> The greatest scam of Google and Apple is convincing millions of developers to learn Swift and Kotlin to make apps on their stores that can be swiftly (pun intended) removed from their stores
I certainly won't defend Apple and Google's app store monopolies and control. However, Kotlin was actually a case of Google listening to the developer community. Google could have, and wanted to, push Dart (see Flutter) on Android. But the Android development community was already adopting JetBrains' Kotlin. Google listened and embraced Kotlin instead of pushing their own thing. It was not a hostile act.
Dare I say Google embracing and pushing Kotlin on the Android ecosystem was the last good thing I can remember Google doing. The language is such a joy to work in without the pitfalls that come with Scala.
I don't know, Compose is fantastic as well. The way the runtime, foundation, and UI libraries are layered makes it a breeze to extend, and the layout system is the only sane one I've used. Overall Compose is a paradigm shift that is too often compared to React, Flutter or SwiftUI by those who haven't written code using it.
Our dev team is looking to switch as soon as we have time to learn it. I assumed it was going to be like React from the one tutorial I've done of it so far, which already excited us.
I'm also a little worried about missing components currently available in XML, although I know you can mix and match, but not sure how that actually is in practice.
I don't think the point was Kotlin and Swift vs. Java and Objective-C, but merely these native languages (listing the current generation) instead of, say, JavaScript.
Ironically, when testing an example Google search from this thread, this thread came up. So HN doesn't block Google completely, but maybe has poor SEO so it rarely shows.
The original response was essentially blaming affected users, saying it was credential stuffing. Now they changed their story. If there is any credibility to the credential stuffing story, they should ask all users that received the email to change password, not just say change it out of an abundance of caution.
Obviously something changed as the emails just started going out recently. Maybe it was a recent code change introducing a bug on their end, that's fine, software has bugs, but they could explain it. Maybe attackers are doing something different, which is triggering an old bug causing incorrect emails. Or maybe LastPass still doesn't really know and is just giving a potential reason, like they did earlier saying it was credential stuffing.
I'd already stopped using LastPass years ago and deleted my account when this current mess started, so they weren't really going to win me back anyway. But the (current) response to this incident leaves plenty of unanswered questions.
I haven't used LastPass since, at the latest, 2017. I had actually deleted all my passwords from my LastPass vault, but originally kept the account because of LastPass's password sharing feature, though I stopped using that as well. I believe I had the LastPass extension installed on both Chrome and Firefox, on both Mac and Ubuntu. I primarily used Chrome on Mac. I did have uBlock Origin on those setups as well, but I really doubt that's the vector, it's likely just incredibly popular with all users of Hacker News. My LastPass password was globally unique and between 15 and 20 characters long (with some symbols and digits). This password shows no matches at https://haveibeenpwned.com/Passwords . I considered sharing the password here, but just in case an old version of my vault is out there somewhere somehow I'm not going to. My understanding is that such a password would be so incredibly impractical to brute force that it's not worth considering. Unless I'm outdated/wrong on that, that means the password leaked in clear text (or hashed with a broken hashing method). As I haven't typed that password since at least 2017 and I can't imagine LastPass is storing passwords in clear text, I'm inclined to believe the password was stolen in clear text from client machines (either LastPass extension exploit or malware) in or before 2017. It's weird they were not used earlier, but as LastPass doesn't allow new IPs by default, maybe the attackers knew this and were sitting hoping an additional exploit would allow their user. But now they're just trying in the off chance someone clicks the "That's me" link in the email. This doesn't explain the more recent claims, personally I'm inclined to disregard them as unrelated noise (user confusion, reused password, etc).
Almost identical case except I think I last used my account in 2018. No matches in haveibeenpwned. Password not saved anywhere (written only) and hasn't been typed in years.
I’m a LastPass user. I change my master password every 6 months. I received the attempted login from Asia email also. So… it isn’t just some exploit from 2017.
Thanks -- my own case is pretty much identical to yours. My LastPass account was from 2017, and haven't used it since. I can also suspect a LastPass extension exploit from 2017 i.e. that's maybe how my password was stolen.
(I actually found an email from LastPass dating back to 2017 where they were confirming that a vulnerability with their extension had been fixed. The subject of that email is "Security Update for LastPass Extensions" and it dates back to March 31st, 2017)
I also agree with you that the attackers may have been hoping this time that some people would click the email link by mistake.
What's most baffling to me are the 3 independent reports of people changing their passwords, and getting the "Someone just used your master password" emails again i.e. the same attackers that attacked you and me somehow also having access to these new passwords. That can be explained in some ways (those 3 people are currently infected with the same malware) but that explanation seems, to me, very unsatisfying.
Excellent comment. For "constructive separation", if giving him benefit of the doubt, the relevant employment term seems to be Constructive Dismissal (or discharge or termination).
https://en.wikipedia.org/wiki/Constructive_dismissal
"when an employee resigns as a result of the employer creating a hostile work environment. Since the resignation was not truly voluntary, it is, in effect, a termination. For example, when an employer places extraordinary and unreasonable work demands on an employee to obtain their resignation, this can constitute a constructive dismissal."
There is an about:config setting called privacy.resistFingerprinting that does a handful of things, I believe including canvas fingerprinting. It also disables site specific zoom though (as that could be used for fingerprinting) which I find rather annoying.
The non-nightly Firefox Preview for Android doesn't support add-ons. I imagine the title is just to emphasize that add-ons such as uBlock Origin work with this nightly.