77 Matching Annotations
  1. Jun 2021
    1. However, the cookie containing the CSRF-TOKEN is only used by the client to set the X-XSRF-TOKEN header. So passing a compromised CSRF-TOKEN cookie to the Rails app won't have any negative effect.
    2. In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
  2. May 2021
    1. the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
    1. The NoScript extension for Firefox mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing authentication & payloads from POST requests sent by untrusted sites to trusted ones. The Application Boundary Enforcer module in NoScript also blocks requests sent from internet pages to local sites (e.g. localhost), preventing CSRF attacks on local services (such as uTorrent) or routers.
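The two Jun 2021 highlights (a CSRF-TOKEN cookie that the client only echoes back in the X-XSRF-TOKEN header, so a tampered cookie does the attacker no good) and the May 2021 highlight on the HttpOnly flag describe one mechanism from two sides. The following is an added example, not code from any of the annotated pages and not Rails' own implementation: a stripped-down model of the cookie/header split, with the session cookie marked HttpOnly and the CSRF-TOKEN cookie left readable by script. The cookie names, header names and session store are assumptions made for illustration, and real Rails additionally masks the token per request, which this model omits.

```python
import hmac
import secrets
from urllib.parse import quote, unquote

# Server-side session store: the authoritative CSRF token lives here, never in
# a cookie the browser could have had tampered with. (Constructed for the example.)
SESSIONS = {}  # session id -> {"csrf": token}


def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def set_cookie_headers(sid):
    """Set-Cookie lines for a fresh session. The session cookie is HttpOnly so page
    script (and therefore XSS) cannot read it; CSRF-TOKEN must be readable by the
    SPA's own script, so it is deliberately not HttpOnly."""
    csrf = SESSIONS[sid]["csrf"]
    return [
        f"_app_session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax",
        f"CSRF-TOKEN={quote(csrf)}; Path=/; Secure; SameSite=Lax",
    ]


def parse_cookies(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (values URL-decoded)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = unquote(value)
    return out


def csrf_ok(request_headers):
    """Server check for a state-changing request: find the session via the HttpOnly
    session cookie and compare X-XSRF-TOKEN with the token stored in that session.
    The CSRF-TOKEN cookie is never consulted, so forging it gains nothing; only a
    request that carries the correct custom header passes."""
    cookies = parse_cookies(request_headers.get("Cookie", ""))
    session = SESSIONS.get(cookies.get("_app_session", ""))
    header = request_headers.get("X-XSRF-TOKEN")
    if session is None or header is None:
        return False
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    return hmac.compare_digest(header.encode(), session["csrf"].encode())


def spa_request_headers(document_cookie):
    """What same-origin page script does before a POST: read CSRF-TOKEN from
    document.cookie (HttpOnly cookies never appear there) and echo it in the
    header. The browser attaches the session cookie by itself."""
    return {"X-XSRF-TOKEN": parse_cookies(document_cookie).get("CSRF-TOKEN", "")}


def demo():
    sid = new_session()
    csrf = SESSIONS[sid]["csrf"]
    browser_cookie = f"_app_session={sid}; CSRF-TOKEN={quote(csrf)}"  # what the browser sends
    document_cookie = f"CSRF-TOKEN={quote(csrf)}"                    # what script can see
    # Same-origin SPA: cookie plus matching header.
    legit = {"Cookie": browser_cookie, **spa_request_headers(document_cookie)}
    # Cross-site form POST: the browser still sends the cookies, but no custom header.
    cross_site = {"Cookie": browser_cookie}
    # Attacker-planted CSRF-TOKEN cookie plus a header derived from it: the server
    # compares against the session's token, not the cookie, so it still fails.
    tampered = {"Cookie": f"_app_session={sid}; CSRF-TOKEN=attacker", "X-XSRF-TOKEN": "attacker"}
    return {
        "legit": csrf_ok(legit),
        "cross_site": csrf_ok(cross_site),
        "tampered_cookie": csrf_ok(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The check in csrf_ok is why the first highlight says a compromised CSRF-TOKEN cookie has no negative effect: the cookie exists only so that same-origin script can copy its value into a header that cross-site requests cannot set. The trade-off in the second highlight follows from the same model: the token has to be readable by script somewhere (cookie, localStorage or a meta tag), so script injection on the origin can always obtain it; HttpOnly protects the session cookie, not the CSRF token.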
  3. Mar 2021
  4. Dec 2020
  5. Oct 2020
    1. That is certainly a good use-case. One thing you can do is to require something other than a user-chosen string as a username, something like an email address, which should be unique. Another thing you could do, and I admit this is not user-friendly at all, is to let them sign up with that user name, but send the user an email letting them know that the username is already used. It still indicates a valid username, but adds a lot of overhead to the process of enumeration.
    1. Landi, F., Marzetti, E., Sanguinetti, M., Ciciarello, F., Tritto, M., Benvenuto, F., Bramato, G., Brandi, V., Carfì, A., D’Angelo, E., Fusco, D., Lo Monaco, M. R., Martone, A. M., Pagano, F., Rocchi, S., Rota, E., Russo, A., Salerno, A., Cattani, P., … Bernabei, on behalf of the G. A. C.-19 G. T. (n.d.). Should face masks be worn to contain the spread of COVID-19 in the postlockdown phase? Transactions of The Royal Society of Tropical Medicine and Hygiene. https://doi.org/10.1093/trstmh/traa085
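The Oct 2020 comment above suggests two anti-enumeration measures: use the email address as the username and give every sign-up the same on-screen response, moving the "already registered" notice into an email that only the mailbox owner sees. The following is an added example, not code from the annotated page or its commenter, showing that pattern together with the matching login-side behaviour (one failure message and a hash comparison performed on every attempt). The in-memory store, the outbox standing in for a mailer, and the message texts are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

USERS = {}   # email -> (salt, password hash); constructed in-memory store
OUTBOX = []  # (recipient, subject); stands in for the mailer


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Dummy credential so that checking an unknown address costs the same as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

SIGNUP_REPLY = ("Check your inbox: if the address is new you will receive a confirmation "
                "link, otherwise a notice that an account already exists.")
LOGIN_FAIL = "Invalid email or password."


def signup(email, password):
    """Same reply, and roughly the same amount of work, whether or not the address
    is already taken. The difference is delivered out of band, to the mailbox
    owner only, as the comment suggests."""
    email = email.strip().lower()
    salt = os.urandom(16)
    digest = _hash(password, salt)  # computed in both branches to keep timing even
    if email in USERS:
        OUTBOX.append((email, "Someone tried to sign up with your address"))
    else:
        USERS[email] = (salt, digest)
        OUTBOX.append((email, "Confirm your new account"))
    return SIGNUP_REPLY


def login(email, password):
    """One error message for 'no such user' and 'wrong password', and a hash
    comparison is always performed so response time does not reveal which."""
    email = email.strip().lower()
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    return "ok" if (email in USERS and match) else LOGIN_FAIL


if __name__ == "__main__":
    print(signup("alice@example.com", "correct horse"))
    print(signup("alice@example.com", "other"))
    print(OUTBOX)
    print(login("alice@example.com", "correct horse"), login("nobody@example.com", "x"))
```

As the commenter notes, this raises the cost of enumeration rather than eliminating it: whoever controls the mailbox still learns whether the address is registered, and other endpoints (password reset, invitation flows) need the same uniform treatment or they become the oracle instead.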

  6. Sep 2020
  7. Aug 2020
    1. ReconfigBehSci {@SciBeh} (2020). it's definitely worth considering a broad range of ideas...but does this not run into the same difficulties that plagued "shielding"? Twitter. Retrieved from: https://twitter.com/i/web/status/1297563172723929088

    1. Sherrard-Smith, E., Hogan, A. B., Hamlet, A., Watson, O. J., Whittaker, C., Winskill, P., Ali, F., Mohammad, A. B., Uhomoibhi, P., Maikore, I., Ogbulafor, N., Nikau, J., Kont, M. D., Challenger, J. D., Verity, R., Lambert, B., Cairns, M., Rao, B., Baguelin, M., … Churcher, T. S. (2020). The potential public health consequences of COVID-19 on malaria in Africa. Nature Medicine, 1–6. https://doi.org/10.1038/s41591-020-1025-y

  8. Jul 2020
  9. Jun 2020
  10. May 2020
    1. Chu, H. Y., Englund, J. A., Starita, L. M., Famulare, M., Brandstetter, E., Nickerson, D. A., Rieder, M. J., Adler, A., Lacombe, K., Kim, A. E., Graham, C., Logue, J., Wolf, C. R., Heimonen, J., McCulloch, D. J., Han, P. D., Sibley, T. R., Lee, J., Ilcisin, M., … Bedford, T. (2020). Early Detection of Covid-19 through a Citywide Pandemic Surveillance Platform. New England Journal of Medicine, NEJMc2008646. https://doi.org/10.1056/NEJMc2008646

  11. Apr 2020
  12. Dec 2018

      Notes from reviewer

      I chose to review an article from Indonesia written by Indonesians to show international readers the diversity of science, language, and local context as the background of the paper, and the level of science that serves as the basis of the paper. Here I also point out that reviewers should not be influenced by the common perspective on the level of science in SE Asia (especially Indonesia) and then use that measure to assess the paper; rather, the reviewers should understand the benefits of the paper for local problems. Not all papers are written to solve the world's largest problem.

      I will write the overview of the comments in English and Indonesian and write more specific comments in various locations only in Indonesian.

      General comment

      • This paper is very important to the current situation in Indonesia, which is suffering from many continuous geohazards; hence this paper should be properly exposed in Indonesian media, given the current tsunami situation.

      • More testing in various local environments should be conducted to improve the tent's design and how to set it up on, e.g., soft ground after a tsunami.

      Specific comments

      • Methods:

        ** the authors should include the material selection process in the methods, because this is the most important bit of this paper. The fact that this was a multi-year project should be pointed out in the form of citations to the previous documents.

      • Future development:

        ** this article should be developed further by including the variability of local conditions in the material selection process.

        ** the authors should also test the material and design against the existing standards for shelters, e.g. from UNHCR (United Nations High Commissioner for Refugees) and IFRC (International Federation of Red Cross).

        ** to give more information, I suggest the authors upload the previous documents/reports and all supplementary materials to the OSF (since the OSF allows them to upload multiple files in various formats).

        ** it would be interesting as well to test out the tent in the field and share the comments from the authorities (e.g. BNPB or Basarnas).

      Closing comment

      By publishing this research in Indonesian, the authors have made their main point: to contribute directly to society instead of only chasing fame by publishing it in an international journal.

  13. Oct 2018
  14. Apr 2018
  15. www.ecosystemmarketplace.com
    1. North America

      North America section of report

    2. In North America, biodiversity offset and compensation programs are well-developed, particularly the US wetland and species compensation programs and Canada’s fish habitat compensation program. In total there are 14 active programs and 5 in development in North America. The region sees a minimum of $1.5-$2.5 billion in compensation payments per annum. This region also hosts the most offset credit banks of any region in the world. The United States has seven active programs and three in development. Payments total $1.5-$2.4 billion annually. Around 700,000 cumulative acres (283,280 hectares) have been restored or protected through US programs. The two largest offsetting programs, wetland and species mitigation, offer three mechanisms for achieving compensation: do it yourself, pay into a fund, or buy a third-party credit. Within this third form of offset credit banking there are 615 active and sold-out banks in the country.

      size of North America's mitigation market

    1. Last year, the US Department of Agriculture’s Office of Environmental Markets, together with Ecosystem Marketplace publisher Forest Trends and the Environmental Protection Agency, published an online Atlas of Ecosystem Markets, which you can access here.

      8. The Jobs are Robot-Proof

      Environmental regulations didn’t kill coal; natural gas and renewables did. Regulations didn’t stifle the western oil boom, either; that was low energy prices. Even if Trump & Co do prop the coal sector, jobs won’t go to people; they’ll go to machines, which took most of the jobs America lost in the last decade. BenDor’s research shows restoration jobs are evenly divided between white-collar planners, designers, and engineers and the green-collar guys doing the actual earth moving and site construction. Almost all involve time in the great outdoors, and they can’t be exported or done by robots.

      9. The Jobs are Cost-Effective

      Because restoration work is labor-intensive, the money goes to people instead of machines, and every $1 million invested generates 33 jobs on average. Every $1 million invested in oil, on the other hand, generates 5.2 jobs per $1 million invested. In coal, the figure is 6.9 jobs.

      10. It Doesn’t Stifle Business

      Some industry groups claim the Endangered Species Act blocks development, but researchers reviewed 88,000 consultations between 2008 and 2015 and found that no projects had been stopped or even changed in a major way to protect habitat. Even proponents of the system concede, however, that the permitting process is slow and tedious.

      11. It Can Be Improved

      While the FWS administers credits for mitigation of endangered species, the Army Corps of Engineers approves mitigation credits for streams and wetlands, and they’re notoriously underfunded. This leads to long and costly delays, according to unpublished research that BenDor conducted with Daniel Spethmann of Working Lands Investment Partners and David Urban of Ecosystem Investment Partners.

      Delays are so costly, they argue, that companies in the restoration sector might be better off paying 50-fold higher permitting prices that would give the agencies the staff needed to properly process permits, akin to expedited building permits, rather than paying banks the interest on loans for land where environmental improvements are being held up.


    1. In 2008, EPA and the Corps issued revised regulations governing compensatory mitigation.12 These regulations established equivalent and effective standards for all three compensatory mitigation mechanisms: mitigation banks, in-lieu fee mitigation, and permittee-responsible mitigation. Since mitigation banking is the most reliable form of compensatory mitigation, these regulations establish a preference for the use of banks when appropriate credits are available.

      See above note

  16. Sep 2017
    1. The government might well impose martial law as it sought to control the situation, hunt for the perpetrators, and find any additional weapons or nuclear materials they might have

      Primary focus should be on mitigation of effects

  17. Jan 2016
    1. Since the operators of part 15 devices are required to cease operation should harmful interference occur to authorized users of the radio frequency spectrum,

      Mention of the operator's duty to prevent interference.

      Language is usually "operator", occasionally "owner or operator"

  18. Dec 2015
    1. verify that new software can be legally loaded into a device to meet these requirements

      And this is the required means, that the router vendors prevent loading of software that does not meet the desired ends. Previous documents instead specified that DD-WRT not be loaded.

      The FCC document is no longer available: please see http://web.archive.org/web/20150803065407/https://apps.fcc.gov/kdb/GetAttachment.html?id=1UiSJRK869RsyQddPi5hpw%3D%3D&desc=594280%20D02%20U-NII%20Device%20Security%20v01r02&tracking_number=39498

      It is cited in https://via.hypothes.is/http://www.wired.com/2015/09/hey-fcc-dont-lock-wi-fi-routers/

    2. The instruction manual furnished with the intentional radiator shall contain language in the installation instructions informing the operator and the installer of this responsibility.

      Language re mitigation that should be required of router vendors

    3. DFS functionality

      IMHO, this is arguably a requirement that should be true for any country.

    4. operating frequencies, output power, modulation types or other radio frequency parameters

      Mitigation: IMHO, this section should be split into two, one stating the mission, and one suggesting mitigations in a "not limited to" format.

      In particular, I'd welcome mitigations such as

      • "For devices receiving their geographical location from a network service such as DHCP, the device shall use the specified country as the default location for which to set operating frequencies, output power, modulation types or other radio frequency parameters that are country-specific." and

      • "For all devices using location information to set RF parameters, the purchaser/operator shall be provided with a way of changing the location to the United States."

      • "For all devices where the location is not known, the device shall default to a constructed set of RF parameters that will be legal in at least the United States, and preferably in any country."
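The three proposed clauses above amount to a precedence rule for choosing a regulatory profile: an operator-set country wins, then a country learned from the network (the annotator's DHCP case), and with no location at all a profile that is legal everywhere the device knows about. The following is an added example of that selection logic; it is not from the FCC document or from the annotator, and the regulatory table is a constructed placeholder covering 2.4 GHz channels only, with illustrative power figures that are not authoritative. A real device would take its tables from the certified regulatory database for the product.

```python
# country -> (allowed 2.4 GHz channels, max EIRP in dBm). Illustrative values
# constructed for this example; not a regulatory reference.
DOMAINS = {
    "US": (set(range(1, 12)), 36),
    "DE": (set(range(1, 14)), 20),
    "JP": (set(range(1, 14)), 20),  # channel 14 (802.11b only) deliberately omitted
}
HOME = "US"  # the country the device was certified for (assumption)


def conservative_profile():
    """Fallback for an unknown location (third proposal): only channels allowed in
    every known domain, at the lowest of their power limits. Because HOME is one
    of the domains, the result is legal in the United States by construction."""
    channels = set.intersection(*(chans for chans, _ in DOMAINS.values()))
    power = min(limit for _, limit in DOMAINS.values())
    return {"country": None, "source": "default",
            "channels": sorted(channels), "max_eirp_dbm": power}


def select_profile(operator_country=None, network_country=None):
    """Precedence: an explicit operator setting (second proposal) beats a country
    supplied by the network, e.g. a DHCP civic-location option (first proposal);
    with neither, or with a code the device does not recognise, fall back to the
    conservative profile rather than guessing."""
    for source, country in (("operator", operator_country), ("network", network_country)):
        if country is None:
            continue
        country = country.strip().upper()
        if country not in DOMAINS:
            continue  # unknown code: treat as unknown location, do not guess
        channels, power = DOMAINS[country]
        return {"country": country, "source": source,
                "channels": sorted(channels), "max_eirp_dbm": power}
    return conservative_profile()


if __name__ == "__main__":
    print(select_profile())                                  # no location known
    print(select_profile(network_country="de"))              # learned from the network
    print(select_profile(operator_country="US", network_country="DE"))  # operator override
```

Note what the fallback does not do: it never widens the channel set beyond what every listed domain permits, so a device that boots with no location cannot radiate on a channel or at a power that would be illegal in its home country, which is the property the third clause asks for.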