Hacker News: sunchild's comments

IAAL, and I think you should make up your own mind about what the agreement means. Personally, I think you're over-thinking it, but you shouldn't take my advice, because I don't represent you in this instance. It's a shame that something so simple has to be so dressed up by Apple's legal group in obfuscated language. I also fault Apple for deferring to its outside counsel on these matters. There's nothing stopping them from using plain English that everyone can understand in these agreements. Having said that, I read so many of these things that I recognize 75% of it as pure "boilerplate" that is for all practical purposes ignored by everyone.

-----


Yes, and never mind that just about everything you take for granted about personal computers was "given" by Apple, too. I find this notion that users are entitled to complete device freedom really annoying.

If you find it so objectionable, go build your own hardware and OS platform. This isn't a matter of human rights because no one is telling you that you can't make your own.

-----


Yes, and never mind that just about everything you take for granted about personal computers was "given" by Apple, too.

The RDF is in full effect there, I see. You might want to look at systems like the Xerox Alto & Star, both released before the Lisa. The implementation was certainly excellent - and I have a lot of respect for the Lisa and Macintosh engineers - but many of the concepts were invented elsewhere.

-----


@cooldeal: Nope, I'm dead serious. There's no fundamental human right that entitles you to tell Apple (or any other device maker) what it can and can't sell you.

-----


Of course there is, it's called Free Speech. There's no right that entitles you to force Apple to do what you want, but then again, nobody's arguing for it.

-----


@recoiledsnake: (for whatever reason, I'm not allowed to reply directly to you)

You're comparing Apple's ecosystem to Earth's.

Apple is a private company that makes products that are sold on the commercial markets. The Earth is something entirely different. If Apple made planets, then yes – they could decide how to manage the atmosphere. That's how business works.

-----


(for whatever reason, I'm not allowed to reply directly to you)

It's a cool-off period.

-----


To keep me from advocating an unpopular, but entirely rational, position – all while other people freely misrepresent the First Amendment in response to my comments.

-----


It's an algorithm, I'm pretty sure it has nothing against you.

-----


... you really object to users stating what they want to have?

So... Apple generally gets kudos for 'giving users what they want', but users are not allowed to say what they want?

Nice work.

-----


And if you don't like pollution and global warming, stop complaining and trying to make things better, instead colonize your own planet and make them pollution-free.

-----


Great sarcasm. :-)

-----


I honestly can't get if that's sarcasm or the poster really believes such things. I think Poe's law applies here.

http://rationalwiki.org/wiki/Poes_Law

-----


And the "security" that they desired lost them tablet users on the dominant tablet platform...brilliant!

-----


It's not even like these are major motion pictures. They are clips from a television news program that are released for free over the air and have an effective shelf life of less than two weeks. The potential downside to posting their videos in iPad compatible h.264 seems minuscule.

-----


Not to mention that once you've seen one 60 Minutes episode, you've seen them all. It's a legendary formula, but tired as hell.

-----


Blame 60 Minutes for using the most ubiquitous web video technology instead of blaming Apple for not supporting it.

-----


Android has dropped Flash, too, for anything beyond ICS.

So has Microsoft for the new Metro browser.

So has Adobe, for that matter, if you read between the lines (yeah, they've only "officially" dropped mobile Flash, but desktop Flash is on deathwatch).

A year from now neither any new mobile device nor the default browser on desktop Windows will have Flash.

Time to learn some new tools.

-----


Adobe has dropped Android, not the other way around.

-----


Right, because I can't think of any reason why Apple wouldn't support Flash on a mobile device...

-----


I wish more apps would get out of their own way and employ standard UIKit. I'm all for experimenting with UI on a new-ish platform like iOS, but the amount of parallel energy expended on checklist UIs is just depressing to me – esp. when the standard Cocoa libraries are more than adequate. There are just so many cases where turning the UI upside down is counterproductive.

-----


...but then it would be just like an iOS todo list tutorial app

-----


"... tell them their password is waiting for them in their inbox."

Nope. That email should contain a link to password creation.

-----


I really dislike this sentiment.

97%+ of people don't care about passwords being sent in plain text over email for non-banking sites. Or for accounts that have no info until you populate them.

The other 3% can just log in and CHANGE the password after-the-fact.

I'd rather not inconvenience the majority of my signups, nor force my ideas on how things should work on them.

-----


And what percentage would – like me – delete their account as soon as you send them a plaintext temp password?

You're living in the past if you think this is an acceptable practice. I don't care how trivial your web service is, if you're throwing my password around willy-nilly, I don't want you.

-----


To answer your question, probably less than 1%.

I like the practice of emailing a link to a page where the user can set their password for the first time.

-----


It's unacceptable to transmit in plain-text a password that the user specified.

But if it's a randomly-generated new nonce, seems OK as a pragmatic middle-ground. Folks like us, who care, will log in and change it.

-----


Probably a draw, as you say, since someone could get ahold of an authenticated link in your email, too.

-----


But usually, those links expire, or are only able to be used once. So the password the user creates is secure, and the period the attacker can use the captured link is only from the time the user requests the password reset until the time the user tries to use the reset, it doesn't work, and the user requests another reset.

When a user is sent a password via email, unless that user is required to change eir password upon entering it, it is inherently less secure than sending a link.

-----
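
The single-use, expiring setup link the comment above describes, as an added example in Python (not any commenter's code). The store is an in-memory stand-in for a database table, the 15-minute lifetime is an assumed policy, and the timestamps and addresses in the demo are constructed. Only a hash of the token is stored, so reading the table does not yield usable links; a token dies on first use, on expiry, and when a newer link is issued for the same address.

```python
# Added example, not from the thread: one-time, expiring password-setup links.
import hashlib
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: links expire after 15 minutes


class SetupLinkStore:
    """In-memory stand-in for the table that would back the setup links."""

    def __init__(self):
        # token_hash -> {"email": ..., "expires": ..., "used": ...}
        self._rows = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Store only the hash; a leaked table then contains nothing redeemable.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: float) -> str:
        """Mint a token for `email` and return the raw token to put in the email.
        Any earlier live link for the same address is revoked, so a captured
        old link stops working as soon as the user asks for a new one."""
        for row in self._rows.values():
            if row["email"] == email:
                row["used"] = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._hash(token)] = {
            "email": email,
            "expires": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str, now: float):
        """Return the address the token was issued for, or None if the token
        is unknown, expired or already used. A successful redeem burns it;
        the caller sets the new password in the same request."""
        # Lookup is keyed by hash; with 256 bits of token entropy a timing
        # side channel on the lookup gives an attacker nothing usable.
        row = self._rows.get(self._hash(token))
        if row is None or row["used"] or now > row["expires"]:
            return None
        row["used"] = True
        return row["email"]


def demo():
    """Constructed walk-through of the cases the thread argues about."""
    store = SetupLinkStore()
    t0 = 1_700_000_000.0  # constructed timestamp
    t1 = store.issue("alice@example.com", t0)
    first = store.redeem(t1, t0 + 60)        # "alice@example.com"
    second = store.redeem(t1, t0 + 61)       # None: single use
    t2 = store.issue("alice@example.com", t0)
    stale = store.redeem(t2, t0 + TOKEN_TTL_SECONDS + 1)  # None: expired
    bogus = store.redeem("not-a-real-token", t0)          # None: unknown
    t3 = store.issue("bob@example.com", t0)
    t4 = store.issue("bob@example.com", t0 + 1)  # supersedes t3
    superseded = store.redeem(t3, t0 + 2)   # None: revoked by reissue
    live = store.redeem(t4, t0 + 2)         # "bob@example.com"
    return first, second, stale, bogus, superseded, live


if __name__ == "__main__":
    print(demo())
```

The point of the design is the window the comment describes: a captured link is useful only between the moment it is sent and the moment the user redeems it (or asks for a fresh one), whereas a captured temporary password stays valid until someone changes it. The link should only ever be redeemed over HTTPS, and the page it lands on should set the password in the same POST rather than logging the user in first.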


This isn't an attack for the downvote. But if you're the type of customer that flips out over getting your temp password in the mail to a blank account, I don't want you. As the troubles are only starting...

-----


Google Apps sends plaintext temporary passwords.

-----


Only if you (admin user) ask it to. Still a bad practice. Also, the premise is that Google trusts itself as an email provider.

-----


Nope. That would require the user to take more action than necessary, since they now have to click on a link and remember your password. It would also be less secure, since they may choose a bad password.

-----


A. They don't need to remember any password. They're creating it for the first time.

B. Minimum password length/complexity. It's not hard to do.

I can't believe you're actually arguing that creating a new password is less secure than using an auto-generated password that was sent via email. I hope you are just confused...

-----


Hell yeah it is less secure. password, letmein, 123456, j@nuary1

All bad passwords. All will be chosen by your users at some point. The last satisfies any complexity requirements I have ever run up against in the wild.

There is nothing insecure about sending a plain-text password that compares to a badly chosen password -- email isn't that easy to intercept and probably nobody is hacking your users' physical (or wireless) network. At least not compared to the number of people who will be attempting to crack their online password.

-----


"email isn't that easy to intercept and probably nobody is hacking your users' physical (or wireless) network".

If you actually believe this, then we will never be in agreement.

-----


For most of your users creating a new password will be much less secure than giving them a password.

> B. Minimum password length/complexity. It's not hard to do.

It is hard to do. That's why so many people reuse passwords, or have hopelessly weak passwords. (Some word with a few vowels swapped for digits, or some word with two digits tacked on the end.)

I agree that sending passwords over email is sub-optimal, but the solution is not to surprise users with a password creation screen.

-----


Are you taking the position that only auto-generated passwords can be secure? I'm trying to understand what conclusion to draw from your comment.

My point was that imposing length validations on passwords is not hard. Complexity validation, while more difficult, is also not exactly a novel problem.

I feel like I'm in bizarro-world with all these people telling me that sending a plaintext password via email is more secure than giving users the option to follow an authenticated link to create their own password because...users can't be trusted to choose good passwords?! Really?

-----


What are the risks for each situation?

Users are hopeless at creating secure passwords. They are especially hopeless at creating secure passwords if you suddenly present them with a password creation screen.

Adding complexity generation does not help. If anything, it makes things worse. People use stupid weak passwords, often re-using them across different websites. They'll do simple substitutions of digits for vowels, or they'll use one word with a couple of digits stuck on the end.

Complexity validation gives a false sense of security.

-----
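
The two kinds of check argued over above, side by side, as an added example in Python (not any commenter's code). The "three of four character classes" rule is the composition check the thread complains about; the second check uses a length floor plus a common-password list with the usual substitutions reversed, so "P@ssw0rd" is compared as "password". The password list here is a constructed, deliberately tiny stand-in, and the length floor of 8 is an assumed policy.

```python
# Added example, not from the thread: composition rules versus a blocklist check.
import re

# Constructed stand-in for a real common-password list; a deployment would
# load a large breach-derived list or query a k-anonymity range API.
COMMON_PASSWORDS = {
    "password", "letmein", "123456", "qwerty", "january", "welcome", "iloveyou",
}

MIN_LENGTH = 8  # assumed floor, shared by both checks so only the rule differs


def composition_rule(pw: str) -> bool:
    """The 'at least three of lower/upper/digit/symbol' rule many sites use."""
    classes = [
        re.search(r"[a-z]", pw),
        re.search(r"[A-Z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return len(pw) >= MIN_LENGTH and sum(1 for c in classes if c) >= 3


# Reverse the substitutions users actually make so the blocklist catches them.
LEET = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
    "3": "e", "4": "a", "5": "s", "7": "t",
})


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits ("january1" -> "january"), undo leet."""
    base = re.sub(r"\d+$", "", pw.lower())
    return base.translate(LEET)


def blocklist_rule(pw: str) -> bool:
    """Length floor plus rejection of anything that normalises to a known-bad word."""
    if len(pw) < MIN_LENGTH:
        return False
    return pw.lower() not in COMMON_PASSWORDS and normalise(pw) not in COMMON_PASSWORDS


def evaluate(candidates):
    """Map each candidate to (passes composition rule, passes blocklist rule)."""
    return {pw: (composition_rule(pw), blocklist_rule(pw)) for pw in candidates}


if __name__ == "__main__":
    # The four passwords named in the thread plus two contrasting cases.
    for pw, verdict in evaluate([
        "password", "letmein", "123456", "j@nuary1",
        "P@ssw0rd", "correct horse battery staple",
    ]).items():
        print(f"{pw!r:34} composition={verdict[0]!s:5} blocklist={verdict[1]}")
```

Run it and the split is visible: "j@nuary1" and "P@ssw0rd" pass the composition rule and fail the blocklist check, while a long all-lowercase passphrase fails the composition rule and passes the blocklist check. The normalisation is a heuristic, so the list it feeds is what does the real work; either way, the server-side half of the defence is rate-limiting and lockout on failed logins, which no password rule replaces.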


Right, so the email-only signup really just delays the step of creating a password. Is that better?

Would love to see usability commentary on these sites to see if/how they've decided to use one approach over another.

-----


It's better, in that you now at least know who to contact – someone who showed enough interest to provide an email address.

-----


And sending passwords, even temp ones, through plaintext email is just bad practice, a solved problem, and totally unnecessary.

-----


Actually, it has nothing to do with ruby. The problem here is that some people use minification tools that rely on semicolons. If that weren't the case, this would be a total non-issue.

-----


Am I the only person who considers use of the word "smart" as a leading indicator of the absence of intelligence? The term is so vague as to be utterly meaningless, and is usually a signal that we're really talking about someone's insecurities, their feelings of inadequacy, or their passive-aggressive megalomania. /psychobabble

-----


Does the phrase "work smarter, not harder" trigger your alarm bells too?

-----


You're probably past the point where this sentence is useful. Did you often think about that? Most people didn't.

-----


True, but in some cases, data integrity concerns outweigh the desire for total obfuscation.

-----


There is a whole bunch of legal jurisprudence in just about every country that deals with intentional infringement of copyrights.

In the US: Operation Gridlock, Operation D-Elite, etc., etc. Look it up.

-----


What are you basing this on? It doesn't jibe with the laws, as I understand them.

-----


I was talking about this story with a guy I know who is a lawyer specializing in IP. It didn't seem to me like it would rise to criminal prosecution and he agreed.

-----


First, you determine the rule. Then you determine whether it ought to be enforced.

While you might be right that the authorities won't take on the criminal case, you and your friend are wrong about the question of whether this is a criminal offense under the law. It's at least a colorable case of intentional infringement in a commercial setting.

-----


Whether it arguably could be or not, I think we both know this is never going to be prosecuted, which is why I agree with grellas' take on it.

(edited to fix grammar)

-----
