feature request: AI-based risk analysis, with a model of which types of commercial vehicles at that location are likely to be controlled by organized crime
It is discussed here: https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-De... - the HPN-SSH maintainer says "I do have an issue with [the OpenSSH 9.6] release in that it breaks interaction with HPN-SSH. The client seems to be window limited to 2MB sending regardless of what is being advertised by the receiver."
for "That's exactly what we will be doing initially! Our tablets taste much better than Bite!" I might go with the brand "habitablets" and the tagline "where self-care meets planet-care"
the idea is that "habitablets" are a type of "tablets" that (when widely adopted to reduce packaging waste and shipping waste) will ultimately make our planet more "habitable"
Suppose you have office space in the jail, and give him (or anyone else) the opportunity to apply for remote jobs at anyplace willing to hire him - with the caveat that he loses office access unless he demonstrates that he's maximizing his potential to earn money, all of which will go directly to compensating victims. (Assume that he can't have Zoom calls with arbitrary colleagues of his choice. He can only have Zoom calls with Bill Lumbergh.)
I appreciated the links to the audit, but your quote was misleading to me when taken out of context like you did. I interpreted it as basically saying that the author couldn't or wouldn't address the issues identified. The full quote was:
> The upstream author doesn't have enough resources to address them on its own and wants to develop fixes in the open. Therefore I have created GitHub issues in the upstream project and publish the full report today.
I.e. the "and wants to develop fixes in the open" part left me with a very different interpretation from when I first read your comment.
These issues are pretty recent. I would greatly appreciate sponsorship to address issues faster: https://github.com/sponsors/schollz or just help with PRs.
Just wanted to say that Croc is one of the most reliable and straightforward file transfer tools I’ve ever used. It worked so well that I used it for Android (via Termux) to Windows transfers regularly. I only wish there was a way to use it on iOS but I imagine that’s challenging.
Thanks for the kindness :) I use it the same way actually! I don't use any Apple products so that's the major roadblock for me to develop against iOS...
Yes, I subscribe to Daniel Stenberg's RSS feed and have seen his many articles bemoaning excessive classification of bugs as vulnerabilities. One of these bugs, however, shows serious cryptographic deficiencies. Unfortunately there are a lot of cryptography amateurs making stuff without a proper understanding and making grandiose claims, so my default stance is one of skepticism unless reputable cryptographers have looked at it.
I use wormhole-william, the Go version of the Python magic wormhole, and age, mostly because of this Latacora endorsement:
What data is stored about an employee's justification for viewing a customer account? Is there an enumerated set of justifications such as "direct customer inquiry" versus "to be used for upselling other banking products" versus "IT debugging" etc., or is it free-form text? Is the justification process more complex if the bank knows that the customer is a public figure, celebrity, or maybe anyone who meets Wikipedia's notability requirements?
Years ago, many decisions to hide error details were a cargo cult reaction to CVE-2012-4929. To review, CVE-2012-4929 works like this:
1. the attacker can see (but not decrypt) the victim's TLS traffic to example.com
2. an attacker-controlled website makes the victim send many different invalid requests to example.com, each of which gets an error message
3. some data in each request is attacker-controlled, but authentication data in headers is filled in by the victim's browser
4. example.com compresses response data before encrypting it
5. because repetitions affect compression, the response size is smallest when the authentication data matches part of the attacker-controlled data
6. after enough requests, the attacker knows the authentication data to login to example.com as the victim
One workaround for CVE-2012-4929 was to set up the server so that an error message never depended on the request data. Before CVE-2012-4929 was announced, people thought it was sufficient to sanitize the error message (i.e., avoid XSS) but CVE-2012-4929 prompted a shift toward producing exactly the same error message for all invalid requests. (Not sure, but I think this was the original motivation for Google's famous "That's an error. That's all we know." messages.)
There were better CVE-2012-4929 defenses later, but the cargo cult had already formed. (Some subset of) a generation of developers believed that customized error messages were Very Bad because they enabled account takeover.
"Some of the documents that we previously received through FOIA suggested that all major manufacturers of color laser printers entered a secret agreement with governments to ensure that the output of those printers is forensically traceable."
The yellow dot feature doesn't exist? It most certainly does.
You can see this yourself by putting a darker ink in place of the yellow in your printer.
Out of curiosity, why couldn't I make a printer driver that always sent the printer data with some extra yellow dots scattered around, in an arrangement that would make the tracking codes illegible?
Perhaps the yellow dot is placed slightly off from the axes of the standard grid, making it unforgeable through input data. I'm not sure that's what they've done, but surely they have to have considered input sanitization to some degree.
That's exactly how countermeasure software works. I believe it was both the EFF and CCC that developed counteractive software for this after initially discovering it (correct me if I'm wrong).
The firmware would make sure the significant yellow dot patterns would be recognisable by not printing some of those yellow dots you tell it to print. As long as the firmware has the final say on what ends up printed there is no way you can avoid those watermarks no matter how cunning your scheme is. Stalin was right when he said "It's not who votes that counts, it's who counts the votes" - this is just as applicable here: "It's not who orders the print that counts, it's who prints the order".
Given that there is open source firmware for 3D printers, I’d say no. Also, the “resolution” of 3D printers is not high enough to allow for a telltale “mark” that was otherwise undetectable.
I mean you can't laser print bank notes either, not just because of the EURion constellation [1], but because they look and feel literally nothing like bank notes. I honestly never understood the impetus.
Oh, you can absolutely laser print bank notes. It used to be a thing in the 90s, either with color laser printers or color photocopiers. Of course, they're absolutely horrid fakes.
Now, the only person dumber than a criminal who would think to try this is a store clerk who would accept these. So it is not an effective crime, unless the effect you want is "jail, quickly". But it is nonetheless a real crime.
Generally counterfeiters will strip the ink from a $1 bill and print a $20 or $50 on it. This way it feels like real money. It is easily detectable if you hold it up to the light, but a cashier might not notice it right away.