
It’s not invading, yet. Just buying or psyopping is more likely than fighting NATO.

If I threatened someone until they sold me something that they made very clear they did not want to sell, no one would call it "buying" and we shouldn't either. It would be extorting. Under no circumstances are we buying Greenland at this point; anything that happens is something else.

Extorting is more accurate. But definitely not invading.

Extortion is the right word here.

The problem is that virtually the entire new world and much of the old world was acquired by force and threats of force that have been legitimized over time. So yes, I think this is clearly extortion and any sale that takes place would be coerced.

But ever was it thus.


For sure, in the future I'm sure the US will teach that it was a fair deal and NATO was corrupt anyway, but I hate to see the whitewashing of it going on already, like it's a casual land purchase offer.

> It’s not invading, yet. Just buying or psyopping is more likely than fighting NATO.

Threatening to invade (which the Trump administration has been explicitly doing) is about as damaging as invading in the long run; either way, we have sent the message loud and clear that the US is no longer a reliable ally and everyone has to shift away from the post-WW2 world order.


I think that’s harder than just buying/hypnotizing/invading/whatever.

If we exit the Antarctic treaty, then so will everyone else, and there are multiple competing claims.


The US is on the verge of becoming a pariah within NATO. The Antarctica treaty ain't nothing compared to that.

It’s definitely easier to mine in Australia.

But you can do both. It’s about marginal profitability, not absolute.

Do people think we must pick just one place to mine?


You can do both, but why would you? It's not like we've tapped out Australia. And until we have, why bother with Greenland if the same money invested in Australia, or Sweden, or Canada would yield more profit?

You’d do both because you can. Why mine in Australia when you have the US or Canada, etc., etc.?

The idea would be to mine in all places where it’s marginally profitable until your capital is fully committed.


Maybe; people previously thought it was not worth it to mine in Greenland and that's why there is no noticeable mining operation. But what do I know about cost ratios or thinking.

Look at the volume of gift cards given. It’s the same concept, right?

You care enough to do something, but have other time priorities.

I’d rather get an AI thank-you note than nothing. I’d rather get a thoughtful gift than a gift card, but prefer the card over nothing.


I'd rather get nothing, because a thoughtless blob of text being pushed on me is insulting. Nothing, otoh, is just peace and quiet.


I’d much rather get nothing. An AI letter isn’t worth the notification bubble it triggers.


“I collected tons of money from Hitler and think Stalin is, like, super bad.” [sips Champagne]

Of course, the scale is different but the sentiment is why I roll my eyes at these hypocrites.

If you want to make ethical statements then you have to be pretty pure.


Are any of us better? We’re all sellouts here, making money off sleazy apps and products.

I’m sorry but comparing Google to Stalin or Hitler makes me completely dismiss your opinion. It’s a middle school point of view.


He was paid by Google with money made through Google’s shady practices.

It’s like saying that it’s cool because you worked on some non-evil parts of a terrible company.

I don’t think it’s right to work for an unethical company and then complain about others being unethical. I mean, of course you can, but words are hollow.


We had elections during the Civil War; 0.000001% chance the 2028 elections get changed.


That was the civil war, maybe in 2026 the uncivil one begins. (But I think it will just be a more general unravelling.)


My mom sends me AI videos of cute cats doing the impossible (flying around the room, washing raccoons, etc.). When I told her they were AI, she said, “So what, they’re cute.”


Say more.


Brave has about 300 employees and doesn't break out engineers [0]. One of them is Brendan Eich, so that counts for a bunch.

Their revenue is only $52M so kinda what Mozilla would earn off their endowment.

[0] https://getlatka.com/companies/brave.com


That's all b.s. of the ripest kind.


Latka are not reliable. And you assumed Brave were profitable?

Brave make a Chromium fork and a search engine. Does a search engine or a web browser engine require more people?


Brave doesn't make their own browser engine.


I found the info not actionable because it wouldn’t say what actual values were posted.

I have a common-name Gmail account. The password is rather complex and I would be surprised if it leaked, as only I and Google know it. However, I would get reports that it’s on the dark web with blanked-out password values. So I never knew if it was actually compromised or just something else.

They would also report when some random site that I don’t care about, which used my Gmail address as a user ID, was on the darknet. I don’t care if my fidofido account is leaked. I never use it, and if I did, then I would reset it.

I think if the data were useful Google would have kept this up.

I bet they keep tracking though, just keep the reports internal.


> I found (it) not actionable

Tangential, but I found 'Have I Been Pwned' useless too, because you can't enter your email and find leaked passwords associated with the address; instead you have to enter each password (and repeat for every password you want to check).

I know there's an explanation that the raw password is not being sent and is instead being hashed locally, and only part of the hash is sent. But I don't know how to verify that, and it feels wild to type passwords into a random website. (If anyone knows how to verify HIBP does only what it says it does [rather than blindly trusting and hoping for the best], I would love to read more about it.)


I always thought that it could be reasonably simple to have a safe alternative. Have people enter a SHA256 of their password instead, and match against a database of other hashes.

Almost everyone interested in checking for password leaks knows how to generate a SHA256 of a string. And those who don't shouldn't put their passwords on the internet.

Or even better, generate hashes for all passwords in the database, package these hashes together with a simple search script, and let people download it. That way, you are not sending any information anywhere, and no one can exploit the passwords, because a hash is a one-way function.

Then again, that download could be really large. I admit I have no idea how much storage that would take. But it's just text, so easily compressible. And with some smart indexing, it should be possible to keep most of it compressed and only unpack a relatively small portion to find a complete match.

Then again, I have virtually no background in cryptography, could be something horribly wrong with this.


That's already what is happening...

When you do a check on https://haveibeenpwned.com/Passwords nothing is sent to the server. Instead, the password is hashed locally and a list for the hash range is downloaded, which contains all the hashes in that range and their number of occurrences.

The server doesn't receive the password, neither in plain-text nor hash form.


They meant you submit the checksum instead of your password. Replace "Password to check" with "Checksum to check".


It would be easy enough to add this as a "secret" feature:

* user submits password
* gets hashed client side
* server compares it against stored hashes
* server also re-hashes the stored hash, and compares it against the hash received from the client

This would effectively mean that either entering the password, or the password hash would correctly match, since when entering the hash you are effectively "double" hashing the password which gets compared to the double hashed password on the server.

The upside is that users who don't understand hashing or don't feel like opening a SHA256 tool wouldn't have to change their behavior or even be confused by a dialog explaining why they should hash the input, while advanced users could find out about the feature via another channel (e.g. Hacker News).

The downside would be that it adds an extra hash step to every comparison on the server. It's hard to know how expensive this would be for them.


Care to explain how you can tell what scripts GP was sent for the page https://haveibeenpwned.com/Passwords and what scripts he will be sent on future visits?


Well of course a hostile actor could use this incredibly accessible resource to test a bunch of emails and find their passwords.

Though perhaps there could be a service where you enter an email address and it sends an email to that address containing the passwords. That would be a slightly more complicated server to set up, though.


I'm 99% sure this is exactly what HIBP used to do, and they changed their processes. I'm unsure if this was due to government pressure or what.


OK, I would pay for this service.

It doesn't use any information that's not already exposed.

It reveals the extent of my problem to me.


> (if anyone knows how to verify HIBP does only what it says it does [rather than blindly trust and hope for the best], would love to read more about it)

I recall HIBP documents their hashing protocol so that it should be possible to have a non-web client you can trust more.

https://haveibeenpwned.com/API/v3#PwnedPasswords


There's an API[0] that takes a prefix of a hash.

I don't know how to verify what the website does, but I think that in a few minutes I'll be able to put together a CURL call that does what we're hoping the website does.

[0] https://haveibeenpwned.com/API/v3#PwnedPasswords
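The range query the two comments above describe (local hashing with only a hash-range prefix leaving the client, and the API that takes that prefix), written out as an added example that is not any commenter's code. The bucket contents and counts in SAMPLE_BUCKET are constructed so the parsing runs offline; only fetch_range talks to the real endpoint.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_split(password: str) -> tuple[str, str]:
    """Hash locally with SHA-1 (the algorithm HIBP uses) and split the hex
    digest into the 5-char prefix that is sent and the 35-char suffix that
    never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response, one "SUFFIX:COUNT" per line, and return the
    breach count for our suffix (0 if it is not in the bucket)."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the bucket for a prefix. The server only ever sees 5 hex
    chars (one of 16^5 buckets), so it cannot tell which hash we hold.
    Add-Padding asks for dummy zero-count entries so bucket sizes are
    similar and the response length leaks nothing about the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in known breaches."""
    prefix, suffix = sha1_split(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed bucket for offline use: the middle line is the real suffix of
# SHA-1("password"); the counts and the other two suffixes are made up.
SAMPLE_BUCKET = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
)

if __name__ == "__main__":
    print(check_password("password", fetch=lambda _p: SAMPLE_BUCKET))
```

The same exchange from the command line is `curl https://api.pwnedpasswords.com/range/5BAA6`, after which you look for your own suffix in the output locally.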


Bitwarden's web vault has a reports feature which allows you to check this in bulk.


I never got the Google dark web reports, but my credit card used to send me reports constantly saying that my email address was 'found on the darkweb.' Okay, that's not useful information. If it showed me if there were associated passwords, that might be helpful, but just saying my address was found on the darkweb is meaningless. My email address is public information.

The worst part is, it was an email address I hadn't used in about 10 years, and they wouldn't let me take it out of the report.


Well you could change the email address you use for the financial services only, and keep it secret. Then it would be harder to impersonate you.


Or, use a service that lets you generate an address for each business you deal with or use case you have so you can treat them as disposable. After chasing down spammers and companies selling my info, including my email, I found this was easier to keep up with and is more effective. Spam me once or sell it to another company, and I burn that address, replacing it with the original company if I really need them to keep in contact.


I tried to do that but found out there are almost no services where I would want to treat my account as disposable. If I bother to provide them my email address, I usually also want to access my account there later (e.g., to check order status).

There are tens of services where I'd like it disposable, but hundreds of services where an account is warranted. And some of those thousands will be compromised some day.


I'd distinguish between an address one can choose to dispose of in an organized way versus an account you don't want to lose access to.

I have my own domain, and pay a hosting company to manage the e-mail, which means it's easy to have a ton of forwarding-only addresses for different purposes.

This means that I register with mybank123@domain, if that ever leaks I can log in with them and change my e-mail to a new forwarding-address of mybank456@domain. Then retire the older one.


You can do this with aliases. For example Firefox's relay (or you can do it with a website and cloudflare). They'll also give you a catchall domain so you can either have generated emails like "adafergtrees@mozmail.com" or "NameOfArbitraryBusiness@deepsun.mozmail.com". If you want to trash an email you can do that too.


Well, I could, and actually did. Like I said, I couldn't get that email address out of the report.


Yeah... I have a five-letter email that's a common first and last name @ gmail.com. I second everything you said. Getting report hits every few days is useless given how few sites do any kind of validation. :-/


> I have a five letter email that's a common first and last name @ gmail.com.

What are the common two-letter first or last names?


Ng, Le, Li, Lu, Wu, Xu, Xi, Fu… come to mind immediately for last names.

For first names… Jo, Ty, Al, maybe?


If you have a two letter last name you need a three letter first name to make five. Joe, Bob, Sam, etc.

