82 Matching Annotations
  1. Oct 2023
    1. In short, Netanyahu is here to stay, and so is Hamas, and it is very difficult to find reasons for optimism.
      • for: Hamas 2023 attack on Israel

      • comment

        • there is no CONVENTIONAL solution, which opens the door for alternative solutions
    2. In short, the combination of blind intelligence, due to the vision of the country’s leaders, and the absence of troops around the Strip allowed this assault to take place with the human toll that we know.
      • for: Hamas 2023 attack on Israel - reason for failure
    3. In short, the intelligence services fell asleep, but to a large extent this can be explained by the government’s stance – and it should be added that for months now the prime minister has been concentrating almost exclusively on his fight to take control of the Supreme Court, which was an absolute priority for him – at least until 7 October.
      • for: priorities - Hamas 2023 attack on Israel
    4. Obviously, recently, it no longer had any sources within Hamas. Its blindness is no less astonishing. For example, journalists had reported in recent months that many Hamas militants regularly went out to train on motorbikes, and even learned to fly light aircraft; and yet the Israeli services saw nothing of it. This is a major flaw for which they will have to answer one day.
      • for: confirmation bias, confirmation bias - hamas attack on Israel
  2. Jun 2023
  3. May 2023
  4. Apr 2023
  5. Mar 2023
  6. Jan 2023
  7. Aug 2022
    1. In a clickjacking attack, the attacker creates a malicious website in which it loads the authorization server URL in a transparent iframe above the attacker’s web page. The attacker’s web page is stacked below the iframe, and has some innocuous-looking buttons or links, placed very carefully to be directly under the authorization server’s confirmation button. When the user clicks the misleading visible button, they are actually clicking the invisible button on the authorization page, thereby granting access to the attacker’s application. This allows the attacker to trick the user into granting access without their knowledge.

      Maybe browsers should prevent transparent iframes?! Most people would never suspect this is even possible.

    1. ANALYSIS OF ATTACK EVENTS
      • Flash loan is a type of unsecured lending that relies on the atomicity of blockchain transactions at the point of execution and adds dynamism to DeFi

      • Reentry attack " the DAO"

      • Arithmetic bug

    1. ‘Attack DAO

      coalition of MKR, Dai and CDP holders.

    2. These attacks affect both the current single-collateral Dai (SCD or ‘Sai’) and the upcoming multi-collateral Dai (MCD) implementations, as well as similar systems with on-chain governance.

      51% is not neccesary to manipulate governance to steal the system's collateral.

  8. Jun 2022
  9. May 2022
  10. Apr 2022
    1. Health Nerd. (2021, March 28). Recently, Professor John Ioannidis, most famous for his meta-science and more recently COVID-19 work, published this article in the European Journal of Clinical Investigation It included, among other things, a lengthy personal attack on me Some thoughts 1/n https://t.co/JGfUrpJXh2 [Tweet]. @GidMK. https://twitter.com/GidMK/status/1376304539897237508

  11. Feb 2022
    1. The techniques we have outlined—randomization, stack protection, and lim-iting which portions of memory can hold executable code—are three of the mostcommon mechanisms used to minimize the vulnerability of programs to bufferoverflow attacks

      有什么技术可以保护程序免收攻击?

  12. Dec 2021
  13. Jul 2021
  14. Jun 2021
    1. paint, chairs, food, electric and neon lights, smoke, water, old socks, a dog,movies, a thousand other things that will be discovered by the present generation of artists.

      I used to watch a TV show called "Art Attack" when I was a child, which is also my initiation of art. I remember he created a huge artwork made up of used clothes, trash, and some garbage bags. That was also the first time that I know the form of art can be various and diverse. Have you watched this TV show before?

  15. Apr 2021
  16. Mar 2021
    1. Deepti Gurdasani. (2021, February 27). The campaign against @DrZoeHyde that has involved several scientists targeting her with personal attacks, and trying to misrepresent her is deeply disappointing. She has been referred to as ‘evil’, ‘idiotic’, ‘sadistic’, and a’sociopath’. A few thoughts on these attacks. [Tweet]. @dgurdasani1. https://twitter.com/dgurdasani1/status/1365641557404229638

  17. Feb 2021
    1. Dr. Tara C. Smith. (2021, January 23). A reminder: Especially among the elderly, some individuals will die shortly after receipt of the vaccine. What we need to understand is the background rate of such deaths. Are they higher then in the vaccinated population? We didn’t see that in the trials. Some data from @RtAVM. https://t.co/LJe9k1WJQC [Tweet]. @aetiology. https://twitter.com/aetiology/status/1352810672359428097

  18. Oct 2020
    1. Could you please explain why it is a vulnerability for an attacker to know the user names on a system? Currently External Identity Providers are wildly popular, meaning that user names are personal emails.My amazon account is my email address, my Azure account is my email address and both sites manage highly valuable information that could take a whole company out of business... and yet, they show no concern on hiding user names...

      Good question: Why do the big players like Azure not seem to worry? Microsoft, Amazon, Google, etc. too probably. In fact, any email provider. So once someone knows your email address, you are (more) vulnerable to someone trying to hack your account. Makes me wonder if the severity of this problem is overrated.

      Irony: He (using his full real name) posts:

      1. Information about which account ("my Azure account is my email address"), and
      2. How high-value of a target he would be ("both sites manage highly valuable information that could take a whole company out of business...")

      thus making himself more of a target. (I hope he does not get targetted though.)

    2. Another thing you can do is to add pain to the second part of it. Attackers want the list of valid usernames, so they can then try to guess or brute force the password. You can put protections in place with that as well, whether they are lockouts or multi-factor authentication, so even if they have a valid username, it's much harder to gain access.
    3. That is certainly a good use-case. One thing you can do is to require something other than a user-chosen string as a username, something like an email address, which should be unique. Another thing you could do, and I admit this is not user-friendly at all, to let them sign up with that user name, but send the user an email letting them know that the username is already used. It still indicates a valid username, but adds a lot of overhead to the process of enumeration.
    1. How would you remediate this? One way could be to have the application pad the responses with a random amount of time, throwing off the noticeable difference.
    2. Sometimes, user enumeration is not as simple as a server responding with text on the screen. It can also be based on how long it takes a server to respond. A server may take one amount of time to respond for a valid username and a very different (usually longer) amount of time for an invalid username.
    1. This is a very dangerous practice as each optimization means making assumptions. If you are compressing an image you make an assumption that some payload can be cut out without seriously affecting the quality, if you are adding a cache to your backend you assume that the API will return same results. A correct assumption allows you to spare resources. A false assumption introduces a bug in your app. That’s why optimizations should be done consciously.
  19. Sep 2020
  20. Jun 2020
    1. The answer, of course, is end-to-end encryption. The way this works is to remove any “man-in-the-middle” vulnerabilities by encrypting messages from endpoint to endpoint, with only the sender and recipient holding the decryption key. This level of messaging security was pushed into the mass-market by WhatsApp, and has now become a standard feature of every other decent platform.
    2. The issue, though—and it’s a big one, is that the SMS infrastructure is inherently insecure, lending itself to so-called “man-in-the-middle attacks.” Messages run through network data centres, everything can be seen—security is basic at best, and you are vulnerable to local carrier interception when travelling.
    1. When you make a call using Signal, it will generate a two-word secret code on both the profiles. You will speak the first word and the recipient will check it. Then he will speak the second word and you can check it on your end. If both the words match, the call has not been intercepted and connected to the correct profile
  21. May 2020
    1. Ghinai, I., Woods, S., Ritger, K. A., McPherson, T. D., Black, S. R., Sparrow, L., Fricchione, M. J., Kerins, J. L., Pacilli, M., Ruestow, P. S., Arwady, M. A., Beavers, S. F., Payne, D. C., Kirking, H. L., & Layden, J. E. (2020). Community Transmission of SARS-CoV-2 at Two Family Gatherings—Chicago, Illinois, February–March 2020. MMWR. Morbidity and Mortality Weekly Report, 69(15), 446–450. https://doi.org/10.15585/mmwr.mm6915e1

  22. Apr 2020
    1. Since the authenticity token is stored in the session, the client cannot know its value. This prevents people from submitting forms to a Rails app without viewing the form within that app itself. Imagine that you are using service A, you logged into the service and everything is ok. Now imagine that you went to use service B, and you saw a picture you like, and pressed on the picture to view a larger size of it. Now, if some evil code was there at service B, it might send a request to service A (which you are logged into), and ask to delete your account, by sending a request to http://serviceA.com/close_account. This is what is known as CSRF (Cross Site Request Forgery). If service A is using authenticity tokens, this attack vector is no longer applicable, since the request from service B would not contain the correct authenticity token, and will not be allowed to continue.
  23. Feb 2019
  24. Sep 2017
    1. Terrorist use of an actual nuclear bomb is a low-probability event

      Low probability and high impact but not a black swan

    2. we attempt to spell out here the likely consequences of the explosion of a single terrorist nuclear bomb on a major city, and its subsequent ripple effects on the rest of the planet.