Some bright spark noticed his TFN in the URL the day they launched their new service and changed the number only to find that it gave him access to someone else's data.
Really? They should have fired the webmaster for both putting that sensitive of information in the URL query string (HTTP GET), and for not managing sessions in the authentication process. It amazes me the query string vulnerabilities these sites have these days - the other day I pulled the /etc/passwd file from a guitar tab website (don't judge me) because I noticed the path in the query string to the ascii tabs used in the shtml, which a little directory traversal and lack of permissions aided. A few nodes requesting /dev/urandom could have crashed the whole fucking server because of the stupid webmaster!
Yes, in 2000 we had no php or asp.net session management like we do today (where a 3 year old with the proper training could code a secure session), but we had perl, C, and even Java, so lack of a babying framework is no excuse for lack of security, especially something as obvious as that! It's just one of those raw nerves to me!
I'm pretty sure that there's a similar situation in the US.
Dear lord I hope not. If my information is still to this day in 2009 retrievable via changing a query string parameter (or cookie, or directory traversal, or even shell code via some obscure method) then I swear I'm going to start my own country, where we manage our own servers so little script kiddies can't harvest information that easily (not really, don't need treason charges :).
But seriously, especially if working with secure information retrievable publicly, please secure your site and check for server vulnerabilities and all (php registered globals, etc.). Sorry for all of that but it just absolutely bugs me when a simple bad web app can bring down information, security, or even a whole server deployment. That's all.
</rant></rave>
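Added example (not from the comment or from the site it describes), in Python: the query-string lookup the comment complains about beside a handler that takes the identifier from the authenticated session instead, plus a root-bound path check of the kind that would have stopped the tab-file traversal. The record data, the session store and the /srv/www/tabs document root are constructed for the example.

```python
from pathlib import Path

# Constructed sample data: records keyed by TFN, and a session store that
# maps a session id to the TFN of the user who actually logged in.
RECORDS = {"123456782": {"name": "Alice"}, "987654321": {"name": "Bob"}}
SESSIONS = {"sess-alice": "123456782"}


def lookup_vulnerable(query):
    """The pattern in the comment: whatever TFN sits in the query string is served.

    Changing the number in the URL returns someone else's record (an insecure
    direct object reference); the server never asks who is asking.
    """
    return RECORDS.get(query.get("tfn"))


def lookup_hardened(session_id, query):
    """Derive the identifier from the session; never trust the one in the URL."""
    tfn = SESSIONS.get(session_id)
    if tfn is None:
        return None  # not authenticated
    # A client-supplied identifier that disagrees with the session is a probe:
    # deny it (and, in a real app, log it) rather than silently honouring it.
    if "tfn" in query and query["tfn"] != tfn:
        return None
    return RECORDS.get(tfn)


# Assumed document root for the tab files; resolved once so symlinks in the
# root itself do not confuse the containment check below.
TAB_ROOT = Path("/srv/www/tabs").resolve()


def safe_tab_path(user_path):
    """Resolve a query-string path inside TAB_ROOT; None if it escapes the root.

    Both '../../etc/passwd' and an absolute '/etc/passwd' resolve outside the
    root and are rejected, which is the check the guitar-tab site was missing.
    """
    candidate = (TAB_ROOT / user_path).resolve()
    try:
        candidate.relative_to(TAB_ROOT)
    except ValueError:
        return None
    return candidate
```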
NOW I see how botnets are so easy to do on Windows. Just hand the code to a widely-distributed network protocol or some RPC, and boom I have male enhancement spam in all of my inboxes. How could I have missed this?
Now suddenly this is redundant. Does slashdot really even need a Science category? I mean really, this joke was perfect, it must be the batch of mods we got today. Keep up the good work, slashdotters!
Hmm, thanks for that little tip. I still have the leaked NT code from around 2004, and linking to that (granted it remained the same) might just be a good practice for some POSIX-esque cross-windows features, perhaps even undocumented, in future apps. Thanks!
Playstation Home has worse content/comments (thanks to the human players) than some GTA stories. Yeah, the ESRB can say "online experience may change", but case in point - it's not rated T, yet contains bad content. Just proof that the labels, censorship, and this BS bill really can't stop every little thing kids get exposed to, but come on - can you really expect kids to not be drawn to something so censored from their lives? Hell I know I did everything I could to find a playboy back in the day...
The whole case screams FAILURE to me, as this has been around for quite a while (pre-patent) and ACLs have more implementations than we could list. They are going after AV vendors, and I fail to see how heuristics violates an ACL/permissions patent.
On an unrelated note, all of the fucking trolls on this page made firefox crash, followed by my X server (I had no swap file at the time). The trolls on /. are getting worse, I think I need to send some patches to the slashcode team.
I completely agree. No matter how many times I've told people my signature was part of a larger cmd.exe prank, I was hiding the fact that I accidentally used that code for the real cmd.exe back when I was on the Microsoft NT team. It got me fired, because after the code shipped and users were complaining about freezing batch files, I was fired and since then I have burned my copy of The C Programming Language and started my own company.
My company is devoted to abandoning C, and we write device drivers in pure Java. We are also working on an operating system, codenamed "pleasework", coded from the ground up in java - we already have a GUI and everything, and are now just getting the BIOS and bootstrapping code to work, where we seem to have some trouble. Sadly, my company will be filing for chapter 11 bankruptcy pretty soon, and truth be known none of our Java device drivers have worked, and our OS team members keep leaving, saying the project is "impossible", although some tell me to use JNI, which is nothing but C again.
If things don't get better, I'll have to start another company, maybe this time writing drivers in Perl, but I completely agree - C should never be used, not in userland apps, drivers, operating systems, bootstrappers, or anything.
</sarcasm>
There are jokes on slashdot we "get" everyday without seeing - mainly Futurama quotes in the HTTP headers. I've known about this for a while, and before I discovered that (very useful) nwtools.com site, I would just telnet port 80 to get them. On that note, anyone know of a good futurama video site?
Gtk? Ugh. Why not write the whole damn thing in Python with tkinter and just write a webkit interface for the python app? Then, when webkit changes, just update a DLL/shared library, and use Py2Exe or something similar for Win deployment.
A little competition is a good thing. Though I do have to say that opening up their platform for custom user extensions was a brilliant move by Mozilla.
Yeah, nevermind that Google funds the Mozilla project. That's like saying that Sun's StarOffice is good competition for OpenOffice, except the two browsers aren't made by the same company, just funded like it.
It's too bad every time I call Linksys/Cisco (get ready for the irony), I get an Indian person I can't wholly comprehend. Not that I have anything against English-speaking people from India, but most of the time I can only understand two out of every five words they say, which is really bad for service calls.
For me, cheating on the Cisco certs was using Dynamips (Cisco 7200 emulator) to load a Cisco IOS image from the pirate bay and studying for them from home, only touching the huge books for practice exams, etc.
It's great for just configuring one router, but college still played a huge role for testing a whole "virtual internet" of routers, since I lacked the funding for such a setup at the time (again, college being the keyword here). I'm due up for taking the exam again pretty soon, so I might have to dig out the images again.
Look, nobody calls book publishing "Alpha/numeric character distribution".
Am I wrong for naming content by its content (MIME) type? My mother asked if I would send her pictures of my vacation, and I told her "yep, I'll have those image/jpegs to you in a multipart/mixed by Saturday", then she called me a human/x-weirdo and I modem/NO-CARRIER'd her! We haven't spoken since, but at first I thought you were her posting AC before I noticed your improper labeling of publish/multichar so you couldn't possibly be her. Besides, a human/female on http://slashdot.org./article.pl? No way!
Well even if I would take so many pictures on my camera that I'd need twice the size of the library of congress to hold them all, not too happy about some proprietary filesystem (assuming it isn't ro/rw on all platforms yet).
But still, I would buy one just so I could take it out of my pocket whenever I was having a problem so I could say, "Well, this was possible, so...." despite never using it.
</humor></criticism>
Re:Doctors, Researchers, Get Your Brains, Quick! (on More Brains Needed; Score: 4, Funny)
For some reason, my tired eyes read that as "someone programming in D", and I thought to myself, "When did D become a huge hax0r language all of the sudden?" Because everyone knows the real black hats use M!
Then boy, do I have news for you that you ain't gonna like: Mac OS X Leopard on PC hardware!
:)
(Sorry I couldn't help feeding the trolls, but I think their head will explode after reading that)
Hmm, after re-reading my own comment, I just remembered I have a piece of malware code in my .sig...
Not during the 5th grade I bet. Besides, this is /..
It depends on if Python can actually fork() on Windows yet without using Cygwin.
What we have is non-living, but we've been able to show that it has some life-like properties, and that was extremely interesting
I bet robots would fascinate these people.
(Score: -2, ineedthisjob)
People actually visit the linked articles? Astounding...
Somebody typed all of that?
Are you aware they have video conferencing software? That seems more likely than a phone and video recorder. Sheesh.
Hey, I resemble that remark!
...pulling a D in Programming 101...