Re: stepped foot
It's SET FOOT, FFS! Or stepped would also work.
1502 posts • joined 11 May 2007
It's SET FOOT, FFS! Or stepped would also work.
And yet people still say they're not secure!
Grow up and use your username. Going anon just to call people names is pathetic.
Wow. Someone's not getting any....
No, no, no. This is totally, totally different to MS dropping support for XP, and a load of fandroids will be along to explain how any second, without a hint of irony....
Su-metal has an awesome voice, I read somewhere that the entire project was dreamt up as a vehicle for her. Certainly sounds nothing like a cat being strangled. The little'uns are a bit more shrill but they're there for dancing more than singing.... Altogether they're a breath of fresh air in a increasingly fragmented and insular metal scene!
No. You can tell by the fact no-ones commenting on the story.... Well, except for all the comments about not caring.
Then came and commented on how you weren't interested in it. Cool!
>> Or they could just say they have a problem and admit it, together with an idea of when they can be arsed to fix it. <<
Umm, that's exactly what happened. The problem was Google didn't want to wait the few days between their "deadline" and patch Tuesday. Next time you pull a quote from an article maybe you should read it too?
Well one of you can spot a joke. To the rest, thanks for your informative posts and many downvotes! I'm here all week. Try the fish!
I preferred the wild speculation and opinion tbh.
>> "But you're just reporting the wild speculation and opinions of a noisy minority of forum whiners with no basis in fact"<<
I like the way you backed up your comment with all those references and facts! Or is it just wild speculation and opinion?
I asked for a card without it and they told me very politely to fuck off, so I doubt it.
Yes, but the example code just uses a load of different prefixes on the same domain. Then you just use script to access each sub domain in turn using http and if the browser uses https instead then you know that bit is set.
Ok, it's not very clear from the article but as far as I can tell it's to do with using the fact that a single site is HSTS enabled as a bit and storing an identifier by hitting lots of sites.
So (I think) the idea is you set up 8 domains for example (to hold a byte). Hit each in turn with a url containing a flag to ask the server to respond with "HSTS enabled" to store a 1 or "HSTS disabled" to store a 0. Then later the code attempts to read those sites again without the flag and using http. The server responds indicating whether the connection was https or not and you can reconstruct your byte with that information!
Yeah, as Google responded "defeating such fingerprinting is likely not practical without fundamental changes to how the Web works". For once I agree with Google. Gah!!!
So reading up on this on Wikipedia and others I see that HSTS is effectively an https only header that tells a browser to i) communicate with the domain using only https for a specific time and ii) interpret any secure transport errors as meaning it should stop communication immediately. The header is ignored on http requests and shouldn't be sent.
So in normal use there is a potential for MITM attacks during your first contact with an HSTS site as the redirect to https happens with the usual 301. Once you connect with https you get the special header and your browser knows to always communicate to the domain using https, making further MITM attacks very difficult.
No where in that is there any requirement for this information to be shared with any other domain, or any advantage to doing so. I don't see anywhere in there a requirement for a magic number between the domain and the browser. What this generates is a private list of sites and durations that the individual browser uses to force https on certain sites.
So how did this become a tracking issue?
Sorry, that explanation doesn't really help.
What is the "it" you're referring to?
The article says:
>> His point is that an HSTS “pin” is set for each HTTPS-redirected site you use, it's unique to user and site, and it's readable from your browser settings by any site <<
That looks like a domain issue, specifically "it's readable from your browser settings by any site". Is the article wrong? What am I missing?
Exactly! Isn't the issue here about boundaries not protocols? Why can other sites see a domain specific secret?
No, it doesn't. What you're talking about is to do with your attitude to artists and whether you think they're cool or not. Artists change over time and success can definitely change them, but it's much more complex than "successful = bad, underground = good". Step away from that and just start listening to the music. Maybe you'll find there are successful acts you actually enjoy listening to, even though they're trying to make music other people like. Some times when an artist tries to make music people like they succeed!!
Forsooth, good sirrah, for surely that is an impossible task. But nevertheless, one can listen to said track and dislike it without expounding on it's vagaries in the comment section beneath. If one does indeed post in such a manner, then one should not take offence if a gentle ribbing ensues....
Why do people insist on listening to music that you don't like? Fucking idiots.
And what do you use when you need to get over yourself? I assume lifting gear is required....
Purchase it now and you are buying it, those who got it from KickStarter were funding it's development in return for a copy of the game. If you can't tell the difference then maybe you shouldn't be on kickstarter.
So everyone who disagrees with you is insane? Seems unlikely....
Am I? Of course I must be, what other reason could there possibly be to criticise Google?
And we're sure the monkeys in control of Google will be better why? Because they don't even have to scrape through an election to get in power? As long as they make money, that must be good for the country?
It's fine to spend your money for the results you want, but be honest about it, don't pretend it's for the greater good.
Well, that's ok then, convenience trumps monopolistic abuse every time.
You talking to us or your testicles?
>>So investing in the future of the country by providing training and research facilities <<
Is that what they're doing? You sure they're not just investing in the future of their own company? Wouldn't someone who wanted to invest in the country be a bit less desperate to avoid paying tax?
Oooh, you are gonna get SUCH a downvoting for that!
Instant downvote. Just sayin'.
Sweet! Make users carry signs!!
(Signage? What is it with the desire to use a fancier sounding word? They're signs, not "signage"!)
You better mean that as "slowing" and not "mentally disabled". As a term of abuse it's unacceptable. Rein it in.
Of course they shouldn't. Those are three groups of people we can definitely trust to behave themselves correctly at all times.
It would be good to see Mr. Pointy back in action!
Not every youtube "how to unlock your phone" video is genuine....
Yeah, like a shotgun is handy for shooting yourself in the face. Those two are starting to make the endless re-runs of "Two Pints of Lager" seem bearable...
The main reasons I prefer it is that it's better at autocomplete (sharp seems to lose this ability at the drop of a hat and wants recompiling before getting it back) and better at showing errors (vb tends to flag up the line that causes the issue, sharp often flags all the references to the bad line as well, making a simple job in B much trickier in sharp). Doesn't stop me working in sharp, but it does make me wonder why B is still better at these specific things....
Sharp does late binding better! (Didn't think I'd ever be typing that....)
Yes, for now. They could change that, but that would be them ignoring the "only share this with friends" flag. That would be creepy. Allowing me to search posts you've already shared with me is not creepy in any way.
I'm not standing up for facebook, I don't use it, but the daily mail style knee jerk headlines and typical ill thought out responses posted here get on my tits.
OOOh, creepy! Except, not at all creepy as people have to share stuff with you for you to be able to search it.
That is some top quality sarcasm! Nice!
According to the article:
we bypassed GAE whitelisting of JRE classes / achieved complete Java VM security sandbox escape (17 full sandbox bypass PoC codes exploiting 22 issues in total);
we achieved native code execution (ability to issue arbitrary library / system calls);
Sounds like a security fail.
Ah, of course! I knew Google couldn't be responsible for this!
No, they're wrong when they try to shut us down AND when they work with us!
The only safe way is to go back in time and nuke them from orbit in 1990!
...is fine for Youtube. Bizarre how little the law has to do with it.
I'd say the capability to upgrade without the need to sideload or do a factory reset would get it a little closer to perfection....
Trevor, seriously, get some help.
Google don't just return 1 result per search. They could easily put some business promotion results in with the actual search results.
Google's central business plan MUST be to continue to work for its customers, the advertisers that provide it's revenue. Meaning it has to keep it's users onside enough to be a valuable advertising base, no more than that.
I'm not suggesting that all Google do is promote themselves, they do a ton of stuff I use and appreciate, but I'm not so enamoured with them that I'll pretend there's no conflict of interest when users search for a service that Google and it's competitors both provide.
however the drinker likes it!! I don't like mine cold but I definitely don't want it watered down thanks.