Something I've realized after using ChatGPT since the preview was released is that I am still responsible for knowing what the possibility space is for what I want to do.
This helps in two ways. First, it helps me formulate my requests of ChatGPT. Second, it helps me discover incorrect output which I can then either fix myself or make a subsequent request of ChatGPT.
I consider ChatGPT an extremely eager junior dev who makes mistakes by moving too quickly in this slice of time. (I'm sure it'll get much better very, very soon.)
The other day I asked it to write Terraform to deploy a certain app. (Not for real world, just testing what it would do.) It wrote some Terraform for AWS and then I specified "for GCP" and it did that.
So... what advice is there for technology-comfortable people who want to mitigate the effects of data leaks like these? It seems like data provided will be exposed eventually and company size doesn't seem to correlate with data safety.
For example should people be advised to rotate phone numbers every N amount of time?
The basic stuff helps a decent amount. Assume your name, phone, email, address are all public. Don't reuse passwords, ever (use a password manager), use 2FA wherever possible, ideally not the SMS kind. Use a password manager that has a tie-in with haveibeenpwned or whatever so you know ASAP to change your creds.
Some extras: use unique email addresses per site if you can. Some setups allow infinite aliases. Then you can blackhole one that gets leaked, and you can know where it got leaked from.
If you can, have a separate setup (completely separate email account(s), not just aliases, and even separate hardware to access them if you can) for very important accounts, the ones that would ~ruin your life for a good bit if they got taken over (bank, retirement, etc.)
There's also credit monitoring type stuff, which I've never been clear how useful it is, but might be worthwhile. You also may get it free if some company you use has a leak and they try to PR it away that way.
I think there's some way to basically lock your credit against new accounts, I need to look into that someday, don't know the details or if it even exists.
> Assume your name, phone, email, address are all public.
Someone on HN will invariably point out that this is how it was for the last hundred years, and it was only when we made computers powerful enough to abuse the information that this level of privacy became a concern.
I remember the days when your name, address, and phone number were public information. I paid something like $15/month to keep it out of the phone book.
What I recently learned, browsing through old books that a local library was throwing away, is that sometimes those phone book listings would also include things like a woman's maiden name, and the name of her husband, and/or marital status. Something like:
Smith, Margaret C (nee Jones, widow of George): 202-555-1212
To be honest, that's close to how it should be in an ideal world. But US companies went down the obviously-moronic path of treating social security numbers as passwords and now we're stuck.
Eventually the bulk of the world will probably end up with some sort of government-managed crypto-ID, but it's sure going to take the US a long time to get there.
I live in Norway, which has a similar system, so I can’t answer for op, but the answer here is, no. Your “social security number” is not ever used as a password or other form of presumably secret key. While you probably don’t go blabbing it everywhere, there’s not much you can do if you know mine. You would also have to physically steal my phone and also learn my secret pin, or break into my fire safe in order to successfully use my personal number for anything. Address and phone number are the same thing, that’s just where you mail things to, it’s not used as a secret key.
I live in France and while we do not have public records (or just a very few), we do not have identifiers that can be easily used to do something nefarious. Our social security number, or the tax one is not used anywhere as a secure identifier (as opposed to, say, US with their SS# that is tragically comical).
We do like secrecy, though, and opening up the tax reports and addresses would be a 12 on the Richter scale of earthquakes. I do not know whether that would be good or bad but it would lead to all sorts of social unrest.
No, instead they use this radical method called actually identifying the person they're about to give a bunch of cash to instead of trying to pretend a username is a password.
>Some extras: use unique email addresses per site if you can. Some setups allow infinite aliases. Then you can blackhole one that gets leaked, and you can know where it got leaked from.
If you pay for ProtonMail, you get a SimpleLogin Premium for free, which makes the creation of dummy/alias emails a lot easier. They're owned by the same company.
I've been using alias addresses since forever, though with Tutanota, not Proton (due to cost & nice app). It's great when you can simply deactivate an address and the spam stops coming.
That sounds nice. I use Bitwarden's "plus addressed email" generator, I think it's called, the downside being that I need to specifically blackhole anything that bypasses the plus-addressing, or it'd be easy for anyone that actually looks to bypass.
There still is the chance that some spammer will figure out that "blah+any-random-string" works for my email, but I'll deal with that if someone bothers someday. I'd just need to add an allow-list or something probably.
Yeah definitely; the "+" alias is built in to most emails (like, it works on Google/Proton at least). I'm more just saying that if you pay for ProtonMail (and therefore care about privacy more than the average person) you get another service for free that doesn't expose your "real" email if someone cared to look.
Someone can look at joe+spam@joeschmo.com and figure out Joe's "real" email address. Something like SimpleLogin (sorry, not a shill for them, I swear) gives you a completely new email/domain (and lets you set up your OWN domains), which then forwards to your proper inbox.
Yeah it's definitely a better pattern, I hope more companies create something like it. I think I heard Apple is doing something similar maybe? I seem to recall Fastmail has one too, pretty sure I saw it in the Bitwarden settings last I went in there.
Apple does this with email forwarding aliases on your phone; I can sign up using a generated Apple relay, which then pushes to your main email. I don't like it that much, mostly because you're still kind of locking into the Apple ecosystem, though.
The advice is to do literally nothing about it. What effect do you think this specific leak has on you? What kind of adversary do you think will be able to benefit from this data, and how?
The reality is that the data is useless trash, and there is no indication that this has actually leaked from Facebook or is showing any kind of security problem in their systems.
That remains to be seen. People are fairly ingenious when it comes to abusing information and information runs the world now. I will offer an unrelated example, partially because I do not want to give ideas on how to benefit from this. Do you remember when a certain entrepreneurial billionaire offered a checkmark for sale, which resulted in people impersonating companies and manipulating their stock price[1]?
Like with most things, any tool is worth what one is able to do with it.
<< The advice is to do literally nothing about it.
I would not advise to panic, but doing nothing is not exactly great advice either. Some re-assessment of one's current security posture may be warranted.
> Like with most things, any tool is worth what one is able to do with it.
Yes, and given an attacker will not get new capabilities from this data, it is worth nothing.
Any attack that could be feasibly run with a list of nothing but phone numbers associated with some (unknown) WhatsApp account could be done without that list just as easily. That's because of two things: a) phone numbers within a given country are easy to enumerate, b) the WhatsApp account space is dense, i.e. the odds of any legit phone number being used for WhatsApp is high.
> I would not advise to panic, but doing nothing is not exactly great advice either. Some re-assessment of one's current security posture may be warranted.
If you can't formulate a realistic threat from this data, how can you possibly re-evaluate your security posture in light of it? You need a threat model for that. Pondering about the security of one's digital life can of course be worthwhile in general, but advising anyone to do so in the context of this linkbait is just advising them to waste their time.
In your Twitter example, the impersonation did not come as a surprise. People were predicting that outcome within minutes of Musk announcing it. Can you make a prediction about what bad things will happen to the people whose phone number is in this dump, compared to people whose phone number isn't there?
<< If you can't formulate a realistic threat from this data, how can you possibly re-evaluate your security posture in light of it?
You do have a point and it is possible I misunderstood the 'value proposition' from this data set.
From the forum referenced in the article:
"Name / Whatsapp Number - Country Wise "
What I see in that post is name field ( or potentially just a number ) and country field. If I was a person buying it, the main benefit would be "being able to reach a seemingly random ( unless it is separately checked against some other available list/s ) individual in a desired geographic location". As you correctly assessed, by itself it is not a terrible security threat.
<< Can you make a prediction about what bad things will happen to the people whose phone number is in this dump, compared to people whose phone number isn't there?
Yes ( although admittedly, mostly because "bad things" is sufficiently generic to allow for it and I already admitted I think you are right on the security aspect ).
Fraud-wise this is a perfectly sufficient set of information ( current valid numbers likely corresponding with real phone numbers ) as those tend to be number games anyway ( one out of how many answers a spam email type of deal ). In that area, the most common scam lately is grandson scam[1] or romance scam[2]( those having extra benefit of less likely being reported even if others point it out to the victim ). Seniors do seem to use Whatsapp in the old country partially due to price and reliability ( dunno how common it is in US though ) so they fit that target demographic, but that assumes fraudster can reliably identify a victim set of seniors ( or burn existing set with a more generic pitch ). For non-seniors, crypto scams seemed very common lately ( and how many people just click yes, when an invitation pops up ) although recent crash likely made it less desirable.
In other words, I think you are right about not doing anything specific security-wise, but it may be worthwhile talking with your social circle if they use WhatsApp since they may now see an increase in unsolicited calls/messages/invites and benefit from a conversation about safety online in general.
People should be advised to not use phone numbers at all.
There was a joke "all phone numbers leaked" list that just listed everything from 000-000-0000 to 999-999-9999. If there is no other information associated (names, pictures, emails, anything) then this leak is of almost comparable severity.
There's an important difference between people being able to do inefficient paper-based one-off `SELECT ... LIMIT 1` queries when needed and the entire world being able to find new and exciting ways to search, join and mix data at great speed—the latter tends to enable new and exciting ways for the data to be used both for commercial gain, criminal purposes, and abusive trolling. (See: the history of internet harassment for the last 20 years.)
Pointing out that we used to put all the phone numbers in a book published by the phone company and now we don't is historically true but practically unimportant, just as "hey, sorry to hear your house got broken into, but you know, people in IDYLLIC_RURAL_HAMLET don't even lock their front doors like you BIG_CITY folks do" isn't useful unless giving up living and working in BIG_CITY and moving to IDYLLIC_RURAL_HAMLET is actually a practical option, which most likely it isn't (and if that were to happen en masse, IDYLLIC_RURAL_HAMLET would suddenly find they'd also need to lock their front doors if their population increased by a factor of two).
Who could have predicted that technological change might lead to shifts in social attitudes? Or, indeed, that the rules, principles and institutions we collectively create to make society bearable have to adapt to said changes?
Not using WhatsApp isn't going to magically secure your details online.
As per GP's point, most services eventually seem to leak data, so it may as well be saying "Don't go online".
Compare that to the alternate response which provides solid actionable advice for how to limit exposure when these services ultimately leak your data, and you can see why that post was downvoted to oblivion.
Full disclosure: I'm just a hobbyist game dev with experience with Arduino, and volunteering at my local robotics competition.
I would recommend getting into Arduino. It's fun to buy little components, build little circuits, and see how your ability to program can have a physical manifestation.
As for programming concepts -- yes kinematics and inverse kinematics will allow you to move robotic limbs to certain points in real space.
And you'll find yourself wanting a larger conceptual framework to put those technical bits. That's where things like finite state machines, hierarchical finite state machines, behavior trees, and/or goal oriented action planners may come in handy. This grouping of concepts is often called "ai programming" but whatever you decide to call it, they're algorithms to decide what to do at any given slice of time.
Obviously follow your own path in this subject; follow the bits that resonate with you.
Have you tried Nix[1]? The learning curve was a bit steep for me, but I think I finally started "getting" it and it absolutely solves this problem for me. Now I'm at the point where if I install Nix on any computer, VM, whatever, I can just pull in my configs via home manager[2] and everything Just Works. It's seriously one of the best package managers I've ever used, and I can't imagine going back to anything else. Windows support is only via WSL, so this might be a non-starter for you.
I like the idea, is there anything in this space already?
I'm imagining a GUI where you select from a list of items like "Python Development", ".NET Development" etc, and it somehow pushes out that configuration to your machine(s).
Not sure how many people would be willing to pay for it though?
I have an ansible playbook that I can run to add/remove things, set configs etc
My dotfiles has a script called 'update-machine' that pulls the latest playbook, and runs it. I can go from a blank machine to having everything I need in 10 mins or so.
Solutions like Gitpod or GitHub Codespaces are going exactly in that direction. Sure, they are not on your machine. But that's exactly why they can make it reproducible, no side effects with other installed software or configurations.
For me, it was "Behavior Trees in Robotics and AI: an introduction"
What conceptually helped me out was the idea that behavior trees (BTs) are hierarchical finite state machines (HFSMs). I read that and thought "woah!"
I've been fascinated by behavior trees ever since I learned that they were a big thing in Halo. It's charming to me to think that video games are able to help out in robotics, as the book pontificates on briefly.
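Added example, not posted by anyone in this thread, to show the behaviour-tree-as-hierarchical-FSM idea from the comment above and from the earlier comment listing FSMs, HFSMs and behaviour trees as "decide what to do in this slice of time" algorithms. Each Sequence or Selector node is a tiny state machine whose state is "which child is currently active"; nesting them is what makes the hierarchy. The tree is re-evaluated from the root on every tick, so a higher-priority branch (charge when the battery is low) pre-empts a lower one (patrol) without any explicit transition table. The robot, its battery numbers and the charge/patrol actions are constructed for the example.

```python
from enum import Enum


class Status(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    RUNNING = "running"   # action started but needs more ticks to finish


class Node:
    def tick(self, bb: dict) -> Status:
        raise NotImplementedError


class Condition(Node):
    """Leaf: a predicate over the blackboard, mapped to SUCCESS/FAILURE."""
    def __init__(self, name, predicate):
        self.name, self.predicate = name, predicate

    def tick(self, bb):
        return Status.SUCCESS if self.predicate(bb) else Status.FAILURE


class Action(Node):
    """Leaf: does work on the blackboard and reports its own status."""
    def __init__(self, name, fn):
        self.name, self.fn = name, fn

    def tick(self, bb):
        return self.fn(bb)


class Sequence(Node):
    """AND node: run children left to right, stop at the first non-SUCCESS."""
    def __init__(self, *children):
        self.children = children

    def tick(self, bb):
        for child in self.children:
            status = child.tick(bb)
            if status is not Status.SUCCESS:
                return status
        return Status.SUCCESS


class Selector(Node):
    """OR node: run children left to right, stop at the first non-FAILURE.
    Child order is priority order, which is where pre-emption comes from."""
    def __init__(self, *children):
        self.children = children

    def tick(self, bb):
        for child in self.children:
            status = child.tick(bb)
            if status is not Status.FAILURE:
                return status
        return Status.FAILURE


# --- constructed robot behaviour ------------------------------------------

def needs_charge(bb):
    # Keep charging once started, otherwise only when the battery is low.
    return bb.get("charging", False) or bb["battery"] < 20


def charge(bb):
    bb["charging"] = True
    bb["battery"] = min(100, bb["battery"] + 30)
    bb["log"].append("charge")
    if bb["battery"] >= 100:
        bb["charging"] = False
        return Status.SUCCESS
    return Status.RUNNING     # not full yet: come back next tick


def patrol(bb):
    bb["battery"] -= 5
    bb["log"].append("patrol")
    return Status.SUCCESS


def build_robot_tree():
    # Priority 1: if a charge is needed, go charge. Priority 2: patrol.
    return Selector(
        Sequence(Condition("needs_charge", needs_charge), Action("charge", charge)),
        Action("patrol", patrol),
    )


def run(tree: Node, bb: dict, ticks: int) -> list[Status]:
    """Tick the tree `ticks` times; returns the root status after each tick."""
    return [tree.tick(bb) for _ in range(ticks)]


if __name__ == "__main__":
    bb = {"battery": 10, "log": []}
    for status in run(build_robot_tree(), bb, 5):
        print(status.value, bb["battery"], bb["log"][-1])
```

Starting at 10% battery the robot charges for three ticks (RUNNING, RUNNING, SUCCESS) and only then falls through to patrolling; reordering the Selector's children would change the priority without touching any leaf.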
I was thinking about getting a part time job at a coffee bar for the weekends (mostly for fun). I'm a little glad I didn't pursue this because I'd hate to lose my primary job as an engineer just because I wanted to sling some espresso again. I doubt that would happen because...
It's a much different scenario than what is usually talked about with these stories (2x full time vs full time + part time). Still, I wonder if there is (or soon will be) someone who has a part time job and will get fired for it?
Again, I doubt it because I don't think people looking into the scenario would think that's the right outcome. But you never really know I suppose!
If that's something that you actually want, don't let this stop you. Just tell your boss what's up. Not because you don't have the right to work on the weekends, but because it could be incorrectly flagged as a conflict of duties and you want to get ahead of it. If they see you're on two payrolls, they might jump to the conclusion that it will interfere with your primary job.
Any advice for others going through this phase of their life? I have a terrible feeling this will be me; when I think of having a child I do think about it as if I will only be living for someone else (which is fine) but I have ambitions I want to materialize.
How has living a post child life given you more insight into your pre child thoughts?