
The vulnerability allows extracting the secret key from a vulnerable device. If I remember correctly, it's after a successful auth / sign flow, which requires the login/password of the target website.

I could give you my security key and you'll be able to login once. If you can extract the key, then you could login without the security key. In the context of a targeted attack, that could heavily change the impact.


If you're paranoid, of course, you're not going to trust a key that's left your possession, even if you get it back later. Once it's gone it should be revoked permanently.

That presumes you'd know.

It does. If you can get my yubikey off my keyring while it's in my pocket and put it back on without my noticing then I don't know how I can defend against that.

> If you can get my yubikey off my keyring while it's in my pocket and put it back on without my noticing

Yubikey security advisory: "Due to software vulnerability, always store in pocket".

:)


Sort of like how several plot points of the last Mission: Impossible movie could have been thwarted by a zipper.

... in hindsight :)

And you can store things like your PGP keys on there. I use mine for code signing, ssh, and encryption. For me it’d just be a PITA, since I don’t operate in a very sensitive or valuable area, but it could be a nightmare for someone who signs code a lot of people use, for example.

What is your job where you need to give your key to lieutenant Chang daily?

Assuming an obvious cheat, even 100ms or 200ms latency is unbeatable by a human. Especially since the cheat doesn't need time to aim.

Even for non-obvious use-cases, it's hard to beat the advantage provided by knowing the position of players.

On my own hotspot, I have less than 30ms of latency.


Usually it's because users will log in or misclick on it. This will give their email address and personal information so that they can be sold or spammed. On another note, it boosts new accounts/sign-in metrics.

It does suck for the user.


Notifications were also a huge issue for iOS PWA. I haven't followed so I'm not sure if anything changed.


They were (and are) a huge issue everywhere, see a link to the thread below. Some active fans made us believe it’s an iOS problem when it wasn’t.


Where is the link



Aren't patent trolls called trolls because they litigate on broad patents, for which prior art exists in many cases? If so, they can't protect a startup in any way unless you create broad and invalid patents.

Your IP assets can be used to litigate by companies that aren't patent trolls.


Extensions often rely on third-party binaries (such as Language Servers, kubectl, ssh or even git itself), internet access (SAAS providers, pulling data or definitions, ...) and on your filesystem (SSH Config, Kubernetes config, Config folder in your home, ...). Sandboxing these extensions is not easy unless everything is configured within VSCode which is rarely the case.

As far as I know, extensions are not sandboxed on Emacs, (Neo)vim, or JetBrains IDEs either.


Extensions (in Emacs lingo we call them 'packages') are not sandboxed by design. Because unlike VSCode, you are allowed to override any, just about any part of a package's code. You can, for example, grab a command introduced in a third-party or a built-in package and override only specific parts of it without having to rewrite the entire thing.

Of course, in many cases that can make your entire setup brittle - i.e., what happens when the package author decides to change some functionality that you carefully and tightly integrated into your system? At the same time, there's enormous, unmatched flexibility for making your own rules of the game - there's nothing that comes even close. You can change a function to do things that it was never initially designed for. For example, if there's a command that lets you perform GitHub search and open results in the browser, you can advise that command to change the behavior and instead of opening the results in the browser, send that data to an LLM and display it in a text buffer. You wouldn't have to rewrite the entire command; you would only have to override a specific part of it. In Vim, you'd have to rewrite the entire function. In VSCode, you'd likely have to make a separate extension. In Emacs, you wouldn't even have to save the damn thing into a file - you can write it in a scratch buffer and immediately try it out.


Please correct me if I am wrong but the only application (class) that currently sandboxes extensions is a web browser. So the bar is pretty high.

Sandboxing does not come for free, as it creates more complex development APIs and performance hits.


Definitely.

Would still be nice to have the option to opt into, for example, running as a WASM isolate - given the option of a robust sandbox, some plugins will find it desirable to migrate and gain the secure badge or however isolated plugins are marked for user identification.

But there are plugins where it’s going to be too much of an uphill battle to move to that model. I still think on balance having sandboxed plugins, however they’re implemented, would be pretty nice.


And happily VS Code runs in the browser (vscode.dev, github.dev) if you do choose to make that security/performance trade off at some point for some reason. And with sync you can have all your UI extensions and keybindings ported over under the covers.


Not only UI extensions. For some time now extension developers can opt in to provide browser worker targeted bundles for their extensions.


Sure, I’ve even made a handful of those myself. I contrast them with workspace extensions that run on a (possibly remote) host with full access to subprocesses/etc.


VSCode could shove the entire extension, third party binaries included, into a sandbox, Docker-style. And “give this extension Internet access” could be an option when you install it, with the default being “no”, and a big warning if you want to override that default.

For all that the Docker ecosystem is somewhat of a mess, it seems more than adequate for this use case.


> into a sandbox, Docker-style

Nope, docker alone/by itself is not a sandbox, at all. Not built for that purpose, nor suitable for that purpose.


Reproducible builds are not a requirement for open source software, why is it one for open source models?


I would say that functionally reproducible builds are sort of inherent in the concept of “source”. When builds are “not reproducible” that typically just means they’re not bit-for-bit identical, not that they don’t produce the same output for a given input.


Once neural networks enter the scene, I don't think giving the same output for a given input is possible in the field currently. I believe this is as open as language models can be, and what people mean when they say it's a "fully open source" model.


Setting up a database, backup processes, object storage, archiving, and especially compliance is a huge upfront cost for a small company.

It is true that you pay for the engineering done by AWS, but you also need to take into account the network effect and compatibility with third-parties.

With this being said, AWS is still very expensive. But AWS being profitable doesn't imply it is profitable for you to run your own infrastructure. The same way it is not profitable for you to run your own shipping company, or your own internet backbone provider.


Indeed, that is decided on a case-by-case basis. So if a company determines that moving on-premise is cheaper than AWS, perhaps that is actually true for them.


LG WebOS is just as bad. It used to load in a second but after a few updates, booting up the TV takes 10 to 30 seconds.

They changed where it boots to. You don't have any image or app menu by default anymore. They changed Terms and Conditions so many times, re-enabling tracking defaults as they see fit.

Seeing how they support their own OS, I'm not surprised they broke support on Android-TV.


And then Starlink users get fined or arrested and Starlink Minis get seized. Also, how good does it look for an international company to sell as evading customs and import taxes?

Crypto and stablecoin don't make the physical reality of owning such a device disappear.


They probably wouldn't sell terminals straight to Brazilian customers but rely on resale to keep their hands clean.

I'm not sure how feasible first finding and then fining/arresting owners would be. The proposed VPN fines were seen as outrageously disproportionate.


Starlink is offering free service to current customers until they can access their bank accounts again.

