Or it stores the hashes of all combinations (or the subset it'll ever ask)? Only 8*7*6*5/4! = 70 combinations for an 8 char password... there might be other more efficient algos, though.
But it's worth noting that doing this is also very insecure...
Or it stores the hashes of all combinations (or the subset it'll ever ask)? Only 8*7*6*5/4! = 70 combinations for an 8 char password... there might be other more efficient algos, though.
Mine does the same (HSBC).
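Added example (not part of the original comments): a sketch of the scheme guessed at above, one salted hash per 4-of-8 position subset, showing why it is weak: a leaked table can be searched 4 characters at a time. The lowercase alphabet, salted SHA-256, the function names and the sample password are assumptions made for this demonstration.

```python
import hashlib
import itertools
import os
import string

ALPHABET = string.ascii_lowercase   # assumption: lowercase-only passwords
K = 4                               # characters the site asks for per login


def _h(salt, positions, chars):
    # Salted SHA-256 over the position tuple and the characters at those positions.
    data = salt + bytes(positions) + "".join(chars).encode()
    return hashlib.sha256(data).hexdigest()


def enrol(password):
    """Build the table the comment describes: one hash per K-subset of positions."""
    salt = os.urandom(16)
    table = {pos: _h(salt, pos, [password[i] for i in pos])
             for pos in itertools.combinations(range(len(password)), K)}
    return salt, table


def verify(salt, table, positions, chars):
    """Check a login challenge: the user supplies the characters at `positions`."""
    return table.get(tuple(positions)) == _h(salt, tuple(positions), chars)


def recover(salt, table, length):
    """What a leaked table yields: each disjoint K-block is searched on its own.
    Assumes `length` is a multiple of K."""
    out = [None] * length
    for start in range(0, length, K):
        pos = tuple(range(start, start + K))
        for guess in itertools.product(ALPHABET, repeat=K):
            if _h(salt, pos, guess) == table[pos]:
                out[start:start + K] = guess
                break
    return "".join(out)


def guesses_needed(length):
    """Worst-case guesses: block-by-block search vs. one hash of the whole password."""
    return (length // K) * len(ALPHABET) ** K, len(ALPHABET) ** length


if __name__ == "__main__":
    salt, table = enrol("kqzmpwtx")               # constructed sample password
    print(len(table), "stored hashes")
    print(verify(salt, table, (1, 3, 4, 6), "qmpt"))
    print(recover(salt, table, 8))
    print(guesses_needed(8))
```

A slow password hash in place of SHA-256 raises the cost of each guess, but the search space per table entry stays at alphabet^4 instead of alphabet^8.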
I have a startup which builds a web-based enterprise product. A year ago we launched a companion app that provides a fraction of the functionality of the desktop application, just enough to help our customers extract the key information they need when they're on the road.
All of a sudden a few days ago Apple decides we have to implement in-app payments. I explained to them that this is an enterprise product for an arcane industry and that our customers require quotations/invoices raised to their procurement department and would not pay several hundred to several thousand dollars through the app. They insist we have to implement in-app payments despite not helping our customers nor our business. We don't have automated billing at all, not even on our desktop product. The requested change means months of development for no value (at this point).
No way to appeal. We can currently not update our app and if we don't implement in-app payments in an unspecified time our current version will be pulled too.
Thanks, Apple.
... could be an interesting use case.
... is probably the day they start making vacuum cleaners.
> The digital asset has soared more than 600 percent this year, compared with gains of 15 percent for the S&P 500 Index -- which might explain millennials' attraction.
I wonder about the causality in this sentence...
It really puzzles me that a website geared towards engineers, scientists and other nerds from across the world would use imperial units in such a news article.
I use DocuSign on a regular basis for work and have received over 20 fake emails in the last few days. These emails are particularly well drafted (as far as phishing emails go) and are easily mistaken for the real thing. DocuSign has yet to send out any warning message to its customers. Pretty poor handling on their part...
What they should *immediately* do is expire all passwords and force users to reset their password on next login.
I had the same issue with my Nexus 5X... like many others (https://code.google.com/p/android/issues/detail?id=220971). After much discussion they finally replaced the device, but with one that is likely prone to the same issue (judging from the manufacturing date of the replacement device). In a few months I'll most likely experience the exact same issue, but then outside of the warranty period. Not cool!
So, the 13" does have an AG (= anti-glare) version, but unfortunately this cannot be combined with i7, 16GB RAM or 1TB SSD. If you want these then they force you to take the high res glossy screen. Who thinks of these things??
I haven't seen the AG version yet, so cannot comment on how it compares with a real matte screen.
> And that has been getting worse with the EU... not better.
Can you give me some examples? Our family business has been importing and exporting goods (motor vehicles) from all over Europe for over 40 years, and I can tell you that things have improved GREATLY because of the European Union. Just to give you an idea, when the business just started, a motor vehicle imported from, for example, Italy could not be registered in other European countries without making alterations because regulations were so different. In addition, all the paperwork that was required would easily take up several hours per vehicle im/exported.
I'll update my Nexus 5 to Lollipop once XPrivacy (http://repo.xposed.info/module/biz.bokhorst.xprivacy) becomes available. XPrivacy is waiting for Xposed to add ART support to the framework.
Alternatively, I would consider installing Cyanogenmod 12 M1 (http://www.cyanogenmod.org/blog/the-l-is-for-lollipop) which has some of the same capabilities of restricting application permissions as XPrivacy (although less fine-grained).
Nope, only the phone division of Nokia was sold to Microsoft... this product is by one of the other divisions of Nokia not part of Microsoft.
I've been using BitTorrent Sync for a year or so now. The main feature that was missing for me was the ability to set up an untrusted node which does not get access to the unencrypted data but can serve as a fast 24/7 proxy and backup system.
This functionality has now been added, although it's still in beta and only officially available in the API, not in the client... but a very simple hack makes it available in the client. This opens BitTorrent Sync up to 3rd party sync providers or cheap VPS.
The interface is still a bit quirky and designed for techies, but has also improved over time. Overall very happy with BitTorrent Sync.
I'm not sure if I really understand where Mozilla is heading... I chose Firefox over Chrome because of a) secure password sync'ing across devices (real end to end encryption for cloud storage and master password for local storage) and b) addons on Firefox mobile version.
Recently they decided to implement another password sync'ing scheme as the old one (based on pairing devices) was apparently too hard to use for the modal FF user (stats showed that less than 1% of their userbase was using old sync). Unfortunately the new system is by design not nearly as secure as the old system. After a few weeks of enabling the new sync'ing tool I randomly noticed that passwords no longer got sync'ed correctly. Turned out that the new sync system does not work when a master password is enabled. No mention of this in the release notes, no warning message during installation.
With the new sync system we not only get less security by design, on top we're no longer able to locally protect stored passwords with a master password. That means that every malicious/buggy application on your computer is able to read _all_ your saved passwords in plaintext. Take a look at https://bugzilla.mozilla.org/show_bug.cgi?id=995268 for the details. Password sync'ing security is now at par with Chrome, so b) is now the only reason why I'm still staying with FF.
If you take the time to read the bug report it really feels that Mozilla is losing touch with the power users in their pursuit of the average user. They forget that power users influence the rest...
Anyway, I think it's rather ironical that they are doing this security thing while they are knowingly removing security features at the same time.
The Mozilla devs seem to think that disk encryption is a better solution than an encrypted password file... but they forget that an encrypted disk does not protect against vulnerable/malicious applications reading your password file. Or leaving your computer unlocked for a few minutes. The old sync version will be removed 'as soon as possible' (in the dev's words) so at that point we'll have to choose between not upgrading, not sync'ing or not locally encrypting the password file.
Please consider voting for the bug on Bugzilla. This might help too: https://input.mozilla.org/en-US/feedback.
So, the new FF finally implemented a more user-friendly sync functionality. Apparently less than 1% of its users were using the old (but very secure) system. The new sync system is (unsurprisingly) similar to Chrome's sync system: you create an account, when you log in your info is encrypted based on your account password and uploaded to Mozilla's servers.
What I cannot get my head around is that Mozilla claims they cannot access your data (as they don't know your password) but that they are able to reset a lost password... how can that be a secure system??
Also, in the new version it's no longer possible to use a master password... if you want to use sync all your passwords will be in plaintext (well, obfuscated) in FF's password file. Any malicious or vulnerable application can get access to ALL your passwords. https://bugzilla.mozilla.org/show_bug.cgi?id=995268
Doesn't sound like an improvement to me...
Combination of Firefox with master password (for password encryption) and Weave (for password syncing/backup) works for me...
http://mozillalabs.com/weave/
Hi,
I was wondering if this release works out of the box on a Macbook Pro. Does anybody know?
Thanks,
Chris.
Below a small script that makes a dynamic (SOCKS) tunnel that automagically reconnects when your connection goes down for whatever reason... when you re-invoke the script while the tunnel is already up, then it gets killed and re-created.
Using this script my tunnel stays up for days in a row and I don't have to do anything when I move my machine from our corporate wired network to my personal wireless home network.
I use this script in combination with privoxy to ensure that DNS requests are also done over the tunnel (as most browsers would otherwise leak DNS requests).
Finally, the speed of the solution is about 50% of what I have with the proxy off... in my case my server is not the bottleneck, but it seems that connections are less parallelized when using this solution.
Cheers,
Chris.
My homepage.
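---
#!/bin/sh
# Kill any running autossh so the tunnel is re-created from scratch.
# pgrep -x matches the process name exactly ("ps aux | grep" also matches the grep itself).
if pgrep -x autossh >/dev/null; then
    sudo -u me killall autossh
fi
# Load the key into the agent unless its fingerprint is already listed.
if ! sudo -u me ssh-add -l | grep -q 82:54:1b:9e:47:b6:96:5f:52:e7:a9:fd:18:0a:c2:3b; then # fingerprint
    sudo -u me ssh-add
fi
# -f: go to background, -D 10000: SOCKS proxy on local port 10000, -C: compression, -N: no remote command
sudo -u me autossh -f -D 10000 -CN me@myserver.org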
I thought that size didn't matter.
;-)
That's what they say to you
Indeed, this is a very, very useful feature of Mozilla/Firefox.
In Firefox you can set this feature in Preferences - Privacy - Allow sites to set cookies & Keep cookies until I close Firefox. Permanent cookies are also accepted, but simply treated as session cookies. Sites that you do want to allow permanent cookies, you can just add to the exceptions list.
I would recommend everybody to turn on this option! Almost all sites work correctly and you still have a reasonable amount of privacy.
There is btw an extension 'allow cookie' that makes it possible to add sites to the exception list (both allow and disallow) with an easy key combination. Very useful.
Cheers,
Chris.
Let's validate Acid2's CSS: CSS validator.
Somehow, after reading this extremely interesting remark from Asa, I get a bit troubled when you mention him as the (unofficial) spokesman of the Mozilla Foundation...
Chris.
"X like the letter, or like the word"
But not both?