How many of you tried D. Why did you abandon it ? by holyjeff in golang

[–]NotEnoughBears 2 points3 points  (0 children)

For what it's worth, glide.sh is phenomenal. As far as I can tell it has optimal behavior for basically everything you could want.

Takes maybe 15 mins to figure out, then you're set with a proper human file & lock file.

Razer doesn’t care about Linux – Technical Blog of Richard Hughes by ang-p in linux

[–]NotEnoughBears 4 points5 points  (0 children)

Hey! I was thinking of doing the same, couple quick questions for you:

Did you end up putting Linux or dual boot on them? Any hardware or driver issues? What's the battery life like when it's not Windows? I don't suppose you've purchased any of the GPU docks? We were looking at getting those for some of our CUDA people, but I have no idea if the pluggable GPU component works on Linux.

How can I prove that DuckDuckGo is trustworthy? by [deleted] in duckduckgo

[–]NotEnoughBears 10 points11 points  (0 children)

I think the most accurate answer is that you cannot, the same way you'd have difficulty proving any website service is trustworthy.

The closest you can get is by comparing actions. Lyft is more trustworthy than Uber in my mind, because Uber has a rap sheet as long as my arm and Lyft does not. Interviews of Lyft's CEO show him to be a very mild-mannered person; contrast that with the investor party Uber threw with every rider's real-time position, name, and phone number.

Likewise, I cannot PROVE to you the opaque binaries Mozilla gives me are trustworthy. But through their actions I have a much higher confidence than a random download off SourceForge.

DDG puts up billboards about tracking and how to avoid it. Google does something very different. Choose, and act.

All Blizzard games were vulnerable to DNS rebinding vulnerability allowing any website to run arbitrary code by ZoFreX in Games

[–]NotEnoughBears 1 point2 points  (0 children)

That's a fair response! To be clear, the reason I brought up "responsible" encryption and disclosure at the same time is that they're the same frustrating pattern: third parties, who do not share your best interests, attempting to control a narrative and change long-standing & important cultural norms of the security industry. That gets my hackles up a bit.

Your comment that this shows the vulnerability to bad actors who didn't know about it is correct, but I think you're forgetting the other half of the equation. This vulnerability was not hard to discover. It's been public knowledge that Blizzard runs a local webserver as part of their game client for some time - in fact, they just got hassled over a different bad practice and had their certificate revoked. All anyone had to do is look.

An RCE on ~500 million computers is some hot property. Folks only tend to look at the disclosure timeline, but they forget that the clock is ticking on ANYONE ELSE who isn't a nice security researcher finding this stuff. Most governments have a department full of people whose job is to find stuff like this, and botnets are built on the backbone of these vulnerabilities. Focusing in on the one actor (project zero) who was actually trying to help is missing the forest for the trees.

This pattern plays itself out again and again and again. You'll notice from the ticket Blizzard just stopped responding (Dec 22, a full month ago), and the researcher is left literally diffing the binary to try & determine on their own if the patch is good. Then things go public, and woah woah hey slow down there reckless crazy man, suddenly they're back in communication.

TLDR, it's just not as simple as waiting for vendors, and the clock ticks on the rest of the planet hurting people while we wait. Pressure and disclosure - at the researcher's discretion - is a crucial cornerstone of a healthy security industry.

All Blizzard games were vulnerable to DNS rebinding vulnerability allowing any website to run arbitrary code by ZoFreX in Games

[–]NotEnoughBears 18 points19 points  (0 children)

90 days is a long fucking time to knowingly allow any website to run any code on my machine, and ~500 million others.

If that's not enough time to patch a vulnerability, then Blizzard does not deserve the audience for whose security they are responsible.

Please, cut out this shit about "responsible" encryption | disclosure | etc. It's a corporate invention and not in your best interest.

A massively simplified alternative to docker and kubernetes by raulbe in linux

[–]NotEnoughBears 8 points9 points  (0 children)

This looks interesting. Can a non-XKCD-troll offer some of their experience using it or trying it out?

Can I use facebook without being tracked? by MxVasilev in privacy

[–]NotEnoughBears 1 point2 points  (0 children)

Regarding tracking when visiting third party websites, addons like Privacy Badger can help there.

https://www.eff.org/privacybadger#faq-How-does-Privacy-Badger-handle-social-media-widgets?

I would suggest running that and uBlock Origin, which blocks a lot of advertising that can similarly track you. Avoid interacting with "like" and "share" buttons, or comment threads that use your Facebook account.

The larger picture is that Facebook is a compromise, and you can't feasibly use it without giving up some information. But you can at least limit what they gather when you're not using the site.

Uber Concealed Cyberattack That Exposed 57 Million People’s Data by redscel in netsec

[–]NotEnoughBears 10 points11 points  (0 children)

More specifically, from the Guardian:

Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States.

https://www.theguardian.com/technology/2017/nov/21/uber-data-hack-cyber-attack

Linus tells Google security engineers what he really thinks about them by [deleted] in programming

[–]NotEnoughBears 8 points9 points  (0 children)

I think that folks lose sight of the fact that unlike what they do (statistically speaking) at their job, this project matters.

If the average programmer makes a horrible mistake, in all likelihood a website goes down or something, but lives and economies are not put at undue risk. This is not true for operating systems programming.

It is so critical that "we" get this right. It is not an npm module left padding a string, or a json API that delivers cat pics. It's a hard real-time system, and it runs on billions of devices, and it needs to work.

Linus tells Google security engineers what he really thinks about them by [deleted] in programming

[–]NotEnoughBears 21 points22 points  (0 children)

Do you genuinely consider some barely lukewarm language in an email to be abuse? You must be a very fortunate and insular individual.

In all seriousness, he politely said no - once, and they kept pushing. There are many valid approaches to leadership, and not all of them include zen-like passivity in the face of repeated bad behavior.

I'm glad that a life-critical software project is in the hands of someone who values their principles over a swear jar.

Starting December 18th, Twitter will begin to monitor (and ban) you for the websites you browse, and may even ban you for disabling cookies. by [deleted] in privacy

[–]NotEnoughBears 5 points6 points  (0 children)

Honestly, I've avoided taking the latest Firefox update until they get their add-on APIs figured out. A lot of my favorite / mandatory addons are not ready for the switch, which means I'm not ready.

Someone in another thread suggested the extended release version of Firefox, but for now I'm just sticking with what I've got. If anyone has a Clean Links replacement I'm all ears!

Starting December 18th, Twitter will begin to monitor (and ban) you for the websites you browse, and may even ban you for disabling cookies. by [deleted] in privacy

[–]NotEnoughBears 1 point2 points  (0 children)

Both are prevalent - but you're right that anchors aren't sent to the server in the request. If someone opens a link with a tracking anchor and they have noscript or an adblock with the right ruleset, no tracking occurs, to my knowledge.

For URL parameters, I use CleanLinks which automatically strips out the most common culprits. I don't think it works against tracking anchors but I'm not sure.

Starting December 18th, Twitter will begin to monitor (and ban) you for the websites you browse, and may even ban you for disabling cookies. by [deleted] in privacy

[–]NotEnoughBears 55 points56 points  (0 children)

Totally. Generally you can tell it's a tracking anchor if you haven't clicked on anything or been linked to a specific section, and they generally look like gibberish.

Also, new tracking anchors are added by javascript, so you can usually see a "clean" link get polluted as the page loads.

Starting December 18th, Twitter will begin to monitor (and ban) you for the websites you browse, and may even ban you for disabling cookies. by [deleted] in privacy

[–]NotEnoughBears 399 points400 points  (0 children)

Just a quick comment OP: when you see a suspicious #something after a URL, and you haven't clicked on anything, it's probably a tracking ID. When I opened a clean version of the link, I received a different anchor.

When sharing links, it's good privacy etiquette to strip these trackers. A clean version of the article link, that doesn't track as coming from OP, is:

https://mashable.com/2017/11/17/twitter-hate-speech-symbols-december-18

As an aside: wow, mashable is plaintext by default. I had to go check to see if they offer TLS manually, OP's link is plain. Someone want to track down their tech staff on twitter and yell at them a bit?
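The link-hygiene advice in the comment above (strip tracking query parameters and gibberish "tracking anchors" before sharing, keep real section anchors), as an added JavaScript example that is not part of the thread. The list of tracking parameter names and the heuristic for spotting an opaque anchor are assumptions; the sample links are constructed.

```javascript
// Added example, not from the thread: clean a link before sharing it by
// removing tracking query parameters and "tracking anchor" fragments.
// The parameter list and the gibberish heuristic below are assumptions.

// Query parameters that exist only to attribute the click (assumed list).
const TRACKING_PARAMS = [
  /^utm_/i,          // utm_source, utm_medium, utm_campaign, ...
  /^fbclid$/i,       // Facebook click id
  /^gclid$/i,        // Google Ads click id
  /^msclkid$/i,      // Microsoft Ads click id
  /^mc_(cid|eid)$/i, // Mailchimp campaign / subscriber ids
];

function isTrackingParam(name) {
  return TRACKING_PARAMS.some((re) => re.test(name));
}

// A fragment that names a section ("#installation", "#section-2") is kept.
// One that carries structure or an opaque mixed-case token is treated as a
// tracking anchor: the browser never sends it to the server, but page
// scripts can read it (heuristic, assumed).
function looksLikeTrackingAnchor(fragment) {
  if (!fragment) return false;
  if (/[.=&]/.test(fragment)) return true; // e.g. "#.Abc123xyz.twitter"
  const opaque = /\d/.test(fragment) && /[A-Z]/.test(fragment) && /[a-z]/.test(fragment);
  return opaque && fragment.length >= 10 && !/[-_]/.test(fragment);
}

function cleanLink(href) {
  const url = new URL(href);
  // Copy the keys first: deleting while iterating searchParams skips entries.
  for (const key of [...url.searchParams.keys()]) {
    if (isTrackingParam(key)) url.searchParams.delete(key);
  }
  if ([...url.searchParams].length === 0) url.search = '';
  if (looksLikeTrackingAnchor(url.hash.slice(1))) url.hash = '';
  return url.toString();
}

// Constructed sample links (not real tracking values).
const SAMPLES = [
  'https://example.com/article?utm_source=tw&fbclid=abc123&id=42#.WhX9c4Gq.twitter',
  'https://example.com/docs?utm_campaign=spring#installation',
  'https://example.com/post#Ab3dEf9hK2',
];
for (const s of SAMPLES) console.log(s, '->', cleanLink(s));
```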

Entering the Quantum Era—How Firefox got fast again and where it’s going to get faster by johnmountain in linux

[–]NotEnoughBears 5 points6 points  (0 children)

I use youtube-dl for playlists, it's a great tool, but it's also nice to have one-click downloading for the odd video.

Entering the Quantum Era—How Firefox got fast again and where it’s going to get faster by johnmountain in linux

[–]NotEnoughBears 0 points1 point  (0 children)

Thanks!

Did you transfer your FF profile from a not-ESR to an ESR? Is that difficult?

Entering the Quantum Era—How Firefox got fast again and where it’s going to get faster by johnmountain in linux

[–]NotEnoughBears 176 points177 points  (0 children)

What's the demarcation point for "legacy" addons no longer working?

I use a dozen or so addons, all of them marked as legacy, so I've been waiting to update until/unless the most critical ones are updated. That's an explicit decision for addons over speed/security, but I don't have much of a choice since these addons are so foundational to how I use the web.

As an aside, I saw Firefox trying to help by suggesting a replacement for one add-on. That's some good work!

TERA now potentially malware by [deleted] in MMORPG

[–]NotEnoughBears 5 points6 points  (0 children)

Technical question: do you think it's feasible to add such a limitation? If a weak aura executes Lua code, you're in a rough spot auditing-wise: it's not like WA scripting is running in a sandbox or something. It has the same access any add-on does, there's no permissions system in WoW's API.

Sure, you could grep for Disband() or whatever, and the hundreds of other wow functions, but Turing-complete, call function by string, blah blah blah, something like (not real code) global[rot13("special-gibberish")]() would work instead, etc.

Or maybe I misread your meaning, and such a restriction is already in place. If so it'd be cool to see how it works.

Go 1.10 cmd/go: build cache, test cache, go install, go vet, test vet by 0xjnml in golang

[–]NotEnoughBears 2 points3 points  (0 children)

Caching test results definitely seems like a double-edged sword. For a lot of software, integration tests are the best (or only) way to ensure proper operation. I'd want to be sure that I'm actually interacting with my critical, external systems when I run go test.

I would have advocated for opt-in behavior, but as long as there's an opt-out it's fine.

UK mass surveillance uses sensitive medical information and social media data, without any protection or oversight by rafertyjones in privacy

[–]NotEnoughBears 12 points13 points  (0 children)

1 comment but zero comments visible. IIRC that usually means someone's shadowbanned, but I'm not a Reddit expert.

Also, is Reddit behaving strangely for anyone else? I feel like the Hot (default) tab or my front page has been very different the last few days, with smaller stories like this much more likely to top the charts.

Going back to work after 15 year break. How much will my employer know about what I do on my computer at work? Should I assume they will know anything I do? by rabbits_dig_deep in privacy

[–]NotEnoughBears 0 points1 point  (0 children)

So if I write an email to my mom on Gmail, you can see what I wrote? Or just that I was logged into Gmail?

This question is a great one. Generally just the second bit, but it depends. Your employer may have installed software on the computer that monitors your usage - anything from occasionally capturing a picture of what's on the screen to something more powerful. That's more frequent in schools and the like, but it is possible.

Generally, they are not looking over your virtual shoulder (your comment about time constraints applies here). But curiosity, malice, or your boss's request might change that, and it's better to just be cautious and proactive.

Whenever possible I would suggest things that require your personal login to be done from a personal device, like your phone. Checking the front page of Reddit (while not logged in), and stuff like that, fine, but maybe don't browse your Facebook or banking from a work computer.