Hacker News: Terretta's comments

Assuming your friend lives in a democracy, and assuming your friend wants you randomly visiting, then if as you say your friend didn't vote on the immigration laws, tell them to be more active.

Have them write to their politi-critters. Get the law revisited. If enough of your friend's friends also agitate and your neighbors generally agree or at least don't oppose, the law will be revised -- problem solved.

If, on the other hand, your friend is in the minority, and you being able to visit without immigration permission is still that important to them, they are welcome to emigrate to somewhere visits without visas are open to you.

-----


It takes one to be in those shoes to see how despicable and humiliating the process of getting a visa is.

If you were told you should tell your friends to vote better next time just so they can see you, I'd love to know how that would make you feel.

-----


Here is how it makes me feel.

I've lived all over the world, and also work with many offshore teams in places that don't just take my passport.

I've had to get plenty of visas. It's their country, I'm a guest. I fail to understand the insult.

-----


JMESPath is built into the AWS CLI.

You don't need separate JQ. See the --query option:

http://docs.aws.amazon.com/cli/latest/userguide/controlling-...

Check out http://jmespath.org for details.

-----


> The Amex CEO was quoted saying something like 'the math of Costco's proposed deal didn't make sense.'

According to the 4th paragraph of the article:

“The numbers didn’t add up,” AmEx Chief Executive Officer Kenneth I. Chenault told investors last month. “We couldn’t accept their financial terms nor their contract terms, some of which would have meant taking on more risk than we were comfortable with.”

-----


> “Consumers ... have a strong desire to buy such apps on Android, as shown by revenue data on iOS...”

That's like saying, “Consumers have a strong desire to buy gourmet steaks from McDonald's, as shown by revenue data from Ruth's Chris.”

No, McDonald's serves billions of meals by understanding its own market, not by catering to diners at Ruth's Chris. And naturally, comparing top sellers at each will give very different lists.

-----


This is not a good analogy. McDonald's and Ruth's Chris are not direct competitors, they are targeting completely different markets. Android and iOS are in direct competition.

If we have to use a food analogy, I would propose Starbucks and a competing coffee shop. Almost all the major players in app development make corresponding Android and iOS versions of their apps. Imagine if Twitter or Snapchat only had an iOS or only had an Android app. Similarly, customers expect to have certain things available at all coffee shops, regardless of the brand behind them: cappuccinos, flavored syrups, alternative milk choices, etc. So a better analogy would be one coffee shop chain not supplying their stores with espresso machines, or flavored syrups, or alternate milk choices... or maybe just not letting them have refrigerators at all to keep milk cold.

The prevalence of orders for highly-sweetened, cold, milk-based drinks at Starbucks almost certainly means that customers would order the same thing at similarly positioned coffee shops if it was available, and indeed most coffee shops offer such drinks now.

There is no reason to think that somehow Android users are in such a different market that they would have no interest in these apps on Android even though in almost every other case platform parity is expected from large players in the app market.

-----


> This is not a good analogy.

I'd say it's a bad analogy because most people who don't live in the US have no idea what Ruth's Chris is.

-----


Nor do most people who do live in the US, I would imagine... I infer that it's a high-end steak joint, but I've never heard of it.

-----


I haven't heard that name since leaving the Midwest.

-----


They have locations in DC, San Francisco and South Texas, so they're around.

-----


North Texas, too.

-----


> This is not a good analogy. McDonald's and Ruth's Chris are not direct competitors, they are targeting completely different markets.

So it was good, because that was my point.

> Android and iOS are in direct competition.

Citation needed. ;-) But seriously, I don't think they are. Too many observable differences in goals and strategies across each platform for your assertion to be true.

> There is no reason to think that somehow Android users are in such a different market that they would have no interest in these apps...

On the contrary, there is every reason to think that. Outside a very narrow and limited class of tech geeks who argue on technical merits, the broader market stats point to these being very different segments with different consumer profiles valuing different things.

-----


It's also a poor analogy because McDonald's is a futures trader with a private hedge (its stores) while Ruth's Chris is a steakhouse.

-----


Analogizing McDonald's:Ruth's Chris::Android:iOS is dishonest. While I agree you can't necessarily draw that conclusion, it's like having a major (equal caliber!) seafood restaurant deciding whether to start selling steaks because Ruth's Chris is doing well. It's still apples to oranges, but it's not apples to Twinkies.

-----


Oh come on, if you look at the major apps and games, Android gets the same things at like a six to eight month delay, if not better than that. And if you look at apps and games available on both platforms, the correlation between downloads is probably pretty good. It is nothing like apples to oranges. It's like Macintoshes to Granny Smiths.

-----


There's a significant unit cost associated with high-quality beef; it would be literally impossible to sell at McDonalds prices.

This is not true for low-latency audio; it's just something that Android has not prioritized.

-----


Like Packer?

https://www.packer.io/intro/getting-started/provision.html

-----


I was under the impression that Packer was used to create machine images for EC2 and DigitalOcean, but apparently it supports building Docker images now. That's perfect!

I'll have to make some changes to my pipeline :)

-----


No. An analysis of contribution patterns would signal to GCE, Azure, etc., what they're up to, in advance. Not a good strategy.

-----


You don't have to abandon. You just have to check your ego and contribute anonymously, with full corporate backing.

-----


I would rather work for a company that appreciates the value of my open source involvement and encourages me to develop it further.

-----


This is bad advice and creates a liability for the project. Many large FOSS projects require you to identify yourself and sign a committer's agreement.

-----


On the flip side, even Liberia's ministry of health (see author's credentials) could afford the $45, then disseminate to the clinics.

// Disclaimer: I lived and worked in Cameroon in the 80s, writing software for tracking and publishing data for various govt ministries.

-----


Academic here. There is no reason why these articles should have to cost $45. Academics have to publish in name-brand journals to get recognized, and these high prices are pure rent-seeking on behalf of the publishers.

-----


Publishers need to make money too. I also dislike this anti 'rent-seeking' culture. If there is no reason for it to cost that much, start your own publishing company and give out the materials for free (or some lower price).

-----


> start your own publishing company and give out the materials for free

There are many people that are moving exactly to this. As ever, the problem is that the market is not perfectly fluid and things like academic cultural biases, impressions of prestige, etc often do not follow the most efficient contours. Posts like the GP's are called for precisely because they call attention to this and try to shift perception.

-----


Yep, that's what the whole Open Access movement is about, and it is making good progress.

-----


"Use a password manager" still seems to be the right answer for frictionless logins. "Easy" is requirement #1 to get people to use a thing. In fact, using it should be easier than not using it.

If you use 1Password, it nails the password details that trip up the "shady" password managers you allude to. See this study about stealing passwords or credit cards from users of auto fill password managers:

https://www.cs.utexas.edu/~suman/publications/suman_pwdmgr.p...

Interestingly, the Safari built-in keychain is better at protecting CC.

-----


You're free to use any password manager. My scheme is for developers to build better authentication.

-----


But it just isn't better though. It's worse in the way that developers should be worried about most: security.

-----


How exactly is it worse if it's not different from classic scheme?

-----


You're removing something which people basically understand the concept of - passwords: keep them fucking secret/safe - and trying to replace it with something that is built on top of a system never meant to work that way. If your system routinely sends out OTP emails, all it takes is someone to intercept those emails on their way from your SMTP server out to the wider internet, and every fucking user is breached.

The only reason password reset links are at all acceptable is because they are used relatively rarely and it's not predictable when they will be used.

-----


So your point is it is less secure because the same weak feature is being used more frequently?

> all it takes is someone to intercept those emails on their way from your SMTP server out to the wider internet

It doesn't matter when some user will create a reset request. Because you can do it for him, right?

There are tons of services out there generating a password for you and sending it over in plain text, which is exactly what I proposed. Do we see it heavily abused? The opposite is true - those services are more safe because they got rid of reused passwords.

Also there's a bunch of techniques I didn't describe to prevent some attacks. When a user is trying to log in, save a secret token1 in a cookie and send token2 to their email. When the user clicks this link, verify the old cookie. This makes passive global wiretapping less useful (if that was your concern). Still vulnerable to more targeted attacks (enter username, wait for email, reuse cookie), but so is "reset password".

-----
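The cookie-bound email link sketched in the comment above (token1 in a cookie, token2 in the mail, both required to finish), as an added example that is not code from anyone in this thread. Function names, the in-memory store and the 10-minute lifetime are assumptions; links are single-use and a failed attempt burns the link, so a holder of the intercepted mail alone gets nothing and the real user's next click fails, which is the "something isn't right" signal argued for further down.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600   # seconds an emailed link stays valid (assumed value)
_pending = {}     # hash(token2) -> (hash(token1), user, expiry); stand-in for a DB table


def _h(value: str) -> str:
    # Store only hashes so a leaked table cannot be replayed as working links/cookies.
    return hashlib.sha256(value.encode()).hexdigest()


def start_login(user, now=None):
    """Begin a login: returns (cookie_token1, email_token2).

    token1 is set as an HttpOnly cookie in the browser that asked to log in;
    token2 goes into the emailed link. The server keeps hashes of both.
    """
    now = time.time() if now is None else now
    token1 = secrets.token_urlsafe(32)
    token2 = secrets.token_urlsafe(32)
    _pending[_h(token2)] = (_h(token1), user, now + TOKEN_TTL)
    return token1, token2


def finish_login(cookie_token1, email_token2, now=None):
    """Complete a login: returns the user on success, None otherwise.

    The link is consumed on the first attempt, successful or not, so an
    interceptor who tries it without the cookie also invalidates it.
    """
    now = time.time() if now is None else now
    record = _pending.pop(_h(email_token2), None)   # single use
    if record is None:
        return None
    expected_cookie_hash, user, expiry = record
    if now > expiry:
        return None
    # Whoever holds only the emailed link (intercepted mail) lacks token1.
    if cookie_token1 is None or not hmac.compare_digest(_h(cookie_token1), expected_cookie_hash):
        return None
    return user
```

-----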


> it doesn't matter when some user will create a reset request. Because you can do it for him, right?

Only if I know the user's email address for this given service.

With your system the attacker will get a regular flow of emails like this, and can even just track the emails as they're used, so as to then use them later to create a new authenticated session without arousing the suspicions of the user.

Even if an attacker was lucky enough to capture a password reset email, they either have to use it immediately (or it will become invalid) or do a later, second password reset. Either way, the user still knows at the very least that something isn't right.

> There are tons of services out there generating a password for you and sending it over in plain text

And this is fucking atrocious from a security standpoint.

> Do we see it heavily abused? The opposite is true - those services are more safe because they got rid of reused passwords.

Care to name some? I'm not aware of any major service, website or application that relies on an OTP via email for primary authentication.

> Still vulnerable to more targeted attacks (enter username, wait for email, reuse cookie), but so "reset password" is.

You still don't seem to accept that knowing your account was compromised is a security feature. With your system there is potentially ZERO indication to the end user that their account has been compromised. That is FUCKING TERRIFYING to me, and that it isn't to you, is even MORE FUCKING TERRIFYING.

Please stop making claims as if you have any fucking idea about security.

-----


> potentially ZERO indication to the end user that their account has been compromised

It's not exactly zero. For example, you can generate a new "security image" every time a user logs in. If last time it was some cat and now it's a dog, then someone logged in in the meantime. And that, frankly, is not as terrifying to me as reused passwords.

> Please stop making claims as if you have any fucking idea about security.

I would be excited to see links to your security write ups, please share :)

-----


You keep making suggestions on the fly which clearly shows you haven't thought this through, and can't accept that it's just a fucking terrible idea.

A "security image" doesn't work if it changes every time. First off - you're putting the burden of maintaining security onto the user - how the fuck am I supposed to remember what random picture you showed me?

You can consider this entire discussion thread my fucking security write up.

The comments on your own show that anyone else who listens to you has the same reaction, so it's no surprise you resort to ad hominem attacks implying that only someone with published security write ups is qualified to call your idea fucking stupid.

-----


I made it on the fly because "know that you've been hacked" is not important at all for regular users. They can't remember a random picture - true, but they also don't care if their password doesn't work anymore. That's all your (and everyone else's) reasoning so far. Why can't you accept that if your email was hacked you will learn about it pretty quickly anyway? (Because your PayPal funds are stolen.)

> that only someone with published security write ups is qualified to call your idea fucking stupid

I didn't say that, your answers are spot on and the questions raised are valid, however I am surprised you prioritize the "password was changed" issue over the entire reused passwords problem for normal users.

To make it clear: you don't care that people reuse passwords and it is the #1 problem, you only care if an email account is compromised and if attackers decide to silently spy on one of your other accounts instead of getting the profit now. If that's true we just have different opinions and there's nothing to discuss here.

-----


> "not important at all for regular users"

You keep saying that but I just don't believe you. People LOST THEIR SHIT when a heap of celebrity nude photos were leaked, and that wasn't even their own accounts or information. Major sites being breached etc are not uncommon on mainstream news reports now. But no, you're right, no one fucking cares about that.

> I am surprised you prioritize "password was changed" issue over entire reused passwords problem for normal users

> To make it clear: you dont care that people reuse passwords and it is a #1 problem, you only care if email account is compromised and if attackers decide to silently spy on one of your other accounts instead of getting the profit now.

No, not at all.

Normal users have the very real, very safe option to use a password manager. They can work across devices and solve the problems of remembering and re-using passwords. This means they can have reasonably GOOD security, and can use it EASILY.

That system (the one that exists and works right now) has the extra BENEFIT that users will know as soon as they try to access their account, if it's been compromised via a password reset attack.

Your "solution" instead pushes all immediate security onto email and the user's mailbox, which you freely admit IS NOT SECURE. Any requirement for any semblance of account integrity is then pushed onto the user apparently?

Edit:

So just to make sure it's crystal clear: I'm not saying password re-use is not a problem, it is. I'm saying the solution to that problem is improving the tools (i.e. password management in browsers) that already exist, where necessary.

-----


> I'm not aware of any major service, website or application that relies on a OTP via email for primary authentication.

https://cash.me/account

-----


Diet Coda

Koder

iSSH

-----
