The issue is that the web servers on these little CPEs, and also lots of just general intranet websites, is that they do not inspect the Host: header of the incoming HTTP request. So when someone DNS rebinds your initial request to evil.com, your browser sends this host to the CPE, and the CPE ignores it. Unfortunately, there's no good way to match a host header on a CPE management page because who assigns DNS for their internal networks? Geeks, that's who. No one else. So when you connect by IP address to your gateway, the host isn't even set at all.
This is one of those things that SSL certificates can solve. I learned two weeks ago here on slashdot, thanks to another poster, that you can get free level 1 SSL certificates signed by startssl.com. I got mine returned in about 2 hours, and had it working with 10 minutes of work. Granted, I am not going to be able to reprogram the proprietary CPE with an SSL certificate, but hopefully a few of you find this link useful and can get your hobby website running with SSL, like I was able to do.
Even though you can change the credentials of your website (CPE, wiki, accounting system with web interface), it's still very possible for someone to brute force these credentials. Anything that can be realized with javascript is possible.
The best solution is DNS pinning... your browser locks the website to the initial IP of a round-robin A record response. This is horrible for the general health of the Internet, but not a bad solution for people who wish to avoid these styles of attacks. Me, I'll take my chances with the attacks...
I predict that in a single year from now, the vast majority of browsers being run will be html5 ready; it's only been in the past few years that the browsers began self-updating; everyone wants html5, and so developers will be firmly able to count on it existing very soon.
Re:The Internet as mass appetites
on
The End of Free
·
· Score: 1
I found this insightful enough to save your post's id for later reference. It's a simple point but I believe that expounds its genius. I think this 1996ish delimiter deserves an official name. I have no suggestions.
When I ask questions on slashdot, I know 99% of the answers will not pertain or be useful. It's that beauty of an answer, that soul tuned into the same station, that gets what you're after and leads the way through the darkness.
What are my obligations as a human being to run an open proxy for IP addresses that come from China? (i.e. drop the rest of the IPs to keep freeloaders out); I am torn between the trouble *I* can get in for blindly proxying traffic, versus the feel good vibe from letting someone get onto the unfiltered net. Thoughts?
I can assure you (since we bothered making it in the first place!), that there are a lot of archived packets that require analyzing. It is this subset which we address. Live capture is simply a subset of packet sources. Also, we suck in capture files from other URLs, so any website can essentially spawn a packet viewer simply by linking their own URL as an argument to our site.
Where I work, we were really upset there was no way to use wireshark on the ipad. So we made cloudshark, and I bet a lot of other people are doing identical things -- the beauty of jQuery and other APIs like that is that you can replace 90% of a regular desktop app with a simple web page. There are probably tons of other examples of this sort of thing. There's all sorts of CSS hooks for ipad to accomplish the new modes of use, scolling, double fingers, et cetera. It's frankly very fun.
Oh you mean like I already pay for with netflix? That's neat I guess. I'll have Scully redundancy. Actually that started off as a burn but now.. I feel more comfortable... strangely.
I actually heard once that people with amateur radio licenses, if they can broadcast their callsign, such as in the SSID, are allowed to use the higher power outputs allowed to them than to those using simply the unlicensed spectrum. Has anyone else ever heard of this?
airports dont give dhcp leases to requests with the timer=0. they wait until it increases beyond this. so there's always a delay. check it out on the wire. (if your dhclient doesnt increment the counter, you never get an address from their dhcp server)
I certainly agree with your points on the inherent uselessness of a tree structure being used to map the way a human relates information together, but the issue is that this is the only structure available for the guy with the website to present the data. He's simply using directories. And some arbitrary ordering he uses may make perfect sense and be incorrect to everyone else. But he's sharing it for free, so he doesn't have to consider other people's models, unless he takes it personally.
My website is similarly bad, digitalsushi.com. I've been trying to think of a way to implement a tag cloud without using a database to store them. It's a difficult problem but I am always interested to hear other people's ideas on the concept.
I think it's unfair to suggest someone is too lazy to read up on a topic as broad as HCI, though. That's a serious topic to even casually become familiar with.
It's remarkable in that M.O. Scotty tells Geordi in that novel turned episode, Relics:
from imdb:
Lt. Commander Geordi La Forge: Look, Mr. Scott, I'd love to explain everything to you. But the captain wants this spectrographic analysis done by 1300 hours. Scotty: [thinks about it some time] You mind a little advice? Starfleet captains are like children. They want everything right now and they want it their way. But the secret is to give them only what they need, not what they want. Lt. Commander Geordi La Forge: Yeah. Well, I told the captain I'd have this analysis done in an hour. Scotty: How long would it really take? Lt. Commander Geordi La Forge: [annoyed] An hour! Scotty: [looks unbelieving] Oh. You didn't tell him how long it would REALLY take, did you? Lt. Commander Geordi La Forge: Of course I did. Scotty: Oh, laddie. You've got a lot to learn if you want people to think of you as a miracle worker.
NASA Young Guy: This thing should last for 6 years easy! NASA Old Guy: Er my young peer means it should definitely last for 90 days. Anything past 90 days is amazing.
This wave demo uses kinetic typography to make it (more) interesting. Google wave is interesting, but this cake was delivered with frosting I didn't ask for.
The best way to learn how to design is by trying it. Like anything worth learning, you can't cheat the process by reviewing some tips in a book. Maybe a book will give you some great insights, but the human brain isn't going to apply it until it tries it.
Solutions to things you learn the hard way turn memetic. The best ideas propagate quite a distance, end up in APIs and crud, but most of the things you learn stop after 0 hops, i.e. they dont ever make it out of your own brain. This is your custom brew, what makes you a good or bad designer, and is arguably the slop you evolve on the path to becoming a good designer.
I... I am in shock right now, truly disturbed... I have debated whether to even post this horrific discovery.. but I just found out, just now, that out of all of the world's sexy people, every single one of them was at one point a disgusting, unsexy child. I know, it's true! My buzz, it has been murdered.
Well for starters, I can email you a joke of the day and log whether you've been to the craigslist personals lately. Your wife might not like knowing that.
The odds are low that she's being subjected to hormone therapies that have birth control as a side effect, since a significant portion of females use it to relieve symptoms such as cramping and to reduce ovarian cysts. She does it for herself to keep healthy.
You sound like a porn addict subjugating fantasy to reality.
Slashdot Mirror
The issue is that the web servers on these little CPEs, and also lots of just general intranet websites, is that they do not inspect the Host: header of the incoming HTTP request. So when someone DNS rebinds your initial request to evil.com, your browser sends this host to the CPE, and the CPE ignores it. Unfortunately, there's no good way to match a host header on a CPE management page because who assigns DNS for their internal networks? Geeks, that's who. No one else. So when you connect by IP address to your gateway, the host isn't even set at all.
This is one of those things that SSL certificates can solve. I learned two weeks ago here on slashdot, thanks to another poster, that you can get free level 1 SSL certificates signed by startssl.com. I got mine returned in about 2 hours, and had it working with 10 minutes of work. Granted, I am not going to be able to reprogram the proprietary CPE with an SSL certificate, but hopefully a few of you find this link useful and can get your hobby website running with SSL, like I was able to do.
Even though you can change the credentials of your website (CPE, wiki, accounting system with web interface), it's still very possible for someone to brute force these credentials. Anything that can be realized with javascript is possible.
The best solution is DNS pinning... your browser locks the website to the initial IP of a round-robin A record response. This is horrible for the general health of the Internet, but not a bad solution for people who wish to avoid these styles of attacks. Me, I'll take my chances with the attacks...
I predict that in a single year from now, the vast majority of browsers being run will be html5 ready; it's only been in the past few years that the browsers began self-updating; everyone wants html5, and so developers will be firmly able to count on it existing very soon.
I found this insightful enough to save your post's id for later reference. It's a simple point but I believe that expounds its genius. I think this 1996ish delimiter deserves an official name. I have no suggestions.
When I ask questions on slashdot, I know 99% of the answers will not pertain or be useful. It's that beauty of an answer, that soul tuned into the same station, that gets what you're after and leads the way through the darkness.
Where is today's huge breakthrough announcement?
What are my obligations as a human being to run an open proxy for IP addresses that come from China? (i.e. drop the rest of the IPs to keep freeloaders out); I am torn between the trouble *I* can get in for blindly proxying traffic, versus the feel good vibe from letting someone get onto the unfiltered net. Thoughts?
I can assure you (since we bothered making it in the first place!), that there are a lot of archived packets that require analyzing. It is this subset which we address. Live capture is simply a subset of packet sources. Also, we suck in capture files from other URLs, so any website can essentially spawn a packet viewer simply by linking their own URL as an argument to our site.
Where I work, we were really upset there was no way to use wireshark on the ipad. So we made cloudshark, and I bet a lot of other people are doing identical things -- the beauty of jQuery and other APIs like that is that you can replace 90% of a regular desktop app with a simple web page. There are probably tons of other examples of this sort of thing. There's all sorts of CSS hooks for ipad to accomplish the new modes of use, scolling, double fingers, et cetera. It's frankly very fun.
Oh you mean like I already pay for with netflix? That's neat I guess. I'll have Scully redundancy. Actually that started off as a burn but now.. I feel more comfortable... strangely.
I actually heard once that people with amateur radio licenses, if they can broadcast their callsign, such as in the SSID, are allowed to use the higher power outputs allowed to them than to those using simply the unlicensed spectrum. Has anyone else ever heard of this?
Agreed -- just imagine doing the proof on anything else and discovering the tattoo had an invalid predicate!
http://www.funatiq.com/images/crazy-math-tattoo.jpg
How could it be a mistake?
just ran a quick dig in the terminal on my mac... captured the results with wireshark and put the evidence on cloudshark.org:
airports dont give dhcp leases to requests with the timer=0. they wait until it increases beyond this. so there's always a delay. check it out on the wire. (if your dhclient doesnt increment the counter, you never get an address from their dhcp server)
KHAAANADA.com
I certainly agree with your points on the inherent uselessness of a tree structure being used to map the way a human relates information together, but the issue is that this is the only structure available for the guy with the website to present the data. He's simply using directories. And some arbitrary ordering he uses may make perfect sense and be incorrect to everyone else. But he's sharing it for free, so he doesn't have to consider other people's models, unless he takes it personally.
My website is similarly bad, digitalsushi.com. I've been trying to think of a way to implement a tag cloud without using a database to store them. It's a difficult problem but I am always interested to hear other people's ideas on the concept.
I think it's unfair to suggest someone is too lazy to read up on a topic as broad as HCI, though. That's a serious topic to even casually become familiar with.
http://hackipedia.org/About%20this%20site/Your%20hackipedia%20web%20design%20sucks.txt
just sayin'.
Some people watch M.A.S.H. for the second half of their life, this is no weirder
It's remarkable in that M.O. Scotty tells Geordi in that novel turned episode, Relics:
from imdb:
Lt. Commander Geordi La Forge: Look, Mr. Scott, I'd love to explain everything to you. But the captain wants this spectrographic analysis done by 1300 hours.
Scotty: [thinks about it some time] You mind a little advice? Starfleet captains are like children. They want everything right now and they want it their way. But the secret is to give them only what they need, not what they want.
Lt. Commander Geordi La Forge: Yeah. Well, I told the captain I'd have this analysis done in an hour.
Scotty: How long would it really take?
Lt. Commander Geordi La Forge: [annoyed] An hour!
Scotty: [looks unbelieving] Oh. You didn't tell him how long it would REALLY take, did you?
Lt. Commander Geordi La Forge: Of course I did.
Scotty: Oh, laddie. You've got a lot to learn if you want people to think of you as a miracle worker.
NASA Young Guy: This thing should last for 6 years easy!
NASA Old Guy: Er my young peer means it should definitely last for 90 days. Anything past 90 days is amazing.
This wave demo uses kinetic typography to make it (more) interesting. Google wave is interesting, but this cake was delivered with frosting I didn't ask for.
The best way to learn how to design is by trying it. Like anything worth learning, you can't cheat the process by reviewing some tips in a book. Maybe a book will give you some great insights, but the human brain isn't going to apply it until it tries it.
Solutions to things you learn the hard way turn memetic. The best ideas propagate quite a distance, end up in APIs and crud, but most of the things you learn stop after 0 hops, i.e. they dont ever make it out of your own brain. This is your custom brew, what makes you a good or bad designer, and is arguably the slop you evolve on the path to becoming a good designer.
You must not have relatives that are bad at the computers.
I... I am in shock right now, truly disturbed... I have debated whether to even post this horrific discovery.. but I just found out, just now, that out of all of the world's sexy people, every single one of them was at one point a disgusting, unsexy child. I know, it's true! My buzz, it has been murdered.
Well for starters, I can email you a joke of the day and log whether you've been to the craigslist personals lately. Your wife might not like knowing that.
The odds are low that she's being subjected to hormone therapies that have birth control as a side effect, since a significant portion of females use it to relieve symptoms such as cramping and to reduce ovarian cysts. She does it for herself to keep healthy.
You sound like a porn addict subjugating fantasy to reality.