  • If you just need to intercept the keypresses in webpages then you can inject a content script and handle these. However there is no way with the new WebExtensions API to intercept browser chrome events.

    Additionally, there is no way to delay events. So if you want to suppress both shift presses, you will struggle to do that. If you are OK with letting the first one go through, suppressing the second one is trivial.
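    As an added illustration of the point above (example code, not from the commenter): a content-script `keydown` handler that lets the first Shift press through and cancels only the second one when it arrives within a short window. The 300 ms pairing window, the `createDoubleShiftFilter` name and the `fakeKeyEvent` stand-in for `KeyboardEvent` are assumptions made for this example; the handler is registered in the capture phase on `window` so it runs before the page's own listeners, which in a real extension requires a `content_scripts` manifest entry with `"run_at": "document_start"`.

```javascript
// Added example, not the commenter's code: suppress the SECOND of two Shift
// presses in a content script. The first press has already been dispatched by
// the time we see it, so without a way to delay events it cannot be held back;
// the second one can be cancelled synchronously before page listeners run.

const DOUBLE_SHIFT_WINDOW_MS = 300; // assumption: presses within 300 ms form a pair

function createDoubleShiftFilter(windowMs = DOUBLE_SHIFT_WINDOW_MS) {
  let lastShiftAt = -Infinity; // timeStamp of the most recent unpaired Shift press
  let suppressed = 0;

  function onKeyDown(ev) {
    // Ignore other keys and OS auto-repeat of a held Shift key.
    if (ev.key !== 'Shift' || ev.repeat) return 'pass';
    const now = ev.timeStamp;
    if (now - lastShiftAt <= windowMs) {
      // Second press of the pair: cancel it and stop it reaching page listeners.
      ev.preventDefault();
      ev.stopImmediatePropagation();
      lastShiftAt = -Infinity; // a third press starts a new pair
      suppressed++;
      return 'suppressed';
    }
    // First press: it has already happened as far as the page is concerned.
    lastShiftAt = now;
    return 'pass';
  }

  return { onKeyDown, stats: () => ({ suppressed }) };
}

// Content-script wiring: capture phase on window so we run before page code.
// Guarded so the same file also loads outside a browser (e.g. under Node).
if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
  const filter = createDoubleShiftFilter();
  window.addEventListener('keydown', filter.onKeyDown, true);
}

// Constructed stand-in for KeyboardEvent so the logic can be exercised offline.
function fakeKeyEvent(key, timeStamp, repeat = false) {
  const ev = { key, timeStamp, repeat, defaultPrevented: false, propagationStopped: false };
  ev.preventDefault = () => { ev.defaultPrevented = true; };
  ev.stopImmediatePropagation = () => { ev.propagationStopped = true; };
  return ev;
}

// Constructed sample sequence: Shift, Shift (200 ms later), Shift, 'a', Shift (750 ms later).
function demo() {
  const f = createDoubleShiftFilter();
  return [
    f.onKeyDown(fakeKeyEvent('Shift', 1000)), // first press of a pair: pass
    f.onKeyDown(fakeKeyEvent('Shift', 1200)), // second within window: suppressed
    f.onKeyDown(fakeKeyEvent('Shift', 1250)), // new pair begins: pass
    f.onKeyDown(fakeKeyEvent('a', 1300)),     // non-Shift keys are never touched
    f.onKeyDown(fakeKeyEvent('Shift', 2000)), // outside the window: pass
  ];
}
```

    Note that `stopImmediatePropagation` on a capture-phase `window` listener keeps the second event from reaching any later listener, but nothing here touches the first press: the comment's point that both cannot be suppressed without delaying events is exactly what the `-Infinity` bookkeeping works around.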

  • The problem with YubiKey is that it doesn’t have a good enough management story for broad use. I do use it for a few core sites (like GitHub), but if I lose a key I need to get a replacement and register that replacement with every site I have set up U2F 2FA on. This is OK with a few core accounts but doesn’t scale to the hundreds of sites that I have an account with. I am sure to miss a few and then either I can’t log in with the new key, or I get completely locked out when I lose that key and get a second replacement.

    1. Salt doesn’t matter if your password is unique.
    2. If they can download data via SQL injection having them log in probably doesn’t matter that much.
    3. If they can dump your password/hash they can likely also dump the TOTP secret.
    4. A lot of website security expert attention is focused on raising the minimum security level. If you are using randomly generated passwords + auto-fill you are likely above their main target audience.

    So yes, it is slightly better, but in practice that difference probably doesn’t matter. If you use U2F then you may have a meaningful security increase, but IMHO U2F is not practical to use on every site because managing the credentials is basically impossible.

    So yes, it is better. But for me, using random passwords and a password manager, it isn’t worth the bother.

  • How exactly does Samsung police this? Surely the repair shop could just… not tattle?

    Well, there is a contract in place and there would be consequences for not upholding the agreement. Sure, they could probably get away with it for quite a while. But it likely isn’t worth the risk; they would rather just out Samsung as being a piece of shit and go on their merry way.

    It would be pretty easy to catch this as well. Samsung can just occasionally submit a phone with a known third party part for repair and see if the expected report comes in.


    I think the main problem is that the companies selling vapes and related products are not really targeting users who are quitting smoking. Obviously there is less money in temporary users. They are targeting people who will keep smoking, usually because it is “cool”, and especially teenagers, who are a good target for “cool” and can be customers for a long time.

    So yes, if you are using it temporarily to ease off nicotine it is great, and we should keep vapes available for these people as medical devices. However, we should try to reduce the damage that vapes are doing to other people. How strongly we should do this is obviously controversial. Personally I would focus on education and personal choice, but there is a strong argument to be more forceful.