“Anyone who can be fooled by an internet scam should be sent to war” is faulty in two ways, given that it hinges on a young person making poorly informed decisions:
- being sent to war should probably not be the result of being young and gullible
- if we need to send anyone to war, should we send the dumbest people we can find?
Oculus already lets you watch Netflix and stuff, visually it’s a pretty decent experience, but like … 42” TVs are $300 or something. you’re not gonna fall asleep on the couch with your headset on, or at least you certainly don’t want to.
I think it’s a beautiful and fascinating piece of tech, I doubt I’ll be an early purchaser, but I’d sure like one. It does feel like they are grasping at straws for mainstream use cases.
Yeah, I reacted to that too. It's like nonchalantly saying that you have all your passwords written on post-it notes at your desk.
The topic of discussion shouldn't be how to secure your desk from spying eyes, but about why having post-it notes with passwords is bad practice and just a bad idea overall.
If your private github repo accidentally goes public, the response should be "that's annoying but ultimately harmless", anything else is misguided.
Post-its for passwords are better practice than memorizing passwords. If you can memorize it, it is a bad password. Password managers are better yet, but you still need the master password.
The problem is not keeping those passwords in a secure location, treat it like a stack of $100 bills.
That's basically an analog password manager, we have gone full circle.
Or we return the metaphor to github repos, having a separate cabinet is like having a secret vault so that secrets are not directly in plain view in the repo itself, which is exactly what you should be doing.
Some folks use tools like https://github.com/mozilla/sops to store most secrets (besides the sops key, of course) in source control. Of course, you aren't committing the cleartext but if the repo gets published you should probably rotate your keys just to be safe...
Even this I would consider to be bad practice. Old versions of secrets are never relevant. Easy way to break your system:
1. Write code v1
2. Add secret
3. Write code v2
4. Rotate secret
5. Oops, some kind of problem, let's go back to known-good and redeploy (2). Broken because it tries the older secret, not the rotated secret.
That one has an easy fix: store secrets in a separate repo that you never roll back. That's not the reason to avoid storing secrets in git. You might be giving some junior dev here the idea that if they can solve this issue, then storing secrets in git will be ok. Obviously it's not; it's still a bad idea after you've solved this minor annoyance and, indeed, this annoyance had nothing to do with the security reason why you don't store secrets in git.
This assumes that the secrets are deployed along with everything else in the repository. Even if the same repository contains your app, they needn't be deployed together. And as far as old secrets go, they are at most as sensitive as current secrets.
What for? I've seen this happen, and if there had not been a review, it would have stayed there unnoticed.
/edit:
Also, what someone considers a secret and what they don't is often not well defined. If management has no clue what this is about, it is often better to only commit and push on a direct and simple work order, because these need to be well understood and you have the paper trail (as that author also suggests blameful retrospectives - IMHO hilarious).
Or have we forgotten about the basic rules of sending data over the interwebs to other people's computers?
Sure, but in computer programming “secrets” is also industry jargon for small strings of characters that enable authentication, like passwords or private keys, which have much higher standard of secrecy than the rest of the codebase.
A secret is something that you go out of your way to keep private. But there are a lot of other things that are private by default, but aren't really secrets, like "the brand of toilet paper I use".
This. Every CI platform under the sun has support for secrets and config that should never live in git. It's worth ensuring people know this, of course, but I'm not sure storing secrets in git is all that prevalent. Many platforms also have secrets scanning to ensure you don't accidentally do this too.
> Many platforms also have secrets scanning to ensure you don't accidentally do this too.
The reason secrets scanning even became a thing is because of how often secrets get committed to git. Some of them even lead to intrusions.
Uber (2016) – Attackers gained unrestricted access to Uber’s private Github repositories, found exposed secrets in the source code, and used them to access millions of records in Amazon S3 buckets.
Scotiabank (2019) – Login credentials and access keys were left exposed in a public GitHub repo.
Amazon (2020) – Credentials including AWS private keys were accidentally posted to a public GitHub repository by an AWS engineer.
Symantec – Looking at hardcoded AWS keys in mobile apps, discovered they had a much wider permissions scope and led to a significant data leakage.
GitHub – Over 100K public repositories on GitHub were found to contain access tokens.
I've worked at companies with developers who didn't know that once committed, the secret remains in the history even if a subsequent commit removes it. It's not trivial, and involves rewriting the history[1]. There's also no way to fix clones of the repo, and there are a handful of other ways secrets can still leak.
The most secure way to deal with secrets accidentally committed to git is to rotate the secret.
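The comment above makes two points a scanner has to respect: a secret that was removed in a later commit is still present in the earlier blobs, and the only real fix is rotation. The following is an added example written for this thread (not code posted by any commenter): a small history-wide scanner that walks every blob reachable from every ref, with pattern rules for AWS access key IDs, private-key headers and generic high-entropy token assignments. The git walker shells out to `git rev-list`, `git ls-tree` and `git cat-file`; the constructed two-commit history (commit names `c1`/`c2`, file contents, and the documented AWS example key `AKIAIOSFODNN7EXAMPLE`) is made up here so the scanner runs offline.

```python
"""Scan every blob in a git history for secret-looking strings.

Added example for this discussion, not code from any commenter. The point it
demonstrates: a secret removed by a later commit is still present in earlier
blobs, so a scan of the current tree alone misses it.
"""
import math
import re
import subprocess
from collections import Counter
from typing import Iterable, Iterator

# AWS access key IDs have a fixed shape; the other two rules are a PEM private
# key header and a generic "<secret-ish name> = <long opaque string>" assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_token": re.compile(
        r"(?i)\b(?:secret|token|password|api_key)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{20,})"
    ),
}
ENTROPY_FLOOR = 3.5  # bits/char; placeholders like "changeme_changeme_..." fall below this


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_blob(text: str) -> list[tuple[str, str]]:
    """Return (rule, matched_value) pairs for secret-looking strings in one blob."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if name == "generic_token" else m.group(0)
            # Only the generic rule needs an entropy check; the others are exact shapes.
            if name == "generic_token" and shannon_entropy(value) < ENTROPY_FLOOR:
                continue
            hits.append((name, value))
    return hits


def scan_records(records: Iterable[tuple[str, str, str]]) -> dict[str, list[tuple[str, str, str]]]:
    """records are (commit, path, content); returns commit -> [(path, rule, value)]."""
    findings: dict[str, list[tuple[str, str, str]]] = {}
    for commit, path, content in records:
        for rule, value in scan_blob(content):
            findings.setdefault(commit, []).append((path, rule, value))
    return findings


def git_history_records(repo: str) -> Iterator[tuple[str, str, str]]:
    """Yield (commit, path, content) for every text blob reachable from any ref.

    Each blob is yielded once, attributed to the newest commit that contains it,
    so a removed secret shows up under the last commit that still carried it.
    """
    def git(*args: str) -> bytes:
        return subprocess.run(["git", "-C", repo, *args], check=True, capture_output=True).stdout

    seen: set[str] = set()
    for commit in git("rev-list", "--all").decode().split():
        for line in git("ls-tree", "-r", commit).decode().splitlines():
            meta, path = line.split("\t", 1)
            _mode, kind, sha = meta.split()
            if kind != "blob" or sha in seen:
                continue
            seen.add(sha)
            try:
                yield commit, path, git("cat-file", "-p", sha).decode("utf-8")
            except UnicodeDecodeError:
                pass  # binary blob; this example only scans text


# Constructed two-commit history: c1 hardcodes credentials, c2 "removes" them.
CONSTRUCTED_HISTORY = [
    ("c1", "config.py", "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = False\n"),
    ("c1", "settings.yaml", "api_key: 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c\n"),
    ("c2", "config.py", "AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\nDEBUG = False\n"),
    ("c2", "settings.yaml", "api_key: ${API_KEY_FROM_VAULT}\n"),
    ("c2", "README.md", "password = changeme_changeme_changeme\n"),
]


def head_only(records: Iterable[tuple[str, str, str]], head: str) -> dict:
    """What a scan of just the checked-out tree would see."""
    return scan_records(r for r in records if r[0] == head)


if __name__ == "__main__":
    print("HEAD only:", head_only(CONSTRUCTED_HISTORY, "c2"))
    print("full history:", scan_records(CONSTRUCTED_HISTORY))
```

Run against a real checkout with `scan_records(git_history_records("/path/to/repo"))`. Anything reported under an old commit has already been published to every clone and fork of that repository, so treat the hit as a rotation ticket, not a history-rewrite ticket.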
OP's target audience, judging by all the emojis and the subject matter, seems to be pretty green junior devs who might not know any better. OP is putting themselves in their shoes as a rhetorical device; the author isn't saying that they themselves put secrets into git.
When I studied art history in school, a major theme was that most of the artists from long ago that we have heard of did some kind of work for whoever was in power, to make money, to create their masterpieces.
Let’s not pretend the CIA is particularly good at anything other than overthrowing Latin American democracies.
Wikipedia suggests Modern begins in the 1860s; the parent post is absolutely correct that it’s more the patronage rather than the artists or styles that drive classification in this case. Lots of things are disrupting the patronage of art around this time, especially photography, and changing markets for art result in very different kinds of art being produced.
I cannot comment as to whether the CIA is particularly good or bad at anything, but what I will say is that they are particularly effective at guiding domestic policy and operations.
> I could see they justify this as value-based pricing. As in, it would have cost more for you to travel farther to get the food from that particular restaurant if you were to order pickup.
If this isn’t going to the driver, it’s absolutely unacceptable. DoorDash does not have to do more work because you would have had to drive further, but the actual driver does have to drive further, and is working for a flat fee.
To hear people on HN say things like this explains exactly why these companies do this. This is absolutely not a reasonable way to think.
FIRST, obviously, there are probably fewer dark patterns in anything than the intuit / us tax situation. there are so many problems with our tax system and the way it eats away at working people while barely touching the wealthiest folks.
i’ve had some unfortunate interactions with the CA Franchise Tax Board in recent years that have made me question whether the IRS will choose to be transparent and treat us fairly if this passes.
I’m certainly no tax expert, so the notion that I may have made a small mistake in past tax years that needed to be corrected is not unreasonable. What is unreasonable is that I was not provided with any detailed information, or really any communication at all, and the money was seized from my paycheck without notice. The first time this happened was the second paycheck in the month of December. This sucked, but I was probably wrong, maybe I failed to update my contact address somewhere, and I always want to pay what I owe.
Fast forward to 2021/2022, somewhere in there, IIRC, the CA FTB, during a budget crisis, found that I was short a couple thousand over multiple years from several years back. I had never heard anything about this before, and they came at me for 2-3 years all at the same time. No information on what was incorrect.
CA has an, “Office of the Taxpayer Advocate”, because of course at some point we legislated that there should be someone paid by the state whose job is to help taxpayers who feel they have been wronged. Obviously there’s a weird conflict of interest here, but it’s better than nothing.
My interaction with the taxpayer advocate many years ago involved them trying to tax me for work I performed in an office in San Antonio, Texas, over a year before moving to California.
certainly part of this is about the fact that CA is a bit grabby at the entire lifetime income of anyone who relocates here, which is absolutely the fucking truth, but I also found these situations to give me pause on whether I want to trust the government to tell me whether or not I have correctly paid my taxes.
Even though I am single, live alone, no dependents, and claim 0, somehow I am always off.
If we want to simplify this, get out from under Intuit’s thumb, and have like 95% of the country or whatever not even have to worry about taxes, we have to fundamentally rethink how they are calculated.
Why isn’t my employer liable for not calculating the appropriate deduction? Why is this something I have to worry about? On balance, at this point in my career, a thousand bucks a year isn’t a big deal, the problem is asking me for it all at once, when there’s no great way for me to know to expect it.
I have, for the first time in my life, a small amount of savings, but I still don’t consider it a nest egg. That is my insurance for when I somehow manage to owe taxes even though I have done every single thing that I should do, correctly.
another knock on TurboTax is that they often end up calculating that you owe more tax than you do, and I think it backs up my concern that in those cases, the IRS does not say, “Hello, kind person, you gave us an extra $3,000, we would like to return it to you.”
> Wow, not even Debian has done this. What a world in which RHEL is more adventurous than Debian.
Adventurous is adding things. Why remove things that work if some people are using them? Debian is less prescriptive than RHEL, and is widely used as the basis for a vast array of different targets. If there are still reasons for people to use Xorg, there are still reasons to have it in Debian, IMO. That doesn’t mean it will be installed and/or used by default.
RHEL is a specific type of target, particularly for things that need some sort of vendor certification, or for fleets who want to depend on RH for LTS and/or use their professional services, use it as part of a larger IBM contract, etc..
> Stop visiting sites who treat their users this badly!
The problem is the individual sites aren’t making these highly technical decisions, people are using what seems to them an innocuous security product.
Not visiting a random website places no pressure on CloudFlare to change, since there’s no way to correlate your choice with the decision to use CloudFlare.
Not to mention that you may not have a choice. I've seen government sites have this shit on them. We're quickly approaching the satirical society of the movie _Brazil_.
Unverified: 27B/6 derives from George Orwell's address.
I'm wondering how long it will be before we have memory holes considering how, apart from the internet archive, there is perpetual bitrot and silent updates.