But it should be their job to protect against MitM in their threat model. There is no rational reason to exclude them from the bug bounty. Doing so only leaves MitM attacks like this undisclosed.
I just gave a rational reason to exclude them from the bug bounty, which I can summarize as "the bug bounty is not their entire security program and does not have the goal you've axiomatically derived for it".
Cards on the table I am not a fan of bug bounty programs, and the fact that they're an engineering process that turns out to be impossible to have public engineering discussions about is definitely one of many reasons why. Most companies should not run bug bounty programs.
I’m not diagnosed face blind but I’m hoooooorrible with names. It’s weird because I’ve been tested and score in the 98th percentile for memory generally.
I hung out with a large group of people for nearly a decade and couldn’t remember who was who until the pandemic. The names under Zoom helped me gradually learn over weeks.
When I teach scuba I recite the list of student names for my class in as random an order as possible while I drive to the shop to lower my cognitive load to put faces to names. When I do roll call, I write down every person’s name and try to gradually move off the cheat sheet as I call on them to answer questions. But once they put on their gear (especially since I teach where they use hoods) it all goes downhill. Two white guys approximately 35yo? I’ll get them confused.
If this were socially appropriate I’d totally use it as my prescription glasses to help continue smoothing the curve.
Most sandbox systems today, take Seatbelt from Apple for instance, only strip permissions. If your extension without internet access calls a tool that needs it, boom, access denied, or worse, weird network issues.
One would need some kind of ring system where less privileged processes can call higher privileged processes with their own sandbox permissions.
Sure, that's the main challenge with building good sandboxing systems. But it's not actually that hard to do when the will to do it is there.
For example, Android already allows you to give apps restricted access to your media. My understanding of the way it works is that the resulting interface for picking photos etc. is not under the control of the app. The app only receives whatever file you picked.
That used to be my thing: whenever our ops manager declared something was impossible, I’d put my mind to proving her wrong. Even though we both knew she might declare something impossible prematurely to motivate me.
My favorite was “it’s impossible to know which DB is failing from a stack trace”. I created STAIN (stack traces and instance names): a ruby library that would wrap an object in a viral proxy (all returns from all methods are themselves proxies) that would intercept all exceptions and annotate the call stack with the “stain”ed tag.
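An added illustration of the viral-proxy idea described above, not the commenter's STAIN library; the names `Stain`, `Db` and `stain_demo` are assumed for the example, and every method call and return value passes through the proxy so that any exception carries the instance tag at the top of its backtrace:

```ruby
# Illustration of a "stain" proxy (constructed example, not the STAIN library).
class Stain < BasicObject
  def initialize(target, tag)
    @target = target # the wrapped object, e.g. a DB client
    @tag = tag       # instance name to stamp into backtraces
  end

  # Escape hatch to get the real object back.
  def __stain_target
    @target
  end

  # Forward every call; wrap the result so the tag follows it ("viral"),
  # and stamp the tag into any exception that passes through this layer.
  def method_missing(name, *args, &block)
    ::Stain.wrap(@target.__send__(name, *args, &block), @tag)
  rescue ::StandardError => e
    ::Stain.annotate(e, @tag, name)
    ::Kernel.raise e # re-raising the same object keeps its backtrace
  end

  # Leave immediates alone; everything else gets its own proxy.
  def self.wrap(obj, tag)
    case obj
    when ::Integer, ::Float, ::Symbol, ::NilClass, ::TrueClass, ::FalseClass then obj
    else new(obj, tag)
    end
  end

  # Prepend a synthetic frame naming the instance, once per distinct tag/method.
  def self.annotate(error, tag, method_name)
    frame = "stain:#{tag}:in `#{method_name}'"
    bt = error.backtrace || []
    error.set_backtrace([frame] + bt) unless bt.include?(frame)
  end
end

# Constructed stand-in for a DB client whose raw stack traces are ambiguous.
class Db
  def query(sql)
    raise ArgumentError, "empty query" if sql.empty?
    { rows: [sql] }
  end
end

# Returns the top backtrace frame of an error raised through a stained client.
def stain_demo
  Stain.new(Db.new, "orders-db").query("")
rescue ArgumentError => e
  e.backtrace.first
end
```

Running `stain_demo` yields a backtrace whose first frame reads `stain:orders-db:in 'query'`, so the failing instance is visible without touching the wrapped class.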
I've seen more than one half-joke-half-serious chunk of code that would "encode" arbitrary info into stack traces simply by recursively calling `fn_a`, then `fn_s`, `fn_d`, and `fn_f` before continuing with the actual intended call, giving you a stack trace with (effectively) "asdf" in it.
They've also been useful more than once, e.g. you can do that to know what iteration of a loop failed. There are of course other ways to do this, but it's hard to beat "stupid, simple, and works everywhere" when normal options (e.g. logs) stop working.
Well, you're doing god's work as far as I'm concerned. Conflating difficulty in practice with impossibility in principle is, to my mind, a source of so much unnecessary cognitive error.
Similarly, one of the great things about Python (less so JS with the ecosystem's habit of shipping minified bundles) is that you can just edit source files in your site_packages once you know where they are. I've done things like add print statements around obscure Django errors as a poor imitation of instrumentation. Gets the job done!
Dr. Fauci's pardon comes to mind. I doubt that his accepting a pardon was an admission of guilt. He wasn't even charged, so how can he admit guilt?
And I think that a similar preemptive pardon here, without a charge and thus any admission of guilt, wouldn't allow the fund seizure.
It should be possible to switch the terminal to use the satellites themselves for positioning (Starlink positioning), but it needs to be switched to that option manually.