Hacker News | CodesInChaos's comments

"Constant-time signature verification" stands out, since unlike signature creation, verification doesn't involve secrets, and thus doesn't require constant-time in most threat models.

> a multi billion dollar casino with rules that can change and you have no option to legally fight it

Why is there no way to legally fight this? Is polymarket too de-centralized? Or incorporated in a jurisdiction where that's not feasible? Or are "you can't sue us" ToS actually enforceable here?


Doesn't really track, polymarket can be sued just like anyone else. It might be prohibitively expensive for a small individual, but that's no different from wanting to sue Apple either.

The issue is that the prediction market is not decentralized, that the bet resolution is not actually controlled by code.

At the scale of facebook, humans are underpaid call center agents who are required to follow a script and don't have the authority nor any incentive to scrutinize requests.

You could use heroic launcher to install the game, and then run it through the DOSBox you manually installed.

Or run the installer in Wine/Proton.


How so? I don't think heroic can install a native DOSBox when the game ships a windows DOSBox. Or was that added recently?

Apparently (<https://github.com/Heroic-Games-Launcher/HeroicGamesLauncher...>) Heroic supports launching games with DOSBox Staging or ScummVM.

What do they call a software crash? Rapid unscheduled termination?

Aviation aside, it is worthwhile remembering that IBM traditionally had a whole other jargon vocabulary for computing. A 'crash' was an ABEND, an abnormal end.

They call it a FLOP (Functional Loss Of Performance, or something like that), I was told on a tour of an FAA ATC computer facility.

Shouldn't full disk encryption be enough to satisfy that requirement?

The whole VPN requirement sounds like bullshit to me. The terminal should use secure TLS connections to the servers it communicates with, without relying on the security of the (local) network at all.

Last I checked, a VPN isn’t required by PCI (or really any other compliance regime). The parent commenter’s infrastructure had a VPN. And once you have a VPN and you’re showing it to the auditors as part of your in-scope infra for PCI, asking you to remediate findings for insecure algorithms allowed in the server config is rational.

Eh, not really. The VPN was on the same router that gave the card scanner access to phone home to the credit card company. They weren’t related at all. You couldn’t connect to the scanner’s LAN through the VPN. But since they had the same public IP, the vuln scanner counted them as in scope.

But in reality, why’s that a problem? Is the credit card scanner so tacitly busted that it can’t coexist with other hosts? Does it not use TLS? Doesn’t it pin TLS certs so that it’s not subject to MITM? Is it listening on ports with vulnerable services? There’s no excuse for the scanner being that delicate. It should be able to service an office LAN. And yet, the PCI-DSS group managed to push the responsibility for their hardware onto the network owners rather than making their own hardware robust. That’s nuts.


It wasn’t a requirement. They have a VPN server for remote access. The network scan found it and complained even though it’s not related.

What kind of business writes down credit card numbers (even without CVV)?

Online payments (e.g. e-commerce) usually send such data directly to the PSP, or encrypt it with a PSP controlled key.

And in person payments (e.g. stores and restaurants) use a payment terminal/device, which is presumably PCI DSS compliant and doesn't store such information.


> passkeys, the modern way to handle login that gets rid of password resets entirely

Doesn't that just trade password resets for passkey resets? Or do they permanently lock out users who lose their passkey?


Passkeys cannot be cryptographically reset, but plenty of providers have account recovery flows in case you lose your passkey. Without a recovery mechanism you’d be technically locked out, that’s true.

All I know is I have about a dozen sites that think I have a passkey that I can neither find nor replace, and I have another few that allow only one passkey per device even if I have multiple logins.

Yeah, the whole point of passkeys is for the user to not be able to control them. You're at the provider's mercy if you want to switch to another device.

Yeah you just allow setting a new passkey by sending an email link, just like password resets. Passkeys don't have to be remembered, can't be phished, and don't need 2FA.

That's highly misleading to outright misinformation.

> Passkeys don't have to be remembered

Because you need an app for the login flow. You also don't have to remember passwords if you use a password manager app.

> don't need 2FA

Not true, a second factor in the form of e.g. a biometric ID or PIN is mandatory.

Phishing resistance exists, but only truly so if you completely surrender control over your device and access to your credentials. Something that the same organizations who you'll depend on for Passkeys are actively pushing for through various initiatives.


No it is not. You’re free to save passkeys in your manager of choice and it still won’t let you use a passkey on the wrong website. Users are freed from having to copy&paste TOTPs. No app other than a browser needed.
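The "won't let you use a passkey on the wrong website" and "PIN/biometric" points above come from checks the relying party performs on the WebAuthn assertion before it even looks at the signature. The following is an added illustration written for this page, not code from any of the commenters or from a WebAuthn library: it builds a constructed clientDataJSON and authenticatorData the way a browser and authenticator would, then runs the relying-party checks (origin, rpIdHash scoping, UP/UV flags, signature counter). The helper names, the sample origins `login.bank.example` / `login.bank-example.com` and the RP ID `bank.example` are assumptions for the demo. The cryptographic signature check that follows these steps in a real server is named in the return value but not performed here, so the block runs with the standard library only.

```python
import base64
import hashlib
import json
import struct

# Flag bits in the flags byte (offset 32) of WebAuthn authenticatorData.
FLAG_UP = 0x01  # user present (touch / button)
FLAG_UV = 0x04  # user verified (PIN or biometric done by the authenticator)


def b64url_decode(s: str) -> bytes:
    """Base64url without padding, as used in clientDataJSON.challenge."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authenticator_data(rp_id: str, flags: int, counter: int) -> bytes:
    """Constructed sample of what an authenticator emits for an assertion:
    rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
    The key is scoped to rp_id; a phishing page can only ask for its own RP ID."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed sample of clientDataJSON. The *browser* fills in the origin;
    page JavaScript cannot forge it, which is what defeats phishing relays."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def check_assertion_scope(client_data_json: bytes, authenticator_data: bytes,
                          expected_challenge: bytes, expected_origin: str,
                          expected_rp_id: str, last_counter: int,
                          require_uv: bool = True):
    """Relying-party checks that precede the signature check. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID (credential scoped to another site)"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification (PIN/biometric) not asserted"
    counter = struct.unpack(">I", authenticator_data[33:37])[0]
    # Authenticators that do not implement a counter always report 0.
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, ("ok; now verify the signature over authenticatorData || "
                  "SHA-256(clientDataJSON) with the stored public key")


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server draws this randomly
    good = check_assertion_scope(
        build_client_data(challenge, "https://login.bank.example"),
        build_authenticator_data("bank.example", FLAG_UP | FLAG_UV, 7),
        challenge, "https://login.bank.example", "bank.example", last_counter=6)
    phished = check_assertion_scope(
        build_client_data(challenge, "https://login.bank-example.com"),
        build_authenticator_data("bank-example.com", FLAG_UP | FLAG_UV, 1),
        challenge, "https://login.bank.example", "bank.example", last_counter=0)
    print("legitimate:", good)
    print("phishing relay:", phished)
```

Note the order of the checks: even if a phishing site relays a captured challenge to the victim in real time, the browser writes the attacker's origin into clientDataJSON and the authenticator hashes the attacker's RP ID into authenticatorData, so the relying party rejects the assertion before any key material matters. Whether UV is demanded is the relying party's choice (the `require_uv` flag here); the UV bit is what a server inspects when it wants the PIN/biometric step to have happened.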

The second one
