
I haven't particularly kept up with RFK's brand of MAGA craziness, but all European countries have different childhood vaccination schedules, with some overlap, see here: https://vaccination-info.europa.eu/en/about-vaccines/when-va...

The superset of all Euro vaccines is still much smaller than what the US had. Are we that much healthier?

What is on the US schedule that is not on Euro schedule?

Here's the US vaccine schedule pre-RFK: https://archive.cdc.gov/#/details?q=schedule&start=0&rows=10...

Here's a site where you can view vaccine schedules across Europe: https://vaccine-schedule.ecdc.europa.eu/

The only outlier is Hepatitis A, which is still recommended in some European countries. On the reverse side, the meningococcal vaccine is commonly scheduled in Europe but not in the US.


Docker is not for production. Nomad at scale in practice needs a lot of load-bearing Bash scripts around it: for managing certs, for external DNS, you need Consul for service discovery, Vault for secrets.

At that point, is Nomad still simple? If you're going to take on all of the essential complexity of deploying software at scale, just do it right and use Kubernetes.

Source: running thousands of containers in production.


> you need Consul for service discovery

Kubernetes uses etcd for service discovery. It isn't that Nomad does things differently or less simply, it is just that they are more explicit about it.

The real difference is that Kubernetes has a wide array of cloud hosts that hide the complexity from users, whereas Nomad can realistically be self-hosted.


I'm not saying that Kubernetes isn't complex; I'm saying it's a fallacy to claim that the HashiCorp stack in any way manages to be less complex in practice. All of these moving parts are unavoidable if you want to run software at scale; Kubernetes is just way better engineered than the HashiCorp stack, if only for not depending on dockerd.


> A partially typed password would be output to standard input if a timeout occurred when Defaults pwfeedback was not enabled (GHSA-q428-6v73-fc4q).

> Timestamp files did not take into account the setting of the Defaults targetpw and Defaults rootpw (GHSA-c978-wq47-pvvw)


"moderate" makes sense here; those are issues that needed fixing, but they wouldn't give someone privileged access they shouldn't have, and they occur in non-default configurations.


> access they shouldn't have

It does; quotes from https://github.com/trifectatechfoundation/sudo-rs/security/a... below:

> A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts.

> A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of sudo), effectively negating the intended behaviour of the targetpw or rootpw options.
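A simplified model of the timestamp-cache issue quoted above, added here as an illustration (not sudo-rs code): the option semantics follow the sudoers manual, while the cache layout, timeout and sample accounts are constructed for the demonstration.

```python
"""Simplified model of a sudo-style authentication timestamp cache.

Added illustration (not sudo-rs code) of the targetpw/rootpw issue: with those
options set, the password that is checked belongs to the target account (or
root), not to the invoking user. If the cached "already authenticated" record
does not say whose password was verified, a success for one account can be
replayed to run commands as a different account within the timeout.
Option semantics follow the sudoers manual; the cache layout, timeout and
sample accounts below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Policy:
    targetpw: bool = False   # Defaults targetpw: ask for the target user's password
    rootpw: bool = False     # Defaults rootpw: always ask for root's password
    timeout: float = 300.0   # seconds a successful authentication stays cached


@dataclass
class SudoModel:
    policy: Policy
    passwords: Dict[str, str]            # account -> password (constructed sample)
    fixed: bool = True                   # False reproduces the flawed cache key
    cache: Dict[Tuple[str, ...], float] = field(default_factory=dict)

    def auth_account(self, user: str, target: str) -> str:
        """Return the account whose password this request must present."""
        if self.policy.rootpw:
            return "root"
        if self.policy.targetpw:
            return target
        return user

    def cache_key(self, user: str, who: str) -> Tuple[str, ...]:
        # Flawed: the record only remembers that 'user' authenticated at all.
        # Fixed: it also remembers whose password was actually verified.
        return (user, who) if self.fixed else (user,)

    def run_as(self, user: str, target: str, typed: Optional[str], now: float) -> bool:
        """True if 'user' may run a command as 'target' at time 'now'."""
        who = self.auth_account(user, target)
        key = self.cache_key(user, who)
        stamp = self.cache.get(key)
        if stamp is not None and now - stamp < self.policy.timeout:
            return True                  # valid cached authentication, no prompt
        if typed is not None and self.passwords.get(who) == typed:
            self.cache[key] = now        # record the fresh success
            return True
        return False


def replay_scenario(fixed: bool) -> bool:
    """Scenario from the advisory quote: alice knows only her own password and
    targetpw is set, so running as root should require root's password.
    Returns True if alice nevertheless gets a root command through."""
    model = SudoModel(Policy(targetpw=True), {"alice": "a-pw", "root": "r-pw"}, fixed)
    assert model.run_as("alice", "alice", "a-pw", now=100.0)   # legitimate: own password
    return model.run_as("alice", "root", None, now=120.0)      # replay within timeout


if __name__ == "__main__":
    print("flawed cache lets alice escalate:", replay_scenario(fixed=False))  # True
    print("fixed cache lets alice escalate: ", replay_scenario(fixed=True))   # False
```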


I'm surprised how little attention this is getting on HN.


I stand corrected, you're right. I misread the description of the vulnerability.


> Also this will completely disable any new phone OSes being developed. Why would anyone bother when you can't verify your wallet to do anything online.

This is already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.


> you can't run your bank's app

I can log in to my bank account using my desktop PC

> government eID apps

I can sign into government websites using my desktop PC and its smart card reader and my government-issued eID smartcard. No smartphone needed.


Not in EU. Many banks mandate you either have an iPhone or Google approved Android as 2FA. Those fucking idiots have killed their own competition options.


While everyone took the opportunity to reply to you with "Not in my bank/country/to-my-awareness", this is what's happening in Portugal:

https://old.reddit.com/r/portugal/comments/1msc886/obriga%C3...

Effectively, if the client doesn't download the app, they will never be able to log into the home banking website again. The bank enforced this and now if you log in normally it will redirect to a page where you can download the app or use up one of three remaining chances to log in. I am down to two. From now on, I'm only able to use ATMs or go to an actual teller to make payments and such. The app requires that I have a Google account or an Apple account and I think that's just messed up, especially for a Portuguese bank.

The app on the Google store is pt.novobanco.nbsmarter if anyone is curious. It has interesting permissions as well.

Edit: This is the landing page (one login left, oh dear...) https://files.catbox.moe/x117iy.png

rsync, here you go:

https://reports.exodus-privacy.eu.org/en/reports/652314/


> While everyone took the opportunity to reply to you with "Not in my bank/country/to-my-awareness", this is what's happening in Portugal:

Well yeah but that's what you get when you make overly broad statements like "not in the EU".


You say "The bank"... does this mean Portugal only has one bank? If not, wouldn't this be a good reason to change banks? Maybe to a credit union (bank co-op) if they have those in Portugal, as the members generally have much more of a say.


When I wrote "the bank" I meant, the bank in question, which is the one mentioned in the URL. Hope this makes it clearer for you.

As for alternatives, yes there are, I'm still figuring out which ones do not require an app on the smartphone, though.

I believe I've found a fair alternative after asking a few friends, but I have to account for other factors as well, like how secure their infrastructure is.

This is because offline 2FA keyfobs were never that popular in Portugal (to my knowledge), unlike 2FA via SMS, which I find less secure than keyfobs, but now with the SCA directives from the EU, most banks are jumping on the app 2FA bandwagon. Some do offer a government-issued alternative [0] but it still requires an app. I'd be perfectly happy to sign in with my Citizen's ID card reader but that is also rarely implemented (bank-wise), especially since the Chave Movel Digital app from the government [0].

Bottom line, most major banks are going in one direction (deploying their own apps onto customer devices), while smaller banks are staying put (with SMS 2FA) but their security was never that great. So I'm still prospecting and yes, there's a bank co-op on my list also.

Oh, and by "security" I'm mostly going by feel here. Like, if the web interface is a bit janky I don't feel secure. I'm not going to look into obfuscated .js and pretend like I know anything about web security.

[0] https://www.autenticacao.gov.pt/a-chave-movel-digital


Just use a strong password, then 2fa is redundant.


Not sure where gp lives. But most banks here restrict you to 4 digits as the password. So basically a PIN. If you are lucky, you get 6 digits or even letters. But be careful: if you use “fancy letters” (symbols, umlauts, …) you risk locking your account: you will be able to set this password, but the actual login form won’t allow you to enter it. Banks here are highly regulated, so don’t hope for competent competition.

They mitigate the obvious security threat with mandatory 2fa (actually mandated by regulation). Some use this as an opportunity to push their apps: no separate 2fa method, only one integrated in their bloated app, which checks for rooted devices and only supports the newest OS.

It’s quite hard to find out in advance what 2fa methods, with which fees, each bank actually requires. I remember that some of them had funny ideas about what a customer should be billed for 2fa SMS. I think it was 50 cents per SMS.


Can you expand on:

"It has interesting permissions as well ..." ?

I assume a banking app needs (temporary) permission to use the camera for check photos or things of that nature ... and possibly (temporary) use of location data.

I would be alarmed if it requested microphone or access to either contacts or photo storage ...


I updated the above comment. Cheers.


My bank (in the EU) has a fully functional website where I can identify myself using an offline 2fa device.


Yes in EU. I'm in Spain and I sign up to several banks as well as government sites on my desktop PC.


That’s what competition is for. You can still swap banks over such nonsense.


Which banks? Which country? How do they check and enforce iPhone / Google wrt. 2FA? Are you referring to TOTP as 2FA?


All banks are required to have "safe" 2FA in the EU by EU regulation. SMS is banned.

Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.

The apps they require are proprietary. They are not generic TOTP generators. Some of them require biometric approval. Some just logging in and approving a notification. I have seen some generate a form of non-standard TOTP. Otherwise I wouldn't complain about being locked into Google or Apple ecosystems. They are Play Store or App Store apps that require attestation from the libraries / systems provided by Google or Apple like SafetyNet or Play Integrity. Some require strong hardware attestation. If the OS is modified, those checks do not pass. You cannot use any FOSS system without crazy hacks. If the phone is stolen, you have to go through manual re-onboarding. It sucks when you're out of the country.


> Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.

Most banks? Do you have evidence? AFAIK many (and certainly the most used) German banks (Sparkasse, Commerzbank, Hypovereinsbank) allow chiptan which does not require a smartphone.


> All banks are required to have "safe" 2FA in the EU by EU regulation. SMS is banned.

Hungary is in EU and the most popular bank sends a one-time code (with expiry) via SMS for logging in, making a transaction, for the mere displaying of "Telecode", and so on.

There is no TOTP, only this one-time code sent via SMS.

I do not use their apps on any platform. I log in via their website when I need to, which is rare. When I make a payment via card, I have to provide the 3-digit "Telecode" and the one-time code sent via SMS. There is an option "What if I do not have access to that phone number?" or whatever the literal translation is, but I have not checked that out yet.

... which is why I left a comment asking you about the details. You telling me SMS is banned and referring to EU regulations just left me more confused given the above.


> SMS is banned.

Really? I didn't know that. Can you point me to a document that states that? I'd greatly appreciate it.

> SafetyNet or Play Integrity

A few days ago I did inspect the NovoBanco (Portuguese) APK, and I did look for SafetyNet specifically. They didn't use it. But since I'm not that familiar with the Android ecosystem I couldn't really tell if Play Integrity was used instead. But I did find a LOT of HMS (Huawei Mobile Services) stuff, and some of it was definitely related to security.

I might take a look at it again tomorrow.

I was curious if I could sideload the app without logging into a Google account, meaning without using Google services, but all I did was a tiny bit of static analysis instead of actually trying it.

If you have any write-ups on crazy hacks for FOSS systems, again it would be awesome if you could share them and greatly appreciated. Cheers

Also, is using HMS a normal thing in Android development? Last I checked Huawei was persona non grata in the West, at least when it came to hardware like network equipment and consumer devices. I was surprised when I saw HMS in the APK.


Try to run it in VirtualBox.

> Last I checked Huawei was persona non grata in the West

Isn't it only in USA?


All of them now require some kind of 2FA, everywhere. This is due to a legal requirement on all EEA payment providers that they require 2FA for almost everything since 2020, including accessing your account on their website: https://en.wikipedia.org/wiki/Strong_customer_authentication

TOTP codes would be allowed by the regulation, as would biometric approaches or separate physical tokens, but in practice every bank I've used in recent years (quite a few, mostly Spanish but also in Belgium & Switzerland) requires that you accept a confirmation prompt or similar in their app.


It feels like "gold-plating" of regulations is and always has been a significant problem in the EU.

Regulations are written (at EU level) to allow X, Y and Z; somehow by the time it's implemented at member state level it miraculously allows only X or Y, and once it gets to actual service providers (who've presumably been advised by their in-house lawyers that 'Y is bad') we end up with a choice of X or nothing.

Then if you ask anyone at EU level what's going on, they point to what the regulation says, and everyone shrugs.


Many or even most banks in Germany don’t require Google verification, many even work on rooted phones.


Of course in the EU - pretty much all Baltic and Nordic countries support ID cards connected via USB.


Well not in Germany. Some banks accept their branded authenticators, some of them don't.

ING in Germany forces you to either have a single Google approved smartphone or a single authenticator, not both.

DKB requires a paid Girocard to use the authenticator or a Google approved smartphone.

N26 requires a single phone but they are a bit lenient. However they have way too many incidents reported where they closed people's accounts without a reason.

The traditional banks have high fees. One pays upwards of 10-15 euros a month for Sparkasse or Commerzbank for a simple checking account. Using Sparkasse means you cannot deposit money outside county (yes county and country) borders. Many traditional banks have high fees for withdrawing outside the network.

So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.


My German bank started to require an Android or iOS smartphone [0]. No dedicated HW, no desktop. I actually dumped my well-working Xiaomi phone because it was either security or banking.

[0] https://www.1822direkt.de/service/fragen-und-antworten/detai...


I actually considered switching to 1822direkt last year. No more!


They used to be ahead of the bunch 20 years ago. They sent out PGP encrypted transaction statements if you wanted. Then they degraded. I think of switching to a normal Sparkasse, they typically even can do account creation with eID, have Wero and allow 2FA hardware.

The absurd thing is that 1822 claims to make things much more secure but their 2FA reset with a single phone PIN is a joke.


> So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.

I do not understand how you are coming to that conclusion regarding modern banks. You can use the authentication device, which is completely independent of Google or Apple.


Nope, Sweden requires Mobile BankID on iOS or Android for example.


BankID has a desktop version, and no site which requires Mobile BankID would not allow you to also use the desktop version.


But it doesn't support Linux.


It used to, it could quickly get back support if there was a reason to.


Several of the biggest banks have alternative methods that don’t require mobile BankID.


Likewise in Sweden. No bank that I’m aware of is limited to requiring mobile-only login.


Some neobanks are limited to mobile-only. The OP's statement was too general. It's also true that some regular banks are phasing out 2FA via SMS, which is outdated per EU regulations, and may not easily offer alternatives to their app for 2FA codes.


Spain provides smart cards to their citizens. Mobile is not needed.


My experience of using them is horrible.


> Not in EU.

Please stop spreading disinformation. I live in the EU and my EU bank supports desktop browsers + card reader matching everything the mobile app can do.


> Not in EU

That's especially crazy. With Trump's/USA's belligerence, why on earth would EU companies/banks/governments want to require that you have an Apple/Google account? It makes them totally dependent on foreigners!


Because "deal". Why implement an authentication when you can use the Google/Apple/Microsoft one? It's free. You only have to make a "deal" and give them all your data (which they have anyway, because they run the keylogger on your device).


Well in Sweden we can't. You already need BankID on your phone to log in on your PC. There used to be a BankID desktop app and dedicated hardware, but that's gone from many sites now.


That I know of: Danske Bank, ICA Banken and Nordea give you some “calculator”-style device to generate codes and login. Danske calls it “kodbox”, Nordea “ID-dosa”. I got mine at account opening, and you need it to issue BankID for the first time.


That's the dedicated hardware. It's still supported in many places, just not everywhere any more. You will often find Mobilt BankID only now.


There are banks/companies that require BankID, but there are several big banks that have alternative methods. It seems that only Swedbank of the big four requires mobile BankID for sign in.


For now, there is an increasing number of banks and government websites that are broken if you are not using Chrome or that outright require it.


This has been true since it stopped being true for Internet Explorer. I've not noticed any significant change over time. I have been using Firefox for over 20 years.


Back when Microsoft said they were going to let Android apps run on Windows before killing it off for I think the third time, I was excited that I'd be able to run my bank app on my desktop. The app is a simple process to log in, but the website has about 50 steps to log in, making it unappealing to use (probably on purpose).


You can, with Windows Subsystem for Android. Unsurprisingly, it's not going to be supported for much longer.


I get that it wouldn't be optimal but can you run it on an android emulator?


True. But it doesn't _need_ to be so, it's actually a problem.


True, but there are alternatives to using these services, though a bit more inconvenient. What will be the alternative to the age verification mobile app?


> This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.

Fairphone 6 with /e/OS begs to differ. Dutch phone with a French OS. No issues.


Well, my bank's app does not run on /e/OS. I get some kind of security error.


Responding to an anecdote with another is fair I suppose


In the Netherlands we have 'focus cameras' now that specifically detect smartphone use while driving, with hefty fines of €430. These cameras are mobile as well, so they get placed on different spots over time.


It's not like the browsers can just switch to some better maintained XSLT library. There aren't any. There are about 1.5 closed-source XSLT 3 implementations, Altova and Saxonica. I don't want to sound ageist, but the latter is developed by the XSLT spec's main author, who is nearing retirement age. This library is developed behind closed doors, and from time to time zip files with code get uploaded to GitHub. Make of that what you will in terms of the XSLT community. For all of its elegance, XSLT doesn't seem very relevant if nobody is implementing it. I'm all for the open web, but XSLT should just be left in peace to slide into the good night.


Saxonica is an Employee Ownership Trust and the team as a whole is relatively young (far off from retirement).

"Saxonica today counts some of the world's largest companies among its customer base. Several of the world's biggest banks have enterprise licenses; publishers around the world use Saxon as a core part of their XML workflow; and many of the biggest names in the software industry package Saxon-EE as a component of the applications they distribute or the services they deploy on the cloud."

https://www.saxonica.com/about/about.xml


So what do you think about: https://github.com/Paligo/xee ?


A submarine is a boat and boats sail.


An LLM is a stochastic generative model and stochastic generative models ... generate?


And we are there. A boat sails, and a submarine sails. "A model generates" makes perfect sense to me. And saying ChatGPT generated a poem feels correct personally. Indeed a model (e.g. a linear regression) generates predictions for the most part.


Submarines dive.


"Would Europe ever hand over control of its national power grids to foreign companies bound by non-European law? Would we trust a foreign supplier’s guarantee for 99.999% uptime (which is the standard uptime SLA agreement of cloud providers) while at the same time a foreign power could force them anytime to cut Europe’s power? Of course not."

EU already does this:

https://berthub.eu/articles/posts/the-gigantic-unregulated-p...

https://news.ycombinator.com/item?id=41292018


Yes, and not only for electricity and the cloud. Also for 5G networks:

https://berthub.eu/articles/posts/5g-elephant-in-the-room/

Bert Hubert is good at identifying problems like this, but his proposed approach is always to demand the EU pass new laws even when the problem is Europeans asking people in foreign jurisdictions to run everything for them because they can do it better, partly due to not being under EU control. The cause of the problem is presented as the solution.

The internet has a compressive effect on markets. Most markets can only sustain about 3-5 competitors before the number of choices becomes overwhelming and customers can no longer easily differentiate between them. If you offer your services over the internet, that means 3-5 competitors globally, and in turn that means hacking one of them can give you control over a huge chunk of the market. It also means it's easy to end up with all of those competitors being outside your jurisdiction if you aren't highly competitive.


macOS does ask you if you want to allow a program to access your files in $HOME. Not sure if it's a perfect solution, but still, it's something.

As a more additive approach than just giving up and running everything as root, I think in Linux you could do the same with (a fair amount of effort and) SELinux or AppArmor.


I agree that sooner or later your SSH port will end up on Shodan anyway. Putting SSH behind a WireGuard VPN solves this completely.

