Agree that a PIN/Password would have usability problems with a car. Since no car manufacturer intentionally permits you to install software you want, there's no standard mechanism. But if this was standard I think an owner-set PIN would be very reasonable.

They should have provided some mechanism for the real owner to approve updates if the updates aren't all trusted by default.

Their rent control used to have no exemptions, but now it's become very similar to SF rent control. Strict limit on how much rent can go up for current tenants, but can reset close to market rate when there's a 'just cause' vacancy. And all buildings built after X date are exempt entirely. (X=2004 in St. Paul, X=1979 in SF). Developers argued that any rent control at all limited their ability to finance housing projects.

I think results of studies like this were hugely influential to the changes in rent control that followed.

A bit different than Anthropic refusing to assist with any AI development at all, but it's in the same vein and seems not widely known.

edit: reading the whole series of Google's AI Threat Tracker articles also provides some insight into threats Anthropic and others are dealing with

[0] https://cloud.google.com/blog/topics/threat-intelligence/dis...

That said, selector based ad-blocking is still supported in MV3. So might be possible to get most of the functionality with both a MITM-level blocker and an MV3 selector based blocker.

It's interesting this was submitted to HN over 15 times since it was published in February: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

But this is the only submission that's had any traction. Since the content is nearly the same for all submissions, it highlights how getting to the front page can be a bit random. (Though this is the only one that capitalized 'Leveraged' so maybe that's the secret)

I imagine that enterprise companies will be quite interested in this.

Comments URL: https://news.ycombinator.com/item?id=48388292

Points: 3

# Comments: 2

In 2011 Dropbox briefly had an even easier "zero auth exploit". For a couple hours if you typed in any email on the login page, password checking was skipped and you could login to any account. Albeit, you still couldn't reset the user password, just login.

https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...

Here's some companies that offer MCP servers but don't seem to offer an equally featured CLI:

   - Asana
   - Square
   - Linear
   - Dropbox 
   - Canva
   - Slack (sorta)
   - Figma (sorta)

Should they all be offering CLI tools? IMHO, yes absolutely. But an MCP server gets much more interest. I'd rather encourage them to keep improving and supporting their MCP services than telling them to drop it for a CLI.

There's lots of things like this in technology where you end up stuck with the first thing because its popularity perpetuates itself. The QWERTY keyboard I'm typing this on is a prime example. x86 is another one.

Though there might be practical differences though between the excess heat intentionally exhausted, and other heat. Just speaking from a very macro sense.

My 1500W space heater could boil 4.32 gallons of water every hour. But it isn't.

Slight digression: Claude/ChatGPT/etc all can search the web, but Google's AI already has a local copy of the web. It's much faster because of Google's TPUs, but also because Google has a copy of almost the entire web available locally. I recall others testing this and they observe that Google doesn't actually make HTTP requests to sites it references. It just uses its local cache. That's an advantage that all others seem to lack.

Of course, I agree that when I want search, I want search. But personally I've found if I want an LLM to very quickly answer a simple question, the type of thing all of them would do an equally good job on, I prefer Google's for its sheer speed.

I'm surprised they were able to get Stripe to actually state all of this clearly. It's nice that Stripe actually communicates details like this. But you can see the logic behind why many other big companies would just respond with an opaque message like "thank you for your report, it will be handled in the appropriate manner". Because saying the truth gets people more upset.

Some stats I found online report that ~60% of greencards are granted to people already living the US. This memo makes it seem like that route will now be much harder. So while its true that the law as written has always been true, they're definitely pushing for a change that will result in past behaviors no longer being true.

Essentially they're trying to change the rules by aggressive re-interpretation of the existing legal framework, and not actually changing any laws or regulations.

I don't follow all of it, but it seems to be arguing that the "ordinary consular process", leaving the country and applying for a visa from abroad, is the long-established default, and that "adjustment of status", where your immigration/green card status changes while you're already in the US, is merely an extraordinary exception and "a matter of discretion and administrative grace." Even though applying for a green card while in-country (an "adjustment") seems like the only sane and reasonable process.

It feels goofy watching them marshal decades of prior case law to try to frame this as just a "reminder" rather than admitting this is a real change. (Since changing laws is harder I assume)