Comment Re:NIST is right and wrong (Score 1) 180

However, requiring mixed case and special characters? If you give that up you drastically reduce the difficulty of dictionary attacks. You double the size of the required table by using mixed case, triple it with special characters.

Nope. Most people, when they are "required" to use mixed case and special characters, do it in a way that can be easily brute forced with only a handful of extra attempts (1 = !, at = @, O = 0, etc.). The parts that preserve the difficulty of brute force are:

  • 3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  • 4. Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  • 9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

Web sites have been having it both ways for years: they have been telling us to make harder passwords, while simultaneously making it harder for us to do so. In some cases, passwords were truncated or forced to lower case before being hashed, making them much much weaker than it seemed they were. And then when a password is compromised, the user is blamed.

Don't mix up the actual strength of voluntarily using complex passwords with the perceived strength of forcing someone else to do so.
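To make the comment's point concrete, here is an added example (not part of the original post) contrasting a legacy verifier that folds case and truncates to 8 characters before hashing with one that follows the three NIST items quoted above. The salt, iteration count and 64-code-point cap are constructed for the demonstration; the `enforced_keyspace_bits` helper is a hypothetical name for the upper bound a verifier actually enforces.

```python
import hashlib
import hmac
import math
import unicodedata

# Constructed, fixed salt so the example is deterministic; a real verifier stores
# a random per-account salt alongside the hash.
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000
MAX_CODE_POINTS = 64  # length limit measured in code points, not bytes

def weak_hash(password: str) -> bytes:
    """The legacy behaviour described above: fold case and truncate to 8
    characters *before* hashing, so most of the password never counts."""
    reduced = password.lower()[:8]
    return hashlib.pbkdf2_hmac("sha256", reduced.encode("utf-8"), SALT, ITERATIONS)

def strong_hash(password: str) -> bytes:
    """NIST-style verifier: accept any printing ASCII, space and Unicode
    (items 3, 4), count length in code points (item 4), hash the entire
    string (item 9). NFKC normalisation makes equivalent Unicode forms match."""
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) > MAX_CODE_POINTS:
        raise ValueError("password exceeds the configured code-point limit")
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), SALT, ITERATIONS)

def verify(stored: bytes, candidate: str, hasher) -> bool:
    """Constant-time comparison of a stored hash against a login attempt."""
    return hmac.compare_digest(stored, hasher(candidate))

def code_point_length(password: str) -> int:
    """Length the way item 4 requires: one per code point, whatever its UTF-8 size."""
    return len(password)

def enforced_keyspace_bits(password: str, truncate_to=None, fold_case=False) -> float:
    """Upper bound (bits) on the search space a verifier really enforces for a
    random printing-ASCII password, after the pre-hash transformations it applies."""
    alphabet = 95  # printing ASCII including space (item 3)
    if fold_case:
        alphabet -= 26  # upper-case letters collapse onto lower-case
    n = len(password) if truncate_to is None else min(len(password), truncate_to)
    return n * math.log2(alphabet)

if __name__ == "__main__":
    pw = "CorrectHorse Battery!"
    print("weak verifier accepts 'correcth':", verify(weak_hash(pw), "correcth", weak_hash))
    print("strong verifier accepts 'correcth':", verify(strong_hash(pw), "correcth", strong_hash))
    print("bits enforced, weak vs strong: %.0f vs %.0f"
          % (enforced_keyspace_bits(pw, 8, True), enforced_keyspace_bits(pw)))
```

The 21-character password is enforced at under 50 bits by the weak verifier and at over 130 bits by the strong one, which is the gap between perceived and actual strength the comment describes.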

Comment Re:Too many new vehicles are dangerous (Score 1) 247

My Chevrolet has a touch screen with all the controls, but I can change the radio station and volume with steering wheel controls and all the climate controls and defrosters have physical buttons very similar to what cars have had for the past thirty years. All the buttons cooperate with the touch-screen system, you can use either without disadvantage.

However, this is beside the point. This vehicle is much more likely to break than cars used to be and likely to be more expensive to fix. I actually had a Mazda that the factory bought back because the "infotainment system" needed to be repaired six times under warranty.

Comment Re:Not this again (Score 1) 126

Bad programmers write bad programs. No surprise there.

What you're missing is that when you tweak even a decent number of database queries to get just the right columns for the task at hand, you end up with a sprawl of data models in your code that all map back to the same columns. Composite models where the properties come from multiple tables because the underlying query has a join compound this. Tracking what database change will affect what code becomes a truly cumbersome process and updating data that you just read becomes spotty. For example, if you retrieve four columns from a ten column table and you want to add a new record, you might need one of the other six because they aren't nullable. So, you create an object of a different class to save, save it, then either round-trip it through the database to reduce it to the four column object that can be bound to the UI elements, or write even more code to convert or adapt it.

There's real value in ORMs and in auto-generated database code. There's also real value in knowing how a particular design choice affects database performance. Unskilled programmers might prefer to not write SQL, but that doesn't mean that not writing SQL directly leads to unskilled programming.

Comment Re: Nobody asked for this. (Score 1) 335

It's also obvious that the manufacturers don't really care to add the features that people want. I have a $3000 smart oven and every time I lose power, I have to reset the clock. With the little up and down button on the control panel. That's right, the oven won't set its clock using Internet time and the app has no "set clock" feature.

The only thing I get out of the "smart package" is that my phone gets an alert when it's preheated. That's it. This is the only useful feature.

Comment Re:Weber is correct on this (Score 2) 40

It's not the manufacturer's responsibility. However, federal law requires that the manufacturer show that the Frankensteining caused the damage. Otherwise manufacturers would say things like "Our grills were never tested with veggie burgers" and call that a misuse of the product and deny warranty service.

Comment Re:Already not allowed under Magnuson–Moss (Score 1) 40

Are they provided free? Of course not. The act was specifically worded that way to get warranty writers to stop requiring specific products and providing a very easy remedy for anyone that does... they give their product away for free.

At the time, auto manufacturers were already set up to make the claim "we're not requiring our parts". They did this by creating companies to sell parts - GM had AC Delco, Chrysler had Mopar, etc. The exact wording in the act was intended to close this loophole.

The paraphrasing is not misleading, it is exactly what was intended and exactly what applying the more specific wording of the act accomplishes. Additionally, Weber violated both the paraphrased statement and the wording in the act since they don't give away replacement parts. So, the paraphrasing is both easier for most people to fit in their heads, and accurate enough to use as a functional replacement. The "settlement" that Weber reached simply puts them in compliance with Magnuson–Moss.

Comment Already not allowed under Magnuson–Moss (Score 4, Informative) 40

The Magnuson–Moss Warranty Act of 1975 says specifically "Warrantors cannot require that only branded parts be used with the product in order to retain the warranty."

So, apparently the FTC entered into negotiations with Weber and "settled" on having Weber comply with an act of congress that has been on the books for almost fifty years. This was reported in the context of right-to-repair, so I'm curious if Weber made a deal to actually honor the existing law if the FTC would back off on its right to repair demands. Seems like a pretty weak deal if that's even remotely close.

Comment Re:Deplatforming doesn't work. (Score 1) 377

what else can we infer?

We can infer nothing.

Al Capone was sent to jail on tax related charges because it was more expedient and reliable to do so. This fact does not mean that Capone didn't order murders and it doesn't mean that he didn't run an organized crime ring. It also doesn't mean that he did.

This researcher is simply using expedient methods to disrupt something he doesn't agree with. It's possible that he's a censorship nut that wants speech he doesn't personally agree with silenced, and it's possible that he's trying to shove the most egregious hate influencer out of their position of influence before too much harm is done. You can't infer his motives from the fact that he chose to pursue a technicality rather than the core issue as a remedy. If you claim he is wrong, show some real evidence.

Comment Re:Obviously, they do not (Score 1) 117

That's why my plan didn't have only one mechanism to maintain security. Items #2 and #3 should help.

Another thing to think about is vendor management. The IT industry accepts poor security because nearly all vendors are selling poor security. If we started sending clear messages to vendors when these things happen, we'll get better products. However, these types of changes will take many years to bear fruit.

Comment Re:Obviously, they do not (Score 1) 117

You don't need to inspect the actual software. Actually, you probably don't want to rely on inspection, because it's terribly expensive. The open source "many eyes" mantra is all about spreading that burden. However, if you have to make sure your software is secure, you can't rely on the rest of the world to do it for you in most cases.

So, here's what you do: first, get all the free benefits you can by always installing security updates very soon after they are published. Put whatever funds are necessary to know what updates are out there, get them tested, and get them rolled out. Second, get ahead of the curve by running your own pen tests. Third, catch the things you miss by installing behavior analytic software that looks for abnormal use patterns.

BTW, writing software yourself doesn't make it any more secure. You won't put any backdoors in your own software, but you might put in an "administrative access feature", which is what the guys that make back doors call them when they make them. It's not called a back door until it's discovered by someone else.

Comment Re:What happens when you defund the police (Score 0, Offtopic) 229

Actually, "defund the police" really means to create an entirely separate set of organizations to do the tasks that the police are supposed to be doing, and redirect the police money there. It's supposed to express the acceptance that the police have built up so many barriers to reform that this is the only practical path to reform... even if the money ends up going to an organization that is essentially identical to the current police.
