|
if you take 10000 steps a day you can eat anything you want and you won't gain an oz
|
#
?
Mar 30, 2018 10:10
|
|
|
|
| # ? Jun 1, 2024 21:58 |
|
|
Ur Getting Fatter posted:hackers know I've been eating too many carbs quote:the majority with the hashing function called bcrypt quote:majority
|
|
#
?
Mar 30, 2018 10:29
|
|
|
Wheany posted:majority yeah thats p reasonable, after you upgrade to bcrypt there isnt much you can do to the old passwords* and you update users passwords to the newer hasher/params after they log in next, if a user hasnt used the service since you updated the password hashing you will probably have the password stored in the old format still *without doing something super hacky like if all you have in the database is old_sha1_method(password), update everything and store bcrypt(old_sha1_method(password)) under a separate format like https://docs.djangoproject.com/en/2.0/topics/auth/passwords/#password-upgrading-without-requiring-a-login and this can be enough of a pain that "let it work itself out for any active users" is a reasonable choice, not to mention the big cost of hashing everything all at once instead of as each user logs in
|
|
#
?
Mar 30, 2018 12:35
|
|
|
or after a while you just invalidate the weakly hashed passwords and make users reset
|
|
#
?
Mar 30, 2018 12:38
|
|
|
i hack my fitness every day with a snack overflow
|
|
#
?
Mar 30, 2018 13:15
|
|
|
Lysidas posted:*without doing something super hacky like if all you have in the database is old_sha1_method(password), update everything and store bcrypt(old_sha1_method(password)) under a separate format like https://docs.djangoproject.com/en/2.0/topics/auth/passwords/#password-upgrading-without-requiring-a-login and this can be enough of a pain that "let it work itself out for any active users" is a reasonable choice, not to mention the big cost of hashing everything all at once instead of as each user logs in doesn't facebook use the that but over every password hashing method they've ever used and also involving HSMs?
|
|
#
?
Mar 30, 2018 14:11
|
|
|
Cocoa Crispies posted:doesn't facebook use the that but over every password hashing method they've ever used and also involving HSMs? basically https://youtu.be/7dPRFoKteIU
|
|
#
?
Mar 30, 2018 14:47
|
|
|
oh cool Charles Proxy now available for iOS time to see who is abusing background app refresh https://twitter.com/lukas_kollmer/status/978911283675324417
|
|
#
?
Mar 30, 2018 14:55
|
|
|
Lysidas posted:*without doing something super hacky like if all you have in the database is old_sha1_method(password), update everything and store bcrypt(old_sha1_method(password)) under a separate format like https://docs.djangoproject.com/en/2.0/topics/auth/passwords/#password-upgrading-without-requiring-a-login and this can be enough of a pain that "let it work itself out for any active users" is a reasonable choice, not to mention the big cost of hashing everything all at once instead of as each user logs in super hacky? if you have 50 lines of code to manage multiple password hashes and migrate, it's like five more to do it the secure way. requiring a login to convert an account to secure is the unreasonable method
|
|
#
?
Mar 30, 2018 16:40
|
|
|
set myself and a couple of my Apple-using partners up with S/MIME personal certs from comodo for encrypted email, very nice & easy
|
|
#
?
Mar 30, 2018 16:42
|
|
|
Dylan16807 posted:super hacky? if you have 50 lines of code to manage multiple password hashes and migrate, it's like five more to do it the secure way. requiring a login to convert an account to secure is the unreasonable method remember that time mtg. ox lost their database to sqli and then some enterprising bitcoiners realized they could make more dosh mining salted-fast-hashed passwords instead of cybercoins?
|
|
#
?
Mar 30, 2018 17:17
|
|
|
Jimmy Carter posted:oh cool Charles Proxy now available for iOS time to see who is abusing background app refresh
|
|
#
?
Mar 30, 2018 18:12
|
|
|
also shocked that ios is contacting apple servers
|
|
#
?
Mar 30, 2018 18:15
|
|
|
anthonypants posted:im the shock that a stargazing app would need to know your location when it's not open?
|
|
#
?
Mar 30, 2018 18:41
|
|
|
anthonypants posted:im the shock that a stargazing app would need to know your location There's no reason it needs to send your information off to the servers when not in use.
|
|
#
?
Mar 30, 2018 18:42
|
|
|
if its granted background access its not super surprising, though the value of knowing exactly where to map the stars on opening is a bit silly for most users since it isnt like most people are rushing to raise their phone faster than a gps lock id chalk it up to lazy programming before anything else but ios also supports disabling location access when closed now specifically to handle this
|
|
#
?
Mar 30, 2018 18:45
|
|
|
Subjunctive posted:when it's not open? EVGA Longoria posted:There's no reason it needs to send your information off to the servers when not in use.
|
|
#
?
Mar 30, 2018 18:50
|
|
|
ate all the Oreos posted:don't worry they've separated the avionics from the entertainment system by a very secure-looking firewall graphic nah they don't even do that anymiore https://www.gao.gov/assets/670/669627.pdf#page=23
|
|
#
?
Mar 30, 2018 18:52
|
|
|
anthonypants posted:so turn the location setting from "Always" to "While Using the App". that's what that's setting's for. or maybe you've got it set to Always so that the app will load quicker, like you would with maps. maybe you're confused about why you think it needs to talk to a server, because you think the images of the sky are hosted in the app and not on some guy's server somewhere. cool job being dense about the privacy implications of apps constantly sending your gps location when not in use also cool job not realizing that they did that for years before iOS forced the "only when using app" as an option
|
|
#
?
Mar 30, 2018 18:55
|
|
|
EVGA Longoria posted:cool job being dense about the privacy implications of apps constantly sending your gps location when not in use it's sending data to a central server, because, like siri or like 90% of the non-game apps on your mobile phone, that's where the data processing happens. this is not a security fuckup. if you don't want it to do that while the app isn't open, there are settings to tell it to not do that while the app isn't open. this is not a security fuckup.
|
|
#
?
Mar 30, 2018 18:58
|
|
|
if only phones had some sort of, say, positioning system, which it could use when you actually open the app, instead of requiring it to constantly phone home to ask where it is so it doesn't get lost
|
|
#
?
Mar 30, 2018 19:08
|
|
|
far more interesting than “makes a connection” would be the content of the data to and fro. That’s your real sec fuckup goldmine
|
|
#
?
Mar 30, 2018 19:15
|
|
|
Trabisnikof posted:far more interesting than “makes a connection” would be the content of the data to and fro. That’s your real sec fuckup goldmine in the twitter thread he posts a screenshot of the stargazing app request, though he didn't include the response. the request looks like it's just lat/lon, app version and some flags
|
|
#
?
Mar 30, 2018 19:18
|
|
|
ate all the Oreos posted:in the twitter thread he posts a screenshot of the stargazing app request, though he didn't include the response. the request looks like it's just lat/lon, app version and some flags "just"
|
|
#
?
Mar 30, 2018 19:21
|
|
|
Hmm, I wonder what interesting data you could get from "just" constant updates of lat/long coordinates of peoples' phones. Perhaps someone could even make a heatmap of them and make it public? Also lol at the idea that instead of just defaulting to a more private setting, every user now just has to make sure that generic app #182 isn't phoning home constantly. Granny doesn't want Bejeweled to know about the doctor she visits? Too bad she didn't know about some random permissions somewhere. ohgodwhat fucked around with this message at 19:26 on Mar 30, 2018 |
|
#
?
Mar 30, 2018 19:23
|
|
|
Pinging user locations every few minutes back to the server in the background all the time seems bad to me for a star gazing app. geofence those requests or something at least
|
|
#
?
Mar 30, 2018 19:27
|
|
|
ohgodwhat posted:Hmm, I wonder what interesting data you could get from "just" constant updates of lat/long coordinates of peoples' phones. Perhaps someone could even make a heatmap of them and make it public?
|
|
#
?
Mar 30, 2018 19:58
|
|
|
EVGA Longoria posted:There's no reason it needs to send your information off to the servers when not in use. sure there is: location based events hey user neat things are happening above you so maybe consider inclining your head within the next few minutes granted that's gonna be somewhat rare but there's your reason
|
|
#
?
Mar 30, 2018 20:03
|
|
|
I don't know why you're struggling with the idea that maybe the default shouldn't be for apps to be able to send whatever they can back to 3rd party servers 24/7.
|
|
#
?
Mar 30, 2018 20:05
|
|
|
anthonypants posted:so turn the location setting from "Always" to "While Using the App". that's what that's setting's for. or maybe you've got it set to Always so that the app will load quicker, like you would with maps. maybe you're confused about why you think it needs to talk to a server, because you think the images of the sky are hosted in the app and not on some guy's server somewhere. maybe it should only request your location when you're using it by default, instead of the user needing to go out of their way to opt out of them constantly feeding your day to day movements back to them for analytics or whatever
|
|
#
?
Mar 30, 2018 20:08
|
|
|
ohgodwhat posted:I don't know why you're struggling with the idea that maybe the default shouldn't be for apps to be able to send whatever they can back to 3rd party servers 24/7. but there's an option to not allow it if you dig around in the settings so it's your fault if you let this happen to you, grandma!
|
|
#
?
Mar 30, 2018 20:13
|
|
|
ios will ask you before the first time the app is allowed to access your location. I don't remember the exact wording of this dialog but maybe it doesn't make clear that you're consenting to location access for all time after that. it's not like android where you have to give permission as a condition of downloading it
|
|
#
?
Mar 30, 2018 20:14
|
|
|
also i think the general public probably doesn't realize that "allow this app to access your location" and "allow this app to run in the background" translates to "allow this app to take your location and send it to our servers, while running in the background, which we will be doing 24/7 from now on" but i'm not really sure how to solve that problem.
|
|
#
?
Mar 30, 2018 20:17
|
|
|
haveblue posted:ios will ask you before the first time the app is allowed to access your location. I don't remember the exact wording of this dialog but maybe it doesn't make clear that you're consenting to location access for all time after that. it's not like android where you have to give permission as a condition of downloading it yeah you get a differently-worded version of this for background access:  and later you'll also get this:  apps get to specify the smaller text, the os controls the big headline
|
|
#
?
Mar 30, 2018 20:18
|
|
|
ate all the Oreos posted:also i think the general public probably doesn't realize that "allow this app to access your location" and "allow this app to run in the background" translates to "allow this app to take your location and send it to our servers, while running in the background, which we will be doing 24/7 from now on" but i'm not really sure how to solve that problem. turns out the whole concept of exposing permissions to the end user and making them figure out what their apps need to be able to access or not was a terrible idea
|
|
#
?
Mar 30, 2018 20:28
|
|
|
the implications of this email I just received aren't concerning at all
|
|
#
?
Mar 30, 2018 20:32
|
|
|
Main Paineframe posted:turns out the whole concept of exposing permissions to the end user and making them figure out what their apps need to be able to access or not was a terrible idea we should just allow apps to do whatever they want without question
|
|
#
?
Mar 30, 2018 21:26
|
|
|
pseudorandom name posted:we should just allow apps to do whatever they want without question or better yet we shouldn't allow apps to do anything at all ever
|
|
#
?
Mar 30, 2018 21:28
|
|
|
ohgodwhat posted:I don't know why you're struggling with the idea that maybe the default shouldn't be for apps to be able to send whatever they can back to 3rd party servers 24/7. Cocoa Crispies posted:yeah you get a differently-worded version of this for background access:
|
|
#
?
Mar 30, 2018 22:00
|
|
|
|
| # ? Jun 1, 2024 21:58 |
|
|
ate all the Oreos posted:or better yet we shouldn't allow apps to do anything at all ever
|
|
#
?
Mar 30, 2018 22:06
|
|
