I think just making any significant change to one's diet can, in the short term anyway, have noticeable positive effects, especially depending on what the previous diet looked like. But over time those effects tend to level off and eventually turn into net-negative consequences from whatever's being restricted out. I can definitely see that being the case for a prolonged potato-only diet.
I also think the best long term strategy is to focus first on eating plenty of nutrient dense, minimally processed foods which will naturally tend to crowd out the junk. Junk being anything consisting mostly of the cheap subsidized ingredients like wheat, corn, and soy.
Maybe I'm missing something in the description of the exploit, but don't sites that use email address during account creation typically send some sort of link/code to the provided email to verify ownership? So does this vulnerability assume the attacker has access to the victim's email? If that's the case it seems like "pre-hijacking" would be the least of concerns.
- the hacker signs up with xxxx@gmail.com via the normal email/pass way
- the email arrives in xxxx's mailbox but it is ignored (might even be flagged as something they don’t read anyway because, for now, it’s an unknown service)
- the user, at some time in the future, goes to the site and signs up (they think) by clicking ‘sign up with Google’
- the site now merges the former account with the latter and signs in the user; because they are signing in with Gmail, there is no email link that has to be clicked
The site’s (erroneous) db entry is now a validated (via sso) account with a manual password; the hacker can now log in with the password they set in the first place while the real user logs in via the Google sso link.
> the email arrives in xxxx's mailbox but it is ignored (might even be flagged as something they don’t read anyway because, for now, it’s an unknown service)
Most services don't even offer a way to resolve this.
There is never a "this email does not belong to the person who created the account and should be detached from it" link.
Those who do, don't have a way to prevent it in future.
The same guy keeps using my email address as their recovery email for Gmail every few days. And I have to detach it again and again. Amazing spam by Google. Nobody can do anything.
I'm curious, have you ever tried contacting that guy and explaining that he shouldn't use your email address?
This design seems like a surprising oversight on Google's part. The correct design is to only add the recovery account if a verification link is clicked (which is in fact what they do for enabling mail forwarding). That way you could simply create a filter to mark the requests from that guy as spam. However, being the recovery address of this guy doesn't seem like such a serious problem – it should be relatively easy to filter the emails that Gmail sends to recovery accounts (something like "from:no-reply@accounts.google.com <guy's email address>").
We simply have both a status (not verified) and a type (password) field; so a type sso login or signup will never encounter a type password record, and a not verified record will never let you get logged on. Then we purge not verified records every few days.
I would expect a phone number link request at that point for suspicious activity, which actually is suspicious this time. And that is assuming it's even possible to deactivate the account without going into a black hole phone tree which is what I expect these days. Even if you successfully deactivate it, a service you aren't using now has data on you that won't ever actually be deleted. Trying to fix it feels like it's almost playing into the scammer's hands.
Yes this is so annoying! I think it also sometimes happens when email addresses are communicated through speech instead of writing.
Though I tend to just block the sender domain (because they're always from services that I'm never going to use anyway) and ignore the email just on the off-chance that someone is trying to scam me in some weird way. (Plus I really just don't care enough to deal with it unless the email is clearly important or sent by an actual person)
I've stuck to using only email logins simply for less reliance on google (or any other specific service) and getting unique logins for every new service. I'm glad there's now a security benefit attached to it as well, even if I would have never imagined it myself.
It used to be standard for signup forms to include only the email address. It was thought to decrease friction. At some point, someone decided it was better to ask for a password upfront, then it became the new standard.
Is your email address something like [fullname]@gmail.com? Because in that case it's more likely that someone is either confused about their own email address or just made a typo and left out the number they put after the name they happen to share with you.
It is in the form of [fullname]@gmail.com. It got so bad to the point that I called the guy and we spoke. Now when I see an email from an org in his state, I automatically forward it to him. My email for instance is firstlast@gmail.com, his is firstllast@gmail.com and he forgets to put the 'l'.
I haven’t read the actual report, but I would imagine a scenario like this would be possible:
1. Mallory registers an account for alice@example.com using a password.
2. Alice receives an account activation email, but doesn’t do anything about it.
3. At a later date Alice registers an account on the service using a social login/SSO (e.g. Google, GitHub).
4. Alice properly activates the account (may or may not be required, depending on the service).
5. The service merges the password account together with the SSO account since they have the same email.
6. Mallory can access Alice’s account with their original password from step 1, while Alice continues to use social login, unaware they also have a password set.
Took me several reads to fully understand this, but it actually is concerning since there is no user error required here. Although it is a little unlikely and hard to pull off.
> Although it is a little unlikely and hard to pull off
As always with this kind of attack they are not targeting specific individuals, they probably do this to millions of accounts and periodically check if they can login to any.
Not really. It’s become a design trend to send a confirmation email but then not require it. Part of reducing user signup friction. Then later you might prompt or push the user to confirm or mark users with unconfirmed emails as a higher abuse risk.
No, many sites let you continue to use your account _before_ you validate your email address.
They let you configure settings and explore before the address is validated. An attacker can use this to poison an account without ever having access to the actual email address.
Read further down. It's about the merging of an SSO account with an email account, where the email address is the same.
django-allauth is an excellent Python package, for example, that has put a lot of effort into such things, but I can see how plenty of websites roll their own auth code and make a mess of the complexity that is user accounts.
Most sites go through something like Sign Up > enter email and password > account is created, inactive > send email verification.
If you then log in with SSO using the same email, the existing inactive account, with its password, is merged into the new account, which doesn't require email verification anyway. Furthermore, people logging in with SSO don't usually check or even know about the password, they only use SSO.
With this flow, an attacker knowing your email gets to choose your password, if they can guess a site that you want to SSO login to, but haven't yet.
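The pre-hijacking flow described in this thread (an unverified password signup silently merged into the victim's later SSO login) next to the status-plus-type mitigation a commenter described above, played out in a small in-memory model. This is an added example, not code from any commenter or from django-allauth; the Account fields, class names, plaintext password field and purge policy are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

@dataclass
class Account:
    email: str
    kind: str                       # "password" or "sso": how the record was created
    verified: bool                  # ownership proven by link click or SSO assertion
    password: Optional[str] = None  # hypothetical plaintext field; a real store keeps a hash
    created: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

class VulnerableService:
    """Merges any same-email record into an SSO login and keeps its old password."""
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
    def signup_password(self, email: str, password: str) -> None:
        self.accounts[email] = Account(email, "password", False, password)  # unverified
    def login_sso(self, email: str) -> Optional[Account]:
        acct = self.accounts.setdefault(email, Account(email, "sso", True))
        acct.verified = True  # SSO "validates" the address; Mallory's password survives
        return acct
    def login_password(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and acct.verified and acct.password == password

class HardenedService(VulnerableService):
    """Status + type fields: SSO never inherits a password record, unverified never logs in."""
    def login_sso(self, email: str) -> Optional[Account]:
        acct = self.accounts.get(email)
        if acct is not None and acct.kind == "password":
            if acct.verified:
                return None  # owner proved this password account; no silent merge
            del self.accounts[email]  # unverified claim by someone else: discard it
        return self.accounts.setdefault(email, Account(email, "sso", True))
    def purge_unverified(self, max_age_days: int) -> int:
        """Drops unverified records older than the cutoff; returns how many went."""
        cutoff = datetime.now(timezone.utc) - timedelta(days=max_age_days)
        stale = [e for e, a in self.accounts.items() if not a.verified and a.created < cutoff]
        for e in stale:
            del self.accounts[e]
        return len(stale)

def run_scenario(service: VulnerableService) -> bool:
    """Replays steps 1-6: True if Mallory's step-1 password still opens Alice's account."""
    service.signup_password("alice@example.com", "mallory-chosen")  # step 1; mail ignored (2)
    service.login_sso("alice@example.com")  # steps 3-5: Alice signs in with SSO, merge happens
    return service.login_password("alice@example.com", "mallory-chosen")  # step 6
```

`run_scenario(VulnerableService())` returns True and `run_scenario(HardenedService())` returns False, because the hardened service discards the unverified password record instead of promoting it.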
Does higher measured brain activity for one task relative to another performed by the same individual conclusively mean that task is "better", or maybe just that individual is more efficient/practiced/comfortable with the other task?
Not discounting your experience, but we have clients in all three, and our own experience is that Azure support and service is _significantly_ better than AWS and GCP, to the degree that we primarily recommend Azure for that reason.
Interesting to see that many of the predictions weren't far off.
But one recurring prediction that was notably wrong was of Microsoft's declining prospects. It would have been difficult at the time to argue otherwise, but WOW did things turn out differently.
Check the New York times reporting on Fred Trump and Donald Trump. It is clear to elites that just outright breaking tax law has no repercussions. More and more wealthy people are understanding this, and will not pay or will underpay taxes.
It's critical that taxes be enforced uniformly and in every case.
I recall ditching a relatively high-end router a year or two ago after a firmware update required me to accept that in order to use most of the advanced features supported by the router, essentially all of my household's web activity would be sent to a 3rd party data collection service. Thanks but no thanks.
Two things to look for when selecting olive oil at the supermarket - a dark glass bottle, and a harvest date printed on the label. Granted, this doesn't guarantee you're getting a high-quality, non-blended EV olive oil, but without these you most assuredly are not.
Don't go to a supermarket to get good olive oil in the US. There are a few small stores scattered around that sell good olive oil.
Dark glass is cheap and so cheap oil at a premium price comes in a fancy dark bottle. You are paying for the fancy bottle (which doesn't cost much more than a cheap plastic bottle of the same stuff - profit)
A harvest date is useful if you can find one, but doesn't really mean quality. If the date is more than 3 months ago it means subpar though which is something.
This isn't strictly true - you can get good, real extra virgin olive oil at, say, Whole Foods, but it's gonna be from California. Tinted glass keeps UV light from degrading the product, similarly to why no decent beers come in clear glass.
You're completely correct about getting good imported olive oil from a supermarket though, absolutely.
The main thing about the dark glass bottle is that UV damages olive oil making it taste worse. If your olive oil is in a container that lets in UV you're guaranteed that the manufacturer doesn't give half a hoot about quality.
I'm a bit skeptical of claims like this. All standard transparent soda lime glass is opaque to short wavelength UV (UV-B and UV-C) but is in fact transparent to long wavelength UV (UV-A) (transmission drops off rapidly under 350nm). However, what tinting is actually being employed in any particular bottle and how effective is it at blocking long wavelength UV? To be sure, there are some tinted glasses that are effective at blocking long wavelength UV, but can the consumer identify those by sight? Amber glass is meant to be pretty good at blocking UV, presumably UV-A since regular glass will block UV-B and UV-C, but amber glass seems to be a fairly complex formulation and it's not clear to me if some formulations are more or less effective than others. Beer sold in clear glass is relatively rare, but green glass isn't particularly uncommon and from what I can tell ferric ion green glass doesn't seem to block UV-A any better than clear glass. Green glass made with didymium is often used as UV filters, but I don't think that's used in beer bottles.
I suspect tinted glass has more to do with marketing, consumer expectations (and maybe cargo cults) than UV protection.
(Also, what brand is in the habit of leaving their bottles of EVO sitting out in sunlight instead of in warehouses, in shipping containers, in stores, etc? When you avoid direct sunlight and electric arcs, the UV threat should be minimal.)
Even though I've given in to using the "automated schema updates", or migrations, approach (Technique 1 in the article), I'm still uncomfortable with the idea of the application tier having permission/ability to manage database schema and execute DDL. I feel that it removes a key layer of defense-in-depth, and opens up the possibility for bugs and exploited vulnerabilities in application code to have hugely negative impacts.
Even ORMs make me nervous for similar reasons, since they essentially enable the application tier to pass into the database any/all queries and DML. But like migrations, I allow ORMs for the convenience they provide during development.
The live application serving traffic does not need to have DDL permissions. The migration code can live in the same code base/application, but can be executed as a separate task with escalated privileges.
Ideally, the same build should be used in every environment, and all the configuration such as db endpoint, username and password must be external to the build and fed from the environment. The migration command can be a part of the application, but only invoked automatically in the dev environment. Most ORMs allow you to configure whether schema initialization happens at startup or not.
During deploy, the migration part can be executed separately in the prod environment, before the actual deploy. Different tools provide different "hooks": e.g. Heroku has a release phase (https://devcenter.heroku.com/articles/release-phase); in Spinnaker you can add a separate stage for db migrations: https://blog.spinnaker.io/deploying-database-migrations-with..., which can use a different db user. In this case, migration functionality is disabled at startup in the production environment and the runtime db user need not have DDL privilege, because by the time it starts up, the migration phase must have finished.