When you hire awful subcontractors (as the evidence points to in this case), you don't want those people putting files (JavaScript for example) on your own domain and later becoming the victim of some kind of XSS (or related) vulnerability on your site. It is like using another domain for user generated content; in this case the user generated content is the subcontractor output.
And one of the reasons (of many) I reverted some of my application modules written in Scala back to Java is the ease of use of the object singletons. Nearly all Scala libraries use them, making using those libraries in a shared context, for example an EAR lib directory or as an app server module/plugin, a nightmare. Singletons are reused between different applications and the only way to maintain isolation is to ship the same library multiple times, on each WAR of an EAR with multiple WARs.
So no, I don't like languages that make it easy to create global state. At least the Java statics are so ugly that it is not common to see libraries crippled by their usage (or are Java developers more aware than Scala ones that global state is bad? I don't think that is the problem).
I find it ironic that the people (Android team engineers) who don't want to use Java enums in Android APIs because they add "bloat" are embracing another language that adds more overhead over plain Java (increased application size for example) than enums could add.
+1. Second advice: don't use password managers with custom formats or custom encryption. My recommendation is Pass, with simple GPG-encrypted files. Add the GUI of your choice on top of it.
It is true on the consumer side; they try at least to follow the minimal requirements to be a good Windows application. The business world on the other side is awful. Applications that don't work if you install them in Program Files, where you need to add write permissions to the installation directory, or that need read/write permissions on server shares. This is so common in applications targeted at small businesses that I have lost count of the ones I have seen.
A lot of Windows developers have no idea what %appdata% and %localappdata% are (and related directories with user write permissions).
Runners are part of the GitLab CI tools. They are daemons that you can host on your own infrastructure in order to run your automated builds or deployments. Details of GitLab CI
And still no way to recharge the phone on the desktop at the office, and listen to music at the same time while working, without a USB dock or another dongle, or crappy Bluetooth. And no, not every work environment lets you install any kind of media player on your desktop computer.
I screenshot all QR codes generated by websites that support 2FA, encrypt them with OpenPGP, and store them in a safe backup. I can change devices anytime I want without problems; I just reinstall the keys in the application by scanning the QR codes again.
First, the app name is Google Authenticator. Second, it works with more than Gmail: I have my DNS provider, my GitHub and GitLab accounts, my Google accounts, my corporate accounts, etc. all inside that application. It works on more than one site because they all support TOTP, an open algorithm, which is what the app, and many other alternatives like FreeOTP, use.
As for what is better, the USB device or an application? The keys are stored on the device, and good devices are designed so the keys are unreadable from outside it; only the generated code is readable. Applications are vulnerable to malware on the device running them. The device is ideally less vulnerable to malware: it will be able to intercept currently generated codes, but not extract the keys and generate codes itself (unless the firmware is so buggy that it exposes the keys to the host device).
Newspapers are private companies too, but we as the readers expect them to follow some ethical rules about how they publish news, and we personally rate them with our trust. That Facebook is a technology company doesn't mean people can't expect, and try to exert pressure on, their managers to make them ethical.
The invoker servlet and its default mapping /servlet/* isn't present in old nor current specs. It is not a JEE standard and never was. It was a feature many JEE containers copied, mainly because Tomcat at that time was the reference implementation (the invoker servlet class was in the Tomcat package namespace, not in the javax.servlet one), a very bad idea. It is not present in modern containers.
Since 2002 it has been known that having it enabled was a bad idea. But you know, enterprise software is badly updated.
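Since the comments above say the invoker servlet lives outside the spec and lingers in badly updated deployments, a practical defensive check is to scan a deployed web.xml for it. The following is an added example, not code from the thread or from Tomcat: it parses a web.xml with the standard library, matches elements by local name so both DTD-based (Servlet 2.3) and namespaced (2.4+) files work, and reports a live invoker declaration by its class name or by the /servlet/* mapping. Declarations that are commented out, which is how a default container config ships it, are not reported because the parser drops comments. The two web.xml documents and the com.example.AppServlet class name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Tomcat's invoker servlet class and the mapping it was conventionally given.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"
INVOKER_PATTERN = "/servlet/*"

# Constructed sample: a web.xml with the invoker servlet live (the unsafe state).
ENABLED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same declaration commented out, as a default config
# would ship it, plus an ordinary (made-up) application servlet.
DEFAULT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <!--
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->
  <servlet>
    <servlet-name>app</servlet-name>
    <servlet-class>com.example.AppServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so DTD and XSD web.xml files both match."""
    return tag.rsplit("}", 1)[-1]


def _children_text(element, wanted):
    """Map of child local-name -> stripped text for the child names in `wanted`."""
    found = {}
    for child in element:
        name = _local(child.tag)
        if name in wanted:
            found[name] = (child.text or "").strip()
    return found


def find_invoker(web_xml_text):
    """Return a list of findings describing a live invoker servlet; empty if none."""
    root = ET.fromstring(web_xml_text)
    findings = []
    invoker_names = set()
    for element in root.iter():
        if _local(element.tag) != "servlet":
            continue
        fields = _children_text(element, {"servlet-name", "servlet-class"})
        if fields.get("servlet-class") == INVOKER_CLASS:
            invoker_names.add(fields.get("servlet-name"))
            findings.append(f"servlet '{fields.get('servlet-name')}' uses {INVOKER_CLASS}")
    for element in root.iter():
        if _local(element.tag) != "servlet-mapping":
            continue
        fields = _children_text(element, {"servlet-name", "url-pattern"})
        name, pattern = fields.get("servlet-name"), fields.get("url-pattern")
        # Flag the mapping if it points at the invoker class or uses its conventional pattern.
        if name in invoker_names or pattern == INVOKER_PATTERN:
            findings.append(f"mapping '{name}' -> {pattern}")
    return findings


if __name__ == "__main__":
    for label, doc in (("enabled", ENABLED_WEB_XML), ("default", DEFAULT_WEB_XML)):
        print(label, find_invoker(doc) or "clean")
```

Run it against both the container's conf/web.xml and each application's WEB-INF/web.xml, since the mapping can be declared at either level.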
No, millions of small businesses just buy computers with Windows Professional installed and join them to a small domain. Only big companies pay again for the Enterprise edition. Those small businesses are being f...ed by the removal of this policy.
And by the way, the lawsuit has something to do with why I am talking. Twitter is shortening URLs in direct messages. The lawsuit wants that stopped. A private long URL sent using a direct message is being shortened; do you see the relation now?
Well, if you send a long URL, which by being long is very difficult to guess, and Twitter converts it to something so small that it can be crawled, it is some kind of sharing. They should not be shortening URLs sent as direct messages; as this vulnerability shows, they are breaking the security of the long URL by shortening it.
I am not saying that Google is sharing anything. They give you a long URL that you can send to people you trust, then Twitter shortens it and that short URL can be crawled easily, contrary to the Google URL, which is long enough to be treated like password-like authentication.
Exactly. I know people who send long URLs generated to share privately, like Google Photos links, using Twitter direct messages, believing they are not being shared with the world, and they are wrong. Those long URLs, known to be relatively secure even by Bruce Schneier, are being converted to short ones, accessible to the public. There is or was a lawsuit related to that.
There could be a little truth in that, but no OS makes the same mistake of letting the sender of a file decide what is executable or not (the sender calls it .exe or .scr and it is executable). Only Windows allows the sender to define what icon will be shown for a file (the sender embeds a Word document icon in an executable and that is shown).
There are many ways to phish non-Windows users, but then some kind of vulnerability must be used (when opening a document), not a simple stupid trick of sending an executable and people confusing it for something else. I think the most common one
Trust automatically only the devices detected at boot time. If someone had physical access to replace them before booting, then you have worse problems. If your mouse and keyboard break at the same time when plugged in (less probable), just press the power button and restart with the new devices. If only one broke, then use the other to authorize the replacement.
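The comment above sketches a complete USB allowlisting policy: boot-time devices are trusted, a later device stays blocked until a trusted, connected device approves it, and losing every trusted device leaves a reboot as the only reset. The following is an added example, not code from the thread or from any real USB authorization tool: a small state model of that policy with an audit trail, covering the two failure modes the commenter names (one input device broken, both broken). Device identifiers such as "kbd-A" are constructed strings standing in for a vendor/product/serial tuple.

```python
class BootTimeUsbPolicy:
    """Model of the policy: trust what was present at boot, gate everything later."""

    def __init__(self, boot_devices):
        # Everything enumerated at boot is trusted and present (the commenter's
        # accepted risk: physical replacement before boot is a worse problem).
        self.trusted = set(boot_devices)
        self.present = set(boot_devices)
        self.blocked = set()
        self.audit = [f"boot: trusted {sorted(self.trusted)}"]

    def plug(self, device_id):
        """A device appears after boot: allowed only if trusted at boot or authorized since."""
        self.present.add(device_id)
        if device_id in self.trusted:
            self.audit.append(f"allow {device_id}")
            return "allowed"
        self.blocked.add(device_id)
        self.audit.append(f"block {device_id}")
        return "blocked"

    def unplug(self, device_id):
        """A device disappears (unplugged or broken); trust is kept, presence is not."""
        self.present.discard(device_id)
        self.blocked.discard(device_id)
        self.audit.append(f"remove {device_id}")

    def authorizers(self):
        """Trusted devices that are actually connected, i.e. able to approve a newcomer."""
        return self.trusted & self.present

    def authorize(self, new_device, approving_device):
        """Approve a blocked device with a trusted, connected one (the one-device-broke case)."""
        if approving_device not in self.authorizers():
            self.audit.append(f"refuse {new_device}: {approving_device} cannot authorize")
            return False
        if new_device not in self.blocked:
            return False
        self.blocked.discard(new_device)
        self.trusted.add(new_device)
        self.audit.append(f"authorize {new_device} via {approving_device}")
        return True

    def needs_reboot(self):
        """True when no trusted device is connected: the power button is the only way out."""
        return not self.authorizers()

    def reboot(self, detected_devices):
        """Power-cycle: whatever is detected at this boot becomes the new trusted set."""
        audit = self.audit + ["reboot"]
        self.__init__(detected_devices)
        self.audit = audit + self.audit


if __name__ == "__main__":
    policy = BootTimeUsbPolicy({"kbd-A", "mouse-A"})
    policy.plug("usb-stick-X")              # unknown device: blocked
    policy.unplug("kbd-A")                  # keyboard broke
    policy.plug("kbd-B")                    # replacement: blocked until approved
    policy.authorize("kbd-B", "mouse-A")    # the surviving trusted device approves it
    for line in policy.audit:
        print(line)
```

The point of `authorizers()` is that trust alone is not enough to approve a device; the approving device must also be connected, so an attacker's device cannot approve itself and a stored-but-absent device cannot be impersonated.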
If they are only using the cloud providers' servers as storage, probably true, but if they use them to run applications, the keys are in memory to be able to read the data and process it.
I am on a Nexus device, a properly patched Android, but still I removed the MMS configuration from the cellular network APN configurations. I don't use or receive MMS, so there is no need for it. It is another good option.
WebAssembly
I have not tested this yet, but they are working on making Firefox read the Windows certificate trust store for certificate authorities.
Oracle cloned Red Hat Enterprise Linux (RHEL); RHEL contained GNU Classpath; Oracle distributed GNU Classpath without problems before buying Sun.
Cabinet open source, only a file manager, actively developed.
Follow the link, there is Public-Key Authentication now
NTP authentication