Mathias Karlsson (Hacker News, Slashdot):
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.
[…]
I reported this to LastPass through their responsible disclosure page and the report was handled very professionally. The fix was pushed in less than a day(!), and they even awarded me with a bug bounty of $1,000.
[…]
Should we stop using password managers? No. They are still much better than the alternative (password reuse).
Although, taking a second to disable autofill functionality is a good move because this isn’t the first autofill bug we’ve seen, and I doubt it will be the last.
xpx777:
Disclosure: I work for AgileBits, makers of 1Password.
For browser extensions, the URL constructor would be even easier [for parsing]. (Yes, I know it says that IE doesn’t support it, but IE doesn’t have a proper extensions framework, so it’s irrelevant to this topic.)
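Added example (not from the quoted posts, and not LastPass or 1Password code): the URL constructor mentioned above, used to derive the host that an autofill decision is keyed on, beside a hand-rolled parser for contrast. The function names, the exact-host matching rule and the example.* URLs are constructed assumptions.

```javascript
// Hand-rolled host extraction (hypothetical, shown only for contrast): it treats
// whatever follows the last "@" as the host, so "@" in a path or query is misread.
function naiveHost(urlString) {
  const afterScheme = urlString.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const afterUserinfo = afterScheme.slice(afterScheme.lastIndexOf('@') + 1);
  return afterUserinfo.split(/[/?#:]/)[0].toLowerCase();
}

// Same job with the URL constructor, which separates userinfo, host, port and
// path per the URL standard. Returns null for anything that is not an absolute
// http(s) URL, so the caller can refuse to fill.
function autofillHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // unparsable input: never fill
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.hostname; // lowercased, without port or userinfo
}

// Offer to fill only when the parsed host equals the host saved with the
// credential (assumption: exact-host matching, a simplification).
function shouldOfferFill(pageUrl, savedHost) {
  const host = autofillHost(pageUrl);
  return host !== null && host === savedHost.toLowerCase();
}

// Constructed sample URLs; example.* are reserved documentation domains.
const samples = [
  'https://accounts.example.com/login',
  'https://other.example.net/@accounts.example.com/login', // "@" in the path
  'https://accounts.example.com@other.example.net/login',  // userinfo before host
  'https://ACCOUNTS.example.com:8443/login?next=/a@b',     // "@" in the query
  'javascript:void(0)',                                    // not http(s)
];

function compareParsers(urls) {
  return urls.map((u) => ({ url: u, naive: naiveHost(u), parsed: autofillHost(u) }));
}

console.table(compareParsers(samples));
```

The second and fourth rows are where the two parsers disagree; in both, the page's real host is the one the URL constructor reports.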
ProDesignTools:
The difference is that direct links to download the complete standalone/offline installers are not possible and no longer work if (only) the new approach is used. We at ProDesignTools have a long history of providing direct download links to all major Adobe software products, but now there is no way that we (or anybody) can make direct download links available for the new CC products released today (and beyond)!
[UPDATE (June 22nd @ 7pm) – We were just contacted by an Adobe Product Manager who says the company is aware of the situation and hoping to find a solution to restore direct download links and standalone installers for all tools in the new release! So we’re happy to report they are listening to customers and hearing your feedback. Please stay tuned to this page where we will keep you updated in the coming days!]
I had been using this page to get direct download links for Lightroom updates, but it hasn’t been updated in a while. I eventually found in a comment that the Lightroom 6.6.1/CC 2015.6.1 update is available here.
Matthew Green:
Today I filed a lawsuit against the U.S. government, to strike down Section 1201 of the Digital Millennium Copyright Act. This law violates my First Amendment right to gather information and speak about an urgent matter of public concern: computer security. I am asking a federal judge to strike down key parts of this law so they cannot be enforced against me or anyone else.
[…]
There’s a saying that no good deed goes unpunished. The person who said this should have been a security researcher. Instead of welcoming vulnerability reports, companies routinely threaten good-faith security researchers with civil action, or even criminal prosecution. Companies use the courts to silence researchers who have embarrassing things to say about their products, or who uncover too many of those products’ internal details. These attempts are all too often successful, in part because very few security researchers can afford a prolonged legal battle with a well-funded corporate legal team.
[…]
In the United States, one of the most significant laws that blocks security researchers is Section 1201 of the Digital Millennium Copyright Act (DMCA). This 1998 copyright law instituted a raft of restrictions aimed at preventing the “circumvention of copyright protection systems.” Section 1201 provides both criminal and civil penalties for people who bypass technological measures protecting a copyrighted work. While that description might bring to mind the copy protection systems that protect a DVD or an iTunes song, the law has also been applied to prevent users from reverse-engineering software to figure out how it works. Such reverse-engineering is a necessary part of effective security research.
Erica Sadun:
This code creates the complete .forbidAll set and then removes the local restriction.
var restrictions: AVAssetReferenceRestrictions = [ .forbidAll ]
restrictions.remove(.forbidLocalReferenceToLocal)
Interestingly, you can also pass .forbidAll without brackets in the current version of Swift and it will compile. […] I’m told that this option set syntax works because each element of an option set is itself an option set: [.forbidAll] is the same type and equal to .forbidAll. The array literal form of [.a, .b, .c] is syntactic niceness for creating an empty option set and then inserting (i.e. bitwise OR) each element.
Or you can write:
let restrictions: AVAssetReferenceRestrictions = .forbidAll.subtracting(.forbidLocalReferenceToLocal)