Hacker News new | past | comments | ask | show | jobs | submit | laeri's comments login

Parent poster wasn't referring to Ozempic but a general healthy lifestyle. Which requires resources many people do not have such as time, money, education etc.


This might be misleading as often biodiversity can't be measured by how lush it looks and how much vegetation there is. Certain plants and animals can only survive in arid landscapes that look 'dead' but can't survive otherwise as they are adapted to an environment with less nutrients. So it is possible that you actually reduce biodiversity by doing things like this. Often land has too much nutrients due to farming and leaving arid landscape as it is might be better.


You would only do this to a land that is degraded. I don’t mean, degraded like in its natural state I mean, degraded as an already fucked up by man. In this case, the land was choked with invasive grasses


I am confused, they didn't contact the company at all and just disclose this publicly? Very immature handling of a vulnerability finding.


And to add that he tried out the exploit on unknowing participants. It would be better to try this with a friend in-the-know at a separate table. It makes me think he did it more as a practical joke than testing his exploit, especially because he mentioned they were "not-too-intimidating-looking guys".

I'll admit it is a bit funny and the damage caused is tiny(just the price of the food). However, things like this do harm the reputation of bug-bounty hunters.


He could have just tried it on his own table (order on the phone, and then on the laptop through the vulnerability) and avoid having to a) bother others, b) waste food. The result would have been the same.


The author says "I refuse to believe they’re unaware of this. This doesn’t feel like an oversight, it's either a deliberate design decision or they just don't care." Agree that this is an uncharitable way of looking at it.


Yep. It’s just working backwards from some pre existing very negative worldview.


Its a justifiable worldview. I'm an Indian dev and I've seen obvious backdoors like these added to the backlog as a low priority bug. If somebody spends time on this, that means features are being delayed and you are rewarded less.

I've worked in lambda web editor (not in Git) and my lead considered replacing sql injection with parameterised queries was a distraction/insubordination. Cant wait till audits, data breach insurance and imprisonment becomes the reality.


Could be as simple as no auth in debug builds and then deployed it by accident.


I don't mean to pick on your comment, but to respond to a prior comment, you are beginning with a very positive world view and interpreting the events from there.

Lazy API that did not vet a simple backdoor?

Good coders but accidentally pushed the debug version of the API?

I am going to have to say the second option feels less likely (yes, I have been called cynical).


Different confs in the same repo. Many CI/CD tools will pick debug/dev conf by default if nothing else is set.

It was just an example. Maybe they knew.


Is it a vulnerability when it is obvious the company do not care about security?


Yes. Because who at the "company" does even know about this? Maybe just some coder who wrote it. But the legally liable CEO? Maybe not.


> Because who at the "company" does even know about this?

Everyone who designed engineering requirements, technical requirements, test plan, everyone who wrote technical specifications, everyone who performed traceability. It was all approved by security engineers and management.

> The company was founded during the pandemic when contactless dining became popular.

There were tons of people intimately aware of the issue, yet for four years nobody cared.


That is his job to make sure he employs people who take care of this and that the services they sell are audited by an independent organization.


Who at the company gets to keep all the money?


If you discovered an incompetent healthcare provider was prescribing antibiotics for every condition would you "contact them privately" or contact the relevant authorities?

Private disclosure is for when you believe the company cares about security but made a genuine mistake. For the company in the OP it would be more like free education in fundamental privacy and ethics. They're not entitled to that. Name and shame.


Sure, but what you’re describing is not what is being suggested. Responsible disclosure typically involves disclosing publicly after a reasonable period of time.


Why? Why should they be the responsible ones, when the well-funded, well-connected service provider is acting like the fly-by-night startup (that they probably started as)?

There's little public benefit in responsible disclosure here; all it would lead to is the whole thing being swept under the rug with some trivial "fix". There's lots of public benefit in immediate, wide disclosure - the scramble to fix this under pressure from vendors before potential abuse, and any real or imagined attempt at abuse, and subsequent lawsuits, would go far towards educating people and the industry about privacy, security, and bad business practice. It's a nice low real damage, high publicity case.

It's not like this stuff is new. But without serious pressure, the businesses will never learn and never stop making or enrolling into such systems.

Anyway, if it happened over here in the EU, I'd do the responsible disclosure thing and give a full, detailed advance expose to the local Data Protection Authority.

(And if I sound adversarial, then consider that neither the vendor developing such systems, nor the venues using them, are doing it in the interest of the customers.)


There's a big difference between announcing "I found all this private data" and "I found all this private data and here's exactly how I did it and here are the URLs". What the author has done is detail exactly how anyone else can abuse this system from anywhere in the world and also given them ideas about what to do with that information that would cause a direct cost to the company. I think that's irresponsible and unnecessary. You public disclosure rationale has some merit but it didn't require publishing the user manual for the attack. Just saying you used the API, publishing the amounts plus some proof of private data from people who have given consent would be enough to get the business scrambling.


This seems less like a "manual for attack" and more like tweeting that your local storage unit rental never puts locks on their garages and gates and "anyone could just walk in and out".


To expand your analogy can you see the difference between: "A storage unit I know of never uses locks" and "The storage unit at 1234 Central Boulevard, San Andreas never uses locks, just wiggle the door a bit and it'll open."

I think most people would acknowledge there's a big difference.


That's not the same though at all.. A closer analogy would be publicly announcing that "Company managing the storage lockers 1234 Central Boulevard, San Andreas is keeping all of them unlocked without telling their customers".

Which would still be wrong but you're implying that the business is the victim here when it's the complete opposite.


Yea sure it is a difference, but for me not outrageously immoral. I guess you can get in trouble though.


> cause a direct cost to the company

Nothing wrong about that. Of course still doesn't justify publishing/providing access to client data who did nothing wrong.


Causing damage or cost to a company through fraudulent use would be the cornerstone of a civil or criminal prosecution. Cases where there is good disclosure and no cost incurred tend to get dismissed, cases where there is identifiable damages get stupidly big sentences and/or fines.


Right but would you afford the same opportunity to the healthcare provider? You'd contact them privately and expect them to go and learn why over prescription of antibiotics is a bad thing and change their ways? Of course you wouldn't. You'd go to someone who cares. In healthcare there are ways you can report it without naming and shaming publicly, but how could the author do that?


In the EU this would be illegal and (hopefully) lead to very high fines. So why would you try to help and conceal their criminal behaviour instead of reporting them?

Of course in other places, there aren't really any good options. So I guess the most "moral" approach would be to what you think would cause most financial damage to the business and discourage people from going there.


This is hardly a 0-day vuln exploit. This works as designed (and presumably design has been signed off etc)


is it really a vulnerability if the entire thing is open by design?


Who says it was? Why would they willingly give out their customers' and customers' customers data to any anonymous person or a bot? More likely a bad oversight


This is “the tire shop doesn't have a torque wrench” level shit. If it's an oversight, it's an oversight due to incompetency, not because a good team just happened to miss something in a crunch. Another possibility is that the issue was raised and management said to fix it later, and because software “engineering” isn't a real engineering field that holds its practitioners to any duty of care, those responsible (the engineers) just went along with it.


For 3 years? That would mean that no developer has ever raised these issues with management, to speak nothing of an actual pentest being conducted.

No, this is not some obscure security hole they forgot about. This is plain incompetence and/or deliberate design decisions.

I agree that full public disclosure like this is irresponsible, but exposing issues like this to the public is the only way for such companies to make a change or, preferably, lose business and shutdown.


No auth at all? For years? That’s a tremendous oversight. Nobody running a test having to authenticate?


Because they don't care, and their customers don't understand any of this shit?

It feels like the usual case of vendors buying service to better exploit the users, and themselves getting burned and/or exploited by that service too.


Yes! You as a user are not meant to knowingly access data that does not belong to you. Even something like changing the id from 1 to 2 is legally considered unauthorised access.

It would be different if for example the application was showing data for other customers through normal use of it, but even if there is no other barrier to access than changing an id that is considered bypassing access control and can result in jail time in most places. Now I'm not an expert in India's computer misuse laws but I am willing to wager they are not the most progressive when it comes to this kind of thing.


same thoughts, annual reports of larger companies have more dense figures than these too.


Doubt the company made it open by design. Doubt you will find an order from the CEO to make it open. It was probably a fuck up by a shitty coder.


Disagree.

Most likely the company will blame them for trying to help. Also, if the company is so incompetent that they allow this why bother. He's not getting paid to be their test engineer.


In this case you probably haven't looked at it properly. There is just the starting entry main.zig, and a root.zig file which you can remove if you don't need it. Nothing complicated or annyling problems at this stage.


Also the use of the words "dropshipping" and "windowshopping"


And "AI" for OpenCV


OpenCV was not the "AI" here, the "AI" was a computer vision model trained at the roboflow website that he mentioned multiple times and that he used in the line commented with "# Directly pass the frames to the Roboflow model".


Your point stands but in summer it gets up to around 35 degrees, 95 fahrenheit to be correct.


Since I wanted to describe a typical summer, I used a reportedly average summer day. I agree that highs and lows will vary.

> From July to August the daytime temperature range is 18 to 28 °C (65° - 82° F) https://www.myswitzerland.com/en-us/planning/about-switzerla...


Numbers in thst link are not realistic. Not in recent years, and certainly not in July and August.


It looks like that link was accurate. July highs in Zurich average between 70 and 80: https://weatherspark.com/m/60160/7/Average-Weather-in-July-i...


If it is needed soneone will and probably is currently doing original research. The payoff is too great that alternatives would be ignored. As long as financial incentives exist progress will inevitably happen and the financial incentives in this case is massive.


That is not necessarily true all over Europe. In my area prices were increases somewhat recently and I now decided against going there anymore. However, they did not change any seating inside, everything stayed somewhat tge same


*One of the richest men. Bernard Arnault seems to claim top spot currently and the definition of richest man is also very vague in general.


Not sure what is hindering you talking about it. You seem to be proud of it.


Um ... confidentiality? Maybe it's become passé, these days, but I subscribe to it.

I talk my life and experience. I’m old, and have been at this game for a while, so I’ve seen a fair bit. I don't fluff, brag, or humblebrag. I don't pretend to be what I'm not, and I can back up what I say. Sometimes, I don't think it's necessary or proper to do so (like in this case), and what I claimed was not so outrageous, when you consider that the graphic design agency was Pentagram, and the Interaction design agency was DDO. They did most of the difficult work, and did a great job of it.

Assume whatever you want as my motivation. I don't particularly care. It's a free country.

You seem to know me, better than I know myself, and I guess you're ... um ... proud of that?


My reading of what laeri wrote is "you seem to be proud of the work you did on that project so I'm not sure what is hindering you from talking about it". Not "you seem to be proud of not talking about it".


I'll be generous, and assume that. I tend to get a lot of young folks, telling me that I'm an empty boaster (spoiler: I'm not). Some of them actually seem to be obsessed, which is sort of flattering (I guess).

If that's the case, then I'll certainly apologize. Maybe I'm a cynic.

I don't really have a desire to be BMOC. It's just that this is the only place I engage in any kind of social media, and most folks seem to like what I post.

I've done a lot, over the years. I've worked amongst some of the best and the brightest, and I'm fairly used to being the dumbest guy in the room.

I know that there's many folks, out there, that make me look like a knuckle-dragger, and how ridiculous it is, for me to act like I'm King Shit. Maybe those folks don't feel the need to chime in, around here.

In the case of this posting, a question was asked, and I answered it, in what may actually be too much detail. The company I worked for, had (still has) a real paranoia, when it comes to intellectual property.

I just figured that folks might want to hear stories from the trenches (I have a lot -many that can't be told). That was what I assumed, from the question, and was merely participating in the community.


Well, a good opportunity to say that I don't post here much but I do enjoy your stories.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: