* Posts by Entropy

8 publicly visible posts • joined 13 Jun 2007

New Jersey bans sex offenders from the web

Entropy

@Andus McCoatover

"Better, maybe would be a star of David. That used to work....Once, in Adolf's time."

See http://en.wikipedia.org/wiki/Godwin's_law

Sony bundles rootkit-like software on USB drive

Entropy

@ Everyone who seems to think that invisible = secure

"So what happens if someone deletes your visible folder? I'll tell you what happens: the owner of the finger is screwed."

A folder being visible does not mean that it can be deleted, and its being invisible (though I don't know how a folder can be kept hidden from the OS) does not mean that it cannot be.

If there are proper permission settings such that only an admin has access to the folder, that is enough security. If you can tamper with it then you've already gained admin access. I really don't see how being invisible to the OS adds any security. Of course it will prevent the regular user from noticing it, but it sure wouldn't stop an experienced hacker, which is precisely what it claims to do.

Geek Squader gets fruity with customer porn

Entropy

@ All the people saying "They shouldn't look through our files"

If you don't want your files to be looked at then simply move them to a different location before handing in the computer (and if it's really sensitive data, it's better to wipe it entirely, and better yet to have it encrypted). When you go to that shop and hand in the computer for repair, though it is true that you don't give those people permission to "rummage" through your files, there's nothing stopping them from doing so.

>Happily, I'm never going to have to use such a place, and my friends all know better than to trust their privacy to some pimply kid in a computer shop.

I wouldn't trust my PC to anyone, and it's not just a privacy thing. I'm just happier knowing *exactly* what is on there, even if that means hours spent reading documentation to fix a particular problem.

iPhone autopsies conducted

Entropy

@Jim

>Also, why would the fact that the 1st gen iPod had a dud battery be of any significance? Particularly when they have produced a further 4 generations without the same problem...

Well, I bought a 2nd generation iPod mini a year and a half ago and it also had a bad battery (and there are other people I know who had battery trouble with that particular generation). After about 3 months with me it became almost unusable (it would die after about 30 min of playback).

Right now, I still have that iPod but I only use it in the car with a power adapter (it can hold way more music than a CD and my player has an auxiliary input), so it is still useful in a way, but it is definitely not flexible in how I can use it. If the battery had been replaceable (even though I had a guarantee, they refused to replace it for me) I would still be able to use my iPod normally. Although this was quite annoying, it would be way worse to buy an iPhone only to find that the battery has died on you after 3 months of usage.

>Apple has analysed how people ACTUALLY use their phones and come up with the shock finding that 99% of them never replace the battery

Apple stated that they expected as many as 10 million people to buy the iPhone, so that's 1% => 100,000 people who will pay $500+ for a phone with a bad battery they can't replace?

Blogosphere is the net spawn of Satan: official

Entropy

Re: Gloyn?

>Wasn't he a character in The Hobbit?

Yep. And his son Gimli is one of the main characters in Lord of the Rings :)

So what's up with:

>Another web inspired word I've heard bounded around recently. This should be cast away really, the meaning is far too disgusting for a nice wholesome publication like El Reg.

Anti-hacking laws 'can hobble net security'

Entropy

Re: Great Train Robbery Revealed to be a Security Survey

@Keith T

The real problem in security is not people who test the security of websites (even illegally); it is the lazy, careless and negligent webmasters and so-called IT professionals, and the way security is dealt with in general. I will take an example from a close but different field to illustrate: cryptography.

A cryptographic algorithm is not considered secure if its inner workings are unknown and it is just claimed to be secure by its creators. It is especially not secure if its security relies on its workings being secret. An algorithm is only considered to be secure if its workings are fully public and it has been tested by professionals and non-professionals alike for flaws and none have been found.

The same is true of websites. A website's security should not rely on the inner workings of the website remaining secret and its being untested by anyone other than the creators and contracted professionals. Having that would be irresponsible, as any flaw that was not spotted by them could be spotted by a malicious person and exploited.

If the "amateurs" and "joyriders", as you call them, test a website's security, it shouldn't be a problem for your "IT professionals"; in fact, unless their intent is to harm or is malicious in any way (and we are not talking about those kinds of hackers, are we?), they are a great asset to webmasters. Indeed, non-malicious hackers don't publish flaws immediately; they contact the webmaster and warn them. If the webmaster doesn't take action then it is their own fault, and publishing the results is very ethical, since it would help warn unsuspecting users that their information is potentially at risk (and has probably been compromised) and that they should take whatever actions they deem necessary.

Webmasters should respond quickly to warnings about their security, especially if they have sensitive information about users (credit card numbers, social security numbers, etc.). They should be grateful for the amateurs who find flaws and warn them about them, since that helps them fix those flaws so that they are not exploited by malicious attackers.

I am sorry that this turned into an unplanned rant... I just hate it when somebody brings such stupid sentences out of their ass and cites them as fact: "These amateurs, joyriders, vandals and extortionists are a real problem for IT professionals."

And there I was thinking that the real problems were the script kiddies, spammers, bot-net owners, worm makers and malicious attackers.... But no, no, the real problem was those people looking for security flaws in websites and reporting them to the webmasters.
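As an added illustration of the point above about secret algorithms (example code written for this page, not from the article or the commenter): a hypothetical closed "proprietary" cipher whose only secret is a fixed internal table falls to a single known plaintext/ciphertext pair, after which every message it ever produced, for every user, is readable. The table, the message texts and all function names are constructed for the example; nothing here describes a real product.

```python
"""Why "the algorithm is secret" is not a security property.

SECRET_TABLE stands in for the hidden constant inside an unpublished cipher
(constructed for this example). The attacker is assumed to know only that the
scheme is byte-wise and periodic, the kind of fact that leaks from a binary in
minutes, and to hold one plaintext/ciphertext pair, e.g. a welcome page whose
text is public. Nothing here is a real vendor's code.
"""

# The vendor's "secret sauce": a fixed 16-byte table XORed over the message.
SECRET_TABLE = bytes.fromhex("8f1c2ad34be07651c9b2a8f30e47d1c5")


def obscure_encrypt(plaintext: bytes) -> bytes:
    """The closed-source cipher. No per-user key, only the hidden table."""
    period = len(SECRET_TABLE)
    return bytes(b ^ SECRET_TABLE[i % period] for i, b in enumerate(plaintext))


def xor_with_table(table: bytes, data: bytes) -> bytes:
    """Apply a recovered table; XOR is its own inverse, so this decrypts too."""
    return bytes(b ^ table[i % len(table)] for i, b in enumerate(data))


def guess_period(ciphertext: bytes, known_plaintext: bytes, max_period: int = 64) -> int:
    """Find the smallest period consistent with one known pair.

    The keystream is plaintext XOR ciphertext; for a periodic cipher it must
    repeat, so the first period under which every byte matches is the answer.
    """
    keystream = bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))
    for period in range(1, min(max_period, len(keystream)) + 1):
        if all(keystream[i] == keystream[i % period] for i in range(len(keystream))):
            return period
    raise ValueError("no period up to max_period fits the known pair")


def recover_table(known_plaintext: bytes, known_ciphertext: bytes, period: int) -> bytes:
    """Known-plaintext attack: one full period of known text yields the table."""
    if len(known_plaintext) != len(known_ciphertext):
        raise ValueError("plaintext and ciphertext lengths differ")
    if len(known_plaintext) < period:
        raise ValueError("need at least one full period of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:period], known_ciphertext[:period]))


def demo() -> dict:
    """Run the attack end to end on constructed messages."""
    # One public message whose ciphertext the attacker captured.
    known_pt = b"Welcome to the customer portal. Please log in."
    known_ct = obscure_encrypt(known_pt)

    period = guess_period(known_ct, known_pt)
    table = recover_table(known_pt, known_ct, period)

    # A different, sensitive message from a different user, same "secret" cipher.
    secret = b"card=4111111111111111;cvv=123"  # constructed sample data
    intercepted = obscure_encrypt(secret)

    return {
        "period": period,
        "table_recovered": table == SECRET_TABLE,
        "plaintext": xor_with_table(table, intercepted),
    }


if __name__ == "__main__":
    result = demo()
    print("period:", result["period"])
    print("table recovered:", result["table_recovered"])
    print("decrypted:", result["plaintext"].decode())
```

The attacker never needed the source: one leaked document was enough to strip the "secret" out of the algorithm for good, because the table is shared by every user and every message. A published cipher is designed so that a known plaintext/ciphertext pair tells you nothing about the key, which is why the key, and only the key, is what has to stay secret.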

Fancy an earful? Click here for tech support

Entropy

So, he found the commented link in the source....

But he couldn't find the download link in the first page? How did that happen?

Security researchers poke holes in Safari

Entropy

@Igor Mozolevsky

Being able to cause a client's browser to crash just by serving them a web page or redirecting them to a certain URL would count as a denial of service (it would also interrupt downloads and such).

>So every time my windows box crashes, I'll file a critical DoS vulnerability with Microsoft?.. Huh?..

If that crash was induced by an outside attacker then yes. But certainly not every time Windows crashed, or Microsoft would be flooded with people filing critical DoS vulnerabilities.

>Just because something is *designed* to be secure, doesn't make it secure because of various other steps/technologies involved... Have people stopped reading security books???

And what technologies might those be? Are you saying that the security vulnerabilities found in Safari come from *other* applications/steps/technologies and not from Safari itself? So why didn't they manifest themselves except in Safari?

>Don't make me laugh - you can write a malformed URL, which gets parsed (presumably by MS's URL parser)

Wow, you sound like you know what you're talking about; I'm sorry if someone made you laugh. Now tell me, please, why would Safari utilize an MS URL parser? And if that is the case (though it is not), why don't other browsers crash with that same URL? Please, laugh all you want, but keep your urges to flame people based on dumb misconceptions to yourself.