Hacks, Leaks, and Revelations: The Art of Analyzing Hacked and Leaked Data is available for sale today, and also it's free under a Creative Commons license
Hydroxychloroquine has dangerous side effects for people with heart abnormalities, and shouldn't be prescribed without first determining if it's safe. The FDA warned about this in 2020, and also warned doctors to not prescribe it for COVID-19 since it's shown to be ineffective at treating it: https://www.fda.gov/drugs/drug-safety-and-availability/fda-c...
The doctor never should have prescribed hydroxychloroquine for COVID-19 because it was ineffective and the medical community already knew it at the time, and if they were going to they should have done a physical exam or taken labs to determine if it was safe first, and they didn't.
"Any account doxxing real-time location info of anyone will be suspended, as it is a physical safety violation. This includes posting links to sites with real-time location info."
While you did not embed the link itself, that nuance is a distinction without a difference as the intent was still to share the location to a site with real-time location information, which as stated, will result in suspension/ban.
Twitter just banned Mastodon's official Twitter account @joinmastodon with 174,000 followers, probably because it tweeted a link to @ElonJet's Mastodon account. Twitter is now censoring posting the link, but the user is @elonjet@maston.social
I have doubts that a timing attack would even be exploitable here since it's a hidden service, but I just made the string comparison constant-time to be safe: https://github.com/micahflee/onionshare/issues/3
Keep in mind that the username/password are just hex-encoded 128 bits from /dev/urandom, so they're not guessable at all without some sort of leakage attack, like a timing attack. And if anyone attempts to do a timing attack the person hosting the file will see all the requests scrolling down their terminal in real-time and can always hit ctrl-c.
There's also the bit about knowing the hidden service .onion to attack in the first place, which wouldn't be trivial to discover, especially since I envision these to mostly be very short-lived.
But all that said, this is great feedback. Keep it coming and feel free to open security issues on github.
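As an added example (not OnionShare's code and not the comment author's), the following Python shows the two pieces mentioned above: minting a 128-bit hex-encoded credential from the OS CSPRNG, and checking it with a constant-time comparison instead of an early-exit one. The `naive_compare` helper also reports how many characters it examined before giving up, which is the quantity a timing side channel would expose; the constant-time path has no such dependency. Function names and the credential layout are assumptions for illustration.

```python
import hmac
import secrets
from typing import Tuple


def generate_credential() -> str:
    """Constructed example: 128 random bits from the OS CSPRNG, hex-encoded.

    secrets.token_hex(16) reads 16 bytes (128 bits) and returns 32 hex characters,
    so the value is not guessable without some kind of leakage.
    """
    return secrets.token_hex(16)


def naive_compare(a: str, b: str) -> Tuple[bool, int]:
    """Early-exit comparison, returned alongside the number of characters examined.

    The second value is what a timing side channel would leak: it grows with the
    length of the matching prefix, so an attacker could learn the secret one
    character at a time. This function exists only to make that leak visible.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: str, b: str) -> bool:
    """Constant-time comparison: the work done does not depend on where the
    inputs first differ. hmac.compare_digest also handles unequal lengths
    without short-circuiting on the length check in a data-dependent way."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_credentials(expected_user: str, expected_pass: str,
                       given_user: str, given_pass: str) -> bool:
    """Check both fields in constant time.

    Both comparisons are evaluated unconditionally (no `and` short-circuit) so a
    wrong username does not skip the password check and reveal which field failed.
    """
    user_ok = constant_time_compare(expected_user, given_user)
    pass_ok = constant_time_compare(expected_pass, given_pass)
    return user_ok and pass_ok


if __name__ == "__main__":
    # Constructed demo input: the naive path examines more characters the
    # longer the correct prefix is; the constant-time path just says yes/no.
    print(naive_compare("abcd", "zbcd"))   # (False, 1)
    print(naive_compare("abcd", "abzz"))   # (False, 3)
    user, password = generate_credential(), generate_credential()
    print(verify_credentials(user, password, user, password))  # True
```

The `naive_compare` step count is the whole point of the demonstration: a server that returns as soon as the first mismatching byte is found takes measurably longer for guesses that share a longer correct prefix, and the constant-time version removes that signal.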
What is the semantic difference between username and password? If they're both randomly generated for a particular resource, why not combine them into one access key field?
Hmmm. There are music & video search tabs in my (12.04) dock that do seem to search out online. The music purchase links go to http://one.ubuntu.com though. The video searches seem to go to BBC iPlayer & YouTube.
Your settings tweaks don't work on 12.04 - any idea how I would go about disabling this?
(The settings schema "com.canonical.Unity.Lenses" doesn't exist on my system.)
It doesn't particularly matter if people trust StartSSL, it matters if browsers trust them (which they do).
There are about 100 root CAs, and something like 1000 CAs if you include intermediates (controlled by ~650 different organizations - https://www.eff.org/observatory), and browsers trust ALL of them. All it takes is one to issue a malicious cert, or to get hacked, to do a MITM attack on ANY domain without showing a browser warning.
The trustworthiness of a single CA doesn't make a difference, because if any CA isn't trustworthy then an attacker can use them instead of the other ones. This is the problem with CAs, and the problem with centralized trust systems in general. There are hundreds of weak points.
But also, StartSSL does fairly thorough identity verification. I've had to send them photos of my passport and talk to them on the phone to do identity verification. It's also worth noting that it's the CA that both https://www.eff.org/ and https://pressfreedomfoundation.org/ use.
As long as there's a broken CA system, the choice of CA does not matter in the slightest as long as it's trusted by browsers. Users only care if it breaks a website with a scary warning, but if it doesn't, it doesn't matter. There's no need to spend money.
StartSSL does charge if you have more than very basic needs, like if you want multiple alt names, or if you want a wildcard. But it's still cheaper than the competition.
> it matters if browsers trust them (which they do).
We had endless problems with StartSSL on mobile browsers. They have only recently been added to the latest Windows Mobile 8 repo and you can forget about any phone OS (except iOS) that was released before 2012.
The thing with SSL providers is most people think if it works on Chrome and IE they're set, but for certain businesses they need something that will work on the Wii Browser, an IBM Power System, or an older dumbphone. SmartTVs in particular are pretty annoying to get any CA list for because whoever implemented the browser portion on the devices probably just imported some random Java lib from circa 2002.
If you are doing something small and personal, StartCom is just fine. If you're running a business, at some point it may become inevitable that you switch to the oldest provider you can reasonably sign up for, in particular one of the Original Three (Thawte, GlobalSign, or Verisign). If you're running a non-profit advocating for privacy and cryptography where a large number of your users may be based in the Middle East running on legacy hardware, you may want to take a cursory look to see if your users are getting any cert problems and get a cert from Thawte (the cheapest of the three - though you will need to chain to an intermediary cert if you went with their 123 option).
If you offer software to download HTTPS is a must. Otherwise any active attacker, from a kid at a coffee shop to the NSA at the ISPs, can make it so when people download your software they're also downloading your software with malware attached. Software downloads are one of the most important things to protect, and it saddens me that some websites still exist that offer software downloads that don't use HTTPS.
Last night we released a Chromium update that had a critical bug that broke the browser. As soon as we discovered this we removed it from the Chrome store temporarily until we could release an update.
When was the last time you tried Debian on your desktop? It's much better than it used to be. The only piece of hardware that didn't work out of the box for me was wifi, but I just had to enable the nonfree repo to install my wifi driver. Other than that, it's a lot like Ubuntu.
A long time ago, I switched to Ubuntu when it arrived.
Besides drivers, I still wouldn't want to fiddle around with unstable repos, apt pinning and those long release cycles on my desktop. Nowadays you get PPAs for most stuff you need, which is nice, too. So there is still some additional value that Ubuntu provides. If not that, then the arguably larger "desktop community". Launchpad is a nice-to-have platform as well, in my opinion.