Major YouTube channels are typically managed by multiple people through the channel management features and brand accounts. I don't think it's possible to even log in to the brand account (which has a generated email address like channel-000000000000000000000@pages.plusgoogle.com); instead it can only be accessed through an authorized user's account (which are distinct from the channel, i.e: it's not the email address that would be surfaced by this attack). Granted, things have changed over the years, so there may be old channels lingering with Google account linked email addresses, but from what I can tell, all channels were converted a while back.
edit: My hunch is that the channels the OP's attack was able to target are not actual channels but rather YouTube users (who have a "channel" because that's how YouTube represents users): so "YouTube User" is the correct description of this attack, which is distinct from what you're thinking of as a channel.
I think this is a vast overestimation. The majority of people notice every payment they make every month, a Netflix subscription is a choice that they would not continue to make if they were not using Netflix. Those of us who can afford to pay Netflix whether we watch it or not are the minority of wealthy people. I think you would be surprised to learn how many normal people juggle different subscriptions by cancelling/subscribing each month.
I have personally met people who, like me, really don't have cash to splash; but who, unlike me, and to my surprise, have literally told me "I pay for all the streaming services every month, whether I use them or not, there's no way I could be bothered to cancel/re-subscribe". So, from my limited anecdotal experience at least, no, it's not a vast overestimation, and in fact it's probably often not about how wealthy people are either - it's about how many people out there are willing to pay for the privilege of set and forget, rather than having to think about one more thing on a regular basis.
I think both statements are somewhat true. And we can look to COVID to see some evidence of this because when everyone was suddenly home and wanting to consume TV, Netflix had to lower the bit rate on even their premium tier to keep up with demand.
If Netflix wasn’t relying on a degree of inactivity within their infrastructure then they wouldn’t have needed to lower the bit rates.
It makes sense, when you think about it. Over provisioning is a common practice when dealing with expensive finite resources. For example ISPs have been doing this for decades, offering households higher individual bandwidth than is available if every household within a local radius was to fully max out their throughput. VMWare also offers this to allow individual VMs to consume more RAM than the total available on the host.
The key is not to over provision so much that it becomes noticeable under “normal spikes” — and I think we can all agree that COVID was anything but normal.
Please consider getting in touch with a problem gambling hotline. This isn't Internet snark--going into debt to play the stock market game is a serious red flag.
NVDA's market cap was already 12.5% of the entire yearly US-GDP; at a P/E of 10 or 20 once their growth slows, to me that implies that their profits are expected to be 0.5-1% of the US GDP. Just nvda alone, not the LLM foundation models + application layers and so on built on top of their hardware.
Even in the most optimistic case, I find it hard to imagine that nvidia alone captures much more than 1% of the US GDP as profits for the next 20 years or whatever their investors' horizon is.
Nvidia's P/E numbers are lower than almost all of their major competitors. You can't look at Nvidia's ratio alone and say "this seems overvalued" without also acknowledging the fact that the entire industry looks ridiculous by the same analysis.
I'd even agree with that argument, I just don't think it's the one you're making.
I think we agree - my response was narrowed to respond to "NVDA is going to soar". The whole segment looks overvalued and the implication (at least to me) seems to be that AI will capture 10-20% of GDP in profits (not even revenue) starting soon for 10-ish years.
I don't have the numbers, but I wonder how "internet company" (very loosely) profits compare to GDP - I could imagine the AI ecosystem reaching similar profits eventually.
Btw, imo their P/E is mostly this good because they're currently selling hardware at margins better than many software companies, I doubt that this will/can last. For example, when FB/MS each are spending $50B+/a on GPUs, can they justify say $100M/a on a crack software dev team to make their stack work on other GPUs (ie replace the oft-argued CUDA moat within a year or two)?
Yes, you need to get better at filtering. Yes, it has always been like this. Public job listings have always attracted mostly junk.
The typical good candidate becomes a good candidate through years of experience. The years of a good candidate's experience have exposed them to many people, many people who would love to work with the good candidate again. And so when the good candidate is looking for a new opportunity, or even when they're not looking, there's a bunch of people waiting in the wings, longing for the opportunity to hire them. A good candidate is probably not going to end up trawling job listings. A bad candidate probably is.
Public job listings aren't all bad as they can bring in candidates that you might not have otherwise encountered... and these can be very influential and beneficial hires, but in general, public job listings are for the people who couldn't find a job otherwise. You're looking for a diamond in the rough.
Your company is doing the right thing by pausing the search, it is a very bad use of time. Find people through the founders' and employees' personal networks. A vouched-for candidate in the hand is worth 1,000 applications in the bush. If personal networks aren't an option, the alternative is to do what candidates hate: keep your applications open without the goal to fill a specific role by a specific date but rather to wait for the right candidate to come along.
The best hires I’ve ever been around have been from a previous connection to someone. It’s so much easier. Unfortunately, none of our small team had someone fitting who wasn’t looking to make a job change at this point.
I do have a few friends that may be interesting within the next quarter though, so I’m crossing my fingers.
Some companies are just very selective, i.e: they're hiring the right people not the best candidate. Most of us get jobs because companies need to fill a role and we're the best candidate of a bad bunch... most of us (whether we have 22 years and a fancy title or not) would not get a job at a company that hires carefully because we're probably not a good fit for their very niche view of what a good hire is.
I agree and there's nothing that disincentivizes companies from "over-soliciting applications". Having 100000 applicants vs 100 has no downside other than:
1) you need to literally post your application URL more places.
2) you might not get through skimming or auto-screening / OCR-ing all the resumes/apps.
From an incentives POV, the job application space does not properly incentivize saving the mental energy and time of either recruiters or applicants.
Automation and reduced friction have made the situation a kind of arms race and mess.
It makes total sense for a startup to be highly selective. But being overly selective at the CV/application stage is dumb. If they really do have some really highly specialized requirement that should be on the advert. If they don't then having a high rejection rate at the CV screen stage is going to be easy - it's easy to reject people, but you're overwhelmingly likely to screen out the few candidates that are actually a good fit. So sure, expect a low success rate but a low reply rate is an indicator the company isn't serious about hiring.
If you're getting so many applications that you have to apply such a harsh screen that you're likely losing most of your good candidates via false negatives then you shouldn't be soliciting more applicants to apply. This is what this thread is about - if you're saying these guys are getting so many applications they have to start just brutally cutting CVs almost arbitrarily then they definitely shouldn't be posting on HN about their vacancies. Not least because they're poisoning the well.
This is a real issue - I once got approached by a recruiter for a company, it was a good fit, I think I would've walked the interview and been a great hire - I'd heard of them before. The founder had acted like a dick head to one of my friends, I just immediately turned it down. There is a cost to very publicly treating people poorly. People don't seem to understand that these things that big companies might get away with due to scale, smaller companies cannot. People talk.
> And neither does a guilty verdict in a court of law
We all agree to live in a system where a guilty verdict reached by a jury of your peers means that you were legally found guilty. That still doesn't technically mean you did it, but it does mean you are legally deemed guilty.
Is the court system flawless? Absolutely not, I've seen that first hand. But guilt, in a legal sense, has a definition and is directly linked to that jury verdict.
I think that's just a quirk of HackerOne's username system. The username daniel was previously owned by another account (now known as daniel-hamid) which submitted a bug to Adobe. If you go through @hackermondev's tweets (starting in 2018) they are without question a kid (making games in Roblox and Minecraft) and then started to show an interest in hacking in 2020 (which lines up with when they created their HackerOne account). The claim of being 15 years old is plausible (presumably with parents / guardians who are accomplished in technology).
As you say, it depends on the person but I think for most people an acceptable definition is "deanonymization reveals PII". What qualifies as PII depends on the context/jurisdiction but typically an IP address would be considered PII whereas country (or a similar broad region) would not.
The counter point is that anyone who cares about being anonymous is using methods to disguise their identity that cannot be compromised by this attack, e.g: a VPN. Plus, there are much more effective versions of this attack, like sending a link to an endpoint that you control -- getting someone to click a link isn't hard if you're considered trustworthy enough to send them notifications. And less technical versions, like correlating when the user is online vs. offline with timezones around the world.
The method that both Apple and Cloudflare use in their own privacy software (iCloud Private Relay for Apple, WARP for Cloudflare) is specifically based on the idea that your region is not information that reveals your identity. If you enable Apple Private Relay, your origin IP will be obscured but the IP your traffic is routed through will be in the same country -- same principle.
> The counter point is that anyone who cares about being anonymous is using methods to disguise their identity that cannot be compromised by this attack, e.g: a VPN.
Yes unless Apple is doing Apple things and ignores VPNs for things like push notifications…
Not everyone who indirectly cares about anonymity is an activist who feels they need to go to great lengths to disguise their identity. Sometimes anonymisation is part of a process, and the ability to collect potentially deanonymizing data this way is still a privacy breach.
E.g. imagine sending otherwise anonymised participants in a clinical trial a questionnaire, containing an image. The owner of the image could then partially deanonymize the trial participants. Or voters. Or demonstrators in a rally.
Not everyone who cares about privacy is Edward Snowden material.
I am not sure I understand what you mean by "trustworthy enough to send them notifications". Do you need anything other than one's phone number to send them a signal message?
The recipient would need to have this enabled, though it is by default. You can deactivate allowing others to initiate chats with you from your phone number (Settings > Privacy > Phone number)
On iCloud public relay, go to settings and select “use country and time zone” instead of “use general location.”
Now you’re no longer “within 250 miles,” hell my phone geo IPs everywhere from Louisiana to New Jersey, which are not even “in my time zone,” but there you go.
This setting was pissing Meta/Facebook off big time because they also couldn’t narrow me down to a precise geographical area, resulting in much nagging and whining about “was this you signing in from [shreveport]?” and frequent account lockouts, password resets, and endless requests to approve my logins from a device that’s already logged in before I finally said to hell with it and deleted FB a few days ago.
I figure if a privacy setting makes Meta mad, then it’s … probably … a good setting. Must really irk them trying to sell location relevant ads when my state changes every other time I unlock my screen.
It’s a combined behavior of using private browsing and refusing to install their app, thereby giving them a permanent supercookie no matter what my IP is, so if you don’t like the sound of this it [might not] affect you if you use their apps. “X” does it too, just look up “inferred identity+ twitter” on google.
I’m editing out a tall claim in the last paragraph of this for some other time when I’m less tired and have sources next time we’re on the subject.
What's old is new. Does anyone remember the forum signatures that would display the viewer's IP address and location on a little wooden signpost held up by a troll-looking creature?
I was fascinated by this once I learned how it worked. At the time I was learning php and wrote a script that would draw graphics based on the requesting ip address and return as gif, then used that as my avatar on a few phpbbs. Learned a lot.
My friend would figure out the username, but he never did it maliciously, just for the challenge. Forums would show you which user was viewing a thread...
https://support.google.com/youtube/answer/7001996?hl=en-GB