IT'S A TRAP!
If your app is successful, their infrastructure will see all the traffic and your responses, and will be able to mimic what you do and kick the husk of your app into the weeds. (Unless your function comes from some massive unique dataset they can't buy access to.)
I’ve seen airline training videos about in-flight battery fires. But I’ve never considered the risk of ear buds catching on fire. Normally, you should feel them heating up before they catch, but they might just blow, which would be very sore. Also, if you’re sleeping with buds in, you could end up with a fire before you woke up.
“In addition, according to relevant laws, regulations and national standards, we may share, transfer, and publicly disclose personal information without your prior authorization and consent in the following situations:
Those directly related to national security and national defense security;
Directly related to public safety, public health, and major public interests;
Those directly related to criminal investigation, prosecution, trial and execution of judgments;
In order to protect the life and property of the personal information subject or other individuals, but it is difficult to obtain the consent of the individual;
Personal information subjects disclose personal information to the public on their own;
Collect personal information from legally publicly disclosed information, such as legal news reports, government information disclosure and other channels.”
Under Chinese law everything is national security if the state asks for it.
The last sentence looks like they give themselves permission to collect as much information about their users as possible.
In any case I can’t see any way they are compliant with GDPR.
The issue that many schools face is that companies complain that the grads, even with PhDs, are not able to do anything useful in the workplace. When my wife did her PhD more than 10 years ago (in the UK) she was required to take a stack of ungraded workshops under the label “professionalizing the PhD”; it was a totally annoying waste of time for her. The stuff was “basics of Excel”, “Research poster making”, “intro to Adobe suite”, etc. This was done because the university had received feedback that PhD grads could literally do nothing useful when hired.
From the article:
“About 60% of the grades handed out in classes for the university’s undergraduate program are A’s, up from 40% a decade ago and less than a quarter 20 years ago, according to a report released Monday by Harvard’s Office of Undergraduate Education”
Harvard is currently under a lot of pressure from donors, courts (loss of case on admissions), and political pressure from the US administration.
Awarding 60% A’s does not help them make the case that they know what they are doing and should just be allowed to carry on.
That was a very interesting discussion. I had seen a magnet fail to stick to a stainless camping cup last week and was puzzled. I have worked in metal forming in the past but did not do a lot with stainless. So, really interesting.
I see a lot of comments here about using some browser that will allow ME to see sites I want to see, but I did not see a lot about how I protect my site or sites of clients from being subjected to this. Is there anything proactive that can be done? A set of checks, almost like regression testing? I understand it can be a bit like virus builders using anti-virus to test their next virus. But is there a set of best practices that could give you a higher probability of not being blocked?
> how I protect my site or sites of clients from being subjected to this. Is there anything proactive that can be done?
Some steps to prevent this happening to you:
1. Host only code you own & control on your own domain. Unless...
2. If you have a use-case for allowing arbitrary users to publish & host arbitrary code on a domain you own (or subdomains of it), then ensure that domain is a separate, dedicated one from the ones you use for your own code, so that it can't be confused with your own hosted content.
3. If you're allowing arbitrary members of the public to publish arbitrary code for preview/testing purposes on a domain you own, have the same separation in place for that domain as mentioned above.
4. If you have either of the above two use-cases, publish that separated domain on the Mozilla Public Suffix List: https://publicsuffix.org/
That would protect your domains from being poisoned by arbitrary publishing, but wouldn't it risk all your users being affected by one user publishing?
Allowing user publishing is an inherent risk; these are good mitigations, but nothing will ever be bulletproof.
The main issue is protecting innocent users from themselves. That's a hard one to generalise solutions to & really depends on your publishing workflows.
Beyond that, the last item (Public Suffix List) comes with some decent additional mitigations as an upside, the main one being that Firefox & Chrome both enable more restrictive cookie settings while browsing any domains listed in the public suffix list.
---
All that said, the question asked in the comment at the top of the thread wasn't about protecting users from security risk, but about protecting the domain from being flagged by Google. The above steps should at least do that pretty reliably, barring an actual legitimate hack occurring.