If that were the case then the other statements within bullet 1 are completely irrelevant, and the relevant information has been omitted. That would be a far greater assumption than taking the statements at face value and connecting the information we have into coherent logic

TBH that’s a logic fail on your part.

In bullet point (1) we have two important statements

Statement A: “I can’t make the food”

Followed immediately by the explanation…

Statement B: “I am dealing with an illness that makes me unable to eat solid foods and extremely sensitive to smells”

The only way Statements A and B can be related is via the smell. Being unable to EAT solid foods wouldn’t prevent OP from MAKING the food. The only possible explanation is that the sensitivity to smell is what makes them unable.

That’s, like, really basic reading comprehension skills. 🤷

ENORMOUS +1 for Sunshine + Moonlight. I’d play just about anything shy of a twitch shooter on it, if your network is nice and stable

Let em figure it out. Wasting their time is a core strategy in reducing their impact and will to continue cheating

I certainly didn’t share it myself but it’s possible my old boss did!

TBH, in my very personal opinion the third party anti-cheat apps are like 50% placebo. Just makes people feel better. They are very protective of their “secret sauce” but I can say none of them are anywhere close to perfect. The thing they’re best at is taking the easy stuff off our plates so we can focus on the more difficult problems of hardening the game itself and analyzing telemetry.

For the same of checking uniqueness it’s probably fine to just ignore them. Yeah, it sucks if johndoe@obscure.domain and john.doe@obscure.domain can’t sign the same petition but outside of the big email services I imagine that kind of collision is pretty rare

Right I’m saying I always thought that was an optional feature, determined by the person who created the petition. I don’t think it’s a universal requirement for all change.org petitions

My understanding is that signing a petition and creating an account aren’t necessarily linked, and it’s up to the person who created the petition whether verification is required.

Yes! I LITERALLY just set up my stuff there a few days ago for TSA Precheck and CBP because I’m heading to Japan next month. I love what they’re doing.

Oh yeah don’t get me wrong, I think change.org as a product is hot stinky garbage. I don’t take anything they produce seriously lol

I just don’t expect them to do anything differently under the current circumstances is all heh. And their business is married to the design at this point, so I don’t see them pivoting any time soon. As you suggest, they need a competitor that can do it right to come along and actually produce some kind of meaningful results in the political arena, but that’s a whole other can of worms.

I literally have an idea for this, and am kinda just sitting on it until I find the right people. I’ve been on the lookout about 10 years now for a) someone with a comprehensive understanding of constitutional law and b) someone with a comprehensive understanding of political finance and lobbying, both of whom also need to be progressive and interested in 501©(3) work. A bit of a unicorn :p

As it ever will be, much as it may pain our moral sensibilities.

Re: CoD - I loved it. Laughed my ass off. Absolutely a big fan of creative approaches to getting cheaters to tell on themselves. I proposed something similar to my team when we had a problem with players manipulating the position of objects in the world so they were directly in front of the player: add an object of the same type inside map geometry and attach a “kill volume” to it, so it was like a landmine. Move the object in front of the player and they instantly die :P Wish we’d done it but couldn’t get the level designers’ time to implement it unfortunately

One we did do though: back when the product I worked on was on PS3 one of the big problems was hacked consoles spoofing platform entitlements (the thing that tells the game what purchases they should have access to). So we added an entitlement that couldn’t be acquired in any legitimate way, and gave you a specific item in game. Then we just checked player inventories once a week for anyone with that item and banned their account, their console, and any account that played on that console for a meaningful amount of time. Did the same thing with an item you could only get to by clipping through geometry. Even put the word “intrusion” in the item’s name haha.

The cheats are so technically complicated at this juncture that the creative stuff is often the most effective. I mean, people are literally voluntarily installing hypervisor rootkits to run the cheats, so they can talk to their drivers below even the kernel. It’s so hard to come to with technical solutions to a problem like that that doesn’t wind up costing massive server processing power to validate every input.

Funny you mention the robocall thing… I’m literally leaving a company that works on that problem (though not as their primary business) Wednesday. It was a short stint - mostly because they are resistant to solving massive technical debt problems and I’m not trying to doom my future self - but what I witnessed was…depressing. Getting anything done was like pulling teeth, and that’s with the recent FTC pivot to taking this stuff more seriously. STIR/SHAKEN is a reasonable start but it still has almost no teeth behind it.

I’m with you on the identity issue. I mean, if we’re being really honest, the only people losing out by not implementing strong personal identification verification are the legitimate end users because the threat actors have gotten so unbelievably good at fingerprinting user behavior. And it’s only going to continue getting worse. With ML growth as unfettered as it is, there is nothing we can do. So I’d much rather take the reigns and make identity verification a robust feature instead of a bug we can’t squash.

Good info! Sounds like a nightmare :x

Yeah, I can’t say their solution is the most elegant but it certainly makes a kind of sense when their criteria for success is “maximize participation while satisfying ‘uniqueness’ critics”

You’re not wrong, but this isn’t really a security matter, it’s an “apparent uniqueness” matter. Their goal, I assume, is to satisfy critics enough that a given petition’s participants are sufficiently unique while keeping the barrier to filling out the form as low as possible. So they end up in a situation where neither of perfect, but they’re both “good enough” for what the business needs.

I dealt with this in the anti-cheat space: my goal was never to remove all cheating, because that’s too expensive (insanely so). My goal was to make the public believe they weren’t playing against cheaters too often. If the solution was forcing the cheaters to perform at a level that was just below the most skilled human players, that was actually a success, because if the players can’t differentiate between cheaters and pro players, then they can’t effectively determine how prevalent cheating actually is.

Part of me hated that we had to treat it that way, but another part of me understood that if I pushed too hard on “eliminating cheating” my department would become more costly than it was worth and they’d pivot away from gameplay that needed anti-cheat at all

Requiring SMS validation is a massive barrier to entry and not a viable option for a service like Change.org that relies on a certain level of participation.

There’s literally another comment made at almost the same time as yours complaining blocking the use of + and such is too high a barrier to entry and just the devs being lazy. Meanwhile your suggestion is raise the barrier to entry even higher if you care about uniqueness of submissions

It’s a no-win situation for Change.org so they went with something that meets their business needs. Can’t really expect much else from them tbh

I don’t think the reason they’re being used is relevant to their problem though. “Think like an attacker” wins the day here: as an attacker, I don’t care what it’s meant for, only how I can use it to my advantage. If it’s something they observed as a problem, I understand why they would want to stop it.

As for “-”, yeah, I don’t have a particularly good explanation for that one except the assumption that it’s something similar to + addressing on a different service.

I imagine because it can’t be used to add additional junk characters to the address, they probably just strip them out before doing their string comparison

Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that’s a problem because it allows a single email account to fill out the form many times.

Ideally, they would simply truncate everything after and including those symbols but it’s possible other services have different rules (maybe yahoo let’s you prepend faux-tags instead of appending them, or something like that) so simply blocking their use altogether could be the more robust solution

Security professional here. This is legit a good call on their part. It’s because those types of addresses won’t bounce emails but aren’t necessarily in your control; it’s very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.

You own your domain, obviously, so it’s really as simple as creating a forwarding/alias address of “changeorg@domain.tld”. If creating a forwarding/alias address is that much of a problem for you I suggest that you likely shouldn’t be hosting your own email in the first place.

Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly

Susanne, you’re all that I wanted of a girl https://youtu.be/wNF_B6_AiPE

Right? Waymo is already several times safer than humans and tesla’s garbage, yet municipalities keep refusing them. Trust is a huge problem for them.

And yes, haters, I know that they still have problems in inclement weather but that’s kinda the point: we would be much further along if it weren’t for the unreasonable hurdles they keep facing because of fear created by Tesla