It doesn’t affect their newest keys, but you can’t upgrade an older key to fix it:
All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.
It seems to be largely the same attack that succeeded against Google’s Titan keys a few years ago, according to the article
In fact reading through the article it sounds like they would need to use it to extract the secret. I guess the end goal for this would be to maintain surreptitious access to something after returning the key to the target, either to build a criminal case or for espionage purposes.
Given that the vulnerability may also apply to other secure access card/devices I suppose it could also be used if a nation-state wanted to use an impostor to access secure facilities.
Mlem doesn’t render these either
Question I’ve been meaning to ask: if I start with cloud can I move to self-hosted later? I’ve seen this before and it feels like a product I could make good use of, especially for getting tabs closed.
Caveat: Californians who add a driver’s license to their Apple or Google wallets must still carry their physical ID card as required by law.
What’s the point, then? I thought the reason for a digital ID was so you didn’t always need the physical one with you.
I still replay both every few years; finished Portal 2’s co-op with the kiddo earlier this year.
I haven’t done any programming in over 20 years, but I think I can make a contribution to projects by trying to improve documentation, once I start using some projects
I’ve seen multiple markdown standards; which one did you implement?
Not specifically for restaurant menus, but more generally if you’d like to contribute to Open Street Map while out and about, depending on your area there may not be complete information for a lot of businesses. You can use an app like Go Map!! on iOS or Street Complete on Android (or many other OSM apps) to add information like business hours, website, phone number, and other useful information.
Yes, I just didn’t realize that auto-renew doesn’t work with PayPal on NameCheap and had lazily set it up with PayPal when I got it because I didn’t want to go get my wallet. Lesson learned!
I had this happen with NameCheap. I’m not sure if they bought it or someone else, but it stayed registered with them. Whoever bought it has held it for a couple years, put up a fake website to look like they were using it, but took it down after a year when I didn’t bite on buying it. Current status shows it’s pending deletion finally for abuse or non-payment. I keep checking to see when I can nab it again.
No one seems to be mentioning separate 2FA/TOTP apps. Is everyone running those through their password manager as well? That seems risky?
The big problem is there are a lot of good creators who are only able to be good creators in large part because of the YouTube ad revenue they get. They would otherwise have to work normal jobs and not be able to devote the time or resources to their videos. I have little faith that enough viewers would actually pay enough money to offset the ad revenue that supports many creators. Without a way to realistically replace that financial stream there is a large chunk of YouTube that can’t migrate. Of course, that’s no loss with some of the content mills churning out crap to try and cash in on the revenue, but I’ve seen plenty of good stuff that I’m not sure would exist another way.
I remember a really smart, very nerdy family friend telling us about Linux around 1997/98 and this was the experience he described. It sounded interesting but also like a crazy amount of work.
As someone who has done no programming since taking C++ in high school more than 20 years ago, what do you mean by safer language?
I look forward to the lawsuits that will ultimately cost this man his job.
The article is making a big deal that he works for Microsoft but also says he’s been doing this back since his days working at Google. It never says that this work is part of his official job at Microsoft, though, and I don’t know if we could even know that unless it’s part of his job title. Do we know that Microsoft hired him to do this or could it just be this has been his longtime passion project and he’s doing it outside of his work responsibilities, and he just happens to currently work for Microsoft as his day job?
Reading the article I think most people don’t need to worry about upgrading because of this flaw; this would be a very targeted attack. And I can understand not letting the firmware upgrade; I’m pretty sure I’ve seen examples of nation-state hacks for phones that involve attackers installing an “upgraded firmware” that disables security protections to access otherwise secured info. But yeah, cost is definitely a risk with this design.