
> The more important takeaway

That's exactly the issue - you can't have a takeaway if you don't have a reasonable sample size. Are these drives all in the top 5% of quality for their respective brands? We'll never know unless we do a larger study.


The odds of all six drives being in the top 5% by chance is one in 64 million. So I think we can at least rule out that extreme with decent confidence.


You can make a seamless experience so that people don't even realize that their email is encrypted, but then the problem becomes: if their computer crashes and they lose their private key, they have now lost access to every previous email ever written. That's just unacceptable. I closely guard several backups of my private key, but most people aren't going to create an enormous single point of failure like that.


Backups can be seamless, too.

Just a tiny unobtrusive icon "hey, your key wasn't backed up, want to fix that?" would probably do the trick.

And with a proper passphrase I think one can even backup to the cloud(tm) without many worries.


Ugh, that headline.


It's a good thing they put quotes around 'alien' otherwise I wouldn't have been tempted to click on it.


I always assumed the point of mocking a database response was to ensure that you were testing just your code, and not also the existence of a database with the right schema, the ability to connect to it, as well as the correctness of the code that rolls back any side effects.


> and not also the existence of a database with the right schema, the ability to connect to it

I like testing those things on which my model depends. It gives me much more confidence. Why wouldn't I want to test them?

> as well as the correctness of the code that rolls back any side effects.

That's a drawback. No arguments from me on that one.


> I like testing those things on which my model depends. It gives me much more confidence. Why wouldn't I want to test them?

Those things all need to be tested, but if a single unit test fails, it's nice to know that it failed because the code was wrong, not because the database connection happened to die just then. If I have one test for the logic, and another that verifies that the database can be connected to, and a third that verifies the schema is right, then the specific combination of failing tests tells me a lot more about what's wrong and if my code even needs to be changed.


Even after reading this list, I'm comfortable forgetting everything (with maybe one exception) because these surprises really only come up when you use horrible coding practices. But it's nice to know it really takes some serious effort to find these kinds of things in Python.


This sounds less like epiphany and more like things you wish were true.


I was using it for a long time, and then after some update I was completely unable to get it to run on any new servers. Not sure what changed, but using the package manager route was no longer viable. Building from source also failed for reasons that are totally ungoogleable. Surely my incompetence plays a role, but I had to abandon it after every single workaround in their troubleshooting section failed to resolve the issue.


It's a felony in the US to do what the author did here, right? Not that there's any indication where they're from, I'm just curious.


I'm going to say FU to the industry and buy a horse ranch if it is! These were all public documented endpoints and 'worked as intended'. criticker is next-level incompetence, that's pretty much the point.


Well saddle up, my friend ;-)

In seriousness, recall the weev/AT&T case[1]. As I understand it, the attack was roughly of the sophistication of making a totally unauthenticated request to:

get_user_email_address.php?id=N

(where N was from a series of sequential integers)... and apparently the feds had a colorable argument that N constituted an "access control system", and therefore the act of iterating the entire series of possible N values (and downloading the resulting data) constituted "unauthorized access to a protected system".

Not quite in the same realm as coughing up plain-text passwords, I'll admit. But clearly some relevant authorities would set the bar for "access control system" fairly low. And apparently rank incompetence on the part of the site developer/owner appears not to come into things.

[1] https://news.ycombinator.com/item?id=4808676
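The endpoint pattern in the comment above, written out as the unchecked lookup beside a version with object-level authorization and a small audit trail for denied requests. This is an added example, not code from any of the cases discussed; the `USERS` table, the `Session` class and the denial threshold are constructed for illustration.

```python
# Constructed sample data (assumption, not from the thread): user id -> email.
USERS = {
    1: "alice@example.com",
    2: "bob@example.com",
    3: "carol@example.com",
}

# Audit log of denied lookups: (session_user_id, requested_id). Constructed helper.
DENIED = []


class Session:
    """Minimal stand-in for an authenticated session (assumed shape)."""

    def __init__(self, user_id=None, is_admin=False):
        self.user_id = user_id
        self.is_admin = is_admin


def get_user_email_unchecked(requested_id: int):
    """The pattern the comment describes: the id alone selects the record.

    Nothing ties the request to a logged-in identity, so the only thing
    standing between a caller and every row is knowledge of the integer.
    """
    return USERS.get(requested_id)


def get_user_email(session: Session, requested_id: int):
    """Same lookup with an authorization decision in front of it.

    The caller must be authenticated and must either own the record or hold
    a role permitted to read other users' records. Denied and nonexistent
    ids both return None so the response does not reveal which ids exist.
    """
    if session.user_id is None:
        DENIED.append((None, requested_id))
        return None
    if requested_id != session.user_id and not session.is_admin:
        DENIED.append((session.user_id, requested_id))
        return None
    return USERS.get(requested_id)


def suspicious_enumerators(denied=None, threshold: int = 10):
    """Return the session identities with at least `threshold` distinct denied ids.

    A single principal being refused many different records in a row is the
    signal a defender would alert on; `threshold` is an assumed tuning value.
    """
    denied = DENIED if denied is None else denied
    seen = {}
    for who, requested_id in denied:
        seen.setdefault(who, set()).add(requested_id)
    return {who for who, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # Walk a short id range as an anonymous caller against the checked handler.
    for n in range(1, 12):
        get_user_email(Session(), n)
    print("flagged:", suspicious_enumerators())
```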


Really wish there were better defense attorneys onboard in these cases because at their core these instances boggle the logical mind.


Felony for what?


Assuming the user "Injustice" isn't the blog post author's account, yeah they shouldn't be logging into it, even just to prove the legitimacy of an exploit.


So if the token expires, how do you log back in? What happens if you want to use a different browser? Or buy a new computer?


None of these would be an issue...

From the article your "password" is a:

     short-lived one-time-use tokens delivered over a secure channel that they control

So, your session times out, log in again by requesting a new one-time-use token delivered over the channel of your choosing.

Want to log in using a different browser? It's the same as before, get a new token.

You get the idea...


I don't really get it, either, since in most cases the secure channel is something like email, where the token travels around in cleartext. I understand one-time session tokens are typically how password resets are accomplished, but that happens relatively infrequently for a given user. For users who don't like to stay logged in to a service, frequently sending out new session tokens via email or SMS seems like a step down from passwords. I think I must not understand, though, so thanks for correcting any incorrect assumptions I'm making here.


No, I think you get it. It's the equivalent of doing a password reset every time, generating a new random password each time, and simply never writing that password down. The idea is interesting but it has a few drawbacks. The one drawback that hasn't been pointed out by any comments I've seen is that email suuuuuucks as a transport for something you want to happen quickly (e.g. logging in). Occasional hiccups in delivery and spam false positives make it a serious pain in the butt if you have to receive an email in order to log in somewhere.


No, I don't get the idea. If I'm requesting a token for a certain user, how can the server reliably determine if I actually am that user? If it just authenticates every request, what's the point of even having a password?


A new "password" is sent to you over a secure channel you control each time you log in.

For example, say your session has timed out. You click the log in button and provide your username, and a couple of moments later you receive an email with a one-time-use link that you click to take you back to the site and log you in.

Another example: you click log in and provide your username. A few moments later you receive a text message with a 6-7 character one-time-use token that you type into a text field on the web site. The web site then logs you in.

In both cases the login requires you have immediate access to a secure channel you specified at the time you set up the account. The token or link provided via those channels is only valid for a single use and, if left unused, expires in a fairly brief period regardless.
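Both shapes described above (an emailed one-time link and a short texted code) as a server-side issuer and redeemer, added here as an example rather than code from the article or any commenter. The lifetimes, the five-guess budget for short codes and the injectable clock are assumptions chosen to make the single-use and expiry properties testable.

```python
import hashlib
import hmac
import secrets
import time

# Assumed tuning values (the thread only says "a fairly brief period").
LINK_TTL_SECONDS = 600
CODE_TTL_SECONDS = 120
CODE_MAX_ATTEMPTS = 5


def _digest(value: str) -> str:
    # Only a hash is stored, so a leaked table does not hand out live tokens.
    return hashlib.sha256(value.encode()).hexdigest()


class OneTimeLogin:
    """Issues and redeems single-use, short-lived login credentials."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._links = {}      # token hash -> (user_id, expires_at)
        self._codes = {}      # user_id -> (code hash, expires_at, attempts_left)

    # Emailed link: a 256-bit random token, unguessable, looked up by its hash.
    def issue_link_token(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._links[_digest(token)] = (user_id, self._clock() + LINK_TTL_SECONDS)
        return token

    def redeem_link_token(self, token: str):
        # pop() consumes the entry, so presenting the same token twice fails.
        entry = self._links.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._clock() <= expires_at else None

    # Texted code: short enough to guess, so it is bound to one user,
    # compared in constant time and limited to a few attempts.
    def issue_code(self, user_id: str, digits: int = 6) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self._codes[user_id] = (_digest(code), self._clock() + CODE_TTL_SECONDS,
                                CODE_MAX_ATTEMPTS)
        return code

    def redeem_code(self, user_id: str, code: str) -> bool:
        entry = self._codes.get(user_id)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._codes[user_id]
            return False
        if hmac.compare_digest(code_hash, _digest(code)):
            del self._codes[user_id]   # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._codes[user_id]   # budget spent: user must request a new code
        else:
            self._codes[user_id] = (code_hash, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    svc = OneTimeLogin()
    link = svc.issue_link_token("alice")      # would be emailed to alice
    print("first redeem :", svc.redeem_link_token(link))
    print("second redeem:", svc.redeem_link_token(link))
    code = svc.issue_code("bob")              # would be texted to bob
    print("code accepted:", svc.redeem_code("bob", code))
```

The delivery step itself (sending the email or SMS) is deliberately left out; the security properties the comment relies on are all in the store: the server keeps only a hash, redemption is a destructive read, and the short code gets a guess budget because six digits cannot rely on being unguessable.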


"a text message" is not a secure channel.


No, but for many use cases it's secure enough. Especially when you consider the tokens are short-lived and single-use.


"delivered over the channel of your choosing" is the key phrase, where that channel is usually email. Essentially, they've defined "User A" as "people with access to email address B" instead of the more standard "people who know password C".


Assume the channel delivering the token is email. Then to log in you provide your user ID or email, identifying who you are, and they immediately email you a token (or link containing the token) to log in with.


OK, never mind. I get it now, it's just emailing you a new token every time you want to use the site, or something like that. It's just such a terrible idea I couldn't wrap my mind around it. Who would ever want to use a website like this?


That's kind of a stretch. There might be valid issues with the approach, but it isn't as mind-numbingly terrible as you're suggesting. You'd just authenticate new devices/browsers every time you needed to--you wouldn't be doing it every time you used the site.


I like the idea of getting a text message on your phone with a very quickly expiring key (60 seconds), or having an authentication app like Google's, which works for a bunch of websites. I do admit, even that's kind of annoying. That's why I started using a password manager.


It's exactly how 2-factor authentication works for banking sites such as Bank of America and Chase.


At the community college I went to, you took as many or as few classes as you wanted, and could quit and return at any semester as you pleased.

What's with all the bullshit rules and time pressure?


The bullshit rules and time pressure are all part of making sure you actually make it through the system.

I, for example, took 4 years to get a two year degree in part because I didn't know where I was going, not all of the classes transferred, and the classes needed to transfer were different depending on which school you went to. So, you cover your bases since you might not get into your chosen school...


The article explains it all.

The rules only apply to those enrolled in the ASAP program. Non-ASAP students get the standard CC experience, come and go, part-time, etc.

The ASAP program forces those students into a more rigorous program in order to get them graduated. I don't see a problem with that - there is obviously a set of students that need the structure in order to excel. And it appears to be working.

So, what's your gripe ("bullshit rules")?

