Hacker News: InGoodFaith's comments

didn't the underlying API they built upon ramp up their pricing and effectively price them out?

like a precursor to reddit's own API pricing changes that made it hard for 3rd party clients to compete.

The saving grace with these API wrappers is that local models being a thing can still let them hedge against the underlying AI labs eating up their stack.


It appears the individual was unable to distinguish a display name from the actual email address (common phishing tactic of having something like admin@company.org as the email display name while the actual email address is a random throwaway). [1]

Good reminder to use a password manager as well (as it would also catch the 'npnjs' typo squatted domain too).

Similar incident happened to the HIBP guy who mentioned ignoring the password manager safeguards due to being half asleep while on the plane.

Also keep in mind you can disable install scripts in npm from running (if you happen to not do your development in an isolated environment) via configuring your .npmrc with

> ignore-scripts=true

Stay safe out there

1: https://x.com/JounQin/status/1946297662069993690
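The display-name check described in the comment above, as an added example that is not part of the original thread: it flags a From header whose display name shows a different address than the real sender, and a sender domain label within two edits of a trusted one. The sample headers, the `trustedLabels` parameter and all function names are assumptions made for illustration.

```javascript
// Constructed From: headers for illustration; none are taken from the real incident.
const SAMPLES = [
  '"admin@company.org" <k3j2x@throwaway.example>',
  'npm Support <support@npnjs.example>',
  'Alice Example <alice@company.org>',
];

// Classic dynamic-programming edit distance, used to spot one-letter domain swaps.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Split a simple `Display Name <local@domain>` header; bare addresses have no display name.
function parseFrom(header) {
  const m = header.match(/^\s*(?:"?([^"<]*)"?\s*)?<([^<>\s]+@[^<>\s]+)>\s*$/);
  if (m) return { display: (m[1] || "").trim(), address: m[2].toLowerCase() };
  return { display: "", address: header.trim().toLowerCase() };
}

// Flag (1) a display name that shows a different address than the real sender and
// (2) a sender domain label one or two edits away from a trusted label (hypothetical list).
function checkSender(header, trustedLabels = ["npmjs"]) {
  const { display, address } = parseFrom(header);
  const findings = [];
  const shown = display.toLowerCase().match(/[^\s<>"]+@[^\s<>"]+/);
  if (shown && shown[0] !== address) {
    findings.push(`display name shows ${shown[0]} but sender is ${address}`);
  }
  // Naive simplification: treat the second-to-last DNS label as the registrable name.
  const labels = address.split("@").pop().split(".");
  const label = labels[labels.length - 2] || labels[0];
  for (const t of trustedLabels) {
    const d = editDistance(label, t);
    if (d > 0 && d <= 2) findings.push(`domain label "${label}" resembles "${t}"`);
  }
  return findings;
}

for (const h of SAMPLES) console.log(h, "=>", checkSender(h));
```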


>the individual was unable to distinguish a display name from the actual email address

This is wild to me, not just because they're a developer but they even know about SPF/DMARC. Also, the content of the email being them asking to reverify your email sounds suspicious and illogical. I know people make mistakes, but it's just crazy, and shows the importance of companies training employees to not fall for phishing emails.


Dunno, this is also a failure of email client UI which is designed around a naive world with no bad actors just so it looks cute.

The sender email address could be more prominent.

All link URLs could be visible.

Emails from new senders could have some sort of warning/alert. I used to use an email client that let you approve incoming email addresses, and it once saved me from a Coinbase phishing email since it made me double check the sender since it was marked as unapproved.

We can't keep blaming the victim when our own software works in the favor of bad actors. You're going to let your guard down one day.


This will break many things that rely on installation scripts to work properly.

Use a better package manager that always disables installation scripts and lets you whitelist only those you absolutely need (like pnpm — which asks you post-install if any scripts were necessary, and reruns those you confirm).

Also avoid horrible tire fires like eslint that require several hundreds of unvetted dependencies. If you work alone and are disciplined, it's perfectly possible to write good TS without a linter. If not — use biomejs.dev (zero external dependencies) or `deno lint`.

Also node can easily be isolated from the rest of the system through bubblewrap/firejail:

  $ ls -a ~
  .  ..  code

https://wiki.archlinux.org/title/Bubblewrap

https://wiki.archlinux.org/title/Firejail
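Added example, not from the thread or from npm or pnpm: before setting `ignore-scripts=true` or building an allowlist as the two comments above suggest, this lists which locked packages declare install scripts, using the `hasInstallScript` flag npm records in `package-lock.json` (lockfileVersion 2 and 3). The sample lockfile, its package names and the `allowlist` parameter are constructed for illustration.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); names and versions are made up.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/native-addon": { version: "2.1.0", hasInstallScript: true },
    "node_modules/@acme/telemetry": { version: "0.3.1", hasInstallScript: true, dev: true },
    "node_modules/left-helper": { version: "1.0.4" },
    "node_modules/native-addon/node_modules/build-shim": { version: "0.0.9", hasInstallScript: true },
  },
});

// Turn a lockfile key such as "node_modules/a/node_modules/@s/b" into "@s/b".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// List every locked package that declares an install-time script, split by allowlist.
function auditInstallScripts(lockText, allowlist = []) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) {
    throw new Error("lockfile has no 'packages' map (lockfileVersion 1 is not supported)");
  }
  const allowed = new Set(allowlist);
  const report = { approved: [], unreviewed: [] };
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (key === "" || !meta.hasInstallScript) continue; // skip the root project entry
    const name = packageNameFromKey(key);
    const entry = { name, version: meta.version, path: key, dev: Boolean(meta.dev) };
    (allowed.has(name) ? report.approved : report.unreviewed).push(entry);
  }
  return report;
}

// Demo run on the constructed lockfile with one package already reviewed.
const demo = auditInstallScripts(SAMPLE_LOCK, ["native-addon"]);
for (const p of demo.unreviewed) {
  console.log(`unreviewed install script: ${p.name}@${p.version} (${p.path})`);
}
```

To run it on a real project, pass the contents of `package-lock.json` as `lockText`.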


Biome has a 5000+ line cargo.lock file. That’s a lot of dependencies. You just don’t see them directly in npm. This is the reason I dislike Rust and prefer Go. Rust is the JavaScript packaging culture applied to systems programming.


> 2. They support premium domains, so you can be struck by lightning and randomly have the price of your domains dramatically jacked up (had to drop a domain due to this).

Do you have an example of this as it is against ICANN's rules IIRC.

The only instances I have seen about this were the posts here on HN when someone didn't read the registration price being at a discount compared to the renewal price thereafter.

If there is of course a legitimate instance of reclassification into a premium domain after the fact, you have a big case on your hands.


I did not take screenshots at the time so I can not prove it.

But I remember that I specifically spent effort/time to pick a name that was not marked as premium and double/triple checked before registering. Then about 3 months after I had registered it, it all of a sudden showed as premium in my account.

From my perspective it doesn't really matter much if they made it premium after I had registered it or if it was always premium and they hid that fact and gave me an invisible discount. The end result is the same.


Maybe a premium domain the whole time, but with an "introductory offer" so it's not clear at the time?


You might be interested in Linen to make your discord (and slack) searchable outside of the walled garden (can also use to archive too).

https://github.com/linen-dev/linen.dev

https://news.ycombinator.com/item?id=31494908


What you are describing is also known as an eggcorn.

https://en.wikipedia.org/wiki/Eggcorn


This is my all time favourite one of these:

https://thehabit.co/knowledge-is-power-france-is-bacon/

> When I was young my father said to me: “Knowledge is power, Francis Bacon.” I understood it as “Knowledge is power, France is bacon.”

> For more than a decade I wondered over the meaning of the second part and what was the surreal linkage between the two. If I said the quote to someone, “Knowledge is power, France is Bacon,” they nodded knowingly. Or someone might say, “Knowledge is power” and I’d finish the quote “France is bacon,” and they wouldn’t look at me like I’d said something very odd, but thoughtfully agree. I did ask a teacher what did “Knowledge is power, France is bacon” mean and got a full 10-minute explanation of the “knowledge is power” bit but nothing on “France is bacon.” When I prompted further explanation by saying “France is bacon?” in a questioning tone, I just got a “yes.” At 12 I didn’t have the confidence to press it further. I just accepted it as something I’d never understand.

> It wasn’t until years later I saw it written down that the penny dropped.


You left the funniest thing - the guy/gal's nickname was "Lard_Baron"


Thank you! I was trying to find the original essay I learned it from. I’m now pretty sure it was by Poe, but all I can remember is the main advice: avoid common metaphors.

I vaguely remember one of the metaphors in the essay was about a chicken coop melting, or something like that. It was vivid enough to leave a big impression.


I remember this being from Politics and the English Language (https://www.orwellfoundation.com/the-orwell-foundation/orwel...):

“Dying metaphors. A newly invented metaphor assists thought by evoking a visual image, while on the other hand a metaphor which is technically ‘dead’ (e. g. iron resolution) has in effect reverted to being an ordinary word and can generally be used without loss of vividness. But in between these two classes there is a huge dump of worn-out metaphors which have lost all evocative power and are merely used because they save people the trouble of inventing phrases for themselves.”


Thank you so much! That’s the one.

(It’s remarkable how often a vague description can yield an HN comment with an answer from a clever sleuth like yourself. Much appreciated.)


That's neeto!

The 2nd example also loosely falls under the classification of malaphor.

https://en.m.wiktionary.org/wiki/malaphor


An eggcorn is a soundalike though, isn't it? Deliberately altering idioms to catch people's attention isn't an eggcorn IMO.


> An eggcorn is a soundalike though, isn't it?

Not necessarily, you might be thinking of malapropisms but yes probably a closer word would be the general term: protologism.

Another commenter added some useful info on the evocative alteration of metaphors [2]

1: https://en.wikipedia.org/wiki/Malapropism

2: https://news.ycombinator.com/item?id=33757097


If the worst is a public mea culpa and following the agreements you should've done in the first place, that barely seems like a deterrent to infringe the license.

Might as well create a crawler bot on github and slurp up all the GPL/AGPL for your new AI-coding startup, iterate fast, make profit, then pay a pittance in legal fees and a small "We're sorry".


> Might as well create a crawler bot on github and slurp up all the GPL/AGPL for your new AI-coding startup, iterate fast, make profit

This has already been done.[1]

1. https://copilot.github.com/


The fines and penalties are deferred. If they violate the agreement again, they pay. They're basically on the equivalent of probation, which is what the plaintiffs wanted in the first place.


> I also see nothing to make this name make sense

Last time this was brought up it was just referencing the fact both "git" and "dolt" refer to variations of calling someone a dimwit.

It's like if you come across a project called "dunce" that is "git for X" or whatever tagline you imagine.

For context this discussion from 2 years ago probably might be worth reading[1]

1: https://news.ycombinator.com/item?id=22731928


> The titles are misleading (purposely, because it attracts interest)

I am neutral to this conversation but thought you might not want to justify this point as it is against the spirit of HN. Specifically in the guidelines:

> Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.

Which would give the submitter permission to change the title to something more substantive.


When you read the posts and when you don't rely on titles, you can see the point that the author argues.

2FA does suck, it's not a pleasant experience but it is necessary. If something sucks, it does not mean that you don't have to or should not have to use it. There are things that hinder user experience but are immense for security, like 2FA is.

Making judgment based on title is silly, and if the spirit of HN is to judge without facts - then I apologize. Carry on as you were.

The strawman argument against the author, based on the title that provokes thought, is not a sign of intellectual discussion.


I am in agreement with what you are saying.

> and if the spirit of HN is to judge without facts - then I apologize.

Although snarky, I am sure you would appreciate if HN doesn't devolve into sensationalist titles such as: "PHP sucks" ad nauseam since there are plenty of social media networks that get flooded with titles like that already.

Just as we (the audience) in good faith read and judge based off of the merits of the article's content - one could also argue that an author should treat the audience with similar courtesy of not needing to:

> misleading (purposely, because it attracts interest)

Not saying this applies to this article since in my subjective view I didn't find the title misleading or egregious.

You might also be interested in seeing the recent edit history of titles on HN

https://hackernewstitles.netlify.app/


PHP does suck though, and OAuth doesn't.


Cloudflare's domain management has sadly also had some questionable actions/decisions.

0: https://news.ycombinator.com/item?id=31573854

1: https://community.cloudflare.com/t/domain-not-working-after-...


I have over 20 domains with cloudflare. I have been transferring all my domains to cloudflare one by one over the years and now I am worried about getting randomly flagged like this.

Does anyone know if cloudflare has provided any justification?

Are we at HN's mercy to publicly shame them to get them to fix this if it happens to us?


While I use and enjoy their other services, I would advise taking this incident into consideration about their registrar services that "prevents transfer-out of domains, sets to 'pendingdelete'"

https://news.ycombinator.com/item?id=31576353

