I'm sure it's not entirely impossible, but sounds backwards to me. Sure - a lot of the internet relies on Cloudflare, but I'd be very surprised if GCP had a direct dependency on Cloudflare, for a lot of reasons. Maybe I misunderstood your comment?
This is really important for me. Currently, hearing aids will turn to full duplex during calls, and be used as both input and output.
- Audio quality will be much worse, since the bandwidth is split between the two channels. This is obviously bad if you're already struggling to hear.
- Listening to music, for example, the volume controls on the hearing aids simultaneously turn surrounding sounds down and the music up, or vice versa. In "phone-call" mode, however, the phone hijacks the volume control so if you're struggling to hear on a call in a noisy environment there's no way to increase the volume without simultaneously amplifying the surrounding noise to painfully loud levels.
- As mentioned in the article, the microphones are designed to make me hear other people but not myself, making other people complain about my sound a lot. The best I can do is to say "sorry - either you'll hear me like this or I won't hear you at all".
This was designed for people using BT headsets of course, but hearing aids are not headsets.
On Linux I can just pick which microphone I want to use and which mode to use for Bluetooth. It's worked flawlessly for the last decade. To me, that's being "user friendly", good UX, or whatever you want to call it.
On Windows, you can go deep into some ancient, almost hidden, settings and disable the microphone on the BT device. On macOS, you can do the same using the old Audio MIDI Setup tool. It will periodically reset itself of course, like anything related to a11y on macOS. Not sure about iOS, would be interesting to know.
I remember a website about Ski-Doo snowmobiles that my friend was obsessed about (both the website and snowmobiles) in 1998 or so. It was from Canada, and the bgsound was the website owner saying something in French.
To us, it sounded like: fjänfny, hmmhmmhmm, dadadada. I only realized lately that the first word must be "bienvenue". It would be amazing to find it again on archive.org but unfortunately I don't remember more than this. :)
This sounds super useful. I imagine a pipeline where each migration has to explicitly mention which locks it will acquire (and the build failing if there's a mismatch).
I just carefully read the papers inventing the techniques I want to implement, and verify correctness of my implementation by checking that outputs from my code match the papers and pass sanity checks (i.e. diffusion produces nice images, RL improves rewards, etc.).
Any reading recommendations about leadership at NASA? It amazes me that they've delivered so much value, often very quickly, despite being such a large, complex organization.
I recently started reading Peter Westwick's 2007 book, Into the Black: JPL and the American Space Program, 1976-2004. I've only gotten up into the 1980s so far and I find it a good read. Leadership? Sausage making. Per Westwick, there have always been contentious relations between NASA headquarters, the different NASA centers, JPL, and Caltech. (JPL is a NASA center, but staffed by Caltech employees, and relations between JPL and Caltech themselves are often strained.) At JPL, there were frequent shufflings of people in leadership roles. Add in the politics of the whole thing and trying to get funding from the government. If the Reagan administration had fully had their way, there wouldn't have been Voyager 2 flybys of Uranus and Neptune. Fortunately, many politicians (like Newt Gingrich, of all people!) supported NASA. (Westwick discusses all of this in his book.)
So my impression is that we were incredibly lucky that Voyager worked out so well in spite of its chaotic existence from its earliest developmental stages to now. I suppose there are some leadership lessons, but survivorship bias must be accounted for as many projects didn't make it off the drawing board.
I disagree—opinions on the moon landing don't matter because for the most part our lives are divorced from whether or not it happened.
It's much easier to get people to believe stuff that they already want to believe. In conspiracy terms, this looks like QAnon's "liberals are pedophiles" and a belief that Russia somehow has more influence over our politicians than Israel does.
But it all ties in to each other - "the moon landings were fake because they wasted the money on other black projects, we could have been so much better off" and so on.
Well sure, if you're looking to be angry you can tie anything into your interests. But actual criticism of the moon landing is soberly connected to reality: https://www.youtube.com/watch?v=goh2x_G0ct4
I'm just saying there's a reason why moon landing is such a funny topic to discuss—if you do deeply care about it enough to deviate from the accepted narrative, that's very odd.
To limit his legal exposure as a researcher, I think it would have been enough to create a second account (or ask a friend to create a profile and get their consent to access it).
You don't have to actually scrape the data to prove that there's an enumeration issue. Say your id is 12345, and your friend signs up and gets id 12357 - that should be enough to prove that you can find the id and access the profile of any user.
As others have said, accessing that much PII of other users is not necessary for verifying and disclosing the vulnerability.
Eh, part of assessing the vulnerability is how deep it goes. Showing that there were no gates or roadblocks to accessing all the data is a valid thing to research, otherwise they can later say "oh we had rate limiting in place" or "we had network vulnerability scanners which would've prevented a wholesale leak".
Hey there--pentester, security researcher, and bug bounty hunter here.
"Demonstrating impact" is common practice. The presence (or non-presence) of rate limiting controls, such as those alluded to by the commenter above, can play into the risk assigned to a vulnerability, and may be difficult to ascertain without actually attempting an otherwise theoretical attack. This also has the effect of indicating whether the target has adequate detection capabilities, which is important information.
Demonstrating impact is also just sometimes necessary to convey urgency to leadership; hand waving is common. Alternatively, some organizations may silently patch without performing a responsible disclosure, such as was the case with this article. Having hard proof that the attack was 1) viable and 2) not detected is critical information in the event that you must disclose to the public.
As an aside, from your history:
> My one gripe with HN is that people say incorrect things with complete confidence pretty regularly and you can only Detect it if you know the subject matter.
Welcome to being part of the problem. Remember the feeling.
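The detection and rate-limiting controls the comments above argue about are easy to reason about from the defender's side with a concrete artifact. What follows is an added example, not code from this thread or from any product it discusses: it parses a constructed access log in a hypothetical format (timestamp, client IP, method, path, status), flags a client whose requests inside a short window hit a run of distinct, near-sequential profile IDs (the footprint a "pull every record" attempt leaves), and replays the same log through a per-client fixed-window limiter to show how many of those requests a limit would have refused. The IP addresses come from the documentation ranges and the thresholds are illustrative.

```python
"""Spot profile-ID enumeration in web access logs (added example, not the thread's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO timestamp, client, method, path, status).
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 GET /api/profile/12345 200
2024-05-01T10:00:01Z 203.0.113.5 GET /api/profile/12346 200
2024-05-01T10:00:01Z 203.0.113.5 GET /api/profile/12347 200
2024-05-01T10:00:02Z 203.0.113.5 GET /api/profile/12348 200
2024-05-01T10:00:02Z 203.0.113.5 GET /api/profile/12349 200
2024-05-01T10:00:03Z 203.0.113.5 GET /api/profile/12350 200
2024-05-01T10:00:05Z 198.51.100.7 GET /api/profile/12345 200
2024-05-01T10:00:09Z 198.51.100.7 GET /api/profile/12357 200
2024-05-01T10:00:30Z 198.51.100.7 GET /api/profile/777 200
2024-05-01T10:03:00Z 203.0.113.5 GET /api/profile/12351 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) /api/profile/(?P<pid>\d+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "client": m["client"],
        "pid": int(m["pid"]),
        "status": int(m["status"]),
    }


def find_enumerators(log_text, window=timedelta(seconds=60), min_ids=5, max_gap=3):
    """Return {client: (window_start, sorted_ids)} for every client that, within any
    `window`, successfully fetched at least `min_ids` distinct profile IDs whose sorted
    values never jump by more than `max_gap` (i.e. a sequential sweep, not normal browsing)."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200:          # only successful reads leak data
            by_client[rec["client"]].append(rec)
    flagged = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits inside `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            ids = sorted({r["pid"] for r in recs[start:end + 1]})
            if len(ids) >= min_ids and all(b - a <= max_gap for a, b in zip(ids, ids[1:])):
                flagged[client] = (recs[start]["ts"], ids)
                break                              # one alert per client is enough
    return flagged


class FixedWindowLimiter:
    """Per-client fixed-window counter: allow at most `limit` requests per `window`."""

    def __init__(self, limit, window=timedelta(seconds=60)):
        self.limit, self.window = limit, window
        self.state = {}                            # client -> (window_start, count)

    def allow(self, client, ts):
        start, count = self.state.get(client, (ts, 0))
        if ts - start >= self.window:              # window expired: open a fresh one
            start, count = ts, 0
        count += 1
        self.state[client] = (start, count)
        return count <= self.limit


def replay_with_limit(log_text, limit=3):
    """Replay the log through the limiter; return how many requests per client it would refuse."""
    lim = FixedWindowLimiter(limit)
    refused = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not lim.allow(rec["client"], rec["ts"]):
            refused[rec["client"]] += 1
    return dict(refused)


if __name__ == "__main__":
    for client, (since, ids) in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {client}: {len(ids)} sequential profile IDs since {since.isoformat()}: {ids}")
    print("refused by limiter:", replay_with_limit(SAMPLE_LOG, limit=3))
```

On the sample log only 203.0.113.5 is flagged: six successive IDs in four seconds, whereas 198.51.100.7 (the "me and my friend" pattern from the thread, plus one unrelated lookup) touches three unrelated IDs and stays under both thresholds. The limiter refuses three of that client's requests in the first window and then lets the request three minutes later through again, which is why a fixed-window limit on its own is a speed bump rather than a control; the sequential-ID detector is what turns a slow sweep into an alert.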
Also a security professional, pentester, bug bounty hunter, multitude of other irrelevant self-imposed titles owner here.
You’ve demonstrated impact by small amounts of enumeration. If you had any real experience in bug bounty contracts you would know 2 things:
Almost all contracts ask you not to enumerate the entire data set as 2 or 3 records is enough (again, that’s how security controls work) and no one is interested in hearing about rate-limiting on public bounties. Pentesting sure, but that’s not what we’re talking about.
Source: 2 decades in the security industry at large in all kinds of positions.
And a note for future reference. If you think I’m out of line for my snark then don’t give what you can’t take.
Edit: Oh, and as someone on both sides of the fence, enumerating an entire data set against scope is in the top ten reasons people get booted from programs. To anyone else seeing this chain: don't do it. YOU DO NOT NEED TO, TO PROVE IMPACT. Respect people's privacy.