HackerTrans
TopNewTrendsCommentsPastAskShowJobs

om2

no profile record

comments

om2
·2 месяца назад·discuss
That article doesn’t explain why acupuncture works, just gives a hint of a possible mechanism. It also doesn’t contain any evidence that acupuncture works at all (other than as a placebo).
om2
·2 месяца назад·discuss
- and + operators have the same precedence. And a similar bug is possible if the operators were the same (both -). So I’m not sure it’s right to blame this on operator precedence or mixed operators. It’s just that, ultimately, the “consume” needs to be subtracted, not added.
om2
·8 месяцев назад·discuss
> They also have the option to not spend resources finding the bugs in the first place.

The Copenhagen interpretation of security bugs: if you don’t look for it, it doesn’t exist and is not a problem.
om2
·8 месяцев назад·discuss
The codec is compiled in, enabled by default, and auto detected through file magic, so the fact that it is an obscure 1990s hobby codec does not in any way make the vulnerability less exploitable. At this point I think FFmpeg is being intentionally deceptive by constantly mentioning only the ancient obscure hobby status and not the fact that it’s on by default and autodetected. They have also rejected suggestions to turn obscure hobby codecs off by default, giving more priority to their goal of playing every media format ever than to security.
om2
·8 месяцев назад·discuss
Nation-states are a very relevant part of the threat model.
om2
·8 месяцев назад·discuss
In this world and the alternate universe both, attackers can also use _un_published vulnerabilities because they have high incentive to do research. Keeping a bug secret does not prevent it from existing or from being exploited.
om2
·8 месяцев назад·discuss
Take it up with the parent of my comment, who compared them directly.
om2
·8 месяцев назад·discuss
Implementing it without tons of security bugs is apparently pretty hard.
om2
·8 месяцев назад·discuss
It doesn’t scale well to content that changes dynamically on the client side very well. Dynamic manipulation of the post transform XSL-FO is confusing and difficult, retransforming the whole document from source is too slow and loses state. This is a big part of why CSS won.
om2
·8 месяцев назад·discuss
Fetch API is a pretty recent addition to the web platform. Back in the day, you could absolutely embed images of stylesheets from ftp: URLs. You could even use it with XMLHttpRequest (predecessor of Fetch). Even further back, gopher: was integrated with the web. URL schemes were invented for the web with the idea that http: is not the only one. These other protocols were really part of the web until they weren’t.
om2
·8 месяцев назад·discuss
XSLT is also a really problematic feature from an implementation perspective (albeit in a different way than showModalDialog or MutationObservers).

I’m not a Chrome dev but I think they have decent reasons for going this way.
om2
·6 лет назад·discuss
I'm surprised this hasn't gotten any mainstream tech press attention. Chrome's Privacy Whitepaper describes a number of privacy-questionable nonstandard headers which are only sent to Google services. Just try searching for X- here:

https://www.google.com/chrome/privacy/whitepaper.html

And for ease of reading, a few others:

> On Android, your location will also be sent to Google via an X-Geo HTTP request header if Google is your default search engine, the Chrome app has the permission to use your geolocation, and you haven’t blocked geolocation for www.google.com (or country-specific origins such as www.google.de)

> To measure searches and Chrome usage driven by a particular campaign, Chrome inserts a promotional tag, not unique to you or your device, in the searches you perform on Google. This non-unique tag contains information about how Chrome was obtained, the week when Chrome was installed, and the week when the first search was performed. ... This non-unique promotional tag is included when performing searches via Google (the tag appears as a parameter beginning with "rlz=" when triggered from the Omnibox, or as an “x-rlz-string” HTTP header).

> On Android and desktop, Chrome signals to Google web services that you are signed into Chrome by attaching an X-Chrome-Connected and/or C-Chrome-ID-Consistency-Request header to any HTTPS requests to Google-owned domains. On iOS, the CHROME_CONNECTED cookie is used instead.