From my reading, it looks they're considering this for only non HTTPS downloads initiated from an HTTPS page
Relevant quotes:
> ... we will likely start by treating certain high-risk downloads initiated from secure contexts as active mixed content and block them.
> We're not planning to focus on non-secure downloads initiated from non-secure contexts at the moment, because users at least see the "Not Secure" omnibox badge on those pages.
Locally-installed root CAs are allowed by HSTS, so if you added the HTTPS proxy to the root store, this would work without warning, unless you manually checked the certificate.
Of course, this only works on machines you're the admin of, which is why it's allowed.
So what happens if a hacker hacks company A and uses their server as a jump box to hack company B? Is company B allowed to hack A since their machine was used in an attack?
Or even worse, what if company B is mistaken as to who attacked them? If they "hack back" as advocated, but against the wrong target, are they liable?
> log in with some criteria more than just a username/password
The problem there is that captive portals don't add any extra link-layer security. The network is open, so literally anyone can sniff packets.
It's uncommon, but a network using WPA2-Enterprise and user/pass uses different keys for each person (not sure if per device or per user), so you don't have to trust everyone in the room.
I took a differential equations class last semester, where the easy part of quite a few problems was to solve a quadratic equation. And it was easy, because my algebra classes had correctly required me to practice that skill (and memorize the quadratic formula).
So, you say, I'm never going to take differential equations. And you very well might not. I have two responses to that:
1) That's true, you might not, but the guy sitting next to you will, and he doesn't even know it yet. If you were allowed to opt out of that subject, you both would, and he wouldn't even have a chance to make up for it later.
2) There are plenty of other subjects where the easy part is an algebra concept, and it's only easy because you practiced it years before.
You can do something similar with bash. If you set PROMPT_COMMAND='history -a', it'll append to the history file right after the command completes (because the prompt command is run as the prompt is printed).
Disassembly is a much easier task than decompilation, since it's a mostly mechanical process. Decompilation requires you to undo the optimizations/transformations the compiler did as it generated the binary, which is much harder.
That said radare2 is still cool, and a GUI (Cutter) is in the works.
> Which would work if licenses and copyrights didn't exist.
I don't think it would.
Dynamic linking allows a library to be patched once and have the patch apply to all the programs using it. If every program was statically linked, you would have to update each one individually.
Not to mention the waste of space.
I'm guessing much of that is moot these days, but IMHO it's still something to aim for.
I feel like just having a browser extension is a major security hole for any password manager. Yes it's more usable and prevents domain spoofing, but it makes the attack surface huge.
Whereas to exploit a desktop app that doesn't interface with the browser (written in a decent way), you'd need code execution already.
> reversing commit hashes back into their contents
Somewhat off topic, but is this actually possible?
Given hashing is inherently lossy, I'm inclined to assume it's not possible for anything must longer than a password, but commits are text, which I suppose is low entropy per character, so I don't know.
> Machine Learning (e.g. CS221, CS229, CS230, CS124, CS224N) You should be comfortable with the basics of machine learning and deep learning.
Anyone have a good implementation-heavy self-study resource for those topics, or experience with the recorded lectures for those Stanford courses?