590 Matching Annotations
  1. Last 7 days
    1. The confession-book, I suppose, has disappeared. It is twenty years since I have seen one. As a boy I told some inquisitive owner what was my favourite food (porridge, I fancy), my favourite hero in real life and in fiction, my favourite virtue in woman, and so forth.

      The form of some of these questions in confession albums is similar to modern day security questions asked by banks and personal accounts as a sort of personal password or shibboleth.

    1. An interesting directory of personal blogs on software and security.

      While it aggregates from various sources and allows people to submit directly to it, it also calculates a quality score/metric by using a total number of Hacker News points earned by the raw URL

      Apparently uses a query like: https://news.ycombinator.com/from?site=example.com to view all posts from HN.

    1. U.S. Senate Subcommittee on Communications, Technology, Innovation, and the Internet, "Optimizing for Engagement: Understanding the Use of Persuasive Technology on Internet Platforms," 25 June 2019, www.commerce.senate.gov/2019/6/optimizing-for-engagement-understanding-the-use-of-persuasive-technology-on-internet-platforms.

      Perhaps we need plurality in the areas for which social data are aggregated?

      What if we didn't optimize for engagement, but optimized for privacy, security, or other axes in the space?

  2. Jul 2021
  3. datatracker.ietf.org datatracker.ietf.org
    1. It is similarly intended to fail to establish a connection when data from other protocols, especially HTTP, is sent to a WebSocket server, for example, as might happen if an HTML "form" were submitted to a WebSocket server. This is primarily achieved by requiring that the server prove that it read the handshake, which it can only do if the handshake contains the appropriate parts, which can only be sent by a WebSocket client. In particular, at the time of writing of this specification, fields starting with |Sec-| cannot be set by an attacker from a web browser using only HTML and JavaScript APIs such as XMLHttpRequest [XMLHttpRequest].
    1. Rodolfo: I'm a victim of sexual abuse in the United States and there was a police report made and everything. And I've also been a victim of gang violence. I was never, you can check my background and everything. I was never into gangs or anything, but around the area I lived in there was a bunch of gangs and... I was beat up two or three times bad just by walking home. And it was all documented, I had police reports and everything. And because of that I was in therapy for while. My mother sought out a help from a psychiatrist because of the sexual abuse I had as a child in California, as a matter of fact.Rodolfo: I took Risperdal and a Ritalin, Risperdal for the anxiety and the Ritalin and for the ADHD. So, we tried everything. The mental health side, the mental health asylum, everything. But it was just going to take longer and longer and longer and I was tired of it. I didn't want to be locked up anymore. So, finally I just told my mom, “You know what man, that's it, I'm done. I don't want to do this anymore.” She asked me, “Is this what you want to do?” And I told her, “Yeah.”Rodolfo: She told me, “You know what? I'd much rather see you over there and be free then not being able to see you here at all.” Because there was a lot of people that went to go visit their loved ones and they used to get picked up. Sometimes they wouldn't even let you see your loved ones and right away ask you for your identification, your social security card, your nationality and everything and they would get picked up.Rodolfo: And I always told my mom, “Don't ever come visit me. Don't ever come visit me because if you do, chances are they're going to take you too.” And you know, that would always break my heart because I would want to see my mom. I'd want to see my dad and everything, but I wasn't able to. So, that experience was just horrible.Sergio: When you were in the detention center what were the conditions? Did you have access the medicine you needed? Did you have access to food and water?Rodolfo: The company that made the jail was called GEO Corp and they were actually, I'm not going to lie to you, they actually were pretty good, health-wise, not so much security-wise. A lot of things would happen in there that definitely shouldn't have ever happened. But with the food and everything, it was good. In my opinion it was because of the company. I feel as though if it was up to the government... Thank God it was an independent company that was hired by DHS as opposed to if DHS were to make their own jail, I feel they would be completely different.Rodolfo: It was [Pause] a pleasantly... there's no way to describe it, it was bad. It was bad, but for what it was I guess it was okay. I don't see there being an in-between or any pretty way to paint that picture as to how good or bad it was in there. Because at the end of the day you're deprived of your freedom. You can't just pick up the phone whenever you want and call your loved ones because you've got to pay for that too. You got pay for that. And if you want to take a shower, you have to buy your soap, right? You've got to buy it yourself, you've got to buy everything. And now you're becoming a liability for your family, you're becoming another bill.Rodolfo: You're becoming another bill and that's what I didn't want. So, that's why I started working. And now, older, I'm becoming another bill. So, I don't get it. You're taking us away from the jobs that we have and everything. You know? So, take us back to our country. And I'm not sure if it this is a fact or not, but I was reading when I first got in here, there was a time where there wasn't enough field workers for, I think, avocado—or, not avocado, I think it was oranges or something like that.Rodolfo: And I remember me saying, “Well, there goes all the deportees. There goes all the people you guys deported. Where are the people that were so outraged because we took your jobs? Go ahead, there you go. There are a lot of vacancies, making these open for those jobs, go ahead, man. All yours buddy, knock yourself out.”Rodolfo: But nobody wants to work those jobs, right? You see what I'm saying though, right?

      Leaving the US, Reason for Return, Deportation, Voluntary departure, Family decision, No hope for a future in the US, Detention, Treatment by; Time in the US, Violence, Sexual Abuse, Gangs, Bullying, Fear of, Jobs/employment/work

    2. Sergio: After your mom told you couldn't go on that trip, how did that affect the way you were involved in school, the things you wanted to do, did that change? Is there anything that you...?Rodolfo: I didn't put as much effort as I did anymore. I knew, at the end of the day, I'm not eligible for scholarships. I don't get any aid, I don't get anything. In my mind I thought, “Man, what's the point of really working hard in school if at the end of the day, I'm not gonna get any help?” My mom is having to work to put me through college. No, I don't want this, so I just thought, you know what, I'm just gonna give her what she wants, my diploma, my high school diploma. From then on, if I want to do something, it'll be by my own hand, out of my own pocket. I didn't want her to... Not that I was a burden or anything, my objective was for her not to work that much. That's it.Rodolfo: After she told me that, I'm like, "Well, okay, what's the point of really working hard and putting your best effort into school if, in my position, I won't be able to surpass US citizens." Then the aspect of financial aid, or any aid at all, I'm not gonna have any of that. I tried it with the fake social, but obviously it didn't go through. Nothing happened. Yeah, it changed a lot. It changed the way I viewed everything around me. Like, spring break all my friends would go certain places out of the country, and I used to get invited and, "No, I can't go man, my family doesn't think..." It would always have to be lie after lie after lie. I didn't want to... for one, I always had that idea of like my mom and my family always told me, "Don't ever tell anybody you're an immigrant. If somebody has that knowledge they can do you harm. They can take you away from here, they can take us away from each other."Rodolfo: I'm seeing it now, with the families going across the border, and them being separated. I didn't understand it at the time, and man, now I do understand it. I didn't know how it really was until I finally got put in handcuffs and got shipped to an immigration facility.Sergio: What do you think you would have wanted or end up being before you found out? What kind of things... Like you were on debate team that was—Rodolfo: I wanted to be a lawyer, man, that's what I wanted to be. That's what I wanted to be, a lawyer. It's funny, because when I was younger I wanted to be a lawyer. Then after that I'm like, "I want to be an immigration lawyer, that's what I want to be now. I want to be an immigration lawyer.” I was already on the right track to being a lawyer, but then when that happened, it really opened my eyes more to, "Okay, let's help my people." I didn't realize... I know individuals over there who are citizens, and they're panhandling because they want to. They're on their own addiction or for whatever reason right? Or people who are just living off the government, but then I see some of my family members, or my friends’ family members and they're not citizens but they have businesses.Rodolfo: They have a business, they have trucks, they have houses, they're great. They're not living off the Government, they're not asking for a handout. They're living better than what a citizen is living. It's all about how much work you put in, right? If you hang around people who don't want to do anything, then you're not gonna do anything. I remember Gerald Ford always told me that. He was like, "If you want to be a millionaire, hang around millionaires. If you want to be successful, hang around people who do successful things, but if you want to keep doing what you're doing, and just be a little caddie or whatever, stay here. Stay here and maybe one day you'll do something else."Rodolfo: He was very blunt in that aspect like, "Always do a good job. I don't care if you're a shit-shoveler, you're gonna be the best shit shoveler there is.” That always stuck to me, that's why whatever I do, it's always been 100%.Sergio: That's good.Anita: Can I speak? I'm Anita, I'm the director of this project.Rodolfo: Okay.Anita: I'm really pleased to meet you—Sergio: Likewise.Anita: I'm amazed at your incredible story. When you talked about the trip to DC, the debate club, and you got very sad—Rodolfo: Yeah.Anita: ... what made you sad, and did it make you feeling... Do you remember what your feelings were as you sort of found that all these options were gone to you?Rodolfo: Well, it was just mixed emotions. I felt sad because I contributed to the team a lot. I wasn't just there, and it made me sad because I wasn't going to be able be with my friends, my teammates. It also made me mad because all my life, all my short period, my whole time here in Chicago or whatever, I don't think I've done anything bad. Why shouldn't I have the privilege to go if I put in the same work as they did? Only because I don't have a social security number or a document that lets me buy a plane ticket and go over there? I think about it in a different—at the same time, I was a little kid too—I just cried a lot. That night I just cried a lot because I knew I wasn't gonna go. My mom spoke to the, I'm not sure what my mom told her, but see, I don't think she told her that we're undocumented, and I can't fly.Rodolfo: Yeah, I just remember that night feeling very sad, very sad, but then it turned into anger. It was like, "Man, why can't I?" It was always just that, "Why can't I? I put in the same work, and just because I wasn't born here, I can't fly?" I even looked into bus routes and everything to DC and stuff like that, but my mom was like, "No, you're crazy, you can't go alone." She worked and everything, I just felt sad, mostly sad.

      Time in the US, Immigration Status, Being secretive, Hiding/lying, In the shadows, lost opportunities; Reflections, The United States, Worst parts of the US, US government and immigration, Growing up undocumented, Dreams; Feelings, Choicelessness, Despair, Legal Status, Disappointment, Discouragement, Frustration, Sadness, Jaded

    3. Anita: Did Gerald Ford know you were undocumented?Rodolfo: No, Gerald Ford didn't know I was undocumented, no. I was still very young at that point. My mother and my family always told me, "Don't let anybody know you're undocumented.” If somebody finds out, for whatever reason, there's some people who just are plain out racist or don't want people like me in the States. Sometimes they just do things to... I don't know. That's what I understood and that's what I took in and that's what I applied to my life. It's like living a secret, it was like living a second life or whatever. It’s like, "Oh shit, why do I have to lie, why?" I guess it's neither here nor there now, right? I'm here in Mexico.Anita: That must have been incredibly difficult. I know personally, because I've had to keep secrets.Rodolfo: Yeah, I guess it's one of those things where you think it's never really gonna affect you, until you're in the back of the DHS, the Department of Homeland Security, van. You're next to a whole bunch of people you never met, and they're also in the same position. Some don't even speak English. You don't really understand how immediately it can affect you until it affects you. I never thought it would affect me. Okay, well I mean, I'm working, I'm going to school—I'm in high school—I'm doing this, this and that. Some of my friends who are students already dropped out. Did everything, they’ve already gone to prison and back and everything, and they haven't even hit their 21st birthday.Rodolfo: And I'm still good, I'm still good. I may not be a straight A student or anything, but hey man, I'm still here! Why can't I have the same privilege as you all do? Why can't I get my license? You know how happy I was when I got my license here, damn. I love to drive, that's one of my passions. Always, always, always I love to drive. I couldn't get my license over there. I remember even in high school in drivers ed, I knew what the answer was, but I asked my mom, “Hey mom, can I apply for drivers ed, so I can get my license? “She was like, "You know you can't get your license." Again, one of the primary things, I’m like damn, I'm just not gonna be able to drive all my life? Or if I do drive and I get pulled over—as a matter of fact, that's the reason why I got deported, driving without a valid drivers license.Rodolfo: I never got why the paper said, "Driving on a suspended license." I would always ask them, "If I don't have a license, why is it suspended?" They just told me, "Because you have a drivers license number, but you don't have a drivers license? I'm like, "Okay, so if I have a drivers license number, why can't I get my drivers license?" "You don't have the proper documentation." I'm like, "But I have my..."Rodolfo: One day I thought, “Well why don't I just grab the driver license number and have somebody make me a fake drivers license, and put the drivers license on there?” But see, if I get caught with it, now I'm in more trouble, and now I'm seen as a real criminal, because now I'm going around the system once again. That's why we don't want you here, because you're gonna do things like that. [Exhale] I haven't talked about this in a while. It just makes me want to…I don’t know.

      Time in the US, Immigration Status, Being secretive, Hiding/lying, In the shadows, Living undocumented; Reflections, The United States, US government and immigration; Feelings, Frustration; Time in the US, Jobs/employment/work, Documents, Driver's license, Social security card/ID

    4. Sergio: Did you ever work in the US?Rodolfo: Yeah, I worked all the time, I never stopped. One of the first jobs I had…My uncle worked at a restaurant called, Baker's Square in Chicago. It was on the corner of Tui and Pratt. I really, really, really wanted—I think I was in fifth or sixth grade—a phone. I wanted a phone, it’s called the Psychic Slide. Phones used to flip, but this one slides. I wasn't gonna ask my mom for it, so I asked my uncle. "Hey man, I know you work at Baker's Square and I know around the holiday season it gets really busy. Can I help you? Can I go?" He's like, "Well, yeah, if you want." I used to wake up like 3:00 in the morning, and I used to go and help him out. After that, I really liked making money and I really liked dressing nice, I liked having my nice haircut or whatever. My very, very first job was in Wilmette, Illinois. I was a caddie. Yeah, and then—Sergio: On the golf course?Rodolfo: On the golf course, yeah. Wilmette Golf Course actually. I remember I was always the first one there. They used to choose us, when everybody got there, "Okay, you come with me, you come with me." I used to always go there and there was a gentleman by the name of... Man, I forgot his name. Like the President, Gerald Ford, that was his name Gerald Ford! The only reason I remembered was because of the President. He used to always get there around the same time I got there. He finally asked me, "Do you want to be my personal caddie? I don't want you working anymore with all these other kids, because nobody wants to work. Do you want to be my personal caddie?" I'm like, "Yeah, absolutely." It was going really, really well and everything.Rodolfo: I got to high school, I had a number of jobs. I worked at Subway, I worked at Chili's, I worked at... What was it? Outback Steak House, but then I finally just got to the Cheesecake Factory, and that's where I stayed the remainder of my time. The remainder of my time I stayed there, and I started from the busboy and I finally ended up being a bartender. One of the head bartenders, one of the head servers, they used to pay-out people and everything. Obviously, I didn't have my social or anything, but I was a little bit older than what I really was. When I first got there, when I first, first started working I think I was like 14. Obviously you can't work that young, I think actually, I was 18, at 14.Rodolfo: I didn't see it as anything bad. I knew that if I got caught with my fake ID and my fake social security card I'd get in trouble, but that's why we're there, that's why we worked. I didn't get a fake ID to go party or go get into clubs or bars or anything. The main purpose of it was for me to be able to get a job, and so my mom wouldn't have to work all those hours that she used to work. She used to work at a Burger King, overnight. I used to barely see her, and I didn't want that anymore. I told her, "You don't have to work that much if I start working. We can help each other out, we can, we're a team.” It was only my mother and I until I turned 14, when she met my stepdad. All throughout that, it was just my mother and I.

      Time in the US, Jobs/employment/work, Documents, Careers, Food services, Athletics

    1. Assuming that people trust your site, abusing redirections like this can help avoid spam filters or other automated filtering on forums/comment forms/etc. by appearing to link to pages on your site. Very few people will click on a link to https://evilphishingsite.example.com, but they might click on https://catphotos.example.com?redirect=https://evilphishingsite.example.com, especially if it was formatted as https://catphotos.example.com to hide the redirection from casual inspection - even if you look in the status bar while hovering over that, it starts with a reasonable looking string.
  4. datatracker.ietf.org datatracker.ietf.org
    1. To meet this goal, the path validation process verifies, among other things, that a prospective certification path (a sequence of n certificates) satisfies the following conditions

      how to validate certificate by trust anchor

  5. Jun 2021
    1. Note that you could skip the https:// if you want a shorter command and you’re feeling adventurous with your HTTP MITM concerns, plus you can use the direct GitHub link as well if you don’t trust my redirect pointing there.
    1. If you want, you can try out what the script would do first, without changing anything. $ sh -c "$(curl -fsSL https://r.viktoradam.net/githooks)" -- --dry-run
    2. To try and make things a little bit more secure, Githooks checks if any new hooks were added we haven't run before, or if any of the existing ones have changed
    1. And from a security standpoint, that'd be really kind of scary - no one should have the ability to force me to execute certain scripts whenever I run certain git commands
    2. Luckily there is not a way to force hooks to people upon clone. If there was, you could write a post-receive hook with rm -rf / in it and wipe people's hard disk on pull
    1. A seeming security advantage of MPLS is that it provides a secured and managed link between branch offices and the data center through the service provider’s internal backbone. Public internet connections do not natively provide that same level of protection. But this comparison is deceptive. MPLS does not provide any sort of analysis of the data that it delivers. That is still the responsibility of the MPLS client. Even when traversing an MPLS connection, traffic still needs to be inspected for malware or other exploits, which requires deploying a firewall and any additional security functions at one end of the connection or the other at a minimum. To be fair, many SD-WAN solutions, however, have the same issue. Other than some basic security functionality, most SD-WAN solutions still require security to be added as an overlay solution. And for those organizations that try to add security to their complex SD-WAN connections as an afterthought, the challenge is often more than they bargained for. Fortinet’s Secure SD-WAN solution is different because connectivity is deployed as an integrated function within an NGFW appliance, so every connection automatically includes dynamic meshed VPN capabilities to secure data in transit, combined with deep inspection of that traffic using the wide array of security tools – including IPS, firewall, WAF, web filtering, anti-virus, and anti-malware – that are already part of every FortiGate NGFW solution that supports SD-WAN. This includes the high-speed inspection of SSL and IPsec VPN connections – a function especially important today as nearly 70% of all internet traffic today is encrypted, with many countries encrypting as much as 85% of all webpages visited.
    1. Working with your team over a local network is a speedy method of collaborative work. Issues might arise when Windows security enter network credentials are asked but won't recognize them. Several users reported that you could fix this problem simply by changing the following Advanced sharing settings. First, open the “Advanced Sharing Settings” window. Now expand the “All Networks” section. In the Password protected sharing section, select “Turn off password protected sharing” and save changes.

    1. In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
    2. Therefore, since each method had both an attack vector they opened up to and shut down, I perceived either choice as being equal.
    1. That means if an attacker can inject some JavaScript code that runs on the web app’s domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user.
    2. But there’s a drawback that I didn’t like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks.
    1. DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc.[1][2] On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems.[3]

      Dutch Certificate Authority gets hacked.

    1. The main security property of personal chattel was often not other TTPs as protectors but rather its portability and intimacy.

      The security properties of personal chattel was not a Trusted Third Party (TTP), but their portability and intimacy.

  6. May 2021
    1. the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
    1. iOS itself is a monopoly that should be opened up to third-party stores and side-loaded apps

      Which would be a security issue - for me it would be a bad decision to force opening iOS.

  7. Apr 2021
    1. Separate Clusters. It is probably most common to see multiple clusters being deployed. This is due to different reasons, with security focused network segmentation being only one of them. Security focused. Application workloads with different security protection levels can be separated by Kubernetes clusters. This makes isolating traffic easier by using traditional firewalls or VPCs to prevent cross-cluster communication. If connections between clusters are required then it can be manually allowed but management can become cumbersome and error prone. For example, one cluster runs the application workloads and a separate one running databases, file storage (such as S3/minio) and other persistent storage for the same project because different security profiles are required for each cluster.
    1. Note: Building a container image using docker build on-cluster is very unsafe and is shown here only as a demonstration. Use kaniko instead.

      Why?

    1. highly

      This should be much more clearly defined IMHO. At the moment if there are no formal requirements in place, it is possible for an admin of an authorized lab to start using labs private key to issue "validity certificates on the side e.g. for profit"... Much more specifics should be defined about how the private keys are stored / protected (e.g. HSM requirements or other similar requirements which are defined by standards) and also limitations as to if e.g. cloud based HSMs are allowed. Also the security requirement should be strictly defined in the arrangements between WHO and national level authorities as well as between national level authorities and healthcare providers. For smaller countries or countries with centralized EHR with lab results the issuance of keys might end within national authority (as it would be signing the SVCs with its keys and no keys shall be handed over to labs/healthcare providers)

  8. Mar 2021
    1. It is critical you put better_errors only in the development section of your Gemfile. Do NOT run better_errors in production, or on Internet-facing hosts.
    1. here is my set of best practices.I review libraries before adding them to my project. This involves skimming the code or reading it in its entirety if short, skimming the list of its dependencies, and making some quality judgements on liveliness, reliability, and maintainability in case I need to fix things myself. Note that length isn't a factor on its own, but may figure into some of these other estimates. I have on occasion pasted short modules directly into my code because I didn't think their recursive dependencies were justified.I then pin the library version and all of its dependencies with npm-shrinkwrap.Periodically, or when I need specific changes, I use npm-check to review updates. Here, I actually do look at all the changes since my pinned version, through a combination of change and commit logs. I make the call on whether the fixes and improvements outweigh the risk of updating; usually the changes are trivial and the answer is yes, so I update, shrinkwrap, skim the diff, done.I prefer not to pull in dependencies at deploy time, since I don't need the headache of github or npm being down when I need to deploy, and production machines may not have external internet access, let alone toolchains for compiling binary modules. Npm-pack followed by npm-install of the tarball is your friend here, and gets you pretty close to 100% reproducible deploys and rollbacks.This list intentionally has lots of judgement calls and few absolute rules. I don't follow all of them for all of my projects, but it is what I would consider a reasonable process for things that matter.
  9. Feb 2021
    1. By default, hashes remove any keys that aren't given as nested filters. To allow all hash keys, set strip: false. In general we don't recommend doing this, but it's sometimes necessary.
    1. Using an implicit intent to start a service is a security hazard because you can't be certain what service will respond to the intent, and the user can't see which service starts. Beginning with Android 5.0 (API level 21), the system throws an exception if you call bindService() with an implicit intent.
    1. that's a point, but I would say the opposite, when entering credit card data I would rathre prefer to be entirely in the Verified By Visa (Paypal) webpage (with the url easily visible in the address bar) rather that entring my credit card data in an iframe of someone's website.
    1. hilarious sarcasm

    2. My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.
    3. I have a Content Security Policy!Oh, do you now.And did somebody tell you that this would prevent malicious code from sending data off to some dastardly domain? I hate to be the bearer of bad news, but the following four lines of code will glide right through even the strictest content security policy.
    4. it is very difficult to spot shenanigans in obfuscated code, you’ve got no chance.
    5. But I’m afraid it’s perfectly possible to ship one version of your code to GitHub and a different version to npm.
    6. The point is, just because you don’t see it, doesn’t mean it’s not happening. It’s been more than two years and as far as I know, no one has ever noticed one of my requests. Maybe it’s been in your site this whole time
    7. Also the URL looks a lot like the 300 other requests to ad networks your site makes.
    8. I’d notice the network requests going out!Where would you notice them? My code won’t send anything when the DevTools are open (yes even if un-docked).I call this the Heisenberg Manoeuvre: by trying to observe the behaviour of my code, you change the behaviour of my code.
  10. Jan 2021
    1. When Snap was introduced Canonical promised it would never replace APT. This promise was broken. Some APT packages in the Ubuntu repositories not only install snap as a dependency but also run snap commands as root without your knowledge or consent and connect your computer to the remote proprietary store operated by Canonical.
    1. Some users download the DEB package and install it manually and manage upgrades completely manually. This is useful in situations such as installing Docker on air-gapped systems with no access to the internet.
    2. The scripts require root or sudo privileges to run. Therefore, you should carefully examine and audit the scripts before running them.
    1. Automatic firmware updates can be accessed from your software settings on System76 hardware. These updates help to promptly quash any threat of security risk to your computer.
    1. Why did I put the kdb in the snap file system? Because the app is sandboxed, so I had no choice.
    2. I run a fairly ancient RedHat Enterprise 6 on my 32-bit test machine and if I need something requiring Gtk3 (such as a latest Firefox or Chrome), I just make a chroot and use debootstrap (from EPEL) to get me a Debian 9 userland for that program. Easy. No bizarre "app stores", no conflicting packages. Do people use Snap app-stores because they don't know how to use the chroot command? Or are they just lazy? If it is because they want the added security of a container, substitute chroot with lxc... Shouldn't be necessary though; if you avoid non-ethical software (i.e App-stores), you are very unlikely to need the added security.
    3. By design, snap apps have no access to /etc. They live in their own little world, but instead of a normal chroot, they are splatted all over the standard Linux filesystem layout. With other bits mounted hither and thither. Its a mess, and subject to change with each release.
    1. "in the Ubuntu 20.04 package base, the Chromium package is indeed empty and acting, without your consent, as a backdoor by connecting your computer to the Ubuntu Store. Applications in this store cannot be patched, or pinned. You can't audit them, hold them, modify them or even point snap to a different store. You've as much empowerment with this as if you were using proprietary software, i.e. none."
    1. At least one Zoom leaker has already been unmasked: a member of the New York State Assembly who apparently filmed his “self-view” while recording a dispute within the Democratic assembly conference over the renomination of the speaker. That may sound careless, but a feature developed by Zoom will allow future leakers to be exposed even without that sort of misstep.
    1. I remember reading Matt Bruenig when I was in college, and he was like, “Well, actually Social Security was the most effective pathway to bring people out of poverty.”  I wrote a story in 2017 called “Why Education Is Not the Key to a Good Income,” and it was looking at this growing body of research that showed it was not your level of education that determined your chances of rising economic mobility. It was these other factors—like what kind of industries were in your community, union density, some of it was marriage. 

      makes sense... the best way out of poverty isn't education... it's money.

  11. atomiks.github.io atomiks.github.io
    1. The CSS automatically gets injected into <head> with the CDN (tippy-bundle). With CSP enabled, you may need to separately link dist/tippy.css and use dist/tippy.umd.min.js instead.
    1. Ensure HTML strings containing user data are sanitized properly to prevent XSS attacks.
    1. JSONP is a relic of the past and shouldn’t be used due to numerous limitations (e.g., being able to send GET requests only) and many security concerns (e.g., the server can respond with whatever JavaScript code it wants — not necessarily the one we expect — which then has access to everything in the context of the window, including localStorage and cookies).
    1. The application is executed in an encapsulated, ring-fenced way, so its files can’t interfere with those on your computer. You can even install multiple versions of the same application, and they won’t cross-pollinate or fight amongst themselves.
    1. Many people are also very wary of PPAs because they can contain anything. While a PPA might say it contains “Music Player”, the owner of the PPA can put anything in it. The deb installed from a PPA has root on your system when installed, so can do anything - good or bad.
    2. but that doesn’t mean that confining applications is not a benefit also to FOSS applications, security is an issue that needs to be addressed with many layers of measures no mater what licensing approach you use to license the software
    3. However there’s more benefit of confining proprietary closed source applications, because they are to audit to the same level
    4. The benefits for developers do reflect on benefits for users, with more software delivered faster and more securely.
    5. But in my apt/deb world, where I use official repositories from my distro, where is the threat from 3rd party ? They are eventually « curated » in partner repository, or in universe
    6. Adding layer of settings and complexity for the end user might also bring bad practices to keep a comfortable use of app’s by installing snap without confinement…
    1. As you already noticed, the extension does not go in an manipulate the hrefs/urls in the DOM itself. While it may seem scary to you that an extension may manipulate a URL you're navigating to in-flight, I think it's far scarier to imagine an extension reading and manipulating all of the HTML on all of the pages you go to (bank accounts, utilities, crypto, etc) in order to provide a smidgeon of privacy for the small % of times you happen to click a link with some UTM params.
    1. When you use target="_blank" with Links, it is recommended to always set rel="noopener" or rel="noreferrer" when linking to third party content. rel="noopener" prevents the new page from being able to access the window.opener property and ensures it runs in a separate process. Without this, the target page can potentially redirect your page to a malicious URL. rel="noreferrer" has the same effect, but also prevents the Referer header from being sent to the new page. ⚠️ Removing the referrer header will affect analytics.
  12. Dec 2020
    1. The only solution that I can see is to ensure that each user gets their own set of stores for each server-rendered page. We can achieve this with the context API, and expose the stores like so: <script> import { stores } from '@sapper/app'; const { page, preloading, session } = stores(); </script> Calling stores() outside component initialisation would be an error.

      Good solution.

    2. One way to do that is to export them from @sapper/app directly, and rely on the fact that we can reset them immediately before server rendering to ensure that session data isn't accidentally leaked between two users accessing the same server.
    1. This would be cumbersome, and would encourage developers to populate stores from inside components, which makes accidental data leakage significantly more likely.
    2. Just realised this doesn't actually work. If store is just something exported by the app, there's no way to prevent leakage. Instead, it needs to be tied to rendering, which means we need to use the context API. Sapper needs to provide a top level component that sets the store as context for the rest of the app. You would therefore only be able to access it during initialisation, which means you couldn't do it inside a setTimeout and get someone else's session by accident:
    1. This is an opportunity to fix a bug: if you're on a page that redirects to a login page if there's no user object, or otherwise preloads data specific to that user, then logging out won't automatically update the page — you could easily end up with a page like HOME ABOUT LOG IN ----------------------------------------------------------------------------------------- Secret, user-specific data that shouldn't be visible alongside a 'log in' button:
    1. Go is introducing publicly-visible API changes related to these issues in an upcoming major release, which risks making the vulnerabilities public without explicit public disclosure. 

      Whaaat ?!

    1. The only completely secure system is the one that doesn't exist in the first place.
  13. Nov 2020
    1. to be listed on Mastodon’s official site, an instance has to agree to follow the Mastodon Server Covenant which lays out commitments to “actively moderat[e] against racism, sexism, homophobia and transphobia”, have daily backups, grant more than one person emergency access, and notify people three months in advance of potential closure. These indirect methods are meant to ensure that most people who encounter a platform have a safe experience, even without the advantages of centralization.

      Some of these baseline protections are certainly a good idea. The idea of advance notice of shut down and back ups are particularly valuable.

      I'd not know of the Mastodon Server Covenant before.

    1. @hypothes.is

      be careful : because you store the page title, when we make annotation on a personal website that stores personal informations in title, hypothes.is users can retieve those informations.

      for example, here I can see that jbarnett mail is jeankap@gmail.com.

      and i can see his mail's title.

      I will find a report option that would be better than this current annotation.

    1. This is addressing a security issue; and the associated threat model is "as an attacker, I know that you are going to do FROM ubuntu and then RUN apt-get update in your build, so I'm going to trick you into pulling an image that ​_pretents_​ to be the result of ubuntu + apt-get update so that next time you build, you will end up using my fake image as a cache, instead of the legit one." With that in mind, we can start thinking about an alternate solution that doesn't compromise security.
    2. So let's say we pull down evil/foo which is FROM ubuntu followed by RUN apt-get update except with a small surprise included in the image. Subsequent builds using those same commands will be compromised.