Hacker News: dendory's comments

Being part of design meetings, it's amazing how many endless customizations and workflow adjustments people like project managers and consultants like to request for a new piece of software. But when it comes down to it, most users don't want a complex, hard-to-understand interface with so many features that it's supposed to improve everyone's productivity. Most people want to use their spreadsheet, their Outlook calendar and their IE browser. Not because it's best at the task, but because that's what they know and are used to.


Of course users don't want anything complex, and if the resulting custom software makes a task more confusing and error-prone than a spreadsheet, the developers and designers have failed.

Instead, I read this comment as meaning a few different things:

1. It is difficult to get users to try something different.

2. Most users don't comprehend the limitations of the software with which they are already familiar.


> most users don't wan ... so many features

mmm. which features do you want?

and you over there, which features do you want?

and you, in the corner?

It adds up, doesn't it!


Obvious question, I know, but why were the SSNs of sailors on some HP contractor's laptop?


You probably have no idea the degree to which the IT people in and around the military maximize their belief that those simpleton sailors not in the IT circle of trust are sheeple, and that they, the IT gods are, each and every one, the grand saviors of the Republic.

That sort of arrogance begets an unprecedented sense of entitlement. Coupled with a severe dependence on Microsoft Tuesday updates, and a general inability to recognize an SQL query (not making that up), and you have a real problem.

I would not doubt, for a second, that 134k SSNs were on some contractor's laptop.


>You probably have no idea the degree to which the IT people in and around the military maximize their belief that those simpleton sailors not in the IT circle of trust are sheeple, and that they, the IT gods are, each and every one, the grand saviors of the Republic.

You're posting on HN. I'd wager that a lot of us are or have been guilty of a bias like that.


Which provides additional insurance they are unaware...


I can imagine this happening very easily. Let's say a contractor is helping add a module to some web application...

"It worked on test, but not in production. It's supposed to be live already, what's the holdup? Fine, I'm not supposed to do this but I'll give him access to the live-server, read only, of course, since you have security clearance anyway. Plus, the data is in the DB, not on the application server. Ok, so now you have the whole /deploy folder, find the issue..."

"What do you mean you lost your laptop on the metro this morning? Fuck! Ok, well you only had access to the /deploy folder, but now I'm required to audit your laptop's backup to see if you had anything important, what a pain in the ass. Wait, what's this? There are all these XML files with personnel data in them in /deploy/api/xml/!!!!! Those files are supposed to be processed and removed from the web server, not stored! Shit!"


It was probably the MS Access database from BUPERS. It gets mailed to every command (or downloaded nowadays) on a monthly basis. It has everything on everyone. SSN, names, addresses, ranks, birthdays, etc. At least 50 fields of personnel info for almost everyone in the Navy. And it's not classified, otherwise they wouldn't be able to distribute it so widely (although they could at least make it Secret since most admins have Secret clearance, but most admins also work on unclas machines, so I guess not).

Source - I was a Yeoman in the Navy and had access to this. I already didn't think much of the Navy's PII procedures, but seeing this thing for the first time blew me away. It shouldn't exist.


HP does government consulting, it's quite likely they were working on an application that needed access to that data. When I was a civilian working in Navy medicine (building apps), that was often the case.


As a Navy physician trying to get IRB-approved research done, could you kindly share what kind of app needs a lone developer to have 134k SSNs on a laptop?


There are lots of very legitimate reasons, but a very common example might be vendor upgrades of core software for coding, integrations, dictation, etc. It's fairly standard procedure to do (at least) a one-off, just-in-case backup of a database before running a big code update.


App developers never need access to real data. Ever.


Haha. Okay. I would hazard a guess that you haven't worked on real world apps then. Users will do things that you cannot predict. They will break things like never before.

I've written plenty of code that checks out against our test environment, but it'll choke on a weird thing in production. You NEED access to real data if you're going to make any progress in that scenario.


Yep, precisely. And it's not just the users that fuck up either. Sometimes, other systems you have to integrate with are also poorly designed and don't have proper control mechanisms in place. For instance, I'm working on integrating with another system right now where the zip_code field has values like "don't know". You're never going to be able to cover for things like that unless you have access to the real dataset.
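The failure mode described above (an upstream zip_code field carrying free text such as "don't know"), as an added example that is not from the original thread: a tolerant normalizer that accepts the shapes real data actually arrives in and quarantines the rest with a reason, so one bad row does not crash the whole integration. The records and field names are constructed for illustration.

```python
import re

# Constructed sample feed: the zip_code field is free text upstream, and
# "don't know" is the value the comment above mentions seeing in practice.
SAMPLE_RECORDS = [
    {"id": 1, "zip_code": "20374"},
    {"id": 2, "zip_code": "don't know"},
    {"id": 3, "zip_code": "20374-5001"},
    {"id": 4, "zip_code": " 02139 "},
    {"id": 5, "zip_code": ""},
    {"id": 6, "zip_code": 2139},   # leading zero lost by a spreadsheet export
    {"id": 7, "zip_code": "1234"},
]

# Five digits, optionally followed by the four-digit ZIP+4 extension.
ZIP_RE = re.compile(r"^(\d{5})(?:-(\d{4}))?$")


def normalize_zip(value):
    """Return a canonical ZIP or ZIP+4 string, or raise ValueError.

    Small integers are zero-padded because spreadsheet exports commonly strip
    leading zeros; anything else that does not match is rejected rather than
    guessed at, so garbage never silently becomes a "valid" address.
    """
    if isinstance(value, int) and 0 <= value <= 99999:
        value = f"{value:05d}"
    if not isinstance(value, str):
        raise ValueError(f"unsupported type {type(value).__name__}")
    m = ZIP_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a ZIP code: {value!r}")
    return m.group(1) if m.group(2) is None else f"{m.group(1)}-{m.group(2)}"


def partition_records(records):
    """Split records into (clean, quarantined) instead of aborting the run.

    Quarantined entries keep the record id and the rejection reason, so the
    owner of the upstream system can be told exactly which rows were bad.
    """
    clean, quarantined = [], []
    for rec in records:
        try:
            clean.append({**rec, "zip_code": normalize_zip(rec["zip_code"])})
        except (KeyError, ValueError) as exc:
            quarantined.append((rec.get("id"), str(exc)))
    return clean, quarantined
```

Running `partition_records(SAMPLE_RECORDS)` keeps ids 1, 3, 4 and 6 and quarantines 2, 5 and 7 with a reason each.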


>App developers never need access to real data. Ever.

What about if the app chokes on real data and it's not something covered by testing?


Use better type-checking?


>Use better type-checking?

You're not living in the real world. Users do weird things.

At some point someone will legally change their name to an emoji and it'll break a whole load of systems. Nobody saw that coming when they originally built some middleware in 1998.


It's pretty common for the government to do this sort of thing --

http://www.cnn.com/2009/POLITICS/01/27/va.data.theft/ 600+

http://thehill.com/policy/technology/97817-va-loses-another-... 26.5 million veterans/active

The funniest part of all of this is that the non veterans here seem to be surprised by this.


The real question is why not? It's not like HP will be fined to the tune of tens of millions for the breach; at best they will get a stern reprimand letter.


I think there's multiple things there and I don't think taking any particular stance is wrong. I love technology, in the sense that if I get a problem to solve which makes me dig deeper into an area to figure out how things work under the hood, I really dig that. But I don't use Facebook, Netflix, Siri, Alexa or any of those things. I want nothing to do with the Internet of things. I suspect this is common among those of us who grew up with technology, as opposed to those who had technology by the time they grew up. They see technology as a service they should always have available in every facet of their lives, while we see it as something that used to be cool and mysterious, but now has been wrapped by so many commercial interests.


Pretty much every router is sold with UPnP turned on.

Many IOT devices use UPnP to open their interface to the world.


I don't consider myself a programmer, just someone working in IT that writes a lot of code, and to this day when I want to write any type of web page or web based "app" PHP is my go-to tool. I can write my HTML and add PHP logic directly inline whenever I need it, and get the job done in no time. Sure I could spin up a node.js framework, use routing, create classes and objects, etc. But for 99% of my needs it's just not worth the extra time.


In the short term, there are always a lot more risks in scrapping an old system and spinning up a new one, especially in large complex organizations. However, in the long term you're really better off with modern systems.

So it really is a difficult trade off.


Private key stored in a passworded file on an encrypted disk, plus a key fob as second factor.

Pretty hard to get better security.


It's a bit of a catch-22: if you lose your iPhone then you need some way to locate it / erase it without having your iPhone. I don't think it's a big deal, you should have backups anyways.

One thing they could do is, if you have more than 1 device on your account, then force you to use another device for 2fa.


It occurs to me that the "use another device" verification process built into iCloud Keychain would work well for this. You could make the entire thing cryptographic, actually: just store each device's "erase code" in the Keychain, such that you have to auth yourself on one of the devices that has the unlocked keychain in order to (automatically) grab the erase code and send it to the associated device.


You're still screwed if you lose both devices (e.g. a burglary where both your phone and laptop are taken).


I'm still locked out of a 2FA-enabled Dropbox account. I broke my phone while my laptop was undergoing maintenance. Still have a log-in token on the encrypted drive of a laptop whose boot password I've since forgotten...


I once left my bag with both inside. It surfaced in the city's lost and found two months after, thankfully. But if I had 2FA enabled, it would have been mighty inconvenient.


I keep some Google and Github account recovery codes on a slip of paper with my passport, some more in my wallet, and all in an encrypted file on a server with SSH access.

Hopefully that's enough that I'm not too inconvenienced, should my phone be stolen.


How often do you travel?


For holidays (6 weeks per year) plus one or two business trips (up to 2 weeks per year), plus about 1 weekend a month.

But does it matter?

Should my wallet and phone be stolen whilst I'm away, I can log in to my server using SSH (and a long password), then decrypt a file containing the backup codes (PGP with a long passphrase). Then I can access GMail/Github.


I'm not sure I get the point of this article. Travel nomads are a real thing, and more and more numerous. They typically don't have a lot of money and often work at local menial jobs or by doing freelance gigs online, but then again it's no coincidence that Thailand is the world's digital nomad capital. When your cost of living is ridiculously low, it's not impossible to work from the beach and spend your time traveling.


I made https://dendory.net/coding a while back as a cheatsheet of syntax between languages.

