I was a little puzzled as we got notified our apps were down, and then I tried to log in to the Azure portal with no success. But the Azure status page reported no incident, so I posted here and quickly confirmed that others were impacted! They did a pretty bad job with their status page, as the Front Door service was shown green all along.
I don't trust random 3rd party extensions. They might be trying to screw me. This is the exact reason why I don't touch npm.
I'm not prescribing a formal set of rules by which you should or shouldn't trust things. I'm just a reasonable person.
Cursor is an unrelated 3rd party to this situation, which is probably clearly described in their Terms of Service. Blaming them reeks of denying responsibility for your own actions. If you want Cursor to audit every 3rd party extension, they'd probably want you to pay them for it. Just like every commercially licensed Linux distro.
You understand that the extension was a copy of a genuine extension?
It was a mistake that he installed the duplicate fraudulent extension. For all we know he could have checked the intended extension's code line by line, and then gone on to install the trojan horse extension by accident.
This seems like a bad faith argument - the risky tools, yes, actually. I do audit them. Or at least poke around for someone who has.
It is easier than ever to do a DIY malware analysis on the tools you use.
“Hi Claude - you are a security researcher and malware analyst. Analyze the FooBar Chrome Browser extension / git repository I just downloaded for security threats and provide me a report on whether this is OK to use”
I know browser / IDE extensions are not usually audited and approved by the tool owner unless specifically noted otherwise. Even phone apps can sneak stuff in. So I am careful to only install things I trust or will audit myself or am willing to take the risk on.
You can dig in your heels on ideals and principles, but it is simply not realistic to expect a 3rd party extension marketplace from a closed source IDE startup run by 24 year olds in the Valley to protect you from all risk. (By the way, nor is it their goal - they are optimizing for breadth of the ecosystem and adoption and growth, not security and guardrails. That would likely cost you a lot more than $20/month.)
If you can figure out how to moderate a system of 3rd party software (or content, really) to protect the user from all bad things while maintaining global-scale content throughput, I suggest you start a company - I’m sure people will pay a lot of money for your capabilities.
I initially dropped to 4 days/week in lieu of a pay rise (comp remained the same). Did that for a while and since then I've been working 2-4 days/week (3 right now).
It helped that it was a small company and I had been working there for 5+ years, not sure how I'd go about finding a part time software job otherwise. Everything is negotiable though.
I would second this and add that moving to part time is a path that your manager can help you talk to HR about. They may ask why since it's not common, and just be honest about it. If it's medical related - taking care of a spouse, parents, or kids - then in the US there is FMLA, which can be up to 12 weeks; pay depends on banked time off and insurance, etc.
In the US there are likely medical benefit and retirement account requirements for working X hours per week. I think it's 32 typically, but check with HR, or if your place has an employee manual it should be clearly spelled out. To phrase that another way - you may lose medical coverage and/or 401k match depending on the "hours" you work. Scare quotes are because you are likely still salary and not hourly.
Maybe look into a Whoop device. Their business model is unique in the space as it's a subscription, but the tracker itself is solid, has no screen and can be worn a number of ways if you don't want it on your wrist.
That is not true. Either A) You know for a fact all content is safe for underaged, or B) You verify.
What is safe for underaged is not defined and can change on a whim. Therefore, any sane person running a website that is not "explicitly for underageds" will verify and eject said underageds. Especially since the one in charge (hired by the company) can be personally liable for any "harm" coming to the underaged.
Not sure why this was downvoted. It was a serious question. The countries I've lived in have all had digital ID services for a decade.
And no I'm not talking about govt ID or a card. I'm talking about a digital identity you log into and then oauth into other govt services like the tax office or healthcare systems.
The UK is notorious for not having ID cards. That's a solved problem in every other developed country as far as I know.
The reason behind it is privacy (lol, considering their total failure and unwillingness to enforce the GDPR) and yet they are totally fine with the tax office having the same database and information (which is no doubt accessible to law enforcement).
>That's a solved problem in every other developed country as far as I know.
Did you just call the US underdeveloped? :P
But seriously, the US does not have a standardized "ID card" either. They have things like passports (which not that many people have), state-issued driver's licenses (so 50+ different ones, not sure how it's handled in all the non-state areas like Guam or Puerto Rico), social security numbers (which aren't exactly ID either), birth certificates, voter ID cards (for people without a driver's license), and a slew of other things the government and businesses will accept under certain circumstances. What they do not have is a national ID card.
The UK does have state-issued ID cards: Passports. Are you a UK person that wants to operate on the "international internet"? Get yourself a UK passport! :)
Cookies aren't part of the GDPR, so they must be part of the ePrivacy Directive.
Consent is part of the GDPR, but the way I've seen it operate in practice is widely out of compliance. You're supposed to ask for consent in each specific instance of data collection, not present a blanket approval, and default to "no."
Cookies and the GDPR
The General Data Protection Regulation (GDPR) is the most comprehensive data protection legislation that has been passed by any governing body to this point. However, throughout its 88 pages, it only mentions cookies directly once, in Recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
What these two lines are stating is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.
They are not required for cookies, but they are required for tracking cookies. If you are only using cookies for e.g. shopping cart or CSRF protection, you don't need a consent dialog, but that is not the case for those websites showing the dialog.
Best of luck to the teams responding to this incident.