Hacker News: Permik's comments

I haven't written up an article about it yet, but from a cursory look at the legal stuff this only affects private citizens and could be circumvented by setting up a shell company that owns your devices.

Legally, you can't surrender these devices, access to them or their passwords, as they are company property.


There's what's legal, and then there's what the border guard with a hemorrhoid flareup decides to do on the spot. One pain in the butt can cause you a lifetime of pain in the butt even if it wasn't the intent of any legislator.

> could be circumvented by setting up a shell company that owns your devices.

Hard LOL. Doesn't apply at borders. Any country borders.

Also https://xkcd.com/538/


I'm not sure if this is an obvious question that has been gone through already, but have any of the death threats relating to Rust stuff actually been "verified", or is it just an opinion that has been repeated enough times until it has been accepted as truth?

Just the open amount of discontent towards the language and the community creates the perfect storm for a malicious individual to pose as a Rust developer who sends death threats for doing things that are not aligned with the values of the language/community.



If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party. You can do this wholly anonymously, so you don't have to worry about some trigger-happy corpo ruining your life.

Traficom's FCSC has been a great asset for white hat security researchers globally by allowing them to just keep contributing to the common good.


I should have known this exists, yet I didn't. Thanks for pointing it out.

This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...

In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.


Just to play devil's advocate, couldn't sending zero-day exploits to a foreign nation's intelligence service potentially cause the sender significantly more trouble?


Finland is a NATO country, so for most people on this site you would be sending it to a government agency of an allied nation. Punishing that would make it look like you don't trust your allies.

The other angle is that you are obviously doing it in good faith, on the assumption that they will try to work with the vendor to fix and responsibly disclose the vulnerability.


It depends on the country apparently:

"Israel reached out to US hackers for ‘Zero Days’ tools" - https://www.timesofisrael.com/israel-reached-out-to-us-hacke...


Because... your home country or affected company could consider it espionage? Sounds like a stretch.


Just to play devil's advocate

Why?


Because information asymmetry benefits those with the information. If the devil understands your argument, and you don't understand the devil's argument, the devil will have information advantage.


Not everything in life deserves to have both sides aired.

For example, the Internet giving every crackpot wingnut on Earth an equal voice with scientists is how we end up with measles outbreaks.


It's a good question.


> If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party.

The CCC (Chaos Computer Club) in Germany will probably do the same.


I knew I had heard of CCC from somewhere, but it's https://ccc.de which includes the https://media.ccc.de

There are some really decent technical videos on it, CCC is really awesome!

Really loved this talk in particular from CCC: https://media.ccc.de/v/33c3-8314-bootstraping_a_slightly_mor...


Were you somehow able to intuit that parent is Finnish?

I'm intrigued by your post -- I used to tell people to send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed, and the current administration is so erratic that, paired with Finland's recent rejection of neutrality and ascension into NATO, I would frankly agree that your CERT may be a better fit for the majority of people.


> the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO

Not sure if this is what you mean, the comment is rather confusing to me (Finland was ever neutral? Between which states, surely not EU and Russia as they sit between? Which administration relates to Finland and is unreliable? Why would you need personal contacts to report vulnerabilities to a CERT? Etc), but they weren't rejected for NATO membership: https://en.wikipedia.org/wiki/Finland%E2%80%93NATO_relations opens with

> Finland has been a member of the North Atlantic Treaty Organization (NATO) since 4 April 2023.


That now that they've joined NATO, it's safe to share with them.

A "neutral" country might abuse them.


You now have the worst of both worlds.

You report yourself to the police for trying to hack into a computer system and you report yourself to the website that can now decide to sue you.

All of that without any benefits.


If it's anything like the Dutch or German infosec agencies, "worst of both worlds" is about as far from the truth as you can get. Maybe it works that way in Saudi Arabia, but it's not "reporting yourself" here.


I wouldn't trust anything like that in Germany, where everything is rules-based. Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period. In Germany there's no common sense applied to the rules. Arguing that you hacked and then reported it responsibly won't reduce your criminal penalty for hacking.


> I wouldn't trust anything like that in Germany [...] Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period.

This is rather hilarious to read as a reply to someone whose day job is literally hacking in Germany. We document it for tax reasons and sometimes are even allowed to publish it, too! Besides paying clients, we also "hack" (read: help secure) projects and blog about the vulnerabilities we've found and what the disclosure timeline was.

Clearly this doesn't work as a blanket statement, and coordinated vulnerability disclosure is a thing here. I can agree there are caveats, but the statements as made aren't accurate.

As for dealing with the government, so far as I'm aware, none of us have had bad experiences with the German IT security agency (BSI) whenever a vendor was being uncooperative (healthcare vendors tend to be very, let's say, German about whose responsibility it is when their device sends genital pictures over a network with no encryption or authentication option available in the software).


Apart from a certain general incompetence in IT related topics, common sense is a rather important part of German legal interpretation. Intention, proportionality and such.

There are some infamous counter-examples, but you can find these in any country and it's these that make the news.


Sir, this is not the USA, don't assume stuff fucked up there is fucked up everywhere.


It's starting to be so common on the internet, clueless US residents not really grokking that things aren't as bad in other places as in the US, that I'm starting to think that maybe this is some sort of psychological defense mechanism? You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot have been lied to your entire life...


That sounds a lot like the assumption that crime rates are better in less populous areas - just because there is less reporting doesn't mean that it isn't there.

Have you been to the US? If not how can you be certain that the US is truly worse?


> You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot have been lied to your entire life...

You are describing cognitive dissonance. I suspect most people do have it about their country (unless they really like history, in which case they are aware of the fucked up things their country has done and there is much less dissonance), but the average US citizen is very much an outlier by the standard of western countries.

Even the smart ones who do know history often only know their side of it from their point of view and many of them have very little understanding of the world beyond their borders (because they simply have no need to).

They just seem to blur the border between nationalism and patriotism more than most countries.


Is this purely theoretical? Asking since we don’t wanna encourage making the world worse if there is indeed a clever way to stay safe - has anyone been hassled after reporting to the Finnish Cyber Security Centre?


Well, I'm a Finn and have reported my findings to the FCSC. Zero hassle. The folks at Traficom are a really nice and smart bunch; I have had chats with them face to face a couple of times. They are very well versed when it comes to potential issues or hassles with disclosing exploits. From what I've seen, everyone at Traficom really just wants to keep the internet and information systems safe, and to provide the best support possible for IT professionals regarding cyber/information security.

You can also submit anonymously and/or via secure email: https://www.traficom.fi/en/contact-details/sending-secure-em...

This is what their privacy statement says: “Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority."


Reporting software vulnerabilities in Germany is the dumbest thing you can do, you WILL be arrested. There is a recent case where some company had a hardcoded database password in their EXE file, and if you open it with e.g. Notepad you can see it, and this already counts as "illegal hacking". https://www.heise.de/en/news/Federal-Constitutional-Court-re...


For the generic selector naming I'd suggest "cascade selector/selectors" as that gives a hint of the origins and describes the actual function of it pretty well.


I see what you mean, but what would this do except add more churn?

Words sometimes have misleading aspects, but I don't see any practical problem with the current usage of the word "selector" in web dev. The CSS part is often omitted when it's implicit.

The spec separates selectors cleanly into its own module already, and there are already implementations that don't rely on HTML rendering.

Any rename by committee wouldn't stick anyway, and the fact that the origin of this selector spec is CSS doesn't prevent other uses.

When you bring in "cascading", you already go close to the CSS / rendering aspect, because that's the most common use case for cascading?

Selectors don't cascade, rules do.


But in the real world, for maximal battery savings and therefore UX, routing any notification data via APNS is recommended.

Fortunately you can choose the payload by yourself and just send a notification "ping" without any data about the messages. But if we're serious about security, you just don't ping the client about new messages because even the time and existence of a notification can be compromising. _The user will know that they got a message, when they open the app and see that they got a new message._


Routing e2ee notification data via APNS is fine, it's no different than routing e2ee notification data via HTTPS. Your ISP sees the outer ciphertext in both cases (APNS is also mTLS).


It's good until some unregulated electronic device creates interference that makes some poor guy's pacemaker act up and kills them.


As an RF expert, I can assure you that is not possible. And basic common sense should tell you why.

It's AM radio that gets interfered with.


It's not likely, but if you're an expert I'm sure you could think of a few ways it would be possible. The reason we give people with pacemakers a list of machines to avoid is definitely not to waste their time because there is no possible way any of those things could be dangerous to them.


I mean, more or less, we do. The NIH list includes cell phones, e-cigarettes, and headphones.


As an RF expert I can assure you that I could create a device to wirelessly interfere with a pacemaker. A pathological one, maybe, but the point remains: regulation is needed.


The question is whether such interference could be created by a device as a by-product of its normal operation, not by a weapon that's intended to cause harm.


It definitely is relevant here; it buries the lede and tells me that you're trying to skirt the HN guidelines.

Nothing exists in a vacuum and the surrounding context can and IMO *should* be taken into account.


It couldn't be less relevant. It's noise that distracts from the interesting core of the topic. When I'm reading HN, I don't want a long string of "oh btw there's an account on this website called abc_defg". I doubt it's interesting to anyone with sense.


I've been toying with an idea of creating a JS runtime that tries to run all code two times: one run feeds all identifying information into a runtime that has any network APIs stubbed, and another replaces the identifying info with garbage.

Most likely needs manual quirk code overlays for sites, but it's totally a solvable problem.


archive.today has a documented history of altering the archived content, as such they immediately lose the veil of protection of a service of "public good" in my books.

Just my 2 ¢, not that it really matters anymore in this current information-warfare climate and polarization. :/


> archive.today has a documented history of altering the archived content

Wow, I had no idea. Thanks.


Archive.org has an even worse history of this, FWIW.

It allows website owners and third parties to tamper with archived content.

Look here, for example: https://web.archive.org/web/20140701040026/http://echo.msk.r...

Archive.today is by far the best option available.


What does this example show? It shows "ad blocker detected" for me.


Archived page from 2014 gets tampered with by this javascript from 2022: https://web.archive.org/web/20220912152218/http://echobanner...

Unless you're very technical, web.archive.org is completely untrustworthy.


Deflection rather than addressing the actual accusation.

Pay attention to this type of behavior, folks. It's revealing.


What do you want me to address? I'm just pointing out that there are no great archival services, and the only real alternative to archive.today is worse.

> Pay attention to this type of behavior, folks. It's revealing

What does it reveal?


Lmao, did you just start bickering with yourself?

Or, wow, you just revealed your second account.


Yea, reading through the page, these two accounts have been sounding exactly the same. I suppose it is in line with the childish behavior of AT.


[flagged]


Reported you to mods via email.


Oh great, I might have to click "New Identity" in Tor Browser.


Not sure if you're talking about Adnauseam, but this is basically the lawful evil version of the extension you're describing. https://adnauseam.io/

Adnauseam actually clicks on every ad in the background; otherwise it's just a wrapper on uBlock Origin.


Yes! That one. But we need it for video ads as well now.

Ads are an evil that must be removed from the internet, and draining the wallets of companies using ads, without upside, would make them place less value on them.

