HackerTrans
TopNewTrendsCommentsPastAskShowJobs

dannyincolor

no profile record

comments

dannyincolor
·vor 3 Jahren·discuss
As usual on HN, I find the pragmatic response about 3 pages down in the replies to an extremely hyperbolic top-level comment.

I also don't want to diminish the concerns around Github or similar orgs losing control of a private key, but the far more realistic concern for the vast majority of threat models is often put to the wayside in favor of what amounts to a scary story. Rather than the straightforward key removal and replacement that this should be, I (and surely many others) have spent all morning combatting this specific FUD that cropped up on HN with leadership and many engineers. It's actually quite detrimental to quickly remediating the actual concerns introduced by this leak.

I understand that security inspires people to be as pedantic as possible - that's where some big exploits come from on occasion - but I really hope the average HN narrative changes toward "what is your actual, real-world threat model" vs. "here is a highly theoretical edge-case scenario, applicable to very few, that I'll state as a general fact so everyone will now wonder if they should spend months auditing their codebase and secrets". Put simply: this is why people just start ignoring security measures in the real world. Surely someone has already coined the term "security fatigue".

It's all just a bit unbalanced, and definitely becomes frustrating when those suggesting these "world is burning" scenarios didn't even take the available precautions that apparently would satisfy their threat model (i.e. commit sigs, as you suggested)

Ok, end rant :)
dannyincolor
·vor 4 Jahren·discuss
Most services I use integrate Plaid. I believe Plaid is just a federated authentication glue that accesses your bank's systems and is granted access to account balances and ACH details (routing/bank account numbers).

It always struck me as an odd product, since I can just plug my ACH info in directly, but it does provide some level of convenience by allowing, say, a roboadviser app to show the embedded balances of my other accounts.
dannyincolor
·vor 4 Jahren·discuss
I feel like the branding really shot it in the foot. If they'd named it something less "startup-y" sounding, and marketed it as secure, instant transfers backed by the banks themselves, they might be in a better position.

I still use it all the time since it's a superior to any other offering for instantaneous high-dollar transfers, but it always feels like a "Venmo got embedded in my banking app" type of interface vs. "my bank is offering a direct payment service to it's other networked banks".

Hard to define, but I do think the marketing/branding/rollout were more to blame than the merits of the service itself (IMHO, Zelle is great).
dannyincolor
·vor 4 Jahren·discuss
So, the current situation if you get scammed via Venmo/PayPal or other electronic payment methods is for the FBI / local law enforcement to subpoena the provider for records about the incident.

Now, imagine all that data is sitting on Federal servers by default. No subpoena required, and fraud systems would be integrated directly with investigative services at the Federal level. This integration should strike fear in the heart of anyone who currently scams via 3rd-party payment providers.

I am bothered that fraud isn't directly addressed in this page, but it's only an FAQ and it'd be silly to think the Fed wouldn't build industry standard (or better) fraud protections into a system they're building from scratch.