
I once signed up to a service (privately run VPN thing) run by a university club that required confirming a real university student email address without having such an address. So, you needed to click a confirm link sent to "studentfoo@uni.tld".

Then, mostly as a goof, I tried signing up with an address like "studentfoo@uni.tld@example.com" where I controlled the second domain. Lo and behold, the confirmation email showed up in my catchall inbox on that domain.

Pretty sure the only check the site did was .contains("@uni.tld") and assumed it was good enough (or whoever wrote it put it in as a backdoor). Really regret not reporting that bug to them.
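The bypass described in that comment, as an added example that is not the site's code (the site was never published; the domain "uni.tld" and function names here are assumptions): a substring test like .contains("@uni.tld") is compared with a check that parses the address first, requires exactly one "@", and compares the domain part exactly. The second check rejects "studentfoo@uni.tld@example.com", and also the related tricks "foo@uni.tld.example.com" and "foo@xuni.tld", which the substring test accepts as well.

```python
import re

# The domain the sign-up form means to enforce (assumed for this example).
REQUIRED_DOMAIN = "uni.tld"

# Conservative unquoted local part: dot-separated atoms of RFC 5322 "atext".
# Quoted local parts ("foo@bar"@uni.tld) are deliberately rejected; they are
# rare and are exactly the kind of input that makes "@" counting ambiguous.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_RE = re.compile(rf"{_ATOM}(?:\.{_ATOM})*")


def weak_check(address: str) -> bool:
    """The substring test the comment suspects the site used."""
    return "@uni.tld" in address


def strict_check(address: str, required_domain: str = REQUIRED_DOMAIN) -> bool:
    """Accept only addresses whose sole domain part equals required_domain."""
    if not address or len(address) > 254:
        return False
    # Exactly one "@": a second one is either malformed or a trick such as
    # local@uni.tld@attacker.example, where the mailer treats the *last*
    # domain as the destination while a substring test sees "@uni.tld".
    if address.count("@") != 1:
        return False
    local, _, domain = address.partition("@")
    if len(local) > 64 or not _LOCAL_RE.fullmatch(local):
        return False
    # Exact, case-insensitive comparison of the whole domain: this is what
    # also rejects uni.tld.example.com and xuni.tld.
    return domain.lower() == required_domain.lower()


def compare(address: str) -> tuple[bool, bool]:
    """Return (weak_result, strict_result) for one candidate address."""
    return weak_check(address), strict_check(address)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate address and three that the
    # substring test accepts but the parsed check rejects.
    for addr in [
        "studentfoo@uni.tld",
        "studentfoo@uni.tld@example.com",
        "foo@uni.tld.example.com",
        "foo@xuni.tld",
    ]:
        weak, strict = compare(addr)
        print(f"{addr:35} weak={weak!s:5} strict={strict!s:5}")
```

The important design point is that the value being checked and the value handed to the mailer must be the same parsed domain. With the substring test, the validator and the mail transport disagree about which part of "studentfoo@uni.tld@example.com" is the domain; by refusing anything with more than one "@" there is nothing left for them to disagree about.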


Meta-warning:

I'm more into the juxtapositions of interactions between idiots vs experts, specialists vs generalists, startup-billionaire vs unemployed-drug-addict-hacker, and the level of insight that can be gained from these conversations.

I believe that the civility and desire for unfettered conversation (avoiding ad hominem, flame wars, etc.) are more of an instrumental goal of this process than the true goal.

I don't really know why the comments on hn are the way they are, and I doubt anyone ever will. But that's what keeps me coming back here. It's the only place on the internet I can get this kind of thing, whatever it is.

I do have to say, there's something special and unique here. Like the userbases of wikipedia, stack overflow, 4chan, or twitter, there's something here that's impossible to recreate and worth preserving.


How did you do this?

Is the process repeatable?


Depends on a few factors in my experience, but when I had been locked out of an old email for 5 years because I knew the password but didn't own the associated phone number anymore, I had to know when my account was created (month and year), answer the security questions correctly, and know the full phone number associated with the account - and it still required a human review after a few days before I was able to reset the password (and I still had trouble changing the old phone number to my current one but I somehow managed).


The only account for which I could definitely provide this information would be my work email. It's kind of ridiculous to make this part of the criteria for resolving a potentially huge disruption to a person's life.


Is there a list of devices anywhere for which this doesn't work?

It's worked in anything I've tried (haven't tried latest iphones) with only a momentary power switch on it. I was under the impression it was some kind of legal requirement somewhere, and that's why it was so standard.


It's one additional resistor, I think. The first lot of raspberry pi 4s had that same problem, and I've seen it in other hardware that uses type-c to charge.


Cosmic rays can come from any angle, and even pass through the entire Earth without impacting anything. (Millions of them are zipping through you and your RAM right now, electrons barely dodging out of the way in time.)

I think (but have no reference) that the amount of cosmic rays the planet blocks by being in the way is dwarfed by the effects of the magnetosphere and solar rays.


Slight nit-pick: Neutrinos are the ones that are zipping through you and the Earth. They interact with things very rarely and have no real charge anyway. The rays you'd worry about with computer hardware are photons (gamma rays) with high enough energy to create new charged particles. Also other charged particles like muons and their decay cascades.


Watching an alcohol fog chamber is such a cool experience.


Are there any details on who's providing this app, who's running the site, and what they'll do with collected data?

The ToS and privacy policy are identical, and only refer to an app called "velo" and a company called "copilot LLC", and that their method of contact is "Joe Blau."

This seems very strange to me. (unless this is a "move fast, break things, collect GDPR fines" sort of thing)


Here's one that's Firefox exclusive, and still seems to work: https://developer.mozilla.org/en-US/docs/Web/HTML/Global_att...

It's something I've used on a few sites, and it's a shame chrome dropped support.


Using a blowtorch as a heat-source is common in extreme overclocking, to heat up VRMs and memory modules up enough to boot the machine, and keep it working.

Liquid helium might get into the device itself and cause other problems. (e.g. iPhones stop working in the presence of helium)


Apple's iOS ToS specifically forbids downloading and executing code by the app. (with a definition of "code", and "execute" somewhere in the document)

While you could technically hide this from them during the review stage, Apple can stop any app from functioning on any iOS device connected to the internet by revoking the certificate, if they discover it at a later stage.

Are there noteworthy apps that break this term in the wild?


This clause is impossible to apply to games.

Any level of a game contains at least some logic like NPC behaviors, event triggering etc. and I'm sure scripting is a standard component of every single game.

Have you heard of Thimbleweed Park? It's basically a VM executing an adventure game language (like the creator's SCUMM VM in the past).

That's on the App Store.

Now if we specifically look at the downloading part, that would mean games on iOS cannot download new levels, which I think is done by a lot of games.


The clause is impossible to apply period. It's undecidable.


I don't think my original comment was clear about how I view the ToS as a hammer Apple made for themselves to wield. Not for the good of anyone but Apple.

Their goal here being to cover their ass and have a rule, that you already "agreed" to follow, to point at when they want to get rid of your app. Apple's legal tech has always been years ahead of their electronic tech; I'm honestly curious to see if Epic's got some sort of counter to Apple's usual legal shenanigans.


In the court hearings, Epic explained how they implemented their payment processor addition without catching Apple's notice. The app simply asks the Epic servers for a list of payment processors available to display to users, and at review time it was only the Apple one. A week after the update, they added another entry to the DB, and now there's a second option, without modifying app code.


The Simpsons game regularly downloads game updates, and much to my chagrin because the updates are gigantic.

This is extremely common in games, less so in productivity apps.


But it allows downloading and executing interpreted code. See paragraph 3.3.2 of Apple Developer Program License Agreement.

So you can have a significant portion of your app in, say, JavaScript, which you can update OTA.

E.g. React Native apps have most of their functionality in JS and can use services like CodePush to update themselves without the App Store, and it doesn't violate Apple's ToS.

