Hacker News | kamkazemoose's comments

You can think, how much would their marketing team have to spend to get the same results that the algorithm contract gave. I'm not a marketing expert, but I'm sure they have metrics like consumer sentiment, name recognition, number of users visiting the site, Google search trends, etc. There could also be benefits in recruitment, and that can be estimated based on how much you'd have to pay an external recruiter to bring in candidates that applied, or other things like that.

It was in the news a lot, and was discussed on a lot of tech sites. Plus it gets people talking about their recommendation algorithm, and makes people think Netflix subscription is more valuable because it recommends good shows. It wouldn't be cheap to get the amount of media that they got through more traditional marketing.


Right, but that is a lot of what I'm asking. What makes you think those are all better due to this contest? If I recall, a lot of why it was making the news was because Netflix was already popular in the industry. They certainly weren't that new of a name.

The main one I don't think I would have doubts about is the recruitment. But, I don't recall them being a place that needed recruitment help, even at that time.

To be clear, I found the thing fun to consider. I certainly am not upset that they did it. I do harbor a gut feeling that its ROI is greatly overstated.


My company is actually hiring senior/staff Clojure devs.

https://grnh.se/08cec3bb4us - Senior Engineer https://grnh.se/5c028b554us - Staff Engineer

You should take a look and let me know if you have any questions.


Heh, I actually interviewed with Reify during my last job search (where I ended up taking the job I was eventually laid off from). They weren't interested back then :/


They weren't interested as they might have had a better candidate. That is typically the reason. It is not about you not passing a metaphorical "bar" at least that is the case for senior positions.

I have been recruiting quite a lot and at the end of the cycle you go through making difficult choices. Often times you get 2 good candidates and only one spot. So you compare them and pick a better one. The dismissed candidate can be picked next year due to lack of better candidates.

Unless it has been clearly stated in the reply that you seemed to be below their expectation of a senior candidate. And even then... a lot can change over the year and if you feel like you are better you have every right to reapply. Most companies will inform you of reapply policy terms if you are outside of it.


Say you are invited to your friend's apartment in an apartment building, but none of the apartments have locks. So you decide to open up some other random apartments and look through their things, who is responsible?


Analogies are never helpful for things like this.

We don't need to reach for analogies to observe that while the theoretical ideal is to report it after just one false access, that no significant damage was done by accessing just a few more via human manipulation of the browser URL, with no recording or sharing of the results. From a human perspective, no damage was done.

Whether that legally crosses a line involves a whole lot of details that few, if any people here, will be able to speak to, because of the complication of the law, and HN's conclusion as to the legality is of marginal interest even if someone competent were to give an opinion.

We can speak to the fact that even if it does technically cross a line, a prosecutor really ought to use their discretion to not prosecute since nobody was hurt. We can say that because that's just an opinion. I expect we don't have very many people here who actually want the book thrown here (though, as always, enough read this that it's probably non-zero).


I don't think quantifiable significant damage should be the bar we use, though that should act to moderate the consequences.

OP admitted to continue changing URLs in order to check out what plans other companies were getting and what they cost. That means OP downloaded lists of employee names, ages, SSNs, and other data. If I were an employee at one of these other companies, I'd be pissed at OP for that. I'd be even more pissed at the people who built the marketplace website for making the rookie security mistake that allowed it, but it's absolutely not ok to download other people's information when you shouldn't have access to it, and use that to your own advantage.

Sure, I don't think this is something that should be prosecuted as a CFAA violation with big fines and jail time. That's not a proportionate response. But I also don't think we should signal that it's ok to look at (and use!) other people's data just because someone else forgot to lock it up properly. I think, for example, something on the level of a parking ticket would be appropriate here.

If OP had changed the URL once, found the vulnerability, and then immediately closed the page and reported the problem, I would see nothing bad in what they did. But they didn't merely do that, and IMO crossed the line in their subsequent actions.


There's no evidence from the original comment that anyone invoked any legal lines. Instead, they seem to be upset that the person they reported the incident to asked them questions about exactly what they did rather than being effusively grateful.


I added it, anticipating future comments.


That's not even close to the same analogy though. This would be like knocking on the door, asking if you can come in, and the person living there letting you in. Then getting mad about it later even though they let you in.


More like your friend let you into their apartment but then got upset that you went into the dining room when they only intended for you to go into the living room.


No, this is more like if you asked the landlord to let you in, and then they did, without the permission of the tenant. The tenant would completely be within their rights to be angry about that. Both at you and the landlord.


I think that's a valid response if the person letting you in wasn't expecting you and didn't want you there. Like, what are you doing knocking on random doors and going into random places just to look around? That's not honest behavior. Honest behavior is that if you know you're not supposed to have access to a thing, you shouldn't obtain access to the thing even if you technically can. I think it's pretty clear that you shouldn't have access to another company's healthcare plans. The first one is a mistake, maybe. The subsequent browsing and comparison shopping of restricted materials is definitely not okay though, and the harsh, suspicious response was warranted.


>if the person letting you in wasn't expecting you and didn't want you there.

Then they shouldn't have let you in. How are you completely absolving them of responsibility when all they had to do was say "Who the hell are you? No, you can't come in."


Well, to go with the analogy more: I leave my door unlocked because I'm expecting someone. There's a knock at my door and I yell "Come in" without looking at who is at the door. Not an unreasonable thing, happens all the time. When I finally look, I find you in my house, going through all of my things, for no reason other than you wanted to gain insight on my financial situation.

Do I bear responsibility for letting you in? Yes. Should you be there? No. Should you have knocked on the door? No. Should you have tried the same at my neighbor's house and every house on my block? No. In this metaphor and in the original context, everyone is acting with honest intent except the actor knowingly trying to access obviously confidential documents.


It doesn't mean I am there illegally though. Maybe I am there for some other reason and I thought you wanted to let me in.


No one said anything about legality. I'm still going to yell at you to gtfo and never come back again, and I don't see why it would be surprising that I would.

Let's drop the metaphor. The original story was that someone accessed a number of documents they weren't supposed to but technically could, and the question was whether or not it was reasonable that the owners of the documents were upset with that.

I argue there was good reason to be upset given the facts on the ground. In this particular situation, the original poster was there to access their own document. Having accessed someone else's document, that would be the point at which the behavior crosses from legitimate to illegitimate if it continues. Leaving at that point would be one appropriate response. But systematically going through a number of different documents goes beyond a mistake and into the realm of intentionally exploiting this security issue for unauthorized purposes. That's when it crosses from "honest mistake" to "dishonest exploitation".

I have no idea about the illegality of the issue. But the fact is plain that this person was not the intended recipient of the documents, they knew they weren't the intended recipient, and then after realizing the nature of the exploit, they continued to use it.

This is not the same as knocking on a door for a legitimate reason, being let in, and then the person inside being mad you're there. It's knocking on a door for no reason or a malicious reason, knowingly doing something inside the resident doesn't want you to do, and then wondering why they are mad at you.


The only person to be upset at is the one who didn't put access control on the site. That was a publicly available endpoint. The better analogy is putting something private on a public bulletin board and being mad if someone read something you didn't want them to.


A billboard is a broadcast message though, whereas an HTTP request is more like a back and forth exchange between two participants. So I think the original knock->response->enter is a better metaphor.


You let me in knowing exactly who I was. You showed me some stuff I wanted to see, but sitting right next to it, out in the open, was stuff you didn't want me to see. All I had to do was look somewhere other than where you were pointing, and I did that. And then you got mad at me for looking at the stuff and called the police.


> All I had to do was look somewhere other than where you were pointing, and I did that.

The way you phrase this makes it seem like accessing the documents was a mistake. Maybe the first one was, but I think the thing you are missing about the OP's story is that the behavior was repeated. I think the first instance was arguably okay. But subsequent access with the knowledge that what they were accessing was not intended for them is in my eyes beyond a mere misunderstanding.

You also have to remember that having physical or digital access to a thing is not the same as having permission to view the thing. For example, if a "Top Secret" document is delivered to your house with your name and address attached to it, if you read it without the appropriate clearance you will still be in trouble. The legality of such a thing is well established in that case, but the principle is the same: even though you have access to a thing and all you have to do is move your eyes in some direction to see it, the act of seeing it is still at minimum an ethical breach (why are you looking at things that you know don't belong to you?).

I guess this is the fundamental philosophical and ethical question: do you believe you are entitled to know any information as long as you have the technical ability to physically or digitally access that information? What if I have medical records on a screen in a room you are in, and all you have to do is move your eyes over to see my most personal info? Are you entitled to read that information because it's visible to you? Or do you think you owe it to others not to breach their privacy even though you have the ability to do so? Would you be mad if someone violated your privacy, and then retorted with "well you should have implemented some better technology to prevent me from moving my eyes in that direction"? I guess in that scenario you would have to blame yourself and your technological abilities, and not the person violating your privacy.


I was thinking of a similar analogy but I don't think it holds.

The right analogy would be if I was in the apartment complex and I said to a door not mine "I'm home open up!" If the door opened and I did it intentionally, am I liable?

I still feel like yes but since you have to request the document and receive it I think it's different than just checking locks.


I think we're all grown-ups here and don't need analogies here.


People of all ages suffer from confirmation bias. Analogies can be useful because they allow someone to appreciate the logic of an argument while temporarily dissociating from strongly-held opinions. After the framing moves back to the question under debate, the logic might stick. At least all parties might understand everyone’s perspective better after a few analogies are exchanged.


The analogies in this thread are mostly only furthering confirmation bias.

Because any physical analogy is such a poor representation of how a website actually works, everyone just cherry-picks the analogy that demonstrates the logic they believe should apply, and then tries to constrain the argument to that logic via analogy.


Not if everyone constantly shifts the analogy so their argument still works ;)


Indeed -- it is like if arguments were things to transport, and analogies were cars... wait, no, they are railroad cars.

So the argument is a heist occurring on a train, so we've got the thing that we're trying to heist (which would be our point) and then we're shifting it from one car to another. And some of the analogies here are clearly like passenger coaches, but others are more like those... coal transporting car, whatever they are called... and at some point we move to the inappropriate railroad car and drop the point in the coal which obscures it.

Anyway, the point is that at some point you really just hope that some conventional train robbers will show up and derail the whole thing because it has gotten too convoluted to follow.


A closer analogy might be if none of the apartments had doors, would you be allowed to step inside.


the web isn't a collection of personal apartments


I think in this example both are equally responsible:

1. People who kept their doors unlocked

2. Person who randomly entered doors & found things.

We need to take care of security of our properties, though stealing is wrong.


Nope, opening an unlocked door is still considered break&enter. AFAIK, the "unlocked door" can even be a beaded curtain. Turns out that the legal definition of "break" in this context is extremely old and doesn't correspond to lay usage anymore.

But I think that a better analogy would be asking the apartment manager to see your payment history and getting handed the entire apartment building's ledger.


More like - you go to supermarket bathroom, checking each stall and find one person is pooping without doors locked


One solution would be to force Apple to break up into separate firms. So you have Apple App Store, and Apple app maker as separate firms, and Apple app maker is required to be treated as any other app developer in the app store.


You could turn the argument around. Seat belts pretty much only protect the person wearing the seat belt, while vaccines protect the population in general by stopping the spread of Covid.

So people should have the freedom to harm themselves by not wearing a seat belt but vaccines should be mandatory to stop covid from spreading everywhere.


> vaccines protect the population in general by stopping the spread of Covid

This is a bit too strongly worded, and is borderline misinformation.

The current mRNA vaccines are imperfect - they do not provide sterilizing immunity - and consequently people who are vaccinated can still be infected and transmit the virus.

There is a small but growing subset of the scientific literature raising concerns about this - the keywords you can search for are vaccine induced immune escape. But I'll save you some time and link you to an accessible peer-reviewed paper on the subject as an introduction [1].

FWIW I agree that vaccines are useful - particularly for vulnerable demographics - and present very low risk of complications for an individual. That said, many people are unaware of the potential second order consequences of mass vaccination.

Furthermore, many people are unaware that previously infected and recovered individuals have robust and durable immunity to SARS-CoV-2 [2][3]. These are strong arguments for a strategically targeted vaccination campaign - the opposite of compulsory vaccination for everyone.

[1] Risk of rapid evolutionary escape from biomedical interventions targeting SARS-CoV-2 spike protein https://pubmed.ncbi.nlm.nih.gov/33909660/

[2] SARS-CoV-2 infection induces long-lived bone marrow plasma cells in humans https://www.nature.com/articles/s41586-021-03647-4.pdf

[3] Necessity of COVID-19 vaccination in previously infected individuals https://www.medrxiv.org/content/10.1101/2021.06.01.21258176v...


Thank you for the references criticaltinker.


Seatbelts do improve the safety for other people. Car crashes are not always just bang and then the rescuers come and maybe save survivors. A good blow to the head from being flung about can daze or knock you out, and you may lose control of the vehicle after that. If you're wearing a seatbelt there is a much greater chance you stay conscious and still have partial or full control of the vehicle after a minor collision. So hopefully it doesn't turn into a much worse one.

Here in Ontario, you can let your 14 year old drive around without a seatbelt, or a license, in a car on private property. But on public roads, seatbelts. That seems reasonable to me.


If you're in the back seat of a car, without a seat belt, in a collision you may turn into a projectile which can potentially injure or even lead to the death of someone in the front seat.

https://www.youtube.com/watch?v=y3InF19dzlM


Except that the powers-that-be just admitted that vaccinated people carry the same viral load as the unvaccinated.


Only if they have a breakthrough infection - and that is very rare.


From a variant that only exists because of unvaccinated people. This is where a lot of the frustration comes from.


That's conjecture. A conclusion from this study[1] is that vaccines correlate with dominance of fitter variants. That suggests that it's possible that vaccines allow them to propagate.

"the decline in lineage diversity was indeed correlated with increased rates of mass vaccination. Furthermore, the decline in lineage diversity was coupled with increased dominance of the B.1.1.7 (alpha), B.1.1.617 (delta) and P.1 (gamma) variants of concern, suggesting that these variants may be “fitter” SARS-CoV-2 lineages.”

[1] https://www.medrxiv.org/content/10.1101/2021.07.01.21259833v...


> That's conjecture. A conclusion from this study

I suppose the big downside of the flood of preprints on COVID19 is that any particular position can be supported, however briefly, with some study before peer review [hopefully] cleans things up.

It sounds like you're arguing that vaccination helps fuel variants because without vaccination there wouldn't be any hindrance to the original virus rampaging through the population and thus no selection pressure. Though as people developed natural immunity, I don't see how we wouldn't end up in the same place, just with more dead people.


I don't think we can conclude natural immunity and vaccine immunity would result in the same outcomes. Vaccines wouldn't exist if we thought that being vaccinated and not being vaccinated resulted in the same thing. If those differences exist, it's not outlandish to think there may be differences in evolved virulence and severity too. That's certainly conjecture too though.


It is because these vaccines are very weak or leaky vaccines. They don't stop spread. This enhances the selective pressure.

A related short discussion on the matter

https://odysee.com/@DarkHorsePodcastClips:b/Natural-Vs-Vacci...


Good point - just wanted to mention: see my comments elsewhere in the thread for more peer-reviewed papers that further support the idea you mentioned.


> From a variant that only exists because of unvaccinated people

I don't blame you for believing this because rhetoric from Fauci and others is constantly pushing this idea.

But if you want to be well informed you should at least be aware of a couple major counterpoints.

First, people who have been infected and recovered have robust and durable immunity that is at least equally as effective as vaccination [1][2].

Second, the current mRNA vaccines induce a highly targeted immune response to the spike protein, which - when coupled with mass vaccination - applies tremendous selective pressure on the virus [3][4][5]. This can actually further enhance the fitness of the virus. I've linked to several more peer reviewed papers to further demonstrate my points [6][7][8] - these are serious concerns being put forth by highly regarded researchers at top institutions in the country.

[1] SARS-CoV-2 infection induces long-lived bone marrow plasma cells in humans https://www.nature.com/articles/s41586-021-03647-4.pdf

[2] Necessity of COVID-19 vaccination in previously infected individuals https://www.medrxiv.org/content/10.1101/2021.06.01.21258176v...

[3] Risk of rapid evolutionary escape from biomedical interventions targeting SARS-CoV-2 spike protein https://pubmed.ncbi.nlm.nih.gov/33909660/

[4] SARS-CoV-2 immune evasion by the B.1.427/B.1.429 variant of concern https://science.sciencemag.org/content/early/2021/06/30/scie...

[5] mRNA vaccine-elicited antibodies to SARS-CoV-2 and circulating variants https://www.nature.com/articles/s41586-021-03324-6

[6] Why does drug resistance readily evolve but vaccine resistance does not? https://royalsocietypublishing.org/doi/pdf/10.1098/rspb.2016...

[7] The adaptive evolution of virulence: a review of theoretical predictions and empirical tests https://www.cambridge.org/core/services/aop-cambridge-core/c...

[8] Imperfect Vaccination Can Enhance the Transmission of Highly Virulent Pathogens https://journals.plos.org/plosbiology/article?id=10.1371%2Fj...


> while vaccines protect the population in general by stopping the spread of Covid.

This is a common misconception about the COVID-19 vaccines and about several other vaccines. They don’t necessarily stop infection/transmission, but reduce the symptoms and prevent you from ending up in the ER.

Those who downvoted can find this basic information on CDC, WebMD, JH, BMJ, etc


> This is exactly what I was thinking about. If Copilot is fair use, it means that all proprietary source code, as long as they're publicly available to read, will be free to use as training materials for a hypothetical free and open source machine learning project, which I think would be a good thing. An example is a proprietary program released under a restrictive "source available" license, you can read it but not reuse it under any circumstances (and I believe these projects are already included in Copilot's training data). This is why I said fair use can be a good thing and a ruling to reduce the scope of fair use can potentially be used by proprietary software vendors against the FOSS community.

FWIW this seems to be the current interpretation of copyright laws when it comes to machine learning, at least in the US. The only questions I've really seen about the legality of Copilot is about it reproducing code and whether that reproduction is fair use or not. But few are arguing that training the model itself on any available source is violating fair use.


> FWIW this seems to be the current interpretation of copyright laws when it comes to machine learning, at least in the US.

I think this is a sensible take. An AI should be able to learn to program from any source code it can see, just like a human.

> But few are arguing that training the model itself on any available source is violating fair use.

People argue this all the time on HN.

But these same people seem to believe it is just pasting bits of code it has seen before together, so I suspect they don't have the technical or legal understanding to comment sensibly.


In a little over 100 years we've gone from the first powered flight to flying a helicopter on Mars. We might not be mining asteroids in 5 years but it isn't unreasonable to think it could happen in our lifetimes.


Part of the problem is that many on the interview panel do feel like they're wasting their time. It is valuable to the company but for the engineers, they want to get back to coding or whatever else they are working on.

It isn't fair to the person applying because they didn't pick the people on the panel, but if the one doing the interviewing doesn't hide their feeling it's obviously not great.


That's true. I want to say that that's Google's fault right? Because not everybody is on the team you're interviewing for (I might be wrong)? At Apple you are interviewed by the team, who presumably needs another person to assist them.

Also, regardless of whether or not they want to be there, it's a bad look for the company. Somebody took a day off to talk to you, it's only fair that an interviewer reciprocates


Can confirm everything you said is true and that at Google you'll likely never see your interviewers once you start working there but at Apple you'll be working with your interviewers on a daily basis.

It has upsides and downsides, like as you said you had to go through 3 different on-sites (one for each team), but you'll get a good sense of the team before getting an offer (and they'll get a good sense of you). I like the Apple method much better but I had an unusually bad Google interview process so it's possible other people had better experiences.


> at Google you'll likely never see your interviewers once you start working there

Can confirm that this is largely true, with an asterisk.

The interview panel (for SWE candidates) is indeed drawn at random, but it's becoming more and more common to conduct fit interviews for specific roles. This is usually done by the hiring manager, in rare cases also involving other people (e.g. the tech lead).


The good thing about interviewing with your teammates is they will be invested in making it a success if they recommended you. If you never see the interviewer again then they have no skin in the game.


Some of the difficulty is that the team may be hiring people because they're currently under-staffed. I've been on teams before where we're 3 engineers on a team that we're trying to hire up to 6 people. It's really hard to both try to keep up the work of 2 people, even in maintenance, and spend hours every week on trying to hire the replacements. Even if the company is good about reducing demands for new work after a departure, it's generally true that you're hiring BECAUSE you need more people on the team, which often means that team is overworked already.


In a union, the leadership is negotiating for you. So the person in charge of your employment that the union is replacing is you, not management. They could negotiate things like more PTO, better conditions, or a larger bonus instead of a straight base pay. But as the employee you might want straight up higher base pay. Or maybe the union gets a promotion process that values seniority more than performance. It might save you from a political process or having to play the game, but can hurt other people.

The idea is that unions help the collective and will get a generally better deal than you might get on your own. But again the union isn't going to get everything from management and they have to decide what to prioritize. So if your priorities are different than union leadership your wishes might get left behind to help more other people.


I can’t really imagine a union negotiating in the interests of privileged, mid six figure, 1%er software engineers. Even if it is made of us. That’s a little bit cravenly capitalistic for the kind of people who would be running a union in San Francisco. Rather, I think it would say that we, the members, are the powerful, and we have an obligation to use our collective power and wealth to advance broader left causes.

I don’t really want to get into it with my coworkers over exactly what our issue profile is, nor accept what I think the loudest voices will say. I prefer to choose my political organizations separately from my job.

Now if it’s truly going to just self-interestedly fight for our already well served interests, sure.


I think there's one other possibility. It could be stolen to study and reverse engineer. You're probably looking at state actors instead of random third parties, but enemies of Russia would probably want to see the level of technology they're using. And states trying to develop their own nukes might be able to learn a lot from having a first hand example.

