Hacker News: abider's comments

I loved this write-up, thanks for submitting/authoring it!

Just wanted to point out you have a minor typo in there:

> In recent months, everyone has been pouring over the US Bank Secrecy Act

(should be "poring over")


This feels like some bizarrely confused clickbait for pseudo-technical people. I'm glad they at least mentioned:

> Of course, websites often collect and store visitors’ IP addresses in virtue of how the sites function.

Because, uh, yeah. Nothing to see here. Move along.


Read the two sentences following the one you quoted. It's not talking about OpenSea collecting your web address. It's talking about the OpenSea client-side website loading and executing arbitrary HTML loaded from a remote location specified by the NFT creator, which the NFT creator can control. If I create an NFT with an animation url set to `http://my-website/arbitrary-code-i-can-change-any-time.html`, I can execute whatever JavaScript scripts I want in the client-side browser of anyone who views my NFT on OpenSea's website.


This is just how the web (e.g. iframes, XSS) works in general.


Right. But if I include an arbitrary link to a cryptocurrency mining script in my comment right here, hackernews' website won't load it into your browser and start executing it as soon as you view this comment, with no interaction needed from you. If they did, that would be bad.


Oh yeah, sure. I think we're on the same page here. It's literally no different than an XSS vulnerability (done on purpose or otherwise), which basically boils down to: yeah, don't do that.


Oh wow, the fond memories I have of playing my brother in SuperMelee. I can't believe that after 10 years of being largely dormant an update was released a few months back. I'm excited to try this out! If ever I can muster the spare time, I'd love to work on an extension/framework to allow this game to be network playable.

Ahhh thanks for the trip down memory lane!


I grew up on the Atari 800 and it has a special place in my heart. It's hard to overstate the prevalence and impact of the 8502, as well.

I am thinking of getting another one (my parents gave mine away when I moved out) and seeing about how far I can push it as a pseudo-dumb terminal. What lightweight protocol can be leveraged with most "pre-rendering" done via a special proxy? I wonder if it could ever get close to practical.


This seems like the way it should be. Why should new music connect to newer audiences better than the best of breed from days past?

Of course freshness will always need to be there but there's a lot of back catalog to consume that will be "new to you" and it will only get deeper as time marches on.

Streaming services have made it easier to have nearly everything at your fingertips.


Been listening to a lot of lesser known 80s pop like The Time and Five Star and, gods, it's like we've just largely given up on writing damn good hooks and melodies in exchange for vibes and soundscapes (of course not speaking for all modern pop but a distinct chunk). It helps that The Time had a few songs written by the frontman's cousin, Prince.


If you look at Google's messaging products timeline, it's an embarrassing mess. If you viewed it in reverse-chronological order, it actually looks like progress.

I've never seen such a careless disregard for a user base combined with the cognitive dissonance of new product releases. Hangouts, Duo, etc aren't circling the drain, they're already in the sewer.

May the original Gchat (with open APIs) rest in peace.


> If you viewed it in reverse-chronological order, it actually looks like progress.

You are far from alone: https://arstechnica.com/gadgets/2021/08/a-decade-and-a-half-...

> … they're already in the sewer.

Sadly they still don’t know it on this front: https://arstechnica.com/gadgets/2022/01/after-ruining-androi...

Though at least on the payments front they are attempting to acknowledge reality instead of passing blame? https://arstechnica.com/gadgets/2022/01/google-pay-hopes-to-...


> Needless to say, I will never again use gmail for critically important things.

That's a hot take. If it was critically important, you'd have 2FA and a recovery phone number associated with it - which would have prevented you from getting stuck in a trust-fail situation to begin with.

Use whatever service you want, but your takeaway from this situation is a bit absurd.

Edit to add: I'm not saying Google's algorithm is perfect here, but relying on heuristic voodoo ("I use the same IP, so I should be fine") for "critically important things" instead of using well-established means of securing access to critically important things (e.g. 2FA, backup mobile number) is a bit insane.


I have 2FA and a recovery email on my Gmail account, yet I have run into this issue. If Google thinks something is suspicious, it will decline your 2FA codes and recovery attempts—it will just tell you that you entered the wrong code. Only after you finally get back in do you find an email in your inbox explaining that the correct code was entered, but Google blocked it because it was suspicious.

This happens to me from time to time, and the only way I can get back in is through Android. I keep an Android phone on hand at all times for this very reason.

Don’t blame the human for inadequate preparation; I assure you, no amount of preparation will save you from Google’s AI.


I think we need to quit calling it AI, and instead call it AS: Actual Stupidity


Agreed. The moment we allow AI to take the blame for irresponsible decisions made by the humans who designed and maintain said AI, is the moment we stop holding people accountable for real damage done.

Account lockouts are bad enough, but more serious things driven by AI are bound to reveal their fallibility. I sincerely hope tech workers have the integrity to take responsibility, judging by the current political climate and its participants' willingness to venture into thinking (surrounding the value of human life, among other things) that was considered taboo not long ago.

The moral and practical capacities of AI will reflect the limits of those designing them, at best.


Some time ago I used to run a userscript which replaced all occurrences of "Artificial Intelligence" and "AI" with "Artificial Idiocy". Added some charm to buzzword-heavy press releases :D.


Or “Artificial Incompetence”


This is an incredibly harsh and naive take. Authenticating logins at scale is an incredibly hard problem. There are tons of phishing campaigns and attackers seeking to get access to Google accounts all the time.

That they sometimes get it wrong sucks, but calling their attempts to do so "actual stupidity" is pretty rude.


Microsoft & Zoho Mail do the same, and when they do it, they also revoke all of your app-specific passwords for good measure, so SMTP is toast too.


> If Google thinks something is suspicious, it will decline your 2FA codes and recovery attempts—it will just tell you that you entered the wrong code.

Seriously! What! The! Hell!

I too have thought before that having 2FA (and linking a phone number, which I hate to do) would avoid tripping in such situations and that the systems would consider a different situation (like a different IP address/location, a different browser) as reliable enough with 2FA. But this irks me a lot.

I don’t really use Gmail much and have other paid alternatives, but I have some old stuff that may be mildly inconvenient if I were to lose them. Need to download the data and dump these accounts.


If you're entering a code, the 2FA method you're using is still susceptible to MITM-style phishing attacks, which is what this kind of location-based check is securing against. You'd need a push notification or YubiKey-based 2FA check to get the same level of security.
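The distinction this comment draws, as an added example that is not part of the thread: a TOTP code is six digits with no notion of which page the user typed it into, so the real site cannot tell whether it was entered on the genuine page or forwarded from somewhere else; a WebAuthn/U2F-style assertion is signed over the server's challenge together with the origin the browser is actually on, and the relying party rejects any origin other than its own. The HOTP/TOTP functions follow RFC 4226/6238 exactly; the assertion model is simplified (an HMAC stands in for the per-site key pair and clientDataJSON of real WebAuthn), and every secret, origin and challenge below is a constructed placeholder.

```python
"""Added example (not from the thread): origin binding in TOTP vs. WebAuthn-style MFA.
All secrets, origins and challenges are constructed placeholders."""
import hashlib
import hmac
import struct

# Constructed demo secrets; real deployments generate these per account.
TOTP_SECRET = b"constructed-demo-totp-secret"
AUTHENTICATOR_KEY = b"constructed-demo-authenticator-key"
REAL_ORIGIN = "https://accounts.example"            # placeholder for the genuine site
LOOKALIKE_ORIGIN = "https://accounts-example.invalid"  # placeholder for a look-alike page


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def server_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """All the real site can check is that the digits match the current window;
    nothing in the code records which page the user typed it into."""
    return hmac.compare_digest(totp(secret, unix_time), code)


def browser_sign_assertion(key: bytes, challenge: bytes, page_origin: str) -> tuple:
    """Client side, modelled on WebAuthn: the browser (not the user) records the origin
    it is on, and the authenticator signs over the challenge and that origin together.
    Simplification: an HMAC replaces the public-key signature of real WebAuthn."""
    signature = hmac.new(key, challenge + b"|" + page_origin.encode(), hashlib.sha256).digest()
    return page_origin, signature


def server_verify_assertion(key: bytes, challenge: bytes, assertion: tuple,
                            expected_origin: str) -> bool:
    """Relying-party check: the origin bound into the assertion must be the site's own,
    and the signature must cover exactly that challenge and origin."""
    page_origin, signature = assertion
    if page_origin != expected_origin:
        return False
    expected = hmac.new(key, challenge + b"|" + page_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def compare_factors(unix_time: int = 1_700_000_000) -> dict:
    """Put both factors through the same situation: the user interacts with a look-alike
    page and whatever they produce reaches the real site unchanged."""
    # TOTP: the six digits are equally valid wherever they were typed.
    code_from_user = totp(TOTP_SECRET, unix_time)
    totp_accepted = server_verify_totp(TOTP_SECRET, code_from_user, unix_time)

    # Origin-bound assertion: the look-alike origin is baked into the signed data,
    # so the real site's origin check rejects it.
    challenge = b"constructed-challenge-bytes"
    assertion = browser_sign_assertion(AUTHENTICATOR_KEY, challenge, LOOKALIKE_ORIGIN)
    forwarded_accepted = server_verify_assertion(AUTHENTICATOR_KEY, challenge, assertion, REAL_ORIGIN)

    # Control: the same flow on the genuine page verifies normally.
    genuine = browser_sign_assertion(AUTHENTICATOR_KEY, challenge, REAL_ORIGIN)
    genuine_accepted = server_verify_assertion(AUTHENTICATOR_KEY, challenge, genuine, REAL_ORIGIN)

    return {
        "totp_forwarded_accepted": totp_accepted,
        "assertion_forwarded_accepted": forwarded_accepted,
        "assertion_genuine_accepted": genuine_accepted,
    }


if __name__ == "__main__":
    print(compare_factors())
```

The `hotp`/`totp` functions reproduce the RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`: counter 0 gives `755224`, time 59 with 8 digits gives `94287082`), so they can be reused as a reference implementation; the assertion half is only a model of where the origin check sits, which is the property that makes a push or hardware-key factor different from a typed code.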


AIUI, they do send push notifications if you happen to have a mobile device that's logged in to the same account. Maybe they should do the same for the "suspicious login to an unused 'secondary' account" scenario? They're already sending "recovery" emails, so it wouldn't be that big of a change.


I have several YubiKeys linked to my account. It will decline those as well. It demands that I sign in from Android sometimes, seemingly for no reason.


That's especially weird. I've had Google decline TOTP/Google Authenticator and SMS one time when I was troubleshooting an OAuth issue, but declining U2F? Are you logging in from various different VPN servers daily, or just through the same few ISPs?


No VPNs, just my home network with an IP address that rarely changes. What seems to throw it off is when I log in from "conflicting" platforms, particularly iOS + Android. I also have multiple iPhones for work, and it very much dislikes that.

When it gets in this state, nothing will work besides going to g.co/sc on Android--it can't be any other platform, regardless of how long I've had the device--and approving the code request there. If I approve it from any other device, even with a YubiKey, it'll give me a code on g.co/sc, but I'll be told it's invalid and I'll get one of those emails telling me the code was correct but declined due to suspicious activity.

I appreciate the attention to security, but c'mon, it's a YubiKey, and I'm logging in from my usual residential location.


If we reason from good faith and consider that this is intentional and not a bug, have you considered that Google did not implement "blocking suspicious 2FA" just to mess with you?

That perhaps this deals with a very real threat? Google has no incentive to make it difficult for you to log in, it's the exact opposite.


The problem is not really that they do it, but that they don't adequately inform users about this risk and that they fail to offer proper support and alternatives when it gets triggered. If they offered proper support a whole lot of the user despair and anger would disappear.


I agree to some extent, but also consider that whoever designed this may not be as intelligent or as widely experienced in certain matters as is necessary for the real world.


I have no doubt it deals with a real threat. That doesn’t change the fact that I’m regularly unable to log into my Google account.

Usually it happens when I’m using multiple devices simultaneously—for example, Android and iOS. It’s understandable that Google considers that to be suspicious, but if Google isn’t going to learn on its own, there needs to be some way for me to confirm that nothing is amiss. It’ll ignore everything from TOTP codes to YubiKeys.


I have an opposite anecdote: I moved to iOS but kept my (4-year-old) Android device active, and now I basically hop between a few iOS devices (but just one iPhone) and a Pixel 2 regularly. The only account that appears to dislike that is my work Microsoft 365 account that demanded I reauth all devices a couple times.

Not saying it's not true (I believe you), just that it's not designed to be a suspicious case, at least.


It’s definitely a point that should be made. Typical TOTP tokens are weak MFA in takeover scenarios. Especially considering that people have a bad habit of syncing them between devices.

What a lot of the grumpy posters here probably aren’t mentioning is that many are probably doing high risk signal stuff like running through public VPNs. Google and Microsoft know a lot about what you are doing and what scammers do. They score risk accordingly.


With Google’s nonexistent customer service I’d be afraid of being locked out for any arbitrary reason and having no recourse no matter what recovery procedures I prepared for.

Contrast that to my bank where I can go to the branch, show ID, and get problems logging in resolved.


A plug from a very satisfied customer: I pay $5/month for Fastmail. I've emailed support before and reached a human within hours. They helped me with my problem, because it was their job and I'm paying them to do it.

Email is too important to rely on a free service which has a history of shutting people out, at any time, for any reason.


I prepay for the 3-year package and it comes out to $3/mo or something. I'm not going to stop using email, and Fastmail is fantastic so I'm not going to switch away, so it's worth prepaying.


Yep, Fastmail is great. Google cannot be trusted. With google you are the product, not the customer. The Fastmail service and features are better than gmail as well.


Still, the problem with Fastmail is the same as with Google: leaning on a third-party service that you have no control over. There are so many things that could go wrong there: they can be hacked, go bankrupt, be closed by authorities, insided. Everyone should have an appropriate personal disaster recovery plan that includes stuff like recovering from loss of a service supplier.


This is a false equivalence.

Life on a crowded planet depends on third parties; choosing vendors well is a critical life skill.

Fastmail have a long-standing reputation for treating customers right; certainly not a reputation google shares.


Well, there's always a risk profile no matter what you do. But the risk profile with a company that's obsessed with AI and doesn't believe in having any customer support is much higher than one that you pay and has very good customer support.


Fastmail has been extremely responsive to any random minor issues that have cropped up for me or the several people I got to transition to their service over the last 7 years.


If you have your own domain it doesn't matter much. You can always move your domain to a better host.


Reasonably confident one of my support tickets even got answered by the CEO once. They're a shockingly human-focused company.


Yeah, likely - I've answered a few tickets here and there :)


That's really cool! I'm just now migrating my Gmail-led life (15 years) to Fastmail, and it has been great so far.


So happy to see this. I've started the transition of my 25-year-old .org domain from Gsuite legacy to you tonight :)


Just wanted to +1 this. I've been a happy customer of Fastmail since ~2013, never had a single issue, great service


> never had a single issue

Fastmail was blown offline by a couple of DDoS attacks recently. Both of them impacted my ability to access Fastmail, but I suppose you didn't happen to try to access your account during those attacks.


Fastmail is Australian. That is a nonstarter if you want any amount of privacy.


Ditto.

I'm a satisfied Fastmail paying user for years


Me 2


What do you do if Google buys Fastmail?


Switch to something else ASAP.


FYI, google has customer service if you're paying them. I pay $6 a month for gsuite. I've contacted customer service 3 times. Got them instantly.


I've read stories here on HN about non-existent Google customer support from people who worked at companies that were paying Google millions.


I live in a third world country on a little island in the middle of the Pacific Ocean, yet have had Google respond within minutes every time I've had an issue (multiple times over the past decade). They have provided support both by phone and chat. I pay them 2 figures a month.


+1 on this. I’ve actually had them call me back proactively multiple times on a simple case too. Obviously it’s all anecdotal. But I have been happy with them (when paid)


They're supposed to have paid customer service for non-business users too if you pay for Google One, no idea how effective that is.


I was wondering that as well because I have Google One. When I go to the support page it claims 24/7 support for phone and chat in 2-3 minutes and e-mail support within 24 hours.


I have no idea what Google One is, but I get that level of support for the $12/month I pay them for Google Suite and have had great support experiences multiple times over the past decade.


If you have a Pixel, there's also chat + phone support in the help menu, though I'm not sure whether they handle account issues. (I used it a couple times because of, you guessed it, hardware issues)


"With Google’s nonexistent customer service..."

What's needed is enough of these cases to bring a class action against Google.

It's over a decade since I've used a Google account and I was similarly ignored even back then.


I have a few thousand dollars I earned with Adsense a bunch of years ago. They suspended my account and prevented me from getting the money. Every now and then I get a letter from some auditor that says I can claim the money. Just need to log in to my google account. Needless to say google customer service hasn’t helped. Definitely need some class action suits to change their behavior, and I hate class action suits.


Exactly. But don't hold your breath waiting.


"With Google’s nonexistent customer service"

Quite. If you play the game then all is well but if you don't then you are given very short shrift and no recourse to a higher power or anything at all.

There is very little oversight. If you fall afoul of the "algorithm" or whatever bollocks is running the show, then you have to fall back on calling them out on the socials. Get enough traction on that and lo: "soz, lol, we failed here but your <whatevs> is important to us ... in this case ... etc ..."


I personally had a great experience with google support when I once stupidly locked myself out of my account. The whole thing was resolved in about 3 days.

However, google customer service is definitely erratic since loads of other people have had bad experiences. The best thing to do if you're using Gmail is to enable 2fa and backup the recovery codes offline and somewhere safe. This could probably get you into your account without needing to talk to support.


I have never heard of anyone anywhere ever being able to access Google support once they were locked out -- you need to be logged in to access what little tech support they offer.


Something can be critically important for a person to access on-demand and not be something they’re especially concerned about an attacker accessing. Two completely unrelated dimensions of access needs.


They are not mutually exclusive. An attacker accessing a service can hinder or even completely stop your ability to access that service (i.e. change your password).


Or do things that trigger the provider to force you to change your password.

See: Apple ID, where failed password attempts (by anyone) causes Apple to force users to change their known password.


Actually, I specifically declined setting up a recovery phone number because I accessed it from the location where receiving codes would be impossible on my phones. I always accessed it from the same IP using my own VPN server, entered the correct password, and still Google decided that they are 'not sure that it is not really me, try again later'. No thanks.


What about downloaded backup codes? Phone push approval? U2F key? Authenticator app? Can't imagine complaining about being shut out if you didn't have at least one or all of these set up. Google even nags you about setting these up.


Why can't you imagine that? This gatekeeping you're doing is rude and doesn't make sense. 2FA's very purpose is to increase shut outs when enabled.


It might be 2FA's very purpose, but I've found that a 2FA-less account is a lot more distrusting of logins. Some of my relatives don't have 2FA set up and they got more "verify it's really you" prompts compared to my personal MFA'd account.


Because Google is abusing the concept.


I do wonder how many people will be locked out of their lives when they change phone numbers. 2FA across the industry seems to have rolled out this critical dependency without drawing enough (IMHO) awareness.


The only way to avoid getting into a trust-fail situation with Google is to be completely signed into it at all times so they can monitor you 24/7.


You didn’t understand the story. It’s google that’s using heuristic voodoo for critical things.


While failures are often worth celebrating (don't fear failure, learn from your mistakes, etc) there's a line there somewhere where this type of "toast to the rejects" can cross over into something else. Sour grapes? "I didn't want that stupid grant anyway!"


Failure is a loaded word. It should be expected that you don't achieve your desired outcome with many things in life. The real problem is a generation of people have been raised to be entitled.


Well, the _real_ problem isn't just that they've been raised in a way that leads to entitlement, but that what they have been taught to feel entitled to was actually a pipe dream.

While the boomers were all busy buying property and starting businesses, they were also unwittingly making it impossible for their descendants to do the same (or to the same extent) whilst in the same breath telling them (perhaps in honest belief) that they too could have anything they wanted.

Setting the bar so high makes even slight failures hit that much harder.


How did boomers make it impossible to do the same? Real estate is unaffordable, boomers refuse to retire, they had a better economy. That's my understanding of the zeitgeist. What did I miss?


I think it would greatly help to better understand what it is you are looking to manage here (or what your concerns are). Is there really perennially sensitive information in your SMS messages? In my experience, most of them are ephemeral in utility (e.g. an OTP or a reminder).

So two immediate questions arise:

1. Do you have a perceived sense of risk/vulnerability to not deleting SMS messages? Why?

2. Assuming there's something more to cover other than #1, what is the problem you are actually trying to solve here?


Have you thought about offering this as a software service for something like the Remarkable?


I haven't thought about it, no. Not sure if that would be a good spot to be in, as a business.

