Yeah, I mean every company is different.. but every place I've worked spelled out quite clearly what you can and can't (mostly can't) do with company resources and even to some what you can do on your own within adjacent areas.

It seems unlikely the company was unaware of this side project so one assumes he had some level of blessing, but then again I'm a long time spotify user and had never heard of it..

Blame better tooling. It used to be a pain in the ass to pull external dependencies into a project and ensure they were properly packaged and distributed. It was worth it to just implement something yourself vs adding something from a third party.

Now we've got powerful build tools that make this trivial. Bit of an old-man trope, but many younger devs will google "how do I X" and copy+paste the first solution they find (usually including a new dependency to their build tool of choice). I've seen projects with multiple libraries that do the same general thing because someone googled different problems at some point. And of course all those dependencies pull in their bucket of dependencies and so on.

Depends on how they define failure.

The whole mobile/web game space is filled with companies that poop out low effort games in bulk with no expectation of longevity. This is pretty much the popcap games business model in a nutshell and seems to be working well enough for them.

Very few software shops are staffed 100% with experts, or even solid developers. Even some solid developers are not specifically experienced in dealing with security.

If this actually matters, you need to either:
1) Have rigorous code reviews prior to anything going into a public facing repository
2) Not provide junior devs the sensitive production credentials in the first place

I tend to lean towards #2. Hide the actual credentials behind whatever your preferred method is (injected secrets, environment vars, whatever). Have a solid dev environment so devs don't need to do much on actual production systems. Ideally your dev environment is automatically blown away routinely and new credentials are generated.

Relying on every developer in your project to always do the right thing is never going to be a good answer.

Canadian and I have no love for Meta, but yeah, there is no tense standoff.

Meta basically called Canada out on its BS law, and now Canada is either going to back down when they realize they have no leverage and will probably face the same from other big platforms, or this will just be a thing on all platforms and the content creators this aimed to help will be absolutely fucked.

Yes!

I have an account I used a very long time ago from my dumb student days and forwarded to the real account I use now.

At some point I lost access to it. I don't think it was hacked, but I have no sweet clue what the password or security questions are set to. Anyway, the address itself was involved in several data breaches, and now I get a constant stream of sketchy shit hitting it (attempts at creating all manner of accounts, responses from those stupid petition sites that don't validate email, etc). I filter this stream, but it's existence still bugs me and I'd be entirely happy for it to just stop existing. Even if someone re-creates it and controls it, I'm at least 99% sure anything actually tied to me is long dead or I've migrated.. but I'd still probably try to re-register it just to be sure (and leave it to collect all the junk but at least not be firing it at my main email).

I think this is a very individual thing. Security always comes at the cost of convenience and flexibility. Different users have different use cases and may want a difference balance.
Sure, "literally nothing but the unlocking mechanism" should be an option for the ultra-security conscious. That wallpaper and clock display are just needless attack surface! On the other hand, I like seeing summary notifications and events.. I live the kind of life where someone stealing my phone and seeing the subject of even my most sensitive of notifications is an acceptable risk for the convenience it provides me. Likewise I like being able to answer calls (or nope out of them) without unlocking my phone first.

I may have been reading too much into it, but I kinda thing that was his point...

The tech behind it is cool, but I don't have much interest in the letters themselves.

Unfortunately for who knows why, the summary ignored the cool stuff.

We've all heard the usual best practices spiel. This is the argument for:

a) Having well oiled exit procedures
b) Having finer granularity with respect to access
c) Backups

Backups don't help with the unauthorized access, and well oiled exit procedures only helps when someone is fired or rage quits very suddenly. Really the finer granularity is what you want. I'm guessing random part time employee in submission didn't need access to the board minutes or random customer mortgage applications, but managing need to know/access restrictions is complex and expensive and most companies just decide to trust their employees wholesale and hope for the best, maybe restricting a small subset of particularly sensitive stuff but basically giving everyone access to everything else.

None of this is new and little will likely change unless forced, at least these guys seem to have had backups.

Its a shame he pretty much went radio silence (aside from his side channel) for like half a year. I feel like he was starting to accumulate a decent audience (though not sure how much that really mattered to him), and few probably know his alternate channel even exists and probably assumed he'd just given it up.

Would be nice if they added an option to bring your profile with you.

Sounds silly, but I can't be the only one with family that still use my account not to save money but because they don't want to lose all their lists and recommendation history and all that.

In defense of sim racing, I don't think its an entirely apt analogy.

Racing involves physical stamina to stand up against the g-forces, overriding your natural fear of death, and a lot of technical skill.

Sim racing can't really do the first two and thus I agree isn't really a replacement for real racing, but it does a hell of a good job at that last one. With an expensive (but not insanely so) sim rig and modern software you can get pretty damn close to emulating the actual behavior of a race car. Submission wasn't lying about those pavement seams either... they laser scan those tracks to mm precision.

I find with netflix and youtube and similar, there is a decent chunk I like and make the effort to have a local copy, but there is a much bigger chunk of content where once is enough. That is, the casual browsing stuff.

I can absolutely see the same being applicable to games. I'm not much of a gamer, but I do have a steam library of games that I've played through, got my value out of, and have never had the desire to revisit. Sure I've got some classics that I occasionally dust off, but a big chunk of them would be right at home in some kind of rotating library.

A classic but very effective strategy, especially at a given price point.

Netflix is this for me. Even with the price creeping up, I tend to think about the series I occasionally binge watched and not the 6 months or so in between when I might not even visiting the site. Its just nice knowing the option is there.