I wonder if this was made by AI or a shit programmer
-
Yeah, if I leave my house door wide open for a few weeks and I get robbed, it's still burglary.
Thank you! I feel like I'm taking crazy pills reading people's reactions to this. And if it was a business instead of your house and it was customer data you weren't protecting you should still be in trouble too. It's like people think only one side can be in the wrong in this or that because the data wasn't secured and in the public that gives them free reign to post it everywhere. I wonder how those people would feel if their addresses were leaked. Afterall, if you're a homeowner your name is attached to the property and is publicly accessible.
-
Yeah, if I leave my house door wide open for a few weeks and I get robbed, it's still burglary.
In a legal context there's also the concept of a "reasonable expectation of privacy". The computer abuse and fraud act defines hacking as accessing data or systems you are not authorized to access.
A better analogy is putting your journal in a public library and getting mad when somone reads it.
I'm not saying what these ass holes did was right, I'm saying that the company weakened their legal position by not protecting the data.
-
In a legal context there's also the concept of a "reasonable expectation of privacy". The computer abuse and fraud act defines hacking as accessing data or systems you are not authorized to access.
A better analogy is putting your journal in a public library and getting mad when somone reads it.
I'm not saying what these ass holes did was right, I'm saying that the company weakened their legal position by not protecting the data.
A better analogy is putting your journal in a public library and getting mad when someone reads it.
Good analogy indeed. I'd go one step further and add: it's like promising others you'll keep their diary safe, then putting it in a public library, to then get mad when someone reads it.
-
Yeah, it has no notion of being truthful. But we do, so I was bringing in a human perspective there. We know what it says may be true or false, and it's natural for us to call the former "telling the truth", but as you say we need to be careful not to impute to the LLM any intention to tell the truth, any awareness of telling the truth, or any intention or awareness at all. All it's doing is math that spits out words according to patterns in the training material.
I figured and I know it's shorthand, it's my own frustration that said shorthand has partly enabled the anthropomorphism that it's enjoyed.
Leave the anthropomorphism to pets, plants, and furries, basically. And cars. It's okay to call cars like that. They know what they did.
-
A better analogy is putting your journal in a public library and getting mad when someone reads it.
Good analogy indeed. I'd go one step further and add: it's like promising others you'll keep their diary safe, then putting it in a public library, to then get mad when someone reads it.
Yeah the internet by design is a public space, and we must be responsible and treat it as such when handling sensative data.
Again, it was very wrong for people to take that data and especially to post like that.
The company also has to do their part and produce at least some kind of barrier to the data.
Even using UUIDs and making sure the data wasn't query-able would have been something.
-
Not really sure what you mean by reusing UUIDs but theres nothing bad about using UUIDs in URLs for content you don't want scrapped by bots. Sites like Google Photos are already are using UUIDs in the URL for the photos, and do not require any authentication to see the image as long as you have the URL. You can try this for yourself and copy the URL of an image and open it in a Private Browsing Window. Every so often someone realizes the actual image URL is public and think they've found a serious issue, but the reason why it isn't is because of the massive key space UUID provides and that it would be infeasible to check every possible URL, even if it's publicly available.
You point out the "vulnerability" yourself, sometimes (when it's Google) it works as designed, but a less robust site could have the full access through a UUID for example and then someone shares an image with it, bam they have access to more than they should. The history is littered with bulletproof things like this ending up being used wrongly.
-
Based on this comment alone, I am 100% sure that you are not a lawyer.
I don't claim to be, but you can't deny the difference the wording would make to a jury.
-
AI just enables the shit programmers to create a greater volume of shit
My favorite one I've seen so far was
"AI can take a junior programmer and make them a 10x junior programmer." -
In a legal context there's also the concept of a "reasonable expectation of privacy". The computer abuse and fraud act defines hacking as accessing data or systems you are not authorized to access.
A better analogy is putting your journal in a public library and getting mad when somone reads it.
I'm not saying what these ass holes did was right, I'm saying that the company weakened their legal position by not protecting the data.
Terrible analogy. You have permission to read books in a library.
Forgetting to lock your door isn't granting permission to people enter your house, and it doesn't grant people permission to take your valuables. It may be neglectful to leave your door unlocked, but it doesn't imply granting permission to enter your house.
Same goes with computer security. Leaving your computer insecure may be neglectful, but it does not imply someone has permission to take your data.
-
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
What big advantages does pathlib provide? os.path works just fine
-
It's not security through obscurity in this case. The filenames can't be obtained or guessed through brute force. At least not with current technology or processing power...
Security through obscurity is when you hide implementation details.
Saying that my suggestion is security through obscurity is the same as telling that ASLR is security through obscurity...
Until the psuedo random UUID generator can be reverse engineered. Makes me think of this video: https://youtu.be/o5IySpAkThg
Anyway, I think we're on the same wavelength and both agree that the implementation as is isn't production-ready to say the least
-
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
wrote on last edited by [email protected]- Everything is in one library which offers consistency for all operations.
- You can use forward slashes on Windows paths, which makes for much better readability.
- You can access all the parts of a pathlib object with attributes like .stem, .suffix or .parent.
- You can easily find the differences between paths with .relative_to()
- You can easily build up complex paths with the / operator (no string additions).
Just off the top of my head.
-
What big advantages does pathlib provide? os.path works just fine
- Everything is in one library which offers consistency for all operations.
- You can use forward slashes on Windows paths, which makes for much better readability.
- You can access all the parts of a pathlib object with attributes like .stem, .suffix or .parent.
- You can easily find the differences between paths with .relative_to()
- You can easily build up complex paths with the / operator (no string additions).
Just off the top of my head.
-
Yeah the internet by design is a public space, and we must be responsible and treat it as such when handling sensative data.
Again, it was very wrong for people to take that data and especially to post like that.
The company also has to do their part and produce at least some kind of barrier to the data.
Even using UUIDs and making sure the data wasn't query-able would have been something.
The web is a public space by design. The internet? I don't think you can make that case well. Https and all that. Private infra abounds.
-
- Everything is in one library which offers consistency for all operations.
- You can use forward slashes on Windows paths, which makes for much better readability.
- You can access all the parts of a pathlib object with attributes like .stem, .suffix or .parent.
- You can easily find the differences between paths with .relative_to()
- You can easily build up complex paths with the / operator (no string additions).
Just off the top of my head.
wrote on last edited by [email protected]if you don't need those, why burden the program with another dependency?
-
if you don't need those, why burden the program with another dependency?
It's in the standard library, just like os or shutil.
-
That's not a "senior developer." That's a developer that has just been around for too long.
Secrets shouldn't be in configurations, and developers shouldn't be mucking around in production, nor with production data.
That's just a senile developer
-
Terrible analogy. You have permission to read books in a library.
Forgetting to lock your door isn't granting permission to people enter your house, and it doesn't grant people permission to take your valuables. It may be neglectful to leave your door unlocked, but it doesn't imply granting permission to enter your house.
Same goes with computer security. Leaving your computer insecure may be neglectful, but it does not imply someone has permission to take your data.
Then how do I know what I am not allowed to access?
In this specific case there was no (formal) indication that the data was out of bounds.
I can't put 10 pdf files in a web dir and claim 5 are public and 5 are private, then charge you with a crime for viewing them.
You can't have "unauthorized access" when there's no authorization at all
-
This post did not contain any content.
dev came from marketing. pictures wouldn't show up with all that security enabled.
-
Then how do I know what I am not allowed to access?
In this specific case there was no (formal) indication that the data was out of bounds.
I can't put 10 pdf files in a web dir and claim 5 are public and 5 are private, then charge you with a crime for viewing them.
You can't have "unauthorized access" when there's no authorization at all
If I'm clicking around on a website and find a gallery of images, that's something I'm supposed to have access to. If I start typing in URLs that aren't linked anywhere on the site, then I'm accessing stuff the site hasn't explicitly indicated I have access to. If I'm doing this with the intent of getting data and distributing to others, then yeah that would be illegal.
The law allows for someone to exercise judgement. The people who do this are not so coincidentally called Judges. If the 4chan guys had have been white hat and reported the issue to the site owners, then they'd be fine. But it's obvious to anyone their intent was to get private information, they poked around to find some private information, and then distributed that private information to others causing a privacy violation. Yes, it was easier to do than it should have been, but it's obvious they had malicious intent and it's obvious they were accessing information they weren't supposed to access.
A crime being really easy to commit doesn't make it no longer a crime. Many times I've seen things that I could easily steal, but I don't steal things when I have an opportunity to do so because a) stealing is wrong and b) saying "they just left this thing out there in a place anyone could steal it" would not be any kind of legal defense. Simply because you're presented an opportunity to do a crime doesn't mean it's acceptable to do a crime, both legally and morally speaking.
