Someone hacked YandexTaxi and ordered all available taxis to the same location (twitter.com/runews)
511 points by aaur0 on Sept 1, 2022 | 155 comments



Back in the day (1960s?) two relatives of mine had a prank battle going on. One of them posted an ad in the local newspaper offering to buy old Christmas trees, at the address of their adversary. Half the city showed up, were told trees were not in fact being bought, and everybody dumped the trees at their door.


Reminds me of the story in Pranks[1] (I got my copy at a garage sale V. Vale was having in SF years ago!) about an even more vicious prank - advertising for workers to help demolish a home - while its owner was out of town...

1: https://www.researchpubs.com/shop/p/pranks


Wasn't that one of the SF robber barons wanting to expand his palace and the home owner refusing to sell? Even calling it a vicious prank seems nicer than the action deserves.


V. Vale exists? I always just thought they were a cohort of sorts.

Heartily recommend that pranks book.


Yup, V. Vale certainly exists and sells his RE/Search publications pretty regularly outside of City Lights bookstore in SF! He has a table he set up on the sidewalk and is very friendly and full of great anecdotes.


Back in the Depression, my grandfather and a friend posted an ad. It claimed to be a medical laboratory who needed cats for an experiment, and offered $0.25 per cat if people would bring their cats to the local train station at whatever time.

Of course there were no lab representatives waiting at the appointed time, so lots of people just dumped their cats (or perhaps they were feral cats that they rounded up?) at the train station. The neighborhood was infested with them for some time after that.

Unusually for gramps, he actually proved that this particular story was true. He actually had a newspaper clipping that told the story.


Seems like a great way to stock up your firewood supply for the next winter, if you manage to target it in a way that doesn't cause half the city to show up, but maybe a little less than that?


It's not. You don't want to burn softwoods; they're resinous and create a ton of smoke.


A pile of Christmas trees makes for a terrific January beach bonfire.


We lit up a dead Christmas tree that had been sitting outside one summer. We were so sure the cops would show up when someone saw the two story column of fire that thing made. The good part is that it was all over in about a minute.


Every year our neighbors do this. We jokingly refer to them as The Bumpus family because they are loud and are always doing stuff like this.


Properly dried they are pretty smoke-free


How dry are we talking? Because burning furniture-grade EWP offcuts (~6% moisture content) is smoky as hell. It isn't the wood, at least not entirely - it's the sap pockets and other crap.

(I have a wood shop, these are things relevant to my interests!)


Pine is really smokey and burns fast


Here in Sweden at least, Christmas trees are not pines but spruce.

These small ones with lots of branches - probably not worth the work effort unless you are desperate. And you'll get a lot of residue branches. You also want them to dry for a season before you burn them.

Other than that, they burn just like any other log. Maybe a bit less energy per log. Maybe more smokey than some, but smoke should go out the chimney not in the room.


In the US we use firs and spruce as well but often "pine" means some kind of conifer...

Occasionally you might see some white pine sold at Christmas tree lots.


Mostly fir or spruce in the US as well, but those are often informally referred to as "pine"


Our land area consists of like 70% of either of those so I guess that makes it more important for us to tell the difference :)


I'll admit I can't tell a spruce from a fir, but pine trees look so distinctive that I can always spot them.


Spruce firewood is pure crap. Ruins the chimney and the boiler, resin and no energy value. Burn birch instead!!!


It's worse than that. The sap in it will collect in the chimney and then cause a chimney fire. You really don't want to burn that stuff in a fireplace.


I'd say that is a symptom of bad combustion (too little air). Not what kind of wood you use. Sap burns just fine.


It's both too low temperature burning leaving residue in the chimney that can catch fire later, AND pine/spruce having way too much sap to burn alone. You should absolutely mix it with other wood when you burn it, same as oak.


Fair enough. Feels like you have more (possibly hard-earned) experience than me on this issue.


So use a rocket stove? Burns too hot and efficient to leave residue.


Yeah, let me just dig the old rocket stove out of the basement and fire it up.


They are fairly easy and cheap to construct, plenty of guides for rocket stoves, and rocket mass heaters.

Want to heat an entire garage 24h with a handful of twigs? An ordinary oven can't cope.


It reminds me of a newspaper ad I saw 20 years ago which read "Free monkey and 10 pounds of monkey food. call 555-555-5555". Well the gentleman that answered did not have a monkey for sale, and was quite rude about it.


And wouldn’t monkeys eat regular human food?


Monkey bite your face off.


That number shouldn't work, right?


I am assuming OP is using 555 as a stand-in for whatever number was there at the time, however long ago.


Had a roommate in graduate school whose friend listed his car (and phone number) on craigslist for a ridiculously low price. His phone was ringing off the hook for like two days until he was able to get it taken down.


How do people find out who did these things though? Is there a big reveal where the cape is whipped aside?


Find the "friend" who can't look at you anymore without breaking into a fit of giggles / falling over laughing?


This is a great way to get free firewood


Softwood is horrible to use. The resin in it burns up and gums up in the chimney and can cause chimney fires.

Ya it's free but also burns quick and doesn't put out enough heat.


Chop it, split it, dry it for a year and it’s fine. I’ve burnt huge amounts of pine in my Jøtul.


Brotherman, you burn what you've got. Doug fir and spruce are fine firewood and fine Christmas trees.

Edit: 'Chim-chimminey chim chim cheroo' Stop killing honest jobs


This reminds me of a classic (non-internet powered) version of this where every business in London was sent to some unsuspecting resident's address in order to win a bet, clogging the streets in the process: The Berners Street Hoax of 1810.

https://en.wikipedia.org/wiki/Berners_Street_hoax


What I love about this is that it's a textbook example of a reflection DoS attack (https://en.wikipedia.org/wiki/Denial-of-service_attack#Refle...) - you send a message with a spoofed reply-to address, such that the message you sent (in this case, a letter) is much cheaper than the response eventually sent to the victim (in this case, tradespeople / goods / dignitaries).


Just to point out some possibly ambiguous phrasing, but the person pulling the prank was trying to win the bet - the tradespeople and visitors were called there to use their services (i.e. chimney sweeps thought they were going to sweep a chimney), not that they themselves were going to claim some prize.


This is what happens when optimists win and the realists are cut out of the conversation.

As a taxi service, I believe I would want to know if I'm about to have a shortage of taxis in any one area of town, and I'd better only have a concentration in one area of town for an event the entire world is talking about, like a reunion tour or a championship game.

Even with the hack, the moment all of the taxis started converging on one area of town, alarms should have been going off and managers should have been asking questions. But that's not what happened, because we say yes the moment money enters the conversation, without bothering to ask what it says about you as a person if you'll do anything for money, or for that matter if the money is even real or just a trick to get our attention.


It’s already so hard to build a large company, you just don’t have the resources to chase super rare, low pain outcomes.

This is the first time this has happened and the total cost of it is at most a few hours revenue. They’ll likely add safeguards to prevent such a thing now, but if they ran the company preparing for every possible way things could go wrong, they’d get absolutely nothing done.


Good reasoning. Hindsight bias comes to mind:

- https://en.wikipedia.org/wiki/Hindsight_bias


Nobody asks you to build a large company


> low pain outcomes

All your customers thinking your app isn't secure any more isn't "low pain".


Equifax lost millions of credit files, no consequences for them.

The US government lost the completed forms that people who want a security clearance have to fill and that lists all their hidden skeletons (they must disclose them in the form so the govt can assess the likelihood of them being successfully leveraged by an enemy) and nothing changed[0]:

> In 2018, the OPM was reportedly still vulnerable to data thefts, with 29 of the Government Accountability Office's 80 recommendations remaining unaddressed. In particular, the OPM was reportedly still using passwords that had been stolen in the breach. It also had not discontinued the practice of sharing administrative accounts between users, despite that practice having been recommended against as early as 2003.

Not to mention the breaches happening at regular intervals. I’m concerned about them and even I can’t remember them.

People don’t care. It happened too many times. It’s too abstract for a lot of people just like “Facebook and gmail can read my messages, nothing to hide”. There is little to no penalty for not being secure enough/getting breached.

[0]: https://en.m.wikipedia.org/wiki/Office_of_Personnel_Manageme...


99% of customers won’t care, because they will only briefly see the news, this hack did not harm them, they don’t care that much about security of an app and they don’t have a good alternative.

The impact of such incidents on company reputation and revenue is often exaggerated.


A few customers will have strong negative opinions "I was waiting at the airport in the rain for four hours!" but most people will indeed shrug this off. It's a much different issue than what happens when payment systems are compromised.

A lot more people care if they're informed their credit card was stolen and told to carefully watch statements for the next month - that leverages a real PITA cost on the customer.


Yandex had already leaked ALL data about their food delivery customers, including addresses and names. Didn't hurt them a bit since they're a monopoly. (It used to be a duopoly, but they're acquiring the only seriously competing service now).

When you're a government controlled corporation in an openly fascist state, you couldn't care less what your customers think.


That's got nothing to do with what we're talking about.

The first comment didn't say they should have spent more time on security, it said they should have spent time creating a system to detect if too many taxis were in one spot.

I think we can all agree that security is valuable and should be prioritized, but spending time worrying about how to stop who is already in your system from sending all the cabs to the wrong place seems like a waste of time.

Hell, IF (big if) the worst thing a hacker could do once they had access to YandexTaxi's servers is send a bunch of cabs to the wrong place, you could almost spin that in a positive light. "We spent so much time protecting customer data that all they could do is send our drivers to the wrong place".


It is hard to make a solid argument about perceptions. Is it possible that non-technical people would perceive the ability to send all the drivers to one location as a big security problem, even though it doesn't really require any conventional security issues? Maaayybeeee. "Hacks" that intrude into the real world do have a bit of an over-inflated appearance of importance after all.


Maybe they managed to also steal or encrypt data, and now the media attention in a sense helps the hackers claim extortion money? Since the showlights are now on that company?


True, but going back to the original argument, if hackers did manage to steal data, that makes the idea of spending time trying to prevent all the taxis from being sent to one place even stupider. In the world where YandexTaxi had extra time to spend on something, they should have spent it on securing their data better.


When you build a product, your customers expect, and pay, you to be an expert and dedicated to that domain. Not some kind of fly by night scam.


This is such a ridiculous take I’m having trouble understanding if it’s satire or not.


When you write a comment, you have to be responsible. Others might read it and take it seriously and your advice might lead to death and dismemberment. If you aren't willing to get insurance before commenting, don't comment. Leave it to the professionals with licences.


This is more of what happens when you do the least effort to build a product to make a buck. They're probably optimized for the average happy path, however flooding isn't a concern until someone gets upset.


Not necessarily. Despite us armchair critics, it is also very easy to miss an attack vector when building your software. We find stuff after years that we can't believe we missed like a missing auth check.

Not that unusual at all when you are talking about 10s of 1000s of lines of code written by different people over the span of about 8 years.


That’s why I favored detection at the top. I’ve worked on complex code signing apps that the blockchain people would recognize. Shit is hard. You can’t stop many things and still make money. But if you figure out what the boundaries are of the nominally running system, you can chart or earn when you start to lose the plot.

I prefer charts over alerts, because as the company grows we keep forgetting to update the alerts. But then you need people who look at the charts between other tasks or you won’t catch anything and have to go back to alerts.


Yandex in particular has a system where it would dynamically adjust the price to prevent that sort of thing happening. When many people want to order a taxi to the same place, it gets really expensive, really fast. Uber does that too. This normally works well, but I feel like this hack bypassed the normal ordering system entirely and just sent bogus orders straight to drivers.


New customers are allowed to pay in cash to the driver, which makes it effectively anonymous. Nothing was at stake.


In most areas taxi-companies use a zone-based system where cars will flag what zone they're in (rarely automatically using GPS and more often via button presses) this is an effort by the cab company to keep their vacant vehicles well distributed to keep a high response rate and increase customer turnover.

It also happens to have the side benefit that an operator watching the flagged zones would be able to see this kind of an issue happening in advance and maybe check into why every cab is suddenly bee-lining it to zone 3.


But there should still be some override that would allow for a bunch of taxis to converge at one spot. Say a sporting event just got out, there's going to be a lot of people looking to catch a ride home. If you don't want all of those customers finding another ride, the system should have no problem dispatching drivers from other zones to pick up. Having a bunch of fares pop up at the same location shouldn't be a major concern and it sounds like there were no safeguards preventing every driver from being dispatched. Without just adding a limit, like no more than 50% of taxis can be dispatched to a single zone, I'm not really sure how you could prevent this from happening again. I don't know exactly how the hack happened but if someone was just able to manually spam the dispatch queue directly, the only thing you could do going forward would be to place an automated check on every addition to the queue that it's from a real user with a valid credit card and that no other requests from that user exist in the queue.


It’s a distributed system right? How do you prevent saturation of a single service?

Backpressure.

Add artificial delays to the queuing time, increasing for each taxi.
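
The safeguards proposed in the comments above (a per-zone share cap, one open request per verified user, an operator override for real events, and a queuing delay that grows with each taxi already headed to the zone), sketched as an added example that is not from the thread or from Yandex. `DispatchGuard`, its field names and the 2-second delay step are assumptions, and the order list is constructed.

```python
"""Admission control for a ride-dispatch queue (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    delay_s: float = 0.0  # artificial queuing delay applied before dispatch


@dataclass
class DispatchGuard:
    fleet_size: int
    zone_cap_fraction: float = 0.5   # the "no more than 50%" limit from the thread
    base_delay_s: float = 2.0        # assumed backpressure step per active taxi
    override_zones: Set[str] = field(default_factory=set)  # operator-approved events
    _zone_of_user: Dict[str, str] = field(default_factory=dict)
    _active_in_zone: Dict[str, int] = field(default_factory=dict)

    def admit(self, user_id: str, zone: str, payment_verified: bool) -> Decision:
        """Check one order before it is added to the dispatch queue."""
        # Check 1: the order must come from a user with a verified payment method.
        if not payment_verified:
            return Decision(False, "unverified_payment")
        # Check 2: a user may hold only one open request at a time.
        if user_id in self._zone_of_user:
            return Decision(False, "duplicate_request")
        # Check 3: cap the share of the fleet converging on one zone,
        # unless an operator has lifted the cap for a known event.
        active = self._active_in_zone.get(zone, 0)
        cap = int(self.fleet_size * self.zone_cap_fraction)
        if active >= cap and zone not in self.override_zones:
            return Decision(False, "zone_saturated")
        self._zone_of_user[user_id] = zone
        self._active_in_zone[zone] = active + 1
        # Backpressure: each taxi already headed to the zone adds delay,
        # which buys time for a human or an alert to notice a flood.
        return Decision(True, "ok", delay_s=self.base_delay_s * active)

    def complete(self, user_id: str) -> None:
        """Release the slot when a trip ends or is cancelled."""
        zone = self._zone_of_user.pop(user_id, None)
        if zone is not None:
            self._active_in_zone[zone] -= 1


def replay(guard: DispatchGuard, orders: List[Tuple[str, str, bool]]) -> List[Decision]:
    """Feed (user_id, zone, payment_verified) tuples through the guard in order."""
    return [guard.admit(user, zone, verified) for user, zone, verified in orders]


# Constructed sample: seven distinct verified users all ordering to zone "Z3",
# then a repeat order from the first user and one unverified order.
SAMPLE_ORDERS = [(f"u{i}", "Z3", True) for i in range(7)] + [
    ("u0", "Z1", True),
    ("u9", "Z1", False),
]

if __name__ == "__main__":
    guard = DispatchGuard(fleet_size=10)
    for order, decision in zip(SAMPLE_ORDERS, replay(guard, SAMPLE_ORDERS)):
        print(order, decision)
```

The per-user check only helps against a single account spamming the queue; orders spread over many compromised accounts are stopped by the zone cap and slowed by the delay instead.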


Maybe that was the case 10 years ago. Or 15.

Nowadays it's all automatic, there are no predefined zones - only past statistics and about zero operators.

edit: srsly, that's what Uber is all about. and YTaxi is one of Moscow Ubers.


My comment is about how Royal City Taxi, Yellow Cab Vancouver and Benways in Burlington work - I have never been an Uber driver or involved with the company and can't comment on how they manage drivers.

Also, you're saying my comment is out of date but this out of date system effectively solves the issue that just occurred with YandexTaxi - so maybe if you're working on a more up-to-date system you should borrow from the out of date tactics.


There are always going to be individuals that say yes the moment money enters the conversation, as long as food and housing cost money and there is the possibility of going without.


Universal Basic Income now!


Yandex.Taxi, like Uber (in fact, they merged with Uber in Russia), is not really a 'taxi service', they're a marketplace.

A real taxi firm would notice and stop taking new calls to the address, but Yandex.Taxi aren't really 'dispatching' taxis, they're just advertising jobs, and letting drivers respond in real time.

In fact, I'd imagine that almost none of the orders placed are reviewed in realtime, and the only indicator that anyone would have had for this to begin with would have been a higher than average number on the dashboard for 'trips requested today' - an interesting metric, but not something that I would expect to be monitored closely in real time.

I'd imagine there's a 'no show' procedure that doesn't involve human oversight, so the first couple of drivers likely arrived at the address, waited a few minutes, then coded in the no show and moved on to different jobs.

This is also likely a metric on a dashboard which would have been the second indicator - booking cancellations/no-shows/driver rejections. But again, it's an analytics metric, rather than realtime actionable business intelligence, so it's the sort of thing that gets put into weekly reports. Maybe someone would have seen it and thought 'huh, that's a bit high', but probably didn't trigger any alarms.

Eventually a curious taxi driver would start to question why there are so many taxis outside this address, and would get out of his car and chat to his colleagues. They'd identify that they'd all been asked to the same address, and probably all cancel together and drive off.

MAYBE the third indicator here would be a call from one of the drivers to customer support, letting them know about the 'system glitch' that meant multiple taxis were waiting at the same address, but it's equally possible that the drivers just moved onto their next fare without reporting any issue.

So potentially, the first time that anyone at YT realised there was a serious issue was already 10-15 minutes after the incident occurred, by which time, it's already late. On top of that, it's unlikely that they have a way to easily and effectively cancel all bookings to a particular address.

I don't have any details on the hack itself or YT's infrastructure, so it may have been very difficult to identify and cancel the fraudulent bookings en masse (e.g.: fuzzed addresses, booking times, different users, card details not stored or different card numbers used, etc.).

By the time it got escalated to any technical teams, we're already likely 30-40 minutes into the incident itself, at which point they have to analyse what is happening, trace how it happened, and identify a fix.

With the immediate nature of taxi booking (I want a taxi NOW, not in 45 minutes), it doesn't surprise me that an incident like this can occur before any technical measures can be put in place to stop or mitigate it.


Who is cutting anyone out of the conversation? You sell your product and if I care for 100% uptime, I'll pay for it. I actually don't. I can route through lots of stuff for appropriate savings and most people can.

No one wants this single pair of instances in a Tier 4 datacenter that host a single key-pair authenticated process with dual manual approval and an air-gap that dispatches one taxi (and precisely one taxi) every 30 days on a route where it can be guaranteed to hit its time prediction.

Any fool can build a bridge that stands. It takes an engineer to build a bridge that barely stands.


I guarantee you there are two ex employees saying “I told you” right now.

Faster faster faster always wins because that’s what the management wants to hear. As long as their options vest before the consequences stack up, they have no - and accept no - responsibility for the longevity of the company.

If you haven’t worked with any defectors then you’ve managed better than many of us, or you’re very lucky.


Sure. But it's a market. It's possible for consumers to exercise their preference. And overwhelmingly they don't care about this stuff.


The title is kind of misleading.

Yandex has thousands of cars here in Moscow. There were around 60 in this jam on the prospect.

So most likely not "ordered all available", but "the order was forwarded for all available in the radius" or something like that.

Surely you can't order a car in Yandex Taxi much less order all of them or even a car from another part of the city.


This video shows at least 45 cabs, so dare say there was a lot more than 60:

https://www.reddit.com/r/Damnthatsinteresting/comments/x3neh...



Is there any way of confirming this?

Without knowledge of Russian or context this could just be taxis on some sort of protest rally.


See here (article contains Yandex Go statement):

https://news.ycombinator.com/item?id=32682199


Or just a bug in the routing.


this is also something that's oddly absent from the self-driving debates. Mass deployment of the same models or apis in automated systems is very brittle because it means errors are highly correlated. it's like a form of central planning.

individual drivers or individual taxi firms in a market due to their decentralization are much more robust to any kind of individual failure.

People often ask "is the car smarter than the driver?" but the correct question would be if the car, or system is more diverse than the aggregate knowledge of all the participants.


Yes. Additionally, this is a commonly cited win of cars in cars v. public transport. You can take your car anywhere in the zombie apocalypse*, whereas any system that requires central planning (trains) are more likely to break.

Making cars (human or machine driven) depend on a centralized service basically takes away that advantage.

* assuming you have enough fuel/battery


Typically in apocalyptic settings the roads are quickly clogged with abandoned vehicles.


I'd like to think Ukrainian hackers were behind this.


It being the work of Russian dissidents would be much better in my opinion


There actually are some Russian Anarchists doing some very risky sabotage ops inside Russia, so it's not out of the question: https://www.vice.com/en/article/5d3den/russian-anarchists-ar...


But it could be an Uber employee who still has access to the Yandex Taxi DB after the split up that happened a few months ago…

Revoking accesses is hard.


A related - today is the first, and thus kind of celebrated, day of school in the former-USSR territories, like Russia and Ukraine, and the top Russian TV channels in Crimea were hacked to broadcast Zelenskiy speech congratulating schoolchildren there with the first day of school https://focus.ua/voennye-novosti/527684-hakery-postaralis-ob...


[flagged]


Isn’t it?


Username checks out, I guess?


You don't need to actually state the obvious.


Just wait til the day when someone does this with an autonomous car or delivery drone fleet!


Already happened: "A Swarm of Self-Driving Cruise Taxis Blocked San Francisco Traffic for Hours"

https://www.thedrive.com/news/a-swarm-of-self-driving-cruise...


Elevator Pitch:

jammr.com: It's like Uber for Traffic Jams!


I suspect you're kidding, but you know, having lived through a few very long traffic jams I could imagine some scenarios where I'd be willing to pay for:

1) Rickshaw or cargo bike with a narrow pull along trailer to let me use the bathroom

2) Similar setup with food and drink

3) Similar setup with a few gallons of gas if I've gotten a bit too close to empty

4) More expensive (XL?) version of the service where I am getting delivery from a helicopter (since drones flying over congested traffic is not an FAA approved delivery method)

You might not be able to make this a daily thing, but when things get bad I suspect the margins might be unreal.


Or the idea from Nathan For You where another driver will be delivered on a motorcycle (in places they're allowed to cut between traffic jams) to take over while you ride to your destination on the back of the bike.


> 1) Rickshaw or cargo bike with a narrow pull along trailer to let me use the bathroom

doodoober.com is available!

shyt.com is taken though.




Daemon, by Daniel Suarez. Not to ruin it, but computers summon all smart cars at once for a task.


That was not a very good book.


I enjoyed it but it was a case of his ability to come up with interesting ideas exceeding his abilities as a writer.

It desperately needed a better editor.


What does "all available" mean in this context? YandexTaxi operates in 1000+ cities and is connected to 700,000 drivers.


This happened in Moscow, so probably all available taxis in Moscow.


Nope, just dozens of taxi app accounts were hacked and used to order taxis to the same street. That's a tiny fraction of over 70'000 taxis in Moscow.


If I were a taxi driver, I think it would take me some time to get to the point of admiring the ingenuity.


I used to be a taxi driver and anytime something looked to be turning into a major clusterfuck like that I’d just get the hell out.

One night Modest Mouse played downtown Phoenix and went past the time light rail stopped running on weeknights. Same thing happened, basically everyone who took the train called for a cab. Once I realized what was happening I just grabbed the first group who flagged me down and got the hell out of there.

What I especially like about the video is it is completely obvious something isn’t right and they’re all still trying to get to the pickup point.


The message on driver's screen says something like "Note from passenger: Guys and girls, stop feeding the yellow [Yandex], switch to Wheely!"


Many drivers do not read the passengers' comments on the order. Anyone who took a second to read this comment would've understood that there is something fishy here.


Quite surprised that Uber still operates in Russia given the situation.


Uber was selling its stake back in February [1]. Not sure of the results of that, but maybe it's a contractual licensing issue?

https://www.bloomberg.com/news/articles/2022-02-28/uber-to-a...


Uber seems to have been transferring business to Yandex as far back as 2018 World Cup - that's when the Uber Android app stopped working for me there. Yet, I've seen it work for some people this summer, very weird.


Message from hackers at the driver's phone says: "Girls and guys, stop feeding the yellow, work with Wheely".


lol get rekt. I wish business people would immediately imagine this every time a software product is pitched to them


Someone hacked #YandexTaxi and ordered all available taxis to Kutuzov Prospect in Moscow. Now there is a huge traffic jam with taxis. It’s like James Bond movie.


Did any of the taxis fall out of a hospital window?


revealing venerability is awesome


hack the planet!


it's the central planning thing all over again


is this the future of self driving cars?


I think you are right. I think the unknowns are, how tiny will the script be that commands all the cars into a lake and will it be a cloud hack or a local broadcast hack?


Better question is, will they be able to outlaw t-shirts with 20km/h speed limit signs on the back or people walking on the sidewalk wearing them.


Pfft. I’ve already got my collection of t shirts ready:

-1km/h

NULL km/h

false km/h

<script>alert()</script> km/h


:-D don't forget "undefined"!


    ; DROP table traffic_signs;


don't forget 50/0 mph


First, a command to download updated GPS maps that says "There's now a bridge over that lake"...


Yep, I've had Google Maps direct me to drive into a wall or an empty field more than a couple times over the years. It's not uncommon for people to get stranded or even killed by blindly following bad GPS directions. The maps are often quite bad in less traveled areas. And these are the non-malicious cases!


Sorry, this bugged me enough to try and find some data:

> It's not uncommon for people to get stranded or even killed by blindly following bad GPS directions.

Google took me to Wikipedia[0], which took me to a conference paper[1]:

In a corpus of about 400 news articles from 2010 onwards (via LexisNexis search), they found 52 deaths related to navigation technologies, which accounted for about 25% of the incidents they recorded.

57% of the incidents were collisions; someone running into something due to GPS giving bad directions.

20% total involved being stranded.

That's over ~6 years of US, UK, Canadian & Australian news reports.

It may not be uncommon for GPS to kinda suck, but it is _very_ rare for GPS to kill people.

[0]: https://en.wikipedia.org/wiki/Death_by_GPS

[1]: https://www.researchgate.net/publication/312936003_Understan...


I haven't done any deep research on the topic but know of several specific fatal cases off the top of my head. It's not like someone dies every day, but for every reported case there are probably many that don't get reported as such.

The much more common case is getting stuck and needing a rescue. Google Maps is absolutely terrible at dirt roads. It will confidently give you directions that make absolutely no sense once you get away from pavement. It never got me stuck anywhere, but easily could have many times if I had been less cautious. Nowadays I know to ignore those directions in less developed areas.

I think the broader point is that driving navigation tech is getting fairly good at happy path cases but is woefully underdeveloped outside of that.


How about just driving you by billboards on, or for, Alphabet controlled properties?


I feel like they're already heading towards manipulating routes to favor advertisers.


They do it the other way around, personalise the billboard content to the people near it.


> is this the future of self driving cars?

My prediction: Ransomware hits self-driving cars.

You're locked in the car until you Venmo the bad guys some credits.

To encourage compliance, the stereo starts playing the sound of running water.


One would hope your car would be more secure than your venmo account.


And the future of the planned 6-th generation unmanned combat aircraft ...


there were already such bugs before, and my analysis is that even the older ECU cars before the 2000s had such bugs, just nobody bothers to look for them (also ECUs have been causing deaths from bugs but they just assume it's the driver's fault). self driving cars will be the next order of magnitude of problems. ECU 1x, smart 10x, self driving 100x.

> In July 2015, IT security researchers announced a severe security flaw assumed to affect every Chrysler vehicle with Uconnect produced from late 2013 to early 2015.[120] It allows hackers to gain access to the car over the Internet, and in the case of a Jeep Cherokee was demonstrated to enable an attacker to take control not just of the radio, A/C, and windshield wipers, but also of the car's steering, brakes and transmission.[120] Chrysler published a patch that car owners can download and install via a USB stick, or have a car dealer install for them.[120]

> https://en.wikipedia.org/wiki/Chrysler#Chrysler_Uconnect


:O I would put the number of drivers who downloaded and installed the patch somewhere between 5-10.


It's ok, those cars probably lost or will lose connectivity as 3g goes away.


Yeah but probably all vehicles have the same types of vulnerabilities.


Not the future, it did already happen, albeit on a smaller scale with Cruise: https://www.thedrive.com/news/a-swarm-of-self-driving-cruise...

The worst part is they were never really transparent about what the issue was.


I’ve had this worry for years of a state level attack via network connected FSD cars. But I’m hardly alone, it was shown in a Fast and Furious movie, so people are thinking of it.


First mention of using driverless vehicles as weapons I recall was Daemon by Daniel Suarez.

https://en.wikipedia.org/wiki/Daemon_(novel_series)


IRobot (the film) predates that and uses the idea https://en.wikipedia.org/wiki/I,_Robot_(film)

I forgot if any of the IRobot short stories used the concept - if they do they would predate the movie.


https://en.m.wikipedia.org/wiki/Sally_(short_story)

First mention of self driving cars becoming sentient and turning on humans I’m aware of, from 1953!


Maybe one day I'll re-read Daemon. A book not so far ahead of its time.

Might feel a little too close to home to re-read.

I'll never forget the gig worker assembly scene.


Don't forget the eighth 'The Fast and the Furious' movie.


oh yeah that was the first thing I thought of when I saw this


Beep beep, motherfucker!


Self driving cars are not needed for this. It happens on The Jetsons all the time.


No, the future is to command all self driving cars to immediately accelerate to 100 mph and do not stop for whatever reason no matter what. Pure remote code execution.


Someone also seems to have hacked this post on twitter... it's not loading


Some nitter instances also show it: https://nitter.42l.fr/runews/status/1565319649683804160#m

You can also search for #YandexTaxi : https://nitter.42l.fr/search?q=%23YandexTaxi



Yeah, there's a spike on downdetector's chart: https://downdetector.com/status/twitter/



