In case anyone else was wondering, not all 8 digit pins are "compromised", although many are, and of course an 8 digit pin has limited security in any automatable scenario.

To get an example that was already in the haveibeenpwned dataset, I wrote a quick script:

  var httpClient = new System.Net.Http.HttpClient();
  httpClient.BaseAddress = new Uri("https://api.pwnedpasswords.com/");

  while (true)
  {
   var password = string.Join("", Enumerable.Range(0, 8).Select(e => Random.Shared.Next(0, 10)));

   var hash = Convert.ToHexString(System.Security.Cryptography.SHA1.HashData(Encoding.UTF8.GetBytes(password)));

   var passwordRange = await httpClient.GetAsync($"range/{hash.Substring(0, 5)}");

   passwordRange.EnsureSuccessStatusCode();

   var allhashes = await passwordRange.Content.ReadAsStringAsync();

   var splitHashes = allhashes.Split(Environment.NewLine);
   
   var compromised = splitHashes.SingleOrDefault(h => h.StartsWith(hash.Substring(5)));
   
   if (compromised != null)
   {
    Console.WriteLine($"Password {password} Compromised! Found {compromised.Split(':')[1]} time(s)");
    Console.WriteLine($"Hash: {hash}");
    return;
   }
   await System.Threading.Tasks.Task.Delay(1_000);
  }

The "most compromised" I've seen so far is "17385382", in the DB an astonishing 119 times. It would only take a few hours to iterate through all pins and collect stats for all pins.

Or they just reactivated his previously canceled account and it still had a pin associated

Apple doesn’t care to fix it either. Why can an app repeatedly turn off the podcast I’m listening to yet I have no recourse to stop it?

I have to keep pressing Play on my airpods. If I’m not using airpods it can be impossible to resume my own audio with the app open.

I've had this a few times on Android (eg the new Subway app). I'm 99% sure it's the latter but not for security, just a fancy splash screen animation that was implemented as a video without thinking about setting it as "no audio".

A lot of those pain points are involved by virtue of being the original developer. Generating a QR code every single minute for every single user can indeed easily lead to issues, but that's much less of an issue when you're able to change the QR code validity to, say, a week.

If you use online validation you can even dynamically rotate them whenever it suits you - either to adjust server load, or as some kind of "every Nth check-in" scheme. Heck, with online validation it doesn't even matter if the rotation service goes offline for a while!

Or just generate a fixed QR code which never changes. You know, like the 8-digit pin the QR code is the alternative for.

OP here. Yeah, "copyright law" was a lazy shorthand, but it reads better than "tortious interference."

PureGym's T&Cs [1] have a ridiculously long "PIN abuse policy" (probably meant to stop people sharing with mates). They can cancel memberships or even retroactively charge for gym use if you "knowingly provided your PIN to another individual."

I'm not a lawyer and don't fancy being the test case for whether entering your PIN on a third-party website/app counts as "knowingly providing" it. Given how their app works, I suspect they might just ban a bunch of accounts instead.

Though now that I think about it, the squat racks are always packed, so maybe I should just distribute the app to people who go at the same time as me.

[1] https://www.puregym.com/membership-terms-conditions/

Look at it this way. If I buy something from a store and pay in cash, and then the cashier takes some money from the register and hands me the change, that's okay. But if I open the register myself and take the money, they call the police.

i.e. just because it's POSSIBLE to do something doesn't mean it's okay to do it.

Having engineers specialized in a specific stack learn on the job for the sake of/while working on a project is a great way to end up with really funky code and poor user experiences. I speak as a developer tasked with doing exactly that several times at a previous job, and the long-term is never pretty. The first code you write is immediately legacy code, but if you're learning as you write for a project that is already in motion, you're usually stuck with that legacy code until someone goes out of business or the rapture comes and they have to do a reorg because half the team was hauled to the kingdom of heaven, and now there's an MBA running the department who doesn't like you and wants to leverage AI to do the block chain.

I used to work in the fitness industry, and we built apps for some big players (not PureGym, though they were a customer for other parts of our stuff). Anyway, we'd often sit in meetings with them to discuss new features. One time, we discussed adding notifications. They got hung up on this -- there were about 8 different departments -- and they decided to add a notification to ask how clean the gym was... because it was "safe". These people, in general, are terrified of scaring away members by bothering them about anything.

But yeah, we cared deeply about the UX/UI, but these things are built by committee and the committee is pretty dumb, very political, and non-technical.

It is a gym app. Realistically as the article says it really doesn't have to change much.

The UX of that app is actually "ok". While it is a wrapper around their mobile site it works well enough.

> So why can’t they learn?

Who "they"? The vast majority of companies don't have a staff of programmers. These apps are outsourced to cheap consultancies.

They are likely using cheap labour from India or something.. the deal went to the lowest bidder.

Isn't that the whole problem?

The core business of automobile companies is not software, but they're being kicked down by software companies.

You're not a software company until a software company shuts you down.

How could Puregym make it easier to unsubscribe? I'm sure I managed to do it in the app just a few months ago.

Heh, I guess so. It's just an uneasy feeling I can't get rid of. Maybe I'm just being paranoid. Then again, I wonder if the said greentexts are AI-generated still. At least the contents are likely to be fakes.

Thank you for the recommendation, but I don’t want to pay a subscription for something I use sporadically, especially (according to the App Store page) an AI-generated app which tracks you. I want to do what the author mentioned: take a static image and add it to Wallet. I don’t mind some legwork.

I mean, clearly, that’s the whole point of the article. What I’m asking is how do you make a wallet pass from a static image. Is is difficult? Is it simple? What are the steps?

This is like if I asked “how do I boil an egg” and you had answered “you can boil an egg yourself”. Yes, I know that. That’s obvious but also unhelpful. The correct (short) answer would’ve been “bring water to a boil on the stove, lower an egg into it, wait around 10 minutes, turn it off and place the egg in cold water for an easier peel”. Or “here’s a link with instructions: <URL>”.

I think ideally you'd do it maybe every day or so, so that if the user goes offline for a while, or the server you're running goes down or something, the pass will continue to work for at least 6 days. It buys you a lot of time to fix things.

The RefreshAt is a week, but if the code is actually valid for a week, it's not clear why a simple screenshot of the code didn't work.

It sounds like this only helps power consumption after you've already run low on power. Seems like processing frequent notifications would accelerate your progress toward that low power state.

> Higher priority push notifications require a user visible UI element

The QR code for a pass sure sounds like a priority user visible UI element.

That’s also really bad. Who wants to carry a wristband around everywhere? Keychain barcode tag works fine.

They're 24/7. There are usually some staff onsite during the day, but all the entry/exit stuff is always through the automated gates.

> Now everyone thinks they are the next Experian and tomorrow a million hackers are going to attack and steal everyone's private info.

But this is demonstrably the case today... I don't think I've gone a week without hearing about some major data-breach.

...my own org got h4x0red a few months ago: our CEO didn't have 2FA enabled on his God-tier global-admin-rights OIDC/SSO login and somehow, someone found our internal login page, had a snoop around, found our Twilio account keys and sold them off to some spammer who then sent spam texts to our customers (fortunately our (immutable) access logs showed there was no further intrusion, but it was still an incredibly unsettling experience considering how uninteresting and un-sexy my SaaS day-job is).

...so if it can happen to me, a random fellow HN troglodyte, then it can happen to you; or the hospital down the street from my old office[1].

In conclusion: we're doomed.

[1] https://therecord.media/seattle-fred-hutch-cancer-center-ran...

...and, of course, all of these companies are just as bad at security as they are at scaling - they don't even have the capacity to understand (organizationally - I'm not anthropomorphizing them) that Experian happened because their servers were breached, not because users' accounts got stolen.

It's pathetic. There should be regulation that prevents overly onerous "security" controls on users accounts.

They do that to match your device ID or cookies with their customer records. Since cookies don't last long they prefer to have you do that every month.

More details here: https://hightouch.com/blog/what-is-identity-resolution

Humorously, after re-learning about em-dashes due to their use by AI (an otherwise forgotten part of high-school English), I started using them more often in my writing. They really do look nicer!

As an academic I’ve always used “delve”, too, so at this point I guess my writing is going to be flagged as AI a lot…

I do note that some of the AI slop I’ve received from students include other fancy Unicode characters (superscript numerals, variant Greek letters, blackboard bold R, etc.) that are difficult to type, and which especially would not be used in e.g. code comments. em-dashes at least can be produced by certain word processors or text IMEs automatically, whereas many of these others require specifically looking for the character.

    No secret. Just vibes.

Since you know the tells of LLM generated text, you'll know that this is a classic: No X. Just Y.

    Proxyman -- pick your poison.

    And if you're from PureGym reading this—let's talk.

There's a mixture of em dashes joining words and double hyphens spaced between words, suggesting the former were missed in a find and replace job.

"And if you're from [COMPANY] reading this[EM DASH]let's talk" is a classic GPT-ism.

    It's like the API is saying "Hey buddy, I know this is odd, but can you poll me every minute? Thanks, love you too."

    Shame Notifications: "You were literally 100 meters from the gym and walked past it"

    It's just a ZIP archive with delusions of grandeur

Clear examples of fluff. Not only do these fail to "add facts or colour to the story", they actually detract from it.

I agree with you that em dashes in isolation are not indicative, but the prose here is dripping with GPT-speak.

There’s no such thing as “AI dashes”. Em-dashes are valid typographical marks which have been employed for literal centuries. The only reason LLMs even used them is because humans do too, as they were trained on that input. It’s your prerogative to not care about proper punctuation, but that in no way indicates that those who do are machines.

I would absolutely write a comment like that in code I was writing for a personal project. I’ve written way worse as well.