Comment Re:Say that again? (Score 0) 21

Yeah, I mean every company is different, but every place I've worked spelled out quite clearly what you can and can't (mostly can't) do with company resources and even, to some extent, what you can do on your own within adjacent areas.

It seems unlikely the company was unaware of this side project, so one assumes he had some level of blessing, but then again I'm a long-time Spotify user and had never heard of it.

Comment Re:Old versions are a "feature" (Score 1) 25

What's worse, this is a recent phenomenon.

Blame better tooling. It used to be a pain in the ass to pull external dependencies into a project and ensure they were properly packaged and distributed. It was worth it to just implement something yourself vs adding something from a third party.

Now we've got powerful build tools that make this trivial. Bit of an old-man trope, but many younger devs will google "how do I X" and copy+paste the first solution they find (usually adding a new dependency to their build tool of choice). I've seen projects with multiple libraries that do the same general thing because someone googled different problems at some point. And of course all those dependencies pull in their bucket of dependencies, and so on.

Comment Inexperience is Inevitable (Score 2) 59

Very few software shops are staffed 100% with experts, or even solid developers. Even some solid developers are not specifically experienced in dealing with security.

If this actually matters, you need to either:
1) Have rigorous code reviews prior to anything going into a public facing repository
2) Not provide junior devs the sensitive production credentials in the first place

I tend to lean towards #2. Hide the actual credentials behind whatever your preferred method is (injected secrets, environment vars, whatever). Have a solid dev environment so devs don't need to do much on actual production systems. Ideally your dev environment is automatically blown away routinely and new credentials are generated.

Relying on every developer in your project to always do the right thing is never going to be a good answer.
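The second option in the comment above, keeping real credentials out of the repository, still wants a mechanical check that catches the slip before a push. What follows is an added example, not part of the comment or anything published by the submitter or Slashdot: a small pre-push secret scanner in Python that inspects only the added lines of a unified diff. The token formats are public vendor conventions (the AWS key in the sample is Amazon's own documentation placeholder); the assignment regex, the entropy threshold, the placeholder list and the sample diff are assumptions constructed for the example.

```python
import math
import re
import sys
from collections import Counter
from typing import Iterable, List, NamedTuple, Tuple


class Finding(NamedTuple):
    lineno: int   # line number in the input (diff line number for scan_diff)
    rule: str
    hint: str     # redacted: enough to locate the hit, never the full value


# Vendor-published token formats. The AWS key used in the sample below is
# Amazon's documentation placeholder, not a live credential.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}

# A quoted literal of 8+ chars assigned to a secret-looking name. The name list
# is an assumption for this example; tune it for your code base.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api_key|apikey|access_key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per char; assumed cut-off between prose and random secrets
PLACEHOLDERS = {"changeme", "placeholder", "redacted", "xxxxxxxx"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-character strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_lines(numbered: Iterable[Tuple[int, str]]) -> List[Finding]:
    """Apply the pattern rules and the entropy rule to (lineno, text) pairs."""
    findings = []
    for lineno, line in numbered:
        for rule, rx in PATTERN_RULES.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(lineno, rule, m.group(0)[:4] + "..."))
        m = ASSIGNMENT.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            # "${VAR}" injection markers and obvious placeholders are fine;
            # a hard-coded high-entropy literal is what we want to block.
            if value.startswith("${") or value.lower() in PLACEHOLDERS:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high_entropy_assignment", name))
    return findings


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only added lines of a unified diff; line numbers refer to the diff itself."""
    added = []
    for lineno, raw in enumerate(diff_text.splitlines(), start=1):
        if raw.startswith("+") and not raw.startswith("+++"):
            added.append((lineno, raw[1:]))
    return scan_lines(added)


# Constructed sample diff: the "before" reads the password from the environment,
# the "after" hard-codes it (plus an AWS key), which is exactly what the hook
# should block. The "${API_TOKEN}" line is an injected-secret marker and passes.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "9f3kQ2xLm8vB7nTz"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "${API_TOKEN}"
+SMTP_HOST = "smtp.example.internal"
"""

if __name__ == "__main__":
    # Hook usage (assumed file name): git diff --cached | python secret_scan.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for f in hits:
        print(f"line {f.lineno}: {f.rule} ({f.hint})")
    sys.exit(1 if hits else 0)
```

Run against the sample diff it reports the hard-coded password on diff line 7 and the AWS key on line 8, and exits non-zero; the environment lookup and the `${API_TOKEN}` marker produce nothing. The hint field deliberately prints the variable name or the first four characters only, so the hook's own output does not leak the secret into CI logs.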

Comment Hah (Score 3, Insightful) 116

I'm Canadian and have no love for Meta, but yeah, there is no tense standoff.

Meta basically called Canada out on its BS law, and now Canada is either going to back down when they realize they have no leverage and will probably face the same from other big platforms, or this will just be a thing on all platforms and the content creators this was aimed at helping will be absolutely fucked.

Comment Re:If only Google would delete associated data... (Score 1) 42

Yes!

I have an account I used a very long time ago from my dumb student days and forwarded to the real account I use now.

At some point I lost access to it. I don't think it was hacked, but I have no sweet clue what the password or security questions are set to. Anyway, the address itself was involved in several data breaches, and now I get a constant stream of sketchy shit hitting it (attempts at creating all manner of accounts, responses from those stupid petition sites that don't validate email, etc.). I filter this stream, but its existence still bugs me and I'd be entirely happy for it to just stop existing. Even if someone re-creates it and controls it, I'm at least 99% sure anything actually tied to me is long dead or I've migrated, but I'd still probably try to re-register it just to be sure (and leave it to collect all the junk, but at least not be firing it at my main email).

Comment Re:shocker! (Score 1) 54

the corporations are full of shitbags, news at 11

FTFY. Oh, and an offtopic educational link for you grocers and foreigners and others who don't understand English:
https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.angryflower.com%2F24...
I see enough of that shit on Farcebook. Note, I've been staying away from /. for the same reason, the normals have taken over the site.

Comment Re:Make that PUBMTATMTBAOITS (Score 1) 53

That's why they changed it from "Unidentified Flying Object" to "Unidentified Aerial Phenomena". The one I saw a half century ago was certainly not a space ship, unless Douglas Adams was right about scale, because it was smaller than a basketball. It was bright and fuzzy, rode next to my car for a couple of miles until I crossed a stream, when it zigged at 45 MPH at a right angle and followed the stream.

I wondered what it was for years before I learned about ball lightning, which is what it had to have been. My guess is ball lightning is a lot more common up there where the fighter jets play.

Comment Re:It's called a LOCK screen for a reason. (Score 1) 75

I think this is a very individual thing. Security always comes at the cost of convenience and flexibility. Different users have different use cases and may want a different balance.
Sure, "literally nothing but the unlocking mechanism" should be an option for the ultra-security conscious. That wallpaper and clock display are just needless attack surface! On the other hand, I like seeing summary notifications and events. I live the kind of life where someone stealing my phone and seeing the subject of even my most sensitive of notifications is an acceptable risk for the convenience it provides me. Likewise I like being able to answer calls (or nope out of them) without unlocking my phone first.

Comment The usual (Score 1) 123

We've all heard the usual best practices spiel. This is the argument for:

a) Having well-oiled exit procedures
b) Having finer granularity with respect to access
c) Backups

Backups don't help with the unauthorized access, and well-oiled exit procedures only help when someone is fired or rage quits very suddenly. Really the finer granularity is what you want. I'm guessing the random part-time employee in the submission didn't need access to the board minutes or random customer mortgage applications, but managing need-to-know/access restrictions is complex and expensive, and most companies just decide to trust their employees wholesale and hope for the best, maybe restricting a small subset of particularly sensitive stuff but basically giving everyone access to everything else.

None of this is new and little will likely change unless forced; at least these guys seem to have had backups.
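As an added illustration of the point in the comment above, and not part of that comment or of the story it discusses: a default-deny access model in Python that contrasts the "trust everyone wholesale" wildcard grant with need-to-know grants, shows the exit-procedure revocation, and runs the kind of access review that would have flagged a part-timer reaching board minutes. The resource paths, sensitivity labels, roles and grants are all constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: resources labelled by sensitivity. Paths and labels are
# hypothetical and not taken from the submission under discussion.
RESOURCES: Dict[str, str] = {
    "docs/board/minutes-2023q1.pdf": "restricted",
    "crm/mortgage-apps/app-10042.json": "restricted",
    "wiki/onboarding.md": "internal",
    "tickets/helpdesk/4711.txt": "internal",
}


@dataclass(frozen=True)
class Grant:
    role: str
    pattern: str  # fnmatch-style path pattern; "*" also crosses "/"


@dataclass
class User:
    name: str
    roles: Set[str]
    active: bool = True


# "Trust everyone wholesale": one wildcard grant per role.
BROAD_GRANTS = [Grant("staff", "*"), Grant("exec", "*")]

# Need-to-know: each grant names the narrowest path prefix that does the job.
NARROW_GRANTS = [
    Grant("staff", "wiki/*"),
    Grant("staff", "tickets/helpdesk/*"),
    Grant("exec", "docs/board/*"),
    Grant("loans", "crm/mortgage-apps/*"),
]


def is_allowed(grants: Iterable[Grant], user: User, resource: str) -> bool:
    """Default deny: access only via an explicit grant held by an active account."""
    if not user.active:
        return False
    return any(g.role in user.roles and fnmatchcase(resource, g.pattern) for g in grants)


def offboard(user: User) -> None:
    """Exit procedure: deactivate and strip every role, so a stale grant
    or a later reactivation mistake cannot quietly restore access."""
    user.active = False
    user.roles.clear()


def audit_restricted(grants: Iterable[Grant], resources: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Access review: for each restricted resource, which roles reach it and via which grant."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path, label in resources.items():
        if label != "restricted":
            continue
        report[path] = sorted((g.role, g.pattern) for g in grants if fnmatchcase(path, g.pattern))
    return report


def overbroad_grants(grants: Iterable[Grant], resources: Dict[str, str]) -> List[Grant]:
    """Grants whose pattern spans more than one sensitivity label: the ones to split."""
    out = []
    for g in grants:
        labels = {lbl for path, lbl in resources.items() if fnmatchcase(path, g.pattern)}
        if len(labels) > 1:
            out.append(g)
    return out


if __name__ == "__main__":
    part_timer = User("part-timer", {"staff"})
    target = "docs/board/minutes-2023q1.pdf"
    print("broad  :", is_allowed(BROAD_GRANTS, part_timer, target))   # True
    print("narrow :", is_allowed(NARROW_GRANTS, part_timer, target))  # False
    for path, who in audit_restricted(BROAD_GRANTS, RESOURCES).items():
        print(path, "->", who)
    offboard(part_timer)
    print("after offboard:", is_allowed(BROAD_GRANTS, part_timer, "wiki/onboarding.md"))  # False
```

The review functions are the cheap part of the expensive problem the comment describes: `overbroad_grants` lists every grant that reaches both internal and restricted material, which under the wildcard model is every grant, and under the need-to-know model is none, so the output is a concrete to-do list for splitting grants rather than a vague instruction to "do least privilege".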

Comment Re:They should check out Clickspring (Score 4, Insightful) 86

It's a shame he pretty much went radio silent (aside from his side channel) for like half a year. I feel like he was starting to accumulate a decent audience (though not sure how much that really mattered to him), and few probably know his alternate channel even exists and probably assumed he'd just given it up.
