Hacker News: zemnmez's comments


I think what's being conflated here is that there are reasonable buyers for this kind of vulnerability, but there's no market in the truest sense. I think a correctly connected individual could well sell this vuln to a state actor or a contractor to one; but the ecosystem of bug sales to these parties has no aggregate appetite for them, thus there is nothing driving the price up. People in the market for cyberweapons want point-and-shoot vulns that have broad usage beyond a specific server for a specific company or parts for them, and ones that will last beyond a single corporation patching something. They are willing to pay such big $$$ for this that the whole market is optimized for it. The power players here would much rather buy a gun and shoot the lock off a door than a specialised set of picks that work for that lock in that building.


I apologise for my "but, actually...":

Analogue clocks like the face of Big Ben are not like digital displays, and whether they "show seconds" in the context of the meaning of this article is not, as with digital displays, down to whether there is a dedicated hand.

Unlike digital displays, the largest denomination hand on an analogue clock display contains all of the information that the smaller hands do (depending on the movement in some cases).

The easiest way to realise this is to imagine a clock without the minute hand. Can you tell when it's half-past the hour? You can. The hour hand is half way between the two hours.

Again, it depends on the movement, but it is not out of the question that your minute hand is moving once every second, and not every minute. It is down to the number of beats per unit time for an analogue display as to what the minimum display resolution is (regardless of if the movement is analogue or digital itself).


Unlike digital displays, the largest denomination hand on an analogue clock display contains all of the information that the smaller hands do (depending on the movement in some cases).

You would be surprised. When I was a kid, I sometimes used to stare at the clocks with an analog face at the train station while waiting for the train to school to arrive.

Interestingly enough the seconds hand would go slightly faster than actual seconds and at the 60 seconds the seconds hand would get stuck for a moment as if it was pushing the minutes hand and then the minutes hand would flip to the next minute.

Found a video here:

https://www.youtube.com/watch?v=ruGggPYQqHI

The description describes how they work, which seems like a mixture of digital and analog (due to the use of both cogs and relays + propagation of pulses from central to local clocks), translated:

- The seconds hand makes a revolution of 57-58 seconds and is then stuck for 2-3 seconds.

- The seconds hand is driven using 230V.

- The minutes hand gets a 12V or 24V pulse once every 60 seconds. The polarity has to swap every 60 seconds. The swapping of the polarity can be done using a relay or specially-made components.

- The hours hand is driven by the minutes hand using cogs.

Edit: more information and references here: https://en.wikipedia.org/wiki/Swiss_railway_clock#Technology


The key to this mechanism is that the stepping of the minute hand is what unlocks the second hand. Pretty clever low-tech way to keep a LOT of clocks in really close sync.

Dutch train stations used to have these too, I loved to watch them in action while waiting for a train.


On a wristwatch it's also easy - and probable - to set a minutes hand out-of-sync with the seconds, so they don't both line up at 12 at the hour.


Thanks for the video, what a silly design, especially given the Swiss reputation when it comes to clocks...


If you think of the design goals (synchronizing clocks across the train network) and the technology available at the time, the design is actually pretty clever. Knowing the exact second is not important - if the second hand actually completes a whole cycle in only 58 seconds, this is still good enough to be able to see how much of the minute has passed. Having the exact same minute on all clocks is much more important than that - especially since train departure times are usually "on the minute".


What technology wasn't invented by the time this clock was created??? And the design is bad, nothing clever about it, clocks can move their minutes hand to give the necessary indication


What technology wasn't available in 1944 (https://en.wikipedia.org/wiki/Swiss_railway_clock#Technology) compared to today? Quite a lot...


So name a single time tech and explain how the lack of it didn’t prevent other train station operators having clocks without jumping hands operating even before 1944? (not sure, but think that the minute timetable resolution was pretty universal)


>The easiest way to realise this is to imagine a clock without the minute hand.

No need to imagine it, it's been invented many years ago and it's called a perigraph. Meistersinger makes one of the nicest I've seen: https://www.relogios.pt/meistersinger-perigraph-relogio-auto...


> it depends on the movement, but it is not out of the question that your minute hand is moving once every second, and not every minute.

I think the only place where I've seen the minute hand move by the minute has been on TV, in those climactic moments where the camera zooms in on the clock and strikes a certain time. Maybe it's a trope, for emotional tension, like mines that don't explode until you step off.


> The easiest way to realise this is to imagine a clock without the minute hand. Can you tell when it's half-past the hour? You can. The hour hand is half way between the two hours.

Can I? Many analog clocks actually "tick" the second and minute hand. I've even seen some that tick the hour hand.


You literally just defined the difference between digital (binary) and analog (gradation).

A digital clock is 1:01 or 1:02. An analog clock is some tick of some range (depending on the resolution, as you abstracted), at all times.


I think a slightly better term is "discrete" vs "continuous". Some analog clocks are discrete, some are continuous. Some digital clocks operate on a resolution so fine that they appear to move continuously. It's quite lovely to find those that invert your expectations when out in the real world.


It's a bit more than that:

There are analog clocks where all hands move continuously (like when there's a second hand with no discernible beats). There are analog clocks where all hands move discretely once per second (60 BPM for all hands). There are analog clocks where the minute hand moves at 1 BPM (quantized to the floor of each minute) while the second hand does something else (perhaps discrete movement at 60 BPM, or perhaps continuous other than a pause at the top of each minute, etc.). And there are digital clocks!


You're correct, thanks for the clarification. I was going more with the colloquial understanding of the two (analog = continuous; digital = discrete) and was trying to touch on the vagueness of no true analog clock with the reference to ticks/resolution.

However, your explanation is definitely much better.


OIDC+OAuth is what most people actually want when they think of OAuth imo. The main issue here is that OAuth was not designed as an authentication protocol.
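
What "OIDC on top of OAuth" adds for a relying party, as an added example that is not from the comment above: an ID token is a signed assertion about who authenticated and for which client, and the relying party has to check its signature, issuer, audience, expiry and nonce before treating it as a login. The token minting below stands in for the provider; HS256 with a shared key is an assumption made to keep the example self-contained (real providers sign with RS256/ES256 and publish keys via JWKS), and the issuer, client ids and key are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def mint_id_token(key, issuer, client_id, subject, nonce, now, ttl=300):
    """Stand-in for the provider: a JWT whose `aud` names the client that asked for it.
    HS256 with a shared key is an assumption for self-containment only."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": client_id,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class IdTokenError(Exception):
    pass


def verify_id_token(token, key, issuer, client_id, expected_nonce, now):
    """Return the claims if `token` proves the user authenticated *to this client*;
    raise IdTokenError otherwise. None of these checks exist for a bare OAuth
    access token, which is why an access token alone is not proof of identity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h, c, s = parts
    try:
        header = json.loads(b64url_decode(h))
        # Pin the algorithm we configured; never let the token choose it (alg=none, key confusion).
        if header.get("alg") != "HS256":
            raise IdTokenError("unexpected alg")
        expected = hmac.new(key, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise IdTokenError("bad signature")
        claims = json.loads(b64url_decode(c))
    except (ValueError, UnicodeDecodeError) as exc:
        raise IdTokenError("undecodable token") from exc
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise IdTokenError("token was issued to a different client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise IdTokenError("expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (replayed or cross-login token)")
    return claims


def is_valid_id_token(token, key, issuer, client_id, expected_nonce, now):
    try:
        verify_id_token(token, key, issuer, client_id, expected_nonce, now)
        return True
    except IdTokenError:
        return False


if __name__ == "__main__":
    key = b"s" * 32  # constructed demo key
    tok = mint_id_token(key, "https://op.example", "client-a", "user-42", "n1", 1_700_000_000)
    print(verify_id_token(tok, key, "https://op.example", "client-a", "n1", 1_700_000_060))
```

The audience check is the one that separates authentication from authorization: a token the provider issued to client-b does not prove anything to client-a, even though it carries the same subject and a valid signature.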


No, Google actually runs a remote web IDE called Cider. The latest version is derived from VSCode.


At Google, people can use "Cider" which is a web browser based IDE, and they can use a "Cloudtop" which is a desktop virtual machine provisioned via Google's cloud infrastructure, as alternatives to a dedicated physical workstation.


This is absolutely because NK doesn't want to pay market rate for 0days.


Yeah, all the other sanctioned countries do a much better job at this.


What is market rate for a 0-day?


check the zerodium pricelist for a general guide: https://zerodium.com/program.html


Protection against going to jail is generally part of such a package.


In the UK, most pay tax by an even simpler method, Pay As You Earn (PAYE). The taxes are all filed by the employer, and the online website allows taxpayers to add anything else.


Before the layoffs I worked on a security checks team (“ISE Hardening”) at Google. Google requires for almost all projects that code is physically imported into the SCS; when this code touches anything at all, extremely stringent security checks run at build-time.

These checks often don’t attempt to detect actual exploit paths, but for usage of APIs that simply may lead to vulnerability. These checks can only be disabled per file or per symbol and per check by a member of the security team via an allowlist change that has to be in the same commit.

This is not perfect but is by far the most stringent third party policy I’ve seen or worked with. The cost of bringing 3p code into the fold is high.

The flipside of this is that Google tech ends up with an insular and conservative outlook. I'd describe the Google stack as 'retro-futuristic'. It is still extremely mature and effective.
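
The shape of a build-time check of the kind described above, as an added illustration written for this page (not Google's tooling): it flags API usage that may lead to a vulnerability rather than proving an exploit path, and an exemption is an allowlist entry keyed by file and check, or by file, check and symbol, read from the same tree as the sources so it only takes effect when committed alongside the code. The check table, the `function name(` symbol heuristic and the two sample files are constructed.

```python
import re
from dataclasses import dataclass

# Constructed check table: check name -> (pattern that flags a risky API, why it is banned).
CHECKS = {
    "dom-innerhtml": (re.compile(r"\.(innerHTML|outerHTML)\s*="),
                      "HTML sink; use textContent or a sanitizer"),
    "js-eval": (re.compile(r"\b(eval|new\s+Function)\s*\("),
                "code execution from strings"),
    "shell-exec": (re.compile(r"\bchild_process\.exec(Sync)?\s*\("),
                   "shell injection; use execFile with an argv array"),
}

# Symbol tracking good enough for the example: `function name(` and `const name = (...) =>`.
FUNC_DEF = re.compile(
    r"\bfunction\s+(\w+)\s*\(|\b(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s+)?(?:\([^)]*\)|\w+)\s*=>"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    symbol: str
    check: str
    reason: str


def is_allowlisted(allowlist, path, symbol, check):
    """Entries are (path, check) for a whole file or (path, check, symbol) for one function."""
    return (path, check) in allowlist or (path, check, symbol) in allowlist


def run_checks(files, allowlist):
    """files: {path: source text}. Returns the findings the allowlist does not cover."""
    findings = []
    for path, src in files.items():
        symbol = "<module>"
        for lineno, line in enumerate(src.splitlines(), 1):
            m = FUNC_DEF.search(line)
            if m:
                symbol = m.group(1) or m.group(2)
            for check, (pattern, reason) in CHECKS.items():
                if pattern.search(line) and not is_allowlisted(allowlist, path, symbol, check):
                    findings.append(Finding(path, lineno, symbol, check, reason))
    return findings


def build_passes(files, allowlist):
    """Build-time gate: any finding that is not explicitly allowlisted fails the build."""
    return not run_checks(files, allowlist)


# Constructed sample tree: one allowlisted legacy sink, one un-allowlisted shell call.
SAMPLE_FILES = {
    "ui/render.js": (
        "function renderTitle(el, title) {\n"
        "  el.textContent = title;\n"
        "}\n"
        "function renderLegacy(el, markup) {\n"
        "  el.innerHTML = markup;\n"
        "}\n"
    ),
    "tools/build.js": (
        "const child_process = require('child_process');\n"
        "function run(cmd) {\n"
        "  child_process.exec(cmd);\n"
        "}\n"
    ),
}
SAMPLE_ALLOWLIST = {("ui/render.js", "dom-innerhtml", "renderLegacy")}

if __name__ == "__main__":
    for f in run_checks(SAMPLE_FILES, SAMPLE_ALLOWLIST):
        print(f"{f.path}:{f.line} in {f.symbol}: {f.check} ({f.reason})")
```

Keying exemptions by symbol rather than by file keeps the blast radius of an allowlist entry small: the legacy `innerHTML` in `renderLegacy` stays exempt, but a new sink added to `renderTitle` in the same file fails the build again.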


I think this is what WhiteSource does. (it's also apparently called Mend now)


Not only are the products confusing (which one does what parent mentioned?) but that pricing is out of reach for so many I'm wondering if the company is actually real or not?

Cheapest plan starts at 1333 USD per month!


If you are a big corp and a security leak costs you 10 mil USD, it might make sense to pay. Instead of paying $50k for a one-time security audit, you get a part of it in the form of a subscription.


I want to second this. The top StackOverflow comment for protecting against XSS in PHP still recommends htmlspecialchars() https://stackoverflow.com/questions/1996122/how-to-prevent-x... which is a terrible and ancient approach (context-aware templates are the modern approach).

I also Googled to check CSRF protection and all the sites I can find just discuss rolling it yourself; the example uses some CSPRNG that can potentially return not cryptographically secure numbers without erroring. https://www.section.io/engineering-education/csrf-protection...

That's one thing that really drove me away from PHP. It presents an extremely simple seeming universe, in which web apps are very easy to write – but has really naïve bones, requiring a lot of extra scaffolding to be safe.
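
What a framework-grade CSRF scheme looks like compared with the hand-rolled examples the comment above complains about, as an added Python example that is not from the comment or the linked article: the nonce comes from the OS CSPRNG through `secrets` (which raises rather than silently returning weak bytes), the token is bound to the session by an HMAC so it cannot be replayed across sessions, nothing is stored server side, and comparison is constant time. The session id, the `csrf_token` form field, the `Origin` check and the demo key are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
NONCE_LEN, MAC_LEN = 16, hashlib.sha256().digest_size


class CsrfProtector:
    """Session-bound CSRF tokens: nonce || HMAC-SHA256(key, session_id || nonce).

    A fresh nonce per issued token means the value rendered into each response
    differs, while verification only needs the server key and the session id.
    """

    def __init__(self, key):
        if len(key) < 32:
            raise ValueError("key must be at least 32 bytes")
        self._key = key

    def _mac(self, session_id, nonce):
        msg = session_id.encode("utf-8") + b"\x00" + nonce
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id):
        nonce = secrets.token_bytes(NONCE_LEN)  # CSPRNG; never random.random() / mt_rand-style PRNGs
        return (nonce + self._mac(session_id, nonce)).hex()

    def verify(self, session_id, token):
        if not token:
            return False
        try:
            raw = bytes.fromhex(token)
        except ValueError:
            return False
        if len(raw) != NONCE_LEN + MAC_LEN:
            return False
        nonce, mac = raw[:NONCE_LEN], raw[NONCE_LEN:]
        return hmac.compare_digest(mac, self._mac(session_id, nonce))

    def request_allowed(self, method, headers, form, session_id, site_origin):
        """Gate for one request: safe methods pass; state-changing methods need a valid
        token, and an Origin header, when the browser sends one, must match the site."""
        if method.upper() in SAFE_METHODS:
            return True
        origin = headers.get("Origin")
        if origin is not None and origin != site_origin:
            return False
        return self.verify(session_id, form.get("csrf_token"))


if __name__ == "__main__":
    # Constructed demo key; in deployment load it from configuration or a KMS.
    csrf = CsrfProtector(secrets.token_bytes(32))
    token = csrf.issue("session-abc")
    print(token, csrf.verify("session-abc", token), csrf.verify("session-xyz", token))
```

The Origin comparison is a second, independent check rather than a replacement for the token: older clients and some request paths omit the header, which is why a missing header is tolerated but a mismatching one is not.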


You don't get XSS protection out the box from any language's standard library, nor CSRF.


You do get XSS protection out of the box in most templating languages, though, and PHP is also a templating language.

Take this template:

  <h1>{{ title }}</h1>
In most templating languages, for a title of "<script>alert();</script>", the result will end up being:

  <h1>&lt;script&gt;alert();&lt;/script&gt;</h1>
In PHP, which is a templating language, the equivalent seems to be:

  <h1><?php echo $title; ?></h1>
But this will print the title unescaped, which is a security vulnerability, and incorrect. In reality, the equivalent is:

  <h1><?php echo htmlspecialchars($title); ?></h1>
Now, you could say, don't use PHP as a templating language! But if you're not supposed to use PHP as a templating language, why does it behave as one? This is one of PHP's footguns to be avoided. Personally, I recommend a linter like PHPCS to catch issues like this one.
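
The escape-by-default behaviour this comment describes, together with the context-aware escaping zemnmez mentions further up (`htmlspecialchars()` alone is only right for element text and quoted attributes), as an added Python example that is not code from any commenter: a small `{{ name }}` renderer that picks its escaper from where the placeholder sits in the template. The placeholder syntax, the context heuristics and the `about:invalid` sentinel for a rejected URL are constructed for this example.

```python
import html
import json
import re

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
# Template text before a placeholder that ends in `<tag ... attr=`, `attr="` or `attr='`.
ATTR_BEFORE = re.compile(r"""<\w+[^>]*?\s([\w-]+)\s*=\s*(["']?)$""")
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def classify(prefix):
    """Decide a placeholder's context from the template text before it (never from rendered values)."""
    low = prefix.lower()
    if low.rfind("<script") > low.rfind("</script"):
        return "js"
    m = ATTR_BEFORE.search(prefix)
    if m:
        name, quote_char = m.group(1).lower(), m.group(2)
        if not quote_char:
            return "unquoted_attr"
        return "url_attr" if name in URL_ATTRS else "attr"
    return "html"


def esc_html(value):
    """What htmlspecialchars()/html.escape give you: right for element text and quoted attributes only."""
    return html.escape(str(value), quote=True)


def esc_url_attr(value):
    # Escaping handles the quote characters; the URL scheme is a separate concern.
    cleaned = re.sub(r"[\t\n\r]", "", str(value)).strip()  # browsers strip these before parsing
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        cleaned = "about:invalid"  # constructed sentinel for a rejected URL
    return html.escape(cleaned, quote=True)


def esc_js(value):
    # Emit a JS string literal; `</` is split so the value can never close the <script> element.
    return json.dumps(str(value)).replace("</", "<\\/")


ESCAPERS = {"html": esc_html, "attr": esc_html, "url_attr": esc_url_attr, "js": esc_js}


def render(template, **values):
    """Render `{{ name }}` placeholders, choosing the escaper by where each one sits."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        context = classify(template[:m.start()])
        if context == "unquoted_attr":
            raise ValueError(f"refusing to render {m.group(0)} into an unquoted attribute")
        out.append(template[pos:m.start()])
        out.append(ESCAPERS[context](values[m.group(1)]))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


if __name__ == "__main__":
    print(render("<h1>{{ title }}</h1>", title="<script>alert();</script>"))
    print(render('<a href="{{ u }}">home</a>', u="javascript:alert(1)"))
    print(render("<script>var t = {{ t }};</script>", t="</script><script>alert(1)</script>"))
```

Two details carry the security argument: `javascript:alert(1)` contains none of the characters `htmlspecialchars()` touches, so in an `href` only a scheme check helps; and in a `<script>` body the value is emitted as a JSON string literal (the template therefore writes `{{ t }}` without surrounding quotes) with `</` split, so the value cannot terminate the element.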


Templating languages are abstractions on top of other technologies. I don't see how PHP is a templating language. I could write that exact same code above in NodeJS and I'd need to use mustache to escape the output. So you can make the same mistakes in Node, Python.

Nobody writes PHP mixing HTML and PHP anymore, and if you do you should run. Shit code is not unique to PHP and I've seen more than my life's share in JS and Python codebases.


> I don't see how PHP is a templating language [...] Nobody writes PHP mixing HTML and PHP anymore

PHP is designed to be a template language, but it's a terrible template language, so nobody (it is claimed) uses it as it was originally designed to be used anymore.

So "use PHP" is not good advice if what you mean is "use a web framework and a separate third-party template language", which works just as well in any language and doesn't give PHP any particular advantage.


Tangential, but I've always found Mustache's tagline "logic-less templates" confusing - what they mean is that the template language doesn't have control flow. Logic is not a synonym of control flow in my mind.


Well, of course not from any lang that treats HTML as a string, but there are langs which treat HTML as structured data in their standard libraries. Take a look at SXML libraries for example. Whatever script you stored as a username for example, it would still get treated as text, not tag, when put into let's say a span or p. SXML is aware of the boundary between tags, their attributes and their content.


I googled SXML and it appears to have implementation libraries in lots of languages. This is not the core language's standard library.


What do you put as the distinguishing feature between "core language standard library" and "comes with the language at installation"?

Some example: https://www.gnu.org/software/guile/manual/html_node/Reading-... (no installation of anything third party required)


Alright, let's go with widely-used programming languages for now - I've been programming for over 20 years and never heard of Guile.

I am not against the idea of having native protections built into stdlib, we can agree there, but it's disingenuous to suggest that this problem is unique to PHP as the parent comment suggested. It's the same in all of the major programming languages used to spit out HTML as far as I can tell.


Oh, very much so. I don't doubt it. Most of them are doing it wrong, fiddling with strings, instead of structured data, which HTML would lend itself really nicely to. Especially PHP, with its "output HTML" in-built mentality should have gotten it right, but did not. Many others did not do any better.
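
The structured alternative argued for in the two comments above (HTML as a tree rather than a string), as an added example using Python's standard-library ElementTree instead of SXML/Guile; it is not code from either commenter. User strings become text nodes or attribute values and are never parsed as markup, which also shows the two things structure does not cover: a `javascript:` URL is a perfectly well-formed attribute value, and a script body is a different language from HTML. The `about:invalid` sentinel and the sample values are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(url):
    """Structure protects the markup, not the URL: a javascript: href is still a valid attribute."""
    cleaned = re.sub(r"[\t\n\r]", "", url).strip()  # browsers drop these before parsing
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        return "about:invalid"  # constructed sentinel for a rejected URL
    return cleaned


def profile_card(username, homepage, prefs):
    """Build the fragment as a tree; the serializer escapes text and attribute values on output."""
    card = ET.Element("div", {"class": "card"})
    name = ET.SubElement(card, "span", {"class": "name"})
    name.text = username  # text node: markup in the username stays text
    link = ET.SubElement(card, "a", {"href": safe_url(homepage), "rel": "noopener"})
    link.text = homepage
    # Data for client-side code goes in a JSON block rather than being pasted into JS.
    # ElementTree's HTML serializer writes script and style bodies verbatim, so the one
    # sequence to neutralise there is a closing tag.
    data = ET.SubElement(card, "script", {"type": "application/json", "id": "prefs"})
    data.text = json.dumps(prefs).replace("</", "<\\/")
    return ET.tostring(card, encoding="unicode", method="html")


if __name__ == "__main__":
    print(profile_card("<script>alert(1)</script>", "javascript:alert(1)",
                       {"theme": "</script><script>alert(1)</script>"}))
```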

