my favorite password handling was a certain very large e-commerce website whitescreening after I signed up because for whatever reason they had embedded my password unescaped & plaintext in javascript on the redirect page, and my generated password having a quote in it caused a syntax error.

# Feb 4, 2021 01:04
# Apr 26, 2024 02:16
|
Arsenic Lupin posted: My God, this thread.

so uh, what was wrong with the old way: have two motion sensors a couple feet apart and tell if someone goes in or out by which one is triggered first? not enough bootstrap and bruno mars?

# Feb 4, 2021 19:36
|
Shame Boy posted: like gently caress even just require a supervisor password to change it by more than like 20% a day. if i have to implement this kind of bullshit to make cashiers' lives harder at the request of stores who don't trust them to handle discounts correctly, a water treatment plant's safety system should have to as well

one contributing factor was the supervisor wanting to access the controls remotely, so if your plan was implemented the override password would just be 123456 and stickied to a monitor on-site

# Feb 9, 2021 00:41
|
mystes posted: This is seriously like something out of a science fiction book.

dear riaa: i have video evidence of unlicensed public performance. also the perpetrators have unlimited money just fyi

# Feb 10, 2021 22:16
|
Subjunctive posted: how would you design a repo that avoided typo squatting?

have the package manager throw up a warning when you try installing a package and there's another package with levenshtein=1 that's substantially older and more popular? sure nobody reads warnings but it might help

# Mar 3, 2021 19:45
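The check proposed in the post above, written out as an added example (this is not code from the thread or from any real package manager). It goes slightly beyond the post: the distance function also counts an adjacent-character swap as one edit, since swapped letters are the most common typo and plain Levenshtein scores them as two. The registry, publication dates and download counts are constructed sample data; the thresholds (a year older, 100x the downloads) are assumptions you would tune.

```python
import datetime as dt

# Constructed sample registry: name -> (first published, downloads last month).
# Made-up entries for the demo, not real package statistics.
REGISTRY = {
    "requests": (dt.date(2011, 2, 14), 50_000_000),
    "request":  (dt.date(2023, 1, 9), 300),
    "urllib3":  (dt.date(2011, 10, 13), 40_000_000),
    "colorama": (dt.date(2010, 11, 5), 20_000_000),
}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein (insert, delete,
    substitute) plus an adjacent transposition counted as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_warnings(candidate, registry=REGISTRY, today=dt.date(2024, 1, 1),
                       max_distance=1, min_age_days=365, min_popularity_ratio=100):
    """Names of registry packages within max_distance edits of `candidate`
    that are both substantially older and substantially more popular than it.
    A candidate missing from the registry is treated as brand new and unused."""
    cand_date, cand_downloads = registry.get(candidate, (today, 0))
    hits = []
    for name, (published, downloads) in registry.items():
        if name == candidate:
            continue
        if edit_distance(name.lower(), candidate.lower()) > max_distance:
            continue
        older = (cand_date - published).days >= min_age_days
        more_popular = downloads >= min_popularity_ratio * max(cand_downloads, 1)
        if older and more_popular:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for pkg in ("request", "reqeusts", "requests"):
        hits = typosquat_warnings(pkg)
        if hits:
            print(f"WARNING: '{pkg}' is one edit away from the older, far more "
                  f"popular package(s) {hits}; did you mean one of those?")
        else:
            print(f"'{pkg}': no lookalike warning")
```

Because the comparison only fires in one direction (the neighbour must be older and more popular), installing the genuine `requests` never warns about the newer `request`, which keeps the prompt rare enough that it has some chance of being read.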
|
Podima posted: hang on can we go back to this, what the gently caress

my old company used sharepoint for some things and as far as i could tell it's a geocities you need to hire an admin for.

# Mar 10, 2021 23:32
|
Kazinsal posted: considering the birth of javascript almost directly correlates with the beginning of the race to pile on additional modern trendy layers of complexity to tasks that were already usable and solved by existing low overhead solutions this makes sense

personally i think javascript is neat, just wish we didn't let ads use it

# Mar 13, 2021 03:52
|
in a general sense convenience is security, if the alternative is users choosing not to do it at all. i am absolutely not putting 20 things into google authenticator and spending a whole day resetting things when i get a new device again

# Mar 18, 2021 21:26
|
Clark Nova posted: I have a TCL Roku tv, which afaict is the least bad smart tv option, but the picture quality is, well, exactly what you'd expect out of a $350 tv from target. They patched in airplay 2 support a few months ago which is actually nice and a halfway compelling inducement to not blackhole the fucker on my network

an a/v nerd recommended me a tcl series 6 (55", 4k, "real" hdr, ~$600) and it looks absolutely fine to me. no ads because I never connected it to wifi, we use an apple tv instead. i don't think they even do ads at all but the threat of an automatic update implementing them at any time is still worth leaving any smart tv disconnected.

# Apr 6, 2021 18:46
|
klosterdev posted: All we need are the right data leaks. Searchable database of what kind of porn sites every senator visits and what their message board aliases are? There's not going to be -less- data about the rich and powerful collected and sold.

that would probably just make computer touching a felony

# Apr 6, 2021 22:47
|
students: "you shouldn't trust people. bad things could happen."
oss maintainers: "ok, on the evidence, we will no longer trust you"
students: ?!?!

# Apr 27, 2021 00:04
|
beuges posted: I had a credit card with this bank. couple of months ago the app wouldn’t let me in, after I entered my credentials it would say that I needed to change my username (my first name) and wouldn’t let me move past that.

my bank uses my bank card number as a login because it's unique and i have it and people who know me can't guess it. banks always finding new ways to gently caress up security is amazing

# May 15, 2021 18:56
|
threatening to fire employees for secfucks just means secfucks will never be reported or fixed

# May 19, 2021 01:47
|
Ur Getting Fatter posted: i think I would go in insane typing out my passwords on mobile every time now that most of them are 20+ insane gibberish.

i do and i do go insane. i would love to use the ios password store except i can't figure out how to make it save the password i type in. thanks for reminding me you exist every time i touch a password field though

handoff does let you sync the clipboard between devices so i could, in theory, copy from my password manager on desktop and paste it into my phone. except i've got that disabled because for the other 99.9% of the time the idea of allowing my phone to access my desktop clipboard is horrifying.

# Jun 7, 2021 08:35
|
remember that besides cryptocurrency, the most viable ways for scammers to cash out large amounts of money involved gift cards and tf2 hats. banning cryptocurrency won't eliminate cryptocurrency, it would effectively neuter its usefulness for cybercrime. when foo corp gets cryptolockered and needs to pay criminals 2 million dollars, it's not good for anyone that they can go to the bank and actually acquire 2 million dollars of cumcoin.

# Jun 8, 2021 07:30
|
rjmccall posted: so, My Wife is making a website for her art with wordpress. are any of these vulnerability scanners not terrible, and is there a guide for not getting hacked that isn’t written by some shifty internet security company as marketing copy?

wordpress on its own is fine, the security problem comes from the entire ecosystem of "i don't know anything about web development but I can make a bespoke application by gluing 70 wordpress plugins together". most plugins are absolute garbage. i'd recommend at least skimming the source code of anything you install, if you can.

i don't use any vulnerability scanners but the principle sounds good (periodically scanning existing files for changes and assuming a change means a backdoor popped up)

as far as setup goes you probably want to disable xmlrpc, change the login/admin paths from the default /wp-admin/, and not have an administrator account with a predictable username. these don't really do anything for security (wordpress is happy to enumerate all account usernames for anyone who asks nicely) but they will at least frustrate the tens of thousands of brute force attempts your site will get daily.

# Jun 15, 2021 04:49
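The "scan existing files for changes" principle from the post above, as an added example (not code from the thread, and not any particular WordPress scanner's implementation): take a SHA-256 baseline of the site's executable files, then diff a later snapshot against it and report anything added, removed or altered. The watched extensions and the tiny fake site tree built by `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

# Assumption: on a PHP site the files worth watching are the ones the web
# server will execute or obey, not uploads or plain text.
WATCHED = (".php", ".js", ".htaccess")


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files don't hit memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exts=WATCHED):
    """Map every watched file under root (relative, '/'-separated) to its hash."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def diff_baseline(old, new):
    """Compare two baselines; any entry here is something to go and look at."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    # Store the baseline OUTSIDE the web root, or an attacker who can write
    # files can simply rewrite the baseline too.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: snapshot a fake site, then tamper with a plugin
    file and drop a new PHP file, and return what the diff reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "plugins", "foo"))
        files = {
            "index.php": "<?php // constructed sample front controller\n",
            "wp-content/plugins/foo/foo.php": "<?php echo 'foo';\n",
            "readme.txt": "not a watched extension\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        before = build_baseline(root)

        # Simulated compromise: a line appended to a plugin, a new PHP file.
        with open(os.path.join(root, "wp-content/plugins/foo/foo.php"), "a") as f:
            f.write("// appended by someone who should not be here\n")
        with open(os.path.join(root, "wp-content/new.php"), "w") as f:
            f.write("<?php // constructed: unexpected new file\n")
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` once right after a clean install or update, save the result somewhere the web server cannot write, and run the diff from cron; a legitimate plugin update shows up as a burst of modified files that you expected, while a single altered file you did not touch is the signal the post is talking about.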
|
spankmeister posted: IIRC you cannot enumerate a username that never posted, so if you create an admin user but never post a message with it, you should be good.

GET /wp-json/wp/v2/users

# Jun 15, 2021 07:10
|
mystes posted: I once sort of panicked myself into temporarily forgetting my google account password for a couple days and before I ended up being able to remember it again I tried to recover it and they had stuff like this but maybe even crazier. I ended up being able to answer some of the questions based on looking stuff up in gmail on my phone, which was still logged in, but there's no way any normal person would be able to provide the information they wanted from memory, so it seemed completely pointless to do it that way.

I went through this with an oooold secondary gmail account of which I had locked myself out of the 2FA and I had to think for a good long while to narrow my account creation date down from a range of 5 years. I was surprised when it actually worked and I got the account back.

# Jun 16, 2021 02:37
|
CRIP EATIN BREAD posted: it was rubi-con

i have never seen anyone reach for a trash can that urgently who wasn't inside their own home

# Jul 27, 2021 02:39
|
ewiley posted: Wait i had it on good authority from mister taviso that browsers are the best way to store passwords

ironically i think it was lastpass that, when you first installed it, would ask if you wanted to import all your saved browser passwords, and it worked! very smooth and easy. and then you go "cool! wait, that's bad"

i guess they hardened browser password stores since then, this was a long time ago, evidenced by the part where I installed lastpass

# Jul 28, 2021 02:26
|
core wordpress is meh, wordpress is a giant secfuck because there are thousands of poorly written plugins to mash a cms into some kind of bespoke backend. my advice is don't use them. notable exploits in core from the past couple of years include being able to view private posts and various privilege escalations/file modification for authenticated users. like yeah those are pretty big issues, but depending on your use case they might not matter. for making a static website that a handful of staff can update, i wouldn't worry.

# Sep 9, 2021 02:40
|
BlankSystemDaemon posted: not gonna lie, i deeply admire when developers make the "copy protection" just gently caress with the game and make it unplayable in fun ways

it's very funny and probably more effective too. one of my favorites was "game dev tycoon"'s copy protection causing your simulated game studio to fail because too many people were pirating your games

# Dec 20, 2021 09:14
|
NFX posted: the technology connections youtube guy has a video talking about analog vs digital clocks. analog ones have the nice property of being visual progress bars. 🕠 is faster to parse (for some) than 17:28:43

lollin at the idea of combining time with zero-width joiners

# Jan 3, 2022 08:20
|
i'm disappointed that GDPR hasn't seemed to stop sites sending me newsletters after signing up for accounts, even though that's explicitly forbidden without opting in

# Jan 20, 2022 11:01
|
Shame Boy posted: all the gpu-mining coins use one of like, three hash algorithms, maybe the card is just looking for whether or not you're executing nothing but a specific blacklisted set of instructions over and over and over and over and over for hours at a time

this seems like it'd work well, assuming cards can check that trivially. "but what if they changed the cryptocurrency code to use a different algorithm so new cards worked" they wouldn't, because the mining cabals that control cryptocurrencies and already have warehouses of mining-capable equipment would have no incentive to allow a change.

# Mar 5, 2022 04:33
|
it's crazy to remember that for a solid decade in the 90s-00s browser security didn't exist and it was normal to get pwned from viewing a website and the worst that happened was you'd just get ads, and normal people would regularly take their computer to the computer repair shop when they got too many ads in order to get the ads removed. like if such a vulnerability came out today it'd break the internet and be a huge panic but then it was like "oh, 400 viruses. shouldn't have gone so long without a scan. good thing the hackers will never find my credit cards in recipes.xls"

fisting by many fucked around with this message at 10:08 on Apr 15, 2022

# Apr 15, 2022 09:57
|
A Man With A Plan posted: https://twitter.com/sickeningsprawl/status/1515820469773086730?t=KCLeG8D3qIE2QZOgmFJbUQ&s=19

ace through parallel universes

# Apr 18, 2022 02:44
|
Methanar posted: I'm not worth 2m/yr so still probably not because I'd be discovered as a fraud immediately and fired

it'd surely take at least a few days, in which time you'll have made money and not contributed any evil. seems good to me.

# Jun 3, 2022 08:45
|
suddenly remembered the faerie quests. i think there were 35 stages and you could only do one a day. you'd have 15 minutes to get and trade in some item, and after 30 days you would start to get super rare and valuable rewards. usually you'd just search the shops and buy whatever it was for some trivial amount of money. but after the 25th day they'd start asking for various things that were a) completely useless, so while people still hoarded them, there wasn't an actual economy of trade and b) only like five of in the whole game

so maybe you could find the macguffin in the market search for days 26-28, and it'd cost quite a lot of money but worth the investment for the day 30 rewards, but then on day 29 there'd be a single macguffin in the shops and it was priced at $fakeNotActuallyForSaleAmount and you were just screwed and had to start over.

anyway I bring this up because it's the most evil online game mechanic i haven't yet seen widely copied by mobile games.

# Jul 22, 2022 09:27
|
The Fool posted: anyone using namecheap maybe keep an extra eye on your account for a little bit https://twitter.com/ReneReh1/status/1564349884106477573

that looks bad. the ceo having a fit on twitter doesn't really inspire confidence either, anyone got registrar recommendations?

# Aug 30, 2022 08:22
|
oh the ceo's a bitcoiner too, loving hell

# Aug 30, 2022 08:23
|
Shame Boy posted: gandi has been very needs suiting

i've heard good things, i'll probably move over. nice that they include email with the domain, that's worth the $2/year premium

# Aug 31, 2022 04:50
|
Malloc Voidstar posted: https://twitter.com/vxunderground/status/1570597582417821703

swiped a password from their lan and pwned their hackerone

# Sep 16, 2022 06:39
|
Rufus Ping posted: It's overhyped, appeared to be the result of someone scraping results from an endpoint that turned phone numbers into usernames (password recovery page or similar)

leaking your phone number is a pretty big deal but I don't know how you offer that feature and not have it be vulnerable to enumeration scraping. i'd assume every social service where that's offered has been similarly exposed.

# Nov 25, 2022 05:34
|
Rufus Ping posted: You have them type in a phone number, and then say thanks, if it's connected to an account we'll text you an OTP or whatever. Don't divulge whether/which account until they prove ownership

but the point is to allow other people (potentially strangers) to find you from your phone number. so there's no way to verify the request.

# Nov 25, 2022 06:59
|
Jabor posted: You "fix" that by requiring people to opt-in to that feature, and if they haven't opted in then it doesn't find their account.

which is what twitter did, at least. it still seems like a bad idea from a security perspective, as an ordinary person would not anticipate this kind of attack. it probably shouldn't be an option, even if opt-in.

# Nov 25, 2022 07:16
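The three designs discussed in the last few posts, side by side as an added example (not code from the thread or from any real service): the leaky "phone number in, username out" endpoint that makes scraping trivial, Rufus Ping's recovery flow whose response is identical whether or not the number is on file, and Jabor's opt-in discovery feature, which additionally requires an authenticated caller, caps the batch size and rate-limits. The accounts, numbers, the `RateLimiter` class and the limits are constructed for the demonstration; the OTP "SMS" is just recorded in a dict.

```python
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    phone: str
    discoverable_by_phone: bool = False   # the opt-in flag the thread describes


# Constructed sample accounts: not real people or real numbers.
ACCOUNTS = [
    Account("alice", "+15555550100", discoverable_by_phone=True),
    Account("bob", "+15555550101", discoverable_by_phone=False),
]


def lookup_leaky(phone, accounts=ACCOUNTS):
    """The pattern the thread is talking about: number in, username out,
    nothing checked. Every account is exposed to anyone who walks the number space."""
    for acct in accounts:
        if acct.phone == phone:
            return acct.username
    return None


class RateLimiter:
    """Sliding-window limit on calls per caller key (IP, session, API key)."""
    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class RecoveryService:
    # The same sentence is returned whether or not the number matched.
    NEUTRAL = "If that number belongs to an account, we have sent it a code."

    def __init__(self, accounts=ACCOUNTS, limiter=None):
        self.by_phone = {a.phone: a for a in accounts}
        self.limiter = limiter or RateLimiter(limit=5, window_seconds=3600)
        self.sent = {}   # phone -> OTP; stands in for the SMS gateway

    def start_recovery(self, phone, client_key):
        """Password-recovery flow that never reveals whether a number is on file.
        The OTP goes out-of-band, and only to a number that actually exists."""
        if not self.limiter.allow(client_key):
            return None   # too many attempts from this caller
        if phone in self.by_phone:
            self.sent[phone] = f"{secrets.randbelow(10 ** 6):06d}"
        return self.NEUTRAL

    def find_by_phone(self, phones, requester_key, max_batch=50):
        """Opt-in discovery: only accounts that chose to be findable are returned,
        the caller must be an authenticated user, and batches are capped and
        rate-limited so the remaining exposure is bounded rather than unlimited."""
        if len(phones) > max_batch or not self.limiter.allow(requester_key):
            return None
        found = []
        for phone in set(phones):
            acct = self.by_phone.get(phone)
            if acct is not None and acct.discoverable_by_phone:
                found.append(acct.username)
        return sorted(found)


if __name__ == "__main__":
    svc = RecoveryService()
    print("leaky:", lookup_leaky("+15555550101"))
    print("recovery, real number:   ", svc.start_recovery("+15555550101", "ip:203.0.113.5"))
    print("recovery, unknown number:", svc.start_recovery("+19999999999", "ip:203.0.113.5"))
    print("discovery:", svc.find_by_phone(["+15555550100", "+15555550101"], "user:carol"))
```

The recovery flow closes the leak because the only observable difference between a matching and a non-matching number is a text message that goes to the number's owner, not to the requester. The discovery feature cannot be closed that way, which is the point made in the thread: its whole purpose is to answer "who owns this number?" for strangers, so the opt-in flag, authentication and rate limits only shrink the population and slow the scrape rather than prevent it.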
|
Zamujasa posted: hoist by your /home/ petard

# Feb 6, 2023 03:43
|
# Jul 13, 2023 09:29
|
Oysters Autobio posted: im a bit late to reading about the Minecraft modding malware stuff but curious to hear if this is as sketchy as I thought it was

i remember 90s windows software being very specific about where they had to be installed (usually C:\ or C:\Program Files). not sure what the technical explanation was. if it's a virus you're probably owned wherever you put it so

# Jul 18, 2023 12:59
|
# Apr 26, 2024 02:16
|
was that just a convention or was there really some stupid reason you couldn't install stuff to arbitrary directories?

# Jul 18, 2023 13:00