HackerTrans
TopNewTrendsCommentsPastAskShowJobs

tric

no profile record

Submissions

“Some actions on this tweet have been disabled by Twitter”

twitter.com
4 points·by tric·3년 전·1 comments

Twitter's Recommendation Algorithm

blog.twitter.com
181 points·by tric·3년 전·2 comments

comments

tric
·3년 전·discuss
> Only requirement is that the domain the attacker is spoofing is using O365.

This is not true. The paper mentions multiple service providers using more relaxed validation.

Table 3, section 5 in the paper shows which policies need to be in place on the domain they are piggy-backing on.

They reference Postfix:

"Additionally, we note that mailing list software such as Listserv and Mailman require a backend MTA. In our experiments we used Postfix with DMARC turned on, a configuration which follows good security practice. However, in practice many organizations might not use this configuration because many MTAs (including Postfix) do not enforce DMARC by default. In these cases, the attacker can spoof email from any target domain, regard- less of its DMARC policy, much like the attack against Gaggle."

I read this to mean that if you actually enable DMARC in Postfix, piggy-backing on another domain's policies results in rejection.

No mention of results for receiving at ProofPoint, Mimecast, Trellix, or Cisco's email appliance.

> This is not a UX problem.

They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that.
tric
·3년 전·discuss
Your domain may have a policy of reject or quarantine, but does the receiving host correctly act on that policy?

I can understand if free email providers are more permissive with narrow authentication scenarios. Users aren't usually able to contact support.

As someone suggested in this thread, this is a UX problem.

Policies need to appease a large number of users. A gov/corp org receiving these messages can be more strict. Even in these orgs, people complain about not receiving an email that was appropriately rejected.
tric
·3년 전·discuss
> the DMARC offenders are primarily at the state, county, and local level.

This has been my experience as well. Likely due to their systems being managed by lowest-bidder MSPs.

Someone once shared their own analysis of each state's configuration a few years ago:

https://old.reddit.com/r/sysadmin/comments/cawch1/united_sta...

I wonder how it looks today.
tric
·3년 전·discuss
The diagram demonstrating the attack shows DMARC fails. All they have shown is that everyone should have DMARC configured properly, and use a reject or quarantine policy. This has been best practice for a long time now.

They use the example of state.gov. That domain's policy is currently set to Reject, which is what all Federal government services have been using for years now.

Here's CISA's requirements: https://www.cisa.gov/news-events/directives/bod-18-01-enhanc...

Microsoft also uses their own auth mechanism in addition to DMARC. It's called composite authentication. In my experience, comp-auth is more strict than DMARC alone.

https://learn.microsoft.com/en-us/microsoft-365/security/off...

What am I missing? Why is this noteworthy?

EDIT:

After reading more of the paper, my conclusion is mentioned in a later reply:

"They are demonstrating a problem with managed providers, and their opinionated configuration. You give up a lot of control as an admin when you use 365 as your front-end. This further proves that. "
tric
·3년 전·discuss
The problem is with linking the account/activity with your identity.

HN can only use less reliable identifiers (eg GeoIP) to link my account to other data. A phone number (potentially) connects me to more data about me.
tric
·3년 전·discuss
It's always surprising to see how willing people are to give up their phone number to use an app. It's not just Meta products. Telegram & ChatGPT too.

I'm afraid more services will go in this direction.
tric
·3년 전·discuss
> I'm surprised there isn't some way for gamers to rent out use of their GPU's when idle.

https://rendernetwork.com/

"The Render Network® Provides Near Unlimited Decentralized GPU Computing Power For Next Generation 3D Content Creation."

"Render Network's system can be broken down into 2 main roles: Creators and Node Operators. Here's a handy guide to figure out where you might fit in on the Render Network:

Maybe you're a hardware enthusiast with GPUs to spare, or maybe you're a cryptocurrency guru with a passing interest in VFX. If you've got GPUs that are sitting idle at any time, you're a potential Node Operator who can use that GPU downtime to earn RNDR."
tric
·3년 전·discuss
> wouldn't it be a duopoly considering that AMD is also a big player?

I don't think GPUs are commoditized. You can't swap a Nvida GPU with a AMD GPU, and get the same performance/results.
tric
·3년 전·discuss
> people used to get around without driving

Believe it or not, they still do.
tric
·3년 전·discuss
> Geez, TikTok (basically) content on HN...

The aggression, quick cuts, single word subtitles...

I don't understand the appeal of this style. I wonder how people will look back at this era of video editing in 10 years.
tric
·3년 전·discuss
You can ask that the mortgage not be sold, and continue to be serviced at your local bank. I don't know if this increases costs, though.
tric
·3년 전·discuss
That quote is about "Bitcoin supply" and impact to the "entire Blockchain regime" (ie the Bitcoin blockchain), not Ordinals.

Regardless, Ordinals is not centralized. See the correction in the article.
tric
·3년 전·discuss
>Probably that it’s very centralized. Or at least that the price is able to be highly influenced by a few individuals/groups.

The article and the parent comment are about Ordinals. Your comment appears to be an opinion about Bitcoin the asset and/or network itself.
tric
·3년 전·discuss
> I have premium at the moment ...and the ads are still getting out of hand.

Do you mean promos for other Netflix shows? Or are these ads for products/services unrelated to Netflix?
tric
·3년 전·discuss
> seems like a power grab to me

If you're not at the table, you're on the menu.
tric
·3년 전·discuss
> What's concerning to me are reports of the car still uploading all the collected data if you attach a cell phone to the radio's bluetooth

This must be if you have the car manufacturer's app installed. I can't think of any other way for it to phone home from DCM via buetooth if the cellular module is disabled.
tric
·3년 전·discuss
> How could a car system be better than just be a screen and interface for the functionality your phone provides? It's literally the dream.

This is how Apple Carplay works. It just streams the phone to the display, and accepts input from the car's buttons. I think Android Auto does the same.
tric
·3년 전·discuss
I was looking into getting a new toyota, but was hesitant because of this tracking "feature."

I searched online for how to disable it, and found this question:

https://carkiller.com/scottykilmer/qa/how-to-permanently-dis...

These responses are typical:

"But you're still going to be traceable by your phone."

"...everyone, EVERYONE, on the planet has their information out there. There is no such thing as "off the grid." "

"your phone has sent more than enough info about you to every advertiser on Earth mord than the DCM will ever do."

Many people just don't care....
tric
·3년 전·discuss
Here's the nitter link:

https://nitter.net/elonmusk/status/1657050349608501249

A few days ago, Twitter started requiring cookies when not logged in.
tric
·3년 전·discuss
I think vitamin D deficiency explains moderate hair loss in some people. Just based on my own experience. I don't think enough people mention it.