|
Some require e-mail correspondence, some have deletion mechanisms on the site proper, and others are broken relics acquired or expired. Being in Canada I also had a fourth category of “service is geo-blocked and I’m not installing a VPN just to terminate that”.
|
#
?
Mar 18, 2023 00:35
|
|
|
|
| # ? May 29, 2024 23:59 |
|
|
Late to the VPN discussion but poo poo really changes when you stop doing "put all the VPN clients in one subnet and open fw rules to it" and start creating traffic rules based on the client's presently-authenticated user account
|
|
#
?
Mar 18, 2023 16:00
|
|
|
Shumagorath posted:Some require e-mail correspondence, some have deletion mechanisms on the site proper, and others are broken relics acquired or expired. Being in Canada I also had a fourth category of “service is geo-blocked and I’m not installing a VPN just to terminate that”.
|
|
#
?
Mar 18, 2023 17:01
|
|
|
Anyone know what the gently caress is going on with Firefox's message about websites requesting 'extended information' about authenticators when registering them? It warns you that it can 'anonymize' the information, but that the relying party may reject it. And... that's it. No actual information about what information is requested. Tracing through the source code of firefox it seems to be talking about requests for direct attestation. Which, according to yubico https://developers.yubico.com/WebAuthn/Concepts/Securing_WebAuthn_with_Attestation.html is not really a major privacy concern unless you literally don't want them to know what model authenticator you're using. It shouldn't, afaik, contain any uniquely (as in per-individual-physical-authenticator) information. Spending a couple hours searching for more information on this I'm more convinced than ever what the entire 2FA world is still a complete loving poo poo show. Outside of an enterprise this poo poo is borderline unusable. The web browsers are the worst offenders. They give you absolutely zero loving information on what is happening, what is being requested, etc... Is this just a second factor? U2F or Webauthn? Is this a password-less account the site is trying to setup? Is it the kind where you have an unlimited number, or a limited number of certs actually on the authenticator? Who the gently caress knows?
|
|
#
?
Mar 18, 2023 19:08
|
|
|
adnam posted:Dumb question - but I came across this post from somewhere in business, finance etc given Lastpass's incredible idiocy these last few years. I've migrated over to 1password but I saw digital cruft mentioned here. How can I go about closing accounts that I no longer use, or is it just a whack-a-mole of emailing websites to close my account, or stop using accounts at service x, y, z and pray they eventually rot away? Someone else asked this and my answer was to just delete the account name and password from your 1password and forget they exist, with the exception of old email: Klyith posted:In terms of security I don't think it matters. Nobody's gonna use your planetquake account from 2002 to gain access to anything else. The thing that might be dangerous is old email accounts, and it's probably better to keep the keys to those rather than delete them. Certainly if a website doesn't have a "delete my account" feature anywhere I doubt emailing the webmaster and asking them to delete will do much. Facebook might send you into a digital maze and hide the account delete button behind some sort of puzzle where you have to figure out which dark pattern tells the truth and which one always lies -- but at least they have a delete button.
|
|
#
?
Mar 18, 2023 20:39
|
|
|
Oh yeah don’t forget ticket websites that often flag carrier NAT as “bot that hasn’t paid us” and prevents you from even logging in. This includes Ticketmaster, where calling the sales office will get you further than engineering.
|
|
#
?
Mar 18, 2023 21:17
|
|
|
This should be a fun one to deal with  https://twitter.com/ItsSimonTime/status/1636857478263750656
|
|
#
?
Mar 18, 2023 21:48
|
|
|
Ugh how how how, cropping can also be undone?
|
|
#
?
Mar 18, 2023 21:51
|
|
|
Thanks Ants posted:Ugh how how how, cropping can also be undone? I believe it just overwrites the head of the file and leaves junk in the tail, was sort of the impression I got. Though that would imply the files don't actually get smaller, which you'd think somebody would have noticed. Also it seems to be specific to 'Markup' for screenshots, so probably doesn't affect pictures cropped with google photos? Is the impression I got.
|
|
#
?
Mar 18, 2023 22:04
|
|
|
So who has a Samsung phone? https://arstechnica.com/information-technology/2023/03/critical-vulnerabilities-allow-some-android-phones-to-be-hacked/
|
|
#
?
Mar 18, 2023 22:22
|
|
|
Pablo Bluth posted:So who has a Samsung phone? Thankfully mine is a Snapdragon. This seems to be the list of Exynos phones, that's the affected platform.
|
|
#
?
Mar 18, 2023 22:33
|
|
|
Fortunately Samsung's history of commitment to product support will ensure that no vulnerable devices are left out there
|
|
#
?
Mar 18, 2023 22:34
|
|
|
Thanks Ants posted:Fortunately Samsung's history of commitment to product support will ensure that no vulnerable devices are left out there I mean google is no better. They updated the Pixel 7, and owners of the whole year-old Pixel 6 were told to sit tight. I'm kidding of course they've said nothing at all, there's no actual ETA for Pixel 6 owners for this 10/10 critical remote superuser-privileged code execution bug.
|
|
#
?
Mar 18, 2023 22:48
|
|
|
Rescue Toaster posted:Anyone know what the gently caress is going on with Firefox's message about websites requesting 'extended information' about authenticators when registering them? It warns you that it can 'anonymize' the information, but that the relying party may reject it. And... that's it. No actual information about what information is requested. The short version is that with a lovely FIDO device, it's possible to uniquely identify you. The website can identify which batch you're in. If the manufacturer did something sketchy and did one batch per hardware key, it would be possible to track you. Don't stress too much about it.
|
|
#
?
Mar 18, 2023 23:39
|
|
|
Rescue Toaster posted:I believe it just overwrites the head of the file and leaves junk in the tail, was sort of the impression I got. Though that would imply the files don't actually get smaller, which you'd think somebody would have noticed.
|
|
#
?
Mar 19, 2023 00:26
|
|
|
Shumagorath posted:I definitely have a photo on my drive that’s edited like this; for several versions of Windows it would show more in the thumbnail than was displayed in whatever image viewer. I could probably hex edit back to the original. It's more likely that this is a jpeg image with an embedded thumbnail, and whatever tool cropped the original image didn't update the thumbnail. So you could recover a low-resolution version of the original, but not the original picture itself.
|
|
#
?
Mar 19, 2023 01:25
|
|
|
Jabor posted:It's more likely that this is a jpeg image with an embedded thumbnail, and whatever tool cropped the original image didn't update the thumbnail. So you could recover a low-resolution version of the original, but not the original picture itself.
|
|
#
?
Mar 19, 2023 02:10
|
|
|
Pablo Bluth posted:So who has a Samsung phone? Vindicated in never upgrading my old Note.
|
|
#
?
Mar 20, 2023 08:19
|
|
|
Rescue Toaster posted:I mean google is no better. They updated the Pixel 7, and owners of the whole year-old Pixel 6 were told to sit tight.
|
|
#
?
Mar 20, 2023 10:44
|
|
|
starting renewal process for sec+, holy lol I forgot how much of a pain these questions where. I got stuck on XSRF/XSS/SXSS questions, because I'm not really a web guy and I forgot which specifically was which.
|
|
#
?
Mar 20, 2023 17:19
|
|
|
I thought you could just submit CE stuff instead of doing the renewal test
|
|
#
?
Mar 20, 2023 17:23
|
|
|
The Fool posted:I thought you could just submit CE stuff instead of doing the renewal test I got forced into doing the cert master thing, because I slept on my renewal stuff and I have like two weeks to do the other options.
|
|
#
?
Mar 20, 2023 17:40
|
|
|
$50 more to do the 4hr renewal test (that your company should be paying for) over “doing” 50 hours of CE. I’d do the test every single time. Even out of pocket.
|
|
#
?
Mar 20, 2023 20:04
|
|
|
lol. lmao. https://twitter.com/David3141593/status/1638222624084951040
|
|
#
?
Mar 21, 2023 19:15
|
|
|
yeah computers were a cool experiment just toss em and lets go back to mail and paper tickets please
|
|
#
?
Mar 21, 2023 19:36
|
|
|
Teaching sand to do maths was a mistake.
|
|
#
?
Mar 21, 2023 19:43
|
|
|
I wonder if imgur understands what kind of data they are sitting on right now.
|
|
#
?
Mar 21, 2023 20:27
|
|
|
Apparently you have to follow a particular workflow with the win11 tool that shouldn't be very common, and allegedly win 10s "win+shift+s" is safe. At least.
|
|
#
?
Mar 21, 2023 20:35
|
|
|
Sickening posted:I wonder if imgur understands what kind of data they are sitting on right now. This vuln is only on Win 11 so I'm guessing that's a fraction of a percent of all the screen grabs from Windows that are hosted there.
|
|
#
?
Mar 21, 2023 20:35
|
|
|
Maybe those Butlerians had the right idea.
|
|
#
?
Mar 21, 2023 20:40
|
|
|
imgur recompresses everything before serving it up, so nothing they serve should be affected. Who knows if they keep the original files, but I kind of doubt it. This is probably the tip of the iceberg, I'm gonna guess a lot of image markup and editing tools will be shown to not fully sanitize their output.
|
|
#
?
Mar 21, 2023 21:12
|
|
|
Rescue Toaster posted:Anyone know what the gently caress is going on with Firefox's message about websites requesting 'extended information' about authenticators when registering them? It warns you that it can 'anonymize' the information, but that the relying party may reject it. And... that's it. No actual information about what information is requested. If it's just direct attestation then yeah as Buff Hardback said there shouldn't be much to worry about; the spec allows you to identify the make and model of the authenticator but nothing more (specifically because of privacy concerns). If it's enterprise attestation though then that's a different matter, that part of the spec does allow identifying authenticators by their serial number (or similar). Barely anything supports EA yet though, and Yubikeys that support it are not sold to consumers.
|
|
#
?
Mar 21, 2023 21:59
|
|
|
TheFluff posted:If it's just direct attestation then yeah as Buff Hardback said there shouldn't be much to worry about; the spec allows you to identify the make and model of the authenticator but nothing more (specifically because of privacy concerns). If it's enterprise attestation though then that's a different matter, that part of the spec does allow identifying authenticators by their serial number (or similar). Barely anything supports EA yet though, and Yubikeys that support it are not sold to consumers. Interestingly, based on the Firefox source I'm pretty sure it does not differentiate between indirect, direct, or enterprise attestation in terms of the prompting. So unfortunately you have no way of knowing, as Firefox doesn't even tell you the attestation type let alone give you the option to see the attestation metadata. Yet another way the UX around 2FA is still dog poo poo.
|
|
#
?
Mar 21, 2023 22:29
|
|
|
bull3964 posted:imgur recompresses everything before serving it up, so nothing they serve should be affected. I’m told that Discord doesn’t!
|
|
#
?
Mar 21, 2023 23:35
|
|
|
Subjunctive posted:I’m told that Discord doesn’t! Discord fixed this problem in Jan 2022 iirc, so anything uploaded before that is a problem but not nowadays anymore I believe.
|
|
#
?
Mar 21, 2023 23:39
|
|
|
CLAM DOWN posted:Discord fixed this problem in Jan 2022 iirc, so anything uploaded before that is a problem but not nowadays anymore I believe. They didn’t just go and re-encode everything they already had? Tsk tsk.
|
|
#
?
Mar 21, 2023 23:43
|
|
|
Subjunctive posted:They didn’t just go and re-encode everything they already had? Tsk tsk. Not that I was able to read/find! Who knows though!
|
|
#
?
Mar 21, 2023 23:52
|
|
|
As of last night and seeing which screen grabs on discord could be expanded, I can see it does not appear to have been retroactively applied at this time. Maybe that's changing, but it doesn't seem to be right now.
|
|
#
?
Mar 22, 2023 16:55
|
|
|
Rescue Toaster posted:I believe it just overwrites the head of the file and leaves junk in the tail, was sort of the impression I got. Though that would imply the files don't actually get smaller, which you'd think somebody would have noticed. I forgot the article, but I read one that went into the details. Basically, the cropping tool would save the new image to the same file as the old image using the native file APIs. When this was originally implemented, the native file APIs correctly resized the file when this happened. At some point after that, the native file APIs were changed to the new behavior of just overwriting the head of the file and not resizing by default (why?). This retroactively caused the issue and nobody noticed until now. The "good" news is that the bug only happens with the file cropping tool, not the photo cropping tool. Because the default photo cropping tool in Android saves a new copy of the image instead of overwriting the old one. So unless you specifically open your photos outside of Google Photos for editing, it won't happen with camera photos. It is mostly an issue with cropped screenshots. KillHour fucked around with this message at 17:10 on Mar 22, 2023 |
|
#
?
Mar 22, 2023 17:07
|
|
|
|
| # ? May 29, 2024 23:59 |
|
|
Is it a terrible idea to expose a self hosted bitwarden instance to the internet? Currently mine is only available over my VPN but I am kicking around the idea of extending it to my family in a desperate effort to get them to have better password management and security in general as opposed to using the same drat password for everything.
|
|
#
?
Mar 25, 2023 15:45
|
|
