Do you have source for IWF funding being by big tech? Haven’t found anything that breaks their funding down by source and the majority on the UK govt site is from “charitable activities”…
Putting aside the WASM sandboxing (I’m not familiar enough with it to understand how sandboxing works) there’s a DoS vector at least. Even regexes have had many DoS issues, and I can’t imagine WASM being easier to…
There’s a big difference in the expected use of a file. If the file is attacker provided, and the fallback path is being used, the attacker can embed whatever WASM payload they want into the file since the file will be…
UK has never had net neutrality, there are many limited data phone plans that include unlimited music/video etc
Making it explicit wouldn’t be particularly problematic no? Option<&Spouse> in Rust terms. Or for this specific case, a GADT (Single | Married<&Spouse>)? It could even use a special “NULL” address. Just don’t pollute…
Pure CS is not necessarily equivalent to pure maths. For the “science” bit of CS, you do need to do the equivalent of experiments (for more applied topics). For example, a physics degree is expected to have experiments.…
Changing the links and doing nothing else would be a pretty dumb MITM. You could do a more complex variant which is not so easy to spot (targeting specific networks, injecting malware whilst modifying the checksum) The…
I find it interesting that they bought Astro (https://blog.cloudflare.com/astro-joins-cloudflare/), which from my definitely-not-a-frontend-person perspective seems to tackle a similar problem to Next. A month ago. If…
You can make it so employees don’t have ambient access to data, and require multi-party approval for all actions that require user data. Giving away a user password should be treated as a routine risk. I’m not saying…
A global train outage would be quite a spectacle, is that even possible?
Management not having to listen to engineers is the structural problem. How do managers know which concerns that engineers bring up are actually relevant? How do engineers know which concerns have real world…
I think it depends on the scope and level of solution I accept as “good”. I agree that often the thinking for the “next step” is too easy architecturally. But I still enjoy thinking about the global optimum or a…
I guess this is also a matter of organisational policy and how much power individual teams/organisational units have. I would imagine mature organisations without serious short/medium term existential risk due to…
Team lead manages the overall direction of the team (and is possibly the expert on some portions), but for an individual subsystem a senior engineer might be the expert. For work coming from outside the team, it’s sort…
To be clear, they definitely use ingress anycast (ie anycast on external traffic coming into Cloudflare). The main question was whether they (meaningfully) used egress anycast (multiple Cloudflare servers in different…
So reading the article you’re right, it’s technically anycast. But only at the /24 level to work around BGP limitations. An individual /32 has a specific datacenter (so basically unicast). In a hypothetical world where…
I guess my workflow for this is more fragmented. Either I’m prototyping a script (and edit and test it directly) or just need throwaway loop (in which case fish is nicer). I also don’t trust myself to not screw up…
For POSIX: I leave Bash as the system shell and then shim into Fish only for interactive terminals. This works surprisingly well, and any POSIX env initialisation will be inherited. I very rarely need to do something…
Wha do you mean by “fixing this” or it being a design flaw? I agree with the point about sequential allocation, but that can also be solved by something like a linter. How do you achieve compatibility with old clients…
Google’s SRE STPA starts with a similar model. I haven’t read the external document, but my team went through this process internally and we considered the hazardous states and environmental triggers.…
Hmm, I see what you mean, although technically this is still a 2 factor compromise (Google account password + 2FA code). Just having one or the other wouldn’t have done anything. The bigger issue is the contagion from…
Gotcha, thanks for clarifying! And did you have passwords using chrome password manager as well (which were also compromised by the Google account access, and this is how they got access to e.g. Coinbase?), or did they…
But if you get access to the inbox, then you have a compromised device or the password via some other means right? Inbox access is a fairly big compromise, even without the 2FA codes.
I’m struggling to understand the chain of events, because the story starts midway. Is the claim that JUST the 2FA code was enough to pwn everything with no other vulnerabilities? If that’s the case, then that’s a way…
These don’t prevent censorship necessarily, they will give you a way to detect it at best. DNSSEC gives you the ability to verify the DNS response. It doesn’t protect against a straight up packet sniffer or ISP…
Do you have source for IWF funding being by big tech? Haven’t found anything that breaks their funding down by source and the majority on the UK govt site is from “charitable activities”…
Putting aside the WASM sandboxing (I’m not familiar enough with it to understand how sandboxing works) there’s a DoS vector at least. Even regexes have had many DoS issues, and I can’t imagine WASM being easier to…
There’s a big difference in the expected use of a file. If the file is attacker provided, and the fallback path is being used, the attacker can embed whatever WASM payload they want into the file since the file will be…
UK has never had net neutrality, there are many limited data phone plans that include unlimited music/video etc
Making it explicit wouldn’t be particularly problematic no? Option<&Spouse> in Rust terms. Or for this specific case, a GADT (Single | Married<&Spouse>)? It could even use a special “NULL” address. Just don’t pollute…
Pure CS is not necessarily equivalent to pure maths. For the “science” bit of CS, you do need to do the equivalent of experiments (for more applied topics). For example, a physics degree is expected to have experiments.…
Changing the links and doing nothing else would be a pretty dumb MITM. You could do a more complex variant which is not so easy to spot (targeting specific networks, injecting malware whilst modifying the checksum) The…
I find it interesting that they bought Astro (https://blog.cloudflare.com/astro-joins-cloudflare/), which from my definitely-not-a-frontend-person perspective seems to tackle a similar problem to Next. A month ago. If…
You can make it so employees don’t have ambient access to data, and require multi-party approval for all actions that require user data. Giving away a user password should be treated as a routine risk. I’m not saying…
A global train outage would be quite a spectacle, is that even possible?
Management not having to listen to engineers is the structural problem. How do managers know which concerns that engineers bring up are actually relevant? How do engineers know which concerns have real world…
I think it depends on the scope and level of solution I accept as “good”. I agree that often the thinking for the “next step” is too easy architecturally. But I still enjoy thinking about the global optimum or a…
I guess this is also a matter of organisational policy and how much power individual teams/organisational units have. I would imagine mature organisations without serious short/medium term existential risk due to…
Team lead manages the overall direction of the team (and is possibly the expert on some portions), but for an individual subsystem a senior engineer might be the expert. For work coming from outside the team, it’s sort…
To be clear, they definitely use ingress anycast (ie anycast on external traffic coming into Cloudflare). The main question was whether they (meaningfully) used egress anycast (multiple Cloudflare servers in different…
So reading the article you’re right, it’s technically anycast. But only at the /24 level to work around BGP limitations. An individual /32 has a specific datacenter (so basically unicast). In a hypothetical world where…
I guess my workflow for this is more fragmented. Either I’m prototyping a script (and edit and test it directly) or just need throwaway loop (in which case fish is nicer). I also don’t trust myself to not screw up…
For POSIX: I leave Bash as the system shell and then shim into Fish only for interactive terminals. This works surprisingly well, and any POSIX env initialisation will be inherited. I very rarely need to do something…
Wha do you mean by “fixing this” or it being a design flaw? I agree with the point about sequential allocation, but that can also be solved by something like a linter. How do you achieve compatibility with old clients…
Google’s SRE STPA starts with a similar model. I haven’t read the external document, but my team went through this process internally and we considered the hazardous states and environmental triggers.…
Hmm, I see what you mean, although technically this is still a 2 factor compromise (Google account password + 2FA code). Just having one or the other wouldn’t have done anything. The bigger issue is the contagion from…
Gotcha, thanks for clarifying! And did you have passwords using chrome password manager as well (which were also compromised by the Google account access, and this is how they got access to e.g. Coinbase?), or did they…
But if you get access to the inbox, then you have a compromised device or the password via some other means right? Inbox access is a fairly big compromise, even without the 2FA codes.
I’m struggling to understand the chain of events, because the story starts midway. Is the claim that JUST the 2FA code was enough to pwn everything with no other vulnerabilities? If that’s the case, then that’s a way…
These don’t prevent censorship necessarily, they will give you a way to detect it at best. DNSSEC gives you the ability to verify the DNS response. It doesn’t protect against a straight up packet sniffer or ISP…