652 Matching Annotations
  1. Last 7 days
    1. Many companies send our passwords via email. Whether these emails come from our IT department, a colleague, a SaaS solution or elsewhere, it's not a good idea to send and receive passwords via email.

      Send passwords via email? A bad idea!

  2. Apr 2022
    1. You cannot override defaults via query parameters - this is for security reasons. The only defaults that can be overridden are dynamic segments via substitution in the URL path.
    1. > So disabling JS completely via about:config is not a solution. It is. Works for me (yes, no NoScript, the real thing). My main Firefox profile is like that, then I have a secondary profile for the cases I really need it for — that gets used less than once a month. Oh, and no cookies either. Luckily, hackaday works fine like that (even cookieless commenting: big kudos and thanks! That’s why I keep returning here). And LWN (I temporarily enable cookies to post), and more than 95% of the sites I care about. As it turns out, I care less and less for the other 5%: so this number is actually shrinking.
    2. I fully agree the best solution for security is “javascript.enabled = false”
    3. Let's go back to the original “browser as a document” instead of “browser as OS”.


    4. As I said up-thread, it was promised from Day 1 that browsers would always execute client-side Javascript safely. That was central to its acceptance.
    5. You don’t need microsecond timing on a freaking website – except maybe in graphics and sound, and such functionality could be wrapped and secured in an API. So I think that browser makers deserve a bigger slice of blame for making their users so vulnerable. User safety needs to become important again.
  3. Mar 2022
  4. Feb 2022
    1. The transitionary approach is advisable when data security plays a vital role.



    1. gives the man and his kinship group certain rights of control over the woman
  5. Jan 2022
    1. an accident in which there is a collision with terrain, water, or obstacle during the course of a flight, without indication of loss of control.

      Controlled Flight into Terrain (CFIT)

    1. For example, suppose your API returns a 401 Unauthorized status code with an error description like The access token is expired. In this case, it gives information about the token itself to a potential attacker. The same happens when your API responds with a 403 Forbidden status code and reports the missing scope or privilege.
    2. Now, assume your client attempts to access a resource that it MUST NOT access at all, for example, because it belongs to another user. What status code should your API return? Should it return a 403 or a 401 status code? You may be tempted to return a 403 status code anyway. But, actually, you can't suggest any missing permission because that client has no way to access that resource. So, the 403 status code gives no actual helpful information. You may think that returning a 401 status code makes sense in this case. After all, the resource belongs to another user, so the request should come from a different user. However, since that resource shouldn't be reached by the current client, the best option is to hide it.
    1. Special case: Can be used instead of 404 to avoid revealing presence or non-presence of resource

      eh? instead of 404? I would actually say that:

      • 404 is as good or better at avoiding revealing presence or non-presence of resource; probably better because 401 implies that we found the resource but that they needed to be signed in in order to access
      • normally one would use a 404 instead of a 401/403 (usually instead of a 403) to avoid revealing presence or non-presence of resource.

      I think they know which is the correct, as evidenced by how they said about 404 below: "User/agent known but server will not reveal anything about the resource, does as if it does not exist." — I think this must have just been a typo.
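
The response policy argued in the two annotations above (generic 401/403 bodies, and a 404 rather than 401/403 for a resource that belongs to someone else), written out as an added example. This is not code from the quoted posts; the bearer tokens, users and documents are constructed for the demo, and the token lookup stands in for whatever token validation a real API does.

```python
"""Authorization responses that do not leak token or resource details.

Added example; not code from the quoted posts. It applies the rule argued
above: generic bodies on 401 and 403 (no "token expired", no missing-scope
name) and a 404 for a resource owned by another user, so that "exists but not
yours" and "does not exist" are indistinguishable. Tokens, users and documents
below are constructed for the demo.
"""
import time
from dataclasses import dataclass

# Constructed sample data: bearer token -> user, granted scopes, expiry.
TOKENS = {
    "tok-alice": {"user": "alice", "scopes": {"docs:read", "docs:write"}, "exp": time.time() + 3600},
    "tok-bob-ro": {"user": "bob", "scopes": {"docs:read"}, "exp": time.time() + 3600},
    "tok-expired": {"user": "alice", "scopes": {"docs:read"}, "exp": time.time() - 1},
}
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "alice's private notes"},
    "doc-2": {"owner": "bob", "body": "bob's private notes"},
}


@dataclass
class Response:
    status: int
    body: dict


def _authenticate(auth_header):
    """Return the token record, or None for a missing, unknown or expired token."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    record = TOKENS.get(auth_header[len("Bearer "):])
    if record is None or record["exp"] < time.time():
        return None  # same outcome for "unknown" and "expired": nothing to learn
    return record


def get_document(auth_header, doc_id, method="GET"):
    token = _authenticate(auth_header)
    if token is None:
        # Generic 401: no hint about why the credential was rejected.
        return Response(401, {"error": "unauthorized"})

    doc = DOCUMENTS.get(doc_id)
    # Ownership is checked before scopes: a document that is not the caller's
    # must look exactly like a document that does not exist.
    if doc is None or doc["owner"] != token["user"]:
        return Response(404, {"error": "not found"})

    required = "docs:read" if method == "GET" else "docs:write"
    if required not in token["scopes"]:
        # 403 without naming the scope or privilege that is missing.
        return Response(403, {"error": "forbidden"})

    return Response(200, {"id": doc_id, "body": doc["body"]})
```

The precise reason (expired token, unknown token, which scope was missing) belongs in the server-side log for operators; only the wire response is generic.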

    1. Mabry says if you own a Hyundia or Kia, you better add extra security so you don't become the next target.

      Apparently, there is an issue with key fob security on 2020 Kia Sportage and Hyundai models.

      Also, Columbus Police and 10TV don't know how to spell Hyundai or use spell check.

  6. Dec 2021
    1. Edge computing is an emerging new trend in cloud data storage that improves how we access and process data online. Businesses dealing with high-frequency transactions like banks, social media companies, and online gaming operators may benefit from edge computing.

      Edge Computing: What It Is and Why It Matters https://en.itpedia.nl/2021/12/29/edge-computing-what-it-is-and-why-it-matters/

    1. ‘Security’ takes many forms. There is the security of knowing one has a statistically smaller chance of getting shot with an arrow. And then there’s the security of knowing that there are people in the world who will care deeply if one is.
  7. Nov 2021
    1. When the embedded document has the same origin as the embedding page, it is strongly discouraged to use both allow-scripts and allow-same-origin, as that lets the embedded document remove the sandbox attribute — making it no more secure than not using the sandbox attribute at all.
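
A small audit of the rule quoted above, as an added example rather than code from the documentation: it scans markup for `iframe` elements whose `sandbox` token list combines `allow-scripts` with `allow-same-origin`, and rates the finding high only when the frame's document would share the embedder's origin (relative `src`, `srcdoc`, `about:blank`, or an absolute URL on the page's own origin). The page origin and the sample markup are constructed.

```python
"""Audit <iframe sandbox> attributes for allow-scripts + allow-same-origin.

Added example; not code from the quoted documentation. It parses HTML with the
standard-library parser and reports frames whose sandbox token set would let a
same-origin embedded document remove its own sandbox attribute. The page origin
and the sample markup are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _same_origin(src, page_origin):
    """True when the frame's document shares the embedder's origin."""
    parts = urlsplit(src)
    if not parts.scheme and not parts.netloc:
        return True  # relative URL resolves against the embedding page
    if parts.scheme.lower() == "about":
        return True  # about:blank inherits the embedder's origin
    page = urlsplit(page_origin)
    return (parts.scheme.lower(), parts.netloc.lower()) == (page.scheme.lower(), page.netloc.lower())


class SandboxAudit(HTMLParser):
    def __init__(self, page_origin):
        super().__init__()
        self.page_origin = page_origin
        self.findings = []  # (src, severity, message)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ("srcdoc:" if "srcdoc" in a else "")
        if "sandbox" not in a:
            self.findings.append((src, "info", "no sandbox attribute"))
            return
        # The value is a space-separated, case-insensitive token list; a bare
        # `sandbox` attribute (value None) keeps every restriction in force.
        tokens = set((a["sandbox"] or "").lower().split())
        if {"allow-scripts", "allow-same-origin"} <= tokens:
            same = "srcdoc" in a or _same_origin(a.get("src", ""), self.page_origin)
            if same:
                self.findings.append((src, "high", "same-origin frame can delete its sandbox attribute"))
            else:
                self.findings.append((src, "review", "allow-scripts with allow-same-origin; confirm the frame stays cross-origin"))


def audit(html, page_origin):
    p = SandboxAudit(page_origin)
    p.feed(html)
    p.close()
    return p.findings


# Constructed markup: a bad same-origin frame, an acceptable cross-origin one,
# an unsandboxed legacy frame, a fully sandboxed frame, an absolute same-origin
# URL with mixed-case tokens, a cross-origin frame to review, and about:blank.
SAMPLE = """
<iframe src="/widget.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://other.example/embed" sandbox="allow-scripts"></iframe>
<iframe src="/legacy.html"></iframe>
<iframe src="/static.html" sandbox></iframe>
<iframe src="https://app.example/cmp.html" sandbox="ALLOW-SCRIPTS allow-same-origin"></iframe>
<iframe src="https://cdn.example/x" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="about:blank" sandbox="allow-scripts allow-same-origin"></iframe>
"""
```

Run it over a rendered page rather than a template where possible: the dangerous combination is often assembled at runtime from feature flags, and the origin comparison only holds if the `src` you audit is the one the browser will actually load.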
    1. Before we prove this lemma, we explain why such a lemma is useful for proofs in the quantumrandom oracle model.

      one-way-to-hiding lemma

    1. Pretty much anything that can be remembered can be cracked. There’s still one scheme that works. Back in 2008, I described the “Schneier scheme”: So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

      Good advice on creating secure passwords.

    1. A full-featured software TPM is a large and complicated software stack

      To the point of being a security risk. Some TPMs have had vulnerabilities due to the number of functions and the complexity of implementing them.

    1. It's all too complex for our little brains to handle. And like any situation of excess complexity, we collapse dimensions until we have a structure we can comprehend. The problem, in this case, is that our simplifications create tunnels large enough for the trucks of hackers to drive through—with ease.
    2. As many have observed, login is a broken system. Until we can be identified by factors that are unique to our personhood (biometrics, etc.) that we don't have to remember or store somewhere, these problems will persist. People have too many passwords for too many accounts.
    1. That's not how Flatpak works; the executable is hidden in a container and you need to set up the whole environment to be able to call it. Delivering a well-isolated, not-to-be-run-from-outside environment is the whole point.
    1. Continuous threat and system behavior monitoring
       • Management of access rights and privileges
       • Use of testbeds for assessing new threats in fielded systems
       • Supply-chain diligence
       • Certification and accreditation standards
       • Formal methods for identification of vulnerabilities
  8. Oct 2021
    1. A combination of good cross-site scripting hygiene, a secure HTTP only cookie for authentication and a CSRF token is a good combination for building a secure ecosystem for your PWA and web API.
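
The server-side half of the combination described above, as an added example (not code from the quoted post or any framework): the session cookie is issued with `HttpOnly`, `Secure` and `SameSite` so script and cross-site forms cannot use it, and the CSRF token is an HMAC bound to the session under a server secret, checked in constant time on every state-changing request. The secret, session id and request shape are constructed for the demo.

```python
"""HttpOnly session cookie plus an HMAC-bound CSRF token for a PWA's API.

Added example; not code from the quoted post or any framework. It issues the
session cookie with the flags that keep it out of script reach, derives a CSRF
token tied to that session with an HMAC under a server-side secret, and checks
the token on state-changing requests in constant time. The secret, session id
and request shape are constructed for the demo.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumption: one long-lived secret per deployment
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie_header(session_id):
    # HttpOnly: not readable via document.cookie even under an XSS.
    # Secure: only sent over TLS.  SameSite=Lax: not attached to cross-site POSTs.
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % session_id


def csrf_token(session_id):
    # Bound to the session, so a token leaked from one session is useless for
    # another, and unforgeable without SERVER_SECRET.  This value is the one
    # the PWA's JavaScript is allowed to see and send back.
    return hmac.new(SERVER_SECRET, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(request):
    """request: {'method': str, 'cookies': dict, 'headers': dict} (constructed shape)."""
    if request["method"] in SAFE_METHODS:
        return True  # safe methods must not change state, so no token is needed
    sid = request["cookies"].get("session")
    presented = request["headers"].get("X-CSRF-Token")
    if not sid or not presented:
        return False  # fail closed: a cross-site form cannot add a custom header
    return hmac.compare_digest(presented, csrf_token(sid))
```

The PWA's `fetch()` reads the token from wherever the server exposed it (a meta tag or a JSON endpoint) and sends it in `X-CSRF-Token`; the browser attaches the cookie on its own, which is exactly why the cookie alone must not authorize a write.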
    1. And at the end of the day, Gates is not accountable to governments or to communities. He was not elected, and there is no mechanism for him to be recalled, challenged, or held responsible for faulty policies. He could suddenly decide that he was no longer interested in supporting agriculture in Africa. In that case, the new food system Gates is importing to the African continent would collapse. Political and economic systems are being drastically altered, all at the whim of one person, one foundation.In fact, the differences between this situation — powerful individuals and institutions deciding to mess with the social, political, and economic realities of countries — and the earlier form of colonialism are thin. It’s still advertised as “good intent” and the desire to “civilize” an “uncivilized” people. The only difference is that neocolonialism is quieter and more covert. By design, it provokes less outrage. But the essential power structures remain the same.

      Concentrating power to one individual is dangerous. Large portions of the food security of African nations should not be so vulnerable to corporatism.

  9. Sep 2021
    1. It's also why it is so annoying to people who actually know what they are doing, when randomly the browser decides to take over a function provided for decades by the OS network stack, and with no notice start bypassing all the infrastructure they set up to their liking (like your hosts file) and funnelling all their browsing habits to some shady company (Cloudflare).
    1. This is more secure than simply opening up your server’s firewall to allow connections to port 5901, as that would allow anyone to access your server over VNC. By connecting over an SSH tunnel, you’re limiting VNC access to machines that already have SSH access to the server.
    1. Remote Access is something that we are really excited about because it will allow our support team to give you a seamless and high level of support that is truly unmatched. When you need extra help, you can enable the Remote Access toggle with a single click. This will send a secure token to the Elegant Themes support staff that they can use to log in to your WordPress Dashboard. No passwords are shared and there is no need to send the token to our team yourself. It all works seamlessly in the background. While remote access is enabled, our team will be able to log in to your website and help explore whatever problems you are experiencing. You can even enable it preemptively before chatting with our support team so that we can jump right in if necessary. By default, our support staff will have limited access to your website using a custom WordPress support role. You can also enable full admin access if requested. Remote access is automatically disabled after 4 days, or when you disable Divi. You can also turn it off manually after an issue has been resolved, and of course, Remote Access can only be enabled by you, the website owner, and not by Elegant Themes or anyone else. The Remote Access system is wonderful because it saves tons of time during support chat, and it saves you the hassle of having to debug certain complicated issues yourself. It allows us to take a hands on approach to solving problems quickly, instead of wasting hours or days chatting back and forth.
    1. a class of attacks that were enabled by Privacy Badger’s learning. Essentially, since Privacy Badger adapts its behavior based on the way that sites you visit behave, a dedicated attacker could manipulate the way Privacy Badger acts: what it blocks and what it allows. In theory, this can be used to identify users (a form of fingerprinting) or to extract some kinds of information from the pages they visit
  10. Aug 2021
    1. You cannot break security if you do not understand a system better than the people who made the system, and you cannot defend your organization if you do not understand how those systems work to the same degree.
    2. "Highly complex memorized secrets introduce a new potential vulnerability: They are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets."
    3. Forcing employees to use a complex password with special characters in it means everyone is just going to add an exclamation point at the end of their existing password. This is why your accounts payable clerk has a yellow sticky note on their cubicle wall with their password on it. They just want to get their job done, and you're making it harder for them with no discernible improvement to security.
    1. Zoom told its users that their video calls were end-to-end encrypted when actually they were protected by TLS encryption. Zoom generated and stored the keys to its users’ encrypted information on its servers rather than on its users’ devices, meaning anyone with access to those servers could monitor the unencrypted video and audio content of Zoom meetings. These servers are located around the world, often in countries where companies can be forced to share user data with law enforcement organizations. What’s worse is that, according to the most recent lawsuit, Zoom’s response made it clear that it “knew that it did not use the industry-accepted definition of E2E encryption and had made a conscious decision to use the term ‘end-to-end’ anyway”.
    1. The confession-book, I suppose, has disappeared. It is twenty years since I have seen one. As a boy I told some inquisitive owner what was my favourite food (porridge, I fancy), my favourite hero in real life and in fiction, my favourite virtue in woman, and so forth.

      The form of some of these questions in confession albums is similar to modern day security questions asked by banks and personal accounts as a sort of personal password or shibboleth.

    1. An interesting directory of personal blogs on software and security.

      While it aggregates from various sources and allows people to submit directly to it, it also calculates a quality score/metric by using a total number of Hacker News points earned by the raw URL

      Apparently uses a query like: https://news.ycombinator.com/from?site=example.com to view all posts from HN.

    1. U.S. Senate Subcommittee on Communications, Technology, Innovation, and the Internet, "Optimizing for Engagement: Understanding the Use of Persuasive Technology on Internet Platforms," 25 June 2019, www.commerce.senate.gov/2019/6/optimizing-for-engagement-understanding-the-use-of-persuasive-technology-on-internet-platforms.

      Perhaps we need plurality in the areas for which social data are aggregated?

      What if we didn't optimize for engagement, but optimized for privacy, security, or other axes in the space?

  11. Jul 2021
  12. datatracker.ietf.org
    1. It is similarly intended to fail to establish a connection when data from other protocols, especially HTTP, is sent to a WebSocket server, for example, as might happen if an HTML "form" were submitted to a WebSocket server. This is primarily achieved by requiring that the server prove that it read the handshake, which it can only do if the handshake contains the appropriate parts, which can only be sent by a WebSocket client. In particular, at the time of writing of this specification, fields starting with |Sec-| cannot be set by an attacker from a web browser using only HTML and JavaScript APIs such as XMLHttpRequest [XMLHttpRequest].
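
The server side of the handshake the paragraph describes, as an added example (not the RFC's text or any library's code): the server upgrades only a request carrying the headers a browser's WebSocket client sets, including a well-formed `Sec-WebSocket-Key`, and proves it read them by answering with `Sec-WebSocket-Accept` derived from that key and the fixed GUID. A form POST never gets the 101. An optional `Origin` allow-list is included because the key check alone proves a WebSocket client, not which site drove it. The sample requests are constructed; the good one mirrors the RFC's own example values.

```python
"""Server side of the WebSocket opening handshake (RFC 6455, section 4.2.2).

Added example; not the RFC's text or any library's code. The server upgrades
only a request that carries the headers a browser's WebSocket client sets,
including Sec-WebSocket-Key, which page script cannot set by hand, and proves
it read them by returning Sec-WebSocket-Accept computed from the key and the
fixed GUID. An optional Origin allow-list guards against cross-site use. The
sample requests are constructed (the good one mirrors the RFC's example).
"""
import base64
import binascii
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455


def accept_value(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _valid_key(key):
    try:
        return len(base64.b64decode(key, validate=True)) == 16  # 16 random bytes, base64
    except (binascii.Error, ValueError):
        return False


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def handshake_response(raw, allowed_origins=None):
    """Return the 101 response for a valid handshake, otherwise a 4xx response."""
    request_line, h, _ = parse_request(raw)
    method = request_line.split(" ")[0]
    connection_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    is_ws_client = (
        method == "GET"
        and h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in connection_tokens
        and h.get("sec-websocket-version") == "13"
        and _valid_key(h.get("sec-websocket-key", ""))
    )
    if not is_ws_client:
        # An HTML form POST or a plain XHR lands here: no upgrade, connection closed.
        return "HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    if allowed_origins is not None and h.get("origin") not in allowed_origins:
        # The handshake proves a WebSocket client, not which site drove it.
        return "HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Accept: " + accept_value(h["sec-websocket-key"]) + "\r\n\r\n"
    )


# Constructed requests: a browser handshake, and an HTML form submitted to the same path.
GOOD = (
    "GET /chat HTTP/1.1\r\nHost: server.example.com\r\nUpgrade: websocket\r\n"
    "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: http://example.com\r\nSec-WebSocket-Version: 13\r\n\r\n"
)
FORM_POST = (
    "POST /chat HTTP/1.1\r\nHost: server.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 9\r\n\r\nmsg=hello"
)
```

The client side of the proof is symmetric: a browser discards the connection unless the `Sec-WebSocket-Accept` it receives equals the value it computes from the key it sent, which is what stops a non-WebSocket server from being tricked into a framed conversation.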
    1. Rodolfo: I'm a victim of sexual abuse in the United States and there was a police report made and everything. And I've also been a victim of gang violence. I was never, you can check my background and everything. I was never into gangs or anything, but around the area I lived in there was a bunch of gangs and... I was beat up two or three times bad just by walking home. And it was all documented, I had police reports and everything. And because of that I was in therapy for while. My mother sought out a help from a psychiatrist because of the sexual abuse I had as a child in California, as a matter of fact.Rodolfo: I took Risperdal and a Ritalin, Risperdal for the anxiety and the Ritalin and for the ADHD. So, we tried everything. The mental health side, the mental health asylum, everything. But it was just going to take longer and longer and longer and I was tired of it. I didn't want to be locked up anymore. So, finally I just told my mom, “You know what man, that's it, I'm done. I don't want to do this anymore.” She asked me, “Is this what you want to do?” And I told her, “Yeah.”Rodolfo: She told me, “You know what? I'd much rather see you over there and be free then not being able to see you here at all.” Because there was a lot of people that went to go visit their loved ones and they used to get picked up. Sometimes they wouldn't even let you see your loved ones and right away ask you for your identification, your social security card, your nationality and everything and they would get picked up.Rodolfo: And I always told my mom, “Don't ever come visit me. Don't ever come visit me because if you do, chances are they're going to take you too.” And you know, that would always break my heart because I would want to see my mom. I'd want to see my dad and everything, but I wasn't able to. So, that experience was just horrible.Sergio: When you were in the detention center what were the conditions? Did you have access the medicine you needed? 
Did you have access to food and water?Rodolfo: The company that made the jail was called GEO Corp and they were actually, I'm not going to lie to you, they actually were pretty good, health-wise, not so much security-wise. A lot of things would happen in there that definitely shouldn't have ever happened. But with the food and everything, it was good. In my opinion it was because of the company. I feel as though if it was up to the government... Thank God it was an independent company that was hired by DHS as opposed to if DHS were to make their own jail, I feel they would be completely different.Rodolfo: It was [Pause] a pleasantly... there's no way to describe it, it was bad. It was bad, but for what it was I guess it was okay. I don't see there being an in-between or any pretty way to paint that picture as to how good or bad it was in there. Because at the end of the day you're deprived of your freedom. You can't just pick up the phone whenever you want and call your loved ones because you've got to pay for that too. You got pay for that. And if you want to take a shower, you have to buy your soap, right? You've got to buy it yourself, you've got to buy everything. And now you're becoming a liability for your family, you're becoming another bill.Rodolfo: You're becoming another bill and that's what I didn't want. So, that's why I started working. And now, older, I'm becoming another bill. So, I don't get it. You're taking us away from the jobs that we have and everything. You know? So, take us back to our country. And I'm not sure if it this is a fact or not, but I was reading when I first got in here, there was a time where there wasn't enough field workers for, I think, avocado—or, not avocado, I think it was oranges or something like that.Rodolfo: And I remember me saying, “Well, there goes all the deportees. There goes all the people you guys deported. Where are the people that were so outraged because we took your jobs? Go ahead, there you go. 
There are a lot of vacancies, making these open for those jobs, go ahead, man. All yours buddy, knock yourself out.”Rodolfo: But nobody wants to work those jobs, right? You see what I'm saying though, right?

      Leaving the US, Reason for Return, Deportation, Voluntary departure, Family decision, No hope for a future in the US, Detention, Treatment by; Time in the US, Violence, Sexual Abuse, Gangs, Bullying, Fear of, Jobs/employment/work

    2. Sergio: After your mom told you couldn't go on that trip, how did that affect the way you were involved in school, the things you wanted to do, did that change? Is there anything that you...?Rodolfo: I didn't put as much effort as I did anymore. I knew, at the end of the day, I'm not eligible for scholarships. I don't get any aid, I don't get anything. In my mind I thought, “Man, what's the point of really working hard in school if at the end of the day, I'm not gonna get any help?” My mom is having to work to put me through college. No, I don't want this, so I just thought, you know what, I'm just gonna give her what she wants, my diploma, my high school diploma. From then on, if I want to do something, it'll be by my own hand, out of my own pocket. I didn't want her to... Not that I was a burden or anything, my objective was for her not to work that much. That's it.Rodolfo: After she told me that, I'm like, "Well, okay, what's the point of really working hard and putting your best effort into school if, in my position, I won't be able to surpass US citizens." Then the aspect of financial aid, or any aid at all, I'm not gonna have any of that. I tried it with the fake social, but obviously it didn't go through. Nothing happened. Yeah, it changed a lot. It changed the way I viewed everything around me. Like, spring break all my friends would go certain places out of the country, and I used to get invited and, "No, I can't go man, my family doesn't think..." It would always have to be lie after lie after lie. I didn't want to... for one, I always had that idea of like my mom and my family always told me, "Don't ever tell anybody you're an immigrant. If somebody has that knowledge they can do you harm. They can take you away from here, they can take us away from each other."Rodolfo: I'm seeing it now, with the families going across the border, and them being separated. I didn't understand it at the time, and man, now I do understand it. 
I didn't know how it really was until I finally got put in handcuffs and got shipped to an immigration facility.Sergio: What do you think you would have wanted or end up being before you found out? What kind of things... Like you were on debate team that was—Rodolfo: I wanted to be a lawyer, man, that's what I wanted to be. That's what I wanted to be, a lawyer. It's funny, because when I was younger I wanted to be a lawyer. Then after that I'm like, "I want to be an immigration lawyer, that's what I want to be now. I want to be an immigration lawyer.” I was already on the right track to being a lawyer, but then when that happened, it really opened my eyes more to, "Okay, let's help my people." I didn't realize... I know individuals over there who are citizens, and they're panhandling because they want to. They're on their own addiction or for whatever reason right? Or people who are just living off the government, but then I see some of my family members, or my friends’ family members and they're not citizens but they have businesses.Rodolfo: They have a business, they have trucks, they have houses, they're great. They're not living off the Government, they're not asking for a handout. They're living better than what a citizen is living. It's all about how much work you put in, right? If you hang around people who don't want to do anything, then you're not gonna do anything. I remember Gerald Ford always told me that. He was like, "If you want to be a millionaire, hang around millionaires. If you want to be successful, hang around people who do successful things, but if you want to keep doing what you're doing, and just be a little caddie or whatever, stay here. Stay here and maybe one day you'll do something else."Rodolfo: He was very blunt in that aspect like, "Always do a good job. 
I don't care if you're a shit-shoveler, you're gonna be the best shit shoveler there is.” That always stuck to me, that's why whatever I do, it's always been 100%.Sergio: That's good.Anita: Can I speak? I'm Anita, I'm the director of this project.Rodolfo: Okay.Anita: I'm really pleased to meet you—Sergio: Likewise.Anita: I'm amazed at your incredible story. When you talked about the trip to DC, the debate club, and you got very sad—Rodolfo: Yeah.Anita: ... what made you sad, and did it make you feeling... Do you remember what your feelings were as you sort of found that all these options were gone to you?Rodolfo: Well, it was just mixed emotions. I felt sad because I contributed to the team a lot. I wasn't just there, and it made me sad because I wasn't going to be able be with my friends, my teammates. It also made me mad because all my life, all my short period, my whole time here in Chicago or whatever, I don't think I've done anything bad. Why shouldn't I have the privilege to go if I put in the same work as they did? Only because I don't have a social security number or a document that lets me buy a plane ticket and go over there? I think about it in a different—at the same time, I was a little kid too—I just cried a lot. That night I just cried a lot because I knew I wasn't gonna go. My mom spoke to the, I'm not sure what my mom told her, but see, I don't think she told her that we're undocumented, and I can't fly.Rodolfo: Yeah, I just remember that night feeling very sad, very sad, but then it turned into anger. It was like, "Man, why can't I?" It was always just that, "Why can't I? I put in the same work, and just because I wasn't born here, I can't fly?" I even looked into bus routes and everything to DC and stuff like that, but my mom was like, "No, you're crazy, you can't go alone." She worked and everything, I just felt sad, mostly sad.

      Time in the US, Immigration Status, Being secretive, Hiding/lying, In the shadows, lost opportunities; Reflections, The United States, Worst parts of the US, US government and immigration, Growing up undocumented, Dreams; Feelings, Choicelessness, Despair, Legal Status, Disappointment, Discouragement, Frustration, Sadness, Jaded

    3. Anita: Did Gerald Ford know you were undocumented?Rodolfo: No, Gerald Ford didn't know I was undocumented, no. I was still very young at that point. My mother and my family always told me, "Don't let anybody know you're undocumented.” If somebody finds out, for whatever reason, there's some people who just are plain out racist or don't want people like me in the States. Sometimes they just do things to... I don't know. That's what I understood and that's what I took in and that's what I applied to my life. It's like living a secret, it was like living a second life or whatever. It’s like, "Oh shit, why do I have to lie, why?" I guess it's neither here nor there now, right? I'm here in Mexico.Anita: That must have been incredibly difficult. I know personally, because I've had to keep secrets.Rodolfo: Yeah, I guess it's one of those things where you think it's never really gonna affect you, until you're in the back of the DHS, the Department of Homeland Security, van. You're next to a whole bunch of people you never met, and they're also in the same position. Some don't even speak English. You don't really understand how immediately it can affect you until it affects you. I never thought it would affect me. Okay, well I mean, I'm working, I'm going to school—I'm in high school—I'm doing this, this and that. Some of my friends who are students already dropped out. Did everything, they’ve already gone to prison and back and everything, and they haven't even hit their 21st birthday.Rodolfo: And I'm still good, I'm still good. I may not be a straight A student or anything, but hey man, I'm still here! Why can't I have the same privilege as you all do? Why can't I get my license? You know how happy I was when I got my license here, damn. I love to drive, that's one of my passions. Always, always, always I love to drive. I couldn't get my license over there. 
I remember even in high school in drivers ed, I knew what the answer was, but I asked my mom, “Hey mom, can I apply for drivers ed, so I can get my license? “She was like, "You know you can't get your license." Again, one of the primary things, I’m like damn, I'm just not gonna be able to drive all my life? Or if I do drive and I get pulled over—as a matter of fact, that's the reason why I got deported, driving without a valid drivers license.Rodolfo: I never got why the paper said, "Driving on a suspended license." I would always ask them, "If I don't have a license, why is it suspended?" They just told me, "Because you have a drivers license number, but you don't have a drivers license? I'm like, "Okay, so if I have a drivers license number, why can't I get my drivers license?" "You don't have the proper documentation." I'm like, "But I have my..."Rodolfo: One day I thought, “Well why don't I just grab the driver license number and have somebody make me a fake drivers license, and put the drivers license on there?” But see, if I get caught with it, now I'm in more trouble, and now I'm seen as a real criminal, because now I'm going around the system once again. That's why we don't want you here, because you're gonna do things like that. [Exhale] I haven't talked about this in a while. It just makes me want to…I don’t know.

      Time in the US, Immigration Status, Being secretive, Hiding/lying, In the shadows, Living undocumented; Reflections, The United States, US government and immigration; Feelings, Frustration; Time in the US, Jobs/employment/work, Documents, Driver's license, Social security card/ID

    4. Sergio: Did you ever work in the US?Rodolfo: Yeah, I worked all the time, I never stopped. One of the first jobs I had…My uncle worked at a restaurant called, Baker's Square in Chicago. It was on the corner of Tui and Pratt. I really, really, really wanted—I think I was in fifth or sixth grade—a phone. I wanted a phone, it’s called the Psychic Slide. Phones used to flip, but this one slides. I wasn't gonna ask my mom for it, so I asked my uncle. "Hey man, I know you work at Baker's Square and I know around the holiday season it gets really busy. Can I help you? Can I go?" He's like, "Well, yeah, if you want." I used to wake up like 3:00 in the morning, and I used to go and help him out. After that, I really liked making money and I really liked dressing nice, I liked having my nice haircut or whatever. My very, very first job was in Wilmette, Illinois. I was a caddie. Yeah, and then—Sergio: On the golf course?Rodolfo: On the golf course, yeah. Wilmette Golf Course actually. I remember I was always the first one there. They used to choose us, when everybody got there, "Okay, you come with me, you come with me." I used to always go there and there was a gentleman by the name of... Man, I forgot his name. Like the President, Gerald Ford, that was his name Gerald Ford! The only reason I remembered was because of the President. He used to always get there around the same time I got there. He finally asked me, "Do you want to be my personal caddie? I don't want you working anymore with all these other kids, because nobody wants to work. Do you want to be my personal caddie?" I'm like, "Yeah, absolutely." It was going really, really well and everything.Rodolfo: I got to high school, I had a number of jobs. I worked at Subway, I worked at Chili's, I worked at... What was it? Outback Steak House, but then I finally just got to the Cheesecake Factory, and that's where I stayed the remainder of my time. 
The remainder of my time I stayed there, and I started from the busboy and I finally ended up being a bartender. One of the head bartenders, one of the head servers, they used to pay-out people and everything. Obviously, I didn't have my social or anything, but I was a little bit older than what I really was. When I first got there, when I first, first started working I think I was like 14. Obviously you can't work that young, I think actually, I was 18, at 14.Rodolfo: I didn't see it as anything bad. I knew that if I got caught with my fake ID and my fake social security card I'd get in trouble, but that's why we're there, that's why we worked. I didn't get a fake ID to go party or go get into clubs or bars or anything. The main purpose of it was for me to be able to get a job, and so my mom wouldn't have to work all those hours that she used to work. She used to work at a Burger King, overnight. I used to barely see her, and I didn't want that anymore. I told her, "You don't have to work that much if I start working. We can help each other out, we can, we're a team.” It was only my mother and I until I turned 14, when she met my stepdad. All throughout that, it was just my mother and I.

      Time in the US, Jobs/employment/work, Documents, Careers, Food services, Athletics

    1. Assuming that people trust your site, abusing redirections like this can help avoid spam filters or other automated filtering on forums/comment forms/etc. by appearing to link to pages on your site. Very few people will click on a link to https://evilphishingsite.example.com, but they might click on https://catphotos.example.com?redirect=https://evilphishingsite.example.com, especially if it was formatted as https://catphotos.example.com to hide the redirection from casual inspection - even if you look in the status bar while hovering over that, it starts with a reasonable looking string.
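The quoted passage explains why an open redirect on a trusted domain is valuable to a phisher: the visible link carries the trusted site's reputation while the destination is the attacker's. As an added example, not code from the annotated page, here is a server-side check that only honours a redirect parameter when it points at a same-site path or an allow-listed https host. The allow list and the host catphotos.example.com are assumptions borrowed from the quote's illustration.

```python
"""Added example (not from the quoted page): refusing open-redirect targets.

A ?redirect=<url> parameter should only ever send the user to a path on this site
or to an explicitly allow-listed https host; everything else falls back to "/".
The allow list and the host catphotos.example.com are assumptions for this example.
"""
from typing import Iterable
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = frozenset({"catphotos.example.com"})
SAFE_DEFAULT = "/"


def safe_redirect_target(target: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Return a value that is safe to place in a 302 Location header.

    Accepted: a same-site relative path ("/account?tab=1") or an https URL whose host
    is allow-listed. Rejected (replaced by SAFE_DEFAULT): scheme-relative "//evil",
    "/\\evil" (some browsers normalise the backslash to "/"), non-https schemes such
    as javascript: or http:, userinfo tricks ("https://catphotos.example.com@evil"),
    non-default ports, and any host outside the allow list.
    """
    if not target:
        return SAFE_DEFAULT
    target = target.strip()
    # Embedded whitespace or control characters never belong in a redirect target.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return SAFE_DEFAULT

    parts = urlsplit(target)

    # Relative path on this site: must start with exactly one "/".
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return SAFE_DEFAULT

    # Absolute URL: https only, no userinfo, default port, allow-listed host.
    if parts.scheme.lower() != "https":
        return SAFE_DEFAULT
    if parts.username is not None or parts.password is not None:
        return SAFE_DEFAULT
    try:
        port = parts.port
    except ValueError:  # e.g. "https://host:abc/"
        return SAFE_DEFAULT
    if port not in (None, 443):
        return SAFE_DEFAULT
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return SAFE_DEFAULT
    # Re-serialise from the parsed parts so the output is normalised.
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))
```

The function deliberately rebuilds the URL from its parsed components instead of echoing the input, so anything the parser accepted but the checks did not anticipate comes out in a canonical form rather than as the attacker typed it.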
  13. datatracker.ietf.org
    1. To meet this goal, the path validation process verifies, among other things, that a prospective certification path (a sequence of n certificates) satisfies the following conditions

      How to validate a certificate against a trust anchor.
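The quoted RFC 5280 sentence introduces the conditions that basic path validation checks for a chain of n certificates leading from a trust anchor to the target. As an added example, not taken from the RFC or the annotated page, the block below walks that loop over a deliberately simplified certificate model so the structure of the checks is visible without an X.509 library: issuer-name chaining from the anchor, a signature by the working key, the validity window, the basicConstraints cA flag on every issuing certificate, and pathLenConstraint bookkeeping. Keys, signatures (an HMAC stands in for an asymmetric signature), names and dates are all assumptions of the example.

```python
"""Added example, not taken from RFC 5280 or the annotated page: the RFC 5280 section
6.1 basic path validation loop over a simplified certificate model.

Assumptions of this example: a "key" is a random secret kept in KEYS and a "signature"
is an HMAC-SHA256 over the to-be-signed fields made with the issuer's key (a stand-in
for an asymmetric signature); names are plain strings. Revocation and policy processing
are omitted. Use a real X.509 library for real certificates.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac
import os

KEYS: Dict[str, bytes] = {}  # toy key store: key_id -> secret (stands in for a key pair)

def new_key(key_id: str) -> str:
    KEYS[key_id] = os.urandom(32)
    return key_id

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool              # basicConstraints.cA
    path_len: Optional[int]  # basicConstraints.pathLenConstraint, None if absent
    key_id: str              # this certificate's own key (subjectPublicKeyInfo)
    signature: bytes         # toy signature by the issuer's key over tbs()

    def tbs(self) -> bytes:
        """Canonical encoding of the signed fields (stand-in for tbsCertificate)."""
        fields = (self.subject, self.issuer, self.not_before.isoformat(),
                  self.not_after.isoformat(), str(self.is_ca), str(self.path_len), self.key_id)
        return "|".join(fields).encode()

def issue(subject, issuer, issuer_key_id, not_before, not_after, is_ca, path_len, key_id) -> Cert:
    """The issuer signs the certificate fields with its (toy) key."""
    unsigned = Cert(subject, issuer, not_before, not_after, is_ca, path_len, key_id, b"")
    sig = hmac.new(KEYS[issuer_key_id], unsigned.tbs(), hashlib.sha256).digest()
    return Cert(subject, issuer, not_before, not_after, is_ca, path_len, key_id, sig)

def signature_ok(cert: Cert, key_id: str) -> bool:
    expected = hmac.new(KEYS[key_id], cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)

def validate_path(path: List[Cert], anchor_name: str, anchor_key_id: str,
                  at: datetime) -> Tuple[bool, str]:
    """path[0] must be issued by the trust anchor; path[-1] is the target certificate."""
    if not path:
        return False, "empty path"
    n = len(path)
    working_issuer, working_key = anchor_name, anchor_key_id  # initialised from the anchor
    max_path_length = n
    for i, cert in enumerate(path, start=1):
        # 6.1.3 (a): issuer name, signature and validity checks on certificate i
        if cert.issuer != working_issuer:
            return False, f"cert {i}: issuer {cert.issuer!r} != {working_issuer!r}"
        if not signature_ok(cert, working_key):
            return False, f"cert {i}: signature does not verify"
        if not (cert.not_before <= at <= cert.not_after):
            return False, f"cert {i}: not valid at {at.isoformat()}"
        if i < n:
            # 6.1.4: a certificate that issues another must be a CA, and each
            # non-self-issued CA consumes one step of the remaining path length
            if not cert.is_ca:
                return False, f"cert {i}: basicConstraints cA is false"
            if cert.subject != cert.issuer:
                if max_path_length <= 0:
                    return False, f"cert {i}: pathLenConstraint exceeded"
                max_path_length -= 1
            if cert.path_len is not None and cert.path_len < max_path_length:
                max_path_length = cert.path_len
        working_issuer, working_key = cert.subject, cert.key_id
    return True, "ok"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed chains: one valid, four that must fail for different reasons."""
    now = datetime(2021, 6, 15, tzinfo=timezone.utc)
    year, month = timedelta(days=365), timedelta(days=30)
    root, inter_k, sub_k, leaf_k, rogue = (new_key(k) for k in
        ("root-key", "inter-key", "sub-key", "leaf-key", "rogue-key"))
    anchor = ("Example Root CA", root)  # a trust anchor is a name plus a key
    inter = issue("Example Intermediate CA", "Example Root CA", root,
                  now - year, now + year, True, 0, inter_k)
    leaf = issue("www.example.com", "Example Intermediate CA", inter_k,
                 now - month, now + month, False, None, leaf_k)
    # names the intermediate as issuer, but was signed with an attacker-held key
    forged = issue("www.example.com", "Example Intermediate CA", rogue,
                   now - month, now + month, False, None, leaf_k)
    # an end-entity certificate (cA false) used to sign a further certificate
    mail = issue("mail.example.com", "www.example.com", leaf_k,
                 now - month, now + month, False, None, new_key("mail-key"))
    # a sub-CA under an intermediate whose pathLenConstraint is 0
    sub = issue("Example Sub CA", "Example Intermediate CA", inter_k,
                now - year, now + year, True, None, sub_k)
    leaf2 = issue("www.example.com", "Example Sub CA", sub_k,
                  now - month, now + month, False, None, leaf_k)
    return {
        "good": validate_path([inter, leaf], *anchor, now),
        "forged_signature": validate_path([inter, forged], *anchor, now),
        "expired": validate_path([inter, leaf], *anchor, now + 2 * year),
        "leaf_as_ca": validate_path([inter, leaf, mail], *anchor, now),
        "path_len": validate_path([inter, sub, leaf2], *anchor, now),
    }
```

Note that the anchor is a name and a key, not a certificate: that is what lets the loop start with "cert 1 was signed by the anchor's key" without having to validate the anchor itself, and why replacing the anchor set (what the DigiNotar incident further down this page forced browsers to do) is a client-side decision.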

  14. Jun 2021
    1. Note that you could skip the https:// if you want a shorter command and you’re feeling adventurous with your HTTP MITM concerns, plus you can use the direct GitHub link as well if you don’t trust my redirect pointing there.
    1. If you want, you can try out what the script would do first, without changing anything. $ sh -c "$(curl -fsSL https://r.viktoradam.net/githooks)" -- --dry-run
    2. To try and make things a little bit more secure, Githooks checks if any new hooks were added we haven't run before, or if any of the existing ones have changed
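The two Githooks quotes above describe a dry run and a check for hooks that are new or have changed since they were last run. As an added example, which is not Githooks' own code, the block below implements that second check in the simplest trustworthy form: every hook script is identified by the SHA-256 of its contents, a hook may only run if its current hash equals the one recorded when a human approved it, and anything new or modified is reported instead of executed. The `.githooks` directory name and the sample hook contents are assumptions constructed for the example.

```python
"""Added example (not Githooks' own code): detecting hook scripts that were added or
changed since they were last approved, the check the quoted text describes.

A hook is only eligible to run if the SHA-256 of its current contents matches the
hash recorded at approval time. The ".githooks" directory and the hook bodies below
are constructed for this example.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def file_sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_hooks(hooks_dir: Path, trusted: Dict[str, str]) -> Dict[str, List[str]]:
    """Split hook scripts into trusted / new / changed relative to the approved hashes."""
    result: Dict[str, List[str]] = {"trusted": [], "new": [], "changed": []}
    for path in sorted(p for p in hooks_dir.iterdir() if p.is_file()):
        current = file_sha256(path)
        if path.name not in trusted:
            result["new"].append(path.name)
        elif trusted[path.name] != current:
            result["changed"].append(path.name)
        else:
            result["trusted"].append(path.name)
    return result


def approve(hooks_dir: Path, trusted: Dict[str, str], names: Iterable[str]) -> None:
    """Record the current hash of each named hook as approved (a human decision)."""
    for name in names:
        trusted[name] = file_sha256(hooks_dir / name)


def runnable_hooks(hooks_dir: Path, trusted: Dict[str, str]) -> List[str]:
    """Only hooks whose contents are exactly what was approved may execute."""
    return classify_hooks(hooks_dir, trusted)["trusted"]


def demo():
    """Constructed scenario: fresh clone, approval, then a pull that rewrites a hook."""
    with tempfile.TemporaryDirectory() as tmp:
        hooks = Path(tmp) / ".githooks"
        hooks.mkdir()
        (hooks / "pre-commit").write_text("#!/bin/sh\nnpm test\n")
        (hooks / "post-checkout").write_text("#!/bin/sh\nnpm install\n")
        trusted: Dict[str, str] = {}
        first = classify_hooks(hooks, trusted)      # nothing approved yet: all "new"
        approve(hooks, trusted, first["new"])
        second = classify_hooks(hooks, trusted)     # everything approved
        # a later pull replaces pre-commit with something destructive
        (hooks / "pre-commit").write_text('#!/bin/sh\nrm -rf "$HOME"\n')
        third = classify_hooks(hooks, trusted)      # pre-commit is now "changed"
        return first, second, third, runnable_hooks(hooks, trusted)
```

Hashing the contents rather than trusting the file name or mtime is the point: a pull that rewrites an already-approved hook must downgrade it to "changed", and the unchanged hook stays runnable.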
    1. And from a security standpoint, that'd be really kind of scary - no one should have the ability to force me to execute certain scripts whenever I run certain git commands
    2. Luckily there is not a way to force hooks to people upon clone. If there was, you could write a post-receive hook with rm -rf / in it and wipe people's hard disk on pull
    1. A seeming security advantage of MPLS is that it provides a secured and managed link between branch offices and the data center through the service provider’s internal backbone. Public internet connections do not natively provide that same level of protection. But this comparison is deceptive. MPLS does not provide any sort of analysis of the data that it delivers. That is still the responsibility of the MPLS client. Even when traversing an MPLS connection, traffic still needs to be inspected for malware or other exploits, which requires deploying a firewall and any additional security functions at one end of the connection or the other at a minimum. To be fair, many SD-WAN solutions, however, have the same issue. Other than some basic security functionality, most SD-WAN solutions still require security to be added as an overlay solution. And for those organizations that try to add security to their complex SD-WAN connections as an afterthought, the challenge is often more than they bargained for. Fortinet’s Secure SD-WAN solution is different because connectivity is deployed as an integrated function within an NGFW appliance, so every connection automatically includes dynamic meshed VPN capabilities to secure data in transit, combined with deep inspection of that traffic using the wide array of security tools – including IPS, firewall, WAF, web filtering, anti-virus, and anti-malware – that are already part of every FortiGate NGFW solution that supports SD-WAN. This includes the high-speed inspection of SSL and IPsec VPN connections – a function especially important today as nearly 70% of all internet traffic today is encrypted, with many countries encrypting as much as 85% of all webpages visited.
    1. Working with your team over a local network is a speedy method of collaborative work. Issues might arise when the Windows Security “Enter network credentials” prompt appears but won't recognize the credentials you enter. Several users reported that you could fix this problem simply by changing the following Advanced sharing settings. First, open the “Advanced Sharing Settings” window. Now expand the “All Networks” section. In the Password protected sharing section, select “Turn off password protected sharing” and save changes.

    1. In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
    2. Therefore, since each method had both an attack vector they opened up to and shut down, I perceived either choice as being equal.
    1. That means if an attacker can inject some JavaScript code that runs on the web app’s domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user.
    2. But there’s a drawback that I didn’t like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks.
    1. DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc.[1][2] On September 3, 2011, after it had become clear that a security breach had resulted in the fraudulent issuing of certificates, the Dutch government took over operational management of DigiNotar's systems.[3]

      Dutch Certificate Authority gets hacked.

    1. The main security property of personal chattel was often not other TTPs as protectors but rather its portability and intimacy.

      The security property of personal chattel was not a Trusted Third Party (TTP) but its portability and intimacy.

  15. May 2021
    1. the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
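The June 2021 entries earlier on this page weigh storing an API token in localStorage (readable by any script on the origin, so lost to XSS) against an HttpOnly cookie (unreadable by script, but attached to every request, so CSRF comes back), and the entry just above makes the same HttpOnly point for session cookies. As an added example that is not code from either annotated page, here is the server side of the cookie choice: the cookie attributes that keep the token out of reach of `document.cookie`, and the CSRF check that choice obliges you to add to state-changing endpoints. The secret, the names and the request shape are assumptions of the example.

```python
"""Added example (not code from either annotated page): an HttpOnly session cookie and
the CSRF check that storing the token in a cookie makes necessary.

HttpOnly stops document.cookie, and therefore any injected or third-party script, from
reading the session token. The cost is that the browser now sends the cookie on every
request, including ones a hostile page triggers, so state-changing endpoints must also
demand a token the attacker cannot read. Here that is a per-session synchronizer token
derived with an HMAC (nothing extra to store server-side), delivered in the page body and
echoed back in the form; SameSite=Strict is set too as defence in depth. SERVER_SECRET,
the cookie name and the request dict are assumptions for this example.
"""
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SERVER_SECRET = os.urandom(32)  # constructed here; in production load it from config/KMS


def new_session_id() -> str:
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Value for a Set-Cookie header carrying the session token."""
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["httponly"] = True      # not visible to document.cookie
    morsel["secure"] = True        # never sent over plain HTTP
    morsel["samesite"] = "Strict"  # withheld on cross-site requests
    morsel["path"] = "/"
    return morsel.OutputString()


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session; embed it in forms or an X-CSRF header."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: Optional[str], submitted: Optional[str]) -> bool:
    if not session_id or not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def handle_state_change(request: Dict) -> Tuple[int, str]:
    """Checks a server applies to e.g. POST /transfer.

    request = {"cookies": {...}, "form": {...}} is a constructed stand-in for a framework
    request object. The session id comes from the cookie, which the browser attaches
    automatically; the CSRF token must arrive in the body, which only a page served from
    our own origin could have read and echoed back.
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "no session"
    if not csrf_valid(session_id, request.get("form", {}).get("csrf")):
        return 403, "bad csrf token"
    return 200, "ok"
```

A cross-site form post carries the victim's cookie (if SameSite is not honoured) but cannot carry the matching token, so it is refused; a token lifted from a different session fails the same way because the HMAC binds it to the session id.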
    1. iOS itself is a monopoly that should be opened up to third-party stores and side-loaded apps

      Which would be a security issue; for me, forcing iOS to be opened up would be a bad decision.

  16. Apr 2021
    1. Separate Clusters. It is probably most common to see multiple clusters being deployed. This is due to different reasons, with security focused network segmentation being only one of them. Security focused. Application workloads with different security protection levels can be separated by Kubernetes clusters. This makes isolating traffic easier by using traditional firewalls or VPCs to prevent cross-cluster communication. If connections between clusters are required then it can be manually allowed but management can become cumbersome and error prone. For example, one cluster runs the application workloads and a separate one running databases, file storage (such as S3/minio) and other persistent storage for the same project because different security profiles are required for each cluster.
    1. Note: Building a container image using docker build on-cluster is very unsafe and is shown here only as a demonstration. Use kaniko instead.


    1. highly

      This should be much more clearly defined IMHO. At the moment, if there are no formal requirements in place, it is possible for an admin of an authorized lab to start using the lab's private key to issue "validity certificates on the side", e.g. for profit. Much more detail should be specified about how the private keys are stored and protected (e.g. HSM requirements or other similar requirements defined by standards), and also limitations as to whether, e.g., cloud-based HSMs are allowed. Also, the security requirements should be strictly defined in the arrangements between the WHO and national-level authorities, as well as between national-level authorities and healthcare providers. For smaller countries, or countries with a centralized EHR holding lab results, the issuance of keys might end at the national authority (as it would be signing the SVCs with its own keys, and no keys would be handed over to labs/healthcare providers).

  17. Mar 2021
    1. It is critical you put better_errors only in the development section of your Gemfile. Do NOT run better_errors in production, or on Internet-facing hosts.
    1. Here is my set of best practices.

       I review libraries before adding them to my project. This involves skimming the code or reading it in its entirety if short, skimming the list of its dependencies, and making some quality judgements on liveliness, reliability, and maintainability in case I need to fix things myself. Note that length isn't a factor on its own, but may figure into some of these other estimates. I have on occasion pasted short modules directly into my code because I didn't think their recursive dependencies were justified.

       I then pin the library version and all of its dependencies with npm-shrinkwrap.

       Periodically, or when I need specific changes, I use npm-check to review updates. Here, I actually do look at all the changes since my pinned version, through a combination of change and commit logs. I make the call on whether the fixes and improvements outweigh the risk of updating; usually the changes are trivial and the answer is yes, so I update, shrinkwrap, skim the diff, done.

       I prefer not to pull in dependencies at deploy time, since I don't need the headache of github or npm being down when I need to deploy, and production machines may not have external internet access, let alone toolchains for compiling binary modules. Npm-pack followed by npm-install of the tarball is your friend here, and gets you pretty close to 100% reproducible deploys and rollbacks.

       This list intentionally has lots of judgement calls and few absolute rules. I don't follow all of them for all of my projects, but it is what I would consider a reasonable process for things that matter.
  18. Feb 2021
    1. By default, hashes remove any keys that aren't given as nested filters. To allow all hash keys, set strip: false. In general we don't recommend doing this, but it's sometimes necessary.