chrisoverzero's comments

Where are you from that you consider all of these groups to have the same pronunciation?


The criteria for my list is that they are taken from real life misspellings, mostly from Facebook or YouTube comments but also from news media. I have noticed that a lot of people don't bother to consider the proper spelling of words but rather they just spell a word however it sounds to them. So apparently some people pronounce these words the same. Feel free to make your own list of multinyms that fit your own criteria.


Warning, very broadly generalizing now, but here goes...

> I have noticed that a lot of people don't bother to consider the proper spelling of words but rather they just spell a word however it sounds to them.

This is my "spot the native English speaker" trick. Some native speakers consistently type "your" no matter if they mean "your" or "you're", and either "their" or "there" whenever they should have used one of "their", "there" or "they're".

My experience is that people who have learned English as a second language don't make this particular mistake as much - although we make tons of other mistakes, of course!

My guess is that the cause of this is that native speakers learn the language mostly by listening, long before they learn to read and write. Consequently, to them a word is primarily defined by its pronunciation. Its spelling is a secondary property that's attached years later.

For second language speakers, a word's spelling is usually something they're exposed to immediately when they learn the word - in many cases even before they learn how it's pronounced. To them, the spelling is what primarily defines a word.

It's a bit frustrating. I tend to get confused when "your" is used in place of "you're", and I usually have to reread the sentence once before I decipher the meaning.


Having a nonstandard American dialect is even worse. Texas dialects have a much broader set of larger contractions than coastal and Midwest accents. Autocorrect becomes an active enemy when I'm trying to type "I'd'nt've" or "y'couldn't'v'nt'd".


> Autocorrect becomes an active enemy when I'm trying to type "I'd'nt've" or "y'couldn't'v'nt'd".

This must be the first time I'm on Autocorrect's side ;->


What is the "nt'd" supposed to be short for?

"y'couldn't'v'nt'd" to me sounds like "you couldn't have unted", which is true as I've never "unted" anything in my life.

I guess "I'd'nt've" means "I don't have", but in British English we'd still write that as "I don' 'av'" (as we'd also drop the t).


I dunno man. I'm just typing what I hear & say. The first is "I do not think I would have done that", more or less. The second is "I could not have done that" but with an agreeing second negative? Like a hill people "I wouldn't do that if I weren't you."


Perhaps "I'd'nt've" is intended to be "I'dn't've", i.e. "I would not have":

I would -> I'd

would not -> wouldn't

So "I would not" -> "I'dn't"?


Sure, but I was asking about the "'nt'd" at the end of all that.

As a British English speaker, I can't even guess what verb they're trying to say that they wouldn't / couldn't have done.


Sorry, I should have made clear I was responding only to this part of your message:

> I guess "I'd'nt've" means "I don't have"

I think it meant 'I would not have', not "I don't have".


Hmm, that seems to stray from the general definition of "multinym" as used in the OP.

If we did stick with the idea of pronunciation, some of the examples from your list could be included if we allow regional accents, e.g. steel-still, peel-pill. However, those accents would also include many other sets not in the OP. barren-bearing particularly stands out, because I can't think of any accent that pushes those together audibly.


In the United States South, it's very common to drop the 'g' at the end of a word ending in '-ing'. barren-bearing can definitely sound the same here.


In American English, terminal d's and t's usually sound the same unless the speaker takes deliberate care to enunciate them, so that would cover the greater and pedal cases.


Earth?


> First of all, please do not ignore this email, this is not a scam attempt nor am I trying to sell anything, I am just alerting and looking for help closing down a security issue […]

This seems like a good hint.


I can't tell if people are being deliberately dense as a way of punishing me for having a critical opinion, not reading the rest of the comments before responding to me, or genuinely do not understand what I am getting at.

A hallmark of a nefarious email (particularly scams but some sales attempts) is that they aim to deceive you. Humans famously have the capability of lying. Someone telling me they are _not_ selling something or scamming me doesn't actually tell me what they want, and it does not provide me with enough information to know that they are not, in fact, scamming me. It just lets me know they don't want me to think I am being scammed.


> A hallmark of a nefarious email (particularly scams but some sales attempts) is that they aim to deceive you.

The very first email has literally everything the company needs to locate and fix the issue without having to sign anything, log into anything, or pay anything.

That is the opposite of a nefarious email.

Nefarious "beg bounty" emails will tell you that you have an issue and then not tell you where it is -- asking for money before revealing the issue.


FWIW, I get several of these emails per week, as the first-reader of security@ emails, and they're almost always scams, sales pitches, or poorly-disguised bounty sniffers.

I can't even count the number of times I've been informed that Wordpress.com (.com, not self-hosted) has severe vulnerabilities. And those are the plausible reports.

But I always respond professionally and with civility, obviously, because if they have useful information for me, I want to hear it.

In defense of the researcher: Their message was better than most, and explained the issue found directly instead of couching it in BS claims. That's good.

In criticism of the researcher: They should have linked to their website where they publish reports, and been more plain about their modus operandi from the outset. Let the company know exactly who they're dealing with, and what to expect. Stating it in a sentence is "good", but linking to the evidence is much more credible.

I've been on both sides of this relationship. My dumbest experience was with a large bank (HQ in the Netherlands, but operating in several countries including the US and AU, and now acquired by a US bank). I reported a total account compromise vulnerability which would affect 12.5% of their users. I thought my email would be well-received and the (very simple and externally-obvious) issue quickly resolved. Instead I got threats and hostility from some SVP IS nitwit. I told him to go pound sand obviously, and it took them a week to fix the problem. My SO was a customer (which is the only reason I noticed the issue), but not for long. :)


Agreed that the wording to fully understand my intent might not be present on the email and is only achieved when you look at the whole email and what information I provide etc. I've been trying different things to see what works, as unfortunately I get ignored totally, A LOT.

That is also the reason there is no direct link to my publications on the actual emails, another link to add suspicion of phishing that leads to being ignored. I do provide a link to my index with all my public finds on the signature of the email though.

Also a Google search of my handle, which I sign and mention on the email, would get multiple hits for reputable news websites such as Databreaches.net, TechCrunch, The Register, Publimetro, but it doesn't seem companies do much vetting at all before ignoring the alerts.


I think your email report was good.

I think your blog post was a bit juvenile. Amusing maybe, but you're a professional and there's no need to resort to name-calling. Let the toddler's behaviour speak for itself. You don't need to laugh at them in public. It's fun though, I get it. Just gratuitous.

My recommendation to you, to turn your email report from "good" to "great", would be something like this:

------------

> Hi, I'm an independent security researcher and I publish my findings under the name "Yyyy". My primary website is yyyy.com and I've had reports published in Blah, Blah, and Blah. A quick web search will tell you more about me and my background.

> I'm writing to report an issue I noticed in toddlerceo.com. Specifically:

> (your good and complete list of specifics here, including exposure risk and high level mitigation notes if practical).

> My intent is to improve the security of the Internet, and to write about the kinds of issues I've discovered. The issue I've described here will make for an interesting and valuable article, but I don't want to publish until you've had a chance to fix the issue, so my standard procedure is to delay publication for 30 days. I'll work on the article now, and schedule it for publication on March 24th, 2025.

> Please let me know if you need any more details on the issue I've found.

----------

This may be more than they deserve! But that's OK, because you're a professional and if you are lucky enough to get a professional on the other side of the conversation, you will earn their respect, at no cost to you.

And let's be honest: your motivation for writing this article is self-promotional. You want work. Impress the CEO/security officer/etc, and you will get work, or referrals for work. So it may be more than they deserve, but it works in your interests too.


> They should have linked to their website where they publish reports, and been more plain about their intentions from the outset.

I don't get this. Their intentions should be clear by the fact that they reveal the entirety of the issue (what's wrong, why it's wrong, where to find it) in the first email. They don't ask for money, hide information behind further correspondence, or anything else that would raise suspicion.

The company has everything they need to locate, verify, and fix the issue without having to ever interact with the security researcher again. That's about as obviously well-intentioned as you can get.


Like I said, it was "good", and better than most.

But as the reader of lots of these emails, I'm always happier to hear from someone who is able to establish their credibility and intentions with public evidence from the beginning of the conversation.

I'd like to know that I'm dealing with a professional, who takes their work seriously. And I'd like to know if I'm going to be dealing with fallout from next month's feature article as a matter of course, or if I'm being extorted to avoid publishing. (This is a thing).


> establish their credibility

> I'd like to know that I'm dealing with a professional, who takes their work seriously

As a sender of these emails, my credibility is established when you go to the location I say there's sensitive data being leaked, and you find sensitive data being leaked. Nothing else should matter.

Are you just going to keep data exposed publicly if, for example, some curious kid notified you instead of a professional?

Hostility to good-faith security research, as shown in the OP's article and in some of the comments here (not specifically you), makes everyone worse off.

Having myself received hostility, demands to prove my credibility, and legal threats when sending notifications like OP's, in most cases now I don't bother to notify anyone. Instead, the data just sits there, accessible to the actual bad guys. Hurray!


No, your "correctness" is established. The credibility of your report is established.

But your credibility as a professional non-extortionist is absolutely still in question, unfortunately.

Again, I've been on both sides. Being the only professional in the room is sometimes the way things work out. But that's OK, because you can walk away from the conversation still being the professional, and they cannot. This pays dividends.

I've run across people years later who apologized for being a jerk in our previous exchange. They were under pressure, didn't fully understand, felt insecure, blah blah whatever who cares. But they realized their error and got smarter for it. And I gained their respect. That doesn't work if you don't stay professional.


If I'm asked to be more professional or to prove my credibility to someone leaking the data of their customers, I just laugh. I owe nothing to the company being negligent. A notification email with all the pertinent details is what you get.

If a company isn't going to act on it after confirming my "correctness" just because they want me to show them my diploma and resume, that says a lot more about the company than it does me.

But don't fret, as I said the number of companies that forced me to jump through hoops to report a security issue, or threatened me after reporting one, has made it so I don't often bother anymore. Hopefully someone with a more professional tone emails instead, before the data gets sucked up by Lazarus Group or whoever.


I think we're talking past each other.

Of course you don't owe them anything. And the disclosure is a gift, unless you also use it for self-promotion, which is the usual compensation model aside from bounty programs.

But if you want to improve the ratio of reasonable-to-hostile responses, it's worth spending an extra couple minutes composing your presentation in the most digestible way. Also it's good for business.

If you're serious about helping to improve the net, or being a good netizen, you'll understand that recipients come in all shapes, and you have the best chance of achieving your goals if you make a small extra effort.

If you're at all worried that your report will evoke a hostile response, you always have the option of reporting it anonymously. I've done this, and it does work (vulnerability gets fixed).

Or if you just want to laugh at the colossal morons who don't take you as seriously as you believe you deserve, then sure whatever.


Did you look into where the Executive Director and the Head of Finance & Funding live? (Cardiff, Wales and Oxford, England, respectively.)


> if you don’t have an explicit type hint in a variable declaration, even readers that are using an IDE have to do TWO jump-to-definition actions to read the source of the variable type.

This isn’t necessarily the case. “Go to Definition” on the `val` goes to the definition of the deduced type in the IDEs and IDE-alikes I’ve ever used.


> No, they had the option of having a real conversation in private about what we could do to improve the overall situation.

Abusing others individually in public, but expecting a quiet word on the side about “the overall situation” when it comes to your own behavior. I hope you realize something from this.


Do you want to de-escalate or make flame wars?


I want superiority de-coupled from technical expertise in the minds of the people who have the latter.

Taking his personal struggles out of kernel development and onto Hacker News was the escalation – pointing out his hypocrisy is only trying to get people who agree with him to realize that they’re wrong.


`I want superiority de-coupled from technical expertise`

So you want to take the power to produce taken away from the producers and coalesce it into the hands of those who do not produce for the sole purpose of controlling those who do produce.

You're literally a walking Orwell quote.


Sure, but at the time that Apple made the decision, they had $0.0 trillion in billings and sales.


A decision which changed once, you know, they saw the income potential.


I was there, part of a small community writing apps pre-SDK.

Neither I, nor anyone else, can promise you it wasn't just a simple $ calculation.

That being said, literally every signal, inside, outside, or leaked, was that apps / public SDK, if it existed meaningfully before release, had to be accelerated due to a poor reaction to the infamous "sweet solution", web apps.

I agree it's logically possible, but I'd like to note for the historical record that this does not jive with what happened, at the time. Even setting that aside, it doesn't sound right in the context of that management team. That version of Apple wasn't proud of selling complements to their goods, they weren't huge on maximizing revenue from selling music or bragging about it. But they were huge on bragging about selling iPods.


Thanks. I appreciate your information. Always nice to know how things started.


But if you’re constantly pinging the container (as suggested above), it will never scale to zero.


It "scales to zero" as soon as the request stops as far as billing is concerned.

However, the image remains "warm" and incurs zero cost once the last request ends. So I usually have a `/heartbeat` endpoint for this purpose and point a Cloud Scheduler job at it.

I haven't read the docs to figure out the exact heuristics of when it becomes "cold" again.


You clicked on a video from Real Engineering titled “How Nebula Works” hoping to get answers to legal and financial questions? I think videos with titles like “How Internal Combustion Engines Work” would also deliberately dodge legal and financial questions. Because they’re not what the video is about.


The creator of the channel Legal Eagle is also one of the six main Standard Broadcast owners (with Real Engineering) mentioned in the article, so it sounds like we are waiting for the Legal Eagle "How Nebula Works" video.


> The BSL doesn't make it closed source […]

Yes, that’s right!

> But BSL doesn't disqualify software from being open source.

No, that’s wrong: https://spdx.org/licenses/BUSL-1.1.html

> The Business Source License […] is not an Open Source license.


> […] changed from liberal to conservative for the first time in its existence.

Not at all: https://en.m.wikipedia.org/wiki/Lochner_era


Also: the court hasn't had a liberal tilt in something like 30 years (when Clarence Thomas replaced Thurgood Marshall in 1991).

Despite Anthony Kennedy not voting with the conservative bloc 100% of the time, he voted with them far more often than with the liberal bloc.

https://en.wikipedia.org/wiki/Rehnquist_Court is probably a better timeline for when the court changed from liberal to conservative.

