19,825 Matching Annotations
  1. Mar 2023
    1. I believe that SMS 2FA is wholly ineffective, and advocating for it is harmful.

      Would this also apply to OTP by e-mail??

    2. Unique Passwords and U2F are not perfect, but they are good. Unique Passwords reduce the impact of phishing, but can’t eliminate it. U2F doesn’t prevent malware, but does prevent phishing.
    3. This argument only works if what you’re defending is good. As I’ve already explained, SMS-2FA is not good.
    4. Don’t let the perfect be the enemy of the good. Seat belts aren’t perfect either, do you argue we shouldn’t wear them? Etc, etc. This argument only works if what you’re defending is good. As I’ve already explained, SMS-2FA is not good.
    5. If you also want to eliminate phishing, you have two excellent options. You can either educate your users on how to use a password manager, or deploy U2F, FIDO2, WebAuthn, etc. This can be done with hardware tokens or a smartphone.
    6. You are currently allowing your users to choose their own password, and many of them are using the same password they use on other services. There is no other possible way your users are vulnerable to credential stuffing.
    7. If you use a third party password manager, you might not realize that modern browsers have password management built in with a beautiful UX. Frankly, it’s harder to not use it.
    8. If you’re a security conscious user... You don’t need SMS-2FA. You can use unique passwords, this makes you immune to credential stuffing and reduces the impact of phishing. If you use the password manager built in to modern browsers, it can effectively eliminate phishing as well.

      not needed: password manager: 3rd-party

    9. We have a finite pool of good will with which we can advocate for the implementation of new security technologies. If we spend all that good will on irritating attackers, then by the time we’re ready to actually implement a solution, developers are not going to be interested.
    10. It’s important to emphasise that if you don’t reuse passwords, you are literally immune to credential stuffing.
    1. You can also find the combination verb+in+to, but in that case you're usually dealing with a phrasal verb consisting of a verb and the particle "in", which happens to be followed by the preposition "to". They wouldn't give in to our demands.
    2. "Built in to" appears when you use the phrasal verb "build in" followed by an infinitive, but that is not what you are trying to do in your sentence. There's an electronic switch built in to stop all data transfers.
    1. The house, of course, is not doing the agreeing; Cooper is! Because of the distance between Cooper and the participle phrase that describes him, the comma is necessary.
    2. A present participle phrase will always act as an adjective while a gerund phrase will always behave as a noun.
    1. So in your example, you would not use a hyphen: "You can use the types [that are] built in to the library."
    2. How can this be called an adjective? The postmodifier here is a participle phrase, 'built into the library'.
    3. take off, should also be counted as a (multi-word) verb.
    4. Using a hyphen is the wrongest thing to do here.
    1. Unfortunately all SMS/voice gateway are owned by paid services, thus there is no such thing as open-source, that I can recommend.
    2. Fortunately, we found RingCaptcha (https://ringcaptcha.com), which has a the 'starter plan' that offers free 500 OTP monthly. Just a small plug for them for providing freemium service; they are highly reliable because they are integrated with all major global, and regional providers, e.g., Twilio, Nexmo, Infobip, MessageBird, etc., and send your OTP through the best provider/route based on country/phone carrier, and can auto fallback to alternative paths. This means you just need to integrate with RingCaptcha, without the headache of deciding which SMS/voice OTP provider has best combination of price and reliability, which is a real headache when you are sending OTP world-wide.
    1. the issues I've always had with it: No support. As in, no one in Google's support organization has any clue about what this app does. No support group discussions as far as I can tell ("Smart Lock" is too generic to really find anything). That's not surprising, because while I've figured out how it works/what it does in my use case, there's really no clear documentation on it - like what it even does, really.
    2. No support group discussions as far as I can tell ("Smart Lock" is too generic to really find anything).

      too generic

    1. {{#discriminator.mappedModels}} {{#-first}} {{#vendorExtensions.x-useDeduction}} @JsonTypeInfo(use = JsonTypeInfo.Id.DEDUCTION) {{/vendorExtensions.x-useDeduction}} {{^vendorExtensions.x-useDeduction}}
    1. Most platforms that require OTP verification for ensuring security are targeted at the mobile phone only. But some payment gateways send OTP to email address also simultaneously to doubly ensure that you get the OTP and that you have requested the OTP. There could be some delay in SMS or email reaching you. Many OTPs are time restricted - you have to use them quickly.
    1. It is a law of nature that our thoughts and feelings are encouraged and strengthened as we give them utterance. While words express thoughts, it is also true that thoughts follow words. If we would give more expression to our faith, rejoice more in the blessings that we know we have,—the great mercy and love of God,—we should have more faith and greater joy. No tongue can express, no finite mind can conceive, the blessing that results from appreciating the goodness and love of God. Even on earth we may have joy as a wellspring, never failing, because fed by the streams that flow from the throne of God.
    1. It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.
    1. Double quotes for string literals - because pre-committing to whether you'll need interpolation in a string slows people down
    1. Another option would be to implement a delay scheme to avoid a brute force attack. After each failed attempt A, the authentication server would wait for an increased T*A number of seconds, e.g., say T = 5, then after 1 attempt, the server waits for 5 seconds, at the second failed attempt, it waits for 5*2 = 10 seconds, etc.
    2. The reason for masking the most significant bit of P is to avoid confusion about signed vs. unsigned modulo computations. Different processors perform these operations differently, and masking out the signed bit removes all ambiguity.
    3. The lack of interoperability among hardware and software technology vendors has been a limiting factor in the adoption of two-factor authentication technology. In particular, the absence of open specifications has led to solutions where hardware and software components are tightly coupled through proprietary technology, resulting in high-cost solutions, poor adoption, and limited innovation.
    1. Protocols are, by their very nature, open. If you can't read the protocol specification then you can't very well implement it, can you?
    2. As others pointed out, OATH's claims of "open source" have little meaning when compared to other authentication protocols such as SAML. When you include the entire Liberty Alliance specifications as well as the Web Services Initiative protocols and methods (as devised by Microsoft and IBM) there's nary a proprietary bit of code involved. Actually, there's no code involved at all. Protocols are, by their very nature, open. If you can't read the protocol specification then you can't very well implement it, can you?
    1. the output is 20 bytes, and so the last byte is byte 19 (0-origin).
    2. It is suggested that verification be locked out after a small number of failed attempts or that each failed attempt attracts an additional (linearly increasing) delay.
    1. One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.
    1. We believe that being open source is one of the most important features of Bitwarden. Source code transparency is an absolute requirement for security solutions like Bitwarden.
    1. But getting codes by phone turns out not to be very secure at all. A vulnerability in SMS messaging is that crooks can reroute text messages.
    2. Unlike the other apps listed here, Authy requires your phone number when you first set it up. We're not fans of this requirement, since we’d rather have the app consider our phones to be anonymous pieces of hardware; and some have suggested that requiring a phone number opens the app up to SIM-card-swap fraud.
    3. 2FAS doesn't need your phone number or even require you to create an online account, so it's not susceptible to SIM-swapping fraud.
    1. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
    2. The authors believe that a common and shared algorithm will facilitate adoption of two-factor authentication on the Internet by enabling interoperability across commercial and open-source implementations.
    1. On my ZE620KL nothing worked, many tries, I waited a few days and it didn't work. Even changing the rom for an official Asus rom (without root) the app kept saying that the device is not safe. It only started to allow contactless payment after relocking the bootloader. I believe that in my case, gpay did not work by detecting the unlocked bootloader. Edit: The device passed all tests, SafetyNet, Google protect, basic, CTS (with root), but it still only worked after relocking the bootloader.

      .

    1. Finding good names is quite difficult. Single words are also almost always better than combined names, even though one is a bit limited with single words alone. There are exceptions though. For example .each_with_index or .each_index are good names, IMO.
    1. And, my kids learned all about the inner workings of the car in areas that are usually hidden. This was an exhilarating accomplishment, and a triumph of a homeschool project. I hope to do more with the kids over the years so that they have practical life skills, and I encourage other parents to work with their children to fix the family car.
    2. I am not a mechanic, but I like to dabble in fixing whatever is at hand, especially when it saves our family money.
    1. Why is it, then, that although publicly is far more common as the adverbial form of public than publically, the ratio of usage has diminished? Publically is becoming more common for the same reason that people write irregardless in place of regardless or write “diffuse the situation” instead of “defuse the situation” or “all of the sudden” rather than “all of a sudden”: evolution. Language is, in a sense, alive, and just as life itself evolves, so does language—but note that the primary definition of evolution is not “improvement”; it simply means “change.” And how does language change? The change is modeled: New words are coined, or new senses of existing words develop (or new spellings or new forms occur), because someone, somewhere acts to make it so, and the evolution goes viral.
    2. First, dictionaries are not arbiters of highly literate writing; they merely document usage. For example, irregardless has an entry in many dictionaries, even though any self-respecting writer will avoid using it—except, perhaps, in dialogue to signal that a speaker uses nonstandard language, because that is exactly how some dictionaries characterize the word. Yes, it has a place in dictionaries; regardless of that fact, its superfluous prefix renders it an improper term.

      what to call these words? illiterate words?

    1. Ultra-high frequencies typically offer better range

      better range for bad actors to try to steal the data from my tag?

    2. Does the EDL/EID card transmit my personal information? No. The RFID tag embedded in your card doesn't contain any personal identifying information, just a unique reference number.

      Can this unique reference number be used to identify me (assuming they've already identified me another way and associated this number with me)? Yes!!

      So this answer is a bit incomplete/misleading...

    1. Code your own template with HTML, or use our markup language MJML, the only framework that makes creating responsive designs easy.
    1. What are transactional emails? Typically any email that is triggered by or sent automatically from your application.
    2. Welcome emails, actionable emails, password resets, receipts, monthly invoices, support requests, app error alerts, reminders, etc.
    1. for instance, when the recipient’s address is full (a soft bounce: just wait and re-send) or worst, when it’s non-existent (a hard bounce: you need to remove the account from your list)
    1. As an aside, I think I now prefer this technique to Python for at least one reason: passing arguments to the decorator method does not make the technique any more complex. Contrast this with Python: <artima.com/weblogs/viewpost.jsp?thread=240845>
    2. When you call 'foo' in Ruby, what you're actually doing is sending a message to its owner: "please call your method 'foo'". You just can't get a direct hold on functions in Ruby in the way you can in Python; they're slippery and elusive. You can only see them as though shadows on a cave wall; you can only reference them through strings/symbols that happen to be their name. Try and think of every method call 'object.foo(args)' you do in Ruby as the equivalent of this in Python: 'object.getattribute('foo')(args)'.
    3. import math

       def document(f):
           # Wrapper that announces the call, then delegates to the decorated function
           def wrap(x):
               print("I am going to square", x)
               f(x)
           return wrap

       @document
       def square(x):
           print(math.pow(x, 2))

       square(5)
    1. I am a developer, and we are developing the app for the customer, which will not be published through the Google Play Store. But when we distribute the app to the customer, the customer gets that error. I want to avoid that alert of the Play Store. I want to understand exactly which security concern has been broken by my app.
    1. The benefits of getting administrative privileges over an open-source OS like Android stand aplenty. Among them, the ability to flash modules and tweaks is at the top of the priority queue. However, this is just one side of the coin. Rooting has its own downsides as well, the primary among them being the fact that SafetyNet gets triggered.
    1. Google has had the ability to harden SafetyNet checks using hardware-backed key attestation for several years now. The fact that they refrained from doing so for 3 years has allowed users to enjoy root and Magisk Modules without sacrificing the ability to use banking apps. However, it seems that Magisk's ability to effectively hide the bootloader unlock status is soon coming to an end. It's a change that we've expected for years, but we're sad to see it finally go into effect.
    1. Fortunately, topjohnwu has been given the green light to continue developing Magisk, but this approval is contingent on the project dropping support for its root hiding feature called MagiskHide.

      .

    1. For people like me, who believe that accessibility applies to all users, the following two words come to mind: Inclusive design. The British Standards Institute (2005) defines inclusive design as "The design of mainstream products and/or services that are accessible to, and usable by, as many people as reasonably possible..."

      inclusive design

    1. Conversations are collections of messages that all have the same Subject. When "conversation mode" is on, searches return entire conversations as results. So what should gmail search do if a conversation contains both a message that matches, and a message that does not match your search? You are probably expecting it to return conversations only if all messages in that conversation match. But that is not correct. Instead, Gmail search will return conversations even if only a single message in that conversation matches. So that means that if you do the same search above with "conversation mode" on, the results are likely to include messages that do not match your search!
  2. Feb 2023
    1. I am a software engineer, canoeist, gardener and all-round tinkerer. I got into software because of my curiosity about how things work. I kept asking “why” until I eventually found myself doing it for a job. I love the range of work I get to do as an engineer. My work often focuses on performance improvements and coaching teams in code design choices. I value thoughtful communication that amplifies marginalized voices in the workplace.
    1. As a general practice, it seems like gems should remain compatible with current/recent versions of their dependencies. Otherwise, if you have 2 gems in your project that depend on faraday, and one of those is locked to faraday 0.17.6, and the other requires at least 2.x, then you have a problem...
    1. Note though, that this only works when you're already using git for your dependency

      I was trying to figure out why it wasn't working for me. This was probably the reason.

      So if you just have gem 'rack', it just silently has no effect.

      It seems like it should just work either way. Or at least give a warning/error if you try to use this config and it's not going to use that config!

    1. The official Bambora Ruby library is not thread-safe. This means you will run into errors when using it with Sidekiq or Puma. This gem is a thread-safe client for the Bambora and Beanstream APIs.
    1. Forwarding will always break emails, especially in Outlook, as it adds its own code before composing. You can have a forward link on emails which takes you to a page to forward to a friend, or you can go with a broken email when it's forwarded. It's harsh, I know, but there is no way around it.
    1. It used to be a lot more common for people to have work and personal phones before the internet made it possible for work to take over every aspect of your day to day life.
    1. It's Outlook's rubbish filtering system. They have "AI" rules that look at the sending IP address for reputation. They score you on user reports and lots of other bits they will not tell you about. Make sure you have SPF, DMARC, DKIM, and sign up for their JMRP and SNDS, they will tell you. But it still is a game of cat and mouse. It's a slippery slope and even Microsoft trap their own mail to their own Outlook users. PITA, to be honest, and luckily we managed to get a mitigation to the issue. However some users in different domains still complain of email going to JUNK. Go figure. I hate having to work on issues with Outlook.com. They themselves send out spam and have the audacity to block well configured SMTP senders. I wish you luck. You will need it.
    1. But, since they'll automatically encode in rich text if there are any HTML tags placed in the message by the device itself, putting a single space (&nbsp) in the signature via the mail app itself, and then bold/italic-izing said space makes it work.
    1. The issue is that Mail isn't behaving as expected. If I tell it to always send messages as Rich Text I expect it to send them as Rich Text no matter what. Instead, sometimes it will send out emails as plain text. This is clearly an issue with Mail. If, for example, you tell your word processor of choice, be it Pages, LibreOffice or Word, to save all your documents as ODF files you expect it to do so no matter what and not to automatically revert to TXT files for documents that you haven't formatted yet without giving you proper notice, thereby preventing you from ever formatting those particular documents in the future.

      software that thinks it knows better than you

      software doing things without giving you notice

    1. Rack::Session was moved to a separate gem. Previously, Rack::Session was part of the rack gem. Not every application needs it, and it increases the security surface area of the rack, so it was decided to extract it into its own gem rack-session which can be updated independently.
    1. The reason is Rails only reads and creates the session object when it receives the request and writes it back to session store when request is complete and is about to be returned to user.
    2. Session race conditions are very common in Rails. Redis session store doesn't help either! The reason is Rails only reads and creates the session object when it receives the request and writes it back to session store when request is complete and is about to be returned to user.
    1. As you can see from the example, the session cookie is updated on every request, regardless of whether the session was modified or not. Depending on which response gets back to the client last, that's the cookie that will be used in the next call. For example, in our previous example, if get_current_result’s response was slower than get_quiz, then our cookie would have the correct data and the next call to update_response would have worked fine! So sometimes it will work and sometimes not, all depending on the internet gods. This type of race condition is no fun to deal with. The implication of this is that using cookie storage for sessions when you are doing multiple ajax calls is just not safe.
    2. A better solution would be to use a server side session store like active record or memcache. Doing so prevents the session data from being reliant on client side cookies. Session data no longer has to be passed between the client and the server, which means no more potential race conditions when two ajax calls are simultaneously made!
    1. If you already have an instance of your model, you can start a transaction and acquire the lock in one go using the following code:

       book = Book.first
       book.with_lock do
         # This block is called within a transaction,
         # book is already locked.
         book.increment!(:views)
       end
    1. Event Replay: If we find a past event was incorrect, we can compute the consequences by reversing it and later events and then replaying the new event and later events. (Or indeed by throwing away the application state and replaying all events with the correct event in sequence.) The same technique can handle events received in the wrong sequence - a common problem with systems that communicate with asynchronous messaging.
    1. As our needs become more sophisticated we steadily move away from that model. We may want to look at the information in a different way to the record store, perhaps collapsing multiple records into one, or forming virtual records by combining information for different places. On the update side we may find validation rules that only allow certain combinations of data to be stored, or may even infer data to be stored that's different from that we provide.
    1. If you haven't seen it yet, check out the PinePhone Pro and its docking station. Much like the Steam Deck's docking station, it plugs the phone into a monitor, keyboard, and mouse to turn your phone into a PC.
    2. When Ubuntu was confronted with making Debian user friendly, the issue was speeding up software updates. Manjaro has the opposite issue with Arch and is handling it appropriately.
    1. B/ Mainline kernel offers many ways to increase desktop responsiveness without the need to patch or reconfigure it. Many tweaks can be activated using the cfs-zen-tweaks you can download and just run, but I would advise you just read the very simple code and learn how each of the tweaks impacts. Don't hesitate to lower the priority of your cpu-bound processes (compilations, simulations...) and increase the priority of your interactive tasks thanks to the renice command, and even change their scheduling policy using chrt. Ultimately, you can always pin interrupts to dedicated cpus (setting desired values in /proc/irq/[irq_id]/smp_affinity), having one in charge of the keyboard and the mouse, another one for the graphic adaptor, a third one for the sound card and a fourth one housekeeping for all the possible remaining. Just plenty of solutions left open without changing a byte in your distro-kernel.
    1. Sure, eagerly failing loudly would be better also. The outcome is still the same - you wouldn’t be able to do the thing you want, you just would be informed faster.
    2. deleting user files without being asked for is by far an "unsafe in nonzero scenarios" decision, no program should do it. The sane option is to refuse working and/or display a visible warning explaining why.
    3. There should thus be an option to give npm a list of vulnerability IDs (CVEs etc.) that it does not need to defend because the admin has decided it does not apply to their edge case.

      should be optional

    1. If the answer to this is "no" with some set of reasons, that's a perfectly reasonable outcome.
    2. The intent of this RFC is to do that - propose a solution. I do not expect that this solution will go through unanimously and unchanged, but I'd like to get something up that can be talked about and addressed both by the ecosystem and by those thinking about Security in the registry and CLI.
    3. There's been an interest expressed in the ecosystem of having some form of counterclaim for advisories surfaced by npm audit. There's been some discussion of a potential counterclaim mechanism for some time, but I've not seen a solution proposed.
    1. Scaling a single VCS to hundreds of developers, hundreds of millions lines of code, and a rapid rate of submissions is a monumental task. Twitter’s monorepo roll-out about 5 years ago (based on git) was one of the biggest software engineering boondoggles I have ever witnessed in my career. Running simple commands such as git status would take minutes. If an individual clone got too far behind, it took hours to catch up (for a time there was even a practice of shipping hard drives to remote employees with a recent clone to start out with). I bring this up not specifically to make fun of Twitter engineering, but to illustrate how hard this problem is. I’m told that 5 years later, the performance of Twitter’s monorepo is still not what the developer tooling team there would like, and not for lack of trying.
    2. In very large code bases, it is likely impossible to make a change to a fundamental API and get it code reviewed by every affected team before merge conflicts force the process to start over again.
    3. Developers are faced with two realistic choices. First, they can give up, and work around the API issue (this happens more often than we would like to admit).
    1. One approach to avoiding this kind of problem is regression testing. A properly designed test plan aims at preventing this possibility

      The antecedent of "this possibility" is unclear. (Perhaps it used to be clear and then someone else made an edit and added a sentence in between?)

    1. Capybara's ancestor and sibling methods are called on an element and take the same parameters as find. They are implemented by locating all elements that match the passed in parameters and intersecting that with the set of ancestor or sibling elements respectively.
    1. Apple can afford to make user privacy a priority AND be very strict about cookies because its revenue does not strongly depend on advertising.
    1. Discolored doesn't answer any questions like why the color is gone, why it's your job to fix them or how you even can, or why the player should even care about fixing the color; Discolored just tells you to do it.
    1. eBay got jealous when Dan’s site began to grow in leaps and bounds and made him change his name to Bricklink two years later.

      Can they really do that? The name seems different enough?

    1. [Episode!]! represents an array of Episode objects. Since it is also non-nullable, you can always expect an array (with zero or more items) when you query the appearsIn field. And since Episode! is also non-nullable, you can always expect every item of the array to be an Episode object.

      Note that this still allows an empty array, []. It only disallows: null and [null].

    1. So, when fighting, one should fix one's eyes firmly on the target with only one idea in mind, that of attacking the enemy most simply and directly.

      .

    2. Having excessive ideals with regard to fighting will cause one to be far too nervous. Wing Chun theory is flawless indeed if one can accomplish it absolutely, but a theory is only just a theory, never can a person reach such a state of perfection, human beings are all apt to make mistakes at some time or another.

      no one is perfect

    3. We welcome your feedback on the accessibility of this site. If you have specific questions or feedback about this site's accessibility or need assistance using specific features, please contact us. If you have found an inaccessible area on the site, please specify the web page or element, and provide any other relevant information to help us locate the problem.  In the event a page cannot be made accessible, we will work with you to make a text version of the content available. Please contact us via telephone or email to request a specific electronic format. Additionally, please provide us with your contact information, the format you require, the web page address, and the location of the content. We welcome your questions about this accessibility statement and comments on how to improve our website's accessibility.  
    1. Strip unsafe tags, leaving behind only the inner text. Prune unsafe tags and their subtrees, removing all traces that they ever existed. Escape unsafe tags and their subtrees, leaving behind lots of < and > entities. Whitewash the markup, removing all attributes and namespaced nodes.
    2. It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
    1. You can simulate a pre-checkout git hook:
    2. Result of lots of searching on net is that pre-checkout hook in git is not implemented yet. The reason can be: There is no practical use. I do have a case. It can be achieved by any other means. Please tell me how? It's too difficult to implement. I don't think this is a valid reason.
    1. If you want a workaround for the case where you can't just replace key with a string literal, you could write your own user-defined type guard function called hasProp(obj, prop). The implementation would just return prop in obj, but its type signature explicitly says that a true result should cause obj to be narrowed to just those union members with a key of type prop:

       function hasProp<T extends object, K extends PropertyKey>(
         obj: T,
         prop: K
       ): obj is Extract<T, { [P in K]?: any }> {
         return prop in obj;
       }

       and then in your function, replace key in a with hasProp(a, key):

       function f3(a: A) {
         const key = 'b';
         if (hasProp(a, key)) {
           return a[key]; // okay
         }
         return 42;
       }
    1. The variable x initially has the type unknown: the type of all values. The predicate typeof x === "number" extracts dynamic information about the value bound to x, but the type-checker can exploit this information for static reasoning. In the body of the if statement the predicate is assumed to be true; therefore, it must be the case the value bound to x is a number. TypeScript exploits this information and narrows the type of x from unknown to number in the body of if statement.
  3. Jan 2023
    1. Do Not Post About Commercial Products For support of commercial themes or plugins, go to the official support channel. In order to be good stewards of the WordPress community, and encourage innovation and progress, we feel it’s important to direct people to those official locations. Doing this will provide the developer with the income they need to make WordPress awesome. Forum volunteers are also not given access to commercial products, so they would not know why a commercial theme or plugin is not working properly. Ultimately, the vendors are responsible for supporting their commercial product. If you are a vendor and observe someone asking questions about your paid plugin or theme, please direct them towards your own support resources.
    1. As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. – Community Bot

      How can a bot judge that the answer is unclear?

      Why doesn't it also suggest what about it is unclear and suggestions for improving it while it's at it?

    1. Mailgun is primarily a developer’s tool so the best way use Mailgun is through our APIs.

      developers first API first

    1. Do not separate numbers from letters on symbols, methods and variables.

      Okay... Why not?

    2. These words are redundant and inconsistent with the style of boolean methods in the Ruby core library, such as empty? and include?.
    1. click_link('Create Account', match: :first) It's better than first(:link, 'Create Account').click as it will wait till at least one Create Account link appears on the page. However I believe it's better to choose a unique locator that doesn't appear on the page twice.
    1. Since Rails creates callbacks for dependent associations, always call before_destroy callbacks that perform validation with prepend: true.
    1. This depends on the ruby code. Some projects will be semi-dormant due to various reasons. That's for us to address as a community. Are we going to let a single decade-old gem prevent us from moving Ruby forward? What's the threshold? There's libraries out there that don't work on Ruby 1.9. We left them behind or replaced them. And are people depending on a gem that's unmaintained really going to be the ones to jump on Ruby 3.0 the day after Christmas 2020? This is also still supposition. Name some gems that are unmaintained and in wide use. We can fix them! We have the technology! In my opinion, if matz's objective is to make the transition to ruby 3.0 simple, then it actually makes a lot of sense to postpone frozen strings by default. Postpone until when? 3.1? So then 3.1 will be the hard break? They've been discussed for what, ten years now? How long is long enough? We've added many ways for people to start transitioning to immutable literal strings, and people are using those mechanisms widely. We've pushed this transition a long time, and we still have another year until 3.0 is out and longer than that until people will need to make a move. What is the threshold for being "ready" to make this change? Unless we're planning to wait until Ruby 4.0 in 2030 to do this, I think we should do it now. I use frozen strings in most of my ruby projects, most of them set to true via the toplevel comment, so either way, it would not affect me. Exactly. Most people already do use frozen string literals. And adding a pragma means we can transition troublesome code to the new way with a single line per affected file. Heck, we can even add --enable:mutable-literal-string for people that are stuck with some of that old unmaintained code, allowing them to have a soft landing.
    2. I guess the interaction between the "false" state and the current runtime default is what has me confused. I see "true" and "false" here more like "on" and "off", and if frozen-string-literal is off, to me that means it does nothing at all and whatever defaults are in place take effect.
    3. I'm still against frozen-string-literal by default. It is arguable if the string creation limits performance so much in real-world programs. We need to first measure how much Ruby can be faster by frozen-string-literal. If it is not significant, Ruby should prefer dynamics and flexibility.
    1. because most languages treat strings as immutable, which helps ensure you don't accidentally modify them and can improve performance. Fewer state changes in a program mean less complexity. It's better to opt-in to mutability after careful consideration rather than making everything mutable by default. What is immutability and why should I worry about it? may help.
    1. Until we release 2.0 you should continue to use 1.6.4, which can be found at bblimke/webmock.

      https://github.com/bblimke/webmock is at 3.18.1 so this repo is apparently abandoned and should be archived

    1. bundle update rails-controller-testing --conservative. The --conservative flag says when updating this gem do not update any of its dependencies. Using the --conservative flag with bundle is really useful for minimizing changesets as well as avoiding upgrading things that you don’t need to upgrade.
    1. Judge Domino is a game in which players judge if toppling a line of dominoes will succeed or fail. Players take turns adding to the line, but to score points, you must make others think that the toppling will fail. Can you baffle other players' judgment?