Microsoft | Data Scientist II | Redmond, WA | ONSITE 50%
We're the Video Experience (VX) team, part of the Microsoft AI organization. Our goal is to make consumer video experience awesome across Microsoft products. The product includes both web and mobile camera SDKs as well as the playback experience.
We work with partners across Microsoft with a focus on a consumer grade experience.
In most jurisdictions in the USA, renewable energy generators are registered and audited by a third party (like mrets.org, where I work). Anomalies with generation data can be compared directly with data from the grid operators. Utilities will also require these commercial operations to have a "commercial energy meter", which is very expensive.
Thank you so much for making this. I was constantly checking it to determine what was flying above our house in Minneapolis during the recent civil unrest. I took comfort in at least knowing what was buzzing us and why it might be doing it.
Yes, this. They are basically like magic for cooking proteins and vegetables. And the 'done' to 'overdone' margin of error can be hours instead of mere minutes.
The worst offender I have seen in the wild is treasurydirect.gov. The password must be clicked in on an online keyboard, and they do not allow password managers to enter the passwords.
It uses some kind of JS trick to replace usernames and passwords with asterisks, and you end up with all kinds of invalid information stored in your password manager.
I currently use BitWarden (LastPass previously) and neither has had a problem logging into Citi's website, though it's been quite some time since I tried to add a new entry from their site.
+1 for BitWarden. For anyone reading this unfamiliar, it's an open source password manager with all the usual features (including iOS Fingerprint enabled client etc, shared group passwords), but the server is also open-source, and you can host your vault on your own server. It's free for individuals/families, supported by Enterprise licensing (or you can roll your own).
I would think the fix to this would be manually entering the credentials into the password manager rather than having it read the credentials from the site.
> A virtual keyboard, with keys that display in random order, is available to deter others from learning your password.
This is a weird way to describe keyloggers if that is actually what they are talking about.
The random order I don't understand either unless the "keylogger" is also recording mouse positions.
Otherwise, if this is actually talking about over-the-shoulder lookers, it probably has the exact opposite effect because of the increased time required to enter a password.
The "random keypad order" is used on secure physical keypads, which display a random order of numbers so that fingerprints, key wear, etc. can't be used to isolate the keys being pressed over time.
I'm also curious how this is more effective at stopping a keylogger than copy/pasting from a password manager, or auto-logging in via one.
Unless it's common for keyloggers to monitor the clipboard?
In which case, for the system they've developed to seemingly work as intended, you'll have to either have a memorizable password (likely relatively insecure), or have your password written down at hand.
I'm skeptical that this nonstandard, hostile UX was designed with any sort of valid threat analysis rather than some kind of Rube Goldberg-esque security-through-obscurity scheme that "sounded good" during some meeting.
The irony is that if someone managed to install a keylogger, they could've installed any other RATing tool such that the machine itself and everything it touches is completely compromised.
I imagine 99% of keyloggers are the 'put this on as many machines as possible and look for worthwhile logins' type, which are well-thwarted by this approach.
Anything more bespoke than that is probably much rarer.
> The random order I don't understand either unless the "keylogger" is also recording mouse positions.
I would bet that that is exactly what they are worried about. This seems to me to be a really hacky way to solve that problem. If you actually need to address the possibility of keyloggers then some sort of 2FA setup would be simpler, more standard, would address a wider variety of potential security problems, and would create less friction for the user.
1. "Does your account number begin with a *letter*" <- click link
2. Paste Account Number
3. One-time passcode emailed to you
4. Copy OTP from email
5. Paste OTP into site
6. Use onscreen virtual keyboard to enter password (readonly field; no pasting allowed)
Opening up devtools and deleting the `readonly` attribute does allow you to paste from your password manager of choice without further hassle.
There is a South African bank (absa.co.za) that not only uses the online keyboard thing, but requires you to type in a randomized subset of your password. For example, if your password is "Password" it would display something like 257 and you need to type "awr" (the 2nd, 5th and 7th letters of the password) to log in.
Unless they're storing hashes of every combination of characters in your password... seems pretty indicative of them storing the password in plain text.
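An added example (not part of the thread, and not any bank's actual implementation) of the "hashes of every combination" alternative raised above: one salted hash per 3-position subset, plus a count of how little each stored record protects. The function names, the choice of PBKDF2, the iteration count and the 62-character alphabet are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from itertools import combinations
from math import comb

ITERATIONS = 10_000  # assumption: kept low so the example runs quickly

def _digest(chars: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", chars.encode(), salt, ITERATIONS)

def enroll(password: str, k: int = 3) -> dict:
    """Store one salted hash per k-subset of 1-based character positions."""
    records = {}
    for positions in combinations(range(1, len(password) + 1), k):
        salt = os.urandom(16)
        subset = "".join(password[p - 1] for p in positions)
        records[positions] = (salt, _digest(subset, salt))
    return records

def verify(records: dict, positions: tuple, typed: str) -> bool:
    """Check the characters typed for one challenge such as (2, 5, 7)."""
    entry = records.get(tuple(positions))
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_digest(typed, salt), expected)

def exposure(length: int, k: int, alphabet: int) -> dict:
    """Compare what one stored record protects with a hash of the whole password."""
    return {
        "records_stored": comb(length, k),
        "guesses_per_record": alphabet ** k,
        "guesses_full_password": alphabet ** length,
    }

if __name__ == "__main__":
    db = enroll("Password")              # sample password taken from the comment above
    print(verify(db, (2, 5, 7), "awr"))  # challenge "257" from the comment above
    print(exposure(8, 3, 62))            # 62 = a-z, A-Z, 0-9 (assumed alphabet)
```

Each stored record covers only three characters, so a leaked table is far weaker than a single hash of the full password even though no plaintext is kept.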
Well, that's better though. So even if there's a key logger and mouse click recorder on your machine, one cannot recover your password. Though, if your machine is that compromised, might as well have a screen recorder, too. Though that would create more outgoing traffic.
don't need a screen recorder. the keycap images are trivially machine readable.
this technique is actually good if implemented correctly -- with secure display where the host OS cannot read the image data. some predecessor to SGX whose name I don't recall had this feature. the idea is to enter a PIN though, not a friggin password.
treasurydirect seems to have only taken away the trivial aspect of it without understanding the underlying reasons and details. you know, like what most companies do with Agile.
Well I face this everyday with apps in my TV and playstation. Want to log in to your EA sports account? Here is a keyboard and type away. I usually have to open 1Password, make the password's font giant, then proceed to type. Dreadful.
I manage a software team at a Fortune 20 company, and my developers have a ton of freedom. They can work from home any day they please, and I'm honestly surprised when I tell them, "You don't have any meetings for the rest of the day, go home." By no means am I an exceptional manager, but that statement is taken as suspect by most of my staff. Good software can't be coerced.
They also own houses instead of renting flats in SF with roommates.
https://jobs.careers.microsoft.com/global/en/job/1711796/Dat...
Application closes on May 10th