18,239 Matching Annotations
  1. Last 7 days
    1. to recover loss of observability

      Elaborate... what do you mean? How does it do so? Do they mean recover from loss of observability?

    1. Foreign companies selling into the U.S. are subject to sales tax regimes to the extent there is nexus with the state, which can be established, among other ways, through a physical contact with the state (payroll, property, agents, and inventory held under the Fulfillment by Amazon arrangement) or substantial sales exceeding economic thresholds enacted in light of the Wayfair decision.
    1. Don’t confuse Consent Mode with Additional Consent Mode, a feature that allows you to gather consent for Google ad partners that are not yet part of the Transparency and Consent Framework but are on Google’s Ad Tech Providers (ATP) list.
    1. Will not read or write first-party [analytics cookies]. Cookieless pings will be sent to Google Analytics for basic measurement and modeling purposes.
    2. If a user denies consent, tags no longer store cookies but instead send signals to the Google Server as described in the next section. This prevents the loss of all information about visitors who deny consent and it enables Google Analytics 4 properties to model conversions as described in About modeled conversions.
    1. By default, Google tags use automatic cookie domain configuration. Cookies are set on the highest level of domain possible. For example, if your website address is blog.example.com, cookies are set on the example.com domain.
    2. This means that if cookie expiration is set to one week (604800 seconds), and a user visits using the same browser within five days, the cookie will be available for an additional week, and they will appear as the same visitor in your reports. If that same user instead visited after the original cookie had expired, a new cookie will be created, and their first and second visits will appear as coming from distinct visitors in your reports.

      Not perfect, but at least that's simple enough to understand

  2. May 2023
    1. While I'm not as strongly against the above example code as the others, specifically because you did call it out as pseudocode and it is for illustrative purposes only, perhaps all of the above comments could be addressed by replacing your query = ... lines with simple query = // Insert case-sensitive/insensitive search here comments, as that keeps the conversation away from the SQL injection topic and focuses on what you're trying to show. In other words, keep it on the logic, not the implementation. It will silence the critics.
    2. I know this is an old question but I just want to comment here: to whatever extent email addresses ARE case sensitive, most users would be "very unwise" to actively use an email address that requires capitals. They would soon stop using the address because they'd be missing a lot of their mail. (Unless they have a specific reason to make things difficult, and they expect mail only from specific senders they know.) That's because imperfect humans as well as imperfect software exist (surprise!), which will assume all email is lowercase, and for this reason these humans and software will send messages using a "lower-cased version" of the address regardless of how it was provided to them. If the recipient is unable to receive such messages, it won't be long before they notice they're missing a lot, and switch to a lowercase-only email address, or get their server set up to be case-insensitive.
    3. This is an insightful application of Postel's law en.wikipedia.org/wiki/Robustness_principle. It remains wrong to write software that assumes local parts of email addresses are case-insensitive, but yes, given that there is plenty of wrong software out there, it is also less than robust to require case sensitivity if you are the one accepting the mail.
    4. If you're already using PostgreSQL anyway, just use citext as the type of the email_address column.
    5. Solution: store emails with case sensitivity; send emails with case sensitivity; perform internal searches with case insensitivity.
    6. The robustness principle suggests that we accept case-sensitive emails.
    7. I'd phrase it stronger: "you're unsafe to treat email addresses in a case-sensitive manner"
    8. So yes, the part before the "@" could be case-sensitive, since it is entirely under the control of the host system. In practice though, no widely used mail systems distinguish different addresses based on case.
    9. In short, you are safe to treat email addresses as case-insensitive.
    1. responded with typical self-effacing matter-of-factness
    2. "Of course, there isn’t any 'God of the Internet.' The Internet works because a lot of people cooperate to do things together."
    1. A flaw can become entrenched as a de facto standard. Any implementation of the protocol is required to replicate the aberrant behavior, or it is not interoperable. This is both a consequence of applying the robustness principle, and a product of a natural reluctance to avoid fatal error conditions. Ensuring interoperability in this environment is often referred to as aiming to be "bug for bug compatible".
    2. Rose therefore recommended "explicit consistency checks in a protocol ... even if they impose implementation overhead".
    1. However, some do differentiate between upper and lower case characters in the recipient part.

      which ones, for example?

    2. If you are storing email addresses then you probably should store them in their original case (the recipient at least) to be safe. However, always compare them case-insensitively in order to avoid duplicates.
    1. Although there's an argument for keeping case sensitivity for the local mailbox (as they can be case sensitive, depending on how they're set up, though I haven't come across case sensitivity in university emails), the domain part of the email address is not case sensitive and should not be treated as such. Please can we (a) retain case information from the email address the student uses to set up their account (in case their mailbox is case sensitive), and use that when sending password reset emails, etc., but also (b) when checking credentials for login or setting up an account, treat the email address as non-case-sensitive. The upshot would be if someone registered with Student@City.ac.uk, all emails would go to Student@City.ac.uk, but the student would be able to log in with student@city.ac.uk, and if someone later tried to set up an account with student@city.ac.uk they'd be told that the user already exists.
    1. However, it's difficult to rely on a case-sensitive email address in the real world because many systems (typically ones that have to handle data merging) don't preserve case. Notably systems that use email addresses for user IDs, or any system that has to collate data from multiple sources (CRMs, email broadcast systems, etc) will either normalise case or treat them case-insensitively.
    2. However, for all practical purposes in the modern age, I believe you can consider email addresses to be case insensitive.
    1. A SHOULD is always trumped in RFCs by a MUST. The fact that hosts SHOULD do something means that they might not, and I just wanted reassurance that, in reality, the SHOULD is a bit more widely adopted than its definition implies.
    1. Not many email services or ISPs enforce case-sensitive email addresses.

      which ones do?

    2. Since the case sensitivity of email addresses can create confusion and delivery problems, most email providers and clients either fix the case if the email address is entered in the wrong case, or they ignore upper-case entries. Not many email services or ISPs enforce case-sensitive email addresses.
    1. The above-mentioned RFC 5321 recommends for new email addresses to be created with lower-case letters only to avoid potential confusion and delivery problems.

      it does? where does it say that?

    2. While email addresses are only partially case-sensitive, it is generally safe to think of them as case insensitive. All major providers, such as Gmail, Yahoo Mail, Hotmail, and others, treat the local parts of email addresses as case insensitive.
    3. According to RFC 5321, the local part of the email address is case sensitive. This means that, in theory, SoMething@something.com is not the same as something@something.com. However, email providers have the liberty to treat the local parts as both case sensitive and case insensitive.
    1. Are Email Addresses Case Sensitive? Technically, the answer is yes. However, email addresses are typically not case sensitive; if you type your email address into a form and accidentally capitalize one or two letters, it probably won’t prevent the sender from emailing you.
    2. The local part does, in fact, take the case into account, as per RFC 5321. However, Email Service Providers (ESPs) are aware of the potential confusion that could result from allowing upper-case letters.
    1. In short, while it's technically possible to make the part before @ case sensitive, most popular email servers do not allow that.
    2. Most big email providers like Gmail, Outlook and even company email addresses hosted on Google Suite are not case sensitive, just to avoid any unnecessary confusion. However, in extreme cases, some large companies implement case sensitivity on their server, as some people can often have the same first and last name. But in general, this creates more confusion than usability, which is why most standard email providers avoid case sensitivity.
    1. This doesn't make any sense, though. Once you recognize that the two may represent different addresses, you're arbitrarily choosing the first one in your system as the right one, when the second one is just as right. Just give up at that point and lowercase ’em.

      which one should be considered the correct one?

    2. Some say you should treat addresses as case-preserving as opposed to case-sensitive, meaning you don't change IStillUse@AOL.COM to istilluse@aol.com but you still consider it a dupe of iSTilLUSE@aol.com.
    3. Either way, at some point almost everyone started treating addresses as case-insensitive.
    4. When an IETF RFC uses the keyword “MUST” it means business
    5. Despite it being commonplace to “fix up” email addresses by lowercasing them — or, in financial/government contexts, uppercasing them — email addresses are clearly defined as case-sensitive in the only standard that matters.
    1. Since using case insensitivity is so widespread, take their sign up email address and make it lower case. Whenever they try to log in, convert that to lowercase as well, for comparison purposes, when you go to see if the user exists. As far as sign up and sign in go, do a case insensitive comparison. If the person signs up as Steve@example.com, you'll still want to allow them to sign in later with steve@example.com or sTeVE@example.com.
    2. But you should also keep track of the email address that they signed up with in a case sensitive fashion. Any time you send an email to them, be sure to send it with that original casing. This allows the email server to handle it however it feels like it needs to. So even though the person may always be signing in to your site with steve@example.com, if they signed up as Steve@example.com, you'll always send email to Steve@example.com, just to be safe.
    3. Some day, the de facto standard and the official standard will hopefully be the same. It's too bad we have to deal with this issue at all.
    4. The de facto standard is to treat local mailboxes as case insensitive, but the official standard says case matters (though even the official standard mentions the de facto standard).
    5. Gmail does something similar. You can register an email address with a . in it and Gmail just ignores that for its internal email address. So you can get Firstname.Surname@gmail.com and that's effectively the same email address as FirstnameSurname@gmail.com. Back in 2004 when Gmail launched, I found this to be an especially user-friendly feature of their email service.
    1. This ensures that GetResponse and our customers comply with Anti-Spam laws.

      IMHO, the customer should be able to opt out of this automatic adding if they want more/full control over the footer. Then they can take on the responsibility themselves.

    1. An example of how to toggle tracking on a per-message basis. Note the o:tracking option. This will disable link rewriting for this message:
    1. You can diminish the size of the journal by means of these commands: sudo journalctl --vacuum-size=100M will retain the most recent 100M of data; sudo journalctl --vacuum-time=10d will delete everything but the last 10 days.

    1. ISO 8601 specifies the use of uppercase letter T to separate the date and time. PostgreSQL accepts that format on input, but on output it uses a space rather than T, as shown above. This is for readability and for consistency with RFC 3339 as well as some other database systems.
    1. Stop thinking about a "normal app" as a desktop app. Android isn't a desktop platform; there is no such thing. A "normal" mobile app lets the system control the lifecycle, not the dev. The system expects that, the users expect that. All you need to do is change your mindset and learn how to build on it. Don't try to clone a desktop app on mobile. Everything is completely different, including UI/UX.

      depends on how you look at it: "normal"

    1. Entropy is not a property of the string you got, but of the strings you could have obtained instead. In other words, it qualifies the process by which the string was generated.
  3. datatracker.ietf.org
    1. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application)
    1. Have you seen mobile phone lock screens where the user is required to draw a specific pattern onto a grid of dots? How about the Windows 8 picture password feature? These are examples of behavior-based authentication factors.

      Behavior factors seem like an artificial distinction, at least based on these examples. These would be better classified as knowledge factors. Drawing a pattern that you've memorized is conceptually no different than typing a code. Or should I point out that typing a code is also a behavior? You have to press your fingers in a certain location on your keyboard and in a certain order.

    1. “Multi-factor authentication needs multi-factor enrollment,” noted Taku. It shouldn’t have been possible to enroll just using a stolen password. He listed numerous possibilities, among them credentials handed out in person, a one-time password, or a PIN sent to the employee’s registered email or mobile.
  4. Apr 2023
    1. The 409 (Conflict) or 415 (Unsupported Media Type) status codes are suggested
    2. If the target resource does not have a current representation and the PUT successfully creates one, then the origin server MUST inform the user agent by sending a 201 (Created) response. If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, then the origin server MUST send either a 200 (OK) or a 204 (No Content) response to indicate successful completion of the request.
    1. Whereas U2F only supports multi-factor mode, having been designed to strengthen existing username/password-based login flows, FIDO2 adds support for single-factor mode.
    1. In particular, with AC connected, a battery with a charge level higher than the stop charge threshold will not be discharged to the stop charge threshold, nor will there be a (cyclic) discharge down to the start charge threshold
    1. You can indeed prolong modern Li-Ion batteries' lifespan by keeping them at a lower charge. If you never ever use it disconnected, you should keep it at 40%. E.g. an Uber driver's cellphone, always on during travels. However, for daily light usage, 60% is considered the 'sweet spot' for practicality, and 80% gives you more freedom. 100% is when the battery is at its peak 'stress' level, and thus wears faster.
    1. Exposing the battery to high temperature and dwelling in a full state-of-charge for an extended time can be more stressful than cycling.
    1. Discharges your battery until it reaches 80%, even when plugged in
    2. This tool makes it possible to keep a chronically plugged in Apple Silicon Macbook at 80% battery, since that will prolong the longevity of the battery.
    1. If you send links with a secret login token with email, then they should be single-use and expire rather quickly.
    2. But you cannot make the user send a POST request from an email

      eh? how??

    3. Sorry, I can't agree with you. If someone issues a second code, they should have two potential logins - one for each one they requested. Call me weird, but considering how cheap it is to store data, I'd rather keep around exactly what happened.
    4. If you implement this system using the user table you risk impatient users requesting a second code and them arriving out of order.
    5. By default SMTP offers very little protection against interception. Traffic may be encrypted between servers but there are no guarantees.

      And how likely is it that the attacker actually owns one of the servers that is a hop on the way from mail sender to mail recipient?? Seems extremely unlikely.

    6. Email as a transmission mechanism isn't secure.
    7. If the link can only be used once with a short expiry time and no info in the link can be used to derive secrets in the session it creates, then you should be fine. Effectively, the link serves as a one-time password.
    8. If so, then how is sending a link for password reset any more secure? Isn't logging-in using a magic link the same thing as sending a magic link for resetting a password?

      In my opinion: It's not any different or less secure.

    1. À la carte can now be used figuratively to describe someone who picks some things out of a larger set, e.g., an à la carte Catholic who (conveniently) believes in some aspects of the religion, but not others. À la carte television refers to customers paying for just the channels they want, rather than having to pay for a whole (cable) service.
    1. Google allowed third parties to build their own Wave services (be it private or commercial) because it wanted the Wave protocol to replace the e-mail protocol.[2][16][17] Initially, Google was the only Wave service provider, but it was hoped that other service providers would launch their own Wave services, possibly designing their own unique web-based clients as is common with many email service providers.
    1. You can do an Nth root by raising to a fractional power. For example, the 4th root of 625 is 5. (BigDecimal(625)**(1.0/4.0)).to_f # => 5.0
    1. A given secret from an authenticator SHALL be used successfully only once.
    2. For look-up secrets that have less than 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.
    1. Similar to Base64, but modified to avoid both non-alphanumeric characters (+ and /) and letters that might look ambiguous when printed (0 – zero, I – capital i, O – capital o and l – lower-case L).
    2. A variant of Base58 encoding which further sheds the lowercase 'i' and 'o' characters in order to minimise the risk of fraud and human-error.
    1. a change in a weight of evidence of 1 deciban (i.e., a change in the odds from evens to about 5:4) is about as finely as humans can reasonably be expected to quantify their degree of belief in a hypothesis
    1. average level of "information", "surprise", or "uncertainty"

      I like the use of "surprise" here

    2. the entropy of a random variable is the average level of "information", "surprise", or "uncertainty" inherent to the variable's possible outcomes
    1. Cloche: seven pieces of 10-foot ½-inch PVC pipe; one piece of 10-foot roll galvanized plumbers' metal stripping to attach PVC to sideboards every 2 feet; 28 1-inch roofing nails.
    1. Using --ours did what I was after, just discarding the incoming cherry-picked file. @Juan you're totally right about those warning messages needing to say what they didn't do, not just why they didn't do it. And a bit more explanation that the ambiguity from the conflict needs to be resolved (by using --ours, etc.) would be super helpful in this error message.
    2. --ignore-unmerged When restoring files on the working tree from the index, do not abort the operation if there are unmerged entries and neither --ours, --theirs, --merge or --conflict is specified. Unmerged paths on the working tree are left alone. Holy smokes! I guess the git-ish fix for the user interface problem here will be to rename the option from --ignore-unmerged to --ignore-unmerged-except-in-cases-where-we-do-not-want-to-allow-that--consult-documentation-then-source-code-then-team-of-gurus-when-you-cannot-figure-it-out---and-wait-while-half-of-them-argue-about-why-it-is-right-as-is-while-the-other-half-advocate-adding-four-more-options-as-the-fix.
    3. In recent git versions, git restore is supposed to be a "better" way to revert undesired local changes than the overloaded checkout. Great, that sounds reasonable - a nice simple purpose-built tool for a common operation.
    1. If the chicken must come before the egg, where do you put the chicken?

      If the chicken must come before the egg, where do you put the chicken?

    2. Since nobody provided a wire capture, here's one.
    3. The rest of the URL (/path/?some=parameters&go=here) has no business being inside ClientHello since the request URL is a HTTP thing (OSI Layer 7), therefore it will never show up in a TLS handshake (Layer 4 or 5). That will come later on in a GET /path/?some=parameters&go=here HTTP/1.1 HTTP request, AFTER the secure TLS channel is established.
    1. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.
    1. Why do so many businesses share their data openly, for free? Most often, the answer is scale. As companies grow, the staff within those companies realize they have more ideas than they have the time and resources to develop them. It’s typically easier to work with other external companies that specialize in these ideas than build them in-house. By creating APIs, a company allows third-party developers to build applications that improve adoption and usage of its platform. That way, a business can build an ecosystem that becomes dependent on the data from their API, which often leads to additional revenue opportunities.
    1. Clients interact with a service by exchanging representations of resources.
    2. A primary advantage of REST over HTTP is that it uses open standards, and does not bind the implementation of the API or the client applications to any specific implementation.
    1. The first Mr. DRILLER game for the Nintendo Switch™ featuring updated graphics and HD cutscenes!

      Ambiguous. Missing a comma before "featuring"?

  5. Mar 2023
    1. Impersonation is a security concept implemented in Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects.
    1. Looking SO good. Will do a final check and merge when I get home. Meanwhile it seems addressing most of houndci comments and waiting for a green CI will be enough! Thanks for your hard and good work.