Keeping passwords in plain text in “value” attribute. Addons can use this for password leaking

Either there is a security hole or I’m missing information about something.

While I was testing how the Surfingkeys addon works, I noticed that it has a command, yf, to copy form content on the current web page. I thought about testing it on “Sign In” and “Log In” forms on a few websites to see if it would be able to retrieve typed passwords in plain text. It was successful if standardized <form> tags were used.

Then I noticed that in most web applications the password is kept in the <input value=""> attribute in plain text, which to me seems like a by-standard security hole for the whole W3 stack (HTML, CSS, JS, etc.). If this addon was able to get the password from the DOM, then any addon can do that. The only piece missing is sending that data to the server of a 3rd party who are the owners of such a malicious addon – such a situation already took place with Stylish.

So attack scenario looks like this:

  1. Company “mal1c1ous” buys a popular web addon.

  2. They add to the addon a generic <form> parser script which retrieves data from <input value="">.

  3. For each known website they make their addon “decorate” submit buttons with a script which on click first sends a request with credentials to their server and then to the host of that website. Or they just send requests each time the parser script is able to get new data.

  4. After some time they perform an attack using the gathered credentials.

I find that scenario possible; show me that it can’t happen. Also, my question is: given that, is Web security flawed by design?

The thing is that no one discourages using <input value=""> as a password holder; it seems that there is no other option by standard. Web developers can only come up with their own ideas to obfuscate where a password is stored before the request is made.
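The scenario above depends on an addon being allowed to run scripts on every site. As an added example (not part of the original post), this Node.js sketch audits a WebExtension manifest.json for that level of access; the finding names and the sample manifests are constructed for illustration.

```javascript
// Added example (not from the original post). Manifests below are constructed.
// Match patterns that cover every site: <all_urls>, or a wildcard host such as
// *://*/* or https://*/*. A pattern like https://*.example.com/* is not broad.
const BROAD = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Manifest V2 lists host patterns inside "permissions";
  // Manifest V3 moves them to "host_permissions".
  const hosts = [...perms, ...(manifest.host_permissions || [])].filter(isHostPattern);

  // Content scripts run inside the page and can read its DOM, form values included.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD.test(m));
    if (broad.length) {
      findings.push({ kind: "content_script_all_sites", patterns: broad, files: cs.js || [] });
    }
  }
  const broadHosts = hosts.filter((h) => BROAD.test(h));
  if (broadHosts.length) {
    findings.push({ kind: "host_access_all_sites", patterns: broadHosts });
    // In Manifest V3, "scripting" plus host access allows injecting scripts on demand.
    if (manifest.manifest_version === 3 && perms.includes("scripting")) {
      findings.push({ kind: "on_demand_injection_all_sites", patterns: broadHosts });
    }
  }
  return findings;
}

// Comma-separated finding kinds, convenient for reports and checks.
const kinds = (m) => auditManifest(m).map((f) => f.kind).join(",");

// Constructed sample manifests.
const keyboardAddon = { name: "keyboard-addon", manifest_version: 2,
  permissions: ["tabs", "clipboardWrite", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] };
const siteHelper = { name: "site-helper", manifest_version: 3,
  permissions: ["storage"], host_permissions: ["https://*.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["helper.js"] }] };
const injector = { name: "injector", manifest_version: 3,
  permissions: ["scripting"], host_permissions: ["*://*/*"] };

for (const m of [keyboardAddon, siteHelper, injector]) {
  console.log(`${m.name}: ${kinds(m) || "no all-site access"}`);
}
```

An extension with any of these findings can read form fields on every page it loads into, so an ownership change or an update to it deserves a review.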

How to avoid a boring late game in strategy games while still keeping victories satisfying?

A common thing I’ve noticed in strategy games (of all types, 4X, RTS, MOBA, etc.) is that most games eventually get to a point where it is fairly clear who is going to win, and the rest of the game just becomes playing out the motions, and if the winning player/team doesn’t make a major misstep, they will win.

This is just kind of the nature of strategy games. They inherently have a “snowball” effect. The gameplay is all about setting yourself up for success over your opponents in the future, and whoever does this better in the earlier stages of the game should win in the later stages. This happens in every strategy game to some extent, even the most classic. In Chess, it becomes increasingly harder to win if your opponent takes more and more of your pieces and forces your remaining pieces into tough situations.

As I said, this is just a fundamental part of the genre, so I’d hesitate to call it a problem. However, on occasion, in these types of games, you have matches where no player/team gains a significant advantage early, and the game comes down to the last turn. In my opinion, these are the most exciting and interesting matches you can have. Furthermore, when this doesn’t happen, the late stages of the game can feel very boring for everyone involved, where the winning player is just awaiting their inevitable victory, and the losing player their inevitable demise (this can be especially unfun for the losing player, as they probably have very few options, and it is just really unlikely that they are having a good time).

So it would be cool if we could design a strategy game that avoids consistently falling into this state, right? Well, I have seen a handful of games like this, where a losing player consistently has avenues to victory, no matter how far behind they are. The issue with this is that if an upset happens (say one player was dominating the whole game, and then a losing player makes one good play at the end of the game to win), that victory can feel very unsatisfying for the winning player, as they may feel they didn’t deserve it. Similarly, the player who was winning most of the game may be very unhappy, as they may feel like victory was robbed from them, and they didn’t deserve to lose. So essentially, no one is happy with the result. This approach may also make the early game less fun, as players may feel like it just doesn’t matter.

So is it possible to design a strategy game that avoids both of these issues? A game where we don’t consistently fall into a boring lategame with a foregone conclusion, and yet also keep victories feeling satisfying and deserved? Or are these issues far too fundamental to strategy gameplay to overcome?

If this question is too vague on its own, then we can focus on 4X strategy games, as those are the games I have experience with, and that I am interested in designing.

How can I transfer an office 365 domain to a different tenant keeping the users’ OneDrive files?

I registered user@mydomain.com with office 365 and registered the custom domain mydomain.com.

After doing this, I noticed that several users with the same domain had previously registered, thus automatically creating a tenant, the same tenant I have been put into.

Those users have put several files on OneDrive.

My situation now is:

tenant: mydomaincom.onmicrosoft.com
added domain: mydomain.com
admin user: user@mydomain.com
other users: user1@mydomain.com, user2@mydomain.com (use OneDrive files)

Now I’d like to move the domain to another tenant, but I need to do this without deleting or changing the username of any of the existing users.

This is what I’d like to achieve:

tenant: newdomaincom.onmicrosoft.com
added domain: mydomain.com
admin user: user@newdomain.com
other users: user1@mydomain.com, user2@mydomain.com (keep OneDrive files)

What software to encrypt whole drives, Google drive folder, keeping access on Android and good performance?

I would like to encrypt my drives and data on Windows 10, but I need some recommendation to use the appropriate software(s).

  • On my system drive, I have the "Backup and sync" Google software and the synchronized Google Drive folder. But I absolutely need to keep the folder content readable from my phone at any time. If I encrypt the whole drive, will this folder be synchronized as encrypted? If yes, is it possible to decrypt files from Google Drive on the fly on Android?

  • I also have a "Media" SSHD (with my Pictures and Videos folders, and video editing stuff), a "Backup" SSHD (which contains the FileHistory Windows folder), and a "Virtual machines" SSHD. Note that I need to keep good performance with all of them if I encrypt them, regardless of the method.

I think that the most important folders to encrypt are Google Drive, Pictures, Videos and FileHistory. But I don’t know if whole drive encryption will be better and more appropriate.

For Windows, I found "Bitlocker" and "VeraCrypt", but if all files are encrypted, I won’t be able to decrypt Google Drive folder content on Android.

For Google Drive, I found "Boxcryptor", "Cryptomator", and "GoodSync" which work on Windows and Android, but which seem to be specific to cloud storage.

  • What folders or drives must I/can I encrypt to keep good performance?
  • What software do you advise me to use? Do I have to use two programs to fit my requirements, or do you have any other recommendation?

Thanks!

ImageMagick Crop image keeping original position

Having this image: https://upload.wikimedia.org/wikipedia/en/thumb/1/10/Stratton_Oakmont_logo.svg/1200px-Stratton_Oakmont_logo.svg.png

I would like to cut the lion but keep the original image size and lion in place.

Right now I’m only able to cut the lion and keep the original image size, but not its position:

convert /tmp/stratton.png -crop 550x800+320+30 -background none  -extent 1200x1920 /tmp/output.png 

How can I keep the lion in its original position?

What are the best practices for keeping and analyzing unstructured user feedback?

To get and analyze users’ feedback is vital for designing successful products as all of you perfectly know. It is more or less clear what to do with surveys’ results, but what is the best way to keep results of interviews and unstructured user reports?

Shame but now I just keep feedback in a special mailbox and store interviews’ summary in Notes. As a result, I create tickets in Jira after short analysis 🙂 Previously when I had 3 more designers we used spreadsheets (excel, confluence, google sheets) but it takes too much time now when I’m the only designer (yet). The main issues with those approaches are:

  • you can’t really analyze anything (e.g. find alike or controversial things) in Notes and mail ))
  • spreadsheets give some sort of analysis capabilities but it consumes too much time

Any hints on how to avoid spreadsheets? Thanks!

Narrowing the range of an interpolating function while keeping integral the same?

Consider an interpolating function derived from some data, e.g.

data = Table[{x, Cos[2 π/1000 x] // N}, {x, -250, 250}];
fun[x_] = Piecewise[{{Interpolation[data][x], Min[data[[;; , 1]]] <= x <= Max[data[[;; , 1]]]}}]

As it is, the interpolation shows a hump that goes to zero at x=-250 and x=250:

Plot[fun[x], {x, -500, 500}] 

Now I would like to change (manipulate) the interpolation function such that e.g. the function goes to zero at x=-100 and x=100 instead, while the height increases proportionally so as to keep the integral constant:

Integrate[fun[x],{x,-Infinity,Infinity}] 

318.31

Here is a rough sketch of how the result should look.

How can I do this with Mathematica?

EDIT:

Naively, I could always do

targetA = NIntegrate[fun[x], {x, -Infinity, Infinity}];
transfA = NIntegrate[fun[x 5/2.], {x, -Infinity, Infinity}];
newfun[x_] = fun[x 5/2] targetA/transfA;
Plot[{fun[x], newfun[x]}, {x, -500, 500}]

But I wonder if there is a less pedestrian way of doing that?