Re: Annoys me sooo much
so.. who's the mug?
108 posts • joined 28 Sep 2009
Ironic, that theregister tries to impose conditions upon people linking to their website..
"The Register permits any website to link to any of our stories, provided it clearly states its source and does not include the full text of the story on its own site"
Pretty much implying that they too believe it is within their power to permit (or not) people to link to their site.
OK, that's 19... but easy to remember:
Deep down in Louisiana close to New Orleans ...
The fact you have to use tricks like that, or technology, to 'remember' passwords just proves why we need to find a better option.
OWASP's Application Security Verification Standard is a good starting point. It has some weight to it (a lot of people have heard of OWASP) and it's quite pragmatic in its approach.
Am I Close?
Nah, get them tattooed on the bottom of your foot; that way you'll almost certainly notice if someone steals them.
One option, off the top of my head: take a piece of paper, write your passwords on it, stick it in your wallet.
That way, you'll know what they all are (primary function), they will be almost completely secure (primary requirement) and you'll know who has access to them, and if/when they've been stolen.
Don't have to be particularly techno-savvy to drive a biro.
You're basically storing all of your passwords on someone else's computer, using software you have no way of validating, running on servers whose configuration you have no way of validating.
I always get looked at like the internet-age version of a luddite for saying 'maybe some things shouldn't be on the cloud' ... but I'm glad I stuck to my principles on this one.
There's no guarantee all of your passwords haven't been exposed.
Step 1: Hack the webserver
Step 2: Change the code on the page that shows you your passwords, after they're decrypted to also save them somewhere on the server in plaintext
Step 3: ????
Step 4: Profit!
Off the top of my head: assume they do actually have access to a working email account. (Pushing the 'password reset' problem onto the email provider, in effect.) But if everyone did this, you'd only need one password anyway...
Log them in by sending a one-time link to that email that sets an authentication cookie. They want to log in again, they click 'log in' and get a new link via email.
I failed to create an account with a certain UK bank because they required me to provide answers to 3 of 10 'secret questions' and I didn't know/have answers to any of them..
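The one-time e-mail link described above, as an added example that is not part of the original post: the server keeps only a hash of each token, a link expires after a fixed time and can be redeemed once. The store, the URL and the addresses are assumptions made up for this example.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # constructed choice: a link is valid for 15 minutes


class MagicLinkStore:
    """Holds only the SHA-256 of each issued token, never the token itself."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token_hash -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh 256-bit token and return the URL to e-mail to the user."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + LINK_TTL_SECONDS)
        return f"https://example.test/login?token={token}"  # hypothetical URL

    def redeem(self, token: str):
        """Return the e-mail to log in, or None. A token works at most once."""
        # pop() makes the link single-use; lookup is by hash, so a leaked store
        # does not yield usable links.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, already used, or forged
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # expired links are discarded, not honoured
        return email


def demo() -> dict:
    """Walk through issue -> redeem -> replay -> expiry and return the outcomes."""
    clock = [1_700_000_000.0]  # constructed, controllable clock
    store = MagicLinkStore(now=lambda: clock[0])
    link = store.issue("alice@example.test")  # constructed address
    token = link.split("token=", 1)[1]
    first = store.redeem(token)   # valid: logs alice in
    replay = store.redeem(token)  # same link clicked again: rejected
    link2 = store.issue("alice@example.test")
    clock[0] += LINK_TTL_SECONDS + 1  # user clicks too late
    late = store.redeem(link2.split("token=", 1)[1])
    forged = store.redeem("A" * 43)  # guessed token of the right length
    return {"first": first, "replay": replay, "late": late, "forged": forged}
```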
E.g. I don't have a 'Favourite colour' because I'm not 7.
As I responded to a complaint of "You only changed one line of code, why did it take so long?"
"Changing one line of code: 3 minutes"
"Changing the right line of code: 3 weeks"
These days it's all in the big blue bin marked 'confidential shredding'... which someone comes every day to wheel out, without anyone checking their ID.....
Those pen testers were clearly idiots then.
Besides, since when have penetration tests been 'pass or fail'? Normally they return a long list of recommendations of varying degrees of severity. Do you mean they raised the existence of robots.txt as an issue? If so, what severity issue was it? If it was 'informational', I can see their point...
Lots of people saying 'Old news', of course it is, but that does beg the question of how so many sites still get it so badly wrong?
One genuine failing in the article is that it doesn't even mention the right solution, which is to use a Robots meta tag within resources you want to hide like
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
So the file will be ignored IF a spider finds it, but won't be advertised via the robots.txt file. This only works for HTML resources, though.
The bigger 'take away', of course, is the fact that you should never rely on obscurity as your only security; if you don't want files to be accessible; block/control access on the server-side.
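As an added example (not from the original post): a small audit that lists what a robots.txt advertises and checks each path against the server-side access policy, flagging the ones that rely on obscurity alone. The robots.txt text and the access-control map are constructed for this example; the policy lookup stands in for whatever the real server enforces.

```python
# Constructed robots.txt of the kind the article discusses.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db-dump.sql   # comment, ignored by the parser
Disallow: /drafts/press-release.html
Allow: /
"""

# Constructed stand-in for the server's real access control:
# path prefix -> True if anonymous users can fetch it, False if it needs login.
ANON_READABLE = {
    "/admin/": False,
    "/backup/": True,
    "/drafts/": True,
}


def disallowed_paths(robots_txt: str) -> list:
    """Return the paths a robots.txt publicly advertises as 'do not crawl'."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:  # an empty Disallow means 'nothing disallowed'
                paths.append(path)
    return paths


def anonymously_readable(path: str) -> bool:
    """Longest-prefix match against the constructed access policy."""
    match = max((p for p in ANON_READABLE if path.startswith(p)), key=len, default=None)
    return True if match is None else ANON_READABLE[match]


def audit(robots_txt: str) -> dict:
    """For each advertised path, say whether server-side control protects it."""
    findings = {}
    for path in disallowed_paths(robots_txt):
        if not anonymously_readable(path):
            findings[path] = "access controlled server-side"
        elif path.endswith((".html", ".htm")):
            findings[path] = "public; a ROBOTS meta tag only hides it from spiders"
        else:
            findings[path] = "public non-HTML; meta tag cannot help, restrict access"
    return findings
```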
"On-board avionics are secured through fire-walls " Surely implying that they're separated by software only, and not air-gapped... anything is possible.
Only if an act of parliament is passed allowing the TV license man to hack into your PC...
You missed the bit where it says:
“enactment” means any enactment, whenever passed or made, contained in—
an Act of Parliament;
an Act of the Scottish Parliament;
a Measure or Act of the National Assembly for Wales;
an instrument made under any such Act or Measure;
any other subordinate legislation (within the meaning of the Interpretation Act 1978);
11:10, to anyone wondering if/when he shows it working.
It's a bit more subtle than that, but not much more. I think it's a nasty script that is also a valid JPEG. So if you check that the user has uploaded a valid JPEG, it works, but it also executes as a valid .aspx.
"That's a nice website you've got here, would be a shame if something was to ... happen to it."
I think, from prolonged observation of the 'digital' tribe, they are talking about what we used to call 'software', normally web applications and mobile applications with some sort of back-end.
The main distinguishing feature of 'digital' over 'software' is that the products have names that are comprised mostly of made up words that sound like real words; and the logos have rounded corners. Very much like the teletubbies.
As someone said, Joseph Bazalgette became famous for pumping shit OUT of people's homes...
I've seen an enterprise-level finance package that 'encrypted' its passwords using ROT-1
We read it, but reject the assertion that downvoting your post makes us 'look dumb.' Besides, for the non-technical user trying to hide files from their non-technical friends this encryption scheme is probably sufficient.
Good to see el Reg living up to its famed journalistic integrity... Reporting on what the Telegraph said that GCHQ said, rather than bothering to read the report.
On mobile phones, they ACTUALLY said:
“Mobile working offers great business benefit but exposes the organisation to risks that will be challenging to manage. Mobile working extends the corporate security boundary to the user’s location. It is advisable for organisations to establish risk-based policies and procedures that cover all types of mobile devices and flexible working if they are to effectively manage the risks.”
As their FAQ says:
"..backers must understand that Kickstarter is not a store. When you back a project, you’re helping to create something new — not ordering something that already exists. There’s a chance something could happen that prevents the creator from being able to finish the project as promised"
Then no, you didn't misunderstand at all.
The problem is that, without scanning all traffic, it's impossible to identify which bits of data are to/from your suspect. If they have a device that you're not aware of, or use a properly encrypted VPN connection to get onto the interweb (or both), how do you find which traffic is from them without reading it first to find out?
Because a barge can move many hundreds of miles around the sea to catch stages that finish their burn at different times/places.
More practically there isn't a desert to the east of Florida until you get to the Sahara, and the first stage wouldn't make it that far and have enough fuel to control its descent.
Except when the legitimate domain for the secure site is something like bankname-online.com rather than bankname.com. If the phisher used bankname-secure.com, how would a user know the difference?
My record is 2 hours, and I got them to call me back 3 times...
I can't be the only person who cares whether a game is fun first and foremost...
Definitely feel sorry for people who can't play because it's on-line only; but a lot of people seem to be having a tantrum over "BUT I WANTED OFFLINE PLAY" and forgetting to actually enjoy the game....feel even more sorry for them.
Do you also propose licensing LiPo batteries, brushless motors, polystyrene and radio control transmitters (which can also be used for RC cars/boats)?
Because if you're not, anyone with YouTube and a hot glue gun could make a 'drone' without a license.
In game theory that's called the Minimax Algorithm: find the 'worst case' outcome of every action, and pick the action with the best 'worst case.'
Probably not; the actual complaint seems to be that it doesn't metaphorically 'give you wings' any more than anything else with caffeine in it, rather than the fact it doesn't literally give you wings.
The suit says:
“Even though there is a lack of genuine scientific support for a claim that Red Bull branded energy drinks provide any more benefit to a consumer than a cup of coffee, the Red Bull defendants persistently and pervasively market their product as a superior source of ‘energy’ worthy of a premium price over a cup of coffee or other sources of caffeine.”
Yep! People have been selling stolen client lists for decades. It would also be a goldmine for social engineering, e.g. if MegaSoft was using Salesforce for post-sales support, you could find a user with an open trouble ticket and send them some malware as a 'fix.' Only the very paranoid would spot that one.
What the author is trying to demonstrate is that he's been asked by an editor to jump on the 'Exam results' bandwagon, so had to make something out of the IT results regardless of whether there's any real story.
"To be fair, public or private seems to be absolute no barrier to being utterly clueless "
Fixed that for you
They seem to be shy to say how many of those arrested were actually charged, and subsequently convicted of anything.
So this story so far is that 660 people are innocent of any wrongdoing (until proven otherwise)..... which is a bit of a non-story.
To be fair, a lot of the people who call the office claiming to be "Calling From Microsoft" don't actually work for Microsoft either
There's an argument that one of the IBM chess-playing supercomputers passed the Turing test, not because it beat Kasparov, but because he was convinced that one particular move had direct human intervention.
"Stephen Fry is an English comedian, actor, writer, presenter, and activist" ... Why exactly should we care that he made a mistake about network protocols?
The sound of the 'Degauss' button on a CRT monitor that hasn't been degaussed in years is one of the best sounds in the world :)
Unless I'm sorely mistaken, the NSA were operating in 2001, and quite evidently didn't succeed in protecting anyone from anything.
The most interesting question is whether we're building our economy on systems that we have no right to believe will be available to us for as long as we would like.
If Amazon decided that 'cloud' was no longer something they wanted to be involved in and turned all their AWS servers off with the minimum notice; unless one of the other providers made the commercial decision to pick up the slack (And had the capacity) there would be a lot of companies that wouldn't survive, and the people using the services of those companies would struggle for a bit too.
I know that under-using them allows resistant bacteria to survive; I just don't know if over-using them is an issue.
The mental illness one sounds too easy to not be a trick question.. I'd actually be hesitant with that one.
The age of the universe/world, I have no idea if those numbers are correct. I also know that the 'big bang' theory fits all of the observable evidence, but the way that question is worded makes it sound a bit too simplistic for me to say it's absolutely true.
Well I can tell you, lots of pen-testing companies don't do due diligence! I don't ever remember a pen testing firm asking me to confirm my identity...
I've always wondered that. E.g. if someone called me asking for a penetration test to be performed on their network, signed all the normal contracts etc., then turned out to be either someone without the proper authorization or someone completely unrelated to the company... who would be liable? Is there a precedent for this sort of thing?