packtreefly
Joined 86 karma

  1. It's painful, but I've grown distrustful enough of the ecosystem that I disable updates on every IDE plugin not maintained by a company with known-adequate security controls and review the source code of plugin changes before installing updates, typically opting out unless something is broken.

    It's unclear to me if the code linked on the plugin's description page is in any way guaranteed to be the code that the IDE downloads.

    The status quo in software distribution is simultaneously convenient, extraordinarily useful, and inescapably fucked.

  2. They exist. Services treat control of the number as equivalent to control of the account, and expect you to maintain that control.

    Throwaway phone numbers are not a viable low cost or no cost alternative in most normal user signup scenarios, and they're implemented as a privacy invasive form of spam prevention for that exact reason.

  3. > It’s surprising how something that seems harmless, like a simple recovery page, can actually hide some pretty serious security risks.

    This is something you should include in any personal security checkup. Attempt account recovery using every allowed mechanism. The rules for recovery change over time in a way that classical login doesn't.

  4. "ThE tAx CuT pAyS fOr ItSeLf"
  5. I put the passkeys in a password manager, then lock the password manager with multiple physical Yubikeys, keeping several in secure storage.

    This same pattern works for Google/iCloud accounts.

  6. > I kinda just don't get wireless CarPlay/Android Auto at all.

    In addition to your argument, wireless CarPlay is also notoriously unreliable.[1]

    [1]: https://www.google.com/search?q=wireless+carplay+not+working...

  7. If the dongle acts as a WiFi AP with a DHCP server, it could give the iPhone an IP address but no gateway upon connection. This will cause the iPhone to talk directly to the dongle via the WiFi interface, but talk to the rest of the internet via the cellular connection.

    You can determine this by checking the WiFi network's properties after the connection is established. If there's no value in the "Router" field, that's how it works.

    Once you load the firmware update page, JavaScript on the page instructs the browser to fetch the firmware payload from a server on the public Internet, then relays that data to the dongle's web server to execute the firmware update process.

    As the other reply mentioned, this can be tricky, as CORS likes to prevent this kind of data transfer for security reasons, but the right configuration on the web server will make it work.

    It's a fairly clever setup.

    If you want a low-tech way of confirming this design, try running the firmware update with a device that doesn't have two network connections, like a laptop, instead of a cell phone. If it doesn't work from such a device, the scenario I described above is probably how it works.

  8. To keep with that analogy, customers expect the SaaS company to respond to the HTTP requests for free, but you still have for-profit factories producing servers...
  9. No. I used both of them when migrating from LastPass, and found that Bitwarden only supports four or five types of entries, which ultimately drove me away from the product.

    The rich entry types from 1P and LP are nearly all converted to Notes in Bitwarden. Great product otherwise.

  10. That's the endgame I see.

    Oligarchy. Kleptocracy. Morons cheering because they're deluded enough to believe that the definition of "pork" is when the government transfers money directly to lower and middle class via paychecks.

    Congress will authorize contractors to do these jobs instead. We get back privatized versions of the old government services at a higher price, and the money goes into the bank accounts of the rich.

    I'd like to read the CBO report on what this shit will actually cost over ten years.

  11. It's currently accessible to law enforcement via the law-abiding manufacturer acting as sole custodian. I don't see how this makes any difference.
  12. That counts as begging from my point of view.

    > Good luck getting data this easily from any other major manufacturer

    This is an industry-wide problem.

  13. The problem isn't that the owner didn't get the data. The problem is that the method for getting the data is that you must beg Tesla for it, rather than just slurping it out of a USB port inside the car.

    If Tesla is going to go to the trouble of uploading all this shit to the cloud anyway, the least they can do is give customers a no-questions-asked download button.

  14. I'd recommend any good sound device that connects digitally, like USB or HDMI/Displayport.

    So the answer is that you should get a dedicated sound device, but don't bother looking for an internal card. External devices are easier to connect, won't complicate upgrades, and can be attached to a different machine with less work.

    Onboard has always been good enough, it's just that people are usually willing to accept trash.

  15. > not having a mouse plugged in will mean you have no mouse cursor when remoting in.

    Parsec has a setting to fix that too. Look in the host options.

  16. It is the height of irony to me that a blog post complaining about clickjacking is presented on a website that is guilty of scrolljacking.
  17. We've got similar opinions here. I'm just pointing out that the overall experience here feels familiar, and it wasn't until reading this thread that I really put it together.

    I agree with you that I'd be surprised if Enshittification works as well here as it does in tech, but maybe since there's an app involved, they just think they can get away with it. Who knows.

  18. > they also removed the best deals from the app

    They've captured the user base with the money that corporate was pumping into the app deals, and are in the process of enshittifying it by transferring the value to themselves instead of the users.

  19. I will sadly admit that the high price of fries only angers me when they're not fresh.
  20. > The development environment where I'm downloading random libraries is on a completely separate physical machine than my primary computer. I generally spin up a short-lived container for each new coding project, that gets deleted after the resulting code I produce is uploaded somewhere. This is completely separate from the work-supplied machine where I hack on my employer's code.

    Something like VS Code remote dev with a container per project? Just plain docker/podman for containers?

    > On my primary computer, my web browser runs in an ephemeral container that resets itself each time I shut it down. My password manager runs in a different, isolated, container. Zoom runs in a different, also isolated, container. And so on.

    Qubes, or something else? I've been looking at switching to Linux for a while, but Apple Silicon being as good as it is has made making that leap extremely difficult.

  21. > my personal threat model ranks a compromised device ... much higher likelihood than me personally falling victim to phishing

    I completely understand that. I'd actually be interested in reading anything practical you might have on that topic if you don't mind. I asked some experts who gave a talk on supply chain security last year ... they didn't have a lot of positive things to say. Developing software feels like playing with fire.

  22. > you can order ahead and your food is ready when you arrive

    That just sounds like a great way to get cold McDonald's...

    > I think additional user data is a relatively minor part of it.

    You're probably right about that, but I've always undervalued user data because I don't think it's ethical to exploit people like that.

    I'm sure that a well-timed push notification suggesting a personalized meal deal right around hungry-o'clock is the real goal of pushing this stupid app on their customers.

  23. > I wasn't aware that WebAuthn didn't have this requirement. I prefer TOTP because I actually like having a second factor in addition to a credential stored on my computer's hard drive (whether a password or a private key in my password manager), but I might be willing to reduce my security posture to get rid of this annoyance.

    I've seen passkeys support something like what you're after. The browser will produce a QR code you scan with your phone, and then you authenticate with the passkey via the phone, which then authorizes the original browser.

    I'm not absolutely certain that this is part of the spec or how it actually works. I'd like to know. It solves a couple different usability issues.

    You could always use something like a Yubikey.

  24. A lot. MCD corporate seems determined to get on the user data gravy train, and appears to be subsidizing it for the franchisees.

    Three large fries ordered at the counter costs over ten dollars.

  25. Unfortunately, yes. Drugs are well-known to be the only product for which cash is an acceptable form of payment. The utility of hard currency really took a hit when all the hookers moved to Venmo.
  26. Dollar bills are usually in terrible condition. Folded corners, creases, dirt. Ten singles take up more space in my wallet than just about anything else I'd put in there.

    I'd rather have ten coins. They'll easily fit in the bottom of my pocket, and when I pull out change there's likely to be a useful amount of money in it.

  27. > Restricting arbitrary downloads from curl, wget or bash (or better, any binary) makes these attacks pretty much useless.

    Any advice on what that looks like for a Docker container? My border firewall isn't going to know what binary made the request, and I'm not aware of per-process restrictions of that kind.

  28. That's a popular architecture, but I personally wouldn't run part of the application stack (HAProxy) on my network firewall, and would instead opt to move it to the media server.

    Suppose you have the media server in its own VLAN/Subnet, chances are good that the firewall is instrumental in enforcing that security boundary. If any part of the layer-7 attack surface is running on the firewall... you probably get the idea.

  29. > TIP - To insure prompt service

    FYI, this backronym is nonsensical. It would only make sense if the gratuity were paid in advance, and then again only were it called a "tep," to ensure promptness.

  30. > I wonder what the market for throwaway phone number verification is worth.

    I pondered this recently, and it seems to top out at a couple bucks per shot.

    The problem is that the phone number tends to need to be persistent for the sake of security. You can't typically sign up for something that requires a phone number and then expect to be able to keep the account safe without maintaining exclusive access to that number.

    I'm sure if it were cost effective, one of the password managers would have some kind of SMS integration, like Apple's hide my email, but for phone numbers.

This user hasn't submitted anything.