tdrp's comments

tdrp | 5 years ago | on: A bank security check that leaves you guessing your own name

On the other side of this, if you have a long credit history you just don't remember the answer for many of these things. What was my apartment number 15 years ago? Which county did I stay in for one month while I was in temporary housing waiting for a new job?

Now I had to look them up and have a lot of these written down for whenever I need to do a bank wire.

tdrp | 5 years ago | on: We didn't encrypt your password, we hashed it

I don't remember the math on hashing/bcrypt, but isn't this the case that all passwords sort of hash to a fixed-length string? Like, why even have something like "your bank password must be 8-12 characters long"?

Obviously for a gigabyte-long one it's a bandwidth and hash-computing issue :p

tdrp | 5 years ago | on: We didn't encrypt your password, we hashed it

Regarding simple passwords, we added a check against the top 100K SecLists passwords when first registering, to keep users from using easily guessable passwords (we also had an experiment where we checked if that password was one of the frequently compromised ones).

Literally this converted into:

1- Users abandoning sign-ups: "oh, how am I supposed to find a password I will remember?"

2- Users bashing us in the app store reviews: "they make it super hard to sign up", even though we only ask for a username and password, not even an e-mail.

3- Users logging in, liking the app, then a few months later, when they got logged out for whatever reason, completely forgetting what their password was and not having a fallback e-mail.

We ended up pulling it back. We just have a small note now that says "easily guessable password" but allow them to proceed with registration.
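The check described in this comment, as an added example (not the commenter's code): a registration-time lookup of the candidate password against a common-password list, with the original "block" policy next to the "warn but allow" fallback the commenter settled on. The list embedded here is a constructed stand-in for the SecLists top-100K file; the function and policy names are assumptions.

```python
"""Common-password check at registration: 'block' vs 'warn' policy.

Added example, not code from the comment or from SecLists. The password
list below is a constructed stand-in for the real top-100K file, which
would normally be read from disk one entry per line.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Constructed sample of a "most common passwords" list (one per line).
COMMON_PASSWORDS_TEXT = """\
123456
password
qwerty
letmein
iloveyou
Password1
"""


def load_common_passwords(text: str) -> FrozenSet[str]:
    """Build a lookup set, normalised the same way candidates are
    normalised (strip whitespace, casefold), so that "Password1" and
    "PASSWORD1" both hit the entry."""
    return frozenset(
        line.strip().casefold() for line in text.splitlines() if line.strip()
    )


COMMON = load_common_passwords(COMMON_PASSWORDS_TEXT)


@dataclass
class Verdict:
    accepted: bool            # may registration proceed?
    message: Optional[str]    # note shown to the user, if any


def check_password(candidate: str, policy: str = "warn",
                   common: FrozenSet[str] = COMMON) -> Verdict:
    """policy='block' is the original behaviour (reject common passwords);
    policy='warn' is the fallback (accept, but show a short note)."""
    is_common = candidate.strip().casefold() in common
    if not is_common:
        return Verdict(True, None)
    if policy == "block":
        return Verdict(False, "This password is too common; please choose another.")
    if policy == "warn":
        return Verdict(True, "Easily guessable password")
    raise ValueError(f"unknown policy {policy!r}")


def evaluate_policy(attempts: Iterable[str], policy: str) -> Tuple[int, int]:
    """Replay a batch of sign-up attempts under a policy and return
    (accepted, flagged) counts, the numbers you would watch when deciding
    whether a hard block is costing you registrations."""
    accepted = flagged = 0
    for pw in attempts:
        v = check_password(pw, policy)
        accepted += v.accepted
        flagged += v.message is not None
    return accepted, flagged


if __name__ == "__main__":
    # Constructed sign-up attempts; two of the five are on the common list.
    sample = ["password", "Tr0ub4dor&3", "QWERTY", "correct horse battery staple", "x9!kLm2#p"]
    for pol in ("block", "warn"):
        print(pol, evaluate_policy(sample, pol))
```

Under "block" the sample batch yields 3 accepted / 2 flagged; under "warn" all 5 are accepted and the same 2 are flagged, which is exactly the trade-off the comment describes: the list lookup is identical, only what you do with a hit changes.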

tdrp | 5 years ago | on: Hypothesis: Bipolar disorder is an Epstein–Barr virus‐driven disease

Maybe someone in the field can pitch in, but I also saw this sentence in the article: "I have previously hypothesised that all human chronic autoimmune diseases are caused by Epstein–Barr virus (EBV) infection of autoreactive B cells,"

So it seems he's been hovering around the EBV hypothesis for longer than that, so I am also curious whether there was any real progress and whether this is something the medical research community is treating seriously.

tdrp | 5 years ago | on: Ask HN: Captcha Alternatives?

Not sure why it's not mentioned, but in addition to technical mitigation, if you know the attacker's general info, then maybe you can also try other avenues such as law enforcement or legal claims.

More work as well, but when you whois some of the attacking machines, you can find out what the abuse@ email is for them and contact them. That can put the provider on notice if you later also go with some legal action.

tdrp | 5 years ago | on: Ask HN: Captcha Alternatives?

If you are sure that's their home IP (and that's the same person triggering the spam), and they are in your country, you should consider getting a lawyer involved.

We had a similar issue and got one involved to get the process started (I think he used CFAA abuse). The attacker stopped as soon as we mentioned lawyers (he happened to also be in the US). We would have pressed it further but the lawyer was racking up billable hours and we were not in a position to afford it.

tdrp | 5 years ago | on: Ask HN: Captcha Alternatives?

Also, after you hit a certain number of users the "bad actors" sometimes have people behind them manually adjusting their bots' algorithms to match your tricks.

tdrp | 5 years ago | on: Ask HN: Captcha Alternatives?

By the way, how do you detect VPN traffic? For Tor we just pick up the list of exit nodes, but we've had trouble identifying VPNs without using a 3rd-party API.

tdrp | 5 years ago | on: Ultima IV, The Computer Game That Led to Enlightenment

Plus these games were pre-internet, so when you got stuck or lost somewhere, you got really stuck. I remember spending over a month looking for something called "the hall of the mountain king" in Ultima 8, to the point that I had hand-drawn a bunch of maps and carefully planned out exploration paths.

tdrp | 5 years ago | on: Apple to kill Epic’s accounts on Friday the 28th

This. Some people seem to be on the "Apple deserves a cut of 30% because they run the app store and 30% is reasonable etc." but what if tomorrow Apple just said: "OK we've bumped up the 30% to 90%".

The exact same set of arguments would follow. The users already own the phones so for the "market to adjust" to such changes would take years.

tdrp | 5 years ago | on: Apple to kill Epic’s accounts on Friday the 28th

Seriously. We generally release most of our new features at 10% of the users and then gradually increase the percentage on the server end. If there's any issue we can turn it off immediately rather than potentially waiting days for the app store to approve our fix.

tdrp | 5 years ago | on: Ask HN: Anyone a social entrepreneur, i.e. placing social impact above profit?

They do, but a lot of the social-good companies are not actually non-profits but more like low-profit/high-impact, or B-corp style. In fact, a few states have Benefit Corp/Social Purpose Company LLC-like structures.

So it puts you in a somewhat weird spot since you will never be potentially worth a billion dollars (which is the guideline for the for-profit track of YC) nor are you a pure non-profit.

It'd be cool if they added such a track or loosened the non-profit restrictions so it's not necessarily a 501(c)(3) structure.

tdrp | 5 years ago | on: YC Startup School: Build Sprint and Equity-Free Grants

I wouldn't call it a waste of time but it did feel like it was targeted more towards very early-stage start-ups, and was probably helpful mostly to them.

If you have some kind of traction and experience, the video conferences felt pretty awkward because a lot of the founders were completely inexperienced and would try to be helpful by giving you "advice" they'd read in a blog somewhere or really obvious stuff.
