This is already the law. Since the "Stop Trading on Congressional Knowledge Act of 2012", they already have to disclose any stock trades made by themselves, a spouse or a dependent.

Because this hasn't fixed the issue, and most don't seem to have any shame, these recent laws (originally coming from Ds but Rs have their own version) prevent them from trading individual stocks while in office.

No where in the article do they use "output" to mean from the database engine; they use it to mean "outputting HTML".

No they're not. They're using the word "output" to mean "back into the HTML".

"So the better approach is to store whatever name the user enters verbatim, and then have the template system HTML-escape when outputting HTML, or properly escape JSON when outputting JSON and JavaScript."

The article says DON'T sanitize when putting it into the database. I think contextual escaping counts as "sanitizing input", so the solution of "don't try to sanitize input" is undermined.

"So the better approach is to store whatever [data] the user enters verbatim, and then have the template system HTML-escape when outputting HTML"

With this logic, someone could use a SQL injection. It wouldn't be sanitized as the INSERT is happening, so the SQL injection would be executed.

EDIT: I know he goes on to talk about escaping characters, but the title of the post is "Don't try to sanitize input". My point is simply that SQL injections happen on input, not output. His example of escaping the SQL is at odds with the title of the post.

This solution doesn't match the problem. Even the SQL injection example shows him sanitizing the input, which is at odds with the title of the post. Log4J is a more recent example of it being too late/useless to escape the output.

I think we agree completely!

Right now, his is ubiquitous because everyone has the same word. There's an odd network effect, where posting it on Twitter means something because everyone had the same exact puzzle. Nobody wants to see how you did on 6Word or whatever. It's a fun game, but it's not inherently fun (something like Scrabble already uses the same parts of your brain)... the fun comes from everyone having the same word every day.

He may not monetize it by selling it on the app store (honestly, who would buy? I think most people would just fizzle out rather than pay $1), but he'll definitely end up monetizing it in a unique way... the gigantic success of this will set him up for a huge number of opportunities (awesome job offers! promotions! raising money for a company! higher consulting rate!) that will last long after Wordle does.

If they allowed 3rd party app stores or let users install apps directly on their phone, sure. But why should Apple get 30% of a subscription between me and a company?

You could almost argue that it's worth 30% for the initial discovery in their app store (meh), but I just don't get how anyone could think it's fair for Apple to take 30% of a subscription, when developers don't have a choice but to use the platform.

That's SolarCity, and Elon Musk was chairman of the company long before Tesla acquired it.

Small nitpick, but AMO is just our internal acronym for addons.mozilla.org, which is where all the extensions come from!

I agree with everything you said, but I think the person you're replying to is less upset at the prosecutors/jury, and more upset about the laws in the first place. They protect the rich and powerful, and don't worry about the average person getting hurt.

Disney owns/co-owns ESPN, Hulu, ABC, Fox, A&E, The History Channel, Lifetime, Vice, 20th Century Fox, 21st Century Fox, Touchstone, Lucasfilm, Searchlight, National Geographic, FX, FXX... the list goes on.

Google? I think you mean Alphabet ;)

I think the problem with Netflix is there's a ceiling. Disney (which owns, like, all the IP out there... not to mention theme parks, sports and countless other things) is worth $288bn and Netflix is somehow worth $291bn!?

Sure, Netflix has some decent movies out there... but do you really think their catalogue even begins to touch Disney? Either Disney is undervalued (probably true) or Netflix is overvalued (definitely true), and Netflix doesn't currently seem to have significant momentum.

Source (Nov 2021): https://www.bloomberg.com/news/articles/2021-11-11/netflix-s...

EDIT: I posted a longer list of their IP below, but don't forget that Disney owns a majority of Hulu and their television/movies!

My favorite article from this site is The Missing Missing Reasons:

http://www.issendai.com/psychology/estrangement/missing-miss...

Agreed, and I highly recommend 1Password. But just because they've had problems in the past doesn't mean the framing of this article is fair. The title made me think everyone's passwords were compromised due to a leak or hack, when in reality the article is a rehash of a HN post from yesterday.

This is framed so negatively toward LastPass, which is unfortunate. They stopped all usage of correct passwords they believed were compromised, which is exactly what I'd want them to do in this situation. Them warning users their master passwords are compromised is a good thing! Yet it's framed as though they're admitting to something.

"However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere." That's really hard to verify. I think most users would say that rather than admit they re-used passwords (or used similar passwords that were easy to reverse engineer). Since there only seems to be 2-3 reports of this, and they're self-reported and not cited, it doesn't seem like LastPass was compromised.

I'm not saying I like LastPass (I use 1Password and find LastPass to be much worse), but I haven't seen any indication at this point that LastPass has been compromised at all.

(To be clear, it's very possible I'm wrong and this message won't age well. But so far, it seems like LastPass is doing its job, and I'd want to see more than this before jumping on the blame-LastPass bandwagon.)

Here's another podcast episode about it, and I remember it being really really good. They actually befriend a scammer who is pretty open about how it works:

https://gimletmedia.com/shows/reply-all/v4he6k

Clearly we both agree it's an insecure practice, since you felt it needed a warning.

Now that you know there's an official LastPass importer for 1Password, I'm curious why you're defending your version rather than updating your blog post, unlinking your original HN comment and deprecating the GitHub repo.

I believe you're genuine and just trying to help. If there's an attack, it wouldn't be you doing it – it'd be someone else replacing the binaries on an old 2017 post without you noticing. WordPress is just as insecure as phpBB. Like the other commenter said, "Just because you put a warning label on a bad practice doesn't mean it's a good practice."

There's a level of irony in complaining about LastPass's security, followed by suggestion people run their passwords through random third-party software that you wrote. Even if your code isn't malicious (which I believe), it opens up so many potential attack vectors.

For anyone reading this, please use the official 1Password import functionality, not this: https://support.1password.com/import-lastpass/