Do you understand what OAuth is? It’s like an API key but less likely to be abused. This is a good thing. It helps security in many ways and makes security flows more safe than carrying around a token.
I really feel sad about the state of security and it's a bit hard to unwrap in one paragraph, which makes it more challenging. Let me try to be a bit more verbose.
Cloudflare API Keys - You create them and then use those keys directly against Cloudflare APIs to manage services/infrastructure in your account. How you create the keys may be a different kind of challenge.
OAuth flow in discussion here - You are using a third party service (which registers themselves as the client application with Cloudflare), this service is going to prompt you for OAuth flow and redirect to Cloudflare, not (only) to authenticate you but it will get an access token on your behalf (your Cloudflare account) from Cloudflare. Whatever this THIRD PARTY service uses this token for on your behalf is going to incur infrastructure cost for your account.
Yea and if you need to use that service then an API key does the same thing. People were giving these services the API keys which isn’t great. You can argue that third party services aren’t a good idea, but then why are you using Cloudflare? I don’t understand why you think this is a security issue, if you don’t trust a third party service don’t use it. You have to approve the permissions, they don’t just steal them.
Sorry if I was rude earlier but saying OAuth is some security flaw made me think that you didn’t understand what it was about; it’s just a way to grant permissions to a third party you trust. If you do then I’m curious why you think it’s flawed.
Maybe he doesn't. And I know that I don't (at least not in depth). And that's the frightening thing here. Using a protocol that many don't understand for access to valuable resources.
You go to a third party web site. They send you to your OAuth provider, like Cloudflare. Cloudflare asks you to log in if you’re not logged in, then asks if you want to give that party certain permissions. You say yes or no and then click approve and then you get redirected back to the third party site. They get a secure token and can use that to access the services with permissions you approved. If you don’t trust the third party then don’t approve it.
It is like an API key but you never have to touch it. The third party can encrypt it and store it securely and it never has to be copied and pasted. You can use this on backend services that need to access things too. I recently wrote an OAuth client for MCP servers for something I’m building (not gonna advertise here because that’s rude) and it’s very nice once you read the spec.
You picked probably the only semi-straightforward thing about part of one of the OAuth specs, then hand-waved away the other 95% of the necessary related specs, knowledge, and experience for getting an implementation working robustly and securely for a non-trivial use case.
Unfortunately American culture is cursed, you can’t expect it to fix itself after Trump leaves. Trump is ultimately a product of America’s culture over the past decades. He’s not the one who caused it, but he’s another symptom of it.
I don’t really want to explain why I think American culture has been cursed for ages, but this isn’t the place, my point here is that Trump is a criminal grifter and sexual assaulter and more, and that’s because American culture loves that sort of thing now and the road from high trust to low trust started 50 or more years ago, not just when Trump became an issue. He’s horrible and needs dealt with but so does American culture in general to prevent more Trumps.
We should just make gambling illegal online again, things were fine back when you couldn’t gamble online then, at least in the USA, the fucking supreme corpo guzzlers (formerly the Supreme Court) interpreted the laws according to their owners’ will and now we have gambling online.
Could you please stop posting unsubstantive comments and flamebait? You've unfortunately been doing it repeatedly, and we've had to ask you many times not to. It's not what this site is for, and destroys what it is for.
Usually I agree with your calls on things being unsubstantive, but this one kinda seems fine? I don't think it's flame bait, just emotive language? And the substantive point being made is that online gambling should be illegal.
(apologies if arguing about mod decisions is frowned upon, I didn't see anything in the rules about it)
You haven’t said anything, or at least I haven’t seen it. There’s no inbox here and I don’t always read old comments. If you have pointed it out before I don’t care, I haven’t seen it. If you want to point something out, then maybe email me about it the just time you see it, otherwise I’m not trolling through my old threads that often so you’ll have to accept that this is the first I’ve seen you ask.
I’ll respect your wishes but you can’t say you have told me anything if I didn’t see it here, sorry Dan but that’s only fair since there’s no way for me to see your message unless I randomly go back.
If you want to ensure people see these messages, then that’s a feature you’ll need to add. I’m fine with you using the email on my account for this purpose, too, but I’m not fine with getting a single message from you here and you expecting me to have seen anything else you’ve said in the past. As far as I’m concerned this is the first I’ve seen you ask me about this.
These are the previous moderation replies, and you certainly saw some of them, since you responded. Interestingly, sometimes your responses were positive and sometimes rather hostile (e.g. https://news.ycombinator.com/item?id=43877994). But we're not asking you anything different than we ask of others here.
There’s no flame bait here just some swearing and rough language. I’ll cut back because you asked (once, I’ve not seen your responses other than this one), but I don’t think I’m out of line.
Also if people were downvoting my comments it’d be different but it’s just you for a few recent ones down modding them, because before you get here they were up or even. Moderators should focus on those truly displaying bad behavior, I’m just swearing and saying relevant things.
I have a very long history of good comments here, arguing otherwise seems suspect, honestly.
I’ll back off like you say but I don’t agree at all. I’ve read the guidelines and tend to follow them.
Edit: I see like 3-4 questionable comments from me, two of which are barely questionable. I get what you’re saying about the language but it’s really amazing you’ve targeted me here today, this is such low hanging fruit here, don’t you have better things to deal with? I’ll write better comments but I’m just really annoyed at your characterization of my behavior, it is very unfair in my eyes. I’ve done very good comments for ages and emotional language like this is rare for me. I expect better from mods here.
I appreciate the expression of feeling here! I know it sucks to get upbraided by moderators (and we don't enjoy it either). But it's definitely not personal. The moderation response would have been the same regardless of user, since we're not focused on usernames to begin with.
What attracts our attention are, in this order: (1) a post that breaks the site guidelines; (2) the other comments by that account; (3) whether we've posted moderation replies to that account before. It's true that the username is what links (1), (2), and (3), but what we're paying attention to is mostly the content.
I think one factor here may be the tendency, which we all have, to underestimate the provocation in your own statements and overestimate it in others [1]. Those two distortions compound into quite a skew [2], and makes it easy to feel like one is being singled out or treated unfairly [3].
Beyond that, when you run across other posts breaking the site guidelines and going unmoderated, it's easy to jump to the conclusion that the moderators are biased or secretly agreeing with those other posts. But this is a mistake. Overwhelmingly the reason for this is simply that we didn't see those other posts. We can't moderate what we don't see, and we don't come close to seeing everything on HN (or even 10% of it) - there is way too much. [4]
This comment was unnecessary and very distracting from a far more interesting discussion in the replies to the commenter you are attempting to condescend.
Exactly. Gambling in the real world involved friction. That plus a certain social stigma if you gambled outside of “mainstream” casinos.
And this helped weed out all but the most addicted gamblers. Now there is no friction, the platforms are free to create dark patterns to encourage problem gambling, and the vice has zero social cost.
The dark patterns aren't just in online gambling. Nowadays, a lot of brick-and-mortar casinos encourage, or even require, clients to create an account (often framed as a "members club" or "rewards card"), which is used to track the client's activity at the casino and target them with promotions tailored to their behavior. These can be used in some really troubling ways, e.g. by identifying clients who may have a gambling problem and targeting them with promotions to come back to the casino more often, to stay longer, and/or to start placing larger bets.
The worst dark pattern I saw for gambling was in Lithuania: in supermarkets, they sell scratch cards right next to the credit card terminal. If you are a recovering addict, you just can't avoid the trigger, at the worst moment.
The court ruling was a good one, and anticipated. The federal government can either allow all gambling, or ban it all. They can’t pick and choose states where it may be allowed.
Before online gambling went wild in the US, most brick and mortar gambling was one of three sources: (1) Nevada (Las Vegas, etc.), (2) Atlantic City, New Jersey, (3) Native American tribes. There were also some other odd locations, like river boat gambling on the Mississippi River or "cardrooms" in California. As a result, most Americans did not live close to a casino. Now, you can do it from your smartphone.
And federal law said states other than Nevada and New Jersey had to ban gambling. The court said they can’t do that. They could ban gambling nationwide in federal law.
There wasn't some mass movement of people doing online gambling that led to the dam bursting and it getting legalized, though. Courts just made a different decision and opened it up one day and as far as I know there wasn't even mass lobbying about it?
>The Court announced a 7–2 judgment in favor of Murphy on May 14, 2018, reversing the Third Circuit.[25] Justice Samuel Alito wrote the majority opinion, joined by Justices John Roberts, Anthony Kennedy, Clarence Thomas, Elena Kagan, and Neil Gorsuch and in part by Justice Stephen Breyer.[26][27][28] The majority opinion agreed that §§ 3701(1) of PASPA commandeered power from the states to regulate their own gambling industries and thus was unconstitutional. It followed New York v. United States and reversed the Third Circuit decision.
Most states had lotteries before this though. At least those brought in tax money and were designed to be relatively fair. Online gambling can shut down your account and refuse to pay if you get too big of a payout, and their money isn't going towards public schools.
The problem with visual only loot boxes is that people will pay for rare skins and so everyone still gambles on that stuff. I don’t know if they solved that, used to be you’d buy the keys to unlock them and hope to profit from selling a skin. Adults should also be protected against dark patterns like this.
Sure but I’m not saying it’s not legal right now, I’m saying fuck the corps, free speech is for humans. Fuck the Supreme Court of a ~decade ago, too, for fucking this up.
Collective rights are real. We don’t need to sanctify them. But let’s not swing the other way. That way leads back to kings, where personal riches and power trump collective action.
My wife calls it sim sickness, because she can’t do any POV type games like racing or fps, too. She can play WoW or third person games if they’re zoomed out enough.
She also got motion sickness until she turned on the Apple dots.
Yah this judgment and arrogance is so annoying in tech. And worse it stops us from learning. Some of the best lessons of my career were when a new developer asked a question often taken for granted or we implemented a design pattern to make coding more approachable.