I haven't done any video editing in around 6 months, so I don't know what their current status is, but it did get noticeably more stable for me around the 0.7.3 version. Ah, the wonders of Arch and rolling releases.
It would still crash occasionally, though. The only saving grace is that its auto-save is impeccable.
Am I the only one seeing the irony of calling something "Revolution" and then adding version number 4.0 to it?
I think that about sums it up nicely...
Wrong. Your HTTP headers don't end up on your Twitter "blog" (or whatever it's called), they end up on the attacker's.
And as for banks not having a public messaging feature, is Citibank big enough for you?
https://banking.citibank.com/JoinOurOnlineForum/UserGuide.aspx
But once again, do note that the page where the user's credentials end up doesn't need to be public; it just has to be accessible by the attacker.
I'm sure it's great to repeat cliche lines when it comes to economics and computer science, and I know it's super popular with the recent quant economics and stock market debacle. But it'd be kind of nice if people knew what a Nash equilibrium is in the first place. If I use a Nash equilibrium strategy, it doesn't matter *how* you change your behaviour, you can't benefit from it. Think minimax algorithm in zero-sum games.
This is a perfectly sound mathematical concept, in a mathematical sense it's as true as anything else in mathematics. And this is an important and interesting result we found about it. There's no need to label anybody as "geeks addicted to a single theory". It's the same as saying that we "need to stop being addicted to believing that 1+1 equals 2 and start dealing with people".
Our applications of the theory can be more or less successful, and any application of game theory to anything as complicated as economics can only be an approximation. But there's no need to spit on this result because of that.
The key difference is that with an IMG tag the attacker can only get the user's browser to make GET requests, whereas this attack enables POST requests as well. Any reasonably well-designed online banking application should not be exploitable via GET requests.
Also, the attack vector here is different compared to a "regular" CSRF through XSS. Which one is more practical is open to debate.
Erm, no, you're getting it wrong. What this attack means is that the attacker gets the ability to make arbitrary requests for resources on behalf of the user.
So no, it doesn't mean that the attacker can now serve you malicious web pages that will appear to be coming from your bank's web site. What it does mean is that once you go to a secure page on your bank site, the attacker can instruct the bank to transfer money from your account to his, without you ever knowing. This is kind of similar to the IMG tag attack but it's more difficult to defend against.
"Take that, you hostile sons-of-bitches!" -- James Coburn, in the finale of _The_President's_Analyst_