PSA i can spoof any mit.edu email and it will pass all DKIM/SPF/etc. checks. here's an email i sent to myself pretending to be a famous MIT-affiliated podcaster - thanks gmail for auto-inserting the profile pic :)

MIT may fix this someday but in the meantime beware that it's trivial for any mit.edu account to send mail as any other mit.edu account! i discovered this because i received a VERY convincing phishing email sent from "me". it turns out the attacker compromised another acct and was using it to send email as arbitrary users. that acct has been reported and suspended.mit.edu

in january 2023, i had a simple ultrasound done at SimonMed. they sent me 4 bills totaling $5137 for it.

after a year of emails and phone calls, they finally admitted today that i only owed $140.53 and are mailing me a refund check!

here's how i did it 🧵 2/ the first bill they sent was for $484.92, which i paid promptly. a few months later they sent a bill for $3378.69! i contacted my insurance and they sent me an updated EOB saying i only owed an additional $140.53.

when reading text in a non-native language & wondering how it's pronounced, u can enter this in devtools to have the browser pronounce it:

u=new SpeechSynthesisUtterance(getSelection().toString());u.lang='ru-RU';speechSynthesis.speak(u)

(replace 'ru-RU' with any BCP 47 tag) assuming you've highlighted the text you want pronounced

i…. just received a children’s book about a rabbit who travels back in time to medieval europe and gets everyone hyped about blockchain some of the blockchain applications that the poor bunny serfs come up with:

my friend sophie got fired from her job at Facebook and turned down a $64,000 severance package in order to leak this, so u better read it. buzzfeednews.com/article/craigs… my biggest takeaway from this article is that FB could be doing a lot more to prevent politically-motivated bot activity, but they choose not to because they don't see any immediate revenue or PR benefit from doing so.

why is it not common knowledge that u can make perfect japanese-style croissants from scratch with like 20min of effort?? thx @MimeeXu for enlightening me

(recipe in thread👇) 1/ mix 400g bread flour & 6g salt

microwave 240g milk for 30s
dissolve 8g dry yeast in it
add 50g honey
add 40g softened butter
mix together

mix wet mix into dry mix to form a well-combined dough

cover and rest overnight in fridge

1/ in this thread i'll summarize some differences between SameSite=Lax (Chrome's new proposed default policy; see mikewest.github.io/cookie-increme… for more technical details) and third party cookie blocking (Brave's default policy unless user turns it off for a site)

https://twitter.com/ChromiumDev/status/1125849423819431936

2/ SameSite=Lax is more strict than 3p cookie blocking in the sense that it also blocks requests using unsafe HTTP methods. For instance if X contains a form that POSTs to Y, cookies to Y would be blocked by SameSite=Lax but not most 3p cookie block implementations AFAIK

Signal Desktop just pushed out a fix for a remote XSS vuln: github.com/signalapp/Sign…

demo:

External Tweet loading...
If nothing shows, it may have been deleted
by @ortegaalfredo view original on Twitter

a lot of @electronjs devs have the attitude that their app doesn't need sandboxing or keeping up-to-date with Chromium bc "it doesn't execute untrusted code". the problem is that falls apart as soon as you get XSS. github.com/signalapp/Sign…

(at least Signal has sandboxing)