CmdrRiker
Apr 8, 2016

You dismally untalented little creep!

Ha. Of course. How stupid of me.

Obviously.


PIZZA.BAT
Nov 12, 2016


:cheers:


flakeloaf posted:

gathering mac addresses from nearby aps and inferring a user's location because they said no when you asked them for it is a tad more blatant

anyone who's not living like rms is living in a post-privacy world and you make your peace with that when you carry around your personal, serialized transmitter

wait a sec i thought apple had their devices lying about their mac addresses until a user authenticated connection occurred for years now

CoasterMaster
Aug 13, 2003

The Emperor of the Rides


Nap Ghost
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

tl;dr the zoom application on MacOS has a webserver running listening on localhost. A malicious site can join you in to a meeting (potentially enabling your webcam)

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Rex-Goliath posted:

wait a sec i thought apple had their devices lying about their mac addresses until a user authenticated connection occurred for years now

as long as it lies consistently for a few minutes at a time, thats enough to track someone in like a store, or to make a quick confirmation with something else local to the device that x mac address is associated with y user in whatever app for now

PIZZA.BAT
Nov 12, 2016


:cheers:


fishmech posted:

as long as it lies consistently for a few minutes at a time, thats enough to track someone in like a store, or to make a quick confirmation with something else local to the device that x mac address is associated with y user in whatever app for now

right i thought every handshake attempt generated a new random mac. could be wrong about this i have no clue that’s just what i thought

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.

CoasterMaster posted:

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

tl;dr the zoom application on MacOS has a webserver running listening on localhost. A malicious site can join you in to a meeting (potentially enabling your webcam)

oh word? the app phone support scammers have been installing for years has an rce?

Wiggly Wayne DDS
Sep 11, 2010



nice of them to keep the webserver active after uninstall

Xarn
Jun 26, 2015

ugh, I like my spotlight

Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe

CoasterMaster posted:

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5

Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

tl;dr the zoom application on MacOS has a webserver running listening on localhost. A malicious site can join you in to a meeting (potentially enabling your webcam)

lol just saw that on Twitter
https://twitter.com/backlon/status/1148464344876716033

Bulgakov
Mar 8, 2009


рукописи не горят


quote:

Additionally, Logitech reiterates that any pairing of a receiver with a device should only be done "if it is ensured that there are no suspicious activities within a radius of 10 meters".

sure, no problemo

Bulgakov
Mar 8, 2009


рукописи не горят

Rex-Goliath posted:

wait a sec i thought apple had their devices lying about their mac addresses until a user authenticated connection occurred for years now

https://arxiv.org/abs/1703.02874v1

remembered this paper made the rounds awhile ago.

Bulgakov
Mar 8, 2009


рукописи не горят

Bulgakov posted:

https://arxiv.org/abs/1703.02874v1

remembered this paper made the rounds awhile ago.

hard to not cry while remembering the day that apple went bankrupt due to mac address crimes

flakeloaf
Feb 26, 2003

Still better than android clock

Rex-Goliath posted:

right i thought every handshake attempt generated a new random mac. could be wrong about this i have no clue that’s just what i thought

i didn't know that

you can't do that

well you can but you shouldn't; like, what abou


Bulgakov posted:

hard to not cry while remembering the day that apple went bankrupt due to mac address crimes



yeah, that thing

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.
i seem to remember apple getting spicy over someone spoofing their USB VID to give a device itunes compatibility way back when

Hed
Mar 31, 2004

Fun Shoe
Jon Rubenstein! :argh:

haveblue
Aug 15, 2005



Toilet Rascal

infernal machines posted:

i seem to remember apple getting spicy over someone spoofing their USB VID to give a device itunes compatibility way back when

iirc that was rhapsody, aka napster trying to go legit

mystes
May 31, 2006

haveblue posted:

iirc that was rhapsody, aka napster trying to go legit

Why would rhapsody have needed to spoof a USB vid (did they have hardware?)? Didn't they just add iPod compatibility to their software or something like that?

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
Lol if you think there was "iPod compatibility" in the stebe times

mystes
May 31, 2006

Volmarias posted:

Lol if you think there was "iPod compatibility" in the stebe times

Yeah that's the point. They had to reverse engineer it and Apple then blocked it from working.

https://www.theregister.co.uk/2004/12/15/apple_vs_real/

mystes fucked around with this message at 14:29 on Jul 9, 2019

haveblue
Aug 15, 2005



Toilet Rascal
I don't remember the exact details but there was something about the proprietary ipod protocol that was closed and kept secret so only itunes could sync with it (and apple's version of musicmatch jukebox before itunes for windows). rhapsody or whoever reverse engineered this and released a client that could talk to ipods without approval. they went through a few rounds of protocol cat and mouse before giving up


e: yeah that article

e2:

quote:

That's bad news for Real - partly because the move limits the company's ability to sell to iPod owners, but mostly because no one has noticed until now, almost a month and a half later. That suggests that Real's iPod-owning customer base is rather smaller than it would like.

lol

haveblue fucked around with this message at 14:32 on Jul 9, 2019

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.
it was palm, spoofing the vendor ID of the Pre so that iTunes would sync to it

Bulgakov
Mar 8, 2009


рукописи не горят

peepaw rotor explain yourself :hai:

pseudorandom name
May 6, 2007

Rex-Goliath posted:

wait a sec i thought apple had their devices lying about their mac addresses until a user authenticated connection occurred for years now

I think you’re confusing APs tracking the phone’s location using the phone’s MAC address with apps tracking the phone’s location using the AP’s MAC address

haveblue
Aug 15, 2005



Toilet Rascal
yeah there's two separate things going on here

if you are a physical space and want to track inhabitants, you record every mac address that hits your APs so you can see how they move. this is what apple breaks by sending a different random mac to every AP

if you are an app and want to track your user, you get the list of every AP in the area and send their macs off to skyhook or whoever. this will give your server the device's location without using the OS GPS service which would alert the user. this is what the apps were caught doing in that study
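The first case in the post above (a venue logging the MACs its APs see), as an added example that is not part of the original post: it classifies addresses by the locally-administered bit and shows which devices a venue-side log can still link across APs. The AP names and sightings are constructed sample data, and the "different random MAC per AP" behaviour is modelled as the post describes it.

```python
from collections import defaultdict

def parse_mac(text):
    """Return the MAC in canonical lower-case colon form; accepts ':' or '-'."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

def is_locally_administered(mac):
    """Bit 0x02 of the first octet is set when software picked the address
    (randomized or manually assigned) instead of the vendor burning it in."""
    return bool(int(parse_mac(mac)[:2], 16) & 0x02)

def linkable_paths(sightings):
    """Group (ap, mac) sightings by MAC; keep MACs seen at more than one AP.
    These are the only devices a venue can follow from AP to AP by MAC alone."""
    seen = defaultdict(list)
    for ap, mac in sightings:
        key = parse_mac(mac)
        if ap not in seen[key]:
            seen[key].append(ap)
    return {mac: aps for mac, aps in seen.items() if len(aps) > 1}

def summarize(sightings):
    macs = {parse_mac(m) for _, m in sightings}
    return {
        "distinct_macs": len(macs),
        "randomized": sum(is_locally_administered(m) for m in macs),
        "linkable": linkable_paths(sightings),
    }

# Constructed sample: one device with a fixed, globally unique MAC and one
# device that presents a different random MAC to each AP.
SIGHTINGS = [
    ("ap-entrance", "00:11:22:33:44:55"),
    ("ap-aisle",    "00:11:22:33:44:55"),
    ("ap-checkout", "00-11-22-33-44-55"),
    ("ap-entrance", "da:a1:19:00:00:01"),
    ("ap-aisle",    "7e:5c:00:12:34:56"),
    ("ap-checkout", "b2:0f:aa:bb:cc:dd"),
]

if __name__ == "__main__":
    print(summarize(SIGHTINGS))
```

Two physical devices show up as four distinct MACs, and only the fixed-address device yields a path across all three APs.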

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock
but why the gently caress do apps have access to the list of visible APs

pseudorandom name
May 6, 2007

a very good question!

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

ymgve posted:

but why the gently caress do apps have access to the list of visible APs

we actually use the functionality in an embedded system based on android, but it's an explicit permission the application has to request.

i think the problem is that the android permissions are far too fine grained, which is good for developers who are TRYING to request the bare minimum, but bad for users since it's hard to understand.

google should come up with some system that takes all the permission requests of an application and builds a human-readable list that groups together related permissions in an easy to read format.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
Users are just going to mash "accept" without reading anything, though.

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
they are the same ones who blindly skip through UAC dialogs or sudo dialogs.

eventually you just gotta blame the people making GBS threads their own pants

haveblue
Aug 15, 2005



Toilet Rascal
I hope android has the thing ios does where you can go back and revoke individual permissions you've granted to apps

MononcQc
May 29, 2007

One of the main reasons I left android and refuse to come back was the lovely permission model. Another one was forever not receiving updates from my carrier and having to travel to the US to get them from AT&T instead while I was there for work.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

haveblue posted:

I hope android has the thing ios does where you can go back and revoke individual permissions you've granted to apps

It does.



MononcQc posted:

One of the main reasons I left android and refuse to come back was the lovely permission model. Another one was forever not receiving updates from my carrier and having to travel to the US to get them from AT&T instead while I was there for work.

Permissions are radically different compared to a few years ago. It's a lot better now.

pseudorandom name
May 6, 2007

except for the backward compatibility necessary to keep old apps running

android's problem was that apps could demand the world before they even agreed to run, and they've been slowly moving to the (mostly correct) iOS model where the app has to specifically request each individual permission before first use

the iOS problem is you can't downgrade permission requests, if the app demands full read and write access to your photo library, you can't say "no, gently caress you, you'll ask me to choose a specific photo every single time"

Soricidus
Oct 21, 2010
freedom-hating statist shill
I don’t see why an apple mac shouldn’t get to choose any mac address it chooses. there’s a hint in the name after all

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.
i love the facebook comments plugin that demands permissions on my mobile browser if i touch it and refuses to display anything if i don't approve

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

A black principal, four white teens and the ‘senior prank’ that became a hate crime posted:

He started to cry. He would be the only one who immediately admitted what they did. The others, court records show, would deny it. Tyler wished Willingham good luck in finding out who did it.

Eventually they were told: The school’s WiFi system requires students to use individual IDs to get online. After they log in once, their phones automatically connect whenever they are on campus.

At 11:35 p.m. on May 23, the students’ IDs began auto-connecting to the WiFi. It took only a few clicks to find out exactly who was beneath those T-shirt masks.

:owned:

haveblue
Aug 15, 2005



Toilet Rascal
some days you gently caress the sec...

Potato Salad
Oct 23, 2014

nobody cares


holy poo poo zoom persistent local webservers

imagine some hell future in which local webservers become the basis of highly agile deployment of js-inserting apps to desktops

Potato Salad
Oct 23, 2014

nobody cares


"what if the world's most popular chat apps were built on stacks vulnerable to script-kiddie even-a-computer-janitor-can-do-it attacks?"

-:nsa:


duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost



death to prank culture
