* Posts by Lucasjkr

23 posts • joined 26 Feb 2013

Badmins: Magento shops brute-forced to scrape card deets and install cryptominers

Lucasjkr

Default passwords?

Does Magento have default passwords? I'm doubting it. Opencart doesn't, but it's mentioned here too. More the problem is that people are using stupid passwords when they set up their sites. "admin/admin" or "admin/password". It doesn't take a rocket scientist to figure that out.

But unless something's completely wrong with Magento, it doesn't seem fair to throw them under the bus. It's the site owner and possibly their developer that are leaving these sites wide open to being hacked.

Worse is that many of these sites are deployed on shared servers, which means that, because of the default security, anyone with a hosting account on one can go on to read the files in every other account's home directory. Including database credentials! At that point it's game over.

Opencart USED to use a combination of MD5/SHA1 that would be easy to brute force. In Opencart 3, it moved to bcrypt (I was responsible for the pull request). A trip to GitHub says that Magento still uses MD5 or SHA256 for its password hashes. This doesn't do anything for the security of the server itself; it only helps protect passwords from being guessed offline.

Really, there's too much money at stake. I'd be surprised if credit card processors allow customers to connect from shared servers for much longer.
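A check for the shared-host exposure the post above describes, added here as an example and not code from the post or from Opencart or Magento: it walks a hosting root, reports configuration files that another local account could read (the file is world-readable and every directory between the root and the file is world-searchable), and then tightens them to owner-only. The file names, the two-account directory layout and the temporary directory are assumptions for the demo. The caveat a practitioner would add: on a real shared host the web server user still has to read the file, so chmod alone is a stopgap; the lasting fix is per-account PHP-FPM pools, suEXEC or equivalent so that each site's PHP runs as its own user.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names that typically hold database credentials in shop/CMS installs.
# This is an assumed list for the demo; extend it for your platform.
SENSITIVE_NAMES = {"config.php", "env.php", "local.xml", ".env", "wp-config.php"}


def readable_by_other_accounts(path: Path, root: Path) -> bool:
    """True if another local user could read this file (POSIX mode bits only).

    Another account reaches the file only if the file itself is world-readable
    AND every directory between root and the file is world-searchable (o+x).
    The root itself (e.g. /home) is not the account's responsibility and is skipped.
    """
    if not path.stat().st_mode & stat.S_IROTH:
        return False
    for parent in path.relative_to(root).parents:
        if parent == Path("."):
            continue
        if not (root / parent).stat().st_mode & stat.S_IXOTH:
            return False
    return True


def find_exposed_configs(root: Path) -> list[str]:
    """Walk root; return sorted relative paths of sensitive files other accounts can read."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in SENSITIVE_NAMES:
                p = Path(dirpath) / name
                if readable_by_other_accounts(p, root):
                    exposed.append(str(p.relative_to(root)))
    return sorted(exposed)


def lock_down(path: Path) -> None:
    """Owner read/write only (0600): other hosting accounts can no longer read it."""
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed shared-host layout in a temp dir, scan it, fix it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Two hosting accounts with the permissive 755 directories most umasks produce.
        for account, fname in (("acct1", "config.php"), ("acct2", "env.php")):
            app = root / account / "public_html" / "app"
            app.mkdir(parents=True)
            for d in (root / account, root / account / "public_html", app):
                d.chmod(0o755)
            cfg = app / fname
            cfg.write_text("<?php return ['db' => ['password' => 'example-only']];\n")
            cfg.chmod(0o644)  # typical default: world-readable
        before = find_exposed_configs(root)
        for rel in before:
            lock_down(root / rel)
        after = find_exposed_configs(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("exposed before:", before)
    print("exposed after: ", after)
```

Run it on a real box as `find_exposed_configs(Path("/home"))` from an unprivileged account to see exactly what a neighbouring tenant would see; the scan only reads mode bits, so it never opens the files it reports.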

Amazon warns you have 30 days before Music Storage files bloodbath

Lucasjkr

Re: Too expensive for Amazon

The future of subscription-based everything makes me want to retch. Seriously.

I had Apple Music (and I still do turn it on from time to time, if I want to hear a bunch of stuff to decide what to buy), and even in the short time I had it initially, I kept adding stuff to my library, and then a month, two months later get greeted with "this song is no longer available".

This isn't an Apple thing.

Years ago, for a brief moment, the entire James Bond movie collection was on Netflix. I actually still watch them all at least once or twice a year, even if it's just in the background, and was like "yes! I don't need these DVDs anymore, that's awesome!", and then sure enough, it all got taken down from Netflix, some re-appeared on Amazon.

On YouTube, I'll see something I like, and find that the owner took it down later on, or Google took it down at the request of someone else.

Even more recently, It's Always Sunny was taken down from Netflix. I think it moved to Amazon or Hulu or whatever. So now, I need two subscriptions? No, I bought it.

Point is, by buying into these subscription services, we're forced to only be offered what's in each of their limited collections. Sure, they might seem vast, but you only find out they're limited AFTER they remove something that you thought you had and wanted. And then it'll hit you that you're paying perpetual license fees and you're not even sure if the content you want will be included in it...

Lucasjkr

Re: It's a whooping

Lots of people (myself included) don't have anywhere secure at their house to store stuff if, say, a fire happened. I'd be out a lot of stuff, except I thankfully use cloud backup solutions to not have to worry.

Plus, a lot of people aren't interested in manually managing the redundancy that you're doing...

FLAC source

FLAC backup 1

FLAC backup 2

FLAC mp3 backup 1

FLAC mp3 backup 2

No thanks. I have my music and the rest of my digital life on a RAID1. The music I bought from Apple I can redownload, the music I didn't buy from them is still backed up with iTunes Match. Plus stored at my cloud backup provider. My regular files are backed up with Time Machine to an additional hard drive, and also backed up "to the cloud".

That's far easier (to me) than maintaining 5 different sets of files myself.

Astroboffins say our Solar System is a dark, violent, cosmic weirdo

Lucasjkr

How can we tell what's normal?

Just because of limits of technology, aren't we extremely limited in what sorts of systems we can even discover? Like unless a star is extremely close, we can only spot planets if they pass in between us and their sun. And therefore, very close, with very fast orbits.

Put another way, if we were situated in any of the solar systems we're observing, would we be able to detect ANY of the planets here? You'd have to stare at the sun for a year to see the slight twinkle Earth would cause when passing in front of it, another year for confirmation. Now, start trying to spot Jupiter (which is all we can really spot from too far away), and you might have to stare at the same star for nearly 12 years to see it the first time, and another 12 for the second glimmer.

It just seems like our technology is far too limited to be able to make any extrapolations about the rest of the galaxy. Maybe we can extrapolate about one particular type of solar system, but we don't know how many types there even are at this point...

Data-slurping keyboard app makes Mongo mistake with user data

Lucasjkr

Keyboard Apps?

Being an iOS user, I simply can't imagine why someone would switch out the keyboard that is provided by the developer of their OS with a widget from the Play Store, where you have zero assurance that it isn't up to something nefarious, like what happened here.

Perhaps one of those keyboard users can tell us: when installing this app, did it at any time warn that it would be transmitting every word, your name, email, phone number and everything you ever typed in it to their servers?

And we wonder why we don't have security. No matter how secure people make their passwords, it's all for nothing if it just winds up in your keyboard logger's, I mean, keyboard app maker's, database.

Tor torpedoed! Tesco Bank app won't run with privacy tool installed

Lucasjkr

Re: Security risk?

How can the bank tell that a phone has been rooted in order to remove factory apps, install ad blockers, etc., versus a phone that was surreptitiously rooted in order to have a key logger installed? And the bank is the one that will take the financial hit if they spot a rooted phone logging in and assume the first but which turns out to be the second...

Your next server will be a box full of connected stuff, not a server

Lucasjkr

"There is no inflection point coming that will increase demand for non-x86 and Unix"

So, when will we stop seeing all the hype about ARM-based servers?

LinkedIn mass hack reveals ... yup, you're all still crap at passwords

Lucasjkr

How come nearly the first thing that was ever told to me was that each password gets its own unique salt, yet so many developers who are paid multiple times what I earn thanks to lucrative stock options at places like LinkedIn, never think about this?

Apple pulled 2,204lbs of gold out of old tech gear

Lucasjkr

Re: Love 'em or hate 'em...

Every iPhone I've had has been considerably more durable than the Androids I've owned. Same for laptops. Even better, phone or computer, Apple continues to provide support and updates for years after the purchase. Compared to Android phone vendors especially, Apple is miles and miles ahead...

Hubble spies supermassive black hole in surprising spot

Lucasjkr

Re: Ummm... Dark matter? Huge black holes?

If dark matter is distributed more or less evenly throughout galaxies and accounts for such a vast amount of the mass out there, why aren't we detecting it right here?

Meanwhile, we tried to measure masses of galaxies and thought there's not enough gravity to keep them intact, but only recently realized that nearly all galaxies have supermassive black holes at their centers. It's almost impossible to detect other black holes until they interact with stuff, so we have no idea of the numbers of black holes in our galaxy. And on a smaller scale, we're now seeing planets nearly everywhere we look. Isn't all of that a decent chunk of the universe's missing mass?

Further, and I asked Reddit once (haha) but got no answer, could it be that interstellar space could be a lot more cluttered than we think? Rather than being surrounded by the Oort Cloud, how are we certain that that's not what space is like, vast regions relatively full of chunks of frozen hydrogen, helium and oxygen? So rather than an Oort Cloud, we actually exist in the Oort Bubble, which the sun has cleared out over the billions of preceding years?

Couldn't all that, applied to the rest of our galaxy and all the others, account for huge amounts of the missing mass we're looking for?

Lucasjkr

I feel like eventually we're going to find out that black holes account for most of the dark matter out there, and just other mass in interstellar space that we have no means to detect, rather than some new type of particle. But then, I'm not an astrophysicist...

US govt says it has cracked killer's iPhone, legs it from Apple fight

Lucasjkr

Re: Do as we ask...

It's fine, really.

From Day 1, both parties made it clear that what the FBI was after was only possible because the 5c used software to handle keys on the device, rather than the 6's Secure Enclave chip, against which, we're told, such an attack would be useless.

If anything, knowing that Apple fought back might spur 5c owners to upgrade. Honestly it's doubtful, most people couldn't care less about device encryption.

But this case should be illustrative to Apple and the rest of the industry of what the FBI will be after (not just furnishing warrants for hosted data, but using All Writs to demand software be written and, failing that, threatening to seize source code). So even though Secure Enclave has gotten no mainstream advertising, future upgrades (for new phones) will likely be talked up a lot more, well-resourced companies like Apple will spend significantly more on security reviews, and who knows, it could even spur Apple, Google and the like to transfer ownership and development of their devices' source code, or even the security aspects, to countries with stronger legal protections - certainly there's some island in the Caribbean that's drafting legislation specifically to address that.

At that point, when confronted with a demand, Apple could say "hey, we'd love to, but we can't. We only license the source code from this wholly owned subsidiary of ours. Why don't you try asking them?"

I think this whole case was a fail for the FBI. Whoever had the bright idea of going after Apple to set a precedent.... Well, I don't know! The saner thing to have done is to have gone after a less well-resourced company, win your ruling against them, then point to that precedent when going after Apple.

So at the end of the day, the FBI loses, because if nothing else, all they accomplished was to cause Apple, Google, Facebook, etc. to all rethink their development policies to ensure that they can't be subject to overreaching All Writs demands in the future, much less add many more sets of qualified eyes to security review. It's like the NSA and PRISM - worked fine, but once it was discovered/publicized, it only spurred the uptake of encryption by most of the affected parties. Apple, with their device security; Google by encrypting not only external network links, but also all internal traffic as well.

Confused by crypto? Here's what that password hashing stuff means in English

Lucasjkr

Correct me if I'm wrong, but the suggestion to use SHA for password hashing seems not appropriate. SHA-2's hashing function, at least, runs easily on AMD Radeon chips; as a result it's trivial to set up password hashing farms. SHA is still useful for verifying the integrity of data, but a more secure function should be used for password authentication purposes.
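The three points this user makes about password storage on this page, that a single unsalted MD5/SHA hash is cheap to guess offline (the Magento/Opencart comment), that every password needs its own salt (the LinkedIn comment), and that a fast digest like SHA-2 is the wrong tool for authentication (the comment above), in one added example. It is not code from the article or from Opencart, Magento or LinkedIn. The tiny "leaked" table and the wordlist are constructed for the demo, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt as the slow, per-user-salted hash; the iteration count is the one the OWASP Password Storage Cheat Sheet currently recommends for that algorithm.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demo: unsalted SHA-1 hashes, the way the
# LinkedIn table leaked. Not from any real breach.
LEAKED_UNSALTED = {
    "alice": hashlib.sha1(b"password").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"password").hexdigest(),  # same password as alice
    "dave": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def crack_unsalted(hashes: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Offline attack on unsalted SHA-1: hash each guess ONCE, then look up every user.

    Cost is len(wordlist) fast hashes no matter how many users leaked, and users
    who share a password fall together because their hashes are identical.
    """
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


PBKDF2_ITERATIONS = 600_000  # OWASP-recommended work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"") -> str:
    """Slow, salted hash. A fresh random 16-byte salt per password unless one is given.

    Stored as algorithm$iterations$salt$digest so the parameters travel with the hash
    and can be raised later without breaking old records.
    """
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(store: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """The same dictionary attack against the salted store.

    No shared lookup table is possible: each guess must be rehashed with each
    user's own salt, so the cost is len(store) * len(wordlist) SLOW hashes.
    """
    found = {}
    for user, stored in store.items():
        for guess in wordlist:
            if verify_password(guess, stored):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    store = {u: hash_password(p) for u, p in {"alice": "password", "carol": "password"}.items()}
    print("alice and carol share a password, hashes differ:", store["alice"] != store["carol"])
    print("salted store cracked (slowly):", crack_salted(store, WORDLIST))
```

The slow hash does not stop "password" from being guessed; it stops the attacker from amortising one hash over the whole table, and the per-user salt is what forces that. Swap in bcrypt, scrypt or Argon2id via the `bcrypt`, `hashlib.scrypt` or `argon2-cffi` APIs for the same shape with memory-hardness, which is what defeats the GPU farms the comment mentions.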

Hand in glove: Google and the US State Dept

Lucasjkr

Re: This really isn't new news...

Easy enough to download the font and serve it from the site, rather than Google's servers.

Would be nice, perhaps, if someone wrote a plug-in to do that.

Scan WP theme - pull fonts to wp-uploads folder, then use javascript to rewrite the calls to Google to the stand alone server.

I'd pay for it.

Problem is, most people wouldn't. Why should they care that Google tracks their visitors?

Amazon douses flames, vows to restore Fire OS fondleslab encryption

Lucasjkr

Re: ROT13

Everyone knows that modern computers have made ROT13 extremely vulnerable to attacks. Double ROT13 is the new standard, it's what all the intelligence agencies are recommending.

Google gives ringing endorsement to US VPN providers with 'right to be forgotten' expansion

Lucasjkr

Re: Nudge, nudge, wink, wink. Say no more...

What's Orwellian is that something you say or do online, which could have broken no laws at all, and could have happened years ago, has the potential to haunt you forever and ever. The right to request removal of that data from search indexes - the newfound "Right to be Forgotten" - is a natural offshoot from that. The only sad thing is that Google won't simply mark data as forgotten without regard for the requestor's geolocation. But then this right to be forgotten is only a European right, and would surely conflict with Google's First Amendment rights in the US.

Really, Google should have offered such a service years ago, to people regardless of their citizenship, rather than create half-baked solutions to make a geographically limited solution as they keep trying to do.

But please, rethink your definition of Orwellian.

Cook moves iPhone debate to FBI's weak ground: The media

Lucasjkr

Re: Tim Cook < Steve Jobs.

Wrong.

If he wins, he and his company are the guys that fought on behalf of their users all the way to the Supreme Court

If he loses, Apple's standing is no worse than any other's, because if their hand can be forced, so can everyone else's.

Apple can only stand to win or draw in this argument, not lose, save for, as you said, maybe a few ultra patriotic customers. The same ones that renamed French fries to freedom fries, probably.

Lucasjkr

Re: Wipe the device

>The proposed court order says that Apple should create a hack that only works on that one iPhone. So you couldn't try it on another iPhone.

The phone's serial number is just a code variable. Obviously they'd use a different phone, with that phone's unique properties in place in the code, to test their application before deploying it to the iPhone in question.

Question is, if they gave that compiled code to the FBI, what's to stop them from reverse engineering it to allow them to change those variables at will?

Bitcoin's governance bungles stain the blockchain's reputation

Lucasjkr

Headline about Bitcoin. Go on to read about spying on sleeping babies. No explanation at all about the potential for fracture, what the different camps suggest. I love the Reg, but this story needed some help before getting published, IMO

Here's your Linux-booting PS4, says fail0verflow

Lucasjkr

Re: loss leader...

I doubt that this is running through a virtualization layer - if anything, that would be even more complicated. Besides, Linux and NetBSD have been ported to run on just about every architecture out there.

iOS 9 kludged our iPhones, now give us money, claims new lawsuit

Lucasjkr

Seems pretty simple. I've liked my iPhones and iPads over the years, but I've always been extremely hesitant to install any software updates for the simple fact that Apple makes it a one-way procedure. Seems like it shouldn't be difficult to allow it to roll back to the previous version, either through a saved image on the computer or downloading it from iCloud.

Such a capability would be welcomed by so many users, I'm sure. And I can't think of a single reason why it shouldn't be available.

You’re clever? But are you clever enough to give a Reg lecture?

Lucasjkr

This might be the first advertisement that I can remember going out of my way to click on. At least for a long time. Good job. I don't think I'm a lecturer though...

Elon Musk: 'Fudged' NYT article cost Tesla $100m

Lucasjkr

Re: Who cares?

So you're saying the only way for a review to be reliable is if the reviewer is reporting on things from outside of the field in which they're familiar? Forget reading The Register, then, we should all be getting our tech news from Estee Lauder? Or should the Register just fire their current staff writers and replace them with cosmeticians?

Whoever he is, the NYT reviewer being "beholden" to the auto industry is meaningless - if Musk's car means the end of the car industry as we know it (it won't, I don't think, but that's a whole other story), then the reviewer will continue working in journalism - he'll in fact continue reporting on vehicles with 4 wheels that go from point A to point B; the only differentiating factor will be that the vehicles he reports on will use an input different from gasoline. I don't see how the end of gasoline-powered vehicles would affect an auto journalist, so long as the end of gas beasts coincided with the rise of electric-powered vehicles.

So, no - I will continue to take my news from writers who regularly report on the industries I need news on, rather than calling for reviews to be written only by people with no tie to that industry at all. Though I guess having an Amish farmer report on cars, gas or electric, would be amusing... I'd read it!

Biting the hand that feeds IT © 1998–2019