10,000 Matching Annotations
  1. May 2023
    1. The de facto standard is to treat local mailboxes as case insensitive, but the official standard says case matters (though even the official standard mentions the de facto standard).
    2. Gmail does something similar. You can register an email address with a . in it and Gmail just ignores that for its internal email address. So you can get Firstname.Surname@gmail.com and that's effectively the same email address as FirstnameSurname@gmail.com. Back in 2004 when Gmail launched, I found this to be an especially user friendly feature of their email service
    1. So yes, the part before the "@" could be case-sensitive, since it is entirely under the control of the host system. In practice though, no widely used mail systems distinguish different addresses based on case.
    2. In short, you are safe to treat email addresses as case-insensitive.
    1. Since the case sensitivity of email addresses can create confusion and delivery problems, most email providers and clients either fix the case if the email address is entered in the wrong case, or they ignore upper-case entries. Not many email services or ISPs enforce case-sensitive email addresses.
    1. This ensures that GetResponse and our customers comply with Anti-Spam laws.

      IMHO, the customer should be able to opt out of this automatic adding if they want more/full control over the footer. Then they can take on the responsibility themselves.

    1. An example of how to toggle tracking on a per-message basis. Note the o:tracking option. This will disable link rewriting for this message:
    1. You can diminish the size of the journal by means of these commands: sudo journalctl --vacuum-size=100M This will retain the most recent 100M of data. sudo journalctl --vacuum-time=10d will delete everything but the last 10 days.

      .

    1. ISO 8601 specifies the use of uppercase letter T to separate the date and time. PostgreSQL accepts that format on input, but on output it uses a space rather than T, as shown above. This is for readability and for consistency with RFC 3339 as well as some other database systems.
    1. Stop to think about "normal app" as like desktop app. Android isn't a desktop platform, there is no such this. A "normal" mobile app let the system control the lifecycle, not the dev. The system expect that, the users expect that. All you need to do is change your mindset and learn how to build on it. Don't try to clone a desktop app on mobile. Everything is completely different including UI/UX.

      depends on how you look at it: "normal"

    1. Entropy is not a property of the string you got, but of the strings you could have obtained instead. In other words, it qualifies the process by which the string was generated.
  2. datatracker.ietf.org datatracker.ietf.org
    1. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application)
    1. Have you seen mobile phone lock screens where the user is required to draw a specific pattern onto a grid of dots? How about the Windows 8 picture password feature? These are examples of behavior-based authentication factors.

      Behavior factors seems like an artificial distinction, at least based on these examples. These would be better classified as Knowledge factors. Drawing a pattern that you've memorized is conceptually no different than typing a code. Or should I point out that typing a code is also a behavior? You have to press your fingers in a certain location on your keyboard and in a certain order.

    1. “Multi-factor authentication needs multi-factor enrollment,” noted Taku. It shouldn’t have been possible to enroll just using a stolen password. He listed numerous possibilities, among them credentials handed out in person, a one-time password, or a PIN sent to the employee’s registered email or mobile.
  3. Apr 2023
    1. The 409 (Conflict) or 415 (Unsupported Media Type) status codes are suggested
    2. If the target resource does not have a current representation and the PUT successfully creates one, then the origin server MUST inform the user agent by sending a 201 (Created) response. If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, then the origin server MUST send either a 200 (OK) or a 204 (No Content) response to indicate successful completion of the request.
    1. Whereas U2F only supports multi-factor mode, having been designed to strengthen existing username/password-based login flows, FIDO2 adds support for single-factor mode.
    1. In particular, with AC connected, a battery with a charge level higher than the stop charge threshold will not be discharged to the stop charge threshold, nor will there be a (cyclic) discharge down to the start charge threshold
    1. You can indeed prolong moderns Li-Ion batteries lifespan by keeping them at a lower charge. If you never ever use it disconnected, you should keep it at 40%. E.g. Uber driver cellphone always-on in travels. However for daily light usage, 60% is considered the 'sweet spot' for practicality, and 80% gives you more freedom. 100% is when the battery is at its peak 'stress' level, and thus wear faster.
    1. Exposing the battery to high temperature and dwelling in a full state-of-charge for an extended time can be more stressful than cycling.
    1. Discharges your battery until it reaches 80%, even when plugged in
    2. This tool makes it possible to keep a chronically plugged in Apple Silicon Macbook at 80% battery, since that will prolong the longevity of the battery.
    1. If you send links with a secret login token with email, then they should be single-use and expire rather quickly.
    2. But you can not make the user send a POST requests from an email

      eh? how??

    3. Sorry, I can't agree with you. If someone issues a second code, they should have two potential logins - one for each one they requested. Call me weird, but considering how cheap it is to store data, I'd rather keep around exactly what happened.
    4. If you implement this system using the user table you risk impatient users requesting a second code and them arriving out of order.
    5. By default SMTP offers very little protection against interception. Traffic may be encrypted between servers but there are no guarantees.

      And how likely is it that the attacker actually owns one of the servers that is a hop on the way from mail sender to mail recipient?? Seems extremely unlikely.

    6. email as a transmission mechanism isn't secure.
    7. If the link can only be used once with a short expiry time and no info in the link can be used to derive secrets in the session it creates then you should be fine. Effectively, the link serves as an one-time password.
    8. If so, then how is sending a link for password reset any more secure? Isn't logging-in using a magic link the same thing as sending a magic link for resetting a password?

      In my opinion: It's not any different or less secure.

    1. À la carte can be now used figuratively to describe someone who picks some things out of a larger set, e.g., an à la carte Catholic who (conveniently) believes in some aspects of the religion, but not others. À la carte television refers to customers paying for just channels they want, rather they having to pay for a whole (cable) service.
    1. Google allowed third parties to build their own Wave services (be it private or commercial) because it wanted the Wave protocol to replace the e-mail protocol.[2][16][17] Initially, Google was the only Wave service provider, but it was hoped that other service providers would launch their own Wave services, possibly designing their own unique web-based clients as is common with many email service providers.
    1. You can do an Nth root by raising to a fractional power. For example, the 4th root of 625 is 5. (BigDecimal(625)**(1.0/4.0)).to_f # => 5.0
    1. A given secret from an authenticator SHALL be used successfully only once.
    2. For look-up secrets that have less than 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.
    1. Similar to Base64, but modified to avoid both non-alphanumeric characters (+ and /) and letters that might look ambiguous when printed (0 – zero, I – capital i, O – capital o and l – lower-case L).
    2. A variant of Base58 encoding which further sheds the lowercase 'i' and 'o' characters in order to minimise the risk of fraud and human-error.
    1. a change in a weight of evidence of 1 deciban (i.e., a change in the odds from evens to about 5:4) is about as finely as humans can reasonably be expected to quantify their degree of belief in a hypothesis
    1. average level of "information", "surprise", or "uncertainty"

      I like the use of "surprise" here

    2. the entropy of a random variable is the average level of "information", "surprise", or "uncertainty" inherent to the variable's possible outcomes
    1. Cloche Seven pieces of 10-foot ½-inch PVC pipe One piece of 10-foot roll galvanized plumbers' metal stripping to attach PVC to sideboards every 2 feet. 28 1-inch roofing nails
    1. Using --ours did what I was after, just discarding the incoming cherry picked file. @Juan you're totally right about those warning messages needing to say what they did't do, not just why they didn't do it. And a bit more explanation that the ambiguity from the conflict needs to be resolved (by using --ours, etc) would be super helpful to this error message.
    2. --ignore-unmerged When restoring files on the working tree from the index, do not abort the operation if there are unmerged entries and neither --ours, --theirs, --merge or --conflict is specified. Unmerged paths on the working tree are left alone. Holy smokes! I guess the git-ish fix for the user interface problem here will be to rename the option from --ignore-unmerged to --ignore-unmerged-except-in-cases-where-we-do-not-want-to-allow-that--consult-documentation-then-source-code-then-team-of-gurus-when-you-cannot-figure-it-out---and-wait-while-half-of-them-argue-about-why-it-is-right-as-is-while-the-other-half-advocate-adding-four-more-options-as-the-fix.
    3. In recent git versions, git restore is supposed to be a "better" way to revert undesired local changes than the overloaded checkout. Great, that sounds reasonable - a nice simple purpose-built tool for a common operation.
    1. If the chicken must come before the egg, where do you put the chicken?

      If the chicken must come before the egg, where do you put the chicken?

    1. If the chicken must come before the egg, where do you put the chicken?

      If the chicken must come before the egg, where do you put the chicken?

    2. Since nobody provided a wire capture, here's one.
    3. The rest of the URL (/path/?some=parameters&go=here) has no business being inside ClientHello since the request URL is a HTTP thing (OSI Layer 7), therefore it will never show up in a TLS handshake (Layer 4 or 5). That will come later on in a GET /path/?some=parameters&go=here HTTP/1.1 HTTP request, AFTER the secure TLS channel is established.
    1. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.
    1. Why do so many businesses share their data openly, for free? Most often, the answer is scale. As companies grow, the staff within those companies realize they have more ideas than they have the time and resources to develop them. It’s typically easier to work with other external companies that specialize in these ideas than build them in-house. By creating APIs, a company allows third-party developers to build applications that improve adoption and usage of its platform. That way, a business can build an ecosystem that becomes dependent on the data from their API, which often leads to additional revenue opportunities.
    1. Clients interact with a service by exchanging representations of resources.
    2. A primary advantage of REST over HTTP is that it uses open standards, and does not bind the implementation of the API or the client applications to any specific implementation.
    1. The first Mr. DRILLER game for the Nintendo Switch™ featuring updated graphics and HD cutscenes!

      Ambiguous. Missing a comma before "featuring"?

  4. Mar 2023
    1. Impersonation is a security concept implemented in Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects.
    1. Looking SO good. Will do a final check and merge when I get home. Meanwhile it seems addressing most of houndci comments and waiting for a green CI will be enough! Thanks for your hard and good work.
    1. Because they follow this specification, most authoritative DNS servers won't allow you to include CNAME records at the root. At CloudFlare, we decided to let our users include a CNAME at the root even though we knew it violated the DNS specification. And that worked, most of the time. Unfortunately, there were a handful of edge cases that caused all sorts of problems.
    2. The Inflexibility of DNS Traditionally, the root record of a domain needed to point to an IP address (known as an A -- for "address" -- Record). While it may not seem like a big deal, tying a service to an IP address can be extremely limiting.
    1. Let Docker manage the storage of your database data by writing the database files to disk on the host system using its own internal volume management. This is the default and is easy and fairly transparent to the user. The downside is that the files may be hard to locate for tools and applications that run directly on the host system, i.e. outside containers. Create a data directory on the host system (outside the container) and mount this to a directory visible from inside the container. This places the database files in a known location on the host system, and makes it easy for tools and applications on the host system to access the files. The downside is that the user needs to make sure that the directory exists, and that e.g. directory permissions and other security mechanisms on the host system are set up correctly.
    1. Problem details for HTTP APIs HTTP status codes are sometimes not sufficient to convey enough information about an error to be helpful. The RFC 7807 defines simple JSON and XML document formats to inform the client about a problem in a HTTP API. It's a great start point for reporting errors in your API. It also defines the application/problem+json and application/problem+xml media types.
    2. Michael Kropat put together a set of decision charts that helps determine the best status code for each situation. See the following for 4xx status codes:
    3. HTTP is an extensible protocol and 422 is registered in IANA, which makes it a standard status code. So nothing stops you from using 422 in your application. And since June 2022, 422 is defined in the RFC 9110, which is the document that currently defines the semantics of the HTTP protocol:
    1. HTTP 400 is the right status code for your case from REST perspective as its syntactically incorrect to send sales_tax instead of tax, though its a valid JSON.
    2. Ideal Scenario for 422: In an ideal world, 422 is preferred and generally acceptable to send as response if the server understands the content type of the request entity and the syntax of the request entity is correct but was unable to process the data because its semantically erroneous.
    3. Exactly my thoughts on the matter! I'm coming from XML SOAP background and concept of schema just got into my blood and JSON documents rather don't announce their schema. To me it's whether server "understands" the request or not. If server doesn't know what "sales_tax" is then it's simply 400: "I have no idea what you sent me but definitely not what I want.".
    4. As I said above, the deciding factor is what is meant by syntax. If the request was sent with a Content Type of application/json, then yes, the request is syntactically valid because it's valid JSON syntax, but not semantically valid, since it doesn't match what's expected. (assuming a strict definition of what makes the request in question semantically valid or not). If, on the other hand, the request was sent with a more specific custom Content Type like application/vnd.mycorp.mydatatype+json that, perhaps, specifies exactly what fields are expected, then I would say that the request could easily be syntactically invalid, hence the 400 response.
    5. Just because the code is described as part of the WebDAV spec doesn't mean it's WebDAV-specific! Status codes are supposed to be generic.
    6. Missing field can be a field that has not been sent and that's clearly a 400 to me, because the app cannot understand this payload, it violates the contract. IMHO, 400 suits better to not well-formed JSON, JSON that has different key names (contract violation) and JSON that one or more of the field(s) contents is from another type, let's say, you expect a int and got an object. Even not null constraint can be in both status codes, 400 if field not sent at all (and most frameworks understands it as null), and 422 if sent but with null value.
    7. Just let me get this straight, is RFC 7231 the latest? If so, there is no mention of 422 in there so does that mean it's now obsolete?
    8. I rolled back your edit because the double negative was very deliberate - I explicitly would not claim correctness, just lack of clear incorrectness
    9. Your answer (422) makes sense to me. This is also what Rails (respond_with) uses when a resource couldn't be processed because of validation errors.
    1. 15.5.21. 422 Unprocessable Content The 422 (Unprocessable Content) status code indicates that the server understands the content type of the request content (hence a 415 (Unsupported Media Type) status code is inappropriate), and the syntax of the request content is correct, but it was unable to process the contained instructions. For example, this status code can be sent if an XML request content contains well-formed (i.e., syntactically correct), but semantically erroneous XML instructions.
    1. Is there anyway around the 1 yr limit ? I have been a google user for 10+ years and recently was going to move from Australia to America and as such updated my location. The move however didnt work out and now back in Australia I am unable to access many of the local apps due to my location being locked to the US.
    1. For those who wish to conceal their location from Google, keep in mind that you use Google services under license agreement. That’s a contract. Google is within their legal rights to know under which country’s laws that agreement is being made. Google is liable for honoring each country’s laws.
    2. Google claims: “We associate your Google Account with a country (or region) so that we can better provide our services to you.” I call 100% smelly bug-ridden B.S. This is obviously some crap written by their nasty lawyers to protect Google’s well-exposed and ugly backside. Google couldn’t give a rat’s ass about any of us. They’ve made that clear by their actions time and time again.
    1. For example, when the user is logging in and we get back an OTP_REQUIRED error code, we can prompt the user for their TOTP using a friendly UI. But if we receive the OTP_INVALID error code, we can display an error message instead.

      .

    2. Why the 2 separate steps for this? Simple: to make things easier on the front-end side of things. Sending 2 different error codes, one for when the OTP is required but missing, and one where the OTP was provided but invalid, allows us to adjust our login UI accordingly.
    3. We're going to define a has-many relationship for a user's second factors, to be able to support multiple second factor types, e.g. TOTP, backup codes, or hardware keys.
    4. But first, an important note — friends don't let friends use SMS 2FA.
    1. Passkeys Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins
    2. User Experience The user experience will be familiar and consistent across many of the user’s devices – a simple verification of their fingerprint or face, or a device PIN, the same simple action that consumers take multiple times each day to unlock their devices.
    3. Also, service providers can offer passkeys without needing passwords as an alternative sign-in or account recovery method.
    4. When a user is asked to sign-in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password.
    1. If you can unlink your address from a locked out account and then link it to a new account and add new 2FA factors to new account, and basically set it up again to be a replacement nearly identical to the original... how is that any different / more secure than just using a "reset account" feature that resets the original account (removes 2FA)?

      We're still back to the recurring original problem with account security where the security of your account comes down to the security of your linked e-mail account.

    1. Twenty-eight (28) days after you enable 2FA, you’ll be asked to perform a 2FA check-up while using GitHub.com, which validates that your 2FA setup is working correctly. Previously signed-in users will be able to reconfigure 2FA if they have misconfigured or misplaced second factors during onboarding.
    2. The strongest methods widely available are those that support the WebAuthn secure authentication standard. These methods include physical security keys, as well as personal devices that support technologies, such as Windows Hello or Face ID/Touch ID.
    3. We strongly recommend the use of security keys and TOTPs wherever possible. SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B.
    1. We now take an opinionated stance on which second factor you should set up first – you'll no longer be asked to choose between SMS or setting up an authenticator app (known as TOTP), and instead see the TOTP setup screen immediately when first setting up 2FA.
    1. The problem with using SMS-2FA to mitigate this problem is that there’s no reason to think that after entering their credentials, they would not also enter any OTP.
    2. I assume anyone interested in this topic already knows how phishing works, so I’ll spare you the introduction. If a phishing attack successfully collects a victim's credentials, then the user must have incorrectly concluded that the site they’re using is authentic.
    3. discussions about SMS-2FA get heated very quickly. I've found that SMS-2FA deployment or advocacy has been a major professional project for some people, and they take questioning it's efficacy personally
    4. Here are the main arguments I’ve heard for SMS 2FA: SMS 2FA can prevent phishing. SMS 2FA can’t prevent phishing, but it can prevent “credential stuffing”. We have data proving that SMS 2FA is effective. I’ll cover some other weaker arguments I’ve heard too, but these are the important ones.
    5. I believe that SMS 2FA is wholly ineffective, and advocating for it is harmful.

      Would this also appyl to OTP by e-mail??

    6. Unique Passwords and U2F are not perfect, but they are good. Unique Passwords reduce the impact of phishing, but can’t eliminate it. U2F doesn’t prevent malware, but does prevent phishing.
    7. This argument only works if what you’re defending is good. As I’ve already explained, SMS-2FA is not good.
    8. Don’t let the perfect be the enemy of the good. Seat belts aren’t perfect either, do you argue we shouldn’t wear them? Etc, etc. This argument only works if what you’re defending is good. As I’ve already explained, SMS-2FA is not good.
    9. If you also want to eliminate phishing, you have two excellent options. You can either educate your users on how to use a password manager, or deploy U2F, FIDO2, WebAuthn, etc. This can be done with hardware tokens or a smartphone.
    10. You are currently allowing your users to choose their own password, and many of them are using the same password they use on other services. There is no other possible way your users are vulnerable to credential stuffing.
    11. If you use a third party password manager, you might not realize that modern browsers have password management built in with a beautiful UX. Frankly, it’s harder to not use it.
    12. If you’re a security conscious user... You don’t need SMS-2FA. You can use unique passwords, this makes you immune to credential stuffing and reduces the impact of phishing. If you use the password manager built in to modern browsers, it can effectively eliminate phishing as well.

      not needed: password manager: 3rd-party

    13. We have a finite pool of good will with which we can advocate for the implementation of new security technologies. If we spend all that good will on irritating attackers, then by the time we’re ready to actually implement a solution, developers are not going to be interested.
    14. t’s important to emphasise that if you don’t reuse passwords, you are literally immune to credential stuffing.
    1. You can also find the combination verb+in+to, but in that case you're usually dealing with a phrasal verb consisting of a verb and the particle "in", which happens to be followed by the preposition "to".They wouldn't give in to our demands.
    2. "Built in to" appears when you use the phrasal verb "build in" followed by an infinitive, but that is not what you are trying to do in your sentence.There's an electronic switch built in to stop all data transfers.
    1. The house, of course, is not doing the agreeing; Cooper is! Because of the distance between Cooper and the participle phrase that describes him, the comma is necessary.
    2. A present participle phrase will always act as an adjective while a gerund phrase will always behave as a noun.
    1. So in your example, you would not use a hyphen: "You can use the types [that are] built in to the library."
    2. How can this be called an adjective? The postmodifier here is a participle phrase, 'built into the library'.
    3. take off, should also be counted as a (multi-word) verb.
    4. Using a hyphen is the wrongest thing to do here.
    1. Unfortunately all SMS/voice gateway are owned by paid services, thus there is no such thing as open-source, that I can recommend.
    2. Fortunately, we found RingCaptcha (https://ringcaptcha.com), which has a the 'starter plan' that offers free 500 OTP monthly. Just a small plug for them for providing freemium service; they are highly reliable because they are integrated with all major global, and regional providers, e.g., Twilio, Nexmo, Infobip, MessageBird, etc., and send your OTP through the best provider/route based on country/phone carrier, and can auto fallback to alternative paths. This means you just need to integrate with RingCaptcha, without the headache of deciding which SMS/voice OTP provider has best combination of price and reliability, which is a real headache when you are sending OTP world-wide.
    1. the issues I've always had with it: No support. As in, no one in Google's support organization has any clue about what this app does. No support group discussions as far as I can tell ("Smart Lock" is too generic to really find anything). That's not surprising, because while I've figured out how it works/what it does in my use case, there's really no clear documentation on it - like what it even does, really.
    2. No support group discussions as far as I can tell ("Smart Lock" is too generic to really find anything).

      too generic

    1. {{#discriminator.mappedModels}} {{#-first}} {{#vendorExtensions.x-useDeduction}} @JsonTypeInfo(use = JsonTypeInfo.Id.DEDUCTION) {{/vendorExtensions.x-useDeduction}} {{^vendorExtensions.x-useDeduction}}
    1. Most platforms that require OTP verification for ensuring security are targeted at the mobile phone only. But some payment gaterways send OTP to email address also simultaneously to doubly ensure that you get the OTP and that you have requested the OTP. There could be some delay in SMS or email reaching you. Many OTPs are time restricted - you have to use them quickly.
    1. It is a law of nature that our thoughts and feelings are encouraged and strengthened as we give them utterance. While words express thoughts, it is also true that thoughts follow words. If we would give more expression to our faith, rejoice more in the blessings that we know we have,—the great mercy and love of God,—we should have more faith and greater joy. No tongue can express, no finite mind can conceive, the blessing that results from appreciating the goodness and love of God. Even on earth we may have joy as a wellspring, never failing, because fed by the streams that flow from the throne of God.
    1. Double quotes for string literals - because pre-committing to whether you'll need interpolation in a string slows people down
    1. Another option would be to implement a delay scheme to avoid a brute force attack. After each failed attempt A, the authentication server would wait for an increased T*A number of seconds, e.g., say T = 5, then after 1 attempt, the server waits for 5 seconds, at the second failed attempt, it waits for 5*2 = 10 seconds, etc.
    2. The reason for masking the most significant bit of P is to avoid confusion about signed vs. unsigned modulo computations. Different processors perform these operations differently, and masking out the signed bit removes all ambiguity.
    1. Protocols are, by their very nature, open. If you can't read the protocol specification then you can't very well implement it, can you?
    2. As others pointed out, OATH's claims of "open source" have little meaning when compared to other authentication protocols such as SAML. When you include the entire Liberty Alliance specifications as well as the Web Services Initiative protocols and methods (as devised by Microsoft and IBM) there's nary a proprietary bit of code involved. Actually, there's no code involved at all. Protocols are, by their very nature, open. If you can't read the protocol specification then you can't very well implement it, can you?
    1. the output is 20 bytes, and so the last byte is byte 19 (0-origin).
    2. It is suggested that verification be locked out after a small number of failed attempts or that each failed attempt attracts an additional (linearly increasing) delay.
    1. One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.
    1. We believe that being open source is one of the most important features of Bitwarden. Source code transparency is an absolute requirement for security solutions like Bitwarden.