I’m not so sure about that. With enough dedication and time I think you could target a specific company from HN. Start writing a few good blog posts that would appeal to your audience, and only run the attack when some attribute is true for that company (i.e. their corp IP addresses).
You could even combine the two. Post the blog to Hacker News, then send a phishing email pointing to the HN post. That is a trusted link. Then the user will likely click the source link in HN.
Obviously, a lot harder and lower chance of success, but not impossible.
> [...] only run attack when some attribute is true to that company (i.e. their Corp IP addresses). [...] Obviously, a lot harder and lower chance of success, but not impossible.
In general maybe, but in this particular case it's gonna be challenging, as GitLab is a remote company, so most employees will log on from residential IPs.
It's not impossible to determine which of your visitors has login cookies to other sites, such as internal.gitlab.com, and provide different content to them.
Most companies I’ve encountered have moved towards split-tunneled VPNs, so an employee clicking on a phish page would traverse the employee's gateway, not corporate's.
I can’t decide if I hate that more or less than what I’ve seen: client-side blocking of DNS resolution and driving all queries through Cisco Umbrella or friends.
Liberty Mutual, the largest insurance provider, is in the process of moving from default route on the VPN to no VPN at all and zero trust networks for their apps.
These two don't play nice together. That is, you can't use Cloudflare as a CDN and Netlify without Netlify complaining to you about not being able to provision your SSL.
I know you’re not being precise, but the term “backed” is not valid. For a currency to be “backed” or more accurately commodity backed currency, you must be able to exchange that currency for that other thing. I.e. money for gold. You can’t get the electricity back in exchange for your bitcoin. :)
Can you pay your electric bills in bitcoin? Even though dollars are not 'backed' by gold, you can still exchange dollars for gold. Just not from the government at a government-fixed price.
Not sure about that. Especially if it all goes to one IP address where they have peering arrangements. It could cause some load there, but the traffic will be essentially free for Cloudflare. And some good publicity for Cloudflare.
Correct; Cloudflare doesn't cache large asset files (I think anything more than 2MB?) by default. It's not that kind of CDN... at least, not for free it's not.
Of course, you can trick Cloudflare into caching your large media assets using some funky Page Rules... but I wouldn't suggest it. Mostly just for moral reasons. If you have that much traffic, you should be making some money off it and then paying Cloudflare with it!
And a "cache everything" page rule tends to cache literally any file type, but it's not a great idea to push media files through CF due to the TOS prohibiting "disproportionate amounts of non-web content".
2MB might be referencing the limit for Workers KV.
Completely agree. With HDMI-CEC and moving off of old Campos it is the only remote used in our house and nobody ever asks me how to do X. They click it, everything turns on and they navigate to the thing they want.
A bit of rubber on the lower half so you could feel up from down would be my only change.
Yeah I use HDMI-CEC to turn on and off my TV from the Apple remote.
I use an HD HomeRun and the app Channels to watch local antenna TV via the Apple TV, so no need for channel buttons.
I do wish that the Apple TV volume buttons worked without HDMI-CEC so I could use those to control the volume when playing games. That and the occasional need for the Input button are the only reasons I keep the TV remote handy.
The fatal flaw of CEC, at least with my particular setup, is that there is no way to play music on my receiver via the Apple TV while having the TV off. When CEC is enabled, turning on the receiver turns on the TV, and turning off the TV turns off the receiver. It’s insanely frustrating, but hey, how could it know when I really don’t want to turn off the receiver?
My receiver (Denon X1400) doesn't turn on the TV when it turns itself on, but the TV turns on the receiver and turns it off. I set it up a long time ago, but IIRC it was configurable.
I think that's approximately the issue with my setup as well (I also have a Denon receiver). I believe I settled on only disabling CEC on the TV. Thus waking up the Apple TV does turn on the receiver, and putting it to sleep turns off the receiver. I only have to manually turn the TV on and off, which isn't so bad. Ideally I would be able to configure it so that all CEC controls were active except that manually turning off the TV did not turn off any other device.
And what about the hours of effort put into reading, annotating, and jotting down notes on the ebook? (Typical of serious reading/research) That is worth way more than $25 -- MS is robbing people of the value they tried to create/store for their future selves. What use is a "platform" if it can't support that?
This happens every week for people using some SaaS product that gets cancelled.
DRM is content as a service, and by definition, all DRM will either be cracked or will become inaccessible eventually, with probability approaching 1 over time.
I contribute to Standard Ebooks, which takes PD text (primarily from Gutenberg but also elsewhere) and reformats it with good typography and consistent styling, before re-releasing it as public domain again. We’re coming up to 300 titles now; any problems you find can be fixed with a pull request on GitHub if you want: https://standardebooks.org/
Translated Japanese light novels. There's a membership that lets you read along as they translate, but if you purchase the ebook when they're done, it's DRM free.
It's not the same as buying DRM free, but stripping DRM from most eBook formats is pretty trivial these days, AFAIK. Unless something has changed in the last few years since I last bought a Kindle edition of a book (which I stripped of DRM so something like this couldn't happen).
It’s not trivial for Kindle anymore. I did it recently on a Mac, and it took a fair bit of work, was complicated and confusing, and required finding an old version of the Kindle reader program and somehow preventing it from checking in with Amazon’s servers. My brother in law recently tried and failed after having done it in the past.
It's still trivial AFAIK (I last did it one or two years ago) if you have an old Kindle device, and can therefore convince Amazon to send you the poorly encrypted files meant for old Kindles. I use a "Kindle Keyboard", i.e. the 3rd gen. Amazon has stopped selling new-old-stock, but it seems you can still find them on eBay for somewhere between $20-50.
Incidentally, this model of Kindle also comes with text-to-speech, which is a really nice feature that I believe is missing from all newer models (removed to avoid cannibalizing audiobook sales).
Keep in mind that by buying DRMed books you give companies an incentive to produce them. If you're opposed to DRM, it may be better to pirate instead. Especially if you live in a jurisdiction in which removing DRM is illegal so you're breaking the law anyway.
If you live in the US and have a library card, try Overdrive. You can check out a huge catalog of eBooks for essentially free (since it’s paid via your local library).
Overdrive primarily uses Adobe's DRM system. You can "liberate" the titles with the use of the DeDRM toolset or get the resources directly off their "Libby" platform, which simply requires reassembling the assets into an EPUB.
That's still showing the dark side of DRM. However it is also Microsoft handling that dark side in a professional way.
If a game developer shuts down their game servers, do they release the binaries? Some do, I guess. I've even seen some software companies release the source if/when they shut down.
This assumes that the paperback exists. It ought to be the responsibility of the vendor to offer either a full refund or a hard copy, at the vendor's expense, including any annotations that were made on the digital copy.
While having such an option may be a good idea, one of the main appeals of ebooks for me is that I already have far too many linear feet of paper books. Giving me a hard copy adds to this problem.
Either way, let me annotate my own paper book TYVM.
At least this time it's Microsoft closing down gracefully. I can't see the same happening if it's a smaller, specialized business going bankrupt and going away without the ability to mitigate the shutdown.
That is not the solution. Usernames are not passwords. If they were, why have them at all? Generate a random unique password for your user and don’t have a username at all. As the parent mentioned, using haveibeenpwned or a similar service is a much more user friendly and secure approach.
> That is not the solution. Usernames are not passwords. If they were, why have them at all?
Claiming that usernames cannot be a source of entropy/security needs foundation.
Back when the whole concept of authentication was new (UNIX) that was true, because usernames were quite literally public information; you could see them via a directory listing. With early email (SMTP) that remained true, but worse, via public directory listings across computers.
However in this context there's nothing inherent about a username that allows us to ignore its security characteristics. Unless the argument is "over the shoulder" leakage? Which I'd argue itself doesn't have a strong foundation.
Both obscure usernames and obscure passwords can contribute to the overall strength of a system. A system that allows the user to set their own password may gain particularly from pre-selected randomized usernames, as users have proved untrustworthy in the past when picking passwords (e.g. reuse, patterns, common words, etc).
As an aside, scrapping usernames and only having a password isn't inherently problematic, except two users with the same password may clash, and a password recovery scheme may be more difficult to develop. That's essentially what authentication tokens are.
> Generate a random unique password for your user and don’t have a username at all.
Because having an unknown username with an unknown password increases the difficulty of compromise via improved entropy.
I agree there is nothing technically bad about using usernames as more entropy (it is bad from a user experience standpoint), but why have two strings at all? Just have one longer, truly random string.
> Because having an unknown username with an unknown password increases the difficulty of compromise via improved entropy.
Not necessarily. It depends on the characteristics of each. If the username is truly random, sure, but then you are back in the same boat as using one random string.
Right; why have them at all? Why not log in with a UUID or something randomly generated. Use a 'password store' tool, and forget about the pointless username.
Further, do some automatic challenge-response thing between the server and yourself so you are authenticated to the server, and the server is authenticated to you. Which the current username/password scheme doesn't do at all.
Our current default state (username/password where both are human-rememberable) is failing us massively. It's arbitrary, historical and currently pointless.
With a single random password most people will write down their password, so anyone who can read what was written down gains full access. With a random username and a user-chosen password most people will write down their username but not their password. Clearly this approach is more secure.
I don't see how relying on haveibeenpwned can be considered secure. Many people use the same password for different sites. If your site's login credentials are just email+password you are relying on the security and honesty of all other sites that use the email+password combination.
> With a single random password most people will write down their password, so anyone who can read what was written down gains full access. With a random username and a user-chosen password most people will write down their username but not their password. Clearly this approach is more secure.
I don't believe this is grounded in evidence. You are basically saying that given two hard to remember strings, most people will write down one hard to remember string and not the other hard to remember string. Why?
> I don't see how relying on haveibeenpwned can be considered secure. Many people use the same password for different sites. If your site's login credentials are just email+password you are relying on the security and honesty of all other sites that use the email+password combination.
I think you are missing the point of the haveibeenpwned service. The point is to block people from using ANY password that is listed in the haveibeenpwned database, thus denying attackers the use of that dictionary of known passwords.
A string is not that hard to remember when it is a password you thought up and have been using for 10 years. OK I cannot offer proof that most people would not write down their password, but surely some would not - and for those people having a separate User ID/password combination represents improved security. But anyway this is beside the point, which is that adding random characters to user credentials improves security - whether those credentials are 1 or 2 strings - and would have prevented this TurboTax attack.
Yes, using the haveibeenpwned service offers some level of protection. But it still allows an attacker to breach a random website like funnycatpictures.com and find the email/password combinations that are not on haveibeenpwned. Boom, that attacker has access to all those users' tax information.
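The check this exchange is arguing about, rejecting at registration any password that appears in the haveibeenpwned Pwned Passwords corpus, as an added example that is not any commenter's code. It follows the shape of the real range API's k-anonymity query (only the first five hex characters of the SHA-1 leave the client) but replaces the network call with a constructed in-memory corpus, so the endpoint stub, the passwords and their counts are assumptions; it also shows how a client should ignore the zero-count padding lines the real service can return.

```python
import hashlib
from typing import Dict, Optional

# Constructed breach corpus with made-up counts; it stands in for the real data set so this runs offline.
BREACHED_CORPUS = {"password": 3730471, "123456": 23597311, "letmein": 274749}

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    The real service returns one line per matching hash, '<35-hex suffix>:<count>';
    with the 'Add-Padding: true' request header it also returns decoy lines with
    count 0. Here the body is synthesised from BREACHED_CORPUS plus one decoy line."""
    lines = []
    for pw, count in BREACHED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry; a client must ignore it
    return "\r\n".join(lines)

def parse_range_body(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict, skipping blanks, malformed lines and
    zero-count padding entries."""
    found: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            found[suffix.upper()] = int(count)
    return found

def pwned_count(password: str, fetch=fake_range_endpoint) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the client;
    the 35-char suffix is compared locally, so the service never sees the password."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch(prefix)).get(suffix, 0)

def check_new_password(password: str) -> Optional[str]:
    """Registration policy in the spirit of the thread: reject any password present
    in the breach corpus, whatever its length or character mix. Returns None if OK."""
    if len(password) < 8:
        return "too short"
    hits = pwned_count(password)
    if hits:
        return f"appeared {hits} times in known breaches; choose another"
    return None
```

To use the live service, replace `fake_range_endpoint` with a function that performs the HTTPS GET for the prefix and returns the response body unchanged.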
I don't believe that is really true. Most woodworking stores pretty much only have SawStop in the stores. Sure, lots of people have the super cheap DeWalts or whatever from Home Depot, but SawStop sells a lot of table saws. I won't use anything else.
You literally can't buy a SawStop outside of the US. And even if you import one, after paying $$$ for the saw and $$ for shipping, you'd need to install a big hulking $$$ 220V-110V transformer in your shop. I've never seen one over here.
The European philosophy seems to be that the Saw Stop isn't worth it, because if you get in a situation where it kicks in, it means you've done something stupid like not using a riving knife and not using a crosscut sled or other pushing device.
I think also the fact that you don't get the system on other types of saws (band saw, mitre saw, circular saw, etc.) says something about the efficacy.
> I think also the fact that you don't get the system on other types of saws (band saw, mitre saw, circular saw, etc.) says something about the efficacy.
No, I don't think it says that at all, and you should reconsider your statement. I think it's a matter of geometry more than anything else.
The technology works. People do stupid things all the time. Having a backup safety device is a good idea, not a poor one. Or would you argue that safety belts and fire extinguishers are also unnecessary for "responsible" people?
What is in question is the ability of an explosive block to stop a blade in single-digit milliseconds, before it can travel far enough to cut the user.
On a spinning saw blade, firing an aluminum block into a spinning blade and dropping the assembly away from the user is a matter of geometry.
How would this work on a band saw? If you can come up with a way, I believe a very lucrative patent is in your future.
AFAICT SawStop's patents (which seem to hinge primarily on US patents 7,895,927 and 8,011,279) are only valid in the US. Also, when Bosch tried their "Reaxx" branded competitor, it was only launched in the US.
The official reply from Bosch when people asked on their forum about bringing the Reaxx to Europe was:
> There are currently no plans to bring the Reaxx to the European market simply due to differences in health and safety regulations across the two continents.
My reading of this is that as long as people in Europe follow local H&S regulations, this technology is redundant. And they're not going to sell tools with features that enable people to disregard H&S regs.
American-style table saws (that you see in literally every YouTube video involving wood) are fairly rare in professional woodshops in Europe. Almost every larger shop has a format / sliding table saw, which avoids several (but not all) "classes" of kickback and other safety risks in the first place. Even small shops often have scaled-down sliding table saws (which have been around for many decades, usually using round steel bars for guiding the table instead of the more complex double-roller designs used by Altendorf & Co.). A Sawstop-like system could still be a useful addition, though.
I wouldn’t say 2FA or password managers have “taken off”. I don’t have numbers, but just from my small sample of friends/family, only people who are technically advanced or who I have forced (my wife ;) use password managers.