I used to work for an online poker outfit. The boss wanted weak bots populating the tables so that we looked popular. Of course, he had a “crack team” of bot writers for playing on “other sites” to make money, too.
Might be another somewhat interesting perspective - not sure how filling in the details from my summary above could be big news. But sure, I’d write it up if it seems interesting enough to someone.
This was early in the online poker hype. I worked there for about a year, and they didn’t last long after I left the company. Forum posts from when they were still in business showed players suspected bot activity. The company wasn’t all that big, and I’m sure the lack of player trust did them in.
The "standard" strategy is to play GTO (game theory optimal). There are solvers out there (like GTO Wizard) that show you the "optimal" play for every situation, which is used as a baseline, and then players deviate to exploit specific player tendencies.
GTO trees are far too complex to fully memorize, so nobody can play perfect GTO. But you can do a lot of solver work to get reasonably close.
I won a tournament on a cruise against a guy who I think was doing this. He was one of the people at the table who had a consistent tell and that helped me beat him heads up.
Maybe not GTO specifically, but I got the impression that he was playing the math and doing it well (especially since it came down to the two of us at the end).
The tell was a very common one. Anytime he liked what he saw, either hole cards or on the flop, he would quickly glance at his chip stack (thinking about a bet). Probably didn't even realize he was doing it. When it got to head to head, if he glanced at his chips...I'd fold early. If he didn't, I'd bet into him until he eventually folded.
Four times a day, I get an email notification that someone requested a password reset for my Microsoft account, which gives me a six-digit number to recover my account. So every day, an attacker has four shots in 1,000,000 of stealing my account by just guessing the number. They've been doing this for years.
If the attacker's doing this to thousands of accounts - which I'm sure they are - they're going to be stealing accounts for free just by guessing.
I wrote up a security report and submitted it and they said that I hadn't sufficiently mathematically demonstrated that this is a security vulnerability. So your only option is to get spammed and hope your account doesn't get stolen, I guess.
I have added what I think they call login alias to my account. This blocks logins using the normal account username (which is my public email address), and only allows them via the alias (which is not public and just a random string). Not a single foreign login attempt since I enabled the alias.
You can enable it on account.microsoft.com > Account Info > Sign-in preferences > Add email > Add Alias and make it primary. Then click Change Sign-in Preferences, and only enable the alias.
This sounds a lot like Steam, where the name on your profile page is a vanity string that you can change whenever you want, but the actual username in their system is an unrelated (and immutable) ID.
I had to make my Outlook email primary again on my Microsoft account, unfortunately, because of how I use OneDrive. I send people share invitations and there are scenarios (or at least there were the last time I checked) where sending invitations from the primary account email is the only way to deliver the invite. If your external email alias is primary, they'll attempt to send an email from Outlook's servers that spoofs the alias email :/
If they are doing this to 125,000 accounts, they should get an average of one account per day, right? So on average it would take them 342 years to get any specific account, but as long as they aren't trying for any particular account, they've got a pretty good ROI.
I guess the fix for this would be exponential backoff on failed attempts instead of a static quota of 4 a day?
Why would doing this to 125K accounts give them access to one account per day? The chances of guessing the 6-digit PIN code for each account are the same (10^6) regardless of how many accounts you are attacking.
No, this means there is a 98% chance you get _at least_ 1 account.
`1-1/1,000,000` is the probability you fail 1 attempt. That probability to the 4 millionth power is the probability you fail 4 million times in a row. 1 minus _that_ probability is the probability that you _don't_ fail 4 million times in a row, aka that you succeed at least once.
The expected number of accounts is still number of attempts times the probability of success for 1 try, or: 4 accounts.
What are the chances of getting 500,000 guesses (4 each for 125,000 accounts) wrong? My math says 60%, so probably not one account per day, but if they keep it up for a week and everything else holds, there's only a 3% chance they haven't gotten any codes right.
Imagine the extreme case, where they pinged one million accounts and then tried the same code (123456) for each one. Statistically, 1 of those 1,000,000 six-digit TOTP codes will probably be 123456
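The probability calculations traded in the comments above (four guesses per account per day against a six-digit code, spread over many accounts) can be checked with a short script. This is an added example, not code from any commenter; the code space (10^6) and the daily quota of 4 come from the thread, and the account counts used in the usage lines are the ones the commenters themselves assume.

```python
import math

CODE_SPACE = 10**6            # six-digit numeric code: 000000 .. 999999
GUESSES_PER_ACCOUNT_DAY = 4   # daily reset-code quota described in the thread


def p_fail_all(attempts, space=CODE_SPACE):
    """Probability that every one of `attempts` independent guesses misses."""
    return (1 - 1 / space) ** attempts


def p_at_least_one(attempts, space=CODE_SPACE):
    """Probability that at least one guess hits (complement of failing them all)."""
    return 1 - p_fail_all(attempts, space)


def expected_successes(attempts, space=CODE_SPACE):
    """Expected number of hits: attempts times the per-guess success probability."""
    return attempts / space


def campaign(accounts, days, per_day=GUESSES_PER_ACCOUNT_DAY, space=CODE_SPACE):
    """Summarise an untargeted campaign over many accounts at the per-account quota."""
    attempts = accounts * per_day * days
    return {
        "attempts": attempts,
        "expected_takeovers": expected_successes(attempts, space),
        "p_at_least_one": p_at_least_one(attempts, space),
    }


def attempts_for(p_target, space=CODE_SPACE):
    """Guesses needed before the chance of at least one hit reaches p_target."""
    return math.ceil(math.log(1 - p_target) / math.log(1 - 1 / space))


def days_to_hit_one_account(p_target, per_day=GUESSES_PER_ACCOUNT_DAY, space=CODE_SPACE):
    """Days a *targeted* attack on one account needs under the per-account quota."""
    return attempts_for(p_target, space) / per_day


if __name__ == "__main__":
    # Numbers used in the thread: 125,000 accounts for a day and for a week,
    # and the 1,000,000-account extreme case.
    for accounts, days in [(125_000, 1), (125_000, 7), (1_000_000, 1)]:
        c = campaign(accounts, days)
        print(f"{accounts:>9} accounts x {days} day(s): "
              f"{c['attempts']:>9} guesses, "
              f"E[takeovers]={c['expected_takeovers']:.2f}, "
              f"P(>=1)={c['p_at_least_one']:.3f}")
    print(f"targeted attack, 50% chance on one account: "
          f"{days_to_hit_one_account(0.5) / 365:.0f} years")
```

The two views in the thread are both right: per account, the quota keeps a targeted guess hopeless (hundreds of years for a coin-flip chance), while the expected number of takeovers across the whole campaign grows linearly with the number of accounts, so a per-account rate limit on its own says nothing about aggregate risk. That is the argument for monitoring reset-code request volume across accounts and for backoff that tightens with repeated failures, rather than a flat daily allowance.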
I get a similar message constantly for an old Instagram account - "sorry you're having trouble logging in, click here to log in and change your password!"
I had the same issue on a useless old account. Could see the IP addresses of the sign-in attempts, they came from all over the world, all different ISPs, mostly residential. Nearly every request was from a unique /16! If botnets are used for something this useless, I dread to think what challenges at-risk people face
Adding 2FA was the solution
I couldn't find the method they were using in the first place, because for me it always asks for the password and then just logs me in (where were they finding this 6-digit email login option?!), but this apparently blocked that mechanism completely because I haven't seen another sign-in attempt from that moment onwards. The 2FA code is simply stored in the password manager, same as my password. I just wanted them to stop guessing that stupid 6-DIGIT (not even letters!) "password" that Microsoft assigns to the account automatically...
I was authenticating a set of scripts five times for each run with MFA. Once, it asked me for six MFA prompts with no disambiguating info.
Did I click “Yes” to the attack the fifth time, or was the sixth the attack? Or was it just a “hiccup” in the system?
Do I cancel the migration job and start from the beginning or roll the dice?
It’s beyond idiotic asking a Yes/No question with zero context, but that was the default MFA setup for a few hundred million Microsoft 365 and Azure users for years.
“Peck at this button like a trained parrot! Do it! Now you are ‘secure’ according to our third party audit and we are no longer responsible for your inevitable hack!”
All of the prompts users get these days in an effort to add "security" have trained users to mindlessly say "yes" to everything just so they can access the thing they're trying to do on their computer; we've never had less secure users. The cookie tracking prompts should probably take most of the blame.
I know with the last major macOS update, nearly every app is now repeatedly asking if it can connect to devices on my network. I don't know? I've been saying yes just so I don't have stuff mysteriously break, and I assume most people are too. They also make apps that take screenshots or screen record nag you with prompts to continue having access to that feature. But how many users are really gonna do a proper audit, as opposed to the amount that will just blindly click "sure, leave me alone"?
On my phone, it keeps asking if I want to let apps have access to my camera roll. Those stupid web notifications have every website asking if it can send notifications, so everyone's parents who use desktop Chrome or an Android have a bunch of scam lotto site ad notifications and don't know how to turn them off.
Microsoft allows you to create a second "login only" account username to access your e-mail and other services. I was having the same problem as you but much worse. Check into it, it only takes a few minutes to set up.
Does adding MFA not protect you against this? If you are secured by a TOTP on top of your password, it should not matter if they manage to reset your password.
Somewhat, but imho the Microsoft MFA is also full of similar flaws.
As an example: I've disabled the email and sms MFA methods because I have two hardware keys registered.
However, as soon as my account is added to an Azure admin group (e.g. through PIM), an admin policy in Azure forces those to 'enabled'.
It took me a long time to debug why the hell these methods got re-enabled every so often; it boils down to "because the Azure admin controls for 'require MFA for admins' don't know about TOTP/U2F yet".
Last time we were in Japan, we were walking around in Hakone and thinking the same thing. Then we stumbled upon a (literal) video game treasure chest. Inside there was a journal, stamps, and stickers to contribute your stories to.
Making less money isn't really the risky part about founding a startup. The risky part is missing out on years of other life experiences, stressing (or losing) your closest personal relationships, failing and feeling personally responsible for disappointing everyone you convinced to believe in you, and developing an anxiety disorder (or worse) from chronic long-term stress.
Author's suggestion that they could have taken a "similar level of risk" as an early employee by taking secondaries as a founder is way off, IME.
Having been employee #10 a couple times now, there is a lot of that even when you aren't a founder. It would be nice if the 'de-risk your life' stuff this article describes for founders was also available for early employees.
Work a high-salary job and buy lottery tickets or 0DTE options instead. Half joking. Look at the success rate of outlier comp through liquidity as an early startup employee. If professional stock pickers can’t pick better than index funds, what makes you think you can do better picking startups, spending non-renewable time, working for years vesting common shares that you might get liquidity for eventually, assuming they have any positive value.
If you want to get wealthy, there are more efficient, less effort ways. If you want to suffer with low chances of success based on all available data, well, help yourself to the firehose of startup jobs.
You're not just "picking a startup". That early, you're also a big factor in whether it succeeds. Betting on yourself is different than buying a lottery ticket. (Maybe just as irrational for a lot of people, but still.)
Advanced sports stats have the notion of "contribution above replacement value", the idea being it isn't just what you do, it's what you do relative to whoever they could (relatively easily) replace you with.
The startup failure/success rate already have some level of "smart, motivated staff" baked in. So you're really making a bet on how much better you are than the average early stage startup employee.
You (not “you”, but the persona for this discussion) are not special and will likely fail, based on startup failure rates. Certainly, you will put effort forth, but that is only tangential to odds of success. If you enjoy the experience and don’t need monetary resources, sure, knock yourself out. Just recognize the opportunity cost, that the odds are stacked against you, and if you succeed, you were as lucky as you were skilled.
I’ll take the lottery ticket over me any day, not because I suck, but because I am human. Even exceptional humans fail. I don’t drink the exceptionalism koolaid.
People, especially sw devs, love this narrative but it's just not true. It's not all luck like the lottery, but the combination of things outside your control might as well make it so for early employees at a startup. But hey, you did get that VP of whatever title...
When you work for a startup you have a ton of insider information not available to outsiders, even investors. If you think your startup won’t be successful then obviously just find a different job.
> I have been an early or first engineer at five different companies and have had three liquidity events in a 9-year career.
A "big" success is a 10+ year journey. For an early employee, it is perfectly acceptable to give a few weeks' notice and move on to the next lotto ticket. This doesn't work for a key founder-exec -- they're likely going to commit to a decade working on one big problem, and investors want to incentivize them to shoot for the moon & stick with it for the long haul.
It's definitively not the same for an early employee.
Having been a key early employee at a failed startup, horseshit.
The employees bear the burden too, if they're working their asses off at an early stage startup they believe in the cause just as much. Viewing founders as somehow magically special is a symptom of the broader misguided hero worship the US has right now.
I'm sorry this isn't true. Your name wasn't on the line when you took the investment, and the OP pointed out with his "5 startups in 10 years" line, it's very easy for early employees to walk away. That isn't as available to founders.
There is much more burden (reputational, financial, emotional) on the founders.
I've been a founder, and I've been a key early employee. It is very different.
It's unfortunate that subjective well-being was left out of this, because that's the one that looks like it might be getting worse. Arguably, it's also the most important.
The study that looked at subjective well-being in 16th century Spain concluded that subjective well-being mirrors subjective economic inequality. Without going too deep, it seems that relationship continues to hold in the modern time period of which you speak. Subjective economic inequality has increased, and subjective well-being has declined.
But that does question just how important subjective well-being is if all it is is your perception of how much better off someone else is.
FF7 Remake and Rebirth are both incredible, but Rebirth's sales are significantly lower. I'm hoping this doesn't make them reduce investment for the third installment.
My guess is dinosaurs holding onto the "good ole days" of the "console wars".
Remake and Rebirth were both seriously, and needlessly, kneecapped by their own parent company.
The exclusivity deals are to blame.
One year exclusive on console (and in terms of Rebirth, a console that few people own because of short supply at launch and lack of games throughout its now apparently finished tenure), then one year exclusive on a single PC game store (the one I refuse to use), then, finally, wide release, but by then everyone excited about the game has heard about their friends playing it or watched a streamer, and so once they are finally ALLOWED to play the game the purchase is less of an intriguing prospect.
I think the original moved a lot of CONSOLES, but to think that sort of purchasing power STILL exists is a fever dream that is dangerous to the parent company's own goals. (pun intended ;)
You can definitely tell while you're playing it. It's probably the best-looking game I've ever seen and it has a pretty unbelievable amount of content.
Let me reply again, game development in my eyes is insanity personified.
If it's engine or interop, it's wild. It always has been. We used to have memory and space limits; now we have no limits but time. I adore and praise every game developer. It's a tough field.
The major poker sites claim that they have really good (and very top secret) bot detection. I'm skeptical.