168 Matching Annotations
  1. Jul 2019
    1. Authentication (from Greek: αὐθεντικός authentikos, "real, genuine", from αὐθέντης authentes, "author") is the act of proving an assertion, such as the identity of a computer system user.

      The assertion does not need to be about an actor's identity per se?

  2. Jun 2019
    1. Top Reasons Why Your Website Needs An SSL Certificate

      Whether your #website is small or large, it needs an #SSL certificate. Here are the top reasons why your website needs an SSL certificate. If your website is on a shared hosting server, you can get it prepared by the web hosting company.

  3. May 2019
  4. Apr 2019
    1. “Being able to feel safe with other people is probably the single most important aspect of mental health; safe connections are fundamental to meaningful and satisfying lives.”
    2. Trauma victims cannot recover until they become familiar with and befriend the sensations in their bodies. Being frightened means that you live in a body that is always on guard. Angry people live in angry bodies. The bodies of child-abuse victims are tense and defensive until they find a way to relax and feel safe. In order to change, people need to become aware of their sensations and the way that their bodies interact with the world around them. Physical self-awareness is the first step in releasing the tyranny of the past.
    1. Oops, I think that one might even be exploitable… I think I’m going to stop here. This needs a structured effort, not spending ten minutes every now and then. As I said, the codebase isn’t bad. But there are obvious issues that shouldn’t have been there. As always, spotting the issues is the easy part – proving that they are exploitable is far harder. I’m not going to spend time on that right now, so let’s just file these under “minor quality issues” rather than “security problems.”
    2. LastPass has always been stressing that they cannot access your passwords, so keeping them on their servers is safe. This statement has been proven wrong several times already, and the improvements so far aren’t substantial enough to make it right. LastPass design offers too many loopholes which could be exploited by a malicious server. So far they didn’t make a serious effort to make the extension’s user interface self-contained, meaning that they keep asking you to trust their web server whenever you use LastPass.
    3. Some of these actions will prompt you to re-enter your master password. That’s merely security theater

      "Security theater". I dig that term.

    4. LastPass is run by LogMeIn, Inc. which is based in the United States. So let’s say the NSA knocks on their door: “Hey, we need your data on XYZ so we can check their terrorism connections!” As we know by now, the NSA does these things and it happens to random people as well, despite not having any ties to terrorism. LastPass data on the server is worthless on its own, but the NSA might be able to pressure the company into sending a breach notification to this user.
    5. Should you be concerned about LastPass uploading your passwords to its server?

      TL;DR: Yes, very much.

  5. Mar 2019
    1. Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent. Privacy regulation should emphasise the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.

      Horrific conclusion, which clearly states that "sharing of user data is routine" where the medical profession is concerned.

    2. To investigate whether and how user data are shared by top rated medicines related mobile applications (apps) and to characterise privacy risks to app users, both clinicians and consumers.

      "24 of 821 apps identified by an app store crawling program. Included apps pertained to medicines information, dispensing, administration, prescribing, or use, and were interactive."

    1. Hashicorp Vault: One-Time Password for SSH

      Now that is a subject I want to learn about! It is not explicitly covered by the DevOps certification topics, but take a look at the subjects covering ssh and security (also search for vault at https://wiki.lpi.org/wiki/DevOps_Tools_Engineer_Objectives_V1).

  6. Jan 2019
    1. Who would have thought crypto investors would be U.S. securities law experts by the end of 2018

      Comment:

      Chapter 48 of Jin Ping Mei says: "As the saying goes: 'When soldiers come, a general blocks them; when water comes, earth dams it.' When matters come to this point, the way lies in human effort; you and I will inevitably have to prepare gifts and send someone early to the Eastern Capital to plead with His Lordship there." Life is like a play, and everyone is concerned with how to act their own part well. Fortunately, we no longer live in an era where speculation was equated with crime, and there is nothing wrong with keen-nosed market players putting on a show to suit the occasion, but who will "prepare gifts" to manufacture surprises? In 2018, the players instead harvested plenty of fright.

      Professional investors and politicians can always dance gracefully on their own turf, but in this era of wild growth, I am afraid they too must learn from interpreters the skill of quickly familiarizing themselves with unfamiliar fields: empathy, stress resistance, refusal to concede defeat; perhaps "personality traits" is a more fitting name for it.

    1. be careful on public Wi-Fi networks

      On unencrypted networks (train, bus, cafe etc.) use a VPN, e.g. Freedome or NordVPN. Neither of them stores any data.

  7. Dec 2018
    1. Ultimate Guide To Develop Secure Mobile App

      Mobile applications must be developed using the above-mentioned security tips. This can be done by a professional mobile app developer or by hiring a mobile app development company. Make sure to include these practices in order to have a completely secure, difficult-to-break application.

  8. Oct 2018
    1. The NYCLU found nothing in the documents outlining policies for accessing data collected by the cameras, or what faces would be fed to the system in the first place. And based on emails acquired through the same FOIL request, the NYCLU noted, Lockport administrators appeared to have a poor grasp on how to manage access to internal servers, student files, and passwords for programs and email accounts. “The serious lack of familiarity with cybersecurity displayed in the email correspondence we received and complete absence of common sense redactions of sensitive private information speaks volumes about the district’s lack of preparation to safely store and collect biometric data on the students, parents and teachers who pass through its schools every day,” an editor’s note to the NYCLU’s statement on the Lockport documents reads.
    1. As a recap, Chegg discovered on September 19th a data breach dating back to April that "an unauthorized party" accessed a data base with access to "a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password" but no financial information or social security numbers. The company has not disclosed, or is unsure of, how many of the 40 million users had their personal information stolen.

  9. Sep 2018
    1. politicians looking for issues to drum up with have made a whipping boy out of the social networks

      Here, I think the author is just saying that Facebook and Twitter have taken a lot of heat from politicians about the 2016 election, Russian interference, etc. This year, the tech companies are showing that they are "good citizens" by having better security and helping young people register to vote.

    1. DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
    1. When your page links to another page using target="_blank", the new page runs on the same process as your page. If the new page is executing expensive JavaScript, your page's performance may also suffer. See The Performance Benefits of rel=noopener for more information. On top of this, target="_blank" is also a security vulnerability. The new page has access to your window object via window.opener, and it can navigate your page to a different URL using window.opener.location = newURL. See About rel=noopener for a demo and explanation of the vulnerability. Adding a rel="noopener" attribute prevents the new page from being able to access the window.opener property and will ensure it runs in a separate process. The rel="noreferrer" attribute has the same effect, but will also prevent the Referer header from being sent to the new page.
    1. This document outlines Cross-Origin Read Blocking (CORB), an algorithm by which dubious cross-origin resource loads may be identified and blocked by web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.
    1. Cross-Origin Read Blocking (CORB) is a new web platform security feature that helps mitigate the threat of side-channel attacks (including Spectre).  It is designed to prevent the browser from delivering certain cross-origin network responses to a web page, when they might contain sensitive information and are not needed for existing web features.  For example, it will block a cross-origin text/html response requested from a <script> or <img> tag, replacing it with an empty response instead.  This is an important part of the protections included with Site Isolation.
    1. I love the voice of their help page. Someone very opinionated (in a good way) is building this product. I particularly like this quote: Your data is a liability to us, not an asset.
  10. Jul 2018
    1. It is clear that the intelligence and law enforcement communities of the United States — adhering to the principles of patriotism enumerated by Deputy Attorney General Rod Rosenstein on Friday — felt that a message needed to be sent to the Russians that we were on to them.

      Typically, the president would deliver such a message, but this president has proven to be the staunchest defender of Putin and the most active advocate of covering up or denying these attacks. He did it again this week even while aware of the indictments.

      ...

      Trump may deny collusion. But given that the attack continues, denying it is collusion, distracting from it is collusion, obstructing the investigation of it is collusion — because all these things enable it to go on.

  11. Jun 2018
    1. security

      Hi,

      All gov websites holding citizens' personally identifiable information should hold a valid third-party certificate. As I have seen most of the time, government websites do not produce a valid certificate or do not produce any certificate at all; a few examples: the railway recruitment website, which collects candidates' personal info, and apart from that the voter ID verification website (http://www.nvsp.in/) also does not produce any certificate. In such cases the lack of secure communication will help hackers to grab the passed data in between. Certificates should be mandatory in all local/state/national level government websites.

    1. we must not place the burden of safety on users in terms of who is responsible and who suffers the consequences
    2. IDEAS FOR TECHNICAL MECHANISMS

      A technique called differential privacy[1] provides a way to measure the likelihood of negative impact and also a way to introduce plausible deniability, which in many cases can dramatically reduce risk exposure for sensitive data.

      Modern encryption techniques allow a user’s information to be fully encrypted on their device, but using it becomes unwieldy. Balancing the levels of encryption is challenging, but can create strong safety guarantees. Homomorphic encryption[2] can allow certain types of processing or aggregation to happen without needing to decrypt the data.

      Creating falsifiable security claims allows independent analysts to validate those claims, and invalidate them when they are compromised. For example, by using subresource integrity to lock the code on a web page, the browser will refuse to load any compromised code. By then publishing the code’s hash in an immutable location, any compromise of the page is detectable easily (and automatically, with a service worker or external monitor).

      Taken to their logical conclusion these techniques suggest building our applications in a more decentralized[3] way, which not only provides a higher bar for security, but also helps with scaling: if everyone is sharing some of the processing, the servers can do less work. In this model your digital body is no longer spread throughout servers on the internet; instead the applications come to you and you directly control how they interact with your data.
  12. May 2018
  13. Apr 2018
  14. Mar 2018
    1. Introducing Subscribe with Google

      Interesting to see this roll out as Facebook is having some serious data collection problems. This looks a bit like a means for Google to directly link users with content they're consuming online and then leveraging it much the same way that Facebook was with apps and companies like Cambridge Analytica.

  15. Feb 2018
  16. Jan 2018
  17. Dec 2017
    1. Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider Wednesday under circumstances researchers said was suspicious and intentional.

  18. Nov 2017
    1. The draft Plan of Implementation for the World Summit on Sustainable Development recognizes poverty eradication as the greatest global challenge facing the world today and an indispensable requirement for sustainable development.

      Human rights and poverty reduction

    1. The reason that oil reached $117 a barrel last week was less to do with security of supply… than World shortage."
    2. "While the unresolved conflict with Iraq provides the immediate justification" for the US "to play a more permanent role in Gulf regional security," "the need for a substantial American force presence in the Gulf transcends the issue of the regime of Saddam Hussein."
    1. Oil was not the only goal of the Iraq War, but it was certainly the central one, as top U.S. military and political figures have attested to in the years following the invasion
    1. Saddam Hussein deserved to remain in power. But the security vacuum after his fall and the presence of foreign occupiers led to Iraq becoming a breeding ground for jihad and religious extremism.
    2. Saddam Hussein was a nasty, murderous tyrant who brutalized much of his country and was guilty of war crimes
    1. It is widely agreed upon that Iraqi civilian deaths peak in July. But estimates, which hover between 1,000 and 3,500 for that month, vary greatly
    2. Acting on tips from the dictator's bodyguard and family members, U.S. troops find Saddam Hussein hiding out in a one-man hole near his boyhood home of Tikrit.
    3. L. Paul Bremer III, head of the Coalition Provisional Authority in Iraq, signs an order disbanding the Iraqi army and intelligence services, sending hundreds of thousands of well-armed men into the streets
    4. Lawlessness and some skirmishing in the country are written off as the desperate acts of "dead-enders" by Defense Secretary Donald Rumsfeld
    5. U.S., British, and other coalition forces quickly overwhelm the Iraqi Army, though elements loyal to Saddam Hussein who will form the core of a postwar insurgency fight on
    1. We know that there are few sticky security and implementation issues

      Which is probably why @judell’s tate doesn’t show up in Chrome on my system and there’s weirdness with the scrolling once we accept to load unsafe scripts.

    1. the Iraqi government had a difficult time recruiting and training police officers and soldiers to assume domestic security duties. The death of al-Qaeda in Iraq’s leader, Abu Musab al-Zarqawi, in June 2006 did nothing to reduce the violence.
    2. Responsible for countless killings and sabotage, the insurgents targeted coalition forces, new Iraqi security forces and recruitment centres, electrical installations, oil pipelines, and other civilian institutions
    3. Major fighting ended by late April, but acts of common criminality continued, and, as the months passed, a pattern of concerted guerrilla warfare began to unfold. On December 13, 2003, Ṣaddām surrendered to U.S. troops when he was found hiding near Tikrīt, and other major figures from the regime were tracked down and arrested.
    1. when all people, at all times, have physical, social and economic access to sufficient, safe and nutritious food that meets their dietary needs and food preferences for an active and healthy life.
    1. For the last few years, Intel CPUs have Intel Management Engine, which runs its own OS, the Unix-like MINIX. You have no access to it. But it has complete access to your computer.

    1. EFF recommendations for Congress regarding data security and data breaches like the one at Equifax.

      https://www.ftc.gov/datasecurity

      FTC guide to data security for businesses.

  19. Oct 2017
    1. oston, Newport, New York, Philadelphia, and Charleston were the five largest cities in British North America. Philadelphia, New York, Boston, and Charleston had populations of appr

      Security

    1. DEFCON, the world’s largest hacker conference, will release its findings on Tuesday, months after hosting a July demonstration in which hackers quickly broke into 25 different types of voting machines.

      ...

      Though the report offers no proof of an attack last year, experts involved with it say they’re sure it is possible—and probable—and that the chances of a bigger attack in the future are high.

      “From a technological point of view, this is something that is clearly doable,” said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. “For us to turn a blind eye to this, I think that would be very irresponsible on our part.”

  20. Sep 2017
  21. Jul 2017
  22. May 2017
    1. Tools that might be able to decrypt files encrypted by the WannaCry ransomware. With a little luck, and if the victim hasn't rebooted, the keys can be found in memory.

    1. Certain HP laptops have flawed audio drivers that record all your keystrokes to: C:\Users\Public\MicTray.log

      If these files exist, delete them: C:\Windows\System32\MicTray64.exe C:\Windows\System32\MicTray.exe

  23. Apr 2017
    1. Phishing attack that uses Unicode characters to fake a domain name.

      The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.

      What we have done above is used ‘e’ ‘p’ ‘i’ and ‘c’ unicode characters that look identical to the real characters but are different unicode characters. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form.

  24. Mar 2017
    1. Protection Level 0: Limited or none. Information intended for public access, e.g., public directory information

      Includes name and email.

    2. Student Directory Data (unless the student has requested that information about them not be released as public information): Name of student; Address, telephone, e-mail

      Not considered private or high level?

    3. Evaluations

      Anything graded with grade indicated? Or simply gradeable?

    1. There were no prospects of advancement mentioned. I had no choice. I had no means. The door of the flat had been ripped off by thieves, the possessions taken.

      Movement outwards...into box

    1. Sebastian Gorka, President Trump’s top counter-terrorism adviser, is a formal member of a Hungarian far-right group that is listed by the U.S. State Department as having been “under the direction of the Nazi Government of Germany” during World War II, leaders of the organization have told the Forward.

      ...

      Gorka’s membership in the organization — if these Vitézi Rend leaders are correct, and if Gorka did not disclose this when he entered the United States as an immigrant — could have implications for his immigration status. The State Department’s Foreign Affairs Manual specifies that members of the Vitézi Rend “are presumed to be inadmissible” to the country under the Immigration and Nationality Act.

    1. The Justice Department has announced charges against four people, including two Russian security officials, over cybercrimes linked to a massive hack of millions of Yahoo user accounts. [500M accounts, in 2014]

      Two of the defendants — Dmitry Dokuchaev and his superior Igor Sushchin — are officers of the Russian Federal Security Service, or FSB. According to court documents, they "protected, directed, facilitated and paid" two criminal hackers, Alexsey Belan and Karim Baratov, to access information that has intelligence value. Belan also allegedly used the information obtained for his personal financial gain.

  25. Feb 2017
    1. A company that sells internet-connected teddy bears that allow kids and their far-away parents to exchange heartfelt messages left more than 800,000 customer credentials, as well as two million message recordings, totally exposed online for anyone to see and listen.

    1. All along the way, or perhaps somewhere along the way, we have confused surveillance for care. And that’s my takeaway for folks here today: when you work for a company or an institution that collects or trades data, you’re making it easy to surveil people and the stakes are high. They’re always high for the most vulnerable. By collecting so much data, you’re making it easy to discipline people. You’re making it easy to control people. You’re putting people at risk. You’re putting students at risk.
  26. Jan 2017
    1. Jim Arkedis, formerly an intelligence analyst with the DoD.

      Below is how I would assess the credibility of the sources and allegations detailed in Buzzfeed’s recently-released dossier and an explanation of why I believe its two main allegations should be judged on their individual merits as credible with moderate-to-high confidence.

      No, that’s not the same as saying the allegations are 100 percent guaranteed to be true, but I think there’s enough evidence there that it would be irresponsible not to consider how this could impact our nation’s security and what, if anything, can be done to mitigate those potential impacts.

    1. TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.
    1. Thousands of poorly secured MongoDB databases have been deleted by attackers recently. The attackers offer to restore the data in exchange for a ransom -- but they may not actually have a copy.

    1. I shouldn’t have daisy-chained two such vital accounts — my Google and my iCloud account — together.

      Lesson learned: not chain different accounts by "logging in with" (most of the time Google, Facebook, Twitter)

    2. First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up. Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

      Is it still as easy to enter someone's Amazon account today? Hopefully not. But I'm really not sure...

    3. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com

      This is where email sub-addressing (https://en.wikipedia.org/wiki/Email_address#Sub-addressing) is also useful!

    4. Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file

      Not very complicated to hack, is it? Fortunately, Apple now relies on two-factor authentication.

    5. In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover.

      Security is not only the user's business. If the company doesn't do the job, it's useless for the user to be careful.

    6. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.

      Security considered from different perspectives leads to security flaws!

    1. Almost half of eight- to 11-year-olds have agreed impenetrable terms and conditions to give social media giants such as Facebook and Instagram control over their data, without any accountability, according to the commissioner’s Growing Up Digital taskforce. The year-long study found children regularly signed up to terms including waiving privacy rights and allowing the content they posted to be sold around the world, without reading or understanding their implications.
    1. It’s also important to acknowledge that a more isolated, more nationalist America helps Putin in his objectives even while it compromises our own. We need to accept that America was part of, and needs to be part of, a global system — and that this system is better, cheaper, and more powerful than any imagined alternatives. For many years, the United States has been the steel in the framework that holds everything together; this is what we mean by ‘world order’ and ‘security architecture,’ two concepts that few politicians try to discuss seriously with the electorate.

  27. Dec 2016
    1. You should assume that a printer (and probably cameras, or just about any product) includes unique identifying data. With printers, it's encoded as nearly invisible yellow dots.

  28. Nov 2016
    1. 7 Oct 2016 joint statement from DHS and DNI.

      The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.

  29. Oct 2016
    1. A large database of blood donors' personal information from the AU Red Cross was posted on a web server with directory browsing enabled, and discovered by someone scanning randomly. It is unknown whether anyone else downloaded the file before it was removed.

    1. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords."

  30. Sep 2016
    1. Proposed changes to "Rule 41" will make it too easy for government agents to get permission to hack remote computers. Petition Congress to prevent this.

    1. Ronnie de Jonge

      Very little data to show yet, just in the process of setting up. Looking at the rhizosphere to help increase the yield of crops without increasing the need for extra land (i.e. food security).

      Much lost yield is due to "stress" of various sorts (drought, flood, etc).

    1. A recent Hewlett-Packard printer software update changed the printers so they would not work with third-party ink cartridges. Worse, the change was made as part of a security update.

      https://act.eff.org/action/tell-hp-say-no-to-drm Petition HP to fix this wrongdoing, and promise not to repeat it. They are also being asked to promise not to invoke the DMCA against security researchers who find vulnerabilities in their products.

    1. Until Let’s Encrypt fixes their bullshit, the CAcert certificate stays.

      As of now (2016-09-20), xaymar.com actually does use a certificate issued by Let's Encrypt. It would be very interesting to read a follow-up article about the reasons that lead to this switch. Sadly, I haven't been able to find one.

  31. Aug 2016
    1. What if, as the cybersecurity consultant Matt Tait asked last month in relation to the DNC emails, a source — like, say, a hacker working for a Russian intelligence agency — provided WikiLeaks with a cache of documents that was tampered with in order to smear a political candidate?
    1. "We demonstrate that well-known compression-based attacks such as CRIME or BREACH (but also lesser-known ones) can be executed by merely running JavaScript code in the victim’s browser. This is possible because HEIST allows us to determine the length of a response, without having to observe traffic at the network level."

      HEIST attacks can be blocked by disabling 3rd-party cookies.

      https://twitter.com/vanhoefm

      https://twitter.com/tomvangoethem

  32. Jul 2016
  33. Jun 2016
    1. Even if you trust everyone spying on you right now, the data they're collecting will eventually be stolen or bought by people who scare you. We have no ability to secure large data collections over time.

      Fair enough.

      And "Burn!!" on Microsoft with that link.

    1. These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.

      ...

      Tuesday's advisory is only the latest to underscore game-over vulnerabilities found in widely available antivirus packages.

      https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

  34. May 2016
    1. The Defense Department is building a massive information-sharing system detailing national security personnel and individuals cleared for accessing U.S. secrets, to flag who among them might be potential turncoats or other "insider threats."
  35. Apr 2016
    1. In its default configuration, the CJRS web service (either deployed as an executable jar, or a war file in a servlet container) is configured to use the SLURM JobExecutionService, and directly invokes ‘srun’, ‘sbatch’, and ‘salloc’ commands that are available on the host it is running on. A natural consequence of this is that SLURM jobs are submitted using the same user ID as the owner of the CJRS web service process. For the purposes of training and demonstration, it is recommended to deploy the application so that it runs as a single, unprivileged user created specifically for the purpose of training. In theory, however, anybody who obtains the executable jar file may run it on a machine they have access to, bound to some random high port exclusive to that user, allowing it to launch SLURM jobs on their behalf via the REST API.

      This will likely not be portable to Docker due to security issues; two separate users will be needed: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface

    1. The Finnish government is currently drawing up plans to introduce a national basic income. A final proposal won’t be presented until November 2016, but if all goes to schedule, Finland will scrap all existing benefits and instead hand out €800 ($870) per month—to everyone.
    1. Short URLs can be brute forced. They should not be used for pages that contain personal information, or pages that allow anyone with the URL to upload files.

    1. HID VertX and Edge controllers for security doors were discovered to have a command injection vulnerability that made it possible for attackers to open them via the Internet.

  36. Feb 2016
    1. In Firefox, one can disable Content Security Policy by changing security.csp.enable to false in about:config

      Websites using Content Security Policy can be annotated with hypothes.is in Firefox by switching (in about:config) security.csp.enable to false