Posts by GnuTzu

Re: I thought Chrome already did this, at least sometimes?

It does. They mentioned it. But, they make a distinction:

Passive mixed content refers to content that doesn't interact with the rest of the page, and thus a man-in-the-middle attack is restricted to what they can do if they intercept or change that content. Passive mixed content includes images, video, and audio content, along with other resources that cannot interact with the rest of the page.

I'm not sure how well they can distinguish in the browser engine though, because I know I've seen images blocked for being HTTP in HTTPS before (which I had to fix on a server).

Snort for planes, but I can't think of a pun for that..

Re: demonstrating that the apps are sufficiently sophisticated to get past Google’s security review.

Which is just another reason why advertising services are regarded as potential sources of malware--and thus blocked by many proxy administrators.

Yup, that site that says you have to enable ads on your corporate workstation, sorry, that site is effectively off limits (unless they have a pay option, and you're willing to pay).

Re: Backups are faster & cheaper ...

Call it: "budget induced ignorance."

Re: Make these a federal crime -- Keys in the Car

There should be fines for this, just as there citations for leaving your keys in the car.

Oh wait, did I hear that HIPAA was not a compulsory standard? Are law suits for non-compliance possible?

Re: won’t be saved to your Google Account

Yup. And, there are times that I'm just not going to use a Google account. In fact, a good portion of my queries are going to be by way of privacy oriented services like Duck Duck Go and Open Street Map.

Also, I make good use of Ghostery, EFF Privacy Badger, UTM parameter strippers, Self-destructing Cookies, and JavaScript blockers. It's a bit of work with all this, but it's very educational, learning just how much tracking is going on.

Oh yes, most web sites optimize for Google by using UTM parameters in URL's. They're all over the place. So, you're being tracked even when you don't use Google directly.

Re: "For a fee, of course"

Yup, that's exactly what I was referring to, and it can be controlled by GPO so that users can't get away with cheating.

GPO can even block add-ons and other settings in Chrome.

O.K. so that's not Microsoft controlling that. But, previous versions of Windows came with options and alternatives--and it was Microsoft that took those away.

That company needs a program to monitor its own mental health.

Social services should declare them unfit for looking after children.

Anyway, if nurturing is going to be done by computers in the future, what future is there--especially when those computers are likely to be IoT with apps?

Re: NOOOOO!!!!!!!

It's low hanging fruit filling.

We've reach the critical mass in which every business is now virtually obligated to be online in some form or another, and those with the tightest budgets are simply going to be the easy targets.

"How does one do traditional penetration testing when apps use blabla.bucket.amazon.com using a pool of shared IP ranges?"

Yeah, I've had that discussion before. There needs to be something that guarantees there can't be any rogue devices, whether that's done by scanning or not. That is, if you have a bunch of different organizations sharing a pool, there just has to be a way to know if someone's pissed in the water.

Once rogue device detection is dealt with, you end up having to feed scanners with lists of exact destinations. And, if you have some kind of ephemeral service in which a server is spawned and vanishes in a short period of time, that passing of an exact destination is going to have to be automated--except the destination isn't going to exist for a full scan. So, you either end up "arranging" to have an instance held up long enough for a full scan, or scanners will need a feature to move to the next vulnerability test for the next instance.

And, all this would be fine for plain-old vulnerability scanning. For pen testing, this is going to feel very artificial, and full pen testing is going to have to get very dynamic--and soon, lest the black hats get there first.

Re: Average drivers

I've always loved that statistic, simply because it doesn't need any special scale of what constitutes good driving to qualify the meaning of it. The logic is obvious; only half the population can be better than average. It's that simple.

Re: Threats have always been escalating

Preaching to the choir (up voted).

Well, I stand corrected. I've only known the word "pore" as a small opening and had always expected that the term "pore over" would metaphorically relate to the concept of "pouring". Is "pore over" supposed to refer to squinty eyes passing over something? That sounds so weird to me. Just what is the etymology of such an expression?

Sigh, well at least I learned something new.

Right, that's what they get for not having a box for "completely confused, undecided and/or just plain fickle".

Re: Trustworthy? -- Betrayed

And, I was loyal to HP for their Linux compatibility -- damn.

Well, I've got an actual firewall, so...

Re: hire a more reputable firm

Yup, "scope" must be explicitly agreed upon at an appropriate level for the test to be meaningful. End of story... mostly.

The funny thing is that, yes, it should be a high up official, meaning that maybe guards and officers should not have been warned, which then means that the testers should have been cuffed, what fun--but then they should already have been released. Come to think of it, they should have had a number to call to get released. Yup, these things should have been worked out before any physical access was attempted.

Re: They WILL bypass the hosts file

"...this way they can bypass any controls on content that exist in the environment that might serve to block ads."

Any? I can think of a counter example, a proxy using a service that categorizes destination FQDN's that are ad services and blocks them accordingly, which I assure you does exist.

Yes, there are places that block ad services per security policy as a potential source of malware. Because, what responsibility do ad services have to ensure that the ads their many customers feed them are free from malware.

The thing I'm wondering about is how this affects ad-blocking plugins.

Re: So basically

Well, it seems that I have to correct myself.

It's worse than this. You data is not the product--it's a resource, and it's one that the banking industry doesn't just let them tap at will, but it's a resource that the banking industry willingly spews at them without restraint.

And then, the really bad news: their product is their opinion on your merits. Oh yes, they have a mathematical formula--presumably, based on Scientific or actuarial principals. But, they own that algorithm.

So, who represents us in validating that algorithm? Who represents us in evaluating the merit of the thing that rates our merit.

Well, read the rest of the thread, as others have already answered that question--as well reasonably rated the merits of that agency.

Re: Funny

Uh, it's time to check with the EFF to see what the layers found in the EULA--because you know the legalese was written in a way to encourage click-through.

Re: Catcha is the most annoying piece of crap ever

O.K. fair enough. It would be insane if the refresh wasn't there for the text ones. Yet, I'm finding that some of those text ones are so bad that a single refresh doesn't do it. I've definitely had to do more than a few refreshes for some of them.