
I'm still weary of OpenAI being legally required to retain all of your data even if you delete it [0]. This means everything you expose to this tool will be permanently stored somewhere. Why isn't this a bigger problem for people?

Even privacy concerns aside… this would be the world’s most catastrophic data leak.

[0]: https://openai.com/index/response-to-nyt-data-demands/


Thankfully the New York Times lost their attempt to force OpenAI to continue preserving all logs on an ongoing basis, but they still need to keep some of the records they retained before September.

https://mashable.com/article/openai-court-ordered-chat-gpt-p...


I'm not so sure this is much worse than Chrome. Really in today's world if you're not browsing the web like multiple people are looking over your shoulder you're probably doing it wrong. And most of the steps people do to mitigate privacy violations (TOR, pihole, VPNs, etc.) probably make any signal you do put out more scrutinized. The one solution I do like is the iCloud private relay which I hope some reputable VPN vendors pick up soon.


My general understanding is that they browser-fingerprint you. And then if that fingerprint is ever detected on a site that also knows your PII, they have you. Is that the gist of it, or are there more shenanigans I'm unaware of?


"They" aren't that interested in PII. They're interested in assigning a unique identifier for you and building as detailed of a profile about you as possible, for targeting ads to you, and more recently tailoring prices to maximize value extraction when you buy something. Focusing on the narrow definition of "PII" as it usually is defined in law is a total distraction. Your email address and name are irrelevant for all of that.


By default, I believe that anything you put in the "omnibox" is sent to Google - even if you don't press enter. So, if you use it as a clipboard of sorts and paste a secret / token / key, it should be considered compromised.

You can validate this by going to chrome://omnibox


> And most of the steps people do to mitigate privacy violations (TOR, pihole, VPNs, etc.) probably make any signal you do put out more scrutinized.

If you're using them correctly there is no way to scrutinize your traffic more, these comments just spread FUD for no good reason. How are "they" unable to catch darkweb criminals for years and even decades, but somehow can tell if it's me browsing reddit over Tor?


My take: if you do it correctly you're a very small minority of people and most would probably be concerned at your level of paranoia if you told them every detail of your setup. Turns out opsec is pretty difficult to achieve. Also unless you're a criminal you're probably wasting a lot of time for no real gain.

I use a pihole, ublock, a vpn for some devices, and I'm using my own OPNSense router w/ very strict settings. The amount of privacy I think I have from all that is next to nothing if someone were actually interested in what I was doing. I'd probably just get one of my boxes shelled and that's the end of that. Mostly what I'm trying to do is block 1) Some for the lulz Russian teenager 2) the shady ad networks hoovering up everything all the time and 3) my IoT devices like TVs and Hue light bulbs from ever accessing any part of the rest of my network.

You'll also notice that darkweb criminals are getting caught more and more frequently these days because governments have decided to no longer tolerate it. I feel bad for you if you're in a ransomware gang these days.


And if you do follow these arrests you'll notice that it's old-fashioned investigations that catch them, by tracing behavior, log-in times, etc. The comment I was answering was implying you lose anonymity by using these tools, which you don't.


There are two distinct concerns here.

One of them is personal privacy. For example, an activist being individually targeted.

The other is behavioral targeting, which has no business in catching criminals. It wants to know how large flocks of people behave online.


Does Google have my .env files that I've opened via Chrome?


It has yours and your next-door neighbour's as well.


You are so me, exactly.


They literally created a precedent that it's for use in legal cases if required… why would you want your entire digital life subject to subpoena?


Given that most of society already uses Chrome with Google search on their adware-ridden Android phones, it's not much of a change from that.


I think you mean wary, not weary.


Why not both?


Yes, yes.


Weary (tired) or wary (afraid)?


> Why isn’t this a bigger problem for people?

I have friends who are in tech and perfectly aware of the implications but prefer the low effort route. They feel that A. they are not important enough for someone else to care about and B. there is so much data that it is unlikely their data will be seen by anyone.


> Why isn’t this a bigger problem for people?

Same reason why Chrome and Gmail won. People don't care. Even most people on HN don't care if the tool is slightly better than the competition.


I conditioned myself to not type too-revealing texts about myself into the computer. It isn't ideal but of course this is quite a big problem.


> this would be the world's most catastrophic data leak.

Why?


Because sama has mentioned that a heck of a lot of people use ChatGPT to discuss some of their deepest secrets and fantasies.


So the world's most embarrassing data leak, but "catastrophic" is stretching it.


I think you meant wary.

wear·y /ˈwirē/

adjective
1. feeling or showing extreme tiredness, especially as a result of excessive exertion. "he gave a long, weary sigh"
2. reluctant to see or experience any more of; tired of. "she was weary of their constant arguments"

verb
1. cause to become tired. "she was wearied by her persistent cough"
2. grow tired of or bored with. "she wearied of the sameness of her life"

war·y /ˈwerē/

adjective
feeling or showing caution about possible dangers or problems. "dogs that have been mistreated often remain very wary of strangers"



> Single sign-on (SSO) is a mechanism for outsourcing the authentication for your website (or other product) to a third party identity provider, such as Google, Azure AD, Okta, PingFederate, etc.

OK, so SSO==OAuth.

What TFA doesn't mention is that we're enabling surveillance capitalism by SSO.

"Who owns the customers" might well be an SMB consideration.


Agreed, they’re conflating things like Google Sign-in with enterprise offerings like SAML. Companies generally give away Google Sign-in for “free” as it’s a great growth vector and gives SMEs a sort-of SAML setup for low cost. It’s also really easy for the vendor to support: you just click the button and you’re in.

Granted, it lacks some of the benefits of SAML, such as permissions assignment from a central source. But this is also why those features are so pricey: enterprise organisations derive the most benefit from it, and have a team dedicated to its maintenance.


They aren't conflating anything. OIDC or SAML should not be "taxed" extra.

I do work for a number of small businesses and they can't afford the "enterprise cost" for things, so there is a shared password vault instead because there is no centralized management of users.

The small businesses all have some form of SSO available, whether they are using Azure Entra ID or Google Workspaces, they have a central location for users, but the cost is prohibitive for most products to get the upgrade to get access to SAML or OIDC for SSO.


> OIDC or SAML should not be "taxed" extra.

But it costs extra. That cost is passed on to the consumer.

The major hurdle is that it's expensive!

Take a typical small business SaaS - providing SSO instead of standard passwords can take more time and effort to purchase or develop and to roll out than the actual SaaS software.

Okay, let's say you buy SSO: offloading to a service is going to cost a minimum of an extra $20/month/user.

Building it? That's going to take months of developer time, not to mention that this is a high-touch/high-feedback feature, which is going to eat up the service employees' time.

And then the rollout, which almost always needs a month of external consultants getting everything working correctly.

I'm doing a small SaaS, $15/user/month; if anyone has any good recommendations that aren't going to cost me a quarter of my current sale price, I'm all ears.

Even if it's DIY, as long as I don't burn a month of dev-time just for integration/deployment.


There likely is an off the shelf OIDC SP provider you can use for the actual "hard parts".

If you already use something like "Sign in with {Google,Facebook,Twitter,Apple}" you are already doing part of it.

I have built several products now with OIDC support for authentication (not authorization) and it has never taken more than a day or two to wire it up.


My advice would be to wait until a big enough customer is willing to pay through the nose for it. You’re “lucky” in that you charge per user so it’s easy to model into your pricing :)



To be clear, SMBs should be allowed to use Google Sign-in or Azure’s equivalent for the base pricing. I think this is table stakes for features (and security).

SAML? No chance. SMEs don’t need it and my comments above explain why vendors will never offer it.


Google Sign-In is locking people to using Google's infrastructure. If an SMB has already deployed using Azure you don't get access using SSO, instead you have to fall back to username/password?

Adding support for OIDC is not that difficult. I prefer OIDC over SAML anyway, but neither is that difficult.


> Adding support for OIDC is not that difficult. I prefer OIDC over SAML anyway, but neither is that difficult.

Since it seems that you know what you are doing (and you've done it before), how about a blog post detailing the steps one would go through when writing some SaaS app for a client who wants SSO?


The issue isn’t writing the code. It’s everything that comes after in terms of user support. The systems are relatively easy to integrate with libraries or products like Auth0.


> It’s everything that comes after in terms of user support.

That's the detail that I need, actually.


In which case, I’d look at the documentation that companies put out for SSO to get a feel for the types of issues your customers will face. Make sure your system logs everything (or pay Auth0) and provide this as a feature. It’ll cut down a lot of support calls.

Budget in time for your engineers to sit on support calls and directly work through them with customers. Document every issue you see for your support team. If you can, hire a semi technical person to do this support (especially if you want to scale up). It’ll take a load off your engineers.

If your permission system allows it, enable IDP-initiated login as a must have.

Have a strategy for if a customer locks themselves out with a bad configuration. You'll need either to force them to have a password account or a way to reach out to Support to turn it off for them to try again.

After that, honestly, the issues will be a grab bag of things. They’re generally one-off issues per customer but they can take time while you resolve them.

Finally, most customers are great and get it. Some are great and don’t get it. The last group think they know more than you and clearly don’t. They’ll eat up most of your time.


If it requires configuration on the user’s end then it’s no better than SAML from the vendor's perspective. We’d much rather choose specific providers to hook into, based on the likelihood of increasing sign-ups.


The SMB is the customer, they should already have a single place for all their users and for authentication.

SSO doesn't have to be Google, Azure, Okta, PingFederate, you can run a stand-alone instance of Keycloak for instance and have OIDC and SAML available to provide SSO functionality.


Probably more the M than the S in SMB.

I'm fond of saying "Everything is easy, when you know how to do it", but getting these security details absolutely right isn't entry-level.


The system as a whole will probably optimize for engagement, much like what is already happening with current media, just at hyper speed.


Very cool! I made something very similar to this as a VS Code extension[1]. Inspired by the bullet journal method.

[1] https://marketplace.visualstudio.com/items?itemName=blt.blt


This is really neat. It's similar to the BuJo rapid-logging-inspired system I handspun for myself around Markdown a few years ago that I outlined here:

https://news.ycombinator.com/item?id=21580133

I've since quit using that one because too many Markdown editors have forgotten that tabs are legal whitespace after a UL bullet, and that there are three different UL bullet characters (and it really doesn't help that the CommonMark examples page only documents `-` and `*`, even though `+` is part of the CommonMark spec too). In particular, without the tab support being implemented, there's no fixed gutter for the BuJo-style sigil and queries get much harder.

But I do miss the idea of those simple bullets. I may have to check out your extension.


When I saw the OP's format, I immediately wanted a VS Code extension for it. This looks great, installing it as we speak.

In fact, I like your format slightly more, because when I complete tasks I usually just delete them -- no need for a checkbox.


Zensurance | Several Developer Roles | Toronto, ON | ONSITE

Zensurance is disrupting the commercial insurance industry in Canada. We're looking for front/backend devs (React/Node) and UI devs (Tailwindcss, styled-components). We offer competitive compensation packages based on skill/experience.

We're solving complex problems to manage the complexity that arises with different carriers, coverages, industries, and unique business operations. We are backed by a large insurance carrier and are growing quickly. We believe in employee autonomy, experimentation, informal engineering standards and knowledge sharing. Send us your resume, or even better, some code, and join our team!

Contact: kevin [at] zensurance.com


Zensurance | Full-stack Web Developer | Toronto, ON | ONSITE

Zensurance.com is changing the way small business owners manage their commercial insurance needs. Our recommendation engine assesses a company's insurance needs (e.g., based on peers, industry risks) and then recommends the optimal package. Our fully digital experience then allows the customer to get multiple quotes, purchase and manage without ever having to call or email a person.

Requirements: React / Node. A CS degree or show us an app you built.

Apply Here: https://angel.co/zensurance/jobs/286427-full-stack-developer


Can you use this across collections?


Hi - I work at MongoDB - Yes you can.

Documentation is located here:

https://docs.mongodb.com/master/core/transactions/#transacti...


For Mongo, with existing features or the new transaction feature, is it possible to access the IDs that are generated during the update, to use on subsequent updates as references, without needing to return to the DB client to process or build objects? Could be across collections also.


Zensurance | Full-stack Web Developer | Toronto, ON | ONSITE

Zensurance.com is changing the way small business owners manage their commercial insurance needs. Our recommendation engine assesses a company's insurance needs (e.g., based on peers, industry risks) and then recommends the optimal package. Our fully digital experience then allows the customer to get multiple quotes, purchase and manage without ever having to call or email a person.

The general requirements are:

2 to 5 years of software development experience with web technologies. React / Redux / Node.js. A university degree in Computer Science or Software Engineering, OR show us an app you built that blows us out of the water.

Apply Here: https://angel.co/zensurance/jobs/286427-full-stack-developer

