therealtbs's comments

therealtbs | 5 years ago | on: WhatsApp whitepaper removed sentence about never having access to private keys

Yes, everyone is in complete hysterics exactly because Facebook is evil (by the definition "harmful or tending to harm" (OED) or "morally reprehensible" (Merriam-Webster)). Just remember the recent(-ish) Oculus controversy, where they forced everyone who bought their hardware to sign in with Facebook and in some cases (soft-)bricked users' devices because their Facebook accounts did not have enough activity [1]. Especially because Palmer Luckey (founder of Oculus), when answering questions about the acquisition in 2014, said that Facebook would not do such a thing [0].

I personally am scared because the language being used here is not at all specific to the scenario mentioned here ("hosted clients"). I understand that anything more specific would probably be rejected by their legal team. I am afraid that some 5 years down the line they'll be able to do something worse without notifying users because the TOCs and privacy policies are written in this ambiguous language.

Regarding alternatives, I can't really speak on the security/privacy of any of them but from what I can gather, Matrix does have E2E-encryption functionality [2] so I'm not quite sure how it is less secure than Signal (provided you host your own server and/or have a reasonable degree of trust in the server-operator of your conversation-partner).

[0] https://www.cgmagonline.com/2020/08/19/oculus-founder-facebo...

[1] https://www.eurogamer.net/articles/2020-10-15-oculus-quest-2...

[2] https://matrix.org/blog/2020/05/06/cross-signing-and-end-to-...

therealtbs | 6 years ago | on: Ask HN: Is GraphQL still relevant?

I have been using GraphQL professionally as a frontend developer for about 1.5 years and I think it is definitely getting more relevant now.

I can't speak for many services that use GraphQL since we always have our own backend that we use. But I can speak a bit from my experiences using it with a number of different backends.

So first up: The number one thing GraphQL does really well is the tooling. You can have anywhere from a full-featured client for your SPA with Apollo [0] to a simple client for just one-off requests like urql [1]. You can have your schema be automatically turned into type definitions for TypeScript so everything is strictly typed from the backend to the frontend. Do you want to adopt microservices? You can offer your frontend devs a single GraphQL endpoint with schema stitching or Apollo Federation [2].

Also great is the ability to compose queries how you see fit. Need a sub-sub-sub entity of whatever you're querying? If the schema is properly set up, that is easily done in one request, while with REST you are potentially looking at up to 4 requests that need to be made. So from a UX-perspective it is also quite nice because there may be lower latency.

Since GraphQL is different from REST, it does require a different way of thinking by the backend developer. I've worked on one project where the developers weren't quite thinking in GraphQL, so they had fields that referred to objects by their ID instead of referring to them directly. That, coupled with not having a unified schema in a microservices environment, meant that the end result wasn't much better than just using a REST API.

So I would recommend GraphQL for projects where, like the name suggests, you have a complex graph of objects or entities you need to regularly traverse. I wouldn't use it for things where in most cases a single REST-Request is all that's needed.

[0] https://www.apollographql.com/docs/react/

[1] https://github.com/FormidableLabs/urql

[2] https://blog.apollographql.com/apollo-federation-f260cf525d2...
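The "sub-sub-sub entity in one request" point above is easiest to see by measuring how deeply a query nests its selection sets. The following is an added example, not code from the comment above or from Apollo or urql; the sample query, the helper names and the depth limit are constructed for illustration.

```javascript
// Added example: measure the nesting depth of a GraphQL query document.
// Each level below the root selection set is one more entity the client
// would otherwise have to fetch with a separate REST request if the API
// only handed out ids. Not from the original comment or any library.

// Constructed sample query: the root field, then a "sub-sub-sub entity".
const SAMPLE_QUERY = `
  query OrderDetails($id: ID!) {
    order(id: $id) {        # level 1
      customer {            # level 2
        address {           # level 3
          country { code }  # level 4
        }
      }
    }
  }
`;

// Returns how many selection sets are nested below the operation's root
// selection set. Braces inside string literals and after '#' comments are
// skipped so that they do not skew the count. Throws on unbalanced braces.
function selectionDepth(query) {
  let depth = 0;
  let max = 0;
  let inString = false;
  let inComment = false;
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (inComment) {
      if (ch === "\n") inComment = false;
      continue;
    }
    if (inString) {
      if (ch === "\\") i++;          // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === "#") inComment = true;
    else if (ch === '"') inString = true;
    else if (ch === "{") {
      depth++;
      if (depth > max) max = depth;
    } else if (ch === "}") depth--;
  }
  if (depth !== 0) throw new Error("unbalanced selection sets");
  // The outermost brace pair belongs to the operation itself, so subtract it.
  return max === 0 ? 0 : max - 1;
}

// Hypothetical server-side guard: refuse queries nested deeper than `limit`.
function withinDepthLimit(query, limit) {
  return selectionDepth(query) <= limit;
}
```

Running `selectionDepth(SAMPLE_QUERY)` gives 4, the four round trips the comment counts for a REST API that only returns ids. The guard is there because the same property that saves the frontend requests lets a client ask for arbitrarily deep (or cyclic) traversals in one go, so a production schema normally caps depth or query complexity on the server.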

therealtbs | 7 years ago | on: A well-known URL for changing passwords

I assume the password manager is supposed to prepend the host of the login form or whatever host is configured in the password manager.

So if I save example.com in my password manager, it will access example.com/.well-known/change-password no matter which URLs I later visit that might be on subdomains of that original page.

If I already configured evil.example.com in my password manager, it's game over anyway before anything relevant to this spec even happens.

therealtbs | 7 years ago | on: A well-known URL for changing passwords

Usually the place where you realize you forgot your password is the login form. So the 'standard' link/button/whatever below/next to/in proximity of the login form works quite well for this.

Since the spec is intended for password managers and other user agents, it makes sense to have a standard location to access such functionality.

Also the page could be anything (i.e. it doesn't have to be a redirect), so theoretically AWS could set up an account chooser that has links to all the appropriate places for your accounts.
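The two comments above describe both halves of the well-known URL: the password manager deriving the URL from the origin it stored, and the site answering the path with either a redirect or a page of its own. The following is an added example that is neither the spec's text nor any password manager's code; the vault contents, the helper names and the `/settings/password` target are constructed for illustration.

```javascript
// Added example: a password manager resolving the change-password URL from
// a stored origin, plus a minimal site-side handler for the path. Hypothetical
// helper names; not from the spec or any real password manager.

// Client side: the manager derives the URL from the origin it stored when the
// login was saved, never from whatever page happens to be open later.
function changePasswordUrl(savedOrigin) {
  const u = new URL(savedOrigin);
  if (u.protocol !== "https:") {
    throw new Error("refusing to use the well-known URL over " + u.protocol);
  }
  return `${u.origin}/.well-known/change-password`;
}

// Look up the stored entry for the page being visited. Matching is by exact
// origin, so evil.example.com does not inherit example.com's entry. If the
// user saved evil.example.com earlier, that entry is used, which is the
// "game over anyway" case from the comment above.
function entryForPage(entries, pageUrl) {
  const origin = new URL(pageUrl).origin;
  return entries.find((e) => new URL(e.origin).origin === origin) || null;
}

// Server side: answer the well-known path. A redirect to the real form is the
// common case, but the response could just as well be a full page such as an
// account chooser. Returned as plain data so it can be checked without a server.
function handleWellKnown(pathname, changePasswordPath = "/settings/password") {
  if (pathname !== "/.well-known/change-password") {
    return { status: 404, headers: {}, body: "not found" };
  }
  return { status: 302, headers: { Location: changePasswordPath }, body: "" };
}

// Constructed vault: one saved login for example.com.
const VAULT = [{ origin: "https://example.com", user: "alice" }];

// Walk-through: the login page on the saved origin resolves to its entry,
// a lookalike subdomain does not.
const hit = entryForPage(VAULT, "https://example.com/account/login?next=/");
const miss = entryForPage(VAULT, "https://evil.example.com/login");
```

With the vault above, `hit` is alice's entry and `changePasswordUrl(hit.origin)` is `https://example.com/.well-known/change-password`, while `miss` is `null`: the manager never builds a URL for a host it did not store. Refusing plain `http:` origins matters because the well-known path is followed automatically and would otherwise be an easy place to inject a fake change-password form on the wire.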

therealtbs | 7 years ago | on: Ask HN: Is Atom now dead in the water?

When the news of the acquisition first broke, they said they were going to keep GitHub as a separate company. So Microsoft would not have anything to do with Atom, it's still GitHub's.

therealtbs | 7 years ago | on: Google's Doors Hacked Wide Open by Own Employee

In my (tbh quite limited) experience, I have found that physical security devices are some of the worst offenders when it comes to connecting to anything more complex than a simple RFID-tag. I wonder why there are no (or few?) companies that get their devices properly audited before release. I personally would pay much more for devices that have an independent audit published.