The engineer found that Copilot Designer generated disturbing scenes that have gone unaddressed by Microsoft, CNBC reports. That should go over great during his next annual review
Microsoft said that the use of CodeQL will eventually analyze 100 percent of its commercial products. Security in the future, for what wasn't in the past
I hate CodeQL, flags WAY too many false positives about injection.
Warning! You have injection into your LOGGING message!
I’ve given up trying to be calm. However, I am open to feeling slightly less agitated.
I’m begging you for the benefit of everyone, don’t be STUPID.
Kent Sharkey wrote: Security in the future, for what wasn't in the past From not checking anything to disturb you to the point you are not able to work anymore.
Nice evolution.
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Building a cross-platform application is challenging. This is where Uno Platform becomes essential. Because it's #1?
MarkTJohnson wrote: There's a card game called Uno and you have to announce Uno when you lay down your penultimate card.[^] My kids love it
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
The National Security Agency is sharing new guidance to help organizations limit an adversary's movement on the internal network by adopting zero-trust framework principles. In case you have more than zero trust with the NSA
Kent Sharkey wrote: is sharing new guidance and probably asking you to install / run something to check for vulnerabilities.
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
First two sentences of that article just blow my mind!! 🤯🤯🤯
Forbes said: [1] Security experts advise against using SMS messages for two-factor authentication codes due to their vulnerability to interception or compromise. [2] Recently, a security researcher discovered an unsecured database on the internet containing millions of such codes, which could be easily accessed by anyone.
1. "They" (almost every company out there) give us no other choice but 2FA via text
2. It is obvious that devs have no idea what they are doing. Why would the codes be in a freaking DB? They should be generated on the fly and expire very quickly. It is obvious that companies have no idea what security even means and they assign security solutions to devs who have no idea what they are doing.
And, oh, here's a meme I created for 2FA: https://i.stack.imgur.com/R6EvV.png[^]
raddevus wrote: Why would the codes be in a freaking DB? I think they would need to be persisted to a database due to the challenge of maintaining a large in-memory store across geographical boundaries.
raddevus wrote: They should ... expire very quickly. Agreed. A cron job should delete them from the database as they expire.
/ravi
Ravi Bhavnani wrote: I think they would need to be persisted to a database due to the challenge of maintaining a large in-memory store across geographical boundaries.
I was thinking about this myself and there is a way around it that isn't that difficult -- a solution that makes it so they never have to store codes.
1. They could generate SHA-256 hashes based on time and some other salt.
2. Then they can either:
2a. return 6 chars of the SHA-256 (from anywhere within the 64 character hex-based hash) -- this would be the code that the user would type into the form to verify. Later the server side would just generate the hash again and match to the 6 chars that the user typed.
2b. or calculate a number from the sha-256 hash
The point here is that they use a reproducible method for generating a SHA-256 hash so that they don't have to store values anywhere.
Since these codes would expire within 10 minutes it is unlikely a hacker could recreate the hashes in time anyways.
There are definitely ways -- that aren't that difficult -- so they don't have to store these codes in a db.
it would be very similar to the old key fobs used for vpn sign on. see image[^]
here's a wiki article about them: RSA SecurID - Wikipedia[^]
The vulnerabilities are man-in-the-middle attack but that is true for the other codes too.
modified 6-Mar-24 13:27pm.
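The stateless scheme raddevus sketches above, written out as an added example (this is not raddevus's code, nor any vendor's implementation). It keys the hash with HMAC-SHA256 so the code is reproducible by the server but not by someone who only knows the time; the server key, the user id in the message and the 10-minute window length are assumptions, and the sample key is constructed for the demo. Both of the post's options are shown: option 2a (a slice of the hex digest) and option 2b (a number derived from the hash), with verification that recomputes the code instead of looking it up.

```python
"""Stateless 2FA code derivation: the server recomputes the code from a
secret, the user id and the current time window instead of storing it."""
import hashlib
import hmac
import struct
import time
from typing import Optional

CODE_DIGITS = 6
STEP_SECONDS = 600        # one window = 10 minutes, matching the post's expiry
ALLOWED_PAST_STEPS = 1    # also accept the previous window, so a code issued
                          # just before a boundary is not rejected a second later

# Constructed sample key. Assumption: a server-side secret that never leaves
# the server; the time and user id alone are not secret and must not be the key.
SERVER_KEY = b"constructed-sample-key-do-not-use"


def time_step(now: float, step: int = STEP_SECONDS) -> int:
    """Index of the validity window that contains `now`."""
    return int(now // step)


def window_mac(key: bytes, user_id: str, step: int) -> bytes:
    """HMAC-SHA256 over (user_id, window index): reproducible by the key holder."""
    msg = user_id.encode("utf-8") + b"\x00" + struct.pack(">Q", step)
    return hmac.new(key, msg, hashlib.sha256).digest()


def hex_code(key: bytes, user_id: str, step: int, length: int = CODE_DIGITS) -> str:
    """Option 2a from the post: a slice of the hex digest is the code."""
    return window_mac(key, user_id, step).hex()[:length]


def numeric_code(key: bytes, user_id: str, step: int, digits: int = CODE_DIGITS) -> str:
    """Option 2b: reduce the MAC to a number, here with the dynamic truncation
    of RFC 4226 (HOTP): 4 bytes at an offset chosen by the MAC's last nibble."""
    mac = window_mac(key, user_id, step)
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def issue_code(key: bytes, user_id: str, now: Optional[float] = None) -> str:
    """What the server would send by SMS; nothing is written to a database."""
    now = time.time() if now is None else now
    return numeric_code(key, user_id, time_step(now))


def verify_code(key: bytes, user_id: str, submitted: str,
                now: Optional[float] = None,
                allowed_past_steps: int = ALLOWED_PAST_STEPS) -> bool:
    """Recompute the code for the current window and the allowed earlier ones."""
    now = time.time() if now is None else now
    current = time_step(now)
    for back in range(allowed_past_steps + 1):
        expected = numeric_code(key, user_id, current - back)
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    code = issue_code(SERVER_KEY, "alice")
    print("code sent:", code, "verified:", verify_code(SERVER_KEY, "alice", code))
```

Two things the recomputation alone does not give you: it cannot tell a freshly issued code from the same code submitted a second time inside its window, so rejecting reuse still needs a record of consumed codes (which is the kind of data Joe Woodbury describes below), and a six-digit space is small enough that the verifier must rate-limit attempts per user rather than rely on the 10-minute expiry.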
The database is of codes that were used. They are expired.
Joe Woodbury wrote: The database is of codes that were used. They are expired.
oh, what!?! How do those expired codes matter?
I'm completely confused!
Forbes wrote: Security experts advise against using SMS messages for two-factor authentication codes due to their vulnerability to interception or compromise I am more for: The problem is not the SMS per se, the problem is the way the codes are generated and validated and the SIM duplication / phone clone (vendors fault)
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
The Lost Universe offers a free deep-space adventure that can be adapted to your favorite TTRPG system. Roll D20 to launch
Kent Sharkey wrote: Roll D20 to launch and 5D20 to land (and stay straight)
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Why do we spend so much time on a process nobody wants? If you’re doing it right, the performance review process should be unnecessary. No one *needs* them
Middle management *wants* them, because it gives them an actual purpose in life.
modified 8-Mar-24 12:26pm.
Exactly. Everyone is being reviewed every day.
Kent Sharkey wrote: No one *needs* them Totally agree.
At least mine (this week) went well for me
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
My employer's hyper-active HR department, minds stuck in the 1980s, requires quarterly reviews for everyone, both exempt professionals and non-exempt employees.
There are no solutions, only trade-offs. - Thomas Sowell
A day can really slip by when you're deliberately avoiding what you're supposed to do. - Calvin (Bill Watterson, Calvin & Hobbes)
Quarterly reviews? That is bad.
The answer to "Why" is so that HR Departments have an excuse for existing to the extent they are today. When HR depts first became a thing you only needed 1 maybe 2 people b/c all they did was take care of hiring/firing paperwork. In order to justify why an HR dept. like where I work consist of 10 women, it must have many more duties and responsibilities so the primarily female run HR Depts everywhere came up with new annoying means to justify their existence like these evaluations.
I'm intrigued by why you feel it necessary to call out the gender preference in your particular HR department - sounds like a sexist jibe. How ironic on International Women's Day!
Our primarily male HR department would have you on a disciplinary for that.