How did all my fellow Linuxtards miss the sarcasm in that first COTW? Buncha hardcore 'spergs? Never seen Win8.x? Even XFCE has more bling than this throwback to the 80s. And in terms of technical fuckery, systemd's got nothing on it.
291 posts • joined 4 Feb 2011
Re: Alternatives? [and weird Java requirements]
Just put a shortcut/symlink to the binary on your desktop. Better than having Java.
Re: There are benefits...
You can auto-update by running wp-cli from a cron job.
Dumping WP sounds like the best solution though.
Yeah, this is easy to overlook - just a bit of JS in an HTML file. Only problem is, it's using unsanitized input from window.location.hash, and it's found in predictable locations on target sites. The hardest part of exploiting it is tricking an admin into clicking a crafted URL.
The WTFs are that the offending JS was newly added window dressing (it's not in the twentyfourteen theme's example.html) and that something so innocuous is enough to own WP or any CMS.
Nuke icon because WWW doomsday is coming...
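The pattern the post above describes, as an added example (not code from the original post or from any WordPress theme): a demo HTML page that reads window.location.hash and writes it into the page unescaped, beside two hardened versions. The "icon preview" element, the regex for an icon name and the payload are constructed for illustration.

```javascript
// Added example (not code from the original post or from any WordPress theme):
// DOM-based XSS where a theme's demo HTML page reads window.location.hash and
// writes it into the page unescaped. Element names, the icon-name pattern and
// the payload below are constructed for illustration.

// Read the fragment safely: decodeURIComponent throws on malformed %-sequences,
// and an unhandled exception here would just leave the page broken.
function readFragment(hash) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return "";
  }
}

// VULNERABLE: the fragment becomes markup. In a browser this is
//   document.getElementById("preview").innerHTML = ...
// The fragment is never sent to the server, so no server-side filter and no
// access log ever sees the payload; only the victim's browser does.
function renderVulnerable(hash) {
  return '<div id="preview">' + readFragment(hash) + "</div>";
}

// FIX 1: escape before interpolating (the string equivalent of textContent).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderEscaped(hash) {
  return '<div id="preview">' + escapeHtml(readFragment(hash)) + "</div>";
}

// FIX 2 (preferred): validate against what the page actually expects. An icon
// name is a short token, so anything else is rejected outright.
const ICON_NAME = /^[a-z0-9-]{1,40}$/;
function renderAllowlisted(hash) {
  const name = readFragment(hash);
  return ICON_NAME.test(name)
    ? '<div id="preview" class="icon-' + name + '"></div>'
    : '<div id="preview"></div>';
}

// Constructed attack fragment. Because the link points at a page on the site's
// own domain, the injected code runs with whatever cookies the victim holds;
// a real payload would perform an authenticated admin action instead of alert().
const PAYLOAD = "#<img src=x onerror=alert(document.cookie)>";

console.log(renderVulnerable(PAYLOAD));   // <img ... onerror=...> reaches the DOM
console.log(renderEscaped(PAYLOAD));      // &lt;img ...&gt; shown as text
console.log(renderAllowlisted(PAYLOAD));  // empty preview: payload rejected
console.log(renderAllowlisted("#icon-search"));
```

The allowlist version is the one to ship: escaping fixes this sink, but a regex on the expected shape also protects whatever else the name is later used for (class attributes, URLs) without having to escape for each context.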
Re: Good idea
Have an upvote, even though I loathe Android and Ubuntu. Nokia actually had a few decent OSes, but alas... Microsoft.
The reason switching mobile OSes is such a pain: too much locked-down proprietary hardware, and douchebag manufacturers and carriers. OSdevers have better things to do.
That bored, huh? I've got better things to do. Mint MATE is working, not great, but better than my old pre-systemd Debian desktop. I can't imagine any improvement from systemd (which I've experienced in Fedora 17-18) or the Ubuntu stuff that Mint excludes for a reason.
And conversely, if you don't want spooks sniffing your metadata (say you're reading anti-government blogs in China, or merely NSFW at work) then HTTPS isn't enough. Hell, Tor isn't enough unless it's baked into the net so that using it isn't a red flag.
You're probably right. Apparently I live in a remote oasis where Yelp is spot on - which surprises me. I've never seen another ratings startup that hasn't been gamed into irrelevance. As far as I can tell, most are outright pay-for-ratings scams.
heh... Yelp stock crashed 25% a couple days ago.
Yelp is the only useful one on the list. Everyone running a US business in the last 5 years remembers Google's blatant campaign to eat their lunch by incorporating business reviews into Maps and G+. If that's not abuse of dominance I don't know what is. I wouldn't say it worked here, but maybe it did in Europe.
Re: Targeting platforms not OSes
WordPress is also egregious; I relented a few years ago and started working with it, thinking my opinion of it was too harsh... nope, it's far worse than I imagined. Why does everyone use it? It's a cult of noobs, feeding the hype cycle until they awaken, too late, to the monstrous reality of it...
Windows 8 already has an identity crisis. This won't help.
Useless for iOS/Android testing because it's not the real thing. I would be surprised if Apple's and Google's own apps don't refuse to run on it. There'll be compatibility problems too.
MS store is still a joke, right? Nobody needs another stupid app store.
You can get owned by a ~200-char comment.
Re: Ah Comments.
Don't forget to block the retarded 'pingback' stuff. I saw a few XSS attempts coming in through that backdoor.
I'll get me coat... had enough of WP's crap security and emergency updates.
Re: Surgery Via A Stallite Link???
Not to mention, satellite links can be hacked.
Yep, it's a great size, beautiful screen, just needs a better OS. I stopped at 4.4 and performance is so-so, and Android just ... sucks. I'll have to put Cyanogen or something on it if I want to get a decent lifespan out of it. Which I do, seeing how nobody's making anything I like these days.
That's Velv's argument, and I'll second it. The web is not the internet - no need to play ball with bureaucrats who insist it is. Let their censored networks become useless.
Re: bureaucrats rather than techies
Tried the load balancer approach recently. Good idea, should've been easy, but no such luck.
Ting has Sprint + T-Mobile now too, though not on the same SIM. Neither network is as good as Verizon's out here, but at $6/mo per device with volume discounts for increased usage, that's a trade I'm happy to make.
Re: I've got it now.
I did that a few years ago, if you want to call it a screensaver. Probably not the first.
I've attempted enough JS game programming to have a pretty good idea how this attack works. Create a TypedArray containing the OS keyboard driver structure for each key. Every ~50ms, read them all, measuring each access time. If it's fast, and it was slow last time, that key was just typed.
Countermeasures: type your pw super fast. Transcode 5 videos at once to bust the cache. Stop everything to stagnate the cache. Run a program that simulates random key/mouse event structures used by all common OS drivers and other programs that handle keyboard input (good luck with that). Dump passwords in favor of keys, biometrics, etc.
This could be the Tacoma Narrows Bridge of future computer engineering 101 courses. :)
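The inference step of the cache-timing keylogger sketched above, as an added example that is not part of the original post: the "fast now, slow last time" edge detector, run over a constructed stream of probe timings instead of real cache probes. In the real attack each number would be the measured access time of one TypedArray slot that shares a cache line with one key's entry in the keyboard driver's state; here the latencies, key set and timestamps are made up so the logic runs offline, and the last probe window shows the "type fast" countermeasure in action.

```javascript
// Added example, not from the original post: the inference step of the
// cache-timing keylogger the post sketches, over a constructed probe stream.
// Latencies (in "cycles"), keys and timestamps are made up for illustration.

const KEYS = ["a", "b", "c", "d"];

function median(values) {
  const s = [...values].sort((x, y) => x - y);
  return s[Math.floor(s.length / 2)];
}

// Calibration: the attacker first times known-cached and known-evicted reads
// and splits the difference. Probe timings are noisy, so medians, not means.
function calibrateThreshold(cachedSamples, evictedSamples) {
  return (median(cachedSamples) + median(evictedSamples)) / 2;
}

// rounds: [{ t: ms since start, times: [latency per key] }, ...], one per ~50 ms.
// A keystroke is inferred when a key's slot is fast now but was slow last
// round, i.e. something (the driver handling that key) touched it in between.
function detectKeystrokes(rounds, threshold) {
  const events = [];
  let prevFast = null;
  for (const round of rounds) {
    const fast = round.times.map((latency) => latency < threshold);
    if (prevFast !== null) {
      fast.forEach((isFast, i) => {
        if (isFast && !prevFast[i]) events.push({ t: round.t, key: KEYS[i] });
      });
    }
    prevFast = fast;
  }
  return events;
}

// Constructed probe stream: ~200 = evicted, ~40 = cached.
// "a" is typed around t=100, "c" around t=200, then "b" and "d" land inside
// the same 50 ms probe window around t=300.
const CALIBRATION = { cached: [38, 41, 40, 45, 39], evicted: [190, 210, 205, 198, 220] };
const ROUNDS = [
  { t: 0,   times: [200, 205, 198, 210] },
  { t: 50,  times: [199, 203, 201, 207] },
  { t: 100, times: [40,  201, 199, 208] },
  { t: 150, times: [195, 204, 200, 207] },
  { t: 200, times: [203, 199, 42,  206] },
  { t: 250, times: [201, 200, 197, 209] },
  { t: 300, times: [199, 39,  202, 44]  },
  { t: 350, times: [204, 198, 200, 205] },
];

function runDemo() {
  const threshold = calibrateThreshold(CALIBRATION.cached, CALIBRATION.evicted);
  return detectKeystrokes(ROUNDS, threshold);
}

// Two keys hit within one probe window come out with the same timestamp: the
// attacker learns the set {b, d} but not the order. That is exactly what the
// "type your password super fast" countermeasure buys you, and no more.
console.log(runDemo());
```

Note what the detector cannot see: a key that stays fast across rounds (held down, or re-touched by some other process) produces no further events, and any process that touches the same lines on its own schedule shows up as phantom keystrokes, which is why the noise-generator countermeasure in the post works in principle.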
I used just enough oil... strained the excess back into the pan for step 2. Turned out just fine.
Re: Nail -> head - missed totally.
My town is actually very good about potholes, plowing, parks, drinking water, and hopefully broadband soon. I don't have a problem with paying property tax. It's not the fairest but it's simple and non-intrusive.
The IRS and the state income/sales taxes, on the other hand, require mountains of paperwork and as discussed below, are really starting to undermine basic human rights worldwide. These taxes were banned by the US constitution for good reason. Unfortunately those protections were trashed in WW1 and we're still suffering 100 years later. WTF.
Is this the plan?
1. Deprecate the CAs
2. We'll stop laughing, maybe
4. Encrypted connections to ALL privacy-invading websites!!!
Re: This is the problem I have with auto-updates generally
Exactly... Chrome/Android apps already have a reputation for abusing auto-updates to foist adware and malware.
The Android (and Chrome?) permission system is a complete joke, too. Updates can grab additional permissions within a group - approx location -> precise location for example - without notice to the user.
Took long enough
This issue was well known in WordPress ... WordPress!!! ... forums a few months back. Of course, a bunch of those people stuck their heads in the sand. And they hold the keys to a bazillion websites.
If the Chocolate Factory actually produced poisoned chocolate, billions would've died by now. But it's only privacy at stake...
Sit back and enjoy the trainwreck :D
Re: Requires a valid nonce?
@Robert, unfortunately your outdated knowledge is closer to the truth. I recently had a look at WP's perverted nonce code, and... it's NOT a cryptographic nonce (number used once). You can use it as many times as you want for 12-24 hours. Seems near worthless for security purposes.
As I remarked yesterday, Android apps are 99% crap. I'd rather run vanilla Linux on Android hardware, thank you.
I'm pretty sure the amount of crap extensions is closer to 99%. Same with Android apps.
General rule: if I can't read the code, I don't install it.
Re: Will there be a jury trial?
Nah, these guys know the game is rigged. Also, considering public opinion of cops these days, they're practically guaranteed a conviction on all counts. Et tu...
And the same old shitty software, with more eyecandy and bugs.
Re: Blaming it on the SatNav in ... 3, 2, 1
"Siri, where can we get some Mead around here?"
Will browsers finally ban cross-site JS?
I can see CORS becoming mandatory for JS this year... Chrome and Firefox start it; site owners jump to keep their analytics working; IE9-and-under users have to upgrade. That would break half the internet, but if this kind of attack becomes rampant it'll break the whole thing.
High-end hosting biz needs VC marketing money to chase low-end growth market.
There goes the high end.
Re: Few missing questions
They didn't even tell users to change passwords, just said they use bcrypt which is one-way. Uh huh, sure.
This doesn't surprise me given their primary userbase: wordpress users.
Safe Harbor is a joke
I actually looked into it years ago when working on a website to market US crap to Europe. Basically it exempts US companies from most EU privacy laws. All of them, if you consider that it's enforced by our Commerce Dept which really doesn't give a flying fuck about your rights.
CMake is pretty nice for cross-platform C++. Beats the hell out of VS; I can't imagine MSBuild being much better except that it's not(?) tied to a friggin' IDE.
Cut to the chase
Security starts with chip fabrication and involves every bit of code in every little peripheral microcontroller. So maybe when "silicon printing" becomes as accessible as 3D printing is today, security will start to become practical... for 1970s-PC-level hardware barely capable of encrypted text messaging. One would need to learn enough about circuits and VLSI to verify that the schematic matches the mask matches the finished product under a microscope. Think that's too hard? You haven't done web-dev lately...
The endgame, decades from now, is 100% open hardware *and* software that's simple enough to give end users real control. If anybody ever cares about that...
I'd have to install their mobile app and give them my CC#... hell no.
Besides, most of my FB friends live within throwing distance :)
Re: Conspiracy of Optimism
Nah, we hate our own crap code. However, we hate other people's crap even more. Some of us, anyway, sometimes. Most coders don't give a shit.
Re: "has to be written in C"
You can write crap code in any language, yep. I worry more about PHP, SQL injection, and XSS than I do about OpenSSL. Of course that's because I don't pretend it's possible to build secure websites.
To be fair, I see tons of security patches coming through for C libs used in web servers/browsers; those concern me. It's too bad that C didn't evolve a bit further before becoming the de facto standard systems language.
Re: Or, just *maybe*
lol.. the conspiracy theorists are way ahead of you. That's exactly how I first saw this story, days before The Register picked it up.
If it.sucks is taken, you'll just have to take it to the next level... it.sucks.ass perhaps.
In all seriousness, this tld is going to suck. What are the chances that the first person to register a this.sucks domain is going to be a good critic of said thing?
Re: One page?
Wow, it is long. Marketing fail, hahaha
Re: Even better idea.
I'll take a guess... management run Windows (evidenced by all those leaked PPT slides) and the techies are forced to use a clunky locked-down Linux distro that doesn't have all the latest security patches, let alone patches for the secret vulns NSA created/discovered. This is a government agency we're talking about.
I suspect that a lot of ad networks are run by sketchy people, so it's no surprise if they allow outright criminals to use their services to distribute spam and malware.
So ought there be more laws against this? No, we just need more secure systems/networks.
The person you really need to talk to isn't in this system because your company didn't deem them worthy of a license fee. Not that they have time for this shit, anyway...
Re: oh well
Hackers will find a way to edit binary logs, or simply delete them. Remote logging is the proper solution for that.
Huge text logs are actually pretty manageable. If they're up in the gigabytes range, you're probably running a huge internet empire and already remote logging to a central cloud database. But that's overkill for the other 99.9999% of users.
Mainframes didn't exist in the sixties! We're not reinventing them even worse than before!
Re: Color management
Good question. Works for me, on Linux at least. Check your about:config - if you have old custom settings for gfx.color*, try the defaults.
I got an 840 *and* an 850 a couple months back. If Samsung doesn't come up with a fix that doesn't involve transplanting my SSDs into a Windows box I'm just gonna wipe 'em, give 'em to some kid who's got time to patch 'em, and replace them with Intel SSDs, and blacklist Sammy for a few years.
....should lose its root cert for doing this. Browser vendors could revoke it unilaterally.
And then there'll be, what, 2 major SSL CAs? And when their conflicts of interests come to light, there'll be zero, and SSL will finally die.
Wishful thinking, I know...