This is a great post, it captures the true essence of an engineer. It is funny, intriguing, and inspirational. Congrats! You are a hacker at heart.
When I went to the US for 3 months I joined PureGym and they gave me a PIN number. I cancelled my membership after that, and one day Chrome told me my PureGym PIN had been compromised. 2 years later, I went to the US again, rejoined, and received the same PIN. Massive red flag.
I was also intrigued by the app, the token and PIN, and remember finding a security flaw in the system that activates the hydro massage chairs. It accepts your PIN or any PIN, with no security at all.
In case anyone else was wondering, not all 8 digit pins are "compromised", although many are, and of course an 8 digit pin has limited security in any automatable scenario.
To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:
    using System;
    using System.Linq;
    using System.Net.Http;
    using System.Security.Cryptography;
    using System.Text;
    using System.Threading.Tasks;

    using var httpClient = new HttpClient();
    httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");

    while (true)
    {
        // Pick a random 8-digit PIN (Random.Shared is fine here: this is sampling, not key generation).
        var password = string.Join("", Enumerable.Range(0, 8).Select(_ => Random.Shared.Next(0, 10)));
        var hash = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));

        // k-anonymity: only the first 5 hex characters of the SHA-1 are sent to the API.
        var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");
        passwordRange.EnsureSuccessStatusCode();
        var allHashes = await passwordRange.Content.ReadAsStringAsync();

        // The response is "SUFFIX:COUNT" per line with CRLF endings; split on '\n' and trim
        // rather than on Environment.NewLine so a stray '\r' never ends up in the count.
        var splitHashes = allHashes.Split('\n').Select(h => h.Trim()).Where(h => h.Length > 0);
        var compromised = splitHashes.FirstOrDefault(h => h.StartsWith(hash.Substring(5), StringComparison.OrdinalIgnoreCase));
        if (compromised != null)
        {
            Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
            Console.WriteLine($"Hash: {hash}");
            return;
        }

        // Be polite to the API between random samples.
        await Task.Delay(1_000);
    }
The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.
My utility company used to include the bill amount in their email which I used to pay using my banking app. But no, where is the fun in that! So they built an app, because what is the utility of a utility company without an app, removed the amount from the email so that I can give my fingertips some much needed workout and open the cursed app just to see the amount. I think the app has a feature to pay as well but being the minor lord of pettiness that I am, I refuse to use that and still pay using my trusty banking app.
They do that to match your device ID or cookies with their customer records. Since cookies don't last long they prefer to have you do that every month.
> garbage company demand not just a email + pass but also security questions
thank goodness they do this, because I use the same email + password with my garbage as with my bitcoin wallet, my brokerage account and my online mistress finder app.;
I can't believe this criminal that is writing this. Won't people think of the poor data brokers that are sucking down data from this forced app about who he is, what his device profile is, where is location is etc?
It doesn't to me. I can tell AI writing because it has irrelevant details that don't add facts or colour to the story, but this doesn't have any of that really. The tangents come across as human, not AI doing a bad impression of human.
Things like em-dashes are a really bad way to detect AI because they can be good grammar and improve text readability, same with curly quotes. I use them all the time in my writing, and I wouldn't be surprised if this iOS dev feels similarly as Apple platforms have emphasised this stuff for years.
Humorously, after re-learning about em-dashes due to their use by AI (an otherwise forgotten part of high-school English), I started using them more often in my writing. They really do look nicer!
As an academic I’ve always used “delve”, too, so at this point I guess my writing is going to be flagged as AI a lot…
I do note that some of the AI slop I’ve received from students include other fancy Unicode characters (superscript numerals, variant Greek letters, blackboard bold R, etc.) that are difficult to type, and which especially would not be used in e.g. code comments. em-dashes at least can be produced by certain word processors or text IMEs automatically, whereas many of these others require specifically looking for the character.
> some of the AI slop I’ve received from students include other fancy Unicode characters... that are difficult to type...
This is the bit I'd still caution against. Yes AI does this, but also writing in some software will correct 1/2 to ½, writing in tools that support MathJax will give you nice greek letters, etc. At university I spent days setting up nice LaTeX setups so that I could get good looking documents, including documents that didn't immediately appear to be LaTeX authored.
I think it's best to focus on the content, the writing quality, whether it targets the right audience, and whether it answers the question or just features a lot of words in the right ballpark. Focusing on the specific words and mechanical features of the text is going to catch out the wrong students, and it's going to be harder to justify from your perspective because you can't score a student badly for using an esoteric unicode character.
Since you know the tells of LLM generated text, you'll know that this is a classic: No X. Just Y.
Proxyman -- pick your poison.
And if you're from PureGym reading this—let's talk.
There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.
"And if you're from [COMPANY] reading this[EM DASH]let's talk" is a classic GPT-ism.
It's like the API is saying "Hey buddy, I know this is odd, but can you poll me every minute? Thanks, love you too."
Shame Notifications: "You were literally 100 meters from the gym and walked past it"
It's just a ZIP archive with delusions of grandeur
Clear examples of fluff. Not only do these fail to "add facts or colour to the story", they actually detract from it.
I agree with you that em dashes in isolation are not indicative, but the prose here is dripping with GPT-speak.
OP here! Appreciate you actually pulling examples instead of just dropping "this is AI".
> There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.
The em dash conspiracy in the comments today is amazing -- I type double hyphens everywhere, and some apps (e.g. a Telegram bot I made for drafts, or the macOS' built-in auto-correct) replace them with em dashes automatically–I never bother to edit those out (ok, now this one I put here on purpose).
> It's just a ZIP archive with delusions of grandeur
> Clear examples of LLM fluff that don't "add facts or colour to the story".
Yeah, no that's fair enough, should've known better than to attempt humour on HN.
I've got to say though, pkpass is a ZIP archive, and no ZIP archive should require one to spend 3 hours to sign it.
I enjoyed the humour.
(We’re heading towards a sad world if any attempt at levity in an article is interpreted as evidence of LLM usage by critical killjoys.)
Edit: total random thought: something in your prose shouted ‘Brit’ to me very quickly. Is it possible that part of this is simply cultural differences in humour and writing, and over-interpretation of subtle differences as evidence of LLM use?
Or do LLMs just write in a subtly more British style because, well, Shakespeare and Dickens and Keats and Milton? Or does ChatGPT just secretly channel PG Wodehouse?
Authors use humour as a form of connection with their audience. It's a way of saying hey I'm a human and I have the same human experiences as you dear reader. Take the first paragraph for example:
> Wednesday, 11:15 AM. I'm at the PureGym entrance doing the universal gym app dance. Phone out, one bar of signal that immediately gives up because apparently the building is wrapped in aluminum foil
It says, "Hey I'm a human who goes to the gym and experiences the same frustrations as you do". Now imagine for a second this paragraph was written by AI. The AI has never been to the gym, the AI doesn't feel impatience trying to pass through the turnstile, the AI has never experienced the anxiety of a dodgy internet connection in a large commercial building. The purpose of any humour in this paragraph is completely undermined if you assume it was actually written by AI.
So please don't conflate being anti-LLM with being anti-humour. It's just the opposite. We want humour because we want to feel a connection with our fellow humans and for the same reason we should also want writing that comes from a human, not a machine.
> So please don't conflate being anti-LLM with being anti-humour. It's just the opposite.
I'm not.
I'm trying to analyse, or hypothesise, why this author's particular writing style seemed to trigger people's nascent LLM warning heuristics.
I considered the humour, because, well, other people brought it up. From the surrounding discussion, it seemed that the jocular writing style was one of the points generating suspicion.
"The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself. The same PIN that hasn't changed since the iPhone 8 was cutting-edge technology."
> Chrome told me my PureGym PIN had been compromised
This is likely a false positive, if chrome is using haveibeenpwned API.
e.g. A pin of 87623103
Hashes to 558B4C37F6E3FF9A5E1115C66CEF0703E3F2ADEE
We get the range from HaveIBeenPwned:
https://api.pwnedpasswords.com/range/558B4
And search for C37F6E3FF9A5E1115C66CEF0703E3F2ADEE
And see it's "Compromised" and seen 3 times before.
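The same k-anonymity check as the C# script earlier in the thread and the hash walk-through just above, as an added Python example that is not part of any comment here. The range response is constructed locally so it runs offline; the helper names, the decoy suffixes and the keyspace helper are my own additions.

```python
"""Offline walk-through of the Pwned Passwords k-anonymity range lookup."""
import hashlib
import math
from typing import Dict, Optional, Tuple

PREFIX_LEN = 5  # hex chars sent to the API; the other 35 never leave the client


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char digest into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = digest.upper()
    if len(digest) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response ("SUFFIX:COUNT" per line) into {suffix: count}.

    The live API uses CRLF line endings. Splitting on '\\n' and stripping each
    line keeps a stray '\\r' out of the count (splitting on a platform newline
    such as .NET's Environment.NewLine on Linux would leave it in).
    """
    counts: Dict[str, int] = {}
    for raw in body.split("\n"):
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def lookup_count(password: str, range_body: str) -> Optional[int]:
    """How often the password appears in the breach corpus, or None if absent."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range(range_body).get(suffix)


def constructed_range_response(password: str, count: int, decoys: int = 3) -> str:
    """Constructed stand-in for the network call: a CRLF range body that lists
    `password` `count` times plus a few decoy suffixes derived from unrelated
    strings, so the lookup has to match on the full 35-char suffix."""
    _, suffix = split_hash(sha1_hex(password))
    lines = [f"{suffix}:{count}"]
    for i in range(decoys):
        _, decoy = split_hash(sha1_hex(f"decoy-{i}"))
        lines.append(f"{decoy}:{i + 1}")
    lines.sort()  # the real API returns suffixes in sorted order
    return "\r\n".join(lines) + "\r\n"


def pin_keyspace_bits(digits: int) -> float:
    """Entropy of a uniformly random numeric PIN: log2(10 ** digits)."""
    return digits * math.log2(10)


if __name__ == "__main__":
    pin = "87623103"  # the PIN from the thread's worked example
    body = constructed_range_response(pin, count=3)
    print(f"SHA-1({pin}) = {sha1_hex(pin)}")
    print(f"PIN {pin}: seen {lookup_count(pin, body)} time(s)")
    print(f"PIN 00000000: {lookup_count('00000000', body)}")
    print(f"8-digit PIN keyspace ~ {pin_keyspace_bits(8):.1f} bits")
```

Against the live service you would GET `range/<prefix>` and pass the body to `lookup_count`; the constructed body only stands in for that response.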
> not all 8 digit pins are "compromised"
Sure they have been, I can send you a text file with all of them. It's 850MB, but i expect it compresses very well.
> 17385382
That's a truncated 9 digit pin of a unix timestamp.
Well yeah if you’re enumerating every 8 digit number you’re of course going to get parts of larger numbers.
Seems a stretch... What is special about that time?
I've received the same PIN from an entirely different gym chain, albeit one using the same door system.
As you say, a massive red flag indicating it's not using a lot of sources of entropy.
> Think about this for a second. The physical keypad -- exposed to British weather, coated in a mysterious film of protein shake and regret, probably being livestreamed to TikTok by someone's ring doorbell -- accepts my ancient PIN without question. But the digital QR code needs cryptographic rotation that would make the NSA jealous.
Great writing!
My favourite inexplicable feature of the PureGym app on iOS is that when you open it, it stops any audio you are listening to. In the same way as if you have opened another audio app. Yet it isn’t playing any sound. Crazy
Audio apps have greater permissions to run in the background, right? Wonder if it’s related to that.
"and very good reasons for not implementing Apple Wallet"
Judging by the screenshots, it looks like a thin wrapper around a mobile-optimized web site, or at best something like Flutter, so the likelihood that they have in-house developers that are sufficiently versed in the dustier corners of Apple's APIs is slim.
This is it. It's a well-established gym chain, their core business is getting subscriptions and making it hard to unsubscribe - not development. If you're lucky, they have a couple of in-house web developers working on website and database maintenance, who then ask a contractor to just "make it run like an app". If you're unlucky, they outsource all their web operations to a contractor that milks them every time they want to change a title from H2 to H3.
So why can’t they learn? We have Google, we have Stack Overflow, we have LLMs. My cynical take is that there’s just nobody there who gives a shit about the UX, most likely the team that built all of their backend stuff is long gone (quit or laid off) and now there’s a skeleton team of the cheapest possible engineers just keeping it running.
I used to work in the fitness industry, and we built apps for some big players (not PureGym, though they were a customer for other parts of our stuff). Anyway, we'd often sit in meetings with them to discuss new features. One time, we discussed adding notifications. They got hung up on this -- there were about 8 different departments -- and they decided to add a notification to ask how clean the gym was... because it was "safe". These people, in general, are terrified of scaring away members by bothering them about anything.
But yeah, we cared deeply about the UX/UI, but these things are built by committee and the committee is pretty dumb, very political, and non-technical.
It is a gym app. Realistically as the article says it really doesn't have to change much.
The UX of that app is actually "ok". While it is a wrapper around their mobile site it works well enough.
I’ve used PureGym before, as the author points out the app is terrible, even on a good signal it takes 30s+ to “warm up”, whatever that means. I don’t want the app to “warm up”, I want the QR code right now, I’m left standing outside the gym like an idiot waiting for the bloated app to call a REST endpoint.
I suspect they don’t care. They have “an app”.
It’s probably developed by one or two people, likely not full time, who spend most of their time on it implementing whatever the next special promotion needs, not stuff users want.
Because that’s what they’re told to do with the little time allocated to it.
I was talking more generally about the general design of the app. It is "ok".
I have a really rubbish signal (I live in the sticks in the North West). There was almost no reception near the gym. It never took 30 seconds. Generally the QR code itself wouldn't get recognised by the scanner. I just ended up using the 8 digit code. This was using the iPhone app.
I ended up cancelling because quite honestly I prefer walking and cycling. But I was using them until earlier this year.
Considering Pure Gym is cheap, has reasonably decent equipment and is kept clean (at least where I am). The app being a bit shit sometimes is like a whatever problem IMO.
But exactly. The one thing you care about in a gym app is getting into the gym!
The app isn’t PureGym's core business though. I’d rather they spend £200k on extra squat racks in the gyms than on better UX on their app.
I can just memorise the 8 digit entry code and never ever open the app.
> So why can’t they learn?
Who "they"? The vast majority of companies don't have a staff of programmers. These apps are outsourced to cheap consultancies.
They are likely using cheap labour from India or something.. the deal went to the lowest bidder.
Ya and if they add apple wallet they have to do android wallet and then that’s more code to maintain. But they could make the in house app always show the QR code on launch.
I have the app on my phone (I just used to use the pin key pad). It looks like a wrapper around their website.
Because if you know someone's email address, it sounds like you get API access fairly quickly after that?
Also I trust that the scopes that you can ask for are limited appropriately?
I think the even better crown jewel here is that the code is predictable, with no lock-out facility at the gym door for wrong attempts. The format is (or was when I signed up) something in the format
> [minute of the hour you created the account][random number, 2 digit][day (or maybe month) of birth][year of birth]
So <59341295> is the code for a user who signed up at :59 past the hour, and their birthday is December 1995.
If you know someone’s birth month, you can just scan through ~6000 possible codes in a for loop to get their access code. At my gym, the PT coaches would celebrate their clients birthdays loudly,
I’d not be surprised if the random number component was just an integer that increases with each sign up at a gym.
OP here!
> it sounds like you get API access fairly quickly after that?
Yes, that's correct; I am yet to hit the rate-limit but from my experience with the official app/website, it's quite forgiving to failed attempts.
The scope in the post is the one used by the app and other unofficial clients on GitHub [1][2], so I doubt there are more options beyond that.
--
[1] https://github.com/0wain/puregym-api-php-wrapper/blob/main/s...
[2] https://github.com/2t6h/puregym-attendance/blob/main/puregym...
I love reading about this sort of thing. My personal solution to the issues with the app and the wait for it to work (if it worked) was to memorize the pin. I believe I'm still quicker getting in than even the OPs solution, and with less hassle too since I don't need a device or any services.
"if we build that feature, we'd have to own it."
"You're right, keep it on the 2028 roadmap"
That would be my experience in tech at least.
I mean, the experience from my department meetings where we discuss the roadmap and plans.
"Does it earn us money? Because doing it does _cost_ us"
It's really that simple (and the to do/wishlist is actually long).
The best thing PureGym could do now? Pay the guy a couple of grand for the app AND give him a lifetime membership.
Love the writing style, good fun but full of interesting technical detail too
> A Pass Type ID certificate from Apple Developer Portal
How much does this cost? I'd love to create Apple Wallet passes for things, but I'm wary of setting up an Apple Developer account and paying even more fees for just this.
As far as I can tell, it’s included with the base product. But to keep it active you’d have to renew the developer subscription every year.
Did I interpret correctly that this sends a push notification every minute telling your phone to download a new code? If so, that seems like a battery problem…
The article mentions they need to be refreshed every week, so I'd guess at most once a week.
The RefreshAt is a week, but if the code is actually valid for a week, it's not clear why a simple screenshot of the code didn't work.
It seems like it did work and they didn't want to deal with manually updating it weekly
Because you’d have to waste the time to take a new screenshot every week, of course.
I don't know security that well but if the puregym app refreshes the token then the old tokens would expire immediately right?
Nope. As I read it, any token less than a week old would work. So for any user, they have 7 * 24 * 60 tokens live at any time.
He said the code from Monday didn't work on Tuesday
Yeah, screenshot on Monday, messed with the app that evening, tried using it Tuesday morning -- dead.
I've seen people on PureGym's Twitter successfully refreshing screenshots weekly though, and the API response suggests the same.
That being said, I couldn't find a validation endpoint to check if mine got invalidated by something specific (maybe signing out?) or if there's some other magic happening.
I wonder if opening the app invalidated it, and those people who had it working just screenshot once.
My gym has a similar system but I realised it's time based and the app functions without Internet. I installed the app onto an old android with no sim, logged in at home over WiFi and it successfully regenerated QRs without data
no
You can send background push notifications which are delivered when the phone is ready for them. They don't deliver when the phone is low battery or in low battery mode. It's specifically made to reduce battery consumption.
Higher priority push notifications require a user visible UI element and can be delivered regardless of certain low power situations.
It sounds like this only helps power consumption after you've already run low on power. Seems like processing frequent notifications would accelerate your progress toward that low power state.
> Higher priority push notifications require a user visible UI element
The QR code for a pass sure sounds like a priority user visible UI element.
Only if it’s visible, from the sound of it these are background notifications so that the QR code can be ready if you open the pass.
I’ve always used the physical PIN code to get in because I just instinctively don’t trust the app to load reliably; never felt so validated
Both the PIN and the app feel like terrible ideas. The gym I go to uses NFC wristbands, for the turnstiles but also for the lockers.
I've never been to a PureGym; if you guys use a PIN-pad to enter does that mean they're like those unattended 24/7 gyms?
...or if they do have an attendant there, why can't they let you in with a friendly greeting like they used to in some imagined past?
They're 24/7. There are usually some staff onsite during the day, but all the entry/exit stuff is always through the automated gates.
on security theater: the morons running my garbage company demand not just an email + pass but also security questions in order to login and... pay your bill. That's the functionality available.
Example security question: favorite book. Which is, naturally, case sensitive.
Someone wrote this to prevent people from stealing my password and paying my bill.
In the past, every company thought they were the next Facebook and needed to build complex super-scalable architecture because tomorrow a million users would appear out of nowhere and try to log in at the same time.
Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.
> Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.
But this is demonstrably the case today... I don't think I've gone a week without hearing about some major data-breach.
...my own org got h4x0red a few months ago: our CEO didn't have 2FA enabled on his God-tier global-admin-rights OIDC/SSO login and somehow, someone found our internal login page, had a snoop around, found our Twilio account keys and sold them off to some spammer who then sent spam texts to our customers (fortunately our (immutable) access logs showed there was no further intrusion, but it was still an incredibly unsettling experience considering how uninteresting and un-sexy my SaaS day-job is).
...so if it can happen to me, a random fellow HN troglodyte, then it can happen to you; or the hospital down the street from my old office[1].
In conclusion: we're doomed.
[1] https://therecord.media/seattle-fred-hutch-cancer-center-ran...
Except in the real world almost every gym I've used just gives you a keychain barcode with your account number and it works fine. You scan in and it checks whether you're current. Maybe shows your picture to a front door attendant on their computer. No complicated cryptography required.
A gym requiring an app would be a hard no from me. I don't know why anyone (especially technical) would put up with that.
...and, of course, all of these companies are just as bad at security as they are at scaling - they don't even have the capacity to understand (organizationally - I'm not anthropomorphizing them) that Experian happened because their servers were breached, not because users' accounts got stolen.
It's pathetic. There should be regulation that prevents overly onerous "security" controls on users accounts.
There has been a spate of Russian hackers recently paying other people's garbage bills, it's becoming an epidemic. The company is right to want to curtail it by asking you for your favourite books, which is the hobbit, not the Hobbit
My utility company used to include the bill amount in their email which I used to pay using my banking app. But no, where is the fun in that! So they built an app, because what is the utility of a utility company without an app, removed the amount from the email so that I can give my fingertips some much needed workout and open the cursed app just to see the amount. I think the app has a feature to pay as well but being the minor lord of pettiness that I am, I refuse to use that and still pay using my trusty banking app.
They do that to match your device ID or cookies with their customer records. Since cookies don't last long they prefer to have you do that every month.
More details here: https://hightouch.com/blog/what-is-identity-resolution
> garbage company demand not just a email + pass but also security questions
thank goodness they do this, because I use the same email + password with my garbage as with my bitcoin wallet, my brokerage account and my online mistress finder app.
Enjoyed reading it
I have no idea if this was written by AI, and frankly I don't care. I really enjoyed reading and appreciated the humour.
I'm curious to see how easy this would be on Android and to have an auto updating QR code widget on my home screen.
Wallet is spelled incorrectly under subheading “The Swift backend nobody asked for”
I can't believe this criminal that is writing this. Won't people think of the poor data brokers that are sucking down data from this forced app about who he is, what his device profile is, where his location is etc?
this reads like chatgpt dribble
It doesn't to me. I can tell AI writing because it has irrelevant details that don't add facts or colour to the story, but this doesn't have any of that really. The tangents come across as human, not AI doing a bad impression of human.
Things like em-dashes are a really bad way to detect AI because they can be good grammar and improve text readability, same with curly quotes. I use them all the time in my writing, and I wouldn't be surprised if this iOS dev feels similarly as Apple platforms have emphasised this stuff for years.
Humorously, after re-learning about em-dashes due to their use by AI (an otherwise forgotten part of high-school English), I started using them more often in my writing. They really do look nicer!
As an academic I’ve always used “delve”, too, so at this point I guess my writing is going to be flagged as AI a lot…
I do note that some of the AI slop I’ve received from students includes other fancy Unicode characters (superscript numerals, variant Greek letters, blackboard bold R, etc.) that are difficult to type, and which especially would not be used in e.g. code comments. Em-dashes at least can be produced by certain word processors or text IMEs automatically, whereas many of these others require specifically looking for the character.
> some of the AI slop I’ve received from students include other fancy Unicode characters... that are difficult to type...
This is the bit I'd still caution against. Yes AI does this, but also writing in some software will correct 1/2 to ½, writing in tools that support MathJax will give you nice greek letters, etc. At university I spent days setting up nice LaTeX setups so that I could get good looking documents, including documents that didn't immediately appear to be LaTeX authored.
I think it's best to focus on the content, the writing quality, whether it targets the right audience, and whether it answers the question or just features a lot of words in the right ballpark. Focusing on the specific words and mechanical features of the text is going to catch out the wrong students, and it's going to be harder to justify from your perspective because you can't score a student badly for using an esoteric unicode character.
"And if you're from [COMPANY] reading this[EM DASH]let's talk" is a classic GPT-ism.
Clear examples of fluff. Not only do these fail to "add facts or colour to the story", they actually detract from it. I agree with you that em dashes in isolation are not indicative, but the prose here is dripping with GPT-speak.
OP here! Appreciate you actually pulling examples instead of just dropping "this is AI".
> There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.
The em dash conspiracy in the comments today is amazing -- I type double hyphens everywhere, and some apps (e.g. a Telegram bot I made for drafts, or macOS's built-in auto-correct) replace them with em dashes automatically–I never bother to edit those out (ok, now this one I put here on purpose).
> It's just a ZIP archive with delusions of grandeur
> Clear examples of LLM fluff that don't "add facts or colour to the story".
Yeah, no that's fair enough, should've known better than to attempt humour on HN.
I've got to say though, pkpass is a ZIP archive, and no ZIP archive should require one to spend 3 hours to sign it.
I enjoyed the humour. (We’re heading towards a sad world if any attempt at levity in an article is interpreted as evidence of LLM usage by critical killjoys.)
Edit: total random thought: something in your prose shouted ‘Brit’ to me very quickly. Is it possible that part of this is simply cultural differences in humour and writing, and over-interpretation of subtle differences as evidence of LLM use?
Or do LLMs just write in a subtlety more British style because, well, Shakespeare and Dickens and Keats and Milton? Or does ChatGPT just secretly channel PG Wodehouse?
Authors use humour as a form of connection with their audience. It's a way of saying hey I'm a human and I have the same human experiences as you dear reader. Take the first paragraph for example:
> Wednesday, 11:15 AM. I'm at the PureGym entrance doing the universal gym app dance. Phone out, one bar of signal that immediately gives up because apparently the building is wrapped in aluminum foil
It says, "Hey I'm a human who goes to the gym and experiences the same frustrations as you do". Now imagine for a second this paragraph was written by AI. The AI has never been to the gym, the AI doesn't feel impatience trying to pass through the turnstile, the AI has never experienced the anxiety of a dodgy internet connection in a large commercial building. The purpose of any humour in this paragraph is completely undermined if you assume it was actually written by AI.
So please don't conflate being anti-LLM with being anti-humour. It's just the opposite. We want humour because we want to feel a connection with our fellow humans and for the same reason we should also want writing that comes from a human, not a machine.
> So please don't conflate being anti-LLM with being anti-humour. It's just the opposite.
I'm not.
I'm trying to analyse, or hypothesise, why this author's particular writing style seemed to trigger people's nascent LLM warning heuristics.
I considered the humour, because, well, other people brought it up. From the surrounding discussion, it seemed that the jocular writing style was one of the points generating suspicion.
The AI dashes mixed with the manual double hyphen AI dashes make it likely
I don't like the baseless LLM accusations, but the code comment
> // Device wants updates! Store that push token like it's bitcoin in 2010
...really had me raising my eyebrows. Along with the mixed em-dash and hyphens and the AI generated images on the page.
I would absolutely write a comment like that in code I was writing for a personal project. I’ve written way worse as well.
There were a few spelling mistakes
Ah yes, because we all know that ChatGPT is capable of writing coherent texts with consistent humour and details on a technical topic.
The word you’re looking for is “drivel.”
100%
"The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself. The same PIN that hasn't changed since the iPhone 8 was cutting-edge technology."
Reads directly from ChatGPT