Re: Curl.
--- posts/3038156
+++ posts/3038156
- dObERManS
+ doberMans
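Review bot: the `+` line still leaves an internal capital in `doberMans`, so the casing on that line is not actually brought into any conventional naming style by this hunk; if the intent is to normalise the identifier, the replacement should be `Dobermans` (or all-lowercase `dobermans`), and the commit message should say which convention is meant.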
Fixed your naming convention, please merge
2250 publicly visible posts • joined 23 Oct 2007
> HTML and CSS combined with judicious usage of a JavaScript (aka JackassScript) and a server side language with a solid framework (Python/Django or Ruby/Rails, e.g.) might be smarter.
It depends. Aside from the learning curve for the average SMB owner, the problem with rolling your own is that you are then entirely responsible for maintaining it, including finding and fixing any vulnerabilities (or even just run of the mill bugs) you might have accidentally introduced.
It also makes things like server refresh a pain as you'll have to take your codebase into account.
That's more responsibility than your average SMB wants to take on. Off-the-shelf increases the number of people looking for holes and bugs, and someone else will likely fix those for you.
On the flip-side, of course, the obscurity it brings does have a little bit of benefit. You won't get pwned when someone starts a script to find WP sites and use their latest 0-day on them. But if you're specifically targeted then rolling-your-own might well lead to you being an easier target.
> In a similar way, I'll be running 24x7 a random IP address generator that will then, for a random number of minutes, do a random number of GETs to that IP address and any subpages that are returned..... both massively increasing and poisoning the haystack with random data, and obscuring my actual surfing.
If you do, be very careful.
I did some work a little while back examining the effectiveness of cover traffic on encrypted links.
You'll need to pay attention to the size of the response body and adjust the time between that and the next page accordingly (but not proportionally).
The time a human takes to switch between pages isn't consistent (we might load a huge page, read 1 sentence and click off because it looks crap, or load a tiny page and take 5 minutes to read because we went and made a cuppa). But that's very different to random intervals as there is some correlation between the amount of text and the amount of time we spend reading.
You also need to make sure that the start and end times of your cover traffic aren't particularly consistent. Having a sleep at the beginning of the script helps a little, but if the traffic always starts within 60 seconds of quarter past the hour, it quickly becomes identifiable.
> In a similar way, I'll be running 24x7 a random IP address generat
Don't do that. You don't want it running 24x7, you want it vaguely aligned to your sleep/wake cycle (as well as taking into account things like you going to work all day). Any traffic generated when there's a high probability it wasn't you gives an observer further means to analyse your countermeasures.
If they decide they're going to capture HTTP Host headers (which really, they'll want to), simply connecting to a given IP and requesting pages isn't going to do anything except make the traffic identifiable too.
There's a lot of other things to be considered too.
When observed over time (which is what an ICR will effectively be) the little differences in behaviour between a script and the average human become readily identifiable, and that's when the traffic is using an encrypted link. It's even harder with plaintext (which, to some extent, includes HTTPS because things like SNI are in the clear).
TL;DR: running effective cover traffic is fucking hard, assuming your aim is to thwart anyone with any more than a passing interest.
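Added example, not code from the poster: a toy simulation of the size/dwell-time point made in the post above. An observer who can see response sizes and the gaps between requests can test whether the two are correlated the way they are for a human reader; a script that sleeps for "a random number of minutes" fails that test. The page-size distribution, the reading-rate model and the 0.3 threshold are all assumptions chosen for illustration, not measurements of real traffic.

```python
"""Added example, not code from the poster: a toy simulation of the
size/dwell-time point made above.  An observer who can see response
sizes and the gaps between requests can test whether the two are
correlated the way they are for a human reader.  The page-size
distribution, the reading-rate model and the 0.3 threshold are all
assumptions chosen for illustration, not measurements."""
import math
import random


def human_dwell(size_bytes: float, rng: random.Random) -> float:
    """Seconds a reader plausibly spends on a page of this size (assumed model).

    Dwell grows with the amount of text, with log-normal scatter, plus the two
    cases from the post: the bounce (load, glance, leave) and the cuppa (a long
    pause that has nothing to do with the page)."""
    words = size_bytes / 50.0             # assume ~50 bytes of HTML per word of text
    base = words / (250.0 / 60.0)         # assume ~250 words per minute
    roll = rng.random()
    if roll < 0.10:                        # bounce: page looked crap
        return rng.uniform(1.0, 5.0)
    if roll < 0.15:                        # went and made a cuppa
        return base + rng.uniform(120.0, 400.0)
    return base * rng.lognormvariate(0.0, 0.4)


def naive_script_dwell(size_bytes: float, rng: random.Random) -> float:
    """The 'random number of minutes' approach: the page size is ignored."""
    return rng.uniform(1.0, 300.0)


def pearson(xs, ys) -> float:
    """Sample correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def simulate(dwell_fn, pages: int, seed: int):
    """One browsing session as a list of (response_size, seconds_until_next_request)."""
    rng = random.Random(seed)
    session = []
    for _ in range(pages):
        size = rng.lognormvariate(math.log(20_000), 0.7)   # assumed page-size distribution
        session.append((size, dwell_fn(size, rng)))
    return session


def size_dwell_correlation(session) -> float:
    """How strongly the gap before the next request tracks the size of the last response."""
    sizes, dwells = zip(*session)
    return pearson(sizes, dwells)


def looks_scripted(session, min_correlation: float = 0.3) -> bool:
    """Observer's heuristic: dwell times that do not track response sizes
    are flagged as generated traffic."""
    return size_dwell_correlation(session) < min_correlation


if __name__ == "__main__":
    for label, fn in (("human-like", human_dwell), ("uniform random", naive_script_dwell)):
        s = simulate(fn, 500, seed=7)
        print(f"{label:15s} corr={size_dwell_correlation(s):+.2f}  flagged={looks_scripted(s)}")
```

A generator that wants to survive this one check has to draw its delays from something shaped like `human_dwell`, i.e. from the response size, not independently of it. Size/dwell correlation is only one of the features the post lists; start and end times, the sleep/wake pattern and the Host headers are separate tests an observer can run, and passing this one does nothing for those.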
> Will I, and many others like me, have to store these ICR thingies?
And will there be any specific requirements on how we store them? For example, if I write the ICRs out to an aged SSD and never run integrity checks (as to do so could be construed as unauthorised access), is it likely to be too big a drama when those records aren't available (because the SSD didn't start making whining noises to warn me it was going to fail)?
Would at least be novel, advising on how to increase the risk of data-loss...
> The term "rape" is being abused. It normally implies violence or a threat of violence.
No, that would be "Violent Rape" or similar.
The term Rape is all about consent. Sex without consent is rape. Fairly simple.
> Some would say that a woman changing her mind after the event is "rape" because the man should have been more caring...
Some would say that if a woman says "yes, but only if you rubber up" means you've only got consent if you rubber up, and that consent wasn't given (in fact was almost explicitly denied) for bareback.
> Not according to Swedish law, and however much Wikileaks and St Jules™ think of themselves, they're not important enough to switch Swedish law for.
I read an interview with Assange, about the Hilary leaks recently. It was good, interesting reading right up until the point the journo asked about this case, at which point it was an easy reminder of what a slimy toerag Assange can be.
For example, "In Sweden I am not charged". There's no way that Assange isn't acutely aware that Swedish law requires this interview before he can be charged, so whilst it's not technically untrue, it's a rather manipulative statement to make.
Can't blame the journalist for asking about it, but somewhat ruined an otherwise interesting interview for me.
> Oh do fuck off. Warned by The Register indeed. When any twat knows that mixing [redacted] and [redacted]; both common household chemicals you can make [redacted] gas.
Don't tell them that. They're already going down the path of burning books, the next thing will be to burn any of us that actually learnt anything in chemistry for possession of banned knowledge.
> I can promise you that none of these missing headers resulted in the funds of 20k customer accounts growing feet and walking away...
Agreed. It's much more likely that someone gained access to their internal systems (whether that's an internal job or otherwise)
>Or that any missing headers in a web server response ever resulted in something similar.
On this scale? Probably not.
It's certainly feasible on a smaller scale though. Cert authorities have been compromised in the past, and likely will be again. The authentication method LetsEncrypt uses when requesting a cert is known to be vulnerable to DNS poisoning, so there's a potential avenue to obtaining a trusted-but-fraudulent certificate there too.
What's the defence against an incorrectly issued, publicly trusted certificate?
Certificate pinning. Which none of the buggers is using. As mentioned earlier in the thread, configuring it isn't without its risks, but it's just a case of needing careful management.
Incidentally, that LetsEncrypt issue I mentioned, can be mitigated by DNSSEC, which, again, none of the buggers is using.
Given that banks are "trusted" to hold our money, you'd think the bar would be somewhat higher for what they consider the bare minimum.
Personally, I think it'd be better if browsers got their act together and implemented support for DANE, but that's a whole other topic (and would require the banks to set up DNSSEC in any case).
> My immediate response was that the Barclay's app gets a bonus star for not working at all... no?
I did think about that, but decided against. It's more than possible the failure to run was something I did (or didn't) think of, so probably shouldn't give them an additional point (which might be misleading) just in case the app is actually Swiss cheese in reality. Given the much wider range of permissions their app asks for, I figured it was better to err on the side of caution.
When I last looked they all did a pretty poor job of using the tools/techniques available. Granted I was looking at their apps, but the situation looked more or less the same for their online banking login pages.
Ironically enough, Tesco bank's holier-than-thou stance on security in one area was what prompted me to have a quick gander.
> Your thinking is backwards, the court isn't saying that elites can't just dictate and must put it to a vote,
Yes, yes it is.
It's saying that the Government cannot simply make the decision and bypass Parliament.
If you'd prefer it termed this way, it's saying the elite of the political elites cannot dictate.
> the court is saying that a fully democratic referendum
You missed out the word "advisory" there. And, before you take umbrage, make sure you read the numerous legal analyses that show referendums in the UK are advisory unless explicitly stated otherwise in the enabling legislation. It could always be disregarded (not that I'm saying it's necessarily a good idea).
They asked our opinion, and now they must vote on it.
Personally, I think Brexit is a fucking stupid idea, but for me this isn't just about that. The idea that the Prime Minister can make such a permanent, nigh-on-irrevocable decision without a complete mandate (see below) is insane and (given who the PM is) dangerous.
On the mandate front, OK, as a nation we voted in majority for Brexit. We didn't vote on losing access to the single market, and certainly didn't vote on coming out of the ECHR. One of those we know May wants, the other varies depending on who's speaking, but neither was actually voted on specifically.
As others have said, what did we vote on?
- Leave the EU?
- Leave the Economic Area?
- Leave the ECHR?
All or some of the above? What's TM going for?
Strange though, an awful lot of Leavers I know were going on (pre-referendum) about how Parliament was no longer sovereign, and we need to get that back etc. We get a court ruling saying the elites can't just dictate and must put it to a vote and you're all upset?
> Have we realty reached the point at which we're abandoning democracy?
We're a parliamentary democracy and the legal system has just said that Parliament must be involved. If anything we've just re-affirmed that democracy not abandoned it.
> If so, then violence is inevitable.
Lucky we're going to have that extra money for the NHS so we can handle the casualties then... oh, wait
> I have no sympathy for those who are too stupid or lazy not to vote. Use your vote or lose it.
In the context of the referendum, that's the stupidest statement I've seen in a while.
You're asked for an opinion - should we stay, or should we go. You're not sure either way (because neither side is actually giving anything of substance).
Some people said "fuck it", picked one (because they wanted to be "part" of the referendum).
Others said, still not sure, so I'll not vote either way.
I've got far more respect for that latter group than for the former. I know people who voted Leave purely because they wanted to be "involved" and are now pissed that GBP has tanked etc. Frankly, they brought it on themselves, it's just a pity they also helped bring it on the rest of us too.
The best reason not to vote is because you don't feel strongly enough in either direction. The worst reason to vote is simply to feel involved in that process, it's not a fucking lottery ticket.
> Seems to me that every company trying to make a buck out of this opportunity should be met with a "no thanks." whilst we buy/use something else
Here's the thing. When you devalue your currency, the cost of things from foreign suppliers tends to rise as a result.
If MS didn't allow us to buy in GBP, and instead only sold in USD, we'd still be spending more.
It's not just opportunism, it's a direct result of the devaluation of the pound, which has come about as the result of businesses having serious concerns about the UK's prospects post-brexit.
In my book, that's definitely something to dump at the feet of the leave crowd.
The only thing to watch out for with that is manufacturer idiocy. IIRC when BT first moved from having a generic default WEP/WPA password on the Homehub they went with the serial number. Unfortunately it was possible to get the AP to tell you its serial before you'd authenticated.....
You can almost guarantee at least one manufacturer will drop that info into the http headers, or body to aid in identifying the kit when they get a support call.
But, to stretch the analogy, you wouldn't get to claim the cost of installing an alarm as damages against the car thief either. The thief stole the car and gets done for that, you don't get to claim back the cost of doing what you should have been doing in the first place.
In other cases though, the US has tried to reach the bar for damages by including the cost of implementing security that should have been there in the first place.
So whilst he shouldn't get off scot-free he's not wrong when he claims it won't actually be justice that's meted out in the US.
> 2. Assange has not been charged and he is not wanted for trial.
FFS, if by now you don't know why that's bullshit you're either being willfully ignorant or are just too plain dense to conceive that different countries have different legal systems.
He cannot be charged (and therefore cannot be wanted for trial) until after the interview they want to have with him. It's not a difficult concept, and it's not new.
> 4. Assange has not "refused to come to trial or indeed be questioned".
No, but he (the suspect) is trying very hard to dictate how and where that happens. What other suspects would you say could get away with that?
> 5. Assange did not "flee".
For a start, he's a bail jumper which most would consider fleeing. Secondly look up the circumstances of his departure from Sweden. Not that whether he fled Sweden really matters; if he'd left to visit his Great Aunt Norma the requirement for him to go back wouldn't change.
Maybe try reading a wider range of sources and verifying facts a little more thoroughly. It might be a fact that he's not been charged, but there's another fact that explains why and that it's not unexpected.
Yes and Yes.
Xamarin bug is here - https://bugzilla.xamarin.com/show_bug.cgi?id=39859
Edit: clicky
>> increase the risks criminals need to take
>
> struggling with ideas here that don't involve logging everything everywhere. fuck off.
Perhaps reduce the time wasted on fighting for things that harm us all and focus on doing some actual police work? More coppers doing what they're supposed to be doing should increase the risk of getting caught
>> ; remove the excuses for it
>
> Does anyone have any good excuses for cyber crime? Crap wars in foreign lands?
I've got a sinking feeling that in the future we may all have a good excuse - they've clamped down so hard on things that "normal" stuff like using https is now potentially a cybercrime.
With bcrypt, the salt is stored in the "hash". The output of bcrypt is essentially a string containing the actual hash - in effect ${cost}${salt}${hash} - so if you've got the bcrypt "hash" you've got everything you need except the real password.
But that's fine, because a salt isn't intended to be secret, it's intended to make it more expensive for an attacker to try and bruteforce hashes
> I am also not sure the attacker "would need the salts". Generally they are right next byte to the hash, possibly after or before a separator...
Absolutely correct - with bcrypt the salt is stored within the "hash", along with the cost used and the resulting cipher text. The cost and salt get split out of the stored string when testing a submitted password.
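Added example, not code from either of the posts above: taking a stored bcrypt string apart to show that the cost and salt really do travel with the hash. bcrypt's stored form is `$<version>$<cost>$<22-char salt><31-char hash>`, with salt and hash in bcrypt's own base64 alphabet, so the `${cost}${salt}${hash}` description above is right in spirit; the version prefix (`2a`, `2b` or `2y`) is the only extra piece. `SAMPLE` is a string constructed to have that shape, not the hash of any particular password, and `check_password` assumes the third-party `bcrypt` package is installed.

```python
"""Added example, not code from the original posts: taking a stored bcrypt
string apart.  bcrypt stores everything a later check needs in one
modular-crypt string, $<version>$<cost>$<22-char salt><31-char hash>, with
the salt and hash both in bcrypt's own base64 alphabet.  SAMPLE below is
constructed to have that shape; it is not the hash of any known password."""
from dataclasses import dataclass

# bcrypt's own base64 alphabet: not the RFC 4648 one, and no '=' padding
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

SAMPLE = "$2b$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"  # constructed


def bcrypt_b64_decode(text: str) -> bytes:
    """Decode bcrypt-base64; trailing bits that do not fill a byte are dropped
    (22 chars -> 16 bytes, 31 chars -> 23 bytes)."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits = (bits << 6) | BCRYPT_B64.index(ch)   # ValueError on a bad character
        nbits += 6
        while nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def bcrypt_b64_encode(data: bytes) -> str:
    """Inverse of bcrypt_b64_decode; pads the final sextet with zero bits."""
    bits = nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(BCRYPT_B64[(bits >> nbits) & 0x3F])
            bits &= (1 << nbits) - 1
    if nbits:
        out.append(BCRYPT_B64[(bits << (6 - nbits)) & 0x3F])
    return "".join(out)


@dataclass(frozen=True)
class BcryptParts:
    version: str      # "2a", "2b" or "2y"
    cost: int         # log2 of the number of key-expansion rounds
    salt_b64: str     # 22 chars -> 16-byte salt
    hash_b64: str     # 31 chars -> first 23 bytes of the 24-byte bcrypt output

    @property
    def rounds(self) -> int:
        return 2 ** self.cost

    @property
    def salt(self) -> bytes:
        return bcrypt_b64_decode(self.salt_b64)

    @property
    def digest(self) -> bytes:
        return bcrypt_b64_decode(self.hash_b64)


def parse_bcrypt(stored: str) -> BcryptParts:
    """Split a stored bcrypt string into version, cost, salt and hash."""
    fields = stored.split("$")              # ['', version, cost, salt+hash]
    if len(fields) != 4 or fields[0] != "" or fields[1] not in ("2a", "2b", "2y"):
        raise ValueError("not a bcrypt string (expected $2a$/$2b$/$2y$ prefix)")
    if len(fields[2]) != 2 or not fields[2].isdigit():
        raise ValueError("cost must be two digits")
    cost = int(fields[2])
    if not 4 <= cost <= 31:
        raise ValueError("cost out of range")
    body = fields[3]
    if len(body) != 53 or any(c not in BCRYPT_B64 for c in body):
        raise ValueError("salt+hash must be 53 bcrypt-base64 characters")
    return BcryptParts(fields[1], cost, body[:22], body[22:])


def check_password(password: str, stored: str) -> bool:
    """The full check: re-run bcrypt with the stored cost and salt and compare.
    Needs the third-party 'bcrypt' package (assumption: pip install bcrypt);
    everything above is pure Python."""
    import bcrypt
    parse_bcrypt(stored)                    # reject non-bcrypt input before calling out
    return bcrypt.checkpw(password.encode("utf-8"), stored.encode("ascii"))


if __name__ == "__main__":
    p = parse_bcrypt(SAMPLE)
    print(f"version={p.version} cost={p.cost} (2^{p.cost} = {p.rounds} rounds)")
    print("salt   =", p.salt.hex())
    print("digest =", p.digest.hex())
```

The parse step is what a verifier does before recomputing: cost and salt come out of the stored string, the candidate password goes through bcrypt with those parameters, and the result is compared with `digest`. That is also why a leaked table of bcrypt strings hands an attacker everything except the password, and why the cost, not the salt's secrecy, is what makes guessing expensive.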
> Millions of pounds of hi tech equipment destroyed for want of a £1 microswitch.
By the time it's been rated "aviation safe" it'll cost much more than £1. I remember seeing £20 spanners coming into the aviation workshop still carrying a price tag that indicated they'd cost 10x as much. Partly because Government contract, partly because they'd been rated as OK for use on aircraft.
So that £1 microswitch may well cost hundreds, if not thousands, from the supplier.
> Is that this drone was of a horrible design.
Pretty much my takeaway as well.
> if Master Override is activated and one of the altimeters is malfunctioning, the Watchkeeper opens up its “ground touch” window from 1m sensed altitude to 20m sensed altitude. In other words, the drone might decide it has landed even when it is still 65 feet up.
Clearly whoever designed this was trying to solve a specific issue they predicted might happen, but didn't give enough consideration to what the actual ramifications might be.
Inevitably leading to someone having to stand at the tobacco counter at Tesco's as their ice cream melts and say, errr... has anyone handed in a steering wheel? I'm sure I had it when I paid, but can't find it anywhere.
Not that I once realised I'd left my wallet on the counter once I'd driven 100 miles. Thankfully there was enough diesel in the tank to get back
Perhaps if you'd clicked it it would have resent the email, but in a larger font this time to try and get the information to sink in?
But yeah, I've had similar from my bank - we take account security very seriously, click this link to a random looking domain to find out how to avoid getting scammed
> Assange is not in the EU or the UK, he's on Ecuadorian Soil,
No, he's on UK soil.
The whole "an embassy is foreign soil" is a Hollywood thing, not a real-world thing.
The Vienna convention prevents us from going in without very good cause, but to do so wouldn't be an invasion of foreign soil. The real risk is that failing to respect someone else's embassy would lead to British embassies suffering the same.
> No one has come off well in this, least of which the UK Government. The original offence (if there ever was one) has long been served, by his self imprisonment.
Except it's self-imprisonment so it doesn't actually count. If you're expecting that you'll be convicted of something you can't just hole yourself up somewhere of your choosing and then claim time served, that's just not how it works.
> when you see people in DC doing whatever they're doing, while wearing t-shirts but not seeming to feel the cold.
I don't think I've ever felt the need to layer up in the DC. I have occasionally had to leave the hot aisle because I was getting too warm though. A t-shirt is otherwise normally fine, but it's possible I've built a tolerance since the smoking ban exposed me to the elements more frequently.
Oh, and I'll usually have something in/over my ears if I'm going to be in there for too long. Not so much the volume as the constant exposure that gives me a headache.
Because if you kick the mistake makers too hard, by firing them or making it impossible to continue with their jobs, then you lose not only the skills you've invested in but also the learning from the mistake. Do something wrong in the armed forces and you're often demoted - you have to earn your way back up.
Yup, an employee who's fucked up and been punished is usually still a more productive and useful asset to the company than an employee who hasn't yet fucked up and hasn't learnt to exercise a little more care. I'd rather someone who didn't fuck up because they'd learned to be careful than someone who's just got lucky so far.
Firing is for the willfully incompetent/negligent and for those who never learn to exercise care. Everyone else should get the chance to learn from mistakes.
And firing someone to "make a statement" (i.e. for political purposes) should probably be a sackable offence too IMO, as it's throwing away the company's investment in that person for no good reason.
It's part of Skynet:
....the chip can execute 115 billion operators a second while....
But seriously, as others have said - does there need to be a "why" for trying everything new? Once a technology is developed, uses will generally be found for it, and otherwise unthought of technologies sometimes grow up around them
Tesco are using DNSSEC for their financial arms right? right? Oh wait, no they're not. Hell, they're not even using HSTS or HPKP
Got curious, turns out they're not the worst of the lot, even if far from great.
Also considering the risk of poisoned exit nodes & MITM, while TOR is great for anonymising your origin you probably can't trust it to protect your identity and personal details that you transmit
Well, how about the App actually verifies the certificate it receives, and they use DANE to ensure that the fingerprint of the provided certificate matches the certificate they _know_ to be real.
Then the exit not only has to MITM the SSL connection (using a publicly trusted certificate), but also has to find a way to return a valid, _signed_ response to the DNS query.
Tesco are using DNSSEC for their financial arms right? right? Oh wait, no they're not. Hell, they're not even using HSTS or HPKP
Implementing actual checks on the certificate being provided would benefit all users, tor and non-tor. Instead, they leave their app checking the local system whilst ignoring the large expanse of network between the client and the server.
Personally, I don't know the answer to any of my secret questions. I generate a random string and paste that in.
Passwords are in a manager so the questions shouldn't ever be needed, and if they are I've bigger things to worry about.
Does mean it's a right shit when a site suddenly updates login to include "enter character 6 of the answer to your security question" though.
I don't know, but I suspect at least one of the deleted comments probably linked to the domain that's been, err, dedicated to ioerror - which very definitely does contain a lot of defamatory stuff.
No idea whether the allegations are true (other than that he can be a knob at times), but that site and the social media witchhunt make me sad to be part of the community. There's no reason for everything to have been done quite so publicly (the site in particular), particularly at this stage, and for a privacy loving community to seemingly take so much delight in a public burning doesn't sit well.
> And unless VM support for DX12 comes along, I don't trust virtualizing a gaming rig with a Steam collection that's Windows-only and VM- and WINE-unfriendly.
Not saying it's necessarily the right solution for you, but one option would be to do something like this
Edit - making link clicky
Browsers need to start tracking the certs for each website and if the certs change, then its untrusted even if Symantec say its trusted.
That's already possible with HPKP and/or DANE.
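Added here to go with the Tesco-app DANE post above, this HPKP/DANE reply, and the certificate-pinning point earlier in the thread. It is example code, not anything from a bank app or the poster: a small ASN.1 walker pulls the SubjectPublicKeyInfo out of a DER certificate, from which it derives the HPKP `pin-sha256` value and runs the DANE TLSA matching step (selector 0 = whole certificate, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512). The certificate it works on is a synthetic, unsigned DER structure built inside the block for illustration; it belongs to no real site, and the TLSA check assumes the record was fetched through a validating resolver, since without DNSSEC the record proves nothing.

```python
"""Added example, not code from the original posts or from any bank app:
the check the post asks for, done two ways.  A tiny DER walker extracts
subjectPublicKeyInfo from an X.509 certificate; from that we derive the
HPKP pin-sha256 value and perform DANE TLSA matching (selector 0 = cert,
1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512).  The
certificate below is a synthetic, unsigned structure built here for
illustration only."""
import base64
import hashlib
import hmac


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    """Yield (tag, value, raw_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(body):
        start = pos
        tag, value, pos = der_tlv(body, pos)
        yield tag, value, body[start:pos]


def extract_spki_der(cert_der: bytes) -> bytes:
    """DER bytes of subjectPublicKeyInfo, header included (what HPKP and
    TLSA selector 1 both hash).  Works on real certificates too."""
    tag, cert_body, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = der_tlv(cert_body)            # tbsCertificate
    fields = list(der_children(tbs))
    if fields and fields[0][0] == 0xA0:       # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def hpkp_pin(cert_der: bytes) -> str:
    """Value for Public-Key-Pins: pin-sha256="...": base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(extract_spki_der(cert_der)).digest()).decode()


def parse_tlsa_rdata(text: str):
    """Parse presentation-format TLSA rdata such as '3 1 1 <hex digest>'."""
    usage, selector, mtype, assoc = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(assoc.replace(" ", ""))


def tlsa_observed(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """What the record's association data must equal for this certificate."""
    data = {0: cert_der, 1: extract_spki_der(cert_der)}[selector]
    if mtype == 0:
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).digest()


def tlsa_matches(cert_der: bytes, rdata) -> bool:
    """Matching step only.  Assumes the TLSA RRset came back DNSSEC-validated
    and that cert_der is the certificate the usage field refers to (the
    end-entity cert for usages 1 and 3, a CA cert from the chain for 0 and 2)."""
    _usage, selector, mtype, assoc = rdata
    return hmac.compare_digest(tlsa_observed(cert_der, selector, mtype), assoc)


def der_encode(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the synthetic certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def build_sample_cert() -> bytes:
    """Constructed, unsigned X.509-shaped DER with a dummy 64-byte 'key'."""
    def oid(hexbytes: str) -> bytes:
        return der_encode(0x06, bytes.fromhex(hexbytes))
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30, oid("550403") + der_encode(0x0C, b"example"))))
    sig_alg = der_encode(0x30, oid("2A864886F70D01010B") + der_encode(0x05, b""))  # sha256WithRSA
    spki = der_encode(0x30, der_encode(0x30, oid("2A864886F70D010101") + der_encode(0x05, b""))
                      + der_encode(0x03, b"\x00" + bytes(range(64))))
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"250101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + sig_alg + name + validity + name + spki)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    cert = build_sample_cert()
    print('pin-sha256="%s"' % hpkp_pin(cert))
    record = "3 1 1 " + tlsa_observed(cert, 1, 1).hex()
    print("TLSA", record, "->", tlsa_matches(cert, parse_tlsa_rdata(record)))
```

In an app this runs after the normal chain validation, on the leaf (or CA) certificate actually presented by the connection: a MITM with a publicly trusted certificate passes the chain check but fails the pin or TLSA comparison unless it also controls the signed DNS answer, which is the point the post above makes.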
Google's certificate pinning is Google's log; I have no reason to trust Google's logs either.
If you don't trust the operator of the site (in this case, Google), why are you exposing your system to their services?
Some go further than that and are included on a list pre-baked into the browsers. So on a virgin install of Chrome (for example), if you enter http://www.google.com it should change to HTTPS without bothering to try port 80.
Helps to remove the inherent risk in just HSTS when talking about users who're visiting your site for the first time.
They're your statutory rights, you can't waive them. They can throw money at you and make you sign something in the hope you don't use them, which is something different.
True, however, they can have you sign an agreement which states that in return for the "advanced redundancy package" you won't exercise those rights.
If you then choose to do so, you lose out on the "advanced" element and fall back to being eligible for a statutory redundancy (1 week per year), in the hopes of perhaps getting a better payment, which will almost certainly be calculated using statutory values.
So, no, you can't waive your statutory rights, but by actually exercising them you effectively throw money away.
> Also, ankle holsters are crap except in very particular circumstances.
For example when you're a leggy femme fatale in a movie that's just looking for an excuse to show some leg :)
It might be a limited imagination, but I can't think of a civilian circumstance where it'd likely be beneficial as it's more of a "backup" thing
systemd-free Debian fork
> Most of the problems with systemd stem from not knowing or not caring about how to use it
I think that's a little unfair, but, that said, the very presence of systemd on a system can also lead to a systemd blinker coming down when troubleshooting.
I actually spent some time dealing with an issue earlier. For some reason systemd-udevd had started deciding to rename a NIC from its configured name to "rename2".
I'm sure Lennart's ears were burning for a little while, until I looked a little closer and remembered what fuckwits Realtek are.
The NIC in question is part of a bond, and on the reboot just before the issue, systemd got impatient waiting for the network to come down cleanly, so just shut it off. On boot, the RTL driver reads the MAC from the NICs volatile storage (instead of the PHY) so got the bond's IP instead, which of course matches the other slave. So two NICs matched the same udev rule...oops
Blaming the (sometimes) clusterfuck that is systemd is too easy and rarely solves the problem itself.
But systemd isn't faultless either, just as some distros managed to ship flawed selinux configs (apache context? Nah, won't need /var/www/html). It's got its problems and journalctl is a fair example (system hung and want to know why? Sorry, the binary log is corrupted). Being able to pass through to rsyslogd is a band-aid, not a fix for the issue.
Or, as others have pointed out, the NTP issues.
In the past when I've said similar, I've had people say "you think the cig is calming you, but actually it's just satisfying the addiction, making the cravings go away"
Because, you know, the twat who pushed untested changes to production clearly had nothing to do with the irritation in the first place..