120 Matching Annotations
  1. Oct 2021
  2. Sep 2021
    1. My father was sharing a book by Brené Brown, Dare to Lead. I shared this website I had created while I was an instructor at the University of the Fraser Valley.

      I pointed him to the TED talk by Brené Brown on The Power of Vulnerability.

  3. Aug 2021
    1. David Fisman on Twitter: “Here’s some really simple modeling that hopefully will help provide some insight into why having a large, unvaccinated minority in Ontario is a problem for the population as a whole.” / Twitter. (n.d.). Retrieved August 23, 2021, from https://twitter.com/DFisman/status/1427940663925092354

  4. Jul 2021
  5. Jun 2021
    1. That means if an attacker can inject some JavaScript code that runs on the web app’s domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user.
    2. But there’s a drawback that I didn’t like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks.
  6. May 2021
    1. the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
  7. Apr 2021
  8. Mar 2021
  9. Feb 2021
  10. Dec 2020
    1. Go is introducing publicly-visible API changes related to these issues in an upcoming major release, which risks making the vulnerabilities public without explicit public disclosure. 

      Whaaat?!

  11. Oct 2020
    1. Could you please explain why it is a vulnerability for an attacker to know the user names on a system? Currently External Identity Providers are wildly popular, meaning that user names are personal emails. My Amazon account is my email address, my Azure account is my email address, and both sites manage highly valuable information that could take a whole company out of business... and yet, they show no concern on hiding user names...

      Good question: Why do the big players like Azure not seem to worry? Microsoft, Amazon, Google, etc. too probably. In fact, any email provider. So once someone knows your email address, you are (more) vulnerable to someone trying to hack your account. Makes me wonder if the severity of this problem is overrated.

      Irony: He (using his full real name) posts:

      1. Information about which account ("my Azure account is my email address"), and
      2. How high-value of a target he would be ("both sites manage highly valuable information that could take a whole company out of business...")

      thus making himself more of a target. (I hope he does not get targeted though.)

    2. That is certainly a good use-case. One thing you can do is to require something other than a user-chosen string as a username, something like an email address, which should be unique. Another thing you could do, and I admit this is not user-friendly at all, to let them sign up with that user name, but send the user an email letting them know that the username is already used. It still indicates a valid username, but adds a lot of overhead to the process of enumeration.
    1. How would you remediate this? One way could be to have the application pad the responses with a random amount of time, throwing off the noticeable difference.
    2. Sometimes, user enumeration is not as simple as a server responding with text on the screen. It can also be based on how long it takes a server to respond. A server may take one amount of time to respond for a valid username and a very different (usually longer) amount of time for an invalid username.
    1. When I received Chris’s comment, my first response was that I should delete my post or at least the incorrect part of it. It’s embarrassing to have your incorrect understandings available for public view. But I decided to leave the post as is but put in a disclaimer so that others would not be misled by my misunderstandings. This experience reminded me that learning makes us vulnerable. Admitting that you don’t know something is hard and being corrected is even harder. Chris was incredibly gentle in his correction. It makes me think about how I respond to my students’ work. Am I as gentle with their work as Chris was to mine? Could I be more gentle? How often have I graded my students’ work and only focused on what they did wrong? Or forgotten that feeling of vulnerability when you don’t know something, when you put your work out for others to judge? This experience has also reminded me that it’s important that we as teachers regularly put ourselves into situations in which we authentically grapple with not knowing something. We should regularly share our less than fully formed understandings with others for feedback. It helps us remember that even confident learners can struggle with being vulnerable. And we need to keep in mind that many of our students are not confident learners.

      I'm reminded here of the broad idea that many bloggers write about sooner or later of their website being a "thought space" or place to contemplate out in the open. More often than not, even if they don't have an audience to interact with, their writings become a way of thinking out loud, clarifying things for themselves, self-evolving, or putting themselves out there for potential public reactions (good, bad, or indifferent).

      While writing things out loud to no audience can be helpful and useful on an individual level, it's often even more helpful to have some sort of productive and constructive feedback. While a handful of likes or positive seeming responses can be useful, I always prefer the ones that make me think more broadly, deeply, or force me to consider other pieces I hadn't envisioned before. To me this is the real value of these open and often very public thought spaces.

      For those interested in the general idea, I've been bookmarking/tagging things around the idea of thought spaces I've read on my own website. Hopefully this collection helps others better understand the spectrum of these ideas for themselves.

      With respect to the vulnerability piece, I'm reminded of an episode of The Human Current I listened to a few weeks back. There was an excellent section that touched on building up trust with students or even a class when it comes to providing feedback and criticism. Having a bank of trust makes it easier to give feedback as well as to receive it. Here's a link to the audio portion and a copy of the relevant text.

  12. Sep 2020
  13. Aug 2020
  14. Jul 2020
  15. Jun 2020
    1. Goldman, P. S., Ijzendoorn, M. H. van, Sonuga-Barke, E. J. S., Goldman, P. S., Ijzendoorn, M. H. van, Bakermans-Kranenburg, M. J., Bradford, B., Christopoulos, A., Cuthbert, C., Duchinsky, R., Fox, N. A., Grigoras, S., Gunnar, M. R., Ibrahim, R. W., Johnson, D., Kusumaningrum, S., Ken, P. L. A., Mwangangi, F. M., Nelson, C. A., … Sonuga-Barke, E. J. S. (2020). The implications of COVID-19 for the care of children living in residential institutions. The Lancet Child & Adolescent Health, 0(0). https://doi.org/10.1016/S2352-4642(20)30130-9

  16. May 2020
  17. Apr 2020