Hacker News | gnyman's comments

When did Chrome go from the most secure browser to there being an exploit chain giving RCE by visiting a malicious website every second month? (The last ones I recall were CVE-2024-4761 and -4671.)

Or maybe it was never really secure and it was just good marketing?


Chrome has the most vulnerabilities because it's the largest browser by market share by a mile, and so has the greatest number of eyes on it. You also can't extrapolate "it was never really secure" from that: practically all software has bugs, especially multi-million line codebases like Chrome. Relative to the average C++ program Chrome is exceedingly secure, and likewise Chrome has been constantly on the cutting edge of introducing new security mitigations. "Is it secure" is not a binary property.


It can be a binary property if you define security as a proof of absence of runtime errors which is possible to achieve today.


This isn’t really possible to achieve.


It's possible. You can prove absence of runtime errors with Ada/SPARK (which uses theorem provers).


The bar for Chrome was IE at the time, and it beat that.

I think it's also partly Google's very open culture on CVEs that means they are discovered and reported on promptly. It's difficult to tell how much it's just increased awareness that browsers are full of holes and whether the holes are increasing in size/frequency tbh.


> The bar for chrome was IE at the time, and it beat that.

I would say there were three trends that happened at the same time that really made a difference:

- People now actually update their web browser, and yes, started to ignore the browser vendor that wasn't shipping them (IE). Driveby download exploits started to disappear.

- Flash and Java went from enabled by default to prompt-first. Flash was later abandoned, and IcedTea-Web / Java Web Start had its core functionality gutted in later Java versions.

- No support for ActiveX at all, unless you wanted to go for IE Frame (Chrome and IE tabs under a Chrome interface) or Chrome Frame (IE and Chrome tabs under an IE interface), which quickly faded into corporate Intranet obscurity.

All three saved us from a much worse future.


It is the most secure browser. The lifetime of these kinds of bugs is generally a few weeks to perhaps 2 months. With a high churn codebase, these things just happen. There is a lot of ongoing work to mitigate the impact of renderer bugs, such as the V8 heap sandbox.


As others said, they are quite open about vulnerabilities and CVEs.

However, Chrome is an operating system unto itself. It's more than 40 million lines of code comprising complex intertwined systems. It's a miracle there are so few CVEs.


It's all renderer-only RCEs, no sandbox escape. So it doesn't work on your browser, only if you disable the sandbox.


> I then leverage this to achieve arbitrary memory read and write outside of the v8 heap sandbox, and in turn arbitrary code execution in the Chrome renderer process.

So the code is running in a process that runs as the same user running the browser. That's no longer much of a sandbox and you're now relying on the OS to protect your data, right?


No. There is a reason the author keeps repeating "arbitrary code execution in the Chrome renderer process." Because it's there, not in the browser process.


https://github.com/github/securitylab/tree/main/SecurityExpl...

> If successful, on Ubuntu 22.04, it should launch xcalc when calc.html is opened in Chrome.

Then how does this work? It doesn't look like the provided build flags disable any sandbox that the distributed build doesn't.


You can disable it at runtime, with the --no-sandbox command line option.


No. You're relying on the OS's sandboxing features, which are much, much more granular than just "the same user running the browser."

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/d...
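The layered OS sandbox referred to above can be checked from outside the browser. The following is an added example, not Chromium code: it parses the Seccomp and NoNewPrivs fields of a Linux process's /proc/<pid>/status and reports whether a seccomp-bpf filter (Chrome's layer-2 sandbox on Linux) is in place. The two status excerpts are constructed samples, not captured from real processes, and the PID-reading helper assumes a Linux host.

```cpp
// Added example (not Chromium code): classify a Linux process's sandbox
// state from the Seccomp and NoNewPrivs fields of /proc/<pid>/status.
// A renderer under Chrome's seccomp-bpf layer shows "Seccomp: 2" (filter
// mode); a Chrome started with --no-sandbox shows "Seccomp: 0".
#include <fstream>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

struct SandboxStatus {
    int seccomp = -1;     // 0 = disabled, 1 = strict, 2 = filter (seccomp-bpf), -1 = field absent
    int noNewPrivs = -1;  // 1 = no_new_privs set, 0 = not set, -1 = field absent
    bool seccompFilter() const { return seccomp == 2; }
};

// Parse the "Key:<tab>value" lines of a /proc/<pid>/status document into a map.
std::map<std::string, std::string> parseStatus(const std::string& text) {
    std::map<std::string, std::string> fields;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string value = line.substr(colon + 1);
        std::size_t start = value.find_first_not_of(" \t");
        fields[line.substr(0, colon)] = (start == std::string::npos) ? "" : value.substr(start);
    }
    return fields;
}

SandboxStatus sandboxStatusFromText(const std::string& text) {
    std::map<std::string, std::string> f = parseStatus(text);
    SandboxStatus s;
    if (f.count("Seccomp")) s.seccomp = std::stoi(f["Seccomp"]);
    if (f.count("NoNewPrivs")) s.noNewPrivs = std::stoi(f["NoNewPrivs"]);
    return s;
}

// Live variant for a running process (Linux only): pass a renderer PID from ps.
SandboxStatus sandboxStatusForPid(long pid) {
    std::ifstream in("/proc/" + std::to_string(pid) + "/status");
    std::stringstream buf;
    buf << in.rdbuf();
    return sandboxStatusFromText(buf.str());
}

std::string verdict(const SandboxStatus& s) {
    if (s.seccompFilter()) return "seccomp-bpf filter active";
    if (s.seccomp == 0) return "NO seccomp filter (e.g. --no-sandbox)";
    if (s.seccomp == 1) return "seccomp strict mode";
    return "Seccomp field absent (kernel too old?)";
}

// Constructed sample excerpts, not captured from real processes.
const std::string kSandboxedRendererSample =
    "Name:\tchrome\n"
    "State:\tS (sleeping)\n"
    "NoNewPrivs:\t1\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t1\n";

const std::string kNoSandboxSample =
    "Name:\tchrome\n"
    "State:\tS (sleeping)\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t0\n";

int main() {
    std::cout << "sandboxed renderer: " << verdict(sandboxStatusFromText(kSandboxedRendererSample)) << "\n";
    std::cout << "--no-sandbox:       " << verdict(sandboxStatusFromText(kNoSandboxSample)) << "\n";
    return 0;
}
```

Run against a real renderer PID with sandboxStatusForPid, a normally launched Chrome reports filter mode; the same renderer started with --no-sandbox reports Seccomp 0, which is the only configuration in which the renderer-only exploit discussed above gets as far as xcalc. From inside the browser, chrome://sandbox shows the same state.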


Google trying to cram everything including the kitchen sink into chrome probably doesn't help here.

Who in their right mind thinks it makes sense to have a desktop screen sharing system... built into a browser?


It makes sense once you realise that Chrome and Google benefit from increasing the complexity of web browsers. It means that new browsers cannot feasibly compete. It's basically an arms race of "how much mental shit can we throw in there"?


I understand why they do it (I think it's probably more about pushing the idea of a browser as the thing people use for everything than competition with other browsers TBH), but I definitely wouldn't say it "makes sense".


Just used it a few days ago and it was very practical to use it instead of downloading some third party software. Since video conferencing apps are web-based it makes sense.


Can't fall behind on those javascript benchmarks.


even that was marketing


Not a book, but the Kurzgesagt series on cancer is a great start.

https://www.youtube.com/watch?v=zFhYJRqz_xk and https://www.youtube.com/watch?v=uoJwt9l-XhQ

Also, while not about cancer specifically, the book Immune by the Kurzgesagt founder Philipp Dettmer has a chapter on it and its relation to the immune system, which is very relevant for these new immunotherapies.


I don't think this is a good test. If I prefix it with "a riddle" then GPT-4 got it right for me:

"Yellow"

I think the "temperature" (randomness) of an LLM makes it so you'd need to run a lot of these to know if it's actually getting it right or just being lucky and selecting the right color randomly.


And the best part is that it allows you to write logic in C(++) if you want.

I tried Tasmota first but struggled with trying to get the rules to handle my slightly complex logic, which was that when a water level sensor triggered, it should run a pump for 15 seconds, wait 5 minutes, run 15 seconds again and repeat that x times. But with the catch that if the sensor triggered before the run was done, it should ignore that.

After reflashing to ESPHome I got it done in a few minutes in C.
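The pump logic described in that comment, written out as an added example (not ESPHome's own code and not the commenter's): a plain C++ state machine with the clock passed in, so the 15 s / 5 min / x-cycle timing and the "ignore re-triggers while busy" rule can be simulated and tested off-device. The ESPHome glue is assumed, not shown: the sketch would call trigger(millis()) from the sensor's on_press lambda and tick(millis()) from an interval: lambda, and drive the relay from pumpOn().

```cpp
// Added example (not ESPHome code): pump cycle as a testable state machine.
// Phases: Running (pump on for runMs) -> Waiting (waitMs) -> ... for `cycles`
// runs. A sensor trigger while a cycle is in progress is ignored.
#include <cstdint>
#include <iostream>
#include <vector>

class PumpCycle {
public:
    PumpCycle(uint32_t runMs, uint32_t waitMs, unsigned cycles)
        : runMs_(runMs), waitMs_(waitMs), cycles_(cycles) {}

    // Sensor event. Starts a new cycle only when idle; returns false (and does
    // nothing) if a run or wait phase is already in progress.
    bool trigger(uint32_t nowMs) {
        if (state_ != State::Idle || cycles_ == 0) return false;
        remaining_ = cycles_;
        startRun(nowMs);
        return true;
    }

    // Advance the state machine. Unsigned subtraction keeps the elapsed-time
    // comparison correct across a millis() wraparound at 2^32.
    void tick(uint32_t nowMs) {
        switch (state_) {
        case State::Idle:
            break;
        case State::Running:
            if (nowMs - phaseStart_ >= runMs_) {
                pumpOn_ = false;
                if (--remaining_ == 0) {
                    state_ = State::Idle;
                } else {
                    state_ = State::Waiting;
                    phaseStart_ = nowMs;
                }
            }
            break;
        case State::Waiting:
            if (nowMs - phaseStart_ >= waitMs_) startRun(nowMs);
            break;
        }
    }

    bool pumpOn() const { return pumpOn_; }             // drive the relay from this
    bool busy() const { return state_ != State::Idle; }

private:
    enum class State { Idle, Running, Waiting };
    void startRun(uint32_t nowMs) { state_ = State::Running; phaseStart_ = nowMs; pumpOn_ = true; }

    uint32_t runMs_, waitMs_;
    unsigned cycles_;
    unsigned remaining_ = 0;
    State state_ = State::Idle;
    uint32_t phaseStart_ = 0;
    bool pumpOn_ = false;
};

struct SimResult {
    unsigned runsStarted = 0;
    unsigned ignoredTriggers = 0;
    uint32_t pumpOnMs = 0;
    bool busyAtEnd = false;
};

// Drive a PumpCycle with a fixed tick period and a list of sensor trigger times (ms).
SimResult simulate(uint32_t runMs, uint32_t waitMs, unsigned cycles,
                   const std::vector<uint32_t>& triggerTimes, uint32_t endMs, uint32_t stepMs) {
    PumpCycle pump(runMs, waitMs, cycles);
    SimResult r;
    bool wasOn = false;
    for (uint32_t t = 0; t <= endMs; t += stepMs) {
        for (uint32_t tt : triggerTimes)
            if (tt == t && !pump.trigger(t)) ++r.ignoredTriggers;
        pump.tick(t);
        if (pump.pumpOn()) {
            r.pumpOnMs += stepMs;
            if (!wasOn) ++r.runsStarted;
        }
        wasOn = pump.pumpOn();
    }
    r.busyAtEnd = pump.busy();
    return r;
}

int main() {
    // 15 s run, 5 min wait, 3 cycles; extra triggers at 10 s (mid-run) and 100 s (mid-wait) must be ignored.
    SimResult r = simulate(15000, 300000, 3, {0, 10000, 100000}, 650000, 1000);
    std::cout << "runs started: " << r.runsStarted << ", pump on: " << r.pumpOnMs / 1000
              << " s, ignored triggers: " << r.ignoredTriggers << ", busy at end: " << r.busyAtEnd << "\n";
    return 0;
}
```

The point of passing the time in rather than calling millis() inside the class is that the whole 11-minute sequence above runs in a unit test in microseconds, and the wraparound case can be exercised by starting the clock near 2^32.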


Yes! This is one of the reasons I like them so much and support them.

They have been focused on the end goal, even if it meant having to kill the original idea that drove the initial fame and success: the automated, solar powered platform [1].

I try to remember them when I'm getting too emotionally attached to an idea. They remain pragmatic, focused on reducing the plastic in the optimal way. Even when that means doing it manually, by driving around in "dirty" ships, instead of the nice clean automated solar powered platforms they initially pitched.

Same with expanding to the rivers, where their initial (and still working) platform is an automated and solar powered one, but recently they are just putting up fences/barriers and then manually scooping up the trash with (again, "dirty") excavators.

I wish them all the luck.

[1] https://www.youtube.com/watch?v=ROW9F-c0kIQ


oh it's definitely much more than a "baseline check", it seems to be mostly the same silly rules as the real app store

for example, the developer of Clip (Riley Testut) had to add a pointless "map" function which uses the user's location in order to be allowed to run in the background

> The first version I tried used the user’s location to remain active, but was rejected by Apple. Testut then updated Clip with a Map feature — so there’s a reason for the app to remain active in the background — to receive approval.

[1] https://www.theverge.com/24100979/altstore-europe-app-market...


Riley posted the following on Mastodon about this:

Getting some Qs about Delta availability, hope this clarifies things!

• Delta is exclusive to AltStore in EU

• Because of Apple’s new dev terms, all downloads in EU cost us €0.50/yr in AltStore PAL and App Store…so couldn’t offer Delta in EU App Stores without making it paid

• App Store only supports one-time paid-upfront apps, so we’d have to pick a price that could support ~years of CTFs

• PAL’s €1.50 covers Delta’s CTF

• We’d make everything free everywhere if it wasn’t for the CTF

https://mastodon.social/@rileytestut/112299267044864020


No need to question the previous commenter's experiences. Is there really anything which is "certain" when it comes to memories?

I'm not a memory expert, but as I recently read a book on the subject I think I have better than average understanding of it. If you can read Swedish or Finnish I do recommend it, the title is "Minnets Makt" by Julia Korkman (freely translated "The power of memory", official title is "Memory Dependent")[1].

The book taught me a lot about how memories work, how they are formed, recalled and modified during the years. And as memories are a core part of everyone's life, I think it would be good for more people to understand them better.

I did find a YouTube video where the author does a short lecture meant for law enforcement to teach them the basics of how memories work. As for them it is even more important to understand how memories, especially the recall of memories, work when they interview people.

Disclaimer, I haven't watched it yet, only skimmed it but it does seem to cover the same concepts as in the book.

I recommend spending 27 minutes watching it for anyone who's curious about how memory works. https://www.youtube.com/watch?v=qSyEs6feH0M&t=442s

[1] https://www.helsinkiagency.fi/memory-dependent/


On a related topic, I wish someone would implement "user-encrypted-at-rest" to protect me from the provider getting breached.

I don't care so much for the transit, but I'm a bit worried about the fact that I have many years of emails stored in "plaintext" (quotation marks because they probably use FDE and maybe other encryption, but they can still read everything) on the provider's server.

I'm not worried about a malicious provider, but worried they might at some point make a mistake which allows them to be hacked.

If anyone knows any solutions for this that work on iOS/Mac I'd love to hear.

The only thing I've found on this is some research a few years ago with ideas how to do this; but I haven't seen any implementations of it. I've linked to it here: https://www.cs.columbia.edu/~koh/papers/koh-eurosys19-e3_eas...


Download all the emails from the server.

Create a backup dump file from your email client. Encrypt that with any program you like. Upload to eg Google drive.

Verify the backup and then delete all the server-side copies of your emails.


Proton does this.


That's actually the Protonmail feature that is causing the problem.


Not really, grandparent is asking about what we call "zero access encryption" [1]: encryption at rest of received and sent emails, without the provider having access to the keys (unlike typical "encryption at rest", which doesn't give you much).

Instead, OP is talking about outgoing end-to-end encryption using public keys from keys.openpgp.org.

[1]: https://proton.me/blog/zero-access-encryption


I'm quite sure you still need a phone number to sign up? After that you can hide it but not get rid of it.

Still, the fact that you can use it without disclosing your phone number to anyone except Signal is indeed useful and an improvement from before.

https://support.signal.org/hc/en-us/articles/6712070553754-P...

