Hacker News: jmediast's comments

heh, the devs were telling me about an issue they solved with caching, sounds like a side-effect


Looks nice!

I'd like to see a feature where I give it a budget, maybe a temperature preference, and it books me a random trip.


I'm not sure I'd worry about that... if the proposed laws were worse, then I think you'd see another SOPA/PIPA style reaction.

And then you have to consider the chances that a response from the administration will actually start an investigation / reformation.

For better or worse though, I guess I'm willing to see where it goes.


If it's anything like ours, they don't like to touch systems that 'work'... They don't have the resources to audit, update, and re-train everyone to use the current version.

Then there are the students hired to build internal tools who wouldn't know SHA1 from Bcrypt/Scrypt...


It's not my dump, so I can't say. I've only been able to verify the University of Michigan data is real.

Doesn't look like anything too critical was hit though.


> Doesn't look like anything too critical was hit though.

Except, you know, the password hashes of everybody.


It seems like they "fixed" people being able to read the passwords by replacing the form value with __USE_EXISTING__...

It's still trivial to automate account takeover though. Here's a PoC to take over pandora accounts on your network using MITMProxy and Tornado: https://github.com/JackWink/Pandora-Account-Takeover-Tool



Proof that 99% of generating good conversation on HN comes from a well-phrased title.


No, most of it is timing and simple luck. If you hit the right time of the day (when there are a lot of users present but not a ton of news) and get the first few votes in a good time (which is mostly luck), you'll make the front page.


Actually, proof that a provocative but false headline on HN will still get the sheep to vote up your article. ;-)


For the record, the title was actually edited from what I submitted it as.


...and it is still wrong. They do hash their passwords.


Encryption is not the same as hashing.

That said, when I said the title was edited, I was not referring to myself editing it.


> Encryption is not the same as hashing.

UPDATE: http://news.ycombinator.com/item?id=4552358

If mrb is right, it looks like they are storing it locally without encryption, which is indeed bad.

What I had written before seeing that:

======================================

Yes it is not. As a consequence, they are not mutually exclusive.

The title would be correct if it said, "Pandora stores encrypted passwords locally". Guess how much less interesting your post would be with that title? ;-)

They hash their passwords. They encrypt their passwords.

I'd prefer they only did the former, but the fact that they do the former at all is NOT what most people commenting on this thread understand.


Over 100 days ago... Now I'm outraged that the HN community didn't notice this before! xD


I actually found this a couple weeks ago when I was getting ideas on what they store as their value, as most sites (like rdio) just use value="password".


Facebook banned the app when the point was to hack another account.

They put the app back up under a new name / context to comply and demo the app.


Exactly...we realized that people were even using Buddy Hack to mess with their friends by "hacking" their own Facebooks, so we pivoted to Hack My Facebook.


Running an older CM7 build on my evo4g, vulnerable to zergRush :(


Grab the latest of JMZTaylor's unofficial CM9 nightlies! They are very stable and a huge upgrade from CM7 on my original Evo.


I'll check that out after work today. I was hoping I wouldn't have to ditch CM to get ICS


Yeah, but I'd rather end up with someone with a shared tech interest. I'm not saying that it's not possible with Craigslist, but definitely more likely via HN.

Thanks for the padmapper suggestion! I'll give that a shot next.


Understood, but I'm merely saying expand the cast of your net & you may end up with someone techy nonetheless.

