valaramech

@valaramech@fedia.io

valaramech, to Technology in Cloudflare's recent blog regarding polyfill shows that Cloudflare never authorized Polyfill to use their name in their product

Direct linking via a specific CDN was the problem. This is solved by bundlers, not caused by it.

The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. ... However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.

valaramech, to Technology in The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites

In my experience, first-party JavaScript is more likely to be updated so rarely that bugs and exploits are more likely than supply chain attacks. If I heard about NPM getting attacked as often as I hear about CDNs getting attacked, I'd be more concerned.

valaramech, to Technology in The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites

I actively do this with uMatrix - granted, I only block non-first-party JavaScript. Most sites I visit only require a few domains to be enabled to function. The ones that don't are mostly ad-riddled news sites.

There are a few exceptions to this - AWS and Atlassian come to mind - but the majority of what I see on the internet does actually work more or less fine when you block non-first-party JavaScript and some even when you do that. uMatrix also has handy bundles built-in for certain things like sites that embed YouTube, for example, that make this much easier.

Blocking non-first-party like I do does actually solve this issue for the most part, since, according to the article, only bundles that came from the cdn.polyfill.io domain itself were the problem.

valaramech, to politics in White people must take responsibility for dismantling white supremacy in America

Closes the current tab

valaramech, to News in Trump floats eliminating U.S. income tax and replacing it with tariffs on imports

valaramech, to Ask Lemmy in Fraudsters of Lemmy, how would you commit fraud if governments embrace cryptography

In this theoretical system, ideally it's illegal for anyone other than the person who's supposed to have the private key to have it - excepting some subset of legal reasons (e.g. parents for their children). So, the only business that would be asking for people's private keys are the kind that are already operating outside of the law.

valaramech, to Ask Lemmy in Fraudsters of Lemmy, how would you commit fraud if governments embrace cryptography

This is no longer the case. Any SSN issued after 2011 is fully randomized.

Additionally, the following SSNs are always invalid:

  1. Any SSN with "000", "666", or "900"-"999" in the former area number
  2. Any SSN with "00" as the former group number
  3. Any SSN with "0000" in the former serial number.
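
The three "always invalid" patterns listed in the comment above, as an added example (my code, not the commenter's): a small Python checker that a data-hygiene job could run over stored records to flag entries that cannot be real SSNs. The function names and the sample records are constructed for the demo; the only rules it encodes are the ones the comment states, so a number that passes is merely plausible, not known to be assigned.

```python
import re

# Former "area" values the comment lists as never valid (plus the 900-999 band).
INVALID_AREAS = {"000", "666"}

def parse_ssn(ssn: str):
    """Split 'AAA-GG-SSSS' or 'AAAGGSSSS' into (area, group, serial); None if malformed."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", ssn.strip())
    if not m:
        return None
    return m.groups()

def ssn_rejection_reason(ssn: str):
    """Return why the number can never be a valid SSN, or None if it passes the listed rules."""
    parts = parse_ssn(ssn)
    if parts is None:
        return "malformed"
    area, group, serial = parts
    # Rule 1: area 000, 666, or anything in 900-999 (string compare is safe: all 3 digits)
    if area in INVALID_AREAS or "900" <= area <= "999":
        return "invalid area"
    # Rule 2: group 00
    if group == "00":
        return "invalid group"
    # Rule 3: serial 0000
    if serial == "0000":
        return "invalid serial"
    return None

def is_plausible_ssn(ssn: str) -> bool:
    return ssn_rejection_reason(ssn) is None

def scan_records(records):
    """records: iterable of (record_id, ssn). Returns [(record_id, reason), ...] for rejects."""
    rejected = []
    for record_id, ssn in records:
        reason = ssn_rejection_reason(ssn)
        if reason is not None:
            rejected.append((record_id, reason))
    return rejected

# Constructed sample records; none of these are real numbers.
SAMPLE_RECORDS = [
    ("r1", "123-45-6789"),   # passes every listed rule
    ("r2", "000-12-3456"),   # area 000
    ("r3", "666-12-3456"),   # area 666
    ("r4", "912-34-5678"),   # area in 900-999
    ("r5", "123-00-4567"),   # group 00
    ("r6", "123-45-0000"),   # serial 0000
    ("r7", "12345"),         # wrong shape entirely
]

if __name__ == "__main__":
    for record_id, reason in scan_records(SAMPLE_RECORDS):
        print(f"{record_id}: {reason}")
```

Because post-2011 numbers are randomized (as the comment says), the area field no longer tells you where a number was issued, so a checker like this should only ever be used to reject impossible values, never to infer anything about the holder.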

valaramech, to Ask Lemmy in Fraudsters of Lemmy, how would you commit fraud if governments embrace cryptography

That's kinda backwards, isn't it? If I want to verify my identity to a company, they would send me something that only I could decrypt. Some government agency provides all the public keys of all citizens, the company takes my public key, encrypts some secret with it, sends it to me, and asks me to decrypt and return it. If I'm able to do so, I must be who I say I am otherwise I would not be able to decrypt the secret.

In an ideal world, the company (or, even better, the employee) would have a similar certificate that I could use to encrypt my response with.
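
The exchange the comment describes, as an added example that is not part of the original post: a government registry publishes public keys, the company encrypts a fresh secret to the claimed citizen's key, and the citizen proves possession of the private key by returning the plaintext. The Registry and Company classes, the citizen names, and the key material are all constructed for the demo; the RSA primes are tiny textbook values chosen only so the arithmetic is visible, so this illustrates the protocol flow and is not usable cryptography. One practitioner's caveat, which the comment does not address: production identity schemes normally have the holder sign a nonce rather than decrypt a chosen ciphertext, because a service that will decrypt arbitrary inputs on request is a decryption oracle for anyone who can reach it.

```python
import secrets

# Toy RSA keys (constructed; primes far too small for real use).
def keygen(p, q, e=17):
    """Textbook RSA from two primes; returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

class Registry:
    """Stand-in for the government agency that publishes every citizen's public key."""
    def __init__(self):
        self._keys = {}

    def register(self, citizen_id, pub):
        self._keys[citizen_id] = pub

    def lookup(self, citizen_id):
        return self._keys[citizen_id]

class Company:
    """Relying party: issues an encrypted secret and checks the returned plaintext."""
    def __init__(self, registry):
        self.registry = registry
        self._pending = {}       # citizen_id -> secret awaiting a response

    def challenge(self, citizen_id, secret=None):
        pub = self.registry.lookup(citizen_id)
        n, _ = pub
        if secret is None:
            secret = secrets.randbelow(n - 2) + 2   # fresh per challenge; skip trivial 0 and 1
        self._pending[citizen_id] = secret
        return encrypt(pub, secret)

    def verify(self, citizen_id, response):
        expected = self._pending.pop(citizen_id, None)  # single use: a replay finds nothing pending
        return expected is not None and response == expected

def citizen_respond(priv, ciphertext):
    """The citizen's side: decrypt with the private key and hand the plaintext back."""
    return decrypt(priv, ciphertext)

def run_exchange(company, citizen_id, priv, secret=None):
    """Full round trip; True only if priv matches the registry's key for citizen_id."""
    ciphertext = company.challenge(citizen_id, secret)
    return company.verify(citizen_id, citizen_respond(priv, ciphertext))

if __name__ == "__main__":
    registry = Registry()
    alice_pub, alice_priv = keygen(61, 53)      # n = 3233
    registry.register("alice", alice_pub)
    _, mallory_priv = keygen(47, 59)            # a different key pair, not in the registry
    company = Company(registry)
    print("alice with her own key:        ", run_exchange(company, "alice", alice_priv))
    print("mallory claiming to be alice:  ", run_exchange(company, "alice", mallory_priv))
    print("replaying a stale response:    ", company.verify("alice", 42))
```

The single-use `_pending` entry is what makes a captured response worthless to a later claimant; without it, anyone who observed one plaintext could answer the same challenge again.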
