Ah, but this is one port to rule them all. Conceivably, this could be the only port (aside from the charger) on an ultrabook, maybe a USB port or two in addition. Add a Thunderbolt docking station and you can add ANY port that can be placed on a PCIe bus, even an external GPU.
But we've already had docks and ports for those docks that let you add ANY port that could be placed on ANY bus. Yes, they were proprietary, but they worked and had available accessories.
Furthermore, external PCIe came out 7 fucking years ago. Nobody (outside of people running Quadros and Firepros) cared.
Thunderbolt is another shitty port and set of cables to confuse people, an external connection to the PCIe bus, and a controller to make it do things.
We do not need more ports and cables. Thunderbolt's claim is that by using it we'll have LESS cables. This is what they always say and it's always bullshit.
We've had external PCIe for 7 years. No one wanted it.
The only useful part of Thunderbolt is the controller. In theory, you should be able to pipe video, audio, ethernet, usb, firewire, serial, or any fucking thing your Thunderbotl chipset/frimware supports, over a single cable, as well as daisy chain devices like with firewire/SCSI. The controller basically has shit to handle all of those protocols, and then it just figures out how best to send the data over the link. You should be able to, for example, connect a monitor to your PC via a Thunderbolt cable, then chain a second monitor with a short cable from the first monitor, and again from monitor 2 to monitor 3. Monitor 2 (in the middle) could have the typical USB hub for your mouse, keyboard, whatever, and monitor 3's Thunderbolt out could go to your speakers.
In practice, there are almost no devices that use Thunderbolt, and those that do have different physical ports. The controllers also have varying capabilities with regards to throughput. In the above example, you need a Thunderbolt controller capable of handling all that data, then monitors with physical ports for chaining Thunderbolt devices, and cables that connect those (possibly different) physical ports. Then you need a hell of a lot of luck to not get fucked in the ass by having your audio downgraded to stereo because some HDCP shit failed along the way.
Thunderbolt used to be called Lightpeak, but then they realized they weren't ready to release it as such (and optical version), so now there will be Thunderbolt over copper and Thunderbolt over optical, meaning different sets of cables and different sets of ports that adapters will not work for (unless they're active and have an optical transceiver and cost $70).
They should have waited and got hardware manufacturers on board, but Apple needed another bullet point for their press conference.
If you are measuring a distance in 3D space and the time it takes? yes.
If quantum entanglement exists in 5,6 or even 7D space, the entanglement distance may not be anywhere as far as the 3D space distance.
Therefore it IS possible in relation to the observer and based on 3D space constraints to transmit information faster than the speed of light without violating Causality.
Wow you're dumb.
Imagine a 2D plane. Imagine 2 points, A and B, on that plane. They are X units apart. Find a path from A to B whose length is shorter than X. Feel free to use as many dimensions as you want.
Furthermore, there is exactly zero evidence that more than 3 spatial dimensions exist.
Uh, yes you can. Entanglement is order of magnitude faster than the speed of light. It has nothing to with light however. Experiments have been done to see how "fast" it is.
Stop posting this bullshit. Information cannot travel faster than the speed of light. Entanglement does not get around this.
RSA key/pair is something you have... you still need something you are, and something you know... Once someone has your key, it's no more secure than your password. A trojan can read local files, just as easily, if not more so than snoop for a password.
When you send bits out, everything in those bits is "something you know".
You don't need to have the keyfob, you just need to know what it will output at any given time, or what a prior output was (as long as you use it within the time window for which it is valid - typically 30 seconds to 2 minutes). Yes, it's mathematically hard to get the key by brute forcing, but it's not impossible. When you log in with one of those, you're not proving that you have the thing, you're proving that you know what it output at a given time.
Imagine if PS4 games had built in RSA shits right onto game discs. (Or the Vita game cards if you can't imagine a thing battery, cpu, and display on a disc.) Touch an area on the surface of the game disc (or card) and get a password on a little display. You have to put that password in within X time to access the game. This isn't secure because even if Bob holds onto the disc physically, Alica can call him up and ask him to read the code.
Sony wants the disc to be in Bob's physical possession (and no one else's) at any given time, but they cannot rely on this type of security to ensure that. For all they know Bob is visiting Alice and brought his new game over.
Windows infection vectors these days are either through Flash or Java VM. Slashdot previously ran a story on how windows gets infected with malware back on Oct 5, 2011 with an included source link in the summary.
I'd be surprised, since even Google Analytics itself is affected...
Anyway, please be careful before announcing "Chrome usage surpassed this or that":P
Yup. This is correct. The stats are by page views. Google fetches everything under the sun when you start typing, and only shows it to you when you actually want it. It's a terribly wasteful practice when you're just thinking of the increased burden on ISPs and servers, but it's even more absurd when you consider the bandwidth caps most people live under.
All of the web traffic monitoring sites only monitor a the top X most popular sites that have analytics or some other shit tracking engine layered on top.
Chrome users, who are tracked out the ass and who prefetch the entire internet, will be over represented. Firefox users who install things to actively block tracking and ads and mountains of content they don't want will be under represented.
Then you have to consider that most web traffic is generated by a small percent of the population. Grandma on IE9 isn't going to register on these reports, but every insufferable blogger will.
Hmm I think we agree the majority controls. I'm going further and saying truth or falsehood is in the eye of the 51%. You're saying a false transaction believed by 51% is still false, I'm saying it defines truth, at least in-band. If you also had GPG signed web of trust receipts to compare with the in-band history... well thats cheating, kinda, because its out of band.
Majority of hashing power != majority of users. Not by a long shot.
Beyond that...
A bad block is verifiable. Either the hash is correct or it isn't. If certain hosts are pushing out bad block, other clients will see them and reject them. There is no mechanism in place to black list nodes, though if it becomes a problem it's trivial to do. All blacklisting does is reduce the noise on the network and the overhead of verifying blocks and rejecting bad ones.
You can only forge a transaction only if you have the victim wallet's private key. If you're going to crack that you might as well mine and earn coins legitimately.
And the final option is to copy someone's unencrypted wallet and then transfer money to a wallet only you have. You'd have to get at someone's wallet file to do this. It has no impact on the network, only the individual user who got his shit stolen. It's just like stealing cash from someone on the street.
Would you be able to get the police involved, since it's theft and the Bank is actively aiding thieves? Not saying that you should (or shouldn't).
So when some guy on the street steals your money he's committed a crime, but if some company steals money from thousands of people they're just a good customer of the Bank?
Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)
BTC only "decentralizes" properly if less than 50% of the transactions etc come from one person.. or group... so just dumping BTC on top of visa and mc will merely result in a oligopoly majority screwing with the block stream.
That is a problem with rolling out BTC, if you have a completely centrally controlled monopoly or oligopoly based financial system like the US, its hard to roll out gradually. The first mover will automatically control 99.9999% of the block stream making it no longer decentralized, or at least not decentralized until everyone ELSE moves to BTC.
No, it has nothing to do with 50%. It's simply that if you control more of the network, you are more likely to get away with tampering with transactions unnoticed.
You would need 100% control to guarantee no one would see you rigging shit. Even then, the entire transaction history is viewable to all, and all mined results are verifiable. In order to falsify a transaction you'd have to falsify a mining result and steal some wallet files. Since it's just mountains of hashwork, you're better off just mining.
Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card...
Maybe I'm wrong - does anyone use a bank card and feel safe?
I left Bank of America because of this (and other, previous horse shit). Some scam "company" initiated an ACH transaction against my checking account (not even a debit purchase, it was straight ACH).
They farm account numbers from dumpsters, internets, and call center slaves who are easy to bribe. Then they initiate fraudulent transactions for "supplemental medical insurance". You can go to their various shell websites and quickly see that the insurance is of course non-existent. The only service they offer is theft.
So I called Bank of America and said "This is bullshit." and they wanted to do the whole 7-10 day, affidavit, wait to get my money back, horseshit. I got my money back faster (from the company) by threatening to sue and reporting them to the NY State Attorney's office.
Bank of America said they could not (would not) block future transactions from that company. Sure, they could block debits from that company for the same amount (down to the cent), so if they try to take $49.95 they can't get it, but if they try $49.96 or $4999.95 they get it instantly. BoA wouldn't even let me file a complaint against them. Since I had gotten my money back, they refused to let me file a claim where I did not seek a refund. Of course, why would the bank want to make my money secure or investigate fraud? They profit off transactions, interest, fees, fraudulent charges, etc.
My only option, according to BoA, was to open a new checking account to get a new number that hopefully they wouldn't be able to steal. So I did. Except the new checking account wasn't at BoA.
It's not. But if you turn around and file a fraud claim on those charges, that would be illegal.
And that's not what he said he was going to do. He said he was going to max it out to perform a DoS on potential attackers. If they want to charge shit with his card, they'll first have to make a payment so the account is below the credit limit.
If the Google token can only be verified by "the real Google", then Gawker can't tell a fake one from a legit one either. Derp! Regardless, the real token is real once the attacker passed your credentials through the normal login routines. The attacker doesn't care about the token, the attacker cares about your username and password.
The tokes are use-once tokens. When a website asks Google’s OpenID provider (IDP) for someone’s email address, Google always sign it in a way that cannot be replaced by an attacker. The website won't be able to log you in.
True, the attacker may already have your Google password, if they are very very good. But this still won't get them much, because google's two factor authentication will stop them in their tracks, and even if the account doesn't use 2FA, google's IP range checking will. (Got caught by this just the other day when I tried to log in to google from a distant hotel. Had to answer the additional security question).
And you still danced around the question of why something you claim is so vulnerable is becoming the standard. Could it be its far far harder than you glibly claim? Could it be you have never actually done any such programming in the real world? Pretty good at slinging the insults to cover you lack of knowledge. If its so easy go out and DO it some time.
Yeah, you're an idiot. The attacker can get around all of the protections in place if they can get their own script to run on the page. And I have no idea why you're thinking about fucking tokens at all. The attacker doesn't want a fucking token, they want a username and password. All they have to do is send it out to their own server via XHR and then let the normal stuff go on as usual.
Two factor authentication? Who gives a shit? Accounts that have a dongle will be skipped. Accounts that don't have a dongle will be harvested. It's trivial to get around the IP restrictions. You could even just do everything from an IP in a "mobile" block since the check is ignored. And then there's the cascade effect - when attackers have your google username, password, and IP, they'll start hitting other accounts you may have.
If you think it's so inconsequential, please post your gmail address and password.
"Designed to provide 99.999999999% durability and 99.99% availability of objects over a given year"
Which basically means, in practical terms, they're allowing for up to 9 hours per year where you can't access the data, but they promise to basically never lose the data. It's not about 1ms in 317 years, it's about how many of your bytes could go corrupt or missing out of the total, in the space of a year.
And I quoted, from his own post, more 9s that that.
Tape is a terrible thing to rely on. When you're backing up to a medium that has less reliability than your primary data storage, you have already failed.
Multiple Data Replication + Bit Rot Monitoring is the only thing that serves as a remotely reliable backup solution. Either from good cloud storage (e.g. Amazon S3) or through various more traditional non-cloud solutions (really the preferred option IMHO) from various vendors.
Amazon provides a 99.99999999999% SLA on data integrity for data stored in S3. Tape backup data integrity averages about 60%.
I would never use tape backup in this day and age.
99.99999999999% ? That's 1 millisecond of downtime in 317 years. When picking numbers out of your ass, please give them a sniff to make sure someone will think there's a kernel or truth in there.
Tape is the most reliable form of backup we have today. And remember kids: If it's powered on it's a copy, not a backup.
Except the real Google hands back a token that can only be verified by the real Google. The fake token would trip even Gawker's lax security giving you a clue that you have been duped.
If the Google token can only be verified by "the real Google", then Gawker can't tell a fake one from a legit one either. Derp! Regardless, the real token is real once the attacker passed your credentials through the normal login routines. The attacker doesn't care about the token, the attacker cares about your username and password.
The login buttons aren't on the area available for people to post. (They are not within the posts themselves). As such, you can't sneak in your own hacker code to do what you propose. The posting engine limits just what you can post.
You're an idiot. Tons of sites have the "login" link on the same exact page you need to post from. Look at Kotaku, a Gawker site. Comments are posted right below the main article, and you can type out your comment and hit submit, then get prompted with a login prompt. Each page also has an assload of "share" links, as well as the master "login" link.
Any page that has user-submitted content on it is potentially vulnerable to XSS attacks. One flaw in the commenting engine and it all goes to shit. And of course, there's all the annoying ads on their sites, another potential vector.
Look, if it was this easy to break OpenID NOBODY would use it. Yet its gaining acceptance all the time. The GP was blowing smoke.
Look, if it was so easy to steal credit card information, NOBODY would use them. People don't give a shit about security, they only want immediate access to fast food and mind-numbing social content. Ad-driven sites must cater to that desire above all else.
Since you're either retarded or willfully obtuse, I'll spell out one XSS scenario for you.
Go read up on OpenID and then come back and apologize for calling people names. See also how Google does this.
1) Gawker puts a sign in with Gmail account button on the page. 2) You click that and a NEW HTTPS window shows up, sent to you by GOOGLE. (You do understand HTTPS don't you?) 3) You enter your Gmail address and password. 4) GOOGLE sends an encrypted token saying Yes/No and possibly your name back to Gawker. 5) Gawker waits for this token and validates it directly with Google.
Once you get hit by XSS the entire page containing that script can be altered, including that NEW HTTPS window, which is now sent to you by SOMEONE WHO IS NOT GOOGLE.
What is the security risk? All Gawker gets is whether you were authenticated or not. They don't get access to your account or any of the nonsense FUD being spread around.
Tons of possible fuck ups can happen. Since you're either retarded or willfully obtuse, I'll spell out one XSS scenario for you.
1) Attacker uploads malicious script to Gawker's site through a flaw in the commenting system. 2) The script replaces the standard "Login with your Google, Facebook, OpenID, or OtherBullshit account" block with a different one. 3) Users who log in don't notice any visible difference, and their credentials are sent off to the attacker. 4) The attacker doesn't want to get caught, so he also passes on the credentials to the legit servers and lets the login process normally. 5) You're fucked.
>People are going to buy anyways. No one actually needs to tell consumers to consume. Supply attempts to meet demand.
Many people would disagree with you. The US consumer confidence index, while in the rise, has been pretty damned low for the past few years. Unfortunately, the US economy is largely reliant on rampant consumerism. Lack of consumer confidence means consumers are less likely to spend money, less spending of money by consumers is bad for the US economy.
Oh look! It's the consumer confidence fairy! It doesn't exist. The vast majority of consumers don't think past next Friday. They never even consider the possibilities of losing a job, their retirement plans crashing, the market going tits up, etc. You can't peg a number to consumer confidence in the economy when 99% of consumers don't ever think about the economy.
Protip: Peace of mind doesn't exist either, but that won't stop them from trying to sell it. Buyer's remorse and life crushing debt do exist, though.
Ah, but this is one port to rule them all. Conceivably, this could be the only port (aside from the charger) on an ultrabook, maybe a USB port or two in addition. Add a Thunderbolt docking station and you can add ANY port that can be placed on a PCIe bus, even an external GPU.
But we've already had docks and ports for those docks that let you add ANY port that could be placed on ANY bus. Yes, they were proprietary, but they worked and had available accessories.
Furthermore, external PCIe came out 7 fucking years ago. Nobody (outside of people running Quadros and Firepros) cared.
Thunderbolt is another shitty port and set of cables to confuse people, an external connection to the PCIe bus, and a controller to make it do things.
We do not need more ports and cables. Thunderbolt's claim is that by using it we'll have LESS cables. This is what they always say and it's always bullshit.
We've had external PCIe for 7 years. No one wanted it.
The only useful part of Thunderbolt is the controller. In theory, you should be able to pipe video, audio, ethernet, usb, firewire, serial, or any fucking thing your Thunderbotl chipset/frimware supports, over a single cable, as well as daisy chain devices like with firewire/SCSI. The controller basically has shit to handle all of those protocols, and then it just figures out how best to send the data over the link. You should be able to, for example, connect a monitor to your PC via a Thunderbolt cable, then chain a second monitor with a short cable from the first monitor, and again from monitor 2 to monitor 3. Monitor 2 (in the middle) could have the typical USB hub for your mouse, keyboard, whatever, and monitor 3's Thunderbolt out could go to your speakers.
In practice, there are almost no devices that use Thunderbolt, and those that do have different physical ports. The controllers also have varying capabilities with regards to throughput. In the above example, you need a Thunderbolt controller capable of handling all that data, then monitors with physical ports for chaining Thunderbolt devices, and cables that connect those (possibly different) physical ports. Then you need a hell of a lot of luck to not get fucked in the ass by having your audio downgraded to stereo because some HDCP shit failed along the way.
Thunderbolt used to be called Lightpeak, but then they realized they weren't ready to release it as such (and optical version), so now there will be Thunderbolt over copper and Thunderbolt over optical, meaning different sets of cables and different sets of ports that adapters will not work for (unless they're active and have an optical transceiver and cost $70).
They should have waited and got hardware manufacturers on board, but Apple needed another bullet point for their press conference.
TL;DR: Thunderbolt is the new Firewire.
Define speed of light.
If you are measuring a distance in 3D space and the time it takes? yes.
If quantum entanglement exists in 5,6 or even 7D space, the entanglement distance may not be anywhere as far as the 3D space distance.
Therefore it IS possible in relation to the observer and based on 3D space constraints to transmit information faster than the speed of light without violating Causality.
Wow you're dumb.
Imagine a 2D plane. Imagine 2 points, A and B, on that plane. They are X units apart.
Find a path from A to B whose length is shorter than X. Feel free to use as many dimensions as you want.
Furthermore, there is exactly zero evidence that more than 3 spatial dimensions exist.
Uh, yes you can. Entanglement is order of magnitude faster than the speed of light. It has nothing to with light however. Experiments have been done to see how "fast" it is.
Stop posting this bullshit. Information cannot travel faster than the speed of light. Entanglement does not get around this.
Or do they use OS services like DirectX11, etc? When they say 64k, is it a 64k executable using up another dozen meg of OS DLLs?
That was exactly my question. If it's not 64K running on bare metal, it's cheating.
What a clown.
RSA key/pair is something you have... you still need something you are, and something you know... Once someone has your key, it's no more secure than your password. A trojan can read local files, just as easily, if not more so than snoop for a password.
When you send bits out, everything in those bits is "something you know".
You don't need to have the keyfob, you just need to know what it will output at any given time, or what a prior output was (as long as you use it within the time window for which it is valid - typically 30 seconds to 2 minutes). Yes, it's mathematically hard to get the key by brute forcing, but it's not impossible. When you log in with one of those, you're not proving that you have the thing, you're proving that you know what it output at a given time.
Imagine if PS4 games had built in RSA shits right onto game discs. (Or the Vita game cards if you can't imagine a thing battery, cpu, and display on a disc.)
Touch an area on the surface of the game disc (or card) and get a password on a little display. You have to put that password in within X time to access the game. This isn't secure because even if Bob holds onto the disc physically, Alica can call him up and ask him to read the code.
Sony wants the disc to be in Bob's physical possession (and no one else's) at any given time, but they cannot rely on this type of security to ensure that. For all they know Bob is visiting Alice and brought his new game over.
The users just surfed wrong.
Windows infection vectors these days are either through Flash or Java VM. Slashdot previously ran a story on how windows gets infected with malware back on Oct 5, 2011 with an included source link in the summary.
Don't forget Adobe Reader.
What a piece of shit.
Does StatCounter take in account Chrome's page views inflation caused by its Instant Pages prerendering feature?
I'd be surprised, since even Google Analytics itself is affected...
Anyway, please be careful before announcing "Chrome usage surpassed this or that" :P
Yup. This is correct. The stats are by page views.
Google fetches everything under the sun when you start typing, and only shows it to you when you actually want it. It's a terribly wasteful practice when you're just thinking of the increased burden on ISPs and servers, but it's even more absurd when you consider the bandwidth caps most people live under.
All of the web traffic monitoring sites only monitor a the top X most popular sites that have analytics or some other shit tracking engine layered on top.
Chrome users, who are tracked out the ass and who prefetch the entire internet, will be over represented.
Firefox users who install things to actively block tracking and ads and mountains of content they don't want will be under represented.
Then you have to consider that most web traffic is generated by a small percent of the population. Grandma on IE9 isn't going to register on these reports, but every insufferable blogger will.
If you're paying sticker price for a car, you're getting ripped off regardless.
It's like he didn't watch that episode of King of the Hill.
Hmm I think we agree the majority controls. I'm going further and saying truth or falsehood is in the eye of the 51%. You're saying a false transaction believed by 51% is still false, I'm saying it defines truth, at least in-band. If you also had GPG signed web of trust receipts to compare with the in-band history... well thats cheating, kinda, because its out of band.
Majority of hashing power != majority of users. Not by a long shot.
Beyond that...
A bad block is verifiable. Either the hash is correct or it isn't.
If certain hosts are pushing out bad block, other clients will see them and reject them. There is no mechanism in place to black list nodes, though if it becomes a problem it's trivial to do. All blacklisting does is reduce the noise on the network and the overhead of verifying blocks and rejecting bad ones.
You can only forge a transaction only if you have the victim wallet's private key. If you're going to crack that you might as well mine and earn coins legitimately.
And the final option is to copy someone's unencrypted wallet and then transfer money to a wallet only you have. You'd have to get at someone's wallet file to do this. It has no impact on the network, only the individual user who got his shit stolen. It's just like stealing cash from someone on the street.
Would you be able to get the police involved, since it's theft and the Bank is actively aiding thieves? Not saying that you should (or shouldn't).
So when some guy on the street steals your money he's committed a crime, but if some company steals money from thousands of people they're just a good customer of the Bank?
Police don't give a shit lol.
Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)
BTC only "decentralizes" properly if less than 50% of the transactions etc come from one person.. or group... so just dumping BTC on top of visa and mc will merely result in a oligopoly majority screwing with the block stream.
That is a problem with rolling out BTC, if you have a completely centrally controlled monopoly or oligopoly based financial system like the US, its hard to roll out gradually. The first mover will automatically control 99.9999% of the block stream making it no longer decentralized, or at least not decentralized until everyone ELSE moves to BTC.
No, it has nothing to do with 50%. It's simply that if you control more of the network, you are more likely to get away with tampering with transactions unnoticed.
You would need 100% control to guarantee no one would see you rigging shit. Even then, the entire transaction history is viewable to all, and all mined results are verifiable. In order to falsify a transaction you'd have to falsify a mining result and steal some wallet files. Since it's just mountains of hashwork, you're better off just mining.
Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card...
Maybe I'm wrong - does anyone use a bank card and feel safe?
I left Bank of America because of this (and other, previous horse shit).
Some scam "company" initiated an ACH transaction against my checking account (not even a debit purchase, it was straight ACH).
They farm account numbers from dumpsters, internets, and call center slaves who are easy to bribe. Then they initiate fraudulent transactions for "supplemental medical insurance". You can go to their various shell websites and quickly see that the insurance is of course non-existent. The only service they offer is theft.
So I called Bank of America and said "This is bullshit." and they wanted to do the whole 7-10 day, affidavit, wait to get my money back, horseshit.
I got my money back faster (from the company) by threatening to sue and reporting them to the NY State Attorney's office.
Bank of America said they could not (would not) block future transactions from that company. Sure, they could block debits from that company for the same amount (down to the cent), so if they try to take $49.95 they can't get it, but if they try $49.96 or $4999.95 they get it instantly. BoA wouldn't even let me file a complaint against them. Since I had gotten my money back, they refused to let me file a claim where I did not seek a refund. Of course, why would the bank want to make my money secure or investigate fraud? They profit off transactions, interest, fees, fraudulent charges, etc.
My only option, according to BoA, was to open a new checking account to get a new number that hopefully they wouldn't be able to steal.
So I did. Except the new checking account wasn't at BoA.
It's not. But if you turn around and file a fraud claim on those charges, that would be illegal.
And that's not what he said he was going to do.
He said he was going to max it out to perform a DoS on potential attackers. If they want to charge shit with his card, they'll first have to make a payment so the account is below the credit limit.
If the Google token can only be verified by "the real Google", then Gawker can't tell a fake one from a legit one either.
Derp! Regardless, the real token is real once the attacker passed your credentials through the normal login routines. The attacker doesn't care about the token, the attacker cares about your username and password.
Gawker hands the token back to google via statically coded portions of their web and google validates it. This is built into the library. If your putative XSS attacker can compromise a system library they you are far more screwed than you think.
The tokes are use-once tokens. When a website asks Google’s OpenID provider (IDP) for someone’s email address, Google always sign it in a way that cannot be replaced by an attacker. The website won't be able to log you in.
True, the attacker may already have your Google password, if they are very very good. But this still won't get them much, because google's two factor authentication will stop them in their tracks, and even if the account doesn't use 2FA, google's IP range checking will. (Got caught by this just the other day when I tried to log in to google from a distant hotel. Had to answer the additional security question).
And you still danced around the question of why something you claim is so vulnerable is becoming the standard. Could it be its far far harder than you glibly claim? Could it be you have never actually done any such programming in the real world? Pretty good at slinging the insults to cover you lack of knowledge. If its so easy go out and DO it some time.
Yeah, you're an idiot. The attacker can get around all of the protections in place if they can get their own script to run on the page. And I have no idea why you're thinking about fucking tokens at all. The attacker doesn't want a fucking token, they want a username and password. All they have to do is send it out to their own server via XHR and then let the normal stuff go on as usual.
Two factor authentication? Who gives a shit? Accounts that have a dongle will be skipped. Accounts that don't have a dongle will be harvested. It's trivial to get around the IP restrictions. You could even just do everything from an IP in a "mobile" block since the check is ignored. And then there's the cascade effect - when attackers have your google username, password, and IP, they'll start hitting other accounts you may have.
If you think it's so inconsequential, please post your gmail address and password.
For the same reason RAID/NAS/SAN/DAS is not a backup.
That wasn't out of his ass: http://aws.amazon.com/s3/ will tell you, and I quote:
"Designed to provide 99.999999999% durability and 99.99% availability of objects over a given year"
Which basically means, in practical terms, they're allowing for up to 9 hours per year where you can't access the data, but they promise to basically never lose the data. It's not about 1ms in 317 years, it's about how many of your bytes could go corrupt or missing out of the total, in the space of a year.
And I quoted, from his own post, more 9s that that.
1 bit every 11.642 GB? Pretty shitty.
IE 6 forever!
Turn that 6 upside down, and change that forever to "until Windows 8 and IE 10", and you'd have a fair statement.
Tape is a terrible thing to rely on. When you're backing up to a medium that has less reliability than your primary data storage, you have already failed.
Multiple Data Replication + Bit Rot Monitoring is the only thing that serves as a remotely reliable backup solution. Either from good cloud storage (e.g. Amazon S3) or through various more traditional non-cloud solutions (really the preferred option IMHO) from various vendors.
Amazon provides a 99.99999999999% SLA on data integrity for data stored in S3. Tape backup data integrity averages about 60%.
I would never use tape backup in this day and age.
99.99999999999% ? That's 1 millisecond of downtime in 317 years.
When picking numbers out of your ass, please give them a sniff to make sure someone will think there's a kernel or truth in there.
Tape is the most reliable form of backup we have today.
And remember kids: If it's powered on it's a copy, not a backup.
Except the real Google hands back a token that can only be verified by the real Google.
The fake token would trip even Gawker's lax security giving you a clue that you have been duped.
If the Google token can only be verified by "the real Google", then Gawker can't tell a fake one from a legit one either.
Derp! Regardless, the real token is real once the attacker passed your credentials through the normal login routines. The attacker doesn't care about the token, the attacker cares about your username and password.
The login buttons aren't on the area available for people to post. (They are not within the posts themselves). As such, you can't sneak in your own hacker code to do what you propose. The posting engine limits just what you can post.
You're an idiot. Tons of sites have the "login" link on the same exact page you need to post from.
Look at Kotaku, a Gawker site. Comments are posted right below the main article, and you can type out your comment and hit submit, then get prompted with a login prompt. Each page also has an assload of "share" links, as well as the master "login" link.
Any page that has user-submitted content on it is potentially vulnerable to XSS attacks. One flaw in the commenting engine and it all goes to shit.
And of course, there's all the annoying ads on their sites, another potential vector.
Look, if it was this easy to break OpenID NOBODY would use it. Yet its gaining acceptance all the time. The GP was blowing smoke.
Look, if it was so easy to steal credit card information, NOBODY would use them.
People don't give a shit about security, they only want immediate access to fast food and mind-numbing social content. Ad-driven sites must cater to that desire above all else.
Since you're either retarded or willfully obtuse, I'll spell out one XSS scenario for you.
Go read up on OpenID and then come back and apologize for calling people names.
See also how Google does this.
1) Gawker puts a sign in with Gmail account button on the page.
2) You click that and a NEW HTTPS window shows up, sent to you by GOOGLE. (You do understand HTTPS don't you?)
3) You enter your Gmail address and password.
4) GOOGLE sends an encrypted token saying Yes/No and possibly your name back to Gawker.
5) Gawker waits for this token and validates it directly with Google.
Once you get hit by XSS the entire page containing that script can be altered, including that NEW HTTPS window, which is now sent to you by SOMEONE WHO IS NOT GOOGLE.
Thanks for trying, though.
What is the security risk? All Gawker gets is whether you were authenticated or not. They don't get access to your account or any of the nonsense FUD being spread around.
Tons of possible fuck ups can happen.
Since you're either retarded or willfully obtuse, I'll spell out one XSS scenario for you.
1) Attacker uploads malicious script to Gawker's site through a flaw in the commenting system.
2) The script replaces the standard "Login with your Google, Facebook, OpenID, or OtherBullshit account" block with a different one.
3) Users who log in don't notice any visible difference, and their credentials are sent off to the attacker.
4) The attacker doesn't want to get caught, so he also passes on the credentials to the legit servers and lets the login process normally.
5) You're fucked.
I'd prefer to see this plan executed successfully before trying it myself, thanks.
Why?
Just take a day off of your current job to do a circuit of interviews at random places.
Then sue the ones that took the bait.
You're not jeopardizing your employment by doing that. And hell, you may actually be offered a job better than your current one.
>People are going to buy anyways. No one actually needs to tell consumers to consume. Supply attempts to meet demand.
Many people would disagree with you. The US consumer confidence index, while in the rise, has been pretty damned low for the past few years. Unfortunately, the US economy is largely reliant on rampant consumerism. Lack of consumer confidence means consumers are less likely to spend money, less spending of money by consumers is bad for the US economy.
Oh look! It's the consumer confidence fairy! It doesn't exist. The vast majority of consumers don't think past next Friday. They never even consider the possibilities of losing a job, their retirement plans crashing, the market going tits up, etc. You can't peg a number to consumer confidence in the economy when 99% of consumers don't ever think about the economy.
Protip: Peace of mind doesn't exist either, but that won't stop them from trying to sell it.
Buyer's remorse and life crushing debt do exist, though.
"The first team to upload photographs of each of the five by noon eastern time on April 1 will win the competition"
I bet they've all got red and white striped shirts and big ol' glasses and have names that are "Waldo".