Ah yes, the chimneys.
2021 is the year of Google Robot Santa.
230 posts • joined 16 Jun 2014
> Personally, I believe that any mind expansion or mood change possible with street drugs is also possible by other non-drug means - e.g., fasting, meditation, and physical activity. There is a long history of such.
Yes. This training is a bit easier if you know what you're looking for, though. (In a "now I know what I can give my consciousness permission to do" kind of way.)
AFAICT, even the proponents of psychoactive substances for mental health reasons don't say this is a pill that will fix your problem – it's possibly a way to make it easier to see things from a novel-to-you angle that will make it easier to do all the other stuff, like CBT, even if your current brain patterns try very hard to keep you in a routine that isn't healthy for you.
Works the other way around, too. I have accounts in some places where I literally don't know the password and don't store it. The company I might order something from once every five years? It's faster just to do a password reset.
(I vaguely recall even The Bruce thinks this is a valid mode of operation, but don't quote me — or him — on that. Also, he has surprising views on on-paper passwords.)
Yeah, fine motor axis parallel is a bit difficult, and I curse people who stack their menus three levels deep.
The original (W95? 98?) drivers for my Trackball Optical had a setting that let you set the y axis at a not-90° angle to the x axis to help with that. (Say what you will, the old MS peripherals are pretty sturdy. I think my TO is old enough to vote now and still runs like a champ, as long as your fingers provide a bit of grime to keep it running smoothly.)
Things even went iffy a couple of weeks ago. For values of iffy being "frequency went 0.3Hz off spec": https://www.entsoe.eu/news/2021/01/15/system-separation-in-the-continental-europe-synchronous-area-on-8-january-2021-update/
I'm so glad all I manage is a bunch of webpages for entitled academenteds and not power plants.
Well, Margaret Ferrier and Dominic Cummings did that for them…
(Meanwhile, in "not all people are idiots", Kramp-Karrenbauer actually camped in her MoD office in Berlin instead of driving all the way across Germany to self-isolate at home.)
I'll be the first to admit I've manually IMAPped about once or twice in my life, but there was no place in the communication where I would even have been able to transmit a user agent.
So what's the data flow? App takes developer token to request to let end-user generate an app-specific transient IMAP passphrase? Which yes, is safer, because it can be revoked separately from other login credentials.
Still works fine in my VMs, and it registers as a five-button HID anyway, but I guess the specialized driver that, amongst other things, let you tilt the x and y axis, won't work anymore.
Still a fan of these beasts. Bought one in 2003 and it's still going strong.
Software costs money, too. (My "favourite" example is a purveyor of fine almost-never-breachable(tm) VPN solutions, a veritable fortiress of data security, who is very proud that they support RFC-compliant *OTP. Well yes, but the way to import the shared secrets is dongled to hell and back, so they still get to charge you money for nothing and you can't bring your own *OTP app.)
That being said, as with everything else in security, it's a tradeoff consideration. Would my elreg account warrant authentication by blood sample? Hardly. Can you afford to lose all customers who can't/won't use smartphones? Along with all using smartphones (authenticator and service app on the same device weakens security)? What's your fallback to re-authenticate when the 2nd factor is lost? If it involves a phone line, you've gained nothing. If it involves postal mail or physical presence, it will be slow.
"Unexpected honker in the masking area", and a shop assistant in full beekeeper hazmat suit will eventually shuffle over to sullenly swipe a card through the door to let you in.
(Also, unrelatedly: even though I never spent a second wondering what Dabbsie's voice sounds like, I didn't expect it to sound like that. Is that something that only happens to me?)
"""Support is working on getting it mentioned on status.zoom.us."""
Yeah, I know workplaces like that. "Do you know who can put things onto the status page? I usually ask Jack, but Jack seems to be on vacation since I got no reply? No, he's not marked as away. You know people always forget. I tried opening a ticket, do you know if anybody reads that queue? I really have no time to find somebody to do this, I get fifteen mails per minute from customers asking about this that I need to answer."
Beer, 'cause helldesk staff deserve one.
at that point in the sentence, you should have become vvvverryyyy suspicious. And I say that even though I would probably benefit from the new API.¹
Also, what's this "[the API] will come with a higher barrier to use [than asking nicely]"? Are we seeing another step to Appstorification of the free and equal interwebs? "Yes, we have that API, but you can only use it from vetted code that you download through our AMP AppstoreMoneyProgram. This ensures your libraries and page will load quickly from our CDN, wherever in the world your users are. We even include 5000² free³ downloads every month⁴."
² subject to change
³ 49.99 setup fee; developer membership required
⁴ offer valid until September 9852, 1993
As if "there'll be collateral damage" ever stopped a browser vendor. Basic auth in iframes, not showing www/m prefix even if what's shown has no A/AAAA record, the default changing from rel="opener" to rel="noopener", abandoning the CA/B forum, the list goes on and on. We are rapidly heading back towards "best viewed in X/Y/Z because Y/Z/X is broken".
Where's the SecureBoot flaw in there? It hands over control to a boot loader with a valid digital signature, which is the only notion of "trusted" at that point, and the fix on SB's side is a revocation list that invalidates that particular signature.
The flaw, if any, is that buggy software got signed, but putting that at SecureBoot's door is like saying CAs should miraculously not issue and revoke certificates for sites running old Wordpress versions.
I would be entirely unsurprised if there are boot loaders which have gone through formal verification, i.e. are mathematically proven to work correctly (on an abstracted machine model, i.e. still vulnerable to compiler and CPU microcode bugs).
I'm not worried about the 8% that report 5+ incidents. "Prof sends a mail to students and uses CC instead of BCC" is a data breach that technically needs to be reported. Frankly, "prof has former student's mail still in address book" is probably an incident in and of itself because the reason for processing is gone.
I'm worried about the 92%, because I fear 91% don't look or don't report, and only 1% is running a proper shop.
(And we all know that all it takes to make a university stop dead is a handful of current or former students requesting the full extent of information GDPR entitles them to. Yes, that includes paper files.)
From my experience (in Edumacation), it is exactly the "very important people" who would insist that a single helpdesk person should of course be able to imMEdiately set a new password, without callback or other further identification, after all they already have the cheek of not giving out the original value of the password.
Point one: I've seen people who've done setups like that, by accident of incompetence. (I.e. they threw everything they had into the certificate bundle, including now-expired intermediate and root certs.) Not all browsers handle this. I don't recall if it was Firefox who'd pick an arbitrary certificate chain and fail if that one wasn't valid. Could've been Chrome, too.
Point two: I've not checked in detail, but I wouldn't be surprised if certificate transparency logs reject requests to log a certificate for the far-future. (And I don't think trusted CAs issue un-logged certs anymore.)
This – though, since both the GoDaddy hack and this one have rumors about infected sshd binaries, I'm not entirely convinced it's not the forwarding aspect of the protocol that is part of the issue. (I.e., if you connect into an infected host, it uses forwarding to log "you" into other nodes. That still doesn't explain the privilege escalation to modify sshd in the first place, though.)
> They would have to steal your hopefully protected private key...
Well yes. The certificate is public anyway, the common parlance of "compromised certificate" can be a bit misleading there. (And no, a new certificate does not mean it must be a new private key.)
The extent to which you can protect the private key can be limited on servers you want to restart without human interaction.
>> Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats
> Not that clear - if there's a major certificate-based threat then 1 year is absurdly long.
They have a point, in a very roundabout way – remember the joke about the clock flashing on your microwave because you just can't be arsed to read up how to set it and you forgot from the last time around and you think it's really not that important? That's what certificate hygiene is. Wait till it fails, tell the customer to click ok, find out the guy who did it the last time retired, and then find out how to do it yourself, and forget until next time. Until it's frequent enough for you to actually learn (or automate away).
How is it a pain? Don't ask me, ask the people running dnssec-tools.org or mozilla add-on update servers, those being two examples that come to my mind of sites that ran around with expired LE certs for quite a while.
It's a fun sport if you're so inclined: compare the certificates in use with the public ledger of issued certificates. If the auto-renew doesn't work, who knows what else doesn't work on those servers.
Biting the hand that feeds IT © 1998–2021