Looks like you're on Windows? You can run X apps with XMing, I used to do it years ago. You can run the actual X app and use it, not just get a screenshot.
In 2022, Google TAG were awarded a "lamest vendor" award at defcon for fixing a Chrome vulnerability they discovered was being exploited in the wild... without asking for permission from the NSA first. That was the turning point for me.
Ok that's weird indeed. Here at European hacker events this action would be applauded. Getting permission from spy agencies before fixing something would be a surefire way to get lamest vendor, lol.
Most there don't trust government. And besides security holes can be used by all sides so it's imperative to fix them asap.
Yikes! One would have expected a little more code review or a design review from a hardware manufacturer, especially of security system. A system that people have been worried about since the Pentium FDIV bug.
I feel like using the example key isn’t really the big failure here.
They didn’t need a keyed hash at all, they needed a collision resistant hash.
SHA256 would have eliminated this vuln and it has a hardcoded “key” built into it.
Using a secret key for CMAC would not have been more secure, it would have just meant sophisticated hardware extraction of the key was required before this attack could be mounted.
I'm not familiar with the expert they consulted, but the claim that "The main advantage of 2FA is that it is much more difficult to gain access to your accounts via phishing attacks" is just plain false.
TOTP or SMS-2FA are obviously phishable, if you just entered your password into a phishing site, why wouldn't you also enter a TOTP code? I usually point to Modlishka as a practical example (https://vimeo.com/308709275) to help visualize this.
In fact, the main (claimed) advantage of 2FA is that it prevents "Credential Stuffing" of reused passwords. I personally don't think TOTP (or similar) are a good solution to this problem at all, but this is a thorny issue.
The point here, I believe, is that 1Password will only prompt you to enter the 2FA code if the domains match, same with the password. Your point that if you've already decided to enter your password then entering the 2FA code isn't much of a hurdle is sound, but from the perspective of a user of 1Password, it is indeed very surprising (and rare!) when I try to log in to a page and find that 1Password won't show my log in because the domains don't match. It happens, usually due to some cross-origin login flow, but it's rare. So I think the claim isn't false, it's just based on a premise that might not factor in for different people.
If domain doesn't match, password manager of choice will not suggest to populate credentials. In that case it doesn't matter if 2FA is saved by the password manager, or is managed on another device, because you won't have the chance to use the 2FA.
If domain doesn't match, and you manually copy the password, and login, you can as well manually copy the 2FA code.
I think their point was that it's less phishable from the perspective of needing the attacker to try logging into the site with it in realtime instead of being able to just store the password for some later time. The needed concurrency makes it more difficult (if only slightly).
I'm curious though why you don't think TOTP or similar are good against credential stuffing though, would you be able to expand upon that?
Imagine you reuse the same password everywhere, and are sick of credential stuffing attacks. You ask your friend for advice, and your friend tells you to just enable TOTP when available, explaining that when there is a data breach you will be safe.
That is obviously bad advice, the vast majority of services do not use TOTP and you will have to race attackers to change your credentials quickly at dozens (hundreds?) of services. I think a reasonable person would say that you have not "prevented" credential stuffing.
A far better solution is unique passwords, it works today with all service providers.
I think that's a miss for Claude, this doesn't look right at all. The accrual account is an okay solution, but the syntax is wrong! That syntax is only used for budgeting and forecasting.
I think the solution is effective dates, there is an example pretty close to this scenario in the manual:
I don't think it's terribly wrong. It will generate the desired entries (internally) and proper reports, if you add the appropriate option (--forecast=... for hledger, something else for Ledger). Or you could use it once to generate permanent journal entries, in your main journal or a forecast journal:
This seems like a weak excuse, the same problem exists on UNIX, but slocate solves it well enough. The slocate solution is to build the index and record permission and ownership, then it can restrict output to entries you have permission to see at query time.
I bought a few items at a drugstore yesterday, and noticed the cashier had very elaborate nails.
She used the second knuckles on her inverted hands (i.e. palm facing up) to operate the touchscreen PoS system, and was very efficient. Tool usage can sometimes be adapted.
Super cool, I didn't know about this - too bad it's not archived. I did know about a different game for 1-2-3, I even managed to track down original media and get it working in Linux!
For example...
It looks like this: https://imgur.com/a/Eq2ToVOObviously no input though, you would have to use xdotool! The main benefit is that you probably already have all these tools installed :)