Slashdot Mirror


User: datajack

datajack's activity in the archive.

Stories: 0
Comments: 120

Comments · 120

  1. Re:Hasnt this been out for a long time? on Humble Bundle Launches Online Store For Games · · Score: 1

    A big differentiator for me is that GoG (as great as they are) do not, despite many requests, support Linux.

    Humble Store gives a nice place to purchase Linux indie games without going through Steam.

  2. Re:Premptive STFU to GPL haters on German Court Finds Fantec Responsible For GPL Violation On Third-Party Code · · Score: 2

    I was going to say pretty much the same thing. I would imagine that Fantec are now looking to sue whoever supplied those components to them.

  3. Re:Session Fixation? I don't think so. on Twitter, Hotmail, LinkedIn, Yahoo Open To Hijacking · · Score: 2

    They aren't talking about any method of gaining access to the cookie, just demonstrating what you can do once you have, somehow, magically, gained the information. May as well demonstrate what you can do if the victim tells you their passwords.

  4. Session Fixation? I don't think so. on Twitter, Hotmail, LinkedIn, Yahoo Open To Hijacking · · Score: 5, Interesting

    I didn't think my opinion of SC magazine could get any lower, then they publish this!

    Despite what TFA says, this is not a session fixation vulnerability, this is simple session hijacking - with the willing cooperation of the 'victim'.

    Session Fixation (for those who don't know the term) does not involve stealing the victim's session cookie at all. It is precisely the opposite :-
    * The attacker connects to the service without authenticating but creating an application session.
    * The attacker accesses the newly created session cookie and somehow (using whatever other vulns or methods available to them) manages to inject that into the victim's browser before they have logged into the target system.
    * The victim accesses the target system. Their browser supplies the injected session cookie to the server and it is accepted as an existing session.
    * The victim logs in. If the target system is vulnerable to fixation, the victim has just authenticated the session that the attacker created.

    The protection against this is for the server to destroy the currently active session and create a new one at the point of successful authentication.

    Whilst there are mitigation techniques against session hijacking, they all have their own complications and problems and have varying degrees of effectiveness.
    Keeping the session id cookie a secret between the user and server is a fundamental part of web security and a failure at this level has not been demonstrated here.
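
The server-side defence described in the comment above (discard the pre-login session and issue a new id at successful authentication), as an added example that is not part of the original comment. The `SessionStore` class, its method names and the user "alice" are hypothetical, and credential checking is assumed to have already succeeded before either login method is called.

```python
import secrets


class SessionStore:
    """Toy in-memory server-side session table (constructed for illustration)."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": name or None}

    def get_or_create(self, sid=None):
        # A presented id that the server already issued is accepted as an
        # existing session; anything else gets a fresh anonymous session.
        if sid in self.sessions:
            return sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        # Fixation-prone: the pre-login id is kept and marked authenticated.
        self.sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # Destroy the pre-login session and issue a new id at successful auth.
        data = self.sessions.pop(sid, {})
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {**data, "user": user}
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def simulate(login_method_name):
    """Return (user seen via the pre-login id, user seen via the post-login cookie)."""
    store = SessionStore()
    fixed_sid = store.get_or_create()            # id issued before any login
    victim_sid = store.get_or_create(fixed_sid)  # browser presents that same id
    victim_sid = getattr(store, login_method_name)(victim_sid, "alice")
    return store.whoami(fixed_sid), store.whoami(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", simulate("login_vulnerable"))
    print("hardened:  ", simulate("login_hardened"))
```

With the hardened login, the id that existed before authentication no longer maps to any session, so only the newly issued cookie carries the authenticated state.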

  5. Re:MythTV on Ask Slashdot: IPTV Service In the UK? · · Score: 1

    Freesat is a no-go for me - Dave is my comfort channel ;) Also TVs that do DVB-S are a lot less common & more expensive than those that just do DVB-T. TV Aerial plus Ethernet in every room I would ever need a TV seems the best option to me. As the price was almost negligible in comparison to all my other moving & renovation costs, it just wasn't worth doing myself.

    BTW, even interior electrics need to be certified by a qualified electrician now. My list of electrical horrors (excluding the expected old/knackered fittings and consumer unit) included :-

    * Electrical appliances hard-wired to the mains via the back of plug-sockets (replaced with proper switches).
    * Wall plug-sockets wired to the lighting ring.
    * Earthing problem on mains ring (requiring a perfectly good wooden floor to be ripped up)
    * Broken mains ring (ended up having to drill out through the back of the house and back in elsewhere to avoid having to rip out half of the kitchen)
    * Lighting ring switches wired incorrectly.

    Please don't mention the plumbing.

  6. Re:MythTV on Ask Slashdot: IPTV Service In the UK? · · Score: 1

    There's no f-ing way I'm getting on the roof!

    Even if I did feel confident enough to go up on the roof without breaking my neck, I would have still got someone in to do it, and laziness does not come into the equation. I did not have the time to :-

    * Research and source a decent antenna (for what should be a one-time job)
    * Figure out the way to actually mount the thing securely (for what should be a one-time job)
    * Learn how to align it and get the tools to do so (for what should be a one-time job)
    * Do it all again when I realise I have fitted it wrong/got the wrong antenna/booster etc.

    Earlier I had an electrician in to re-wire most of the house (good job as it turned out that much of the place was a death-trap) and I had him run data cables and TV coax to the attic for me as it clearly makes more sense to only rip chunks out of the wall the once (yes, I did the cable termination and panels myself). It sounds as though we have similar set-ups.

    If you consider that time and effort = money then quite often it makes good economic sense to get a professional in to do the work. I can then use the time to do more productive work. A massive portion of the economy is based on this premise.

  7. Re:MythTV on Ask Slashdot: IPTV Service In the UK? · · Score: 2

    Yeah, that's doable. The extra Myth layer will handle the tuning selection of input card and will function as a network based PVR to boot. It will support DVB-S and C too (though you'd be pretty much on your own in getting DVB-C to work in the UK as Virgin Media are basically the only provider here and they keep things locked up).

    Freesat is a good choice, but doesn't have channel 'Dave' which is on Freeview.

  8. MythTV on Ask Slashdot: IPTV Service In the UK? · · Score: 1

    You don't specify if your TV point is an aerial or a cable installation. If it's a cable, you will need to play by their rules for that point.

    In most cases, getting an aerial fitted isn't that expensive. When I moved into my current house, I had the old one totally removed and replaced and got a nice signal booster and six way splitter all professionally supplied and fitted for less than £100.

    If you'd be happy with the Freeview channels, plug your aerial into a box running MythTV and then use a WLAN to get TV wherever you want in the house.

    I'm not sure about your other mentioned channels.

  9. Re:drawbacks for $129-$389? on IronKey Releases Windows 8 Certified Bootable Flash Drive · · Score: 4, Informative

    It's an Ironkey. The encryption is in hardware. The quoted speed is with the encryption.

  10. Re:The real story... on UK Gov't Official Advises Using Fake Details On Social Networks · · Score: 1

    I'm confused that a politician actually understood the issues before spouting off - isn't that illegal?

    Very few sites get my real details, but he missed a few other important ones .. banks and insurance companies get correct personal details. I also find it useful to give shops and delivery companies my address but nothing much else.

  11. Re:Not publicly routed doesn't mean unused on UK Government Owns 16.9 Million Unused IPv4 Addresses · · Score: 1

    Most / all of them. A network like the GSI is intended to link and provide services to a large number of separate and autonomous organisations, not all of whom are government organisations or had plans to join the network when their own internal networks were developed. Therefore the use of RFC1918 addresses is unsuitable.

    The Wikipedia article talks of the GSI and I would assume that the AC above has a connection to the GCSX. Many other such national networks for varying different uses also exist. I believe that many of them are in the 51 block.

  12. Re:Found it when googling for dropbox alternatives on Ask Slashdot: Building a Personal FOSS Cloud? · · Score: 2

    That's on their site. The one where you download the software from. The point of his question was how to store data on your own site.

    Download and install owncloud, and there's no sign of googleapis.

  13. Re:if they ever get the change to do so on The Netherlands Rejects ACTA, and Does One Better · · Score: 1

    Gah! I didn't even notice the typo.

    I think I'll take this as my cue to leave the keyboard as I clearly need more tea.

  14. Re:if they ever get the change to do so on The Netherlands Rejects ACTA, and Does One Better · · Score: 0

    I think that the 'if they get a chance' condition was actually implying that ACTA may not get passed by the EU at all, therefore the Dutch won't get a chance to block something that isn't happening.

  15. Re:Not exactly... on Researchers Can Generate RSA SecurID Random Numbers Flawlessly · · Score: 5, Informative

    The server cannot 'recover' the seed from the serial number.

    When you buy hardware tokens, you are supplied with a copy of the seeds, associated with the token serial numbers, to import into the server. The SecurID scheme is time based. What is recovered through supplying the serial number and two token-codes (combined with the existing knowledge of the seed) is the current state of the token's internal clock.

    The serial number printed on the back of the token is NOT the seed. It is not (to the best of my knowledge and trust in RSA) related to the seed in any way other than the mapping held in the database of the server.

    This story is purely sensationalist. The SecurID algorithm has been known for a long time; that token codes can be generated when the seed is somehow compromised is a non-issue. That a software token seed can be recovered given full access to the host is also obvious to anyone reasonably aware of the realities of cryptography.

  16. Re:So he was done on a technicality? on Manchester's Self-Described 'Internet Troll' Jailed For Offensive Web Posts · · Score: 2, Insightful

    Instead they've had to resort to the telecoms act to catch him.

    He was targeting and harassing people via a telecommunications system. Part of our telecommunications laws specifically deal with that situation.

    I can't see how that is anywhere near being a technicality.

  17. Re:Have you tried HD downloads? on Xbox Head Proclaims Blu-ray Dead · · Score: 1

    Yes, my comment was a little tongue in cheek but the fact remains that it's also far from the sharpness and detail that TV salesmen are using to sell HDTV.

  18. Passed by as a /High Definition/ format? on Xbox Head Proclaims Blu-ray Dead · · Score: 4, Insightful

    The point of HD is high quality, right?

    So, in which fantasy land do these streamed or downloaded films match the 20-30Mb/s data rate of playing a film off Blu-Ray? Or have they managed to invent some magical new codec that's ~10x as efficient as what you find on disk without losing quality?

    Enjoy downloading your high resolution but blocky and fuzzy mess. I'll stick to a high quality, sharp picture thanks.

  19. Re:GOG was great, but Steam is easier on DRM-Free Games Site GOG.com Gone · · Score: 3, Insightful

    Sure, one day in the hypothetical future Valve's servers could disappear, leaving you unable to play your games any more. This is no different from non-DRM-encumbered games you own on physical media, which could stop working at any time due to loss of or damage to the CDs.

    Wrong. There is one big difference.
    It's a thing that is becoming more and more fashionable to ignore and pretend doesn't exist. It's called responsibility.

    Looking after my copies of my games bought from GOG is my responsibility. I have all the tools at hand to protect against any loss of data. If one copy is lost or damaged, I have a backup copy (which I can then use to make another copy just in case I have another accident). If something happens to that data, it's my fault and my problem.

    If Steam (or whatever other service) goes away or is taken away, it's someone else's fault but my problem.

  20. Re:You kiddin, right? on Ubisoft's Constant Net Connection DRM Confirmed · · Score: 1

    The pirates will find a way around that. Either by patching out the code that continually checks for the servers or runs a dummy 'Ubisoft Server' on your local system - more likely some combination of both.

  21. Re:Consultation: where? on BBC's Plan To Kick Open Source Out of UK TV · · Score: 2, Informative

    The last one was here

    http://www.ofcom.org.uk/tv/ifi/tvlicensing/enquiry/ofcom_bbc.pdf

    Not too sure what is actually going on with the second round yet.

  22. Re:OFCOM! Flipping useless! on BBC's Plan To Kick Open Source Out of UK TV · · Score: 1

    This is a second consultation because OFCOM have already told the BBC where to go over this.

  23. Re:BBC not the guilty party on BBC's Plan To Kick Open Source Out of UK TV · · Score: 1

    This consultation is about the infrastructure of by far the biggest broadcast TV network in the UK. The BBC have a massive amount of power here should they choose to use it.

    Play by the rules or have very little exposure in the UK. Simple as that.

  24. It's the wrong question.. on BBC's Plan To Kick Open Source Out of UK TV · · Score: 1

    The problem isn't that the BBC is planning to 'block open source', it is that the BBC is planning to block open access. It's a subtle but important difference.

    The BBC is different from almost any other company, it is a bizarre mash-up of private and public sector and as such its primary concern is not profit but value to British citizens.

    The first question that should be asked (and the one I think OFCOM asked the first time around) is 'how does this benefit the British consumer?'. It is quite clear that the encryption does not bring any benefit over not encrypting it to the average British consumer. In fact the opposite is true as there are then artificial restrictions and limits on the equipment that people can buy.

  25. Re:First Paragraph on The 87 Lamest Moments In Tech, 2000-2009 · · Score: 2, Insightful

    mostly fairly minor consequences of the vast majority of non-mission critical computers thinking it's the wrong date

    Taken individually and in isolation, it is true that the problem with many such systems is trivial. However, many of these trivial systems feed into or from other trivial systems and this makes the system viewed as a whole rather complex. It is extremely difficult to predict the outcome of even a simple looking system (see Conway's game of life for example) so there was no telling what would or could happen with all of these non-critical systems suddenly hitting faulty data. As close to feasibly possible to 'all of it' had to be fixed because otherwise there would be too many unknowns that could come back to bite us later.