I think the law does not specify how the previously used prices are supposed to be displayed. In Germany grocery stores used to display it in the smallest possible font in a foot note.
They got sued, lost, and now they have to display it more transparently. Absent of EU specifics about how such prices have to be displayed, national courts can make their own rulings based on their national law.
A while ago I was seriously sick + in a hospital (for a few months). The doctors told me that I won't be able to resume my regular job (software engineer). At the same time I was in a lot of pain – unable to sit, walk, stand. It was not really clear how it all would end.
I got deeply depressed and just wanted to die. The pain was just too much - even with controlled pain medication in a hospital setup.
I called the German crisis hotline almost every night and they were usually very very helpful. They listened - sometimes for 1-2 hours. In 90% of my calls I felt way better after calling them. They really are well trained and some of the personalities I talked to were pretty impressive and interesting… They have seen a lot…
That's understandable. I went through a period of chronic pain and, had it continued, I likely wouldn't be alive today.
The mechanisms protecting us from non-existence by millions of years of evolution can be eroded by pain. It's not something you realize you even have to lose until you've experienced it firsthand. I certainly never expected it, and it's hard for me to imagine what I'd intended while going through it.
At the risk of going “No True Scotsman” on this assertion, I would point out that providing such services has been increasingly lucrative and it is a growth industry where new providers are arising constantly, and existing ones are expanding vigorously.
That means that the space for fraud, waste, and abuse is gigantic. I have, on occasion, perused the FOIA lists of de-licensed providers, and this list reads like a watchlist of dangerous religious cults, because that is literally what they are.
Imagine if the state and taxpayers could fund a variety of new religious movements in efforts that would be lauded as “health care”. It is absolutely amazing.
Many unlicensed or unscrupulous recovery facilities have been scooping addicts off the streets, because you taxpayers are funding “housing” and “treatment” that is so attractive to client and provider alike. Drug-addled Indigenous men willingly hop into unmarked vans that cross state lines to drop them into homes (literally looking like private homes in residential neighborhoods) where they supposedly get treatment “for free”.
Those outpatient facilities that are invisible only need to get a patient hooked so they keep coming back every month, and that’s a guaranteed paycheck. Everyone you see living under bridges and in sewers, they represent billable hours for outpatient clinics. They are far more valuable than they appear because of the taxpayer dollars that support their ongoing “treatment” and “recovery”. It’s probably not worthwhile to get them off the streets, because of how valuable they already are!
Reagan moved to close the asylums after One Flew Over the Cuckoo’s Nest, but if you drive through the cities today knowing what to look for, you’ll see enormous BH facilities going up like mu$$$hrooms, literally.
Not to mention the unspoken costs to sanity of the workers themselves. BH is always hiring and there are always job openings, even for the mentally ill themselves to be “peer support”, so often your treatment will involve one or more people with mental illness already. Nurses and doctors burn out. Have you ever seen Harry Potter and how many teachers for Defence Against the Dark Arts he had? It’s exactly like that.
In fact, the new national crisis line is established as a funnel, to funnel new and existing clients back into the “treatment and recovery” systems, because there is so much profit in keeping them there.
There is a unique character to grifting and fraud in the BH industry. Look at other entitlements such as housing. With HUD/Section 8 they pay for rent, and it goes to housing or it doesn't. It may go for low-quality housing or overpriced housing, but typically it puts a roof over one's head. Or SNAP: it pays for food. Fraudsters may find a way to trade it and use it illicitly, or purchase nothing but tri-tip steak, candy and Sprite, but that's food and it goes in your belly. Any cash-based entitlements that go into a citizen's pocket, they have qualified and applied and run the gauntlet of paperwork for that; generally they spend that money on well-being, but that's personal money in the bank, and will not fund institutionalized fraud.
With BH treatment, what is paid for? What efficacy does it have? How does it work? Nobody really knows. Is more better? What are the best methods? Nobody really knows. BH success comes down to obedience and compliance.
Furthermore, we've discussed mass shootings in here a bit, and I just want to mention how the BH system encourages and increases mass shootings. There is nothing like a melange of psychoactive drugs in someone's system to give them S.I. and H.I. We saw it as early as Charles Whitman and we saw it again at Columbine. Listen to the news: anytime an active shooter "had a history of mental illness" they were probably hopped up on drugs to do the deed. There's a Broken Window Fallacy at work, only it's about broken lives, human violence, and hospitalization. So think about that when you call for more funding, more legislation, more treatment: it's an ourobouros that would make Trent Reznor suffer.
Clinics, as I said, are new religious movements. HUD and SNAP cannot fund the establishment of new religions. What could possibly be more ripe for exploitation than vulnerable religious adherents and cult members (who firmly believe that they are medical paitients!) and juicy tax dollars that pay for amorphous "services"?
My partner in the USA texted a state-wide hotline for mental health. What she got was a simple not-even-chatGPT chatbot that ignored everything she said and, quite frankly, made it worse. It makes me absolutely furious.
I think that the people inside the US healthcare system mean well, but unfortunately the system itself is setup purely to generate exponential profits off illness. I think that the range of therapy, and sometimes medication that we have available to us is a fucking godsend and I'm glad that it's improving, but the number of gates in front of getting any of it are often completely impossible for someone who is in physical or mental peril.
Both me and my wife have been homeless, and there is -no support- for this. There's "support" on paper, but the reality of it is that most shelters have turn you away because they're underfunded and overfilled. Receiving support is a difficult thing to navigate when you're doing well, which makes a lot of the hurdles impossible to navigate when you're not doing well.
It would be cheaper and vastly more effective to simply give people UBI, a place to stay (there are hundreds of thousands of places with no homeowner and actively rotting in the UK, because they've been bought up by a conglomerate and neglected), and addiction support/mental health support. The research even supports the efficacy of doing this, and various pilot programs show that it's vastly more effective and cheaper. But hah! It doesn't seem like it should work because of the lies that have been told about the homeless, and it's not convenient to the narrative of "you just gotta work harder. I guess it's your fault you're poor" so I guess we're not getting it anytime soon.
Imagine if you and 1,000 of your neighbors called the 9-1-1 dispatch for a little heart-to-heart.
This number in the USA is designated for people in crisis, and a crisis responder is going to be under time pressure to resolve your crisis or hand off the situation to some other team as it de-escalates.
My county also has a “Warm Line” that everyone is encouraged to call, but they do set timers. Once your timer runs out, they tell you how long to wait, and then you can call back.
If your case is so involved that it requires extensive discussion, then they can refer you to a clinic or local professional who can help, you know, during normal business hours.
Mental health care often involves long conversations, but the mentally ill can also chew up enormous airtime by talking, and talking to the wrong person. The crisis operators are not therapists and they’re not paid to establish relationships.
I wonder what they can really achieve in 5 minutes beyond sending the police to do a mental health hold on you? I always thought these lines in the USA were just ways to rat yourself out to get a mental hold (imprisoned, at your own astronomical cost) and then your civil rights (guns) revoked.
Having been imprisoned at a hospital, though not for mental health (falsely accused as drug smuggler by insane cops), I think I'd rather risk suicide if I were in such a state, rather than alert someone who would send the authorities.
No, I don't think that the establishment of crisis lines or putting more resources to work, will result in such an increase. It is a question of moving the funnel and allocating better resources.
The MH Crisis Line may prevent unfair arrests and jailings. It may prevent certain altercations with law enforcement. It may prevent, or at least accurately predict, domestic violence incidents and so forth. The problem with 9-1-1 is that calling for an Emergency resulted in the dispatch of armed police and/or paramedics and firefighters who were poorly equipped to deal with the autistic ADHD non-verbal manchild having a meltdown. Also, many communities are filled with hatred for cops and other first responders in uniform. Sending them can cause secondary incidents and violence.
So if you've got a Crisis Line with people equipped for mental health stuff, then you can send the correct responders. Many municipalities have already established teams like in a "Care Van" who can connect with citizens, establish rapport, and get them referred to services, non-violently, but really urgently.
That will make all the difference. Perhaps it will result in more, or fewer, involuntary hospitalizations, but it represents a solid funnel into those services and allocates more resources to deal with incidents that would only be exacerbated by armed and militarized police/fire/EMTs.
At least you’re honest. And I don’t think it’s rare. I know some Bay Area high end escorts and they say overworked programmers are the bread and butter.
Carbon offsetting is risky. You plant a tree and you don’t know if it will die. You create a swampy area to absorb co2 and 10 years later it dries out due to global warming. Offsetting should be used if there is no other way to reduce emissions in the first place. Same is true for sucking carbon out of the air and storing it somewhere… it’s expensive and it should not be the default - we need offsetting and carbon segregation for the really unavoidable stuff
Sucking carbon out of the air using fully renewable energy (solar/wind) is a great thing to do! ... once we've fully decarbonized all other energy use and we have extra, left-over renewable energy.
Like how it happened for Bartender, another macOS app which required a lot of permissions. It was sold to a company and they told no one, until a user noticed via the now defunct MacUpdater that the app signature changed.
Ben Surtees (Bartender’s original developer) burned all the good will accumulated over years in one moment. Never again can anyone trust software under that name.
Bartender was not a supply chain attack! The app was sold for monetary reasons to another developer for monetary reasons.
There were no targets involved. There were no nation-states involved. There were no attacks involved. You might not like the new developer, but this whole discussion of a nation-state and 9 figure payoff is totally ridiculous.
Various intelligence agencies are willing to pay 2-3M for a working exploit for iphone or android. I think that they would be fine with paying 50M for a userbase that has a high population of devs, admins, etc. Being able to backdoor someone like this in the right organization down the line is probably worth 50M.
> Various intelligence agencies are willing to pay 2-3M for a working exploit for iphone or android.
Little Snitch is not a working exploit for iPhone or Android.
> I think that they would be fine with paying 50M for a userbase that has a high population of devs, admins, etc. Being able to backdoor someone like this in the right organization down the line is probably worth 50M.
No, sorry, this is absurd. A ton of products have a high population of devs, admins, etc. These are not getting acquired by intelligence agencies. Give me one example. There's nothing inherently valuable about this population.
Who is a Little Snitch customer worth 50M to attack? Name them.
Depends on the target and what you can get. Think about Bartender, an app requiring an insanely high level of trust and permissions, which was quietly sold.
If you know of someone specific you want to target who uses it, the investment could pay off.
For example, we know from your blog posts that you use LittleSnitch. Someone who wanted to target you might do a lot to spy on you by buying LittleSnitch, probably.
Think of your own apps, too. I don’t think you’d do the same that Ben Surtees did and sell everything in secret, but then again I don’t personally know you. You may have a price that I’m not aware of. For that reason alone, even as I trust the current code is not nefarious, I can never give StopTheMadness access to every website and can only use it selectively, which is inconvenient.
The point is that it shows it can happen. You’re a browser extension developer, surely you know how often it happens that developers of popular extensions are approached by shady businesses and sometimes do even sell.
> You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.
As someone else has pointed out to you, not hypothetical.
> Nobody wants to target me. Nobody cares about me. I am insignificant.
You give yourself too little credit. I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people. Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.
> surely you know how often it happens that developers of popular extensions are approached by shady businesses and sometimes do even sell.
Yes, developers of free extensions who sell for a pittance.
I don't have a popular extension. My extension is relatively expensive and thus unpopular. I don't have enough users to be interesting to shady businesses. My extension is more valuable to me than to anyone else, because I, one person, can make a living from it.
> As someone else has pointed out to you, not hypothetical.
That link seems a bit silly. There's a screenshot with no explanatory context whatsoever. There's a list of items, many of which look quite mundane and uninteresting. Certainly it is not suggesting acquiring the company for millions of dollars. It sounds like someone—could even be an intern for all we know—is interested in attacking the app from the outside.
> I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people.
What is the value of compromising these people? Oh noes, the CIA can now write Daring Fireball articles!
> Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.
What chain? I have no third-party dependencies. If someone can compromise Apple's operating systems, then my software or Little Snitch is the least of our worries.
I do specifically and intentionally avoid using NPM, because of frequent compromises. Little Snitch is not even JavaScript, so no worries there.
> My extension is more valuable to me than to anyone else, because I, one person, can make a living from it.
I believe you, and as a fellow indie developer trust you and your intentions and that you’re careful to not be compromised. But if I’m being honest with myself I don’t have concrete proof of any of those. So I trust but also try to limit the blast radius if anything goes wrong. Does that make sense? I think you might agree there.
Your blog helps with that trust and with understanding the human behind it.
> Certainly it is not suggesting acquiring the company for millions of dollars.
Alright, yeah, I see we’re talking a bit past each other in that regard. You’re right that’s how the conversation started (before I joined in) but I don’t care for that angle fully either. I agree there are more plausible ways to achieve the objective.
> Oh noes, the CIA can now write Daring Fireball articles!
Not sure that’d be a downgrade. Maybe they could fix the Markdown perl script, too. Joking aside, I think there would be better targets, like someone on Apple’s Passwords team.
> What chain? I have no third-party dependencies. If someone can compromise Apple's operating systems
I don’t mean it in the sense of software dependencies, but in the sense that some app you use would compromise you. You know macOS’ permissions are mostly security theatre. We know people inside Apple use third-party apps. I can imagine ways of exploiting that, given a bit more knowledge of people from inside (which could be gathered from working there for a while, trawling social media, maybe reading Gruber’s emails, …).
> I do specifically and intentionally avoid using NPM, because of frequent compromises.
> I don’t mean it in the sense of software dependencies, but in the sense that some app you use would compromise you. You know macOS’ permissions are mostly security theatre. We know people inside Apple use third-party apps. I can imagine ways of exploiting that, given a bit more knowledge of people from inside (which could be gathered from working there for a while, trawling social media, maybe reading Gruber’s emails, …).
You seem to be waffling here between targeted and untargeted attacks.
There's a world of difference between compromising me or an Apple employee and compromising my software or Apple's software. You don't magically get the latter from the former.
Untargeted attacks are just looking for the usual stuff, e.g., money. They don't care about who the victims are or what else they have.
It would require a targeted attack to insert mallicious code into my software or into Apple's software. You claim, "I can imagine ways of exploiting that," but I don't actually believe you. If you can imagine it, then explain exactly how.
There's no evidence that anyone is targeting my software or that anyone has any reason to target my software. Even if I downloaded a typical malware app from the web, that wouldn't result in malicious code getting shipped in my software.
I'm not aware of anyone on the Apple Passwords team using my software, so if someone were trying to attack me to get to them, that's seems a bit fruitless, to use a pun. In any case, the chain from compromising me, to compromising my software releases, to compromising an Apple engineer, to compromising Apple software releases, is convoluted to the extreme and would require much more specifics than anyone has given here (or is capable of giving).
In any case, I'm quite careful—though not tin foil hat paranoid—about which software I download and run on my Mac, and I've never downloaded malware in more than 20 years as a Mac user. Obviously I'm careful about my own privacy and security, since I use Little Snitch too!
> You seem to be waffling here between targeted and untargeted attacks.
Why do you think it matters? Little Snitch is used by enough people that it would be completely worthwhile as just an asset. With an infinite budget you don't look for the exploits once you have the target; you accumulate the exploits, and use them as you get targets.
I don't know how you think these apps are useful for small-time criminals to exploit, but governments somehow wouldn't be able to figure out a use for them. It reeks of "I have nothing to hide."
Maybe they use Little Snitch just to figure out what you're running, use another exploit to get into that, get blackmail material on one of your family members through connections made from files on your computer, and offer not to release it and to donate $500K to your project (that they'll set up for you, and will come from some obscure European foundation's fund), or "invest" (with no expectation or even mechanism for getting a return) into your LLC if you insert code into your software. Or even simply accept a pull request, which will be totally deniable if the code gets caught, and the pull request eventually traced to a Chinese/Russian/Iranian/North Korean IP.
I have no idea what evidence you expect people to leave. The goal is not to leave evidence. Why would someone announce that they were interested in you or targeting you?
Yes, the number is silly. But that makes the danger even more relevant. They could really get it for a couple million to a couple of people, and double or triple that payment (or stretch it out over a long period) to make sure everybody knows to shut up about it.
(Taking this reply as an excuse to write a concurring rant...)
Also, once you've compromised somebody's integrity and got them on the payroll, why not use them for other things? They can join other projects, they can sit on foundation boards, they can become tech media personalities, etc., etc....
There's nothing tinfoil about this. It's cheap and easy. You could subvert every open source project in the world for less than the cost of one fancy plane, or a few fancy missiles. The CIA went in on a crypto company, got it to weaken everyone's crypto, and likely killed the son who inherited it from the previous owner. "Nation-state buying Little Snitch" is not some crazy fantasy, it's a mundane scenario (I'm sounding like LLM today, I think.) Even though OpenSnitch could be compromised even more cheaply, they show all their code.
Also, aggressors don't just use carrots, they use sticks. The Altman sister stuff for example (true or not, works even better if it's true) certainly seems like a stick. Top of the world, then suddenly a jury (easily subverted by a state) puts you in prison or takes away control of your company, and now you're killed (or "kill yourself") in prison or otherwise. Now your widower and your sister own the company, and they say yes to everything. If my multi-billionaire brother molested me, you'd never hear about it because he would have trivially given me enough money to forget about it and him. I wouldn't be filing any lawsuit. Makes me suspect that he's being resistant to something.
> Said motivation could be a nation state handing them $XXX million dollars
You're missing the most important part of the motivation here: why in the world would a nation-state give a damn about Little Snitch, especially to the tune of $XXX million dollars?
A nation-state could pay $XXX million to your significant other to spy on you. But again, a nation-state doesn't give a damn about you.
>why in the world would a nation-state give a damn about Little Snitch, especially to the tune of $XXX million dollars?
Per user hacked, it can be very cheap¹ compared to bribing anyone. And give data/access that SO can't get.
State is not interested in you until it does. Being Jewish, Polish, Gypsy, Gay. Or just WrongThinking. Or maybe it becomes super cheap and easy to process all information?
1: it can even be free. You either give us backdoor to all your users or you rot in jail. Here's a complementary beating up or pictures of your kids, to argument our position further.
> it can even be free. You either give us backdoor to all your users or you rot in jail.
It is already a thing, at least in UK and AU [1]:
> Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.
Well, that is obvious, is it not? It means They are interested in The Plan and have enough power that a vague comment is all you gonna get. Cannot have Them finding out that we are on to Them. Though of course, The Plan already accounts for that, so They already know and will do Something about it. Want facts? Wake up, do your Research!
In my previous company, we "simply" used fixed versions for our dependencies. And we had our own NPM registry that only had already approved packages for specific version. Approval required a security review by someone from the Security team… At first I was super annoyed by this. But I started to like this approach. It also reduced surprises while developing in a team… "it works on my machine" was rare since everyone was using the exact same versions. And moving to a newer version was done on a regular basis but it was an intentional thing we did.
they run it throuh a tool that checks online whether any cves relate to that version. They don't care whether you actually hit the vuln, if there's a cve it's "bad". That's usually the level i see.
I mean the union is correct in this case. Robots will replace jobs. A union’s job is to make sure there are jobs for people in the company they are already in.
Usually unions would speak the truth (“robots = jobs go away”) but pair this with some suggestions: eg trying to upskill the affected worker so that they can be moved to a different department).
While I was working in Germany I always felt better at a company with a strong union.
Fundamentally the union should be getting the workers a fair deal for their labour (conditions and wages); once the union starts interfering with the technical aspects or blocking labour saving investment it quickly sours the whole arrangement.
It's not even about blocking investment, they just want to make sure the employees still have jobs. You can invest if you find something else to do with the employee.
The main problem with unions in Germany is that they block companies from adapting to changes in the environment quickly. Companies become heavy behemoths and end up suffering from it, which ends up damaging their own employees as well.
I can try convince you. In unionized companies one can’t fire employees from the 53rd birthday. That makes them similar to care home at the end. Young folks come and go and are minority at the end. Dynamics decrease not from the size, but from getting old. Since the salaries are more or less the same the oldtimers have maxed out bonuses. What do young guys get? Basically nothing since the bonus pool must be distributed equally in the company.
I like the concept of the union, but I think that IG Metall is not the good implementation of that. At least not for white collar workers.
Isn’t “nothing is truly safe” a common saying on HN? Safe is an absolute term and since nothing can be safe people usually avoid using safe as a standalone attribution to something. It is usually qualified in some way.
I was just curious. This “nothing is safe” is just burnt into my brain and simply wanted to know the reason because it sounded so far fetched that safe is not absolute. But I totally agree.
They got sued, lost, and now they have to display it more transparently. Absent of EU specifics about how such prices have to be displayed, national courts can make their own rulings based on their national law.
reply