I read the one on the left but choose the shorter one.
The interface wastes so much screen real estate already and the answers are usually overly verbose unless I've given explicit instructions on how to answer.
The default level of verbosity you get without explicitly prompting for it to be succinct makes me think there’s an office full of workers getting paid by the token.
Playlists allow Spotify to create a moat. It encourages you to listen to (and build) playlists that wouldn't then be easily available if you try to switch platforms.
For those unaware, there are services like TuneMyMusic [1] and Soundiiz [2] that allow you to transfer playlists between platforms for a fee.
Spotify did shut down certain API endpoints last month [3] though, so there's no guarantee these services may continue working for Spotify. Worst case scenario you'd have to download your data [4] and then figure out a way to create playlists on the other platform.
Advertising an Apple-owned app within another Apple-owned app is not the same as Microsoft putting 3rd party ads in the primary interface for launching applications in the OS.
We understand it well enough to know that animals suffer, yet still commit on the order of a Holocaust per hour (in terms of number of lives)[0]. We have accepted that we don't care enough.
What is "suffer" in this context? Are you saying "pain", or are you positing some "meta-pain" that is worse?
Also, why is pain important to you? The pain of non-human things has zero moral weight. I know it's a popular spirituality that gives pain moral weight, but as far as I can tell some 20th century philosophy jerkoff invented it out of nothing and everyone accepts that "reducing pain" is important without even trying to rationalize it.
I haven't "accepted that I do not care enough", it's that no one can supply a good reason to care in the first place. To me, it seems as if the rest of you are all trying to replace the last religion you stopped believing in with another that's just as bizarrely stupid.
Well, my point was made in reference to the original comment which said
> If consciousness is not well understood, how is AI on silicon allowed, or any computing machines at all
Which implies that we should care about some kind of suffering inflicted on conscious beings. My argument was that we don't care about AI suffering because we don't really care that much about suffering generally, because of what we chose to do to animals.
How can you stop that? An intelligent AI will send emails, create companies, hire people, and literally anything else you can do digitally in order to create means by which it can manifest itself into meatspace.
Maybe unrelated, but I think some people do this to check (at least partially) what email is tied to an account. E.g. if you suspect an anonymous Instagram user to be your friend Bob, you can invoke the reset email procedure to see
Folks in the thread noted that the recovery code sent was the same each time, which leads me to think it might have been a phishing attack. Send email that looks like FB recovery, but have the links go to some domain you own and snarf up creds, including MFA etc.
Not in my case; I've had two password reset emails in the past 3 days (having had none since February) and both have gone simultaneously to the different email addresses I have on the account, with different codes on all the emails (even the ones sent at the same time), and the click-through URL is certainly on the legit Facebook domain.
A variant I've seen was "We've sent you a recovery code to your email at gmail.com". I think it's useful for login name based authentication, since people will have multiple email addresses and may forget which one they used for that account.
(We have a 15 year old who's made at least four, probably more different gmail addresses for different purposes. Ironically, the one he used to sign up for porn includes his real first/lastname.)
Best practice would be to display this message no matter whether the email address is correct or not, to avoid leaking information. Many sites do this.
The GP is talking about a situation where you are not asked for an email address. You ask for a password reset for the username @coolanonguy. The website tells you that the reset email was sent to an obscured email address. The obscured email allows you to confirm (with high likelihood) or deny (with certainty) that @coolanonguy is your friend whose email address you know.
On the systems where I had to do this for my account I usually get a message like: "an email has been sent to the address registered with this account"
The benefit is that people often don't remember which email they used for a service. They check their "main" email inbox but don't remember that they used their student email address 8 years ago when they signed up. By providing a hint they know which inbox to check and don't get frustrated because the email isn't coming.
So it is a privacy tradeoff for better UX. If it is a good tradeoff will depend on how much you value each.
I have many email addresses. I don't necessarily know which email address is associated with my account. Therefore, the user benefits from knowing which email inbox they should check.
That said, it could be that the security risk outweighs that convenience.
That is the security researcher perspective, but it’s a UX nightmare resulting in a lot of confusion for normal users, because they don’t get any info if they even have an account or are trying to use the correct email address.
I used to think info about whether an account exists should not be leaked in the password reset flow, and I designed sites this way, but then someone pointed out that in practice a hacker would then just move to the account sign up flow to check for the existence of an account. (If account exists, you cannot make another with that email on most sites.) I never had a good response for that. I now lean toward the idea that not providing info is just not worth the bad UX.
> If account exists, you cannot make another with that email on most sites.
Many sites require you to verify your email before you can use your account. If you wanted to avoid leaking whether an account existed, you could show them a message like "if this account doesn't already exist, a message has been sent to your email asking you to verify it". If the account did exist, you might send an email like "someone tried to create an account with your email".
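The sign-up behaviour described in the comment above, combined with the uniform reset message suggested earlier in the thread, as an added example that is not part of any commenter's post. The user store, outbox, message strings and function names are all assumptions made for illustration.

```python
import secrets

# Constructed in-memory stand-ins for a user table and an outgoing mail queue.
USERS = {"bob@example.com": {"verified": True}}
OUTBOX = []  # entries are (recipient, kind, token_or_None)

# Hypothetical wording; the point is that each flow has exactly one response.
RESET_MSG = "If an account matches, an email has been sent to its registered address."
SIGNUP_MSG = "Check your inbox to continue creating your account."


def _normalize(email):
    return email.strip().lower()


def request_password_reset(email):
    """Return the same response whether or not the account exists."""
    email = _normalize(email)
    if email in USERS:
        OUTBOX.append((email, "reset_link", secrets.token_urlsafe(32)))
    # Unknown address: nothing is sent, and the caller cannot tell.
    return {"status": 202, "body": RESET_MSG}


def request_signup(email):
    """Sign-up that does not confirm whether the address is already registered."""
    email = _normalize(email)
    if email in USERS:
        # The existing owner is told by email; no verification token is issued.
        OUTBOX.append((email, "signup_attempt_notice", None))
    else:
        OUTBOX.append((email, "verify_link", secrets.token_urlsafe(32)))
    # Mail is only queued here, so response time does not depend on the branch.
    return {"status": 202, "body": SIGNUP_MSG}


if __name__ == "__main__":
    print(request_signup("bob@example.com") == request_signup("new@example.com"))
    print([kind for _, kind, _ in OUTBOX])
```

The difference between the two cases is visible only to whoever controls the inbox, which is what closes the sign-up check raised a few comments earlier.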
Ah, sorry, I see now, but the underlying point is the same. You should not reveal any information. A "We have sent an email to the address associated with the account" would be sufficient.
The amount of disclosed information, and its utility, is non-zero, but simply weighs less than the amount of damage from not hinting which account to check.
Accounts can grow to be 20 years old and even a "normal" person who is not actively using lots of addresses for security, will still end up having used several in the fullness of time and completely forgotten about some, yet, may still have or can regain access to them if only they knew to go look.
You don't see how that can happen or really be a problem? Oh well, consider yourself informed that it does happen and is a problem.
Not if you have multiple email accounts. Many times these codes reset in just a few minutes, you should try to avoid forcing users to spend time logging into every single email they can remember just to wait for an email to pop into one of them. You can show a few characters of an email or the first character of the domain to give a lot of info out in relative safety.
Everything is about tradeoffs, and the only objectively wrong answer is this dogmatic "never do $X" nonsense.
Well.. I have a theory. Maybe the threat actors are sending the recovery email with the hopes that the target does not engage. Then, the threat actor can indicate that they "no longer have access to this email address" to force recovery to an alternate address. Then, perhaps they have gained access to some people's old alternate email addresses either through credential stuffing or recreating deleted email accounts. If so, the TA can finish the reset and take over the account.
I actually lost my Instagram account because, I believe, it filled in my email field with a dummy one, [email protected] and then when I had to do verification, I could never recover the account. I believe it was in the very early days of Instagram although it's possible there was user error on my part in this case.
It is too bad because for symmetry I used the same user name in a number of places (not the one I have here).
I lost a Yahoo account because I put in incorrect information (I claimed to be 99 year old female or some such thing) and then forgot the password. I never really did anything with my Yahoo account though, so it doesn't matter other than I couldn't unsubscribe to some mailing list.
Lost my Yahoo account because it forwarded mail to another account and so I never logged in to it. Then Yahoo deleted it for inactivity ... No warning issued, just gone one day. So now I'm locked out of my YouTube account because it wants to send a verification code to the Yahoo address.