Hacker News: stirlo's comments

I wouldn't count out Trump sending out "tariff profit" checks (with his face of course) to all Americans. If he gives everyone a $2000-5000 check (undoubtedly paid for by borrowings not real tariff income) then he'll get a pass for at least a few months.


Good to see that Trump will be providing subsidies on goods imported from Australia to balance out the -107% trade relationship they have with them.

Oh wait, it's a 10% tariff on Australia too. Better make a new version of this chart with a -117% benefit to the US then...


https://thundermail.com

Site is here with waitlist signup. It's also titled "For Those Who Know" and says: >> status beta_signup.is_open=true so perhaps there's a CLI or hidden way to sign up immediately?


There's an input field for an email address below that block for me


Turns out, in Firefox mobile, the email submission block isn't present.

I had to open Chrome Mobile to see it.

I hope this, err, 'oversight' isn't indicative of the quality of using Mozilla products.


Using Firefox mobile too, it's visible. Could be one of your extensions


Probably Ublock Origin, which is why I use FF mobile.


It is just you if it's not appearing.

I'm using AdNauseam, which is just uBO but improved with added features, and it appears just fine.


AdNauseam uses manifest version 2, too, so it will not be supported for long in Chrome / Chromium.


Works perfectly in Firefox.


I know. :P So far it all works on Chromium-based browsers, too, but probably not for long.


Not just them. Also FF mobile with UBO, and no email submission block for me.


I've got uBO on my Android Firefox and the form is visible. uMatrix shows only first-party CSS, no JS at all, which is good. You might have other extensions. View source on my phone shows a very simple HTML page with a form that posts to list-manage.com. Maybe something added to your Firefox is blocking that.


Yep. You might need to disable Adblock to have it appear.

I was still hoping for something more than a simple email waitlist signup, however. But I didn't find anything obvious hidden in the page that would allow immediate signup.


I had to disable uBlock Origin for that to show up.


I can see it. Firefox 137.0 (desktop) with uBlock Origin enabled.


It probably depends on your lists. My uBlock Origin config had a global CSS rule blocking any elements with a #mc_embed_signup id.


So... I need an email address to signup to an email service?


Similarly, may need a cell phone to open a bank account to get a cell phone

If the bank wasn't at the birth, do they really know the customer? Pffft.


That is without a doubt the worst landing page I have ever seen.


> actually buy on merit and cost.

While remembering that when you wanted to use what you purchased to defend your ally in Ukraine your supplier prohibited you. Let's see how much merit there is in any US purchase with that in the background...


Are these just alternative facts and MAGA talking points or do you have any proof from a reputable source for what you stated?


These are not "MAGA talking points." I speak my own opinions. And they come from bringing a modicum of critical thinking to a situation where people (including the MAGAs, I might add, who want to scare people away) are trying to get you to catastrophize. And like I said, the only source of this we will ever have is a very biased one whose story is as untrustworthy as Alex Jones' would be.

Most of these CBP agents are the same people who had the job 6 months ago. And 6 months ago, people who lied (possibly by omission) on visa applications largely got exactly this treatment. The news just didn't report on it.


That’s a scary vulnerability. There’s no mention of the bug bounty paid out for it but I hope it was substantial.


Well at the bottom of the article, they mention that Microsoft first closed the issue as invalid, and on the second attempt they closed it as "cannot be reproduced" (after fixing it).

So from that I can imply there was no payment.


I've reported a trivial way to infer details about passwords in Windows. (Ctrl-arrow in password fields in Windows 8 jumped by character group even when hidden so if a prefilled password was 123 abc.de it would stop after 3, after space (I think), after c, after dot and finally after e.)

All I got was an email: that is interesting bye bye. But it was fixed in the next patch or the next after I think.

So I didn't care to report the two bigger problems I found with Azure Information Protection [1][2]. I thought about reporting them but decided against it.

And I will continue to tell people that I don't care to do free work for MS when they won't even give me a t-shirt, a mug or even acknowledge it.

Maybe if one is a security researcher it can be worth it, but if you just find something interesting you'll probably be better rewarded by reddit or HN. Yes, the upvotes are worthless, but less so than a dismissive email.

[1]: One in the downloadable AIP tooling where you can easily smuggle clear text information with rock solid plausible deniability. I found it by accident after having implemented a part of a pipeline in the most obvious way I could think of.

[2]: The second had to do with how one can configure SharePoint to automatically protect files with AIP on download, the only problem being that if you logged in using another login sequence (sorry for the lack of details, this was before the pandemic and it was just a small part of what I was working on at the time) SharePoint would conveniently forget all about it, despite all efforts by me, the security admin at the company and the expert that Microsoft sent to fix it.


> the expert that Microsoft sent to fix it.

Ha ... ha ... ha ... ha ... did they give you the run around for several months until you dropped the issue? It's actually pretty astounding that they don't get sued for this practice. If a company is paying for support and is given illiterate noobs then that is breach of contract, I would think. I would never recommend entering a contract with MSFT; they produce trash products they can't support and are more invested in their Legal team than actual product.


I thought the same when a friend of mine reported something to Apple. I would guess it's SOP at this point across big tech, unless something is too big to ignore.


You might have no idea how expensive providing great support to customers is when you're a vendor like Apple or Microsoft. It's like backports, which are even more unbelievably expensive still, and those are gone industry-wide for that reason.

Think of the opportunity cost in having smart, capable, experienced staff doing support or backports instead of actual dev work. (Especially backports, which, when they were done frequently, were done precisely because customers are risk-averse, so a great deal more review and testing (with a much larger test matrix) was required for backports, with an attendant huge increase in cost.) That cost is enormous. But of course they do need to provide some support, and at some point some really good support for the really serious bugs, and the vendor will in time do it, but first the customer demand and pressure has to build.


I can't speak to Apple, but wrt Microsoft, you're not appreciating just how bad support is (or even the documentation is) and you're not appreciating how much people pay for support on top of the product.

I feel like I know more about M365 than anyone I talk to at MS. That's bad.


Everyone hates support. Especially the execs who have to pay for their support department.

Azure basic support is pretty bad. I am even surprised at how bad some of the higher tiers of support are. I have no frame of reference for other cloud providers, but anecdotally they are not so great either (some CSPs, I am told, are worse).

All in all - wrt documentation - software docs have gone downhill across the industry since the 90's. And back then people were still loudly grumbling about how bad the docs were!


Oh trust me, I know how bad it can be. I wouldn't say that I 'appreciate' it though!


Reminds me of an issue I reported years ago to the super-special-premier support my company pays for. I never got to somebody who actually understood the issue but there were several managers who constantly tried to have meetings and close the ticket.


> there were several managers who constantly tried to have meetings and close the ticket.

Managers on the support side or your teams?


Microsoft side. It was pretty clear that they were evaluated by closing tickets quickly.


Support orgs love to measure how long it takes to close tickets, but rarely whether the problem was actually resolved, or customer sentiment.

I had a friend who worked for a cable ISP decades ago in the UK. Management of support management got outsourced to another company, who set aggressive targets for call length. Not average call length, but call length of any call they received. Any call that went over the target was a mark against the support person, and if you got more than a few marks you got a dressing down by the supervisor, a few more after that would get you a written warning, and then a few more would see you fired.

It started out at 15 minutes, and that was okayish. It took about 6 minutes to reboot a cable modem and have it come on-line, and that was done with almost every single support case, and fixed at least half of them.

Then they cut it down to 10 minutes. That was squeezing it a bit. 4 minutes at the most to do all introductions, hear the problem, wait for modem reboot and test things were resolved.

Then they cut it down to 5 minutes. The support folks had literally no choice but to just randomly hang up on people as soon as they got close to 5 minutes, or ask them to do a reboot of the modem and phone back. "Oh, I'm sorry, we must have been randomly disconnected"


No, as far as I remember it was more like they came, looked at it and either the same day or week just concluded it couldn't be done.


The intention of the password entry dots isn’t to prevent folks with unrestricted physical access to the machine from exfiltrating information, it’s to stop it from appearing in screenshares and casual “over the shoulder” observations.

Honestly I’m surprised they even acknowledged that as a bug, given there are many ways to get a whole lot more info than what you demonstrated, for instance the builtin “eye” button that is purpose built to reveal the full password to anyone with physical access to the machine wishing to see it.


If the eye button is available it is clearly the intention.

This wasn't such a case.

That said, I didn't expect to get rich; it was just that the experience didn't give me anything back for the effort I put in.


It's a feature not a bug: "Azure’s Security Vulnerabilities Are Out of Control" - https://www.lastweekinaws.com/blog/azures_vulnerabilities_ar...


> Let’s start with some empathy, because let’s face it: Nobody sets out to build something insecure except maybe a cryptocurrency exchange.

:-)


Nobody sets out to build something insecure but if they go with Azure....

"Microsoft confirms partial loss of security log data on multiple platforms" - https://www.cybersecuritydive.com/news/microsoft-loss-securi...

"Microsoft called out for ‘blatantly negligent’ cybersecurity practices" - https://www.theverge.com/2023/8/3/23819237/microsoft-azure-b...


At least this new one seems to have been fixed within two months: 6 Jan to Feb 20th.


The caller still needs at least the Reader role, so it was limited to accounts that were added to the Azure subscription as only Readers.

I'm glad they fixed it, but this doesn't seem too scary??


Suppose user U has read access to Subscription S, but doesn't have access to keyvault K.

If user U can gain access to keyvault K via this exploit, it is scary.

[Vendors/Contingent staff will often be granted read-level access to a subscription under the assumption that they won't have access to secrets, for example.]

(I'm open to the possibility that I'm misunderstanding the exploit)


My reading on this is that the Reader must have read access to the API Connection in order to drive the exploit [against a secure resource they lack appropriate access to]. But a user can have Reader rights on the Subscription which does cascade down to all objects, including API Connections.


But also the API connection seems to have secret reader permissions as per screenshot in the article… Giving secret reader permission to another resource seems to be the weak link.


The API Connection in a Logic App contains a secret in order to read/write (depending on permission) a resource. Could be a Key Vault secret, Azure App Service, Exchange Online mailbox, SharePoint Online site..., etc.

The secret typically is a user account (OAuth token), but it could also be an App Id/Secret.


But somebody gave the API Connection permissions to read the KV secrets from, Exchange Mailbox, SharePoint folder etc… And anybody who has access to the API Connection now has access to the KV, SharePoint folder, etc… I do not think this is a problem with Azure, this is just how permissions work…


The API Connection in the example has permissions to read the secrets from the KeyVault -as per screenshot.

It seems to me the KeyVault secret leak originated when KeyVault K owners gave secret reader permissions to the API Connection. (And I will note that granting permissions in Azure requires the Owner role, which is way more privileged than the Reader role mentioned in this article.)

[edit - article used Reader role, not Contributor role]


Your take is spot on, sir.


Going to deter war in Asia by simply telling China, go for it, take Taiwan and the whole 9 dash line?

That’s not deterring war, it’s appeasement. Ask the great European powers (and eventually the US) how that worked against Hitler…


Perhaps pricing in other markets will be substantially lower and undercut the Prime cost?


You can easily just add a case with magnets in it. Even iPhone 16 Pro cases often embed magnets in them to complement the built-in ones.

I'm guessing you might miss the cool animations but for charging and mounting it will work the same.


There's absolutely no reason for them to introduce a new mechanical camera system. They previously marketed their cropping of the center 12MP of their 48MP sensor as 2x optical zoom. They will use the same method here.


Strongest argument that they didn't is that adding something like that is absolutely a thing Apple would have talked about at length in the press release. They love getting to do extensive "here's something cool that 'only Apple could do'" segments. (And we love to make fun of them for it.)

