Well that’s easy. The protests aren’t illegal. Therefore this amounts to nothing.
Fuck this dude.
Well that didn’t age well, did it.
Or wear a respirator while you sand…
That’s correct, it is just plain text and it can easily be spoofed. You should never perform an auth check of any kind with the user agent.
In the above examples, it wouldn’t really matter if someone spoofed the header as there generally isn’t a benefit to the malicious agent.
Where some sites get into trouble though is if they have an implicit auth check using user agents. An example could be a paywalled recipe site. They want the recipe to be indexed by Google. If I spoof my user agent to be Googlebot, I’ll get to view the recipe content they want indexed, bypassing the paywall.
But, an example of a more reasonable use for checking user agent strings for bots might be regional redirects. If a new user comes to my site, maybe I want to redirect to a localized version at a different URL based on their country. However, I probably don’t want to do that if the agent is a bot, since the bot might be indexing a given URL from anywhere. If someone spoofed their user agent and they aren’t redirected, no big deal.
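An added example, not part of the original comments: the paywalled-recipe case above, with the User-Agent-only check next to one that also confirms the connecting IP through forward-confirmed reverse DNS. The function names, the crawler host suffixes and the DNS records are assumptions constructed for illustration so the block runs offline.

```python
import socket

# Assumed crawler host suffixes; confirm against Google's crawler documentation.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def ua_only(user_agent, remote_ip):
    """Implicit auth check: trusts a string the client chooses."""
    return "Googlebot" in user_agent

def verified(user_agent, remote_ip,
             reverse=lambda ip: socket.gethostbyaddr(ip)[0],
             forward=lambda host: socket.gethostbyname_ex(host)[2]):
    """UA claim plus forward-confirmed reverse DNS on the connection's IP."""
    if "Googlebot" not in user_agent:
        return False
    try:
        host = reverse(remote_ip).rstrip(".").lower()
        # The PTR record is set by whoever owns the IP, so it must also resolve back.
        return host.endswith(CRAWLER_SUFFIXES) and remote_ip in forward(host)
    except OSError:
        return False  # lookup failed: treat as an ordinary visitor

def serve_recipe(user_agent, remote_ip, subscribed, is_crawler):
    return "full" if subscribed or is_crawler(user_agent, remote_ip) else "paywall"

# Constructed DNS data (documentation IP ranges) so the example runs offline.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "203.0.113.7": "client.example.net",
       "198.51.100.5": "crawl-1.googlebot.com"}  # PTR claimed by the IP's owner
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
     "crawl-1.googlebot.com": ["192.0.2.99"]}

def fake_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]

def fake_forward(host):
    return A.get(host, [])

def offline_verified(user_agent, remote_ip):
    return verified(user_agent, remote_ip, fake_reverse, fake_forward)

if __name__ == "__main__":
    for ip in PTR:
        print(ip, serve_recipe(GOOGLEBOT_UA, ip, False, ua_only),
              serve_recipe(GOOGLEBOT_UA, ip, False, offline_verified))
```

In production the default `reverse` and `forward` resolvers perform live DNS lookups, so results should be cached per IP rather than resolved on every request.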
User agents are useful for checking if the request was made by a (legitimate self-identifying) bot, such as Googlebot.
It could also be used in some specific scenarios where you control the client and want to easily identify your client traffic in request logs.
Or maybe you offer a download on your site and you want to reorder your list to highlight the most likely correct binary for the platform in the user agent.
There are plenty of reasonable uses for user agent that have nothing to do with feature detection.
Is fuckboy really a curse word?
It’s easy enough to disable or change the settings to exclude apps. Not that it should be enabled by default, but it is part of initial account setup too.
JSON Problem Details
https://datatracker.ietf.org/doc/html/rfc9457
This specification’s aim is to define common error formats for applications that need one so that they aren’t required to define their own …
So why aren’t you using problem details?
Its use looks contrived to me on the linked GitHub page. The comparison with @ and # is flawed because those symbols are part of the resource name, whereas here the symbol is superfluous. It’s like adding a 🌐 in front of every web URL.
Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it’s less about clicking the box and what happens after you’ve clicked the box.
Random passwords and MFA all the way!
This isn’t the evolution of C at all. It’s all just one language and you’re simply stuck in a lower dimension with a dimensionally compatible cross-section.
Those companies aren’t “the Internet.” They’re products connected to the Internet.
The OP argument is like saying the Internet is dead because Netflix is down.
Doubtful. By far, most servers responsible for Internet traffic are not running CrowdStrike software.
This incident was a bunch of Fortune 500 companies caught with their pants down.
I mean, yeah, exactly. Keep in mind scammers are targeting vulnerable people. Granted I don’t see how such a feature will work on my grandmother’s flip phone.
It might be a good feature for the elderly as long as it’s local and optionally enabled (especially if it can be enabled only for unknown callers).
Yes, I understand you would never really know if it’s not always enabled. But then again, you currently don’t know if anything similar isn’t already enabled.
For other users, again potentially useful if it’s opt in. However, many people (myself included) simply don’t answer the phone anymore unless it’s a caller we already know. I use Google’s call screening feature for any other caller not in my contact list already, and I would estimate about 1 in 20 or 5% of such calls I receive aren’t spam (marketing or fraud). Of those non-spam calls, the majority are appointment reminders I don’t need.
So would I turn this feature on? No, I don’t have a need. Could it be beneficial for the elderly? Yes, but probably not implemented in a way where it would actually be effective.
How does it verify the command is valid? Does it run what I enter?
If so, just give it an infinite loop followed by some attempt at a tar command:
while true; do :; done; tar -xyz
Isn’t it available on PS5?
Even if it didn’t outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren’t generated with a secure random number generator, or the validation call isn’t resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.