A native Frisian speaker would probably have an even easier time, given that Frisian is the closest language to English. However, Frisian is still more similar to other West Germanic languages than English.
It's "intelligence platform" in the sense that you can gain a ton of information on individuals, organizations, and relationships that drive it all. If you can track how people move and interact between organizations, you can determine who someone is doing business with and even make an educated guess if that's a sale or interview.
It's not necessarily just Germany. Lots of countries have laws that basically say "you cannot log in to systems that you (should) know you're not allowed to". Technical details such as "how difficult is the password to guess" and "how badly designed is the system at play" may be used in court to argue for or against the severity of the crime, but hacking people in general is pretty damn illegal.
He also didn't need to run the script to try more than one or maybe two accounts to verify the problem. He dumped more of the database than he needed to, and that's something the law doesn't particularly like.
People don't like it when they find a well-intentioned lock specialist standing in their living room explaining they need better locks. Plenty of laws apply the same logic to digital "locksmiths".
In reality, it's pretty improbable in most places for the police to bother with reports like these. There have been cases in Hungary where prestigious public projects and national operations were full of security holes with the researchers sued as a result, but that's closer to politics than it is to normal police operations.
The main problem I have with the real-world analogies we use for hacking is that we assume that, like a homeowner, these companies ultimately care about security and are in good faith trying to make secure systems.
They're not. They're malicious actors themselves. They will expose the absolute maximum amount of data they can with the absolute maximum amount of parties they can to make money. They will also collect the absolute maximum amount of data. Your screen is 1920 by 1080? Cool, record that, we can sell that.
All the common sense practices we were taught in school about data security, they do the opposite. And, to top it off, they don't actually want to fix ANYTHING because doing so threatens their image, their ego, and potentially their bottom line.
And people wonder how the US can just turn off the electric grid of another country on demand...with laws like these, I expect there are local 6 year olds who can do the same.
Theoretically, the easiest way is to use a subaddress (more commonly/colloquially known as email aliases or plus addresses; they're described in RFC 5233). You should be able to add a separator character (usually a plus, sometimes other characters instead/in addition) and arbitrary text to your email address, i.e. "myemail+somecompany@example.com" should route to "myemail@example.com".
In practice, this works about 95-99% of the time. Some websites will refuse the + as an invalid special character, and the worst of the worst will silently strip it before persisting it, and may or may not strip it when you input your email another time (such as when you're logging in or recovering your password).
I also suspect spammers strip out subaddresses frequently; very little of the spam I receive includes the subaddress.
So the only 100% reliable way is to use your own domain, but you don't need to run your own custom mail server.
A few ways I've heard about - DuckDuckGo.com has a system that generates a random email address on their domain where you can request "a new email address" whenever you need one; you request a new alias and they create a permanent mapping to your real address from that new address. Then mail sent to, say, Foo-Bar-Hotdog@duck.com goes to you; duck remembers the mapping that this goes to your address. You can reply back and duck handles the anon mapping.
Or you can have a catchall email address on your own domain, where anything sent to any alias on your domain gets forwarded to your own address. Then hamburger@myDomain.com and mcdonalds@myDomain.com go to your real private address. You don't have to set it up. Anytime you join a new service, say reddit, you tell them your address is "reddit@myDomain.com".
All of these have a level of pain associated with them. And they aren't that private. The government could no doubt get a court order to pierce the obscured email addresses.
There's proton email and many others. All of these are too painful for most people.
I have wondered if people who want to be really secret set up a chain of these anon mail forwarding systems.
Proton lets me bring my own subdomain for those random emails and does a pretty good job of tracking which email is given to whom, and also supports hiding your email even if you want to initiate the email contact, not just reply (the plus scheme in the mail address doesn't allow this). Otherwise you can also use their domain too, to stay fully anonymous.
I've been happy with Proton too. I use my own domain and Proton's catch all for this. I always register using addresses like service.name@matheusmoreira.com.
If you’re on Gmail, there’s “plus addressing” - this allows you to append any term after your email - and then sort accordingly.
So if your Gmail is foo.bar@gmail.com you can use foo.bar+servicename@gmail.com and the mail will still end up in your mailbox. Then you can create a rule that sorts incoming mails accordingly.
> Instead, I offered to sign a modified declaration confirming data deletion. I had no interest in retaining anyone’s personal data, but I was not going to agree to silence about the disclosure process itself.
Why sign anything at all? The company was obviously not interested in cooperation, but in domination.
It's clear that the intentions of the insurance company are selfish and they want to gain leverage over the reporter. Even if the reporter managed to add a clause about data deletion, the company could still make the reporter's life hell with the remaining clauses that were signed. This is not worth the risk.
> Wanna trash the site's design, you should open a top level thread instead.
Or better, don't[1]:
Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.
Get a better browser I'd say. Firefox Reader mode makes short work of such sites, including the submission. I use it very often, so I can enjoy the content rather than get frustrated over styling issues.
As well as contrast issues, could also be that there was a javascript error on their end (or they don't whitelist sites for JS by default). This is unfortunately one of those sites that renders a completely blank page unless you use reader mode, enable JS, or disable CSS.
> You can use isolated JS scripts, or other approaches like progressively-enhanced web components
How would one use "progressively enhanced" web components? Maybe I misunderstand the intention behind this statement, but web components are either supported or not. There doesn't seem to be some kind of progression.
Given custom elements are pretty widely supported by browsers now, I assume you are referring to js being turned off.
In terms of designing for that situation - you can follow a pattern where your custom element wraps ( <custom-ele><stdelement></></> ) the element you want to enhance. If JS is turned off, then the custom element defaults to rendering its contents....
Yep, that's the ideal approach for decent browsers. A curious caveat is that IE 8 and below will interpret that example HTML as <custom-ele></><stdelement></> (i.e. as siblings, not parent and child) and therefore not apply any component-scoped styles. Not ideal.
Of course nobody uses those browsers anymore, the same caveat applies to non-custom HTML5 elements, and the bad behavior has long been preventable with JavaScript [0]. But anyone (else) with an extreme backwards compatibility mindset might consider if they could instead bootstrap from <div class="custom-ele"><stdelement></></> and (if needed and in window) a coordinating MutationObserver.
Do you have any insight on SSH servers that only allow login with public key authentication? Do bots leave immediately when they see that they can't use passwords?
If the bot sees no login / password sequence, there’s no way for it to brute force credentials. If the server only takes ssh keys, that will cause an immediate disconnect. Which is why this setting is best practice when setting up a server when practical: PasswordAuthentication no.
I wish this would be the default. I expose my homelab port 22 directly to the internet. I'm _pretty_ sure I always always always disable password auth but I do worry about it because most distros have an unsafe default.
(A lot of this risk is mitigated by not having login passwords but I definitely have one node where I have a login password, it's an old laptop so I thought I might want to physically log in for local debugging).
I guess the ideal solution here is to run a prober service that attempts logins and alerts if it gets any responses that smell like password auth is possible. But no way I have time to set that up.
One way to solve this is to use a configuration management tool (Puppet / Chef / Salt / Ansible etc.). Alternatively, run NixOS. You apply the setting once and then it's applied to all your machines from that point onwards.
When you get a "Permission denied (publickey)." if you try to connect to a server which requires a public key for authentication, it causes your 5 lines to wrongly raise an alarm ... you need to adapt your grep.
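A minimal version of the prober proposed above, incorporating the grep fix from the follow-up: this is an added example, not code from anyone in the thread. It assumes an OpenSSH client; the "probe" user name and the host argument are placeholders, and the sample ssh output at the bottom is constructed.

```shell
#!/bin/sh
# Probe an SSH server without sending any credential and alert if the
# authentication methods it advertises include a password-style method.

# Extract the method list from ssh's final
# "user@host: Permission denied (publickey,password)." line (stdin -> stdout).
extract_auth_methods() {
    sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | tail -n 1
}

# Return 0 (true) if the comma-separated list contains a password-style method.
# Matching whole items avoids the false alarm on "(publickey)" mentioned above.
# keyboard-interactive counts too: with PAM it usually prompts for the same
# login password even when PasswordAuthentication is "no".
password_auth_offered() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -e password -e keyboard-interactive
}

# PreferredAuthentications=none makes the server reject us immediately while
# still listing the methods it would have accepted; BatchMode avoids prompts.
# Exit status: 0 = only key auth, 1 = ALERT, 2 = could not determine.
probe_host() {
    host="$1"; port="${2:-22}"
    out=$(ssh -p "$port" -o BatchMode=yes -o PreferredAuthentications=none \
          -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new \
          "probe@$host" 2>&1)
    methods=$(printf '%s\n' "$out" | extract_auth_methods)
    if [ -z "$methods" ]; then
        echo "UNKNOWN $host:$port - no auth-method line in: $out"; return 2
    fi
    if password_auth_offered "$methods"; then
        echo "ALERT $host:$port advertises: $methods"; return 1
    fi
    echo "OK $host:$port advertises: $methods"; return 0
}

# Stand-alone demo on a constructed ssh message (no network needed).
sample='probe@203.0.113.10: Permission denied (publickey,password).'
m=$(printf '%s\n' "$sample" | extract_auth_methods)
password_auth_offered "$m" && echo "sample would alert: $m"

# Real use: ./sshprobe.sh my.host.example [port]
if [ $# -gt 0 ]; then probe_host "$@"; fi
```

Run it from cron against every exposed host and page on exit status 1; status 2 (timeouts, banner-only responses) is worth a separate, lower-priority alert.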