>The big reason why C corps are preferable is because S corporation shareholders can only be people -- not other businesses, like VC firms. (S corps also can't issue preferred stock.) An S corporation can't take venture capital without first reverting back to C corp status. But an S corporation can save a lot of money on taxes
I’m sure I don’t know ALL the "security best practices that have been around for 20+ years" and this is perfectly fine as long as I’m able to react quickly. See also https://xkcd.com/1053/.
It's fine if you personally didn't know that. But if I'm paying for a service, I expect the provider to understand basic security best practices that have been industry standard for 20+ years. And if they don't, they should be hiring people who do.
XKCD 1053 is not a valid excuse for what amounts to negligence in a production service.
Author here. What kind of security negligence are you referring to? What would be a specific attack vector that I left open?
Regarding the PSL - and I can't believe I'm writing this again: you cannot get on there before your service is big enough and "the request authentically merits such widespread inclusion"[1]. So it's kind of a chicken and egg situation.
Regarding the best practice of hosting user content on a separate domain: this has basically two implications:
1. Cookie scope of my own assets (e.g. dashboard), which one should limit in any case and which I'm of course doing. So this is not an issue.
2. Blacklisting, which is what all of this has been about. I did pay the price here. This has nothing to do with security, though.
I'm sorry to be so frank, but you don't know anything about me or my security practices and your claim of negligence is extremely unfounded.
> What kind of security negligence are you referring to?
I am not talking about "security negligence". I am talking about "negligence". The negligence was to not follow standard best practices known for over 20 years which led to disruption in your services.
Eric, I think it appropriate to mention, and I'd like to point out the lack of any real documentation (reaching a professional level) related to PSL on the professional working groups touching on these things (i.e. M3AAWG).
There are only two blog posts on M3AAWG in 2023 where it had been used silently (apparently for years), but was calling for support. I would think if it were an industry recognized initiative it would have the appropriate documents/whitepapers published on it in the industry working group tasked with these things. These people are supposed to be engineers after all. AFAIK this hasn't happened aside from a brief after-action with requests for support, which is highly problematic.
When there is no professional outreach (via working group or trade group), it's really hard to say that this isn't just gross negligence on google's part. M3AAWG has hundreds if not thousands of whitepapers, each hundreds of pages. A single blog post or two that mention it insufficiently won't rationally negate this claim supporting gross negligence.
Why do I mention gross negligence? When coupled with loss, it is sufficient in many cases to support a finding of 'malice' without specific intent (i.e. general intent), especially when such an entity has little/no credibility, but is overshadowed by power/authority that is undeserved. Deceitful people that reasonably should know the consequences will go bad often purposefully structure towards general intent to avoid legal complications, and the legal system has evolved. I am not a lawyer, but this paraphrase about gross negligence/general intent/malice did come from a lawyer; it's not meant or intended for use as legal advice in paraphrase form, so the standard IANAL disclaimer applies. If that is needed, consult a qualified professional for a specific distinction on this.
The company is more than technically capable of narrowly defining blacklists and providing due process and appropriate noticing requirements.
The situation begs questions of tortious interference, and whether the PSL is being used as an anti-competitive mechanistic moat to prevent competitors from entering the market by imposing additional cost arbitrarily on competitors that is asymmetric to the costs such companies have with competing services (as oligopoly/monopoly).
In GitHub's case, I think it was also because a lot of security boundaries were using the TLD, which let x.github.com potentially grab cookies of y.github.com or worse, github.com itself.
Don't forget the `githubusercontent.com` domain, which is specifically used to host risky, user-generated content, and fully documented in https://docs.github.com/en/authentication/keeping-your-accou... (using an open source component that other companies could also use, if they were interested in similar levels of security)
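The cookie-scope risk described in the two comments above, as an added example that is not from the thread or from GitHub: a small Python model of RFC 6265 domain matching with a constructed subset of the Public Suffix List, showing that a cookie set with Domain=github.io is shared between sibling tenants unless github.io is a public suffix (the host names and PSL entries are assumptions for illustration).

```python
# Added example (not from the thread): a small model of RFC 6265 cookie
# domain scoping plus Public Suffix List (PSL) checks, showing why hosting
# tenant content under one parent domain needs that parent on the PSL.

def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3: host equals the domain or ends with '.' + domain."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def effective_cookie_domain(setting_host, cookie_domain, public_suffixes):
    """Domain a browser would store for 'Set-Cookie: ...; Domain=cookie_domain'
    sent by setting_host, or None if the cookie is ignored.

    Follows RFC 6265 5.3 steps 5-6; public_suffixes stands in for the PSL."""
    host = setting_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    if dom in public_suffixes:
        # A public suffix is never a valid cookie domain. Browsers keep the
        # cookie host-only if the host *is* the suffix, otherwise drop it.
        return host if host == dom else None
    if not domain_matches(host, dom):
        return None            # a host may not set cookies for unrelated domains
    return dom


def cookie_shared_across_tenants(setter, reader, cookie_domain, public_suffixes):
    """True if a cookie set by `setter` with Domain=cookie_domain would also be
    sent to `reader`, i.e. the two hosts share cookie scope."""
    scope = effective_cookie_domain(setter, cookie_domain, public_suffixes)
    return scope is not None and domain_matches(reader, scope)


# Constructed PSL subsets: the real list is far larger (publicsuffix.org).
PSL_WITHOUT_ENTRY = {"com", "io"}
PSL_WITH_ENTRY = {"com", "io", "github.io"}

if __name__ == "__main__":
    # Two tenants under one parent domain, parent NOT on the PSL:
    # a cookie scoped to the parent is sent to every sibling tenant.
    print(cookie_shared_across_tenants("a.github.io", "b.github.io", "github.io", PSL_WITHOUT_ENTRY))  # True
    # Same setup with the parent on the PSL: the browser ignores the cookie.
    print(cookie_shared_across_tenants("a.github.io", "b.github.io", "github.io", PSL_WITH_ENTRY))     # False
    # A first-party dashboard can still scope a cookie to its own registrable domain.
    print(effective_cookie_domain("dashboard.example.com", "example.com", PSL_WITH_ENTRY))           # example.com
```

The same check explains why a separate registrable domain such as githubusercontent.com needs no PSL entry at all: it never shares a parent with the first-party site, so no Domain attribute can bridge the two.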
It looks completely different and is a non-profit:
> Couchers, Inc. is a 501(c)(3) non-profit organization ... [incorporated] in the United States in late 2021, and the project was moved under the purview of this new non-profit in early 2022.
Hey, Couchers backend volunteer here - this is a very good and valid question as many of us have gone through the same disappointment with Couchsurfing.com in the past. This is an excerpt from our FAQs on that topic:
"How will you prevent this platform from ever becoming a for-profit like Couchsurfing™ did?
We fundamentally believe that attempting to make a profit out of couch surfing is a bad idea. It introduces incentives that damage the community and would not make financial sense — the couch surfing idea, based on non-transactional experiences, is not monetizable. This is about societal value, not monetary value.
We are keeping the platform as a non-profit forever. Our plan to follow this relies on three fundamental pillars:
1. We are legally established as a non-profit foundation, and our constitution contains provisions that prevent the company from ceasing to be a non-profit, or transferring its assets to an entity that is not a non-profit.
2. We will carry out a policy of distributed moderation, so that we will engage hundreds of moderators as volunteers around the world to moderate their own communities. We will make the platform reliant on volunteers, and so the entity controlling the platform could not be a for-profit business without violating laws in many countries. The foundation would have to remain as a non-profit to continue operating.
3. Our code base is open source and anybody can spin up an alternative instance. If the community ever comes to feel that the leaders of the platform are not acting in their interest, they can simply fork the codebase, making a copy that is under control of new management.
Finally, we do hope that you can trust our Founders (Aapeli and Itsi) and Board Members in their promise to keep the platform not only community-led, non-profit, and open-source, but in line with the greater interests of the global couch surfing community."
Yeah, that's about the time I quit couchsurfing and limited my interactions to community meets. Then it pretty much died out. I couldn't tell if this is the same folks trying to do it right or different folks who believed in the original mission of CouchSurfing.
I happen to have an account with them, and also BeWelcome (what seems to be the closest to popular alternative to the original couchsurfing.org) and TrustRoots, too. Also, the original one, of course.
Thanks for the feedback. It's more correct to say that traffic drops off for 3-4 hours rather than everyone goes offline for 3-4 hours. It's likely to be staggered based on the slope of the curve at that point.
That's a fair criticism. The data suggests that there are different breaks spread out over that 3-4 hour period, not one break of 3-4 hours. I've reworded it accordingly.
It’s accurate for business hours in at least some parts of the country, but it is paired with late closing. Even office workers will be on the job until 8. Popular wisdom attributes it to Franco’s adoption of Central European Time to be aligned with Hitler.
It's like the author has never heard of balance bikes, but they're very common, and have been for over a decade. FWIW, I taught my kid to ride when he was 3 by putting him at the top of a wheelchair ramp and letting him go. Took him 5 seconds, and he was riding around the park by himself by the second attempt. He'd never been on a bike before.
>It's like the author has never heard of balance bikes, but they're very common, and have been for over a decade.
Every time a post like this comes up, a bunch of people haven't heard of them. I'm sure it helps, especially with really little kids, but honestly kids learn to ride bikes pretty easily once they decide they want to really learn, regardless of pedals or not.
I think it must be regional. They're universal in the UK now so there's no way you could have a kid and not know about them. Nobody had them when I was young though. Presumably they just haven't quite infiltrated America yet.
The use case is very little kids. They can use a balance bike about the same time they can toddle about the house (but before they can walk longer distances without support or tumbles).
This. Here (NL), where pretty much everyone can bike and a substantial portion of the population goes to work/groceries/etc. by bike, most kids start with what we call a 'walking bike' (pretty much the same as a balance bike). Most kids are already pretty fast on them before switching to a bike with pedals.
It's also often recommended not to use training wheels. Just go balance bike -> pedal bike.
Strider bikes. And yes, they are amazing. Ours was 2.5 and she insisted she was ready for a big kid bike. Was pedalling that afternoon, although she couldn’t start alone yet.
Balancing is the easy part. Progressing from standstill to pedalling, while maintaining balance, proved much harder (for my child). However, once mastered, the transition to confident rider was fast, I'm sure mostly thanks to having started on a balance bike early, and never having an interest in those scooters that every other kid seems to love (seemingly at the expense of learning to ride a proper bike).