The gp isn't talking about spam using "secure message" as bait to open unwanted email.
Instead, legitimate companies like banks, healthcare, etc. tell users to click on a URL link to their "Secure Message Center" to read or submit some critical information. It's often the only way to get the info the users need.
E.g. if I open a payment dispute with the bank, the workflow they use is the Secure Message area. I can't just use my normal email client and upload some pdf attachments. Instead, I have to log into my bank website, navigate to their Secure Message area, and then upload the docs there to submit the claim. They also don't send followup status or final resolution in an email. Instead, you log back into the Secure Message area to read the case resolution. Similar for insurance claims.
Similar situation for asking a medical imaging center for some mammograms. They will not send those as PDF or JPG attachments directly to your email address. Instead, you log into a secure message area on a healthcare website and download it from there.
At least in part, because of your workflow, is that it's a ticketing system. Much easier to manage than having people reply to e-mails (even when you specifically state "REPLY ABOVE THIS LINE!" they are absolute cretins.)
> The gp isn't talking about spam using "secure message" as bait to open unwanted email.
No, this includes all messages from my doctor/healthcare. It's not mass spam.
Theoretically I could want to know what's in the message, but not enough to visit a website I've been logged out of again, perform multi-factor authentication, navigate to the message center and find the message and then back it up manually.
For instance, I received one today from HMRC (my country's tax body). I had to log in to find out what the contents were, in this case it was just a reminder of how much tax I need to pay by the end of next month.
As it happens, I already knew this because the previous bill 6 months ago also included this information, but the message itself was unique and important. Certainly, there would have been financial consequences if I didn't act on that information.
I would have preferred to receive the contents by actual message rather than having to log in to read it, but that's not an option they offer. It's certainly not safe to assume it can all just be ignored.
I don’t understand how one doesn’t. I need to do it to look up status on health insurance claims and to access the tax documents for my financial accounts.
I guess you can avoid the email spam by just directly logging into the website when you need that stuff, but how else are they supposed to notify you when something new has happened?
>With all the hate Ticketmaster has gotten [...], I'm surprised Ticketmaster still has a hold of pretty much the entire market. How are they doing this?
This question is a common mystery because you're using the perspective of the fans. E.g. "I hate Ticketmaster's ridiculous fees because it's price gouging, etc."
But the mystery of Ticketmaster being dominant is solved once you understand it from the perspective of the venues, promoters, and the artists. They are the true customers of Ticketmaster. Ticketmaster's various "convenience fees, surcharges, etc." are just creative financial tricks to funnel more money back to venues+promoters+artists but still keep the ticket's face price artificially lower.
The alternative arrangement would be the ticket's face price being much higher to reflect the "true market price" but that means the artists would be the ones perceived as price gouging. Instead, just charge the higher price via convenience fees and let Ticketmaster take the public relations hit. The psychological manipulation of fans is working exactly as designed.
When the fans wish that there was another true competitor to Ticketmaster, what they're saying is they want "a service that charges less money". But that idea conflicts with the venues/promoters/artists that want to charge more money.
Therefore, if you really want to disrupt Ticketmaster, you need to charge even higher fees and more expensive ticket prices so that the greedy venues & artists will get more money from you and thus choose your service over Ticketmaster. I don't think that's the type of competitive disruption fans have in mind.
And the commonly cited reasons of vertical integration of LiveNation and owning the venues don't explain Ticketmaster's advantage. They were already dominant in the 1980s and 1990s before LiveNation acquired venues. Taylor Swift's tour promoter was AEG (not LiveNation) and she played at many stadiums owned by the cities (not owned by LiveNation) and she still chose Ticketmaster to be the selling agent for those locations. One of the reasons is she negotiated 110% of the ticket's face price from Ticketmaster. How is extracting that type of money even mathematically possible?!? The add-on "convenience fees".
Fun fact: it mostly does now (varies by market, but the big players have mostly adopted it). It hasn't changed much. As others have observed, the underlying reality is that the mega-acts are inherently supply-constrained, and (enough) people are in fact willing to pay those prices.
The mystery is regulation. Other countries have better regulations in this space (re-selling rules, anti-scalping rules, anti monopoly regulation, fee caps, general consumer protections).
If you want to disrupt ticketmaster, you need to vote for it, not build another ticketmaster.
what they're saying is they want "a service that charges less money". But that idea conflicts with the venues/promoters/artists that want to charge more money.
And it also conflicts with the other fans who are willing to pay more. There is no possible world where you can reliably get Taylor Swift tickets for $25.
There is a possible world where Taylor Swift sings every day in a stadium that fits half a million people, but she'd get a bit tired of it, and make less money.
>We need to establish measures of accountability for data holders. Not securing customer data appropriately needs to be persecutable, and the affected parties need to be given a right for compensation.
The ultimate entity that could hold businesses accountable is the government but the government itself is careless with citizens' private data.
My "compensation" for my data being leaked was 1 year of free credit monitoring. But obviously, criminals interested in identity theft will continue their attacks after 1 year.
As far as persecution/prosecution, I suppose Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour ... could have been put in prison as punishment instead of just resigning. I don't think that would change anything. There will still be future scenarios where governments want more collection of private data. Flock cameras, TSA airport scans, internet access age-verification face scans, etc.
> As far as persecution/prosecution, I suppose Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour could have been put in prison as punishment instead of just resigning.
If they committed a crime.
Law enforcement failing to prevent a robbery is not treated on the same order as someone committing a robbery.
As a practical matter, I just assume that the data I provide to anyone will get leaked, because there's a pretty good chance it will.
Katherine Archuleta and Donna Seymour aren't writing code or administering online systems. I'm sure their organizations have security policies and standards, why not put the devs and sysadmins in prison if they didn't follow them?
I think that what we're seeing is evidence that humans, in general, are not capable of securely delivering the kinds of online services that they are trying to deliver. It's just too complicated, and while defenses have to be perfect, attacks only have to work occasionally to be worth doing.
Edit: not that we shouldn't expect best efforts, and financial liability for organizational failures. Prison maybe for clear proven negligence or intentional sabotage, but for mistakes? Nobody will write software anymore. When is the last time you wrote even a screenful of code without a mistake?
This is a bit too far to put the onus on devs for security, and the comparison is more like apples to oranges with other regular licensed engineers. It's hard to justify ROI on security; if anything it makes it harder to roll out features with more traction.
In the absence of any fine, most companies are comfortable with a bit of reputation damage.
When the Minneapolis bridge collapsed there were no criminal charges involved. HN has this obsession with "licensed engineers" as if it completely prevents catastrophe and holds people to the highest standards. It's just a dog and pony show.
Accountability needs to start at the top. To allow a system where some underling is a liability blind for the top is to set up a system ripe for abuses of power.
> SQL teaches you [...] Without any wrapper masking low-level logic.
I understand the point you're trying to make, and yes, it does seem like SQL is "low-level" from the perspective of a wrapper like ORMs or a GUI db browser tool with menus for filtering data.
But it's also worth remembering that SQL itself is a high-level wrapper that hides the lower-level C/C++ code of the db engine that has the loops that iterate through b-trees, 8k data pages, memory blocks of the buffer cache, etc.
And C/C++ itself is a high-level wrapper that hides the logic in lower-level Linux o/s system calls that manage RAM and disk i/o.
And Linux itself is a high-level wrapper that hides low-level device drivers like SATA/SSD memory-mapped IO ... and so on and so on.
Depending on the type of app, you can ignore all the lower levels and just work at the abstraction level of higher-level wrappers.
Raymond Chen of Microsoft explained why they go through the effort of coding a lot of special-case compatibility shims for other's misbehaving apps. It's to remove obstacles that prevent customers from upgrading Windows.
(The urls from microsoft.com load very slowly for some reason so may have to use Wayback Machine instead.)
>3rd party is dumb and should never ever have been a thing. Before two parties had the secret (or something related to it) and now three parties have it and that's objectively worse
There seems to be a misunderstanding of how typical cloud password vaults work. The 3rd parties like Bitwarden, 1Password, Apple iCloud Keychain, etc don't have access to the users' passwords. The scheme is based on Zero-Knowledge End-2-End-Encryption. The 3rd-party cloud is just a mechanism to store an encrypted blob and sync them to various devices. The client devices (users' desktop, users' smartphone) are the only ones that can decrypt the passwords. There are still only 2 parties with knowledge of the actual passwords.
In contrast, the type of 3rd parties that do have knowledge/access to unencrypted plain text passwords would be Amazon storing users' wi-fi passwords, and Plaid storing users' bank account credentials & passwords. Gmail and MS Outlook.com would also be a 3rd party having a copy of users' passwords when they act as web clients to fetch email from other IMAP servers.
> my dad and his printed out sheet of password next to his desk is still beating every company out there.
That doesn't work for users when they're not sitting at their desk and need passwords. Printing out a hardcopy sheet of passwords and carrying it in the wallet or purse is a massive security risk.
I absolutely understand how it works, which is why I said something like it.
You still have an extra party involved; and you can't fully guarantee that Apple et al is doing things perfectly, and again, in this scenario you've created a 3rd very juicy target.
Yeah… when I’m eating breakfast, a lecture is not what I’m after. I watched that Veritasium video a while back and was glued to it. Any other presentation style and I probably would have completely skipped it (thinking I’ll watch it another time knowing I would never go back to it).
macOS/iOS Safari and Brave browsers have "Reader mode". Chrome has a "Reading mode" but it's more cumbersome to use because it's buried in a side menu.
For desktop browsers, I also have a bookmarklet on the bookmarks bar with the following JavaScript:
It doesn't darken the text on every webpage but it does work on this thread's article. (The JavaScript code can probably be enhanced with more HTML heuristics to work on more webpages.)
It could be that the HN commenter replying to a submission about education in the United States indicating that he is "irked" by the term "democratisation" is not located within the United States but rather in a non-English speaking country not initially founded upon "democratic" principles (cf. United States) and with a dissimilar history of "democracy". As such, his interpretation of this term could have a different meaning to him than to the journalist working for The Atlantic who resides within the United States and is employed by one of its academic institutions.
Right. But it's not my favorite nerd snipe interpretation that allows me to post low effort comments on hackernews about the headline instead of engaging in a meaningful discussion about the article.