That's an interesting find thanks. I was not aware of no-cors mode.
It seems though that a browser would not allow 'non-simple' headers in no-cors mode[0].
Authorization headers, for example, would not be allowed (if I'm reading correctly). So any API using that header would not be affected by this issue, right?
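As an added illustration, not code from anyone in this thread: a model of the Fetch spec's "CORS-safelisted request-header" check, the rule that makes a no-cors request silently drop an Authorization header while letting a plain Content-Type through. It assumes two simplifications, noted in the comments: the later Range exception is omitted and MIME parsing is reduced to extracting the type/subtype essence.

```javascript
// Added example for this thread, not any poster's code: a model of the Fetch
// spec's "CORS-safelisted request-header" rule, which decides whether a header
// survives a request sent with mode: 'no-cors'. Anything failing the rule is
// silently dropped by the request's Headers object, so an Authorization header
// never leaves the browser in that mode. Assumed simplifications: the later
// Range exception is omitted and MIME parsing is reduced to the essence.

const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
// "CORS-unsafe request-header byte": control characters other than HT, DEL,
// and the delimiters " ( ) : < > ? @ [ \ ] { }.
function hasUnsafeByte(value) {
  return /[\x00-\x08\x0a-\x1f"():<>?@\[\\\]{}\x7f]/.test(value);
}
// Accept-Language / Content-Language may only contain 0-9 A-Z a-z space * , - . ; =
function isLanguageValue(value) {
  return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
}
function isCorsSafelistedRequestHeader(name, value) {
  if (new TextEncoder().encode(value).length > 128) return false; // any name
  switch (name.toLowerCase()) {
    case 'accept':
      return !hasUnsafeByte(value);
    case 'accept-language':
    case 'content-language':
      return isLanguageValue(value);
    case 'content-type': {
      if (hasUnsafeByte(value)) return false;
      const essence = value.split(';')[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // Authorization, X-Requested-With, any custom header
  }
}

// Model of the "request-no-cors" Headers guard: the headers that would actually
// be sent, plus the names that were dropped so a reviewer can see them.
function applyNoCorsGuard(headers) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isCorsSafelistedRequestHeader(name, value)) kept[name] = value;
    else dropped.push(name);
  }
  return { kept, dropped };
}
```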
What are passwords if not difficult-to-guess strings? It's usually safer to create a link with 32 random characters than letting users come up with their own passwords such as "qwer1234".
I disagree. There’s a reason why security by obscurity gets a bad rap. Browsers generally treat passwords as sacred — not saving or logging them unless the user explicitly asks. On the other hand, the URL bar gets saved to history, sent as a referrer when links are clicked (in some browsers), might be sent to an external server by the browser or extensions, etc.
I agree with the part about a URL being less secure than a password. However, it's not security by obscurity. It's just less secure and more convenient. But the URL scheme merely grants you access to a ticket, not the whole account, so the potential damage is negligible.
32 random characters (192 bits of entropy if you assume base64) is a lot more than just "difficult" to find. I'm pretty sure that is not what the article meant by difficult to find pages.
99% of security issues are silly and avoidable in retrospect. I don't think an insecure direct reference (assuming that's what is meant) is really all that different from most XSS, SQLi, etc.
Two old friends riffing off each other about the world.
I've listened all the way through twice and both times have found myself laughing out loud and deep in thought simultaneously.
I look forward to seeing how Eric Weinstein will continue to evolve The Portal in 2021. No doubt he will continue to deliver outstanding content in his own uncompromising style.
Well, seeing that the update you cited in the article allowed the phone to continue working at a slower speed instead of shutting down entirely when the battery was old - yes.
I never said that Apple could defy the laws of physics and prevent battery degradation.
Also, if I bought a brand new phone that was released in 2018 and even if it did have an old operating system - but a new battery, I could update to the newest OS. If it was a used phone with an old battery - I could replace the battery for $70.
My son just replaced an iPhone 6S that I bought in 2015 late last year. I replaced the battery before giving it to him. It was and still can run the latest OS version. It will be running the latest OS until at least September 2021.
I'd be interested to hear how Slack patched this. Hopefully by removing the ability to apply settings from URLs altogether, rather than attempting any sort of sanitisation on the download settings.
The Christchurch shooter amassed a cache of weapons, and also posted a copy of his manifesto and a link to his real Facebook account to 4chan.
The censorship/Facebook algorithms amplifying abhorrent content debate is one thing but I'm surprised by the lack of scrutiny of the security services over this. Especially for a member of the 5 Eyes. I can't help but feel this could have been prevented without any of the changes being proposed.
Just to expand on this a little bit, it is contingent on the ISP and, as far as I know, the following websites:
- voat.co
- 4chan.org
- 8ch.net
- liveleak.com
- archive.is
- bitchute.com
- zerohedge.com
- kiwifarms.net
I think I'm right in saying that Telstra, Optus and Vodafone are the 'Big Three', and they have blocked the above.
Here in NZ, it's Vodafone, Spark and 2 Degrees, all of whom, I understand, blocked access, though I've been unable to verify this first-hand.
There are also hefty prison sentences [0] (up to 14 years) and fines for people who read/distributed the manifesto and watched/shared the original footage.
Edit: A more comprehensive block-list can be found here: [1]
Wait, are you saying that watching the video is considered a crime in and of itself? Not redistribution, and not even mere possession, but just seeing it?
Certainly, like child porn, watching snuff movies was already illegal in NZ before the alt-right terrorist attack, all the NZ censor did was confirm that the snuff movie fell under that category, it was essentially born illegal. No one passed any special new laws to make it so.
It also falls under the US Supreme Court test for obscenity and is equally illegal in the US.
>It also falls under the US supreme court test for obscenity and is equally illegal in the US
I don't think that's correct.
There are no federal obscenity laws. The U.S. government does not expressly prohibit obscene conduct. In fact, the U.S. government expressly protects some communications in the First Amendment to the U.S. Constitution.
18 USC 71 ... is the federal obscenity law, it's been much patched in and around child porn, but the basic law is still there. Of course there's been a lot of Supreme Court rulings in and around it culminating in the Miller test ... Your 'shooting video' is really a snuff film, probably one of the few genuine ones (along with those made by ISIS, and just as bad) and certainly falls under the Miller test
You can't just redefine a murder video as pornographic because you don't like it. You mentioned the Miller test, so you already know it requires that it depict "sexual conduct or excretory functions specifically defined by applicable state law".
Ignoring the state law requirement (which you haven't cited), the video does not depict sexual conduct, and there's no way you can twist this into being illegal in the US. It's not illegal. Period. ISIS videos aren't illegal either.
18 USC 71 is about 'obscenity', which doesn't just include pornography. These days it includes a bunch of clauses about child porn, but that's mostly about politicians wanting to get their names on the board. The original, base law is more general and its definition comes from common law modulated by many Supreme Court decisions.
There's a difference between watching fatal car accidents or faked scenes in movies as opposed to live criminal acts of violence on real people, but there are certainly grey areas too. Who hasn't seen people jumping from the World Trade Center fires?
We're drawn to, and learn from, the plight of others, but there are also legal standards to protect real people who are being filmed while being criminally abused, rather than just acting the part in a video portrayal of such.
Hah, good luck enforcing that. Besides, most people that wanted to already saw the video and read the manifesto because they had proxies set up to get access to US video streaming catalogs.
One of the questions the public is asking them is why White Supremacy is not mentioned in 10 years of NZ SIS and GCSB reports. For readers unfamiliar with the agencies involved, the NZ SIS is NZ's domestic intelligence agency, whereas the GCSB is ostensibly focused on foreign intelligence.
I'm a fan of liquibase. It's a very mature tool which allows you to run it every time the application starts, useful for development to create in-memory DBs. Or you can just call it as part of the build process if you don't want to check the DB changelog tables on startup.
It tracks changes that have been applied in changelog tables so you don't apply them multiple times.
Common operations such as adding a column are defined in a supported markup language, but for more complicated things, such as migrating data, you can reference ad-hoc SQL files. All of which can be checked in to your codebase.
The only real downside is that, because you are applying the entire development history of the database, you can sometimes be caught doing illogical things like adding and then removing something later on. This can be mitigated by rewriting history if needed though.
Flyway was not as good for me because it lacked a domain language; raw SQL makes it less easy to interpret, but I know developers who preferred that.
[0] https://developer.mozilla.org/en-US/docs/Web/API/Request/mod...