It’s possible that the nut of the problem here isn’t exploits, but the fixes themselves. If the model is capable of identifying and fixing things it “shouldn’t” like back doors. That would throw a wrench in things hard enough to freak out the wrong people, perhaps?
What occurred to me reading this was the wage. Initially, and famously, the hours put into building a startup result in sub-par wages. But the amount of work by an individual never increases as it is limited by human capacity. In a successful startup with continuous growth the wage is ever increasing, to the point of absurdity.
That’s weird. I grew up around farming and farmers. A group also very proud of the work they do, in a profession where the wage is also indirect — sometimes negative, sometimes a fortune, always based directly on the work they’ve done. Year after year, the work.
That’s different.
I’ve always identified two sets in the realm of entrepreneurs: those that want to “be rich”; and those that want to “become rich”. The latter group is perhaps more admirable as they acknowledge the process and the value creation whereas the former seek only the status. But neither are often interested in the work of it.
I tried to recall the last time I saw what I felt was an ego-driven tirade on HN comments, and I'm currently drawing a blank. There's a lot of what's called "performative erudition", and there is the occasional lengthy diatribe, but I would call neither one of those ego-driven tirades.
I don’t understand what Flux hoped to gain in this situation. It seems counterproductive to building a platform for engineers while attacking folks respected by engineers.
They wanted to make sure Adafruit stays silent about the number of active users, and Adafruit gave them some leverage by imo naively reporting a security vulnerability.
What do you mean by "naively"? Reporting a security vulnerability to the vendor is the responsible and ethical thing to do. Suing someone who did you a favor is fucked up behavior and they should be shunned for it.
Wait, you can't really think that it's ethical and in any way a person's responsibility to expose themselves to the CFAA and lawsuits??
Ok, let's go over this again - it is naive because you naively trust the vendor not to report you to the authorities/sue. A side effect is that such companies never get to learn their lesson, thus you naively think that you contribute to overall privacy and security while the effect is opposite - the company got a freebie and won't change security stance, the CFAA gets to stay.
I would argue about the ethical part as well. One way to guarantee ethics is to immediately report to both vendor and respective government body so that any suspicion of blackmail is removed.
Another person's definition of ethical would be to immediately notify all affected users.
My personal stance is that the IT community needs to shut the fuck up until companies start begging for help and the backwards-ass CFAA gets deleted. This is ethical - you didn't get paid for a security audit, then you keep your mouth shut and offer no free work and you don't expose yourself to lawsuits.
The wisdom from my Mom was “it’s better to be paid for what you know than what you do”. I’ve found it’s a bit more subtle than that, and enjoyed and learned a lot from piece work labor. But the sweet spot seems to be getting paid for what you do that uses what you know.
Traveling without a quick acting pen and a long acting pen would never occur to me. Even if I’m traveling for a weekend I do (and take finger prick strips and tester). It means not having to worry about pump or sensor failures, which for me generally happen during exactly the fun activities I go on vacation to enjoy.
I’ve enjoyed the combination with Range headers for paging, despite this tidbit:
> It is expected that these built-in features will be used instead of HTTP Range Requests
Using the QUERY request as the definition of a set, and Range to retrieve subsets seems very natural.