social news. There have been a number of high-profile false allegations with associated vigilantism.

>You're awfully close to a No true Scotsman argument, there.

Not really. More an argument that all Scotsmen are men.

I'm nowhere near that fallacy. I am specifically looking for examples to the claim that I questioned (the single example provided to me thus far actually supports exactly what I said).

That the crowd can be stupid (as in the recent Reddit Boston bombing nonsense) has absolutely no relevance to this.

So what you're looking for is 1) a photo 2) not depicting a secret 3) publicized unintentionally 4) that ruined a life or relationship 5) without involving mass misunderstanding

Sorry, I can't provide one for you. The documentation on such events is typically kept to a small circulation.

Yes, truth does have that potential, or even more accurately, the mistakes made that truth reveals.

Humans make mistakes in judgment. Sometimes not revealing those mistakes (lying, if you will) let you grow through it. Someone might conceal a mistake for life, or reveal it after time has passed, or confess immediately. Unless there's a law enforcement agency trying to get at the truth, I think it's best left up to an individual how to deal with everyday mistakes.

And they are everyday mistakes, because that's our nature.

We're dealing with this issue already in our schools. It used to be if two kids fought in the halls, a teacher or principal would deal with it. Suspension at most, rarely expulsion. The school would almost never bring the matter to the attention of law enforcement except in rare cases. But it's against the law to fight, and they concealed it from law enforcement.

Now police are often stationed in schools. My kid's high school, and the middle school before that, has a dedicated officer. And he has said if he sees you breaking the law he'll arrest you. Do we need more kids contacting the justice system, for doing what kids do as they outgrow being kids? It's the truth, but is it right?

Do you ever spell check or read over what you've written before you submit writing? Shouldn't the computer stream everything as written, so everyone would know the truth about your spelling, grammar and judgment?

I look out the window and I see a lot of color. I'm really glad it's not all black and white.

There's more to it than mistakes. I'm reminded of an advice column from a few weeks back where someone had found out that their recently dead grandmother had been homosexual and was wondering whether to share this with her homophobic family.

Excellent point. Sometimes things are nobody's business simply because we decide so. That's a good thing.

People who aren't socially disabled recognize that you don't always tell all the people all that is true. I'd never deny say surfing for porn, but that doesn't mean I want my mom to know my porn viewing tastes.

> Do you mean that truth has the potential of ruining lives and relationships?

Yes, if context is missing. And context will most likely be missing from ‘leaked’ information – and if the subject is sufficiently emotional, people will have little reason left to wait for/inquire about said context.

> Do you mean that truth has the potential of ruining lives and relationships?

Of course it has.

Sometimes the information portrayed does not represent the truth and lacks context.

Truth is not what most people fear. It's absence of truth and the assumption that something is true that can do the most damage.

Give some examples, please. In the overwhelming majority of unwanted picture releases, it is actually the truth that caught people out, not anything "out of context" (which is the ultimate weasel phrase. "Sure I said that racist jokes..but you have to understand that I'm being taken out of context: There weren't any black people in hearing range!").

The teacher that actually has a night life, outside of the lie that everyone sits knitting sweaters for kittens at night. Etc. It is the individual and social lies that get unfurled.

> the overwhelming majority of cases...

So you recognize there are cases? Why isn't it "In all cases..."?

Answer that and you'll have your answer.

> Give some examples, please

You connect to an old friend of the opposite sex on fb. He/she is a silly git and the first thing he/she does is post an old photo with you and him/her visibly drunk on your fb wall. Your current partner sees it and assumes it's a relatively current photo and thus thinks you're cheating on him/her.

Well - if that social lie is necessary for that teacher to keep her job, it seems pretty harsh to sit on your high horse and say 'lies are the reason - not unintended sharing'.

The customary examples in this discussion are battered wives hiding from their abusive husbands, and homosexuals in the UAE.

Is it a high horse? Quite a few people seemed to knee-jerk to that assumption, yet it was absolutely nothing of the sort.

Much of society lives a lie (such as the nonsense that teachers live puritanical lives). Those lies are unsustainable with the continued impact of technology on our lives.

Teachers get fired for drinking alcohol outside of work, because their employers force them to lie.

Are you arguing that truth doesn't have the potential?

If so. Care to upload photos of your passport, credit card and social security documentation?

It is a sad day on Hacker News when the majority of replies to my basic question are these nonsensical, defensive, attack replies, as if everyone needs to pick a side and wave a flag. Rar rar!

> Do you mean that truth has the potential of ruining lives and relationships?

Of course it can.

If you don't believe me, please do answer honestly when your wife asks 'does this outfit make my bum look big?'

Truth is a little more than a random smattering of facts.

