undefined | Better HN

0 pointsqayxc5y ago0 comments

> No one wants to use something where the consequence of making a mistake is "well I guess you're f_cked now". You're ignoring the entire usability side of computing and innovation.

Wow wow wow, so you're basically saying that users who are capable enough to even need/use decentralised version control systems are too dumb and incompetent to setup Time Machine, Timeshift, or File History? Really?

> There are other ways to verify identity (especially within a social network, where real life people know other real life people), but these companies simply do not want to put the effort it.

So you are suggesting that instead of keeping one piece of information (e.g. a second e-mail address or just a token generator, which can be an app), you instead share your entire private life with these companies? Oh, and by the way - how would you even protect your social media accounts then? 2FA all the way down?

> Trust me, if Nat Friedman somehow loses his email and 2fac at the same time, I can bet you that they would someone find a way to verify his identity and let him back in to his Github account (or honestly any other account).

Trust me, the CEO running the show is in an entirely different category than most of the 50 million other accounts and you (in this case GH) don't even want to have all this sensitive personal information.

The less info you have, the less impact a data leak on the provider's side can have. Why would anyone trust GH with their personal information more than any other tech company?

Mission critical data belongs in multiple location. Full stop. Losing access to a GH account should never be more than an inconvenience if your livelihood depends on it or you value your personal data.

> This is false. Almost every part of cyber-security is a trade-off between security and usability. If you want the most secure system, just turn everything off. Totally secure. But also totally un-useable.

I'm not talking about security in general. I'm specifically talking about deliberately weakening a security measure (here: 2FA) for no reason at all.

Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?

> Not everyone has the privilege to spend a "few hundred bucks on a NAS" and pay for it to be securely stored somewhere.

A USB drive is not a privilege and if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.

Data has become more important than ever, yet people still fail to understand to treat it like they would other valuables. 20 bucks for a protective case for your phone - no problem. 50 bucks for a half decent 1TB portable USB HDD to backup their most important and irreplaceable data - only the privileged and tech gurus can afford that...

Nah mate, think again. It just doesn't make sense to put all your eggs in one basket (allegedly 10s of thousands of proverbial eggs in this case) and then whine about forgetting to change 2FA, having no backups whatsoever, and mixing private and work accounts all at the same time.

This is one of those things that you should learn from and the least you can do is to have a cheap external HDD and a recent backup of your most important stuff.

0 comments

nrmitchi5y ago

> you're basically saying that users who are capable enough to even need/use decentralised version control systems are too dumb and incompetent

Do not put words in my mouth. I did not say that, you just did. I said that usability is a real concern, because no matter what you expect people to do, it will never work perfectly 100% of the time.

> I'm not talking about security in general.

You can say that now, but that's not what you said previously. "There's no such thing as a "trade-off" when it comes to cyber security"

> you instead share your entire private life with these companies?

Again, I did not say that. Github is a social coding network. I am not saying that I have all of the answers as to how this should work, but I am saying that if 1 member of a 100 person organization loses access to their account, and the other 99 members all confirm that their account access was lost via some event and assert their identity, you could have the start of a reasonable recovery path.

> the CEO running the show is in an entirely different category

Not sure what you mean by this. Are you saying that a CEO is just automatically more responsible and not going to lose something? Or are you saying that he's clearly just more important so it's okay to bypass the stated procedure for just him/her?

> Do you leave your house key under the doormat? Do you keep a post-it note with all your passwords taped to the back of your phone - you know, just in case you forget one and for convenience?

This is not even a valid comparison, and you're just trying to be condescending. I don't leave a house key under my mat just in case I lose it. But I also don't expect to never be allowed to enter my house again just because my key is lost.

> if you can't afford a data storage solution I seriously wonder why you have a need for a distributed version control system in a (semi-)professional environment.

Because many people use Github for non semi-professional environments? It is full of amateurs. Just because you don't find someone's work valuable, doesn't mean that they don't. Saying "Well it's not professional, so if you lost it then it doesn't matter" is not correct.

> 20 bucks for a protective case for your phone - no problem. 50 bucks for a half decent 1TB portable USB HDD to backup

You're comparing a 1 time action to a recurring action. I'm not saying that you shouldn't have back ups. You obviously should. But people are human beings. Even if 99% of people have perfect back ups, that's still 560k (according to Github home page numbers) that will have failed backups or some other issue.

PS. you keep widely including the term "decentralized", as if just because git is decentralized, that nothing on Github should matter. For better or for worse, Github has become the central git repository provider for millions of people. Claiming that Github services should be magically decentralized just because git is decentralized is an invalid claim. Because Github is not decentralized.

qayxcOP5y ago

>> I'm not talking about security in general.

> You can say that now, but that's not what you said previously. "There's no such thing as a "trade-off" when it comes to cyber security"

I literally followed that up by "either commit to it fully or don't use 2FA at all". You omitted crucial context there. Now I could have expressed that more clearly, sure, but the context is right there nonetheless.

>> the CEO running the show is in an entirely different category

> Not sure what you mean by this.

What I mean is that the guy is not just "a CEO" - it's the CEO of the very company in question here. So what I'm saying is that someone within an organisation - let alone the head of said organisation - has very different tools at their disposal than can or should be provided to their users.

> It is full of amateurs. Just because you don't find someone's work valuable, doesn't mean that they don't. Saying "Well it's not professional, so if you lost it then it doesn't matter" is not correct.

Amateurs don't lose 10s of thousands of dollars from losing their GH account. Again - omitting context. If your data isn't valuable to you (be that in terms of money of for sentimental reasons) then it doesn't matter indeed. Just like you'd protect physical assets, non-physical assets require protection as well and if you don't do that, said assets cannot be of much value to you, no?

> But people are human beings. Even if 99% of people have perfect back ups, that's still 560k (according to Github home page numbers) that will have failed backups or some other issue.

So what you're suggesting is putting 100% of users at risk because there's the odd chance that someone might lose data? That's just not reasonable at all.

> you keep widely including the term "decentralized", as if just because git is decentralized, that nothing on Github should matter.

Because it does matter in that all you need to do is to keep a local copy of your repo. With a centralised system you'd lose the most important part of the repo: the complete commit history and all branches.

This is not the case with git and "all" you'd lose would be external configuration, issues and Wiki pages, but even those can easily be exported and saved externally.

You can even re-import all of that to a new account if need be. Heck, you can setup triggers that synchronise the entire repo - including issues, projects and wiki to other providers or a local copy if you really want/need to.

The fact that millions rely on services like GH, GL, and BB doesn't change the nature of git.

Again - if your data is important to you - be that for monetary or private reasons - don't keep it in one place. Especially if that place can be locked away from you at any time for any odd reason. I don't understand why people these days have such a hard time understanding this, but using GH implies that you put your data on someone else's machine with little to no guarantees whatsoever.

None of these multi-million and billion dollar corporation deserve any of our trust and using their services comes with strings attached. Whining doesn't help - being aware of this and becoming a responsible and critical user who knows their options is what helps avoiding disasters like this.

PS: you should really start by looking into how git itself works (especially compared to centralised repos like SVN) to actually understand the importance of decentraised version control.

j / k navigate · click thread line to collapse