he pretty explicitly states that AES 128 is not in any imminent danger and mandating a switch to 256 would distract from the actual thing he thinks needs to happen.
So why argue about whether AES-256 is worth it if we can just literally replace those 3 characters and be done with the upgrade? This was the smart move already in 2001 when Shor's algorithm was known and computers fast enough that we don't notice the difference. At least to me, it seems like less bikeshedding will be done if we abandon AES-128 and don't have to deal with all the people left wondering if that's truly ok
Then again, something something md5. 'Just replace those bytes with sha256()' is apparently also hard. But it's a lot easier than digging into different scenarios under which md5 might still be fine and accepting that use-case, even if only for new deployments
There's a whole lot of cases where the tokens are temporary in nature with an easy cut-over, either dropping old entries or re-encrypting while people are not at work. We tend to think of big commerce like amazon or google that need 24/7 uptime, but most individual systems are not of that scale
In most other cases you increment the version number for the new data format and copy-paste the (d)e(n)cryption code for each branch of the if statement, substituting 128 for 256. That's still a trivial change to substitute one algorithm for another
Only if there exists no upgrade path in the first place, you have a big problem upgrading the rest of your cryptography anyway and here it's worth evaluating per-case whether the situation is considered vulnerable before doing a backwards-incompatible change. Just like how people are (still) dealing with md5
I'm working on just that in some IoT context, and a lots of chips I have to deal with only have hardware support for AES-128, so it's a little more complicated...
You can’t just throw “Grover’s algorithm is difficult to parallelize” etc. It’s not same as implementation, especially when it gets to quantum computers. It’s very specialized.
The page isn't allowed to know what extensions you have, instead LinkedIn is looking for various evidence that extensions are installed, like if an extension was to create a specific html element, LinkedIn could look for evidence of that element being there.
Since the extensions are running on the same page as LinkedIn (some of them are explicitly modifying the LinkedIn the website) it's impossible to sandbox them so that linked in can't see evidence of them. And yes this is how a site knows you have an ad blocker is installed.
However, there are other proof of concept of another attack vector to bypass this by using timing difference when fetching those resources.
I help maintaining uBO's lists and I've seen one real world case doing this. It's a trash shortener site, and they use the `web_accessible_resources` method as one of their anti-adblock methods. Since it's a trash site, I didn't care much later.
I have had to repeatedly attest to my insurance that treatments and meds for my 6 year old son with a genetic condition is not work related. My 6 year old who I will point out is unemployed. Usually it's just a popup screen but occasionally it's a scary letter that threatens to not pay for surgery if not properly filled out.
In theory you only need to trust the hardware to be correct, since it doesn't have the decryption key the worst it can do is give you a wrong answer. In theory.
You can if the manufacturer has a track record that refutes the notion, and especially if they have verifiable hardware matching publicly disclosed circuit designs. But this is Intel, with their track record, I wouldn't trust it even if the schematics were public. Intel ME not being disable-able by consumers, while being entirely omitted for certain classes of government buyers tells me everything I need to know.
I encrypt some data and keep the key. I send the encrypted data to you (probably some cloud provider). I tell you to do some operations on the data. I don't tell you the key or what the data is or what the operations mean. You send the results back to me. I use the key to decrypt them.
You have helped me with my compute task, but the data you have is totally meaningless without the key, and only I have the key.
It's hard to believe that it's possible to make encryption where this can do useful work, but it is.
Usually the 'look' is not the issue as much as the geocoder (which you are only allowed to use with a google basemap, no that clever idea you have isn't going to work), like clients are often excited to use a more customizable basemap but balk when it comes to other geocoders which are nice but are not the google one which people really really are used to.
Yeah this was a major problem for us as well. Luckily we can just replace the map, and we'll continue to use the Geocoder and address lookups elsewhere. Its kind of crazy how much better it is with "newer" US addresses vs everything else we've tried.
not OP but the google maps API doesn't actually support other vector tiles (and other map libraries are not allowed to use the google map basemap) which means it's not easy to just have two versions of the site that differ only in basemap
In your example crypto would only replace the visa network. Most of the fee you are playing is to Airbnb for getting you the client in the first place.
Correct, but these fees are trending up and not down, its not uncommon in this space to see payment fees hitting 15%. Removing the primitives of payment requirements, rails which are hard to build and practicably a monopoly, would free the state, this would power end-users instead of building more monopolies.
Actual payment fees are hitting a couple % max, all the rest is platform fees which are orthogonal to how you are paying. If you sell something through airbnb, they will get a cut no matter how you pay.
Credit card fees are a great deal for consumers even when they are added as a surcharge or there is a cash discount. Not having to deal with cash AND being able to dispute transactions are significant benefits.
A Veteran health ID card is a government issued photo id card used to prove your identity with the government to get health care, why wouldn't it be allowed for proving your identity with the TSA.
It's because technically the dollar is divided into Dimes, Cents, and Mil. (this is why dimes say 'One Dime' on them instead of 'Ten Cents'.
So while the mil isn't really used anywhere else that regular people see any more due to inflation, it is a valid division of the dollar and that's why they are able to get away with it.
> (this is why dimes say 'One Dime' on them instead of 'Ten Cents'.
No, it's purely stylistic. We tend to spell out denominations on coinage and "dime" is just the American spelling of disme, meaning a tenth.
The capped bust dime from 1809-1839 had "10 C." rather than "One Dime". Similarly, the capped bust quarter said "25 C." instead of the modern "Quarter Dollar", the half dollar said "50 C." rather than the later "Half Dollar" and the half dime said "5 C." rather than the later "Half Dime."
Most of the 18th century and early 19th century coinage, besides half pennies and pennies didn't have their denomination written on them at all.
There is no such decipence division in the UK, but fuel is still sold with a vestigial .9 pence on the end. In fact, since the denomination is per litre, not gallon, the .9 is about 4 times more significant.
When the final calculation of XX.YYY litres * AAA.9 pence/litre is done, it's then rounded off to 1 pence.
They're allowed to get away with it because of a dysfunctional lobbying driven government. Mils don't exist in the common knowledge and if any reasonable person looked at this they'd call it out. It is useful in accounting but a Mill has never been minted and the last half penny was minted in 1857. It has never been possible using issued physical legal tender in the US to pay a debt of $3.129
The Mill doesn't exist because of some archaic need - it's pure dysfunction and the utilization of it in gas prices is a practice that should and very easily could be made illegal.
Yes, the "Mill" discussion looks to be totally irrelevant. [1] and [2] seem to back up my claim that, at least in modern times, it's purely a "just-below pricing" psychological trick and has nothing to do with the Mill unit.
$4.999 looks a lot smaller than $5.00 to everyday people and it makes the gas company more money than $4.99. That's all there is to it.
So do whatever they do with mils but for the penny too. They don’t nor have they ever minted a mil coin, so the procedure for this is already well established if this is correct.
reply