chainsaw10's comments

chainsaw10 | 7 years ago | on: Blocking high-risk non-secure downloads

From my reading, it looks like they're considering this for only non-HTTPS downloads initiated from an HTTPS page.

Relevant quotes:

> ... we will likely start by treating certain high-risk downloads initiated from secure contexts as active mixed content and block them.

> We're not planning to focus on non-secure downloads initiated from non-secure contexts at the moment, because users at least see the "Not Secure" omnibox badge on those pages.

chainsaw10 | 7 years ago | on: Facebook Is Giving Advertisers Access To Your Shadow Contact Information

If someone does that with one of my (custom domain) addresses, it won’t work, here’s what I implemented: https://zackorndorff.com/2015/03/10/disposable-email-address...

(To save you a click, they look like [email protected], with shorthash being based on COMPANY and a secret)

Downside is the address ends up absurdly long, and I’ve had to manually create some aliases for companies that won’t accept the plus.

I don’t recommend this setup, it’s kind of a pain to maintain, but I wish one of the mainstream providers would implement something similar.
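As an added example (not the commenter's implementation, whose exact address layout is obfuscated on this page), here is one way to build per-company aliases whose short hash is keyed on the company name and a secret, plus the inbound check that rejects aliases with a guessed or altered hash. The `user+company.shorthash@domain` layout, the HMAC-SHA256 construction, the 6-hex-character length, the domain `example.com` and the secret are all assumptions chosen for the example:

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Added example, not the poster's code. The layout is an assumption (the page
# obfuscates the real one): <user>+<company>.<shorthash>@<domain>, where
# shorthash = first HASH_LEN hex chars of HMAC-SHA256(secret, company).
SECRET = b"constructed-example-secret-do-not-reuse"  # constructed stand-in
USER = "me"                                           # constructed stand-in
DOMAIN = "example.com"                                # stand-in for the custom domain
HASH_LEN = 6   # 24 bits: blind forgery needs ~16M tries, still short enough to type

ALIAS_RE = re.compile(
    r"^(?P<user>[^+@]+)\+(?P<company>[a-z0-9-]+)\.(?P<tag>[0-9a-f]+)@(?P<domain>[^@]+)$"
)


def short_hash(company: str, secret: bytes = SECRET) -> str:
    """Keyed tag for a company name; without `secret` nobody can mint new tags."""
    mac = hmac.new(secret, company.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:HASH_LEN]


def make_alias(company: str, user: str = USER, domain: str = DOMAIN) -> str:
    """Address to hand to `company`; every company gets its own alias."""
    name = company.strip().lower()
    return f"{user}+{name}.{short_hash(name)}@{domain}"


def check_alias(address: str) -> Tuple[bool, Optional[str]]:
    """Inbound filter: returns (accepted, company).

    Mail to an alias whose tag was altered or guessed is rejected, so a
    leaked or brute-forced 'me+company.xxxxxx@' does not get through unless
    the tag is the one the secret would have produced for that company.
    """
    m = ALIAS_RE.match(address.strip().lower())
    if not m or m["user"] != USER or m["domain"] != DOMAIN:
        return False, None
    company = m["company"]
    # compare_digest is constant-time and returns False when lengths differ
    ok = hmac.compare_digest(m["tag"], short_hash(company))
    return ok, company


if __name__ == "__main__":
    alias = make_alias("Acme")
    print(alias, check_alias(alias))
    tag = short_hash("acme")
    forged = alias.replace(tag, ("0" if tag[0] != "0" else "1") + tag[1:])
    print(forged, check_alias(forged))
```

The company name is folded to lowercase before hashing so that `Acme` and `acme` produce the same alias, and the tag comparison uses `hmac.compare_digest` so a filter that rejects bad tags does not leak timing information about how many leading characters matched.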

chainsaw10 | 7 years ago | on: How I use Wireshark

Locally-installed root CAs are allowed by HSTS, so if you added the HTTPS proxy to the root store, this would work without warning, unless you manually checked the certificate.

Of course, this only works on machines you're the admin of, which is why it's allowed.

chainsaw10 | 8 years ago | on: Digital Vigilantes Who Hack Back

So what happens if a hacker hacks company A and uses their server as a jump box to hack company B? Is company B allowed to hack A since their machine was used in an attack?

Or even worse, what if company B is mistaken as to who attacked them? If they "hack back" as advocated, but against the wrong target, are they liable?

chainsaw10 | 8 years ago | on: Chrome 68 will mark all HTTP sites as “not secure”

> log in with some criteria more than just a username/password

The problem there is that captive portals don't add any extra link-layer security. The network is open, so literally anyone can sniff packets.

It's uncommon, but a network using WPA2-Enterprise and user/pass uses different keys for each person (not sure if per device or per user), so you don't have to trust everyone in the room.

chainsaw10 | 8 years ago | on: The growing body of evidence that digital distraction is damaging our minds

Very well said.

To directly answer GP's question:

I took a differential equations class last semester, where the easy part of quite a few problems was to solve a quadratic equation. And it was easy, because my algebra classes had correctly required me to practice that skill (and memorize the quadratic formula).

So, you say, I'm never going to take differential equations. And you very well might not. I have two responses to that:

1) That's true, you might not, but the guy sitting next to you will, and he doesn't even know it yet. If you were allowed to opt out of that subject, you both would, and he wouldn't even have a chance to make up for it later.

2) There are plenty of other subjects where the easy part is an algebra concept, and it's only easy because you practiced it years before.

chainsaw10 | 8 years ago | on: Avast open-sources its machine-code decompiler

radare2 is a disassembler, not a decompiler.

Disassembly is a much easier task than decompilation, since it's a mostly mechanical process. Decompilation requires you to undo the optimizations/transformations the compiler did as it generated the binary, which is much harder.

That said radare2 is still cool, and a GUI (Cutter) is in the works.

chainsaw10 | 9 years ago | on: Tiny Linux distro that runs the entire OS as Docker containers

> Which would work if licenses and copyrights didn't exist.

I don't think it would.

Dynamic linking allows a library to be patched once and have the patch apply to all the programs using it. If every program was statically linked, you would have to update each one individually.

Not to mention the waste of space.

I'm guessing much of that is moot these days, but IMHO it's still something to aim for.

chainsaw10 | 9 years ago | on: Tavis Ormandy finds another major hole in Lastpass

I feel like just having a browser extension is a major security hole for any password manager. Yes it's more usable and prevents domain spoofing, but it makes the attack surface huge.

Whereas to exploit a desktop app that doesn't interface with the browser (written in a decent way), you'd need code execution already.

Thoughts?

chainsaw10 | 9 years ago | on: Linus on Git and SHA-1

> reversing commit hashes back into their contents

Somewhat off topic, but is this actually possible?

Given hashing is inherently lossy, I'm inclined to assume it's not possible for anything much longer than a password, but commits are text, which I suppose is low entropy per character, so I don't know.
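As an added example (not the commenter's code, and not git's own implementation) of what a git object hash actually is: SHA-1 over a small typed header followed by the serialized object, so a commit id is a fixed 160-bit digest of the tree id, parent ids, author and committer lines, and the message. The only "reversal" available is re-hashing guesses and comparing, which works only when everything except one low-entropy field is known. The author string, timestamps and commit messages below are constructed for the example; the empty-blob, `hello` and empty-tree ids are git's well-known values.

```python
import hashlib
from typing import Iterable, Optional

# Added example, not from the linked discussion. A git object id is
# SHA-1("<type> <size>\0" + raw object bytes); that is all `git hash-object` does.

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree id


def git_object_id(obj_type: str, body: bytes) -> str:
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    """Same value `git hash-object` prints for a file holding these bytes."""
    return git_object_id("blob", content)


def commit_bytes(tree: str, parents: Iterable[str], author: str,
                 committer: str, message: str) -> bytes:
    """Serialise a commit exactly as git stores it (before zlib compression):
    header lines, a blank line, then the message."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", ""]
    return ("\n".join(lines) + "\n" + message).encode()


def commit_id(tree: str, parents: Iterable[str], author: str,
              committer: str, message: str) -> str:
    return git_object_id("commit", commit_bytes(tree, list(parents), author, committer, message))


def recover_message(target: str, tree: str, parents: Iterable[str], author: str,
                    committer: str, candidates: Iterable[str]) -> Optional[str]:
    """Guess-and-check 'inversion': re-hash each candidate message with the
    known header fields and compare. Finds the message only if it is in the
    candidate set; there is no way to walk back from the digest itself."""
    parents = list(parents)
    for msg in candidates:
        if commit_id(tree, parents, author, committer, msg) == target:
            return msg
    return None


if __name__ == "__main__":
    print(blob_id(b""))        # e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
    print(blob_id(b"hello\n"))  # ce013625030ba8dba906f756967f9e9ca394464a
    # constructed author/committer line: "Name <email> <unix time> <tz>"
    who = "Ada Example <ada@example.com> 1700000000 +0000"
    cid = commit_id(EMPTY_TREE, [], who, who, "Initial commit\n")
    print(cid)
    print(recover_message(cid, EMPTY_TREE, [], who, who,
                          ["Fix typo\n", "Initial commit\n", "WIP\n"]))
```

Changing a single byte anywhere in the serialized commit gives an unrelated id, and the id carries no information about the length or content of the message beyond what a guess-and-check over known header fields can confirm.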

chainsaw10 | 9 years ago | on: When “Dumb Pipes” Get Too Smart

> The bug is in bad js authored by CF

No, the bug is definitely in the browser. Web code is untrusted and should not be able to adversely affect the browser.

chainsaw10 | 9 years ago | on: Messaging Is the One Thing People Do More Than Anything Else on Their Phone

> Why not standardize?

You can't. These apps don't federate, and not everyone uses all of them.

As I wrote this comment, I realized I use more apps than I thought.

I use SMS for some folks, Messenger for others, and Slack, Hangouts, and GroupMe for specific groups.

If I'm in a 5+ person group chat, I can't really ask everyone to move to something else. And I want to hear what's going on, so I keep the app around.
