260 comments

[ 3.1 ms ] story [ 256 ms ] thread
I have a 2 letter github username and get tagged often, I sometimes "approve the PR".
GitHub even sends me a notification mail when my two letters appear in some large base64-encoded string.
OK, that sounds like a bug unless those two letters happen to be directly preceded by `@`.
base64 encoding does not include spaces and short strings are padded (and there is no '@' in RFC4648), so I wonder how this works too.
Could be one of the sibling encodings, like base85 or uuencoded, perhaps? From afar they could look sufficiently similar to base64 that OP got them mixed up?
There are some encodings with @, but the problem is why it would trigger notification in

  aslkdjfhkj@tanelivasdklfjhasdfasdfasd
or in, the best case:

  faskjdhgfkajshdgfasldfhaksdjf@taneliv
In both cases there are something before @ and it's not \s or ^
I got tagged by accident like this once, and it took me ages to figure out why I was getting emailed about an obscure issue on something I'd never heard of. I think the UX for both parties could be improved quite a bit.
GitHub does say the reason why you’re being notified, both via email and in the Notifications page. In your case it should say “mention”
I've got a three letter twitter (/x?) handle it happens all the time. It's not quite annoying enough to change my username though.
I have my HN username at gmail, and the novelty... wears off. So many recipts, confirmations, random bccs... Where it gets really ugly is gmail's (incredibly dumb, imo) feature where dots don't matter. I've had mulitple people get quite insistent that they own the email tyler.e <at> gmail, which of course routes to...
Yep, I have an incredibly common firstname@gmail.com email address and I get hundreds of emails daily with random bills, reservations, bank statements and so on.
I'm not alone

The number of people who just didn't understand the implications of not using their own email for banks, etc is too many.

The fault is partially on the banks too IMO. Why don't they verify the emails first before sending sensitive information.

It took me forever to get Mint to stop sending me someone’s PII.

Send a fucking confirmation email to set up a financial account, Jesus. There should really be a law.

I registered this username at one of the early big name webmail services. Not unimaginably rare, sure, but neither is it jsmith or the like.

You’d be shocked how many different people have signed up for stuff with that email address that I’ve had for like 20 years (and only ever log into so I can check on the mayhem). I’ve had bank notices, home sale records, 2 people creating Facebook accounts, and plenty of other stuff.

If my name were as common as yours, I think I’d be ready to choke someone.

i have a pretty rare last name (in my company of 225k, there's only one other for example) and I have first initial last name @ gmail since 2005.

The amount of mistaken emails I get is absurd.

I ended up browsing someone else's "Cloud NAS" once. I had to resist very hard not adding a watermark to all his photos saying "stop registering with my email!!!".
I have my first name . last name @ gmail and it’s definitely a reminder of how big the world is. I had previously thought my name was fairly unique. I don’t engage anymore unless it’s a small business trying to get paid.
My girlfriend has a rather uncommon name, but her FirstNameMiddleName@gmail.com gets emails meant for someone else rather frequently. Sometimes it’s even official PII or PHI. She’s tried to let people know but they’re surprisingly sometimes not all that receptive? So I think she ignores it now.
I have a similar issue with my Gmail -- my policy is to try to rectify the issue the first couple times it happens, but then just let it happen. The dull ones I filter away from my inbox, but not the most interesting ones. Some of my favorites:

- Every year the same family in Houston includes me in their email thread about who is bringing what to Thanksgiving dinner.

- I am on the mailing list for a Masonic lodge somewhere in England.

- I get receipts when some guy in Australia orders a pizza from Dominos. I also get McDonalds coupons that I think are meant for the same guy.

- I have at various times been sent the meeting minutes from an AA group in Pennsylvania (I am more persistent with trying to get off this list than the others, given the sensitive nature of it).

- I get the newsletter for 4H a group in Sacramento.

Thanks for starting this thread. I have my first initial and last name for Gmail and it's nice to know I'm not the only one getting all kinds of mail for other people with similar names!
Someone should claim the username "mention". It's gonna be wildly successful.
Unfortunately, it seems to be reserved.
That's funny. Sometimes people experiencing a bug @ me because I've recently contributed to the repository. I just reply "LGTM Approved" and then they get mad. I'm like, I don't care what you check into this project. It's not mine!
Your username should pass the "search engine" test as well

That is, calling yourself a too short or generic name might have been a brag 20 years ago, but now it's just an annoyance

Failing the search engine test is a feature, not a bug.
Parent commenter probably would use the word antifeature for it
I like how their usernames reflect their positions on usernames
Hear hear!
however, taking your name from an Atari Teenage Riot song is forever braggable
;) Glad someone noticed it (or googled it, which to be fair is becoming even more commendable with time)
an ATR demo CD was the very first CD of mine ever stolen, my punk rock friends were blown away
Absolutely, but you gotta remember my man. Some of us made our account on GitHub 14 years ago and named them after our Quake 2 handle from 1997
I try to register @null wherever I go. Most places don't allow it, and the one place that did force changed the name at one point.
What did they change it to?
The empty string, right? That'd only be appropriate.
Spoken like an Oracle developer (Oracle considers NULL and empty string to be equivalent).
The First Name I registered on that account
To lol code?

llOlllO_lllOlOl_llOllOOl_llOllOO

DROP TABLE
Little Nully we call him
عينول is a valid name, which can be poorly transliterated to Ai'null

Explaining the joke: The first letter is ain, written as a3 or 'a in some places. Pronounce a' with a soft stop. Because of this, legal names here sometimes include an apostrophe. Normally it's spelled 'Ainul, but one can misspell it.

Nully Potter?

As in, pointer...

Reminds me of the guy that had the witter account with the handle '@'.
Tagged a coworker when making a git commit message just for traceability. I didn't even know until he said something.
I used to have an email similar to ps@qs.com, and would get a fair amount of email suggesting people would use that as their made up email. In a similar vein I’d like to apologise to knobs@bobs.com for the amount of captive portal spam you receive on my behalf
My new made-up email approach is using admin@$COMPANY in the hopes that they'll send the spam to themselves
You should use info@ instead.
I’d also like to personally apologize to no@thanks.com
Mine is x@x.com, Elon gets those now
... didn't Elon always get those? He founded x.com in 1999 (with some other people).
No, Elon had to repurchase the domain from PayPal in 2017.
I usually use arthur@example.com, guaranteed to be a permanently valid domain name and also not to spam anyone.
noneofyour@business.com
I use dave@null.com. Sorry Dave.
Sorry to a@b.co if you’re out there.
I have used president@whitehouse.gov since the late 90s
Important to keep elected officials on their toes, or who knows what they'll come up with next
Biden: "I don't remember subscribing to hotsexyfiremen.com..."
I'm pretty sure that mailbox these days goes directly to /dev/null — if not, they must have the craziest spam filtering setup.

Isn't this the most popular email address?

Foo@bar.com here. Sometimes I run into places where it’s already registered, and hopefully the pw is baz.
I sometimes get tagged on Github as a timezone.
How did you even get that username? Short ones go so fast, you must have been in the first 1000 users!
There are 17576 three-letter combinations in the English alphabet.
Not to mention all the one- and two-letter combinations!
Well there’s about 1/26th as many of those.
I have a file by each of those names inwhich each bit represents one article that either has the string or not (1 or 0)

I'm sure someone wanted to know that.

There are some more three-character user names if you count dashes and digits, which are also allowed in GitHub usernames. Although I think the first one has to be a letter of the alphabet.
Looks like they were #23,570 (see the URL https://github.com/est.png redirects to)
My ID is #2,715,751 and I still somehow have a 5-letter username
Mine is 23000ish and I still couldn't get "Stavros" (a friend got it first).

EDIT: Wait, how? His ID is 500k or so. Hmm.

Name recycle. For a while I had a username monitoring tool. Names drop, just like domains.
Hmm, I'll need to make sure that GitHub's Stavros... retires, then.
It will be an accident, that much is certain.
Same for #7,xxx,xxx. The space grows exponentially with the number of letters though.
Seems like I'm just slightly older (230381) with a two letter username.
(comment deleted)
I got tzs and based on the tzs.png redirect URL trick from another comment I was number 322633.
I have a two-letter github username and I wasn't even an early adopter. I only bothered creating an account when it was clear that Github was more than a fad and a few of the projects I contributed to moved there. I tried just my initials and it worked.

Having a two-letter username is less exciting than simply a common word or name, though. Once in a while I get mentioned by accident in issues, or added to some organization. Twice I have had someone beg me to give it to them under the rationalization that it was "really cool" and I wasn't really "doing anything" with it...

EDIT: I just looked up my ID and apparently none of the first half-million people to sign up for a github account tried to brute-force the small-username space.

EDIT2: There are a few single-letter usernames with IDs in the millions, so I wonder if those are somehow "kept in reserve" by github admins and given out to friends or what's the story there.

Reset is a fabulous human.
Makes me think: Interesting spam vector: create a PR advertising whatever and then @ a bunch of people you scraped.

Also interesting attack vector: get a easily mistaken @ name and then see what you become reviewer on. Add malicious code to that PR and merge.

Edit: also what is stupid is at work when setting up your organisation security access you can add anyone globally in the combo search. No org-only filter is even available!

And of course most people use weird handles for their work or personal githubs. So using their UI you need to be an excellent human string comparator or make sure you copy and paste each persons handle which you meed to figure out for each person.

Attack 3: create a bunch of accounts with a similar name to people who work at target company and hope you get added to an org’s repo by mistake.

Some people have done it by accident:

GitHub user sends notification to 400k users [2022]

https://news.ycombinator.com/item?id=31627061

Oh that made my day (the file changes that is…!)
This guy is a legend lmao

Totally shite PR.

"Fixes" things with even more typos.

Bumps it all asking to "approve and merge asap"! Lmao!

I don’t know who should be embarrassed here. That org for having 400K members or Github for apparently having no limits on how many emails can be sent out with a simple `@`.

In any case an honorable mention goes to the useless “lock this now” pile-on comments.

We had a bug recently where one of our internal bots didn't correctly parse usernames with hyphens in them, so instead of tagging @tom-jones, it would tag @tom

Sorry everyone randomly pinged by our bot.

Talking about failing to parse names, I remember a co-worker once was working on a form and had added a special character validation field to the name field. The only problem was that it blocked apostrophes, and he was Irish so his form wouldn't actually accept his own name.
He’s not the king of bedside manor

He’s not the Tom Jones who lives next door

He’s not the king of bedside manor

He hardly even lives there anymore.

I used to work at Realm (the mobile database company). In order to keep an eye on what was going on, there was a Slack integration that reposted any mention of @realm on Twitter.

One morning, we woke up to a #twitter channel full of very nearly porn. Young men, scantily dressed, flexing their abs and flashing smiles at the camera.

Turns out someone added a bot on Twitter that would repost things from Instagram to Twitter, except that Instagram allows dots in usernames and Twitter didn’t. I think the IG account was @realm.of.beauty, which was promptly understood by Twitter as @realm.

We had something similar. Public board that went by an acronym that was also used in gay paddling fetish.

You’d be scrolling through hashtags/mentions of us and occasionally be greeted by some young actor being coquettishly tapped on the bare bum with a cricket bat or something.

> tapped on the bare bum

That's a kind of public board too...

I'm also @cmg on Twitter, which used to get plenty of Instagram mentions of this type, as well as people thinking I'm CheckMate Gaming, Canadian Media Guild, Cocaine Muzik Group, Chipotle Mexican Grill and all sorts of wild stuff.
I have @CommonFirstNameCommonLastName on Twitter, and I occasionally get mentioned or DMed by people thinking of an entirely different person. It’s not often enough to be too annoying, though.
I get that at work. looking at my name, you would not think it common, but where I live, not only is it common, there are many of us with the same name at my employer.
I once changed my mobile phone number so the last 8 digits were 69696969. I thought this was hilarious. Then I found out that people have randomly scrawled that number on every toilet cubicle "For a good time call XYZ69696969" and I would get calls all the way through the night, every night.
Wild that people actually call those numbers.
It's a reminder that there are a lot of people out there.
Might be students, I vaguely remember freshers being challenged to call these numbers pretending to be from our rival university.
Jenny? Don’t change your number.
It's been 41 years since the song came out.

Assuming that Jenny was 21 when the song was written, (since there is a chance the number was written on a bar's bathroom wall) she would be at least 62 years old now.

Statistically, there's at least a 1 in 4 chance that Jenny is dead now, and there is no chance that she didn't change her number after receiving 800 million horny crank calls.

It was about 5 years ago when I realized that 8675309 is hitting all of the numbers on the keypad diagonally in stripes from the upper left to the lower right, skipping 1 for some reason.

Probably so he could rhyme 'mine' with 'nine'

When the song came out, almost all phones would have been rotary dial, so this is probably just coincidental.
On the one hand I'm enjoying wondering what the song would be paced like if instead of touch tone speed each number was separated by how long it would take to return to 0.

8 dit-dit-dit-dit-dit-dit-dit-dit 6 dit-dit-dit-dit-dit-dit 7 dit-dit-dit-dit-dit....

ON the other hand, touch tones were invented in the 60's, so it's possible that they had access to the tech to touch dial at that time.

I own a few 867-5309 numbers for different areas. I have them do nothing these days but for a while I let them hit a pbx and we’d get up to 2500 calls a day on each line. Lots of drunk dudes trying to call Jenny.
If I was less scrupulous, I can think of a few ways to easily monetize that. The first and simplest is to have a toll line that charges on call and have a recording on the 867-5309 numbers that refers them to call it.

Whether you go the sultry "really meet Jenny" angle or just try to find something that piques the interest of the average drunk male that would call, just to see what they're being referred to, you'd probably get enough takers to turn a tidy profit regardless of how crappy the ultimate toll line was. I doubt it takes all that much to convince callers that are already drunk and trying to do something they think is mildly funny already.

There's got to be an automated chatbot (or perhaps "voice bot") opportunity in there somewhere. ;)
You need to go to stores in those areas and collect all the rewards points people have gifted to you by putting your number in at checkout!
I once did this by accident when fueling up my car; it just so happened that the gas station's rewards program was linked with the Safeway rewards program, and I happened to be filling up my tank just as the 867-5309 account for my area code hit some critical threshold. Hey presto, 20% off (or something like that; it was a long time ago).
I knew the guy who had 1-800-FUCK-YOU, and he used it to sell those classic bumper stickers: "How's my driving? Call 1-800-FUCK-YOU!"
There's a prank call podcast called The Snow Plow Show, and the guy set up a bot at a phone number that will automatically reply to callers with voice clips from a lady who yelled at him in a prank call one time. So fans of the show will put the number on windshields or craigslist ads so people will call the number and get yelled at, and the calls are all recorded so he can listen back to them later and pull out the better ones.

I think you should utilize a similar technology for your phone numbers.

Hahaha! Never thought I'd see BeverlyBot and Sorry I Dinged Your Car mentioned on HN.

Been listening to RBCP (The guy who does Snow Plow Show and Phone Losers of America) for a long time now. Great to throw on in the background for some laughs at the end of the day while reading.

Cactus cactus!
This was my friend's grandfather's number in my area when I was growing up. His name was not Jenny...
Steve Wozniak had 888-8888 for a while. Which is a très cool number to have, but he was getting hundreds of calls with nothing but random sounds in the background. Eventually he figured out that babies were pushing the buttons on their parent's phones, and all-eights were apparently easy for them to press.

https://www.wired.com/1998/09/woz/

Helluva good read! The early days of personal computing were wild, super interesting time :)
(comment deleted)
There's a vaguely similar situation on Youtube live chat if your display name is 2 chars, anyone mentioning those 2 chars gets highlighted in red. Can make the chat unreadable.
Lol, we also end up tagging Mr Bean (https://github.com/bean) occasionally when discussing Spring @Bean annotations on a pull request, and forgetting to backtick it.
I always try to get the username 'petabyte' or some variation of it, but I was able to get the letter p as a username on codeberg.
As a fellow user with an SI-prefixed username, I hope "hellabyte" is one of the options that you try.
Pete and repeat were in a boat, pete fell out, who was left
I accidentally pasted a backtrace into a github issue outside of a code block. It was a deep stack, with each line prefixed by "#0" "#1", "#2", etc. GitHub decided to turn these into links to the corresponding numbered issues, for every issue, (including back-reference notifications in each of those issues) and there didn't seem to be any way to undo that action.
Oof. There should definitely be an undo button for that, which displays right afterwards.
For QEMU's gitlab issue tracker we deliberately started our issue numbering from a higher number (I think 100 or thereabouts) to avoid that. (We ran into it very early on during the migration from launchpad so it wasn't a big deal to re-number the two or three issues that had already been created with low numbers.)
>there didn't seem to be any way to undo that action.

Well thank God there isn't a button to undo sent mails.

In many email systems there is an undo send feature. Outside of those closed contexts where yanking a message out of the recipient’s inbox is possible, it is generally implemented by waiting a few seconds between when the UI says the message has been sent and when the message is actually sent. During that interval, an undo send option is offered which simply cancels the upcoming send action.
Nothing calls attention to an email better than those messages saying that the sender wishes to retract a message you have already downloaded.
Yes, and those recall messages only exist in the closed systems where such retraction is possible, or in the open systems which send those messages that are more designed for the closed systems.

The implementation I described with a slightly delayed send doesn’t use those recall messages, since the email being sent doesn’t actually get sent until after the delay. I believe this is how Gmail’s version of the feature works, for example.

Sounds like you should... open an issue.
A bigger problem I've had with issue references is in commits. A repo we used as template was using "Fixes #123" in commits messages, to close tickets filled against that template repo. The problem is that when the updated template was merged in the downstream repo, it would close issues in each of them too...
Github has some very dangerous features when it comes to tagging and mentions. For example, when you add someone to an organisation, it autocompletes the username. We had someone with a fairly common name and accidentally added someone else to the org with a close but not identical name. Fortunately they didn't accept the invitation before we removed them again and added the correct person.
I had that happen to me before. I accepted the invitation, looked at their stuff, and then submitted an issue/PR to remove myself. They panicked, I laughed a bit.
Yep, I got added to someones internal company trello board oncr. I commented a few times asking to be removed, and when it didn't happen, I started adding suggestions to their product designs. I got removed fairly quickly.
Right? This bugs me like hell. They make you jump through all kinds of hoops to attestate your source code and use layers upon layers of encryption, but make it the simplest thing to grant someone completely unrelated write access to all of your company’s code. Like what??
you need one of those new fancy GitHub EMU enterprises instead of a normal one. it is driven solely by an identity provider like Okta or AzureAD.

no one outside of your identity provider will ever know about you. your users have a read-only view of the greater github.com, but whatever access you give them within your enterprise.

it's impossible to make anything public in a GitHub EMU enterprise, and your users won't even be able to star repos outside of the enterprise, because that would reveal your presence.

if you can live without any public access to your stuff at all, have a look. you can convert your old enterprise org(s) to a Teams subscription and continue to publish open stuff there, but you'll need personal accounts there, like always.