Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

Open source maintainers are drowning in junk bug reports written by AI

doublelayer Silver badge

Re: Just say NO

Isn't that what I said? They can simulate the detection of bugs. Sometimes, they can simulate it well enough that they'll actually make up a bug report about a bug that really exists. In order to get there, users are going to get several crap reports out first. Models that are intended to find bugs and trained accordingly can be tailored to the task better and can, with a lot of knowledge about their limits and how they're going to do it, be used by professionals in some cases. That is not the case for the people filing these reports.

doublelayer Silver badge

Re: Just say NO

"If MS genuinely want to train their LLMs on bug hunting, I wonder if they used their own, closed, source code in the training data? I bet not."

I bet they did, but on a specific bug-finding model which they don't release. They may release another one, trained only on public data because anything it is trained on might leak out and they don't want their internal code to leak. Neither of them will matter because these junk reports are generated by people using conveniently available tools like GPT and Gemini and Claude which all can write code and find errors in code and all sorts of specialized work as long as you don't mind them mostly being wrong when they do it. Those models weren't built to find bugs, so any ability to do that is one of a few types of luck.

doublelayer Silver badge

Re: A barrel of rotting fish...

Having seen and handled submissions to security reporting and bug bounty programs, I doubt it. You could do that as a disruption tactic, but mostly because it would let you hide in some noise. Whenever a bug bounty is offered, there are people who want to collect it and think it is easier than it actually is. Anyone setting up one is or should be deliberately choosing to receive useless or basic reports which they will have to reject in the hopes that actual problems are also reported there. If there are bounties involved, I'm sure lots of the AI reports are generated in the hopes of a payout.

However, there is also the well-meaning simpleton who really just wants to help. They don't have the knowledge to be a contributor, but they figure they can use these new LLMs, because after all they read that article about Google using AI to find more vulnerabilities, and those will find vulnerabilities for them. The coders will then be freed from their need to do the same thing and they can spend all their time fixing the things the LLM identified. The people sending in the prompts are unaware of the problems with LLMs. I've seen such people, not to my knowledge for security reports, but in many other areas. They're not helping, but they sincerely want to be and think they are. I contend that a lot of these reports are those two causes, meaning any deliberate disruption is hiding among that crowd, not making up the majority of it.

doublelayer Silver badge

Re: Just say NO

Because:

1. They don't have a database of all GPT outputs. That would take a lot of disk space, and as much as they like storing everything, they aren't actually storing literally everything.

2. They don't surveil every comment or message sent through GitHub, let alone those submitted by GitHub users on other mechanisms.

3. If they decided to do both of those things, comparing every issue with every GPT output with a fuzzy match would be really computationally expensive.

4. That is to say nothing of the privacy implications of all three of those things. I know big tech tends not to care as much about privacy as you or I would like them to, but there are still laws that would affect them if they did that.

Firefox ditches Do Not Track because nobody was listening anyway

doublelayer Silver badge

Re: Future of Privacy Forum

The organization that wrote this post is multinational. You don't have sufficient evidence to decide that the choice was made by Americans, especially as mangled or invented words are common in nearly every country. The EU, for instance, is so famous for doing exactly that kind of thing that they had to write a paper telling people that "planification" is not a word, among other examples of misuse. Not that Americans can't mangle with the best of them. Don't expect that you can find a country that is immune to this; if it's yours, your countrymen will happily prove you wrong.

doublelayer Silver badge

Re: Future of Privacy Forum

Operate isn't the right word in the sentence though:

"As a result of the lack of consensus on how companies should operate the DNT preference"

That sounds like they don't know how to set or read the header. I suggest "respond to", which gives us:

"As a result of the lack of consensus on how companies should respond to the DNT preference, most sites do not respond to DNT as a consumer’s choice not to be tracked."

doublelayer Silver badge

Re: If it's optional why is anyone surprised?

"That header could make it harder for web sites to claim they had my informed consent when i tell them with every request that i do not consent to tracking so it could be used in court when laws like GDPR are in effect."

There are two problems with this. To have an effect, you would actually need to get the company concerned into a court, which mostly doesn't happen even though GDPR exists. Even if you do, DNT is generally not considered sufficient evidence of your lack of consent because it is one bit which is automatically sent. Most users who are sending it don't know that they are, which is the reason the sites that ignore it provide when called upon to explain why they ignore it (evidently saying "we make more money that way" was considered too honest). That is sufficient evidence for a site to collect your "informed consent" some other way, and having done so, they will use that evidence in court and explain that it should outweigh a switch that applies to all sites and is turned on by default, or at least was at the time. Judges will probably accept that because, when you do give informed consent to one site, you probably don't alter your settings to omit the DNT header when visiting that site. A judge would and should test whether their proof of your consent is valid, but DNT is not going to work as evidence.

doublelayer Silver badge

Re: Tracking

Please post all your browsing history for the past week. Clearly, you must be fine with us looking through that because what harm could that do? Oh, and by posting it, you also give consent for me to sell that, along with any other data I can glean, to the highest bidder. Then the second-highest bidder. In fact, all the bidders that bid over the price I decide.

doublelayer Silver badge

Re: Tracking

Except that GDPR isn't really being enforced very much and DNT did not count as rejection of tracking. It didn't count as acceptance either, but it was sufficiently vague for sites to ignore it and use their other methods of collecting consent which are less automatic, less likely to get people to deny consent, and more random and thus difficult to plan for. Some of them might also not be GDPR compliant after all, but since nobody is enforcing, it mostly doesn't matter.

The problem with DNT is that it didn't do anything to protect users. It did come with two downsides. The small one: one more bit in a fingerprint. The large one: convincing users that this was actually helping their privacy when it did nothing at all.

Mysterious outbreak with high fatality rate in the DRC could imperil tech supply chains

doublelayer Silver badge

So 60% of a set doesn't qualify as many? Or 80% since I just said the vaccines existed, not that all were in common use.

doublelayer Silver badge

"Plus the comment about 'low vaccination coverage'.. Vaccinations against what?"

Against everything. The article lists several diseases: "acute pneumonia, influenza, COVID-19, measles, and malaria", and there are vaccines for many of those. The rates for each one are low in that region. Hence, there are a number of things that we already know about which could be the cause there. When an outbreak occurs in a population that is mostly vaccinated against those things, then it tends to be either a vaccine-resistant mutation of one of those or it's a new thing. If it happens in an area where people are not resistant to those, then it could be a mutation or new thing or it could be preventable deaths from something we wouldn't catch, and that makes it harder to find out what exactly was causing it.

doublelayer Silver badge

"Interestingly, if you were able to look into the future some 2~3 thousand years ago, and the time compression such a distance would induce, and the need to condense the global situation into a few words, would you describe the present times as a time of war, disease and famine?"

If I'm working at the global level, there's a reason to call it a time of war. You could make an argument for disease, but not as strongly at the moment. Famine is not a word I would use. While there are deaths from starvation, they're limited in location compared to my Bronze Age vantage point and most others have access to lots of food almost all the time.

If I'm looking at a global level with an understanding of percentages, no to all of those words. There are wars and diseases and famines, but they're quite small compared to populations. From my actual position in the modern day, that's no comfort to me, let alone to the people who are suffering, but in the unfeeling world of multimillennium statistics, the number of people who are not in a war zone are a larger proportion of the world's population than at many other times in the past. The same goes for those dying from a disease. A person living three thousand years ago, especially as that saw the relatively rapid collapse of several large civilizations, might want to know how likely individuals are to die from those causes, and they'd find that the answer is very unlikely compared to themselves.

Raspberry Pi 500 and monitor arrive in time for Christmas

doublelayer Silver badge

That may be true. As someone without a strong preference as I'm not likely to buy a 500, I would encourage the two who do have strong and opposing preferences to debate that. I can see why some people want the NVME capability, because a 500 is of most use as a desktop, and a desktop is also where you'll notice the slower speeds of SD cards most often. However, a lot of the people buying this are specifically going for a cheap desktop, so if NVME is that expensive to add, it would put some of them off. Without knowing the price, I could not even begin to estimate how large that tradeoff would be.

I do have to ask for more details about some of the basis for the higher costs you expect. Yes, the case would need to have two parts so you didn't have to break it to install the drive. You wouldn't need a hinge to manage that, assuming that's what you meant by "hatch". The 2712 already has support for NVME. Other than the case changes and the board components, are there other parts that I'm missing? And if those are the only two components, is the case really the more expensive of the two as your comment implies? At the scale of the production runs the 500 will get, how much more expensive do you think a two-part case would be? From the sound of it, the case already got redesigned, so it's not like they got to reuse 400 cases anyway, so we're mostly considering manufacturing cost differences. I'd have been less surprised if it turned out that the M.2 required some expensive component I didn't know about, but I didn't expect a case hole to be the biggest issue here. I have no manufacturing experience, so maybe I'm clueless about the difficulty of plastic cases. It is an interesting thing to learn about.

doublelayer Silver badge

Yes, I do remember netbooks. I remember how they died, even though I liked them, because some users refused to buy them because they were underpowered. That's exactly why you can't only go with cheapness; at some point something becomes too underpowered to be in demand. Netbooks could have stayed a niche product and tried to appeal only to enthusiasts like me, but they tried for a mass market approach without the hardware to match and a lot of people who bought one tried to do things the hardware was not capable of.

I don't know that M.2 is that for the 500. I'm not planning to buy one anyway, since although I have a bunch of Pis, I don't use many as desktops and when I do, I am fine connecting a keyboard of my own to it. I could see why someone might think it was, since that allows for significant speed increases over an SD card, and when I have seen people use Pis as desktops, speed is often something they comment on if they use it for long enough. However, most people using a Pi as a desktop are in the enthusiast category which should be more aware of the limitations and more willing and able to work around them, so that might not be as big an issue. It would probably limit people trying to sell them to the general uninterested user, but I don't think that's likely to work in the first place so it may not be a good reason to change the hardware. As I said in my original comment, I did not come to argue one of these sides. I came to explain how your disagreement about what was best was not entitlement on the part of someone preferring NVME. Those who have a stronger preference could discuss this with the reasons behind their preferences.

doublelayer Silver badge

Re: re: I suspect that last one isn't particularly profitable....

Why does this matter for most programs? Most of the time, you're not plugging your program into the init stack, which is why most programs run identically if there's systemd or not. In those exceptions, it's usually because your program is running as a service, so you need two service definition files, one for each system, and that takes about ten minutes. Only a few programs are going to interact with the init system in a complex enough way that the choice of one would directly impact the program. If that's your reason why homebrew software is being disallowed, I think your idea of homebrew software is probably not the most accurate.

doublelayer Silver badge

Re: Pictures, pictures, pictures

In a case that you put the main board in? That's at least what I've done. I have too many USB keyboards to justify buying another one that's probably of similar quality to the ones I got for free. Clearly, some people find value in having them integrated that isn't making sense for me.

doublelayer Silver badge

Re: Off-grid computing

You're going to need a pretty huge power bank. It's the perpetual problem of the Raspberry Pi, at least for me. I wanted to do so many things with them that involved powering them from a battery, and it always worked... for a couple hours, but my laptop worked for a lot more hours and my phone even more. There is a reason that every new Pi has come with the release of a higher current 5V power adapter. We just made the leap from the 4's 3A one to the 5's 5A one. In both cases, that's not actual power usage because those values are intended to provide lots of expansion room for peripherals. However, if you try to run a Pi 5 off a 2A adapter, chances are that it will work just fine for quite a long time until it suddenly doesn't and you have to get more power, something that is frustrating for the knowledgeable user and even more so for the user who thinks something must be broken because they don't know why the computer just rebooted itself.

A laptop with a more powerful processor might consume more power when at maximum CPU, but its CPU, unlike the Pi's, was designed to shut parts down when idle, meaning that average usage is probably lower. It also comes with a battery that's designed for that power profile, whereas the power banks you're likely to use are mostly intended for charging phones and do things like reassigning loads when multiple devices are plugged in, sometimes dropping power to all of them for a second until they've done it. The Raspberry Pi doesn't appreciate that. If you really need to run without power, you need to plan out your equipment more thoroughly.

doublelayer Silver badge

Re: re: I suspect that last one isn't particularly profitable....

"That said, I would like to know why there are so many 'Opened but never used' Pi 400s on ebay."

Probably a combination of two groups: A) people assuming that they can buy anything with the Raspberry Pi label on it and resell it at a massive markup. It worked for Zeros and during the pandemic, but some of them are going to be disappointed and I would expect those trying it with the 400 to be some of those people. B) people who thought the 400 was cool, but eventually decided that it wasn't all that different from a normal Pi with a keyboard plugged in.

"And why these machines are not being sold in high street stores to give them more penetration amongst domestic users."

The stores don't want to try to explain to their employees, let alone their customers, what Linux is and how they're going to have to image an SD card to make this computer turn on. Raspberry Pi doesn't want to try to convince stores to sell these with the typical retail markup when they can already sell them online.

"I would also like to see a simpler OS that would allow more homebrew software."

What about Linux is not allowing for more homebrew software? I can at least understand what a simpler OS would be, though not why you want it, but I'm not sure what is reducing the allowance for user-written software.

doublelayer Silver badge

"So you expect RPi to procure the extra components, integrate them into the design, and drop the price?"

Is that what they said? I don't see that in their comment. What I see is a suggestion that they consider adding M.2 support, potentially increasing the price, in order to have a better product. It would cost slightly more to have that on the board, but at the scale they're producing them, not a lot more. The chips they're using already support NVME, so the parts that would need to be added aren't very disruptive or expensive. They clearly believe that the enhancement would be worth the cost.

And that is not entitlement. That is a preference. They're expressing their opinion that the 500 is not as good as it easily could have been. You are free to express your preference that the additional cost would not justify the NVME support, and thus that the 500 as it exists is better than their suggestion. Then you could debate how much adding the hardware would have cost and how many people would have benefited from it, and probably at the end go away with the same opinions. None of that is a sense of entitlement.

doublelayer Silver badge

Re: Pictures, pictures, pictures

That would go against the nostalgia involved in having a keyboard attached to the computer. Maybe there's a benefit other than that, but I don't really know what it is. One fewer cable doesn't worry me very much, and it lets me have a keyboard of my choice. Still, they are selling enough of these that they made another version, so people must like having the keyboard and computer integrated.

doublelayer Silver badge

Re: Keyboard layout

We all get used to a layout. I don't think there's a better or a worse one, just a normal one and the one that you keep making mistakes with because the keys are in the wrong places. For example, if you're used to an ANSI layout*, you might get used to a longer shift key and dislike the little key they shoved in between the shift and Z key which you keep hitting when you want to capitalize something, whereas if you used the ISO layout and were now given an ANSI one, every time you try to run a command and hit something other than enter because they made it thinner would get on your nerves.

* For once, this isn't a US versus everyone else thing. ANSI keyboards, what has been called the US keyboard layout for this thread, are commonly used in a lot of countries, not just the US. ISO is common in many European countries, but most other continents have more ANSI keyboards.

doublelayer Silver badge

Re: Keyboard layout

"The reason why USians call it "Pound" is back in the day of 7 bit ASCII, on many serial terminals (and printers) sold in the UK, there was a switch or a menu setting that changed the "#" for "£" on both the keyboard and the screen."

Not quite. It goes back farther, at least as far as when someone needed non-digit inputs to a phone and decided to put a # on one of them. The United States called and still calls that the "pound key", in the same way that a lot of other countries call it the "hash key", and Canadians call it the "number key". Can I explain why those names got chosen? No, I can't. It does predate a lot of terminals and computer usage, though, suggesting that the names for the symbol might have come before both the phone and the computer usage.

TikTok appeals to have Trump – or Supreme Court – decide its fate later

doublelayer Silver badge

Using the "eye for an eye" principle, I could understand why someone might see it as fair. I don't believe eye for an eye to be an appropriate policy and I dislike mandatory joint ventures to operate somewhere, so I don't believe it to be fair. In addition, I could not accept that as an argument even if I did believe in it because that is not the stated reason for banning TikTok. According to the politicians that passed the ban, they are banning it because China's laws give the Chinese government access to lots of data from the app. I consider those concerns valid enough that I'm not going to use TikTok, not that I was very interested to do so in any case, but not sufficiently valid to justify a ban.

doublelayer Silver badge

Re: What are they actually worried about

I think your question stems from a misunderstanding of what the law as written says they need to do.

"Why don't TikTok just make the changes that were requested and continue to do business ?"

Because the changes that are required are to either shut down or to sell their app. If they shut down, they get no more money. If they sell their app, they get a one-time bit of money, but no ongoing revenue from a very profitable thing. That thing works the same way globally (except for China). That means that they either have to sell only the US part to a company which will now be able to compete against them with an identical product to theirs, or they have to sell their operations in every country except China in order not to create that mess for themselves. The least damaging situation for TikTok's current owners is a years-long administrative morass, which they don't have enough time to complete anyway, and would earn them far less than they would earn from operating their app normally. I'm not surprised in the least that they hate this and want to prevent it; they have no other good options. That doesn't mean that they'll get what they want, but they've been backed into a corner and predictably chose to try fighting their way out as hard as they can.

"What is it that they are actually fighting against ? Is it just the case of having a US based headquarters or is there something else going on which is less obvious to me?"

It's not about where their headquarters is. It is that the current owners, at least the Chinese ones, are supposed to not own it anymore. This law intends to remove them from control, which means removing them from ownership. They do not like this idea because they see TikTok as theirs, since they created and paid for it, and they want to keep running it. The law that was written does not have any middle ground for them.

OpenAI's Sora lets ChatGPT subscribers churn out janky text-generated videos

doublelayer Silver badge

Re: Next year's model

They have seen lots of gains by throwing more GPUs at the problem. I expect that their model will get a little better. Good enough that anyone can make unimpeachable video on a whim, no. Make something that doesn't get as many obvious things wrong, yes. They have money to burn to do that for at least a little longer. If they were thinking this through logically, they wouldn't have started this in the first place, so I doubt they'll choose to give up just because their product isn't very good. They won't be in a position to improve it quickly, but they can make some slow progress.

doublelayer Silver badge

Re: MVP

You expect that they would have a quality standard on one of their products? I'm sure they're trying to fix this, but for something that will only be used as a toy, it really can't be the top thing on their priority list. I'm sure others are working on generative video systems that can do a better job, but those will be aiming their products at things like animation studios which can afford to put a lot of effort into verifying and regenerating until they get something that they accept because they already do that and more for manual processes. OpenAI, on the other hand, is trying to sell this to individuals who don't have as good a reason to use the tool and likely not the willingness to use it in the ways necessary to repair the effects of a brute force training process.

Mr Intel leaving Intel is not a great sign... for Intel

doublelayer Silver badge

Re: Replicant Gelsinger

For a lot of manufacturers and users, if the integrated graphics can handle the basics, then that's one computer you don't have to make more expensive by putting an NVIDIA or AMD GPU in. You're probably correct about gamers, graphic designers, or all the other people who have dedicated GPUs. Still, I remember a lot more laptops coming with dedicated NVIDIA graphics chipsets in the 2000s than I see now because the basic GPUs are sufficient. I don't know how much of the market that was for NVIDIA. Judging from the demand for their processors for LLM training and cryptocurrency mining, they're fine. If you hadn't had that, would they care more?

doublelayer Silver badge

Re: "We'll know more about Intel's future when it gets a new CEO."

And at that point, we are going to have some problems. Sure, right now it doesn't seem like we're starved for good processors. AMD makes some pretty nice ones and the ones from Intel are, while more power hungry, still getting us some good benchmark figures at prices we can stand. Without meaningful competition, we have a lot to lose. The possibility that's often described is that ARM competes with AMD for desktop, RISC-V competes with ARM for mobile, and nobody needs Intel to be competitive. Maybe that will happen. I think it is more likely that we don't switch away from AMD64 fast enough that ARM and AMD are meaningful competitors in many areas. I also don't have the same hopes for RISC-V's meteoric ascendancy that some believe is around the corner. I think Intel's suffering will be ours too some day.

Alibaba exec trashes his own staff and customers, quickly apologizes

doublelayer Silver badge

Culture clash? I don't think so.

"For Fan, his comments represent a cultural clash – between harsh authoritarian leadership and the creative autonomy often valued in the gaming industry."

I know people who work in the videogame industry. I also know people who worked in the videogame industry. Those who worked almost universally left it because they were made to work long hours without autonomy. Those who still work there concur that they have both of those things, but are somehow into the videogame industry enough that they're willing to accept it. I don't think this guy is in the wrong industry. As programmers go, I think ones working on videogames both get and accept worse conditions than many others. This is probably one reason why he has managed to not understand how wrong his approach is, although some people have demonstrated that they can be that stupid without any reinforcement at all.

Huawei handed 2,596,148,429,267,413,814,265,248,164,610,048 IPv6 addresses

doublelayer Silver badge

Re: I have one major worry about IPv6

"Need to be careful, whilst many things eg. On prem Mail server, RDS server, PABX benefit from a static public address, the individual systems don’t need to have different public IP addresses."

I agree that user desktops, for example, don't need public addresses. If they get them thanks to IPV6, they'll need a strict firewall in front of them, which the default config will usually do.

There are often enough things that do need a public endpoint that having addresses for them is helpful. When I've seen ISP plans for small businesses, they tend not to give out very many. The last one I saw had options for two statics and six (six was a lot more expensive than two). A lot of businesses can fit their public infrastructure into six addresses. Some can manage with two. However, if someone has seven machines and wants them all to have public addresses, I want to give them that option. I could pack things together so that their machines share addresses, or I could just give them IPV6 and no sharing is required even if they buy an eighth one. That means there's a lot less complex configuration, fewer opportunities for things to not work until the network admin can be called in to reassign ports and clean up the DNS, and less opportunity for an ISP to overcharge people for providing no service, just a scarce resource that has no reason to be scarce.

doublelayer Silver badge

Re: I have one major worry about IPv6

While I grant you that someone wanting to claim a difference in the router could phrase that the way they did, that's not what they meant. What they meant was that a NAT connection has only one IPV4 address, and thus only one port 80, whereas an IPV6 network has more than one and thus more than one port 80. I'll concede that they should have said "network" instead of "box" in that sentence.

You're right that a lot of homes won't need very many, if any, connections. This doesn't matter very much to me. We can ignore those people and consider only those who actually care about inbound connections, and for any of them, IPV6 offers significant advantages. A Ring camera doesn't need to have a public port because it calls out to Amazon's servers and only talks to them. A privacy-respecting one might self-host, which you could do with a directly accessible public port or with a network setup of your own choice. Ring benefits if we don't get public access, whereas personal control benefits if we have that flexibility. Some people who currently don't understand why IPV6 would help them, including some who don't know what that is at all, would also benefit from that. Randomly changing addresses are also not much of a concern, because ISPs are unlikely to randomize the IPV6 prefix you were assigned because they have plenty of those, and your devices don't have to change their address at all. Some machines are set to do that, but that's an option, not a requirement. Meanwhile, ISPs generally reclaim IPV4 addresses if the network gives them up because they are a scarcer resource, so changing addresses are more likely there.

doublelayer Silver badge

Re: I have one major worry about IPv6

"(1), completely irrelevant to home and small business,"

Home I'll grant you, though some home users (me, for instance), wouldn't mind being able to publicly address multiple machines without a manually-maintained port forwarding and DDNS setup. When you consider CGNAT which prevents any public ports and covers billions of home users, there's another reason. But true, a lot of home users won't notice the switch. Small business is not so uncaring. Some small businesses actually have some infrastructure that benefits from public IPs.

"(2), mostly irrelevant to anybody using a load-balancing front end."

Rubbish. Load balancing does not eliminate the benefits of IPV6. You still put a load balancer in front of your servers here, but when you need to identify and locate those servers, you have an easier time of it rather than shoving everything into the 10.0.0.0 space and hoping that nothing overlaps. You can also have multiple addresses for multiple servers. If you direct all those addresses to a single load balancer because your load can take it, fine. If you want to have a different server outside the balancer, for instance one that you intend to be available in the case of a failure of the balancer, you can do that. Of course, most of the people who are in such a position have some IPV4 addresses to spare and do that because they have already paid for the ones they'll need. With IPV6, you won't have to participate in five-figure auctions for a /24.

doublelayer Silver badge

Re: I have one major worry about IPv6

No, it is not an implementation issue. It's not that your individual devices can't have their own port 80s, but that only one thing can receive packets directed to your only public IP's port 80. You can implement several ways to have traffic sent to different internal devices, such as:

1. Direct your traffic to one server which reads the request and sends it to whichever machine can handle that request.

2. Have a machine acting as a load balancer across multiple internal devices.

3. Have different ports forwarding to your devices and include those in the links you give to users.

4. Implement a custom protocol which includes a specific device identifier with every packet and make sure that whatever is talking to you speaks it and your networking equipment understands it.

What none of those solutions does is let you have a single IP and port, sent to one of multiple independent devices, because that is not possible. It is not possible on IPV6 either, and the reason that it can handle this is that you have enough addresses that anything you want to be publicly contactable can have its own address and all the ports to itself.
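Option 1 from the list above, a single front door that reads each request and hands it to whichever internal machine serves that name, as an added example that is not part of the original comment. The host names, the RFC 1918 backend addresses and the sample requests are all constructed for illustration; the point it adds is what the dispatcher has to do when the request gives it nothing to route on (an HTTP/1.0 client with no Host header, or two Host headers that disagree), which is exactly the information a per-device IPV6 address would carry in the destination field instead.

```python
"""Host-header dispatcher: one public IP:port, several internal machines.

Added example, not from the original post. BACKENDS, the names and the
requests below are made up for illustration.
"""
from typing import Optional, Tuple

# Constructed table: which internal machine answers which public name. All of
# them sit behind the same public IPv4 address and port 80, so only the Host
# header distinguishes them. Assumed names and RFC 1918 addresses.
BACKENDS = {
    "cam.example.net": ("10.0.0.11", 8080),
    "nas.example.net": ("10.0.0.12", 80),
    "blog.example.net": ("10.0.0.13", 80),
}


def parse_host(request: bytes) -> Optional[str]:
    """Return the lower-cased Host header of a raw HTTP/1.x request, or None.

    Only the header block is examined; anything after the blank line is body
    and must never influence routing. A request carrying two Host headers is
    ambiguous (the two may name different machines), so it is rejected rather
    than guessed at.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    host = None
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            if host is not None:
                return None  # duplicate Host: refuse to pick one
            host = value.strip().decode("ascii", "replace").lower()
    if host is None:
        return None
    # Drop an explicit port. An IPv6 literal is bracketed, so keep the brackets
    # whole instead of splitting on its colons.
    if host.startswith("["):
        end = host.find("]")
        host = host[: end + 1] if end != -1 else host
    else:
        host = host.split(":", 1)[0]
    return host


def choose_backend(request: bytes) -> Tuple[int, Optional[Tuple[str, int]]]:
    """Pick the internal (ip, port) that should receive this request.

    Returns (status, backend): 200 plus the backend when the request can be
    routed, 400 when there is no usable Host header, 404 when the name is not
    one this front door is responsible for.
    """
    host = parse_host(request)
    if host is None:
        return 400, None
    backend = BACKENDS.get(host)
    if backend is None:
        return 404, None
    return 200, backend


if __name__ == "__main__":
    # Constructed requests, one per outcome.
    samples = [
        b"GET / HTTP/1.1\r\nHost: cam.example.net\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: NAS.example.net:80\r\n\r\n",
        b"GET / HTTP/1.0\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: other.example.org\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: nas.example.net\r\nHost: cam.example.net\r\n\r\n",
    ]
    for req in samples:
        print(req.split(b"\r\n")[0].decode(), "->", choose_backend(req))
```

The dispatcher only works because HTTP happens to carry a name in every request; a protocol without such a field (option 4 in the list) would need one bolted on, and a client that omits it gets nothing useful back.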

doublelayer Silver badge

Re: IPv6 network topologies are a godsend

And what kind of block did you have in the 1980s? I'm guessing you had no scarcity problems because that's when individual companies were getting /8s or /16s. It's really easy to assign addresses in a network like that. What's harder is assigning addresses to a country that only gets /24s because all those big blocks already disappeared. I think the record is St. Lucia, which in fairness, is a pretty tiny country with only 150k people living there. They get one /24.

doublelayer Silver badge

"So I should basically be able to assign myself an IPv6 address and the chance of a collision with someone else's address is remotely minuscule."

You have two choices:

1. Get a normal IP block, which you'll get automatically if your ISP supports IPV6*, and assign yourself an address inside it. The chance of a collision is zero unless your ISP screwed something up, and if they did, you'll find out quickly and you'll have someone to complain to.

2. Assign yourself a random IPV6 address and your chance of collision is very small indeed. Your chance of actually getting any traffic is also pretty small, since that's not your address and the routing tables know it.

* Generally, residential ISPs give a /64 to the average customer, and larger blocks (/56s or /48s are common) if you ask for a dedicated block.

doublelayer Silver badge

Re: I have one major worry about IPv6

Yes, they are directly reachable, but you have to keep several things in mind:

1. If you have a firewall, they're as secure as your IPV4 addresses. You probably have a firewall.

2. If you have a firewall, but you have UPNP turned on, then your IPV4 boxes are punching their own holes in the firewall meaning they're more directly reachable than the IPV6 hosts are.

3. Finding and harassing a random address is a lot easier for IPV4, where I can sweep every address in ten hours from one machine or five minutes from a botnet, than IPV6, where your incoming pipe is most often the limiting factor to a random or sequential search.

NAT has often provided a basic firewall-like service to people who won't set up their own, although UPNP makes a lot of it worthless, but it is certainly not required. If you know why NAT was sort of helping, you know all you should need to set up a basic firewall or at least check that you already have one, and you should take that step. The rest of the people are why a lot of network hardware has firewall software on it, usually set to a basic config anyway.

I have a NAT setup over IPV6, which is intended as a privacy measure because it mixes lots of devices' traffic from one outgoing address which changes on a cycle. That isn't proven to help, I just thought it might and had some time to write the rule, but it also doesn't provide any security that I didn't already have with my firewall. If you prefer that method, you can have IPV6 and NAT together.

doublelayer Silver badge

In the whole address space, there are 2^n /n blocks. There are therefore 4096 valid /12 blocks. However, some of those are already assigned for local usage, some are assigned, and some aren't part of an open block.

Also, Huawei did not get a /12 block. APNIC got a /12 block. They then gave Huawei a /17 block inside it. In the whole address space, there are 131,072 of those.

doublelayer Silver badge

"I dimly remember that baryonic matter is estimated to be around 2^88 particles."

Where did that figure come from? I'm not sure it's correct. For example, the sun's mass is approximately 2*10^30kg. That's 2^101 kg. That would make for some very heavy particles even without including any other stars. Having searched for the information, I think you might have used this article which comes up with a number of 10^80 (2^266).

It's also annoyingly vague about what a particle is, as I am not a physicist. For example, is a neutron a particle? If it is, do the proton and electron that make it up not count as two particles? If not, will they when the neutron comes apart? When that happens, does the proton count as one particle or are we going to count the quarks and gluons?

doublelayer Silver badge

Re: Good for Huawei

I'm not sure I understand what your suggestion is, and I'm not sure your suggestion would work at all, and I'm not sure your suggestion would be a good idea even if it did work.

"Huawei has 18 regions ? Each region could use the full IPv4 range and, with NAT translation between regions, business is done."

The article says they have 39 regions, but I doubt it matters, so let's ignore that. So if I'm understanding your plan correctly, and there's a possibility that I'm really not, we're going to let all those regions use all 2^32 IPV4 addresses, minus some outward facing NAT endpoints. Just using the 10.0.0.0/8 block isn't going to be large enough. In that case, what happens when a customer is assigned the internal IP 104.18.4.22? How do they identify whether they're trying to access themselves or The Register (that's one of their IPV4 addresses)? For that matter, how do they identify if they're going for that address in a different cloud region? I understand how you can encode that into something the routers will interpret and redirect properly, but I don't understand how you identify it in the first place. Every server and application would need to know that there are at least three things any IPV4 address could mean: this region, the internet, or a different region which needs to be identified. Huawei-written software can be given a special address struct to do that, possibly just an 8-bit integer identifying the region or the internet attached to the normal four-byte address, but that won't work as well for user-written software. Software people buy in is going to have an even harder time of it.

Even if you did that, what would happen for all the machines accepting traffic that hasn't already been set up? NAT works well enough if you only open out, but a lot of those devices are the ones that people are opening out to, meaning they need to have somewhere to accept connections. A single IP can only host 65536 services before running out of ports. It's likely that any server will have more than one of those, as even a basic HTTP server generally has three (HTTPS, HTTP, and management, usually SSH). Lots of things use more ports than that, including internal devices making up the network. Is this really better than IPV6, and if so, why?

No, I can't help – you called the wrong helpdesk, in the wrong place, for the wrong platform

doublelayer Silver badge

Re: Warren's big mistake

Yes, it does, but in very general terms. Selling that number, even though they have a legitimate reason to have it, would be a GDPR issue. Giving it to every colleague of yours might be an issue but might not reach the bar. Using that number to let your manager call you when you are an employee is exactly why they have it. GDPR is not specific enough to distinguish excessive contact from normal contact and is the wrong law to try to use in that situation. For that, you will need something that explicitly defines it, such as a right to disconnect law if you have one or general employment law otherwise.

doublelayer Silver badge

Maybe this person had more reasons to expect calls out of hours. My phone remains on overnight. It never rings then normally, but if someone I care about does call, they likely have something bad going on that they need help with.

doublelayer Silver badge

Re: "They also didn't understand time zones very well."

I've seen that, and not just from Americans and Canadians. For example, a British person setting up a meeting for a time in GMT even though the UK was in summer time at the time. Fortunately they used the GMT label and not UTC, because if they had said UTC I probably would have believed them and used it.

doublelayer Silver badge

The problem is that there can be a fine line from a normal thing I'm happy to help with to people taking liberties that are causing problems, and it's not always systemic. As I said in a different comment, I have been fortunate that most jobs I've had have not abused their access to my personal contact information, which is why my colleagues tend to have mine.

However, I have had the problem with things like email. For example, when I wrote and maintained a piece of internal software, people could email me with support requests and I would be happy to answer them. Most users did this rarely, and in that case, I didn't object much even if their question could be solved without my help with the documentation we already had. A small number of users, however, decided that I should be emailed every time they had any question, no matter how minor, and that if I didn't respond quickly, they should just send more emails. That kind of thing can cause several problems. It wasn't my manager or my team. It wasn't even very many of the users. It was just a few people causing problems for everyone else. The risk with answering the odd call is that you suddenly get more odd calls.

doublelayer Silver badge

Re: Warren's big mistake

"If you're supposed to be on call and contactable by the company whenever, you're either high enough up the pecking order that your salary justifies this sort of thing, or you're paid to be contactable."

Or it's just expected, which might switch from reasonable to not reasonable very quickly. I've had several jobs where I could theoretically be on call any time of the day or night, and they did not run this by me beforehand, but so far, these have not actually called me in in the middle of the night so I've not complained.

Also, the HR database wouldn't be an automatic GDPR fail depending on what "unprotected" means. If it means that they didn't bother to have any access controls or to encrypt the data, yes, that's a GDPR problem. However, neither of those is necessary for your manager to use it to get your phone number, as that is data they would normally have a legitimate reason to access, for example if they need to contact you because you haven't been online for some time. It would be very difficult to make that a GDPR issue, as the problem is their abuse of the number, not their access to it in the first place.

doublelayer Silver badge

Re: Warren's big mistake

I agree, though I have so far been willing to let them send normal voice calls, SMS messages, or OTP codes to my personal device. Anything more than that and they can buy a device to do it. Their IT department gets no administration rights over any personal device whatsoever. Fortunately, I have never had that particular contact method abused by managers.

Amazon accused of cheating low-income Prime users out of two-day deliveries

doublelayer Silver badge

Re: Wait

You are correct. I found recent unemployment figures for the codes (they change a lot, but these are from 2024) of 15.5% and 15.8%. Those are quite high numbers, but that still means 84% in work.

doublelayer Silver badge

Re: This lawsuit is bravo-sierra IMHO

The problem, again, is not that Amazon decided that they weren't willing to provide the service. The problem is that they decided they weren't willing to provide the service, didn't tell those who paid for the service, continued charging customers for the service, and continued to claim that the payment was in exchange for the service they weren't providing. You are in a similar situation, apparently. If they promise something and, through their own fault fail to provide it, then they are short-changing you. If an ISP tells you that your line has 100 megabits per second but the highest you've ever seen is 23, they need to fix it or they're committing fraud. If they can't, they are perfectly able to cancel your service, relabel it as 25, and try to sell it again with the lower price that will likely be necessary for the lower speed. The same logic works for shipping times.

doublelayer Silver badge

Re: Exactly what the AG is doing

They may know about the thefts, although you're being rather extreme by blaming all the residents for crimes committed by... well, presumably some of the residents, but you haven't even proven that. They may not be aware of Amazon's responses to the crimes, because as the article demonstrated, Amazon didn't tell them this directly. For those who are actively stealing, the message is clear: don't have Prime, because you can probably steal enough to outweigh the benefit you would get from a Prime subscription. For everyone else, you're not only punishing them for things they didn't do and can't stop others from doing, you're also justifying charging them for the punishment. Would it be fair if companies started doing similar things based on the actions of someone who lives near you?

Cops arrest suspected admin of German-language crime bazaar

doublelayer Silver badge

Re: Criminocurrency

Bitcoin is as hard to spend as gold is. I might be able to find some people willing to sell me a house for some Bitcoin, but probably about the same number as those willing to sell me a house for gold. Every other house I might prefer will want cash. Fortunately for me, if I have either gold or cryptocurrency, I can sell it with relative ease, get some cash, and use that cash to buy stuff. There might be some money laundering required to put the cash into a bank account, but that doesn't differ depending on what form it started as.

Transferring gold or cash is harder than transferring cryptocurrency, but not so much harder that criminals haven't done just fine with it. This works pretty well at the small end, where small amounts of cash can be sent through the post (for markets like this, the things people are buying are also sent through the post), and at the large end, where many criminal organizations have set up special systems to manage mountains of cash. Some parts in the middle are the most challenging. Still, they've done it for a long time and, if they somehow lose their preferred tool, they can go back to it.

British hospitals hit by cyberattacks still battling to get systems back online

doublelayer Silver badge

The vagueness of the language leaves open the possibility that this did stay within the bounds of approved conduct, i.e. learning offensive security from others and applying it on machines where testing had already been approved. However, the vagueness (specifically, things like "after I had managed to hack it then I was able to prevent all the hacking") means there are several other options, including that basically nothing happened at all.

The original point is sometimes valid. People who are employed to work on security often find that either management has an existing plan for what they're supposed to do or restrictions meaning they aren't able to work on certain areas. Properly securing a system that already exists and spans lots of different groups can be a very difficult task in ideal circumstances, and circumstances are often very restrictive and painful.