I found it interesting that they made it progressively harder to cheat on the puzzles; they could have made it impossible to cheat from the start, but chose not to (brute forcing #2 was possible when they could just have hashed the answer as they did in #3, for instance). I took this as a sign that cheating was allowed and did so to get to level 4... then I gave up, because I couldn't work out how to cheat and I hate number sequence puzzles.
134 posts • joined 28 Sep 2009
Re: It's all about the annual review
Message_First_Word = 'H' + \
'e' + \
'l' + \
'l' + \
Re: I'm not buying the "0-day exploit" story.
Well; it was a zero-day at some point...
Re: Zero Day Exploit
I'm guessing the IT service providers or the AV company told them 'It was a zero day, that's why it wasn't stopped' and they have no reason not to believe them.
I've been told that an Excel macro virus was 'A Zero Day' just because the AV signatures didn't pick it up. The AV crowd have realised that if they define 'Zero Day' as 'Anything we miss' they can get away with murder.
He's pretty much just talked through the syllabus of a CEH course... not exactly ground-breaking insights!
Massive sampling bias here... These are passwords from sites that have been hacked... So it only tells you that people use crap passwords for sites that can't be trusted.
Also, these passwords were either A. stored in plaintext, in which case complexity is irrelevant, or B. stored hashed, in which case only easily crackable passwords would be released; skewing the results even further.
ALSO... as all the 'good' passwords are probably unique, they will never be at the top of the list of passwords. So the non-unique passwords will inherently have more people using them.
The more I think about it, the more meaningless this information becomes.
Re: Budgets, constraints and
Something I've experienced before is security companies giving assurances that they shouldn't give based on the scope of the testing, and not giving adequate caveats.
E.g. testing a web application and not testing the infrastructure yet declaring a web service 'secure.'
Re: |Hmmm... click bait
Agile: I literally had someone tell me "We don't want all the project management and testing, can't we just use agile?"
Certainly, but you'll want to double your budget for project management and testing...
Except in the wacky world of "Manufacturing Execution Systems" where enterprise and embedded collide...
Re: small iterative changes will be the norm
Ha! A more accurate analogy would be building the second, third and fourth floor anyway and papering over any subsequent cracks (or calling them 'features') until it all falls over... then you leave the rubble where it lies and start building again.
Re: Ah joke wallpaper ...
(Except for Johnny Castaway of course)
Just gave me a massive wave of nostalgia; someone's compiled the whole lot into this YouTube vid:
Re: “A less than really sharp manager agreed,”
As per the Dilbert Principle, the 'less than sharp' people are consistently promoted to management positions where they can do the least amount of damage. Sounds like WG's manager is due a promotion.
I wonder if this was invented by a criminal mastermind by the name of Rolando... we will never know.
We had a few occasions where truck drivers tried to drive off with our forklift drivers still in the trailer unloading... after discussing lots of high-tech and convoluted processes to stop it happening we solved it for £5. By putting a hook on each of the roller-doors in the loading bay.
When the truck comes in, their keys are hung on the hook before the roller-door is opened, leaving the keys hanging 15ft in the air. Then they physically can't get their keys back (or drive off) until the door's closed again.
Nope, Risk = Impact x Likelihood. The boss asked for the likelihood of something going wrong; OP assumed that he was aware of the impact.
Re: Can't see why nuclear power is a danger for a data center
Presumably it helps provide some measure of guaranteed base load for the reactor. For cloud processing, you could even offer discounted cycles based on excess power generation (Amazon have a 'run X when it's cheap' option).
Re: Whole new level
But there's only one nuclear power plant on site....
Re: Cyber Warfare vs things that go boom
Someone in the local area took out a major transmission mast with a badly (well?) aimed firework a few years ago... (Google 'Morborne transmitter')
I think they've left themselves an 'out' here.
When the first guy got killed, one of the guards said something like "Don't run... why do they always run?", implying that running is somehow a bad idea even though they're facing 'certain death'. So I wonder if there is a catch in there about it only working if you're scared, or some other hand waving...
We shall see.
Re: I'm not sure which is funnier...
Pretty sure that sentence could do with a comma! "was motivated by opposition to US Foreign policy, and support for Palestine"
Re: Lateral thinking
Yeah, although unfortunately this probably falls under the 'conspiracy theory' banner simply because there's no way of proving it either way, I'm tempted to agree with you!
Without other supporting evidence, there's no way of telling the difference between a genuine vulnerability and a cleverly placed backdoor.
Had something similar in a potato store/pack house: they'd re-lined the inside of their old warehouse with PVC panels, over the top of all of the network points, 3 wireless access points, AND the door leading to the cupboard with the communications rack in it.
I just stood there for 5 minutes looking between my site map, and the place in the wall where the door should have been.
Re: Dunno for teachers, but ...
"or just RTFM and have 2 cents of common sense as an architect." .. ityf 2 cents makes you a Senior Architect
Re: Seems little margin for error...
Interlocking anything to speed relies on the measuring devices working perfectly. e.g. if you couldn't lower your landing gear unless the plane believed you were under 80kts, and your air speed indicator failed (frozen pitot tube f'rinstance) it would be somewhat inconvenient to have to get out and fix the problem prior to landing.
The most popular of the passwords he was able to successfully crack...
Re: "having [..] storage silos is a costly nightmare of managing [..] storage infrastructure"
You have exactly the same problem if you have a centralised data centre. In both scenarios, of course you would keep things local that have a true high-availability requirement. There are, however, lots of other reasons not to want to hand over all your data to a start-up . . .
Re: Annoys me sooo much
so.. who's the mug?
Ironic that The Register tries to impose conditions upon people linking to their website...
"The Register permits any website to link to any of our stories, provided it clearly states its source and does not include the full text of the story on its own site"
Pretty much implying that they too believe it is within their power to permit (or not) people to link to their site.
Re: Physical security?
OK, that's 19, but easy to remember:
Deep down in Louisiana close to New Orleans ...
The fact you have to use tricks like that, or technology, to 'remember' passwords just proves why we need to find a better option.
Re: Once again ...
OWASP's Application Security Verification Standard is a good starting point. It has some weight to it (a lot of people have heard of OWASP) and it's quite pragmatic in its approach.
Re: My method
Am I Close?
Re: You see...
Nah, get them tattooed on the bottom of your foot; that way you'll almost certainly notice if someone steals them.
Re: I need to access my accounts ...
One option, off the top of my head: take a piece of paper, write your passwords on it, stick it in your wallet.
That way, you'll know what they all are (primary function), they will be almost completely secure (primary requirement) and you'll know who has access to them, and if/when they've been stolen.
Don't have to be particularly techno-savvy to drive a biro.
Re: OOH OOH!!! I know what the weak point is
You're basically storing all of your passwords on someone else's computer, using software you have no way of validating, running on servers whose configuration you have no way of validating.
I always get looked at like the internet-age version of a luddite for saying 'maybe some things shouldn't be on the cloud' ... but I'm glad I stuck to my principles on this one.
There's no guarantee all of your passwords haven't been exposed.
Step 1: Hack the webserver
Step 2: Change the code on the page that shows you your passwords, after they're decrypted to also save them somewhere on the server in plaintext
Step 3: ????
Step 4: Profit!
Off the top of my head: assume they do actually have access to a working email account (pushing the 'password reset' problem onto the email provider, in effect). But if everyone did this, you'd only need one password anyway...
Log them in by sending a one-time link to that email that sets an authentication cookie. If they want to log in again, they click 'log in' and get a new link via email.
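The email-link login described in the post above, as an added example (not code from the original post or from any site it discusses). It assumes an in-memory dictionary standing in for the server's database and a list standing in for the outbound mail queue, both constructed here; the base URL is hypothetical. The points worth seeing in code are that the server stores only a hash of the token (a database leak does not yield usable links), that a link is single-use, and that it expires.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # a link is only good for 15 minutes (assumed policy)


class MagicLinkLogin:
    """Passwordless login: the proof of identity is access to the mailbox."""

    def __init__(self, base_url="https://example.invalid/login", now=time.time):
        self.base_url = base_url  # hypothetical site
        self.now = now            # injectable clock so expiry can be exercised offline
        self._pending = {}        # sha256(token) -> (email, expires_at); stand-in for a DB table
        self._sessions = {}       # session cookie value -> email
        self.sent_mail = []       # constructed stand-in for the outbound mail queue

    @staticmethod
    def _hash(token):
        # Only the hash is stored server-side, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_link(self, email):
        """Generate an unguessable one-time token and 'email' the link."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[self._hash(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
        link = f"{self.base_url}?token={token}"
        self.sent_mail.append((email, link))
        return link

    def redeem(self, token):
        """Called when the link is clicked. Returns a session value, or None if the
        token is unknown, already used, or expired."""
        entry = self._pending.pop(self._hash(token), None)  # pop => single use
        if entry is None:
            return None
        email, expires_at = entry
        if self.now() > expires_at:
            return None
        session = secrets.token_urlsafe(32)
        self._sessions[session] = email
        return session

    @staticmethod
    def cookie_header(session):
        """The response header that sets the authentication cookie."""
        return f"Set-Cookie: session={session}; HttpOnly; Secure; SameSite=Lax; Path=/"

    def whoami(self, session):
        """Resolve a presented cookie value back to the logged-in email."""
        return self._sessions.get(session)


if __name__ == "__main__":
    site = MagicLinkLogin()
    link = site.request_link("alice@example.invalid")
    token = link.split("token=", 1)[1]          # what the user's click delivers
    session = site.redeem(token)
    print(site.cookie_header(session))
    print("logged in as", site.whoami(session))
    print("second click works:", site.redeem(token) is not None)  # False: single use
```

The cookie flags matter as much as the token: without HttpOnly and Secure the link-based login is only as strong as the page's resistance to script injection and downgrade. The email provider's account security then becomes the whole story, which is exactly the trade the post describes.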
I failed to create an account with a certain UK bank because they required me to provide answers to 3 of 10 'secret questions' and I didn't know/have answers to any of them.
E.g. I don't have a 'Favourite colour' because I'm not 7.
As I responded to a complaint of "You only changed one line of code, why did it take so long?"
"Changing one line of code: 3 minutes"
"Changing the right line of code: 3 weeks"
These days it's all in the big blue bin marked 'confidential shredding'... which someone comes every day to wheel out, without anyone checking their ID.....
Re: It has it's uses
Those pen testers were clearly idiots then.
Besides, since when have penetration tests been 'pass or fail'? Normally they return a long list of recommendations of varying degrees of severity. Do you mean they raised the existence of robots.txt as an issue? If so, what severity was it? If it was 'informational' I can see their point...
Lots of people saying 'Old news', of course it is, but that does beg the question of how so many sites still get it so badly wrong?
One genuine failing in the article is that it doesn't even mention the right solution, which is to use a Robots meta tag within resources you want to hide like
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
So the file will be ignored IF a spider finds it, but won't be advertised via the robots.txt file; this only works for HTML resources though.
The bigger 'take away', of course, is the fact that you should never rely on obscurity as your only security; if you don't want files to be accessible; block/control access on the server-side.
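A check for the 'take away' in the post above, added here as an example (it is not code from the original post or the article it replies to). It parses a robots.txt and then probes each Disallow path as an unauthenticated client; any path that comes back 200 is one the site has advertised in robots.txt while relying on obscurity rather than server-side access control. The sample robots.txt and the response table are constructed; the live probe at the end is optional and only used if you point it at a real host.

```python
import urllib.error
import urllib.request


def parse_disallowed(robots_txt, user_agent="*"):
    """Return the Disallow paths in the group(s) that apply to `user_agent`.
    A group is one or more consecutive User-agent lines followed by rules."""
    disallowed = []
    group_agents = []
    in_group = False
    last_key = None
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if last_key != "user-agent":       # a new group starts
                group_agents = []
            group_agents.append(value.lower())
            in_group = user_agent.lower() in group_agents
        elif key == "disallow" and in_group and value:
            disallowed.append(value)
        last_key = key
    return disallowed


def audit_disallowed(robots_txt, probe, user_agent="*"):
    """probe(path) -> HTTP status an anonymous client gets for that path.
    Returns the advertised-but-reachable paths (status 200)."""
    return [p for p in parse_disallowed(robots_txt, user_agent) if probe(p) == 200]


def live_probe(base_url):
    """Build a probe that really fetches paths from base_url (not used offline)."""
    def probe(path):
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code
    return probe


# Constructed sample: a robots.txt that lists the very things it wants hidden.
SAMPLE_ROBOTS = """# constructed example
User-agent: Googlebot
User-agent: *
Disallow: /admin/
Disallow: /backup.zip
Disallow: /cgi-bin/
Allow: /public/

User-agent: OtherBot
Disallow: /otherbot-only/
"""

# Constructed stand-in for the server: only /backup.zip is actually unprotected.
SAMPLE_RESPONSES = {"/admin/": 403, "/backup.zip": 200, "/cgi-bin/": 404}


def sample_probe(path):
    return SAMPLE_RESPONSES.get(path, 404)


if __name__ == "__main__":
    print("advertised:", parse_disallowed(SAMPLE_ROBOTS))
    print("advertised AND reachable:", audit_disallowed(SAMPLE_ROBOTS, sample_probe))
```

The 403 on /admin/ is the correct outcome: the path can be listed anywhere you like as long as the server enforces access itself. The 200 on /backup.zip is the finding a tester would actually write up, and it would be a finding whether or not robots.txt mentioned it.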
Re: Lemmings !
"On-board avionics are secured through fire-walls" surely implies that they're separated by software only, and not air-gapped... anything is possible.
Re: Read the statement carefully
Only if an act of parliament is passed allowing the TV license man to hack into your PC...
You missed the bit where it says:
“enactment” means any enactment, whenever passed or made, contained in—
an Act of Parliament;
an Act of the Scottish Parliament;
a Measure or Act of the National Assembly for Wales;
an instrument made under any such Act or Measure;
any other subordinate legislation (within the meaning of the Interpretation Act 1978);
11:10, to anyone wondering if/when he shows it working.
Re: Nasty JPG
It's a bit more subtle than that, but not much more. I think it's a nasty script that is also a valid JPEG. So if you check that the user has uploaded a valid JPEG, it works, but it also executes as a valid .aspx.
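An added example for the point in the post above, not code from the original post or from the article it replies to. It shows why "is it a valid JPEG?" is the wrong question: a JPEG can carry arbitrary text in its comment (COM) and APPn segments or after the end-of-image marker, and a magic-byte check passes it. The segment walker below pulls those regions out and flags script delimiters; the file it scans is a constructed minimal JPEG skeleton (header, JFIF segment, comment, EOI, no image data) with ASP-style delimiters in the comment, built purely to exercise the scanner. Which delimiters to treat as suspicious and the habit of renaming uploads to a random name with a fixed extension are this example's own assumptions.

```python
import secrets
import struct

# Tokens that have no business inside image metadata (assumed list, extend as needed).
SUSPICIOUS = (b"<%", b"<?php", b"<?=", b"<script")


def looks_like_jpeg(data):
    """The naive upload check: magic bytes only. A polyglot passes this."""
    return data[:2] == b"\xff\xd8"


def jpeg_segments(data):
    """Yield (name, payload) for each marker segment up to SOS or EOI, then
    ('TRAILER', rest) for whatever follows (scan data and/or appended bytes)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, marker continues
            pos += 1
            continue
        if marker == 0xD9:                      # EOI
            yield ("EOI", b"")
            pos += 2
            break
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length")
        yield (f"0x{marker:02X}", data[pos + 4:pos + 2 + length])
        pos += 2 + length
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            break
    trailer = data[pos:]
    if trailer:
        yield ("TRAILER", trailer)


def find_embedded_script(data):
    """Return [(segment name, token)] for segments carrying script-like text.
    Scan data after SOS is included as 'TRAILER', so a hit there is possible
    by chance and should be confirmed by eye."""
    hits = []
    for name, payload in jpeg_segments(data):
        for token in SUSPICIOUS:
            if token in payload:
                hits.append((name, token.decode("ascii")))
                break
    return hits


def stored_name():
    """Ignore the user's filename entirely: random name, fixed extension, so the
    upload can never be served under .aspx (or anything else executable)."""
    return f"{secrets.token_hex(16)}.jpg"


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (no real image data; only the marker structure matters here).
JFIF_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CLEAN_JPEG = b"\xff\xd8" + JFIF_APP0 + _segment(0xFE, b"Created with a camera") + b"\xff\xd9"
POLYGLOT_STYLE_JPEG = (b"\xff\xd8" + JFIF_APP0
                       + _segment(0xFE, b'<% Response.Write("x") %>') + b"\xff\xd9")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("polyglot-style", POLYGLOT_STYLE_JPEG)):
        print(label, "magic ok:", looks_like_jpeg(blob), "hits:", find_embedded_script(blob))
    print("would be stored as", stored_name())
```

Scanning is a useful tripwire but not the fix. The fix is that uploads are never served by the application runtime at all: random name, fixed extension, a directory the web server treats as static content, and ideally a re-encode through an image library so that only pixels survive.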
Re: Moving ever on and upward rapidly .......
"That's a nice website you've got here, would be a shame if something was to ... happen to it."
I think, from prolonged observation of the 'digital' tribe, they are talking about what we used to call 'software', normally web applications and mobile applications with some sort of back-end.
The main distinguishing feature of 'digital' over 'software' is that the products have names that are comprised mostly of made up words that sound like real words; and the logos have rounded corners. Very much like the teletubbies.
Re: I've got an idea - implement it!
As someone said, Joseph Bazalgette became famous for pumping shit OUT of people's homes...
Re: I've seen worse
I've seen an enterprise-level finance package that 'encrypted' its passwords using ROT-1