Slashdot Mirror


User: xxxJonBoyxxx

xxxJonBoyxxx's activity in the archive.

Stories: 0
Comments: 4,343

Comments · 4,343

  1. Link to actual research on Google Chrome Most Resilient Against Attacks, Researchers Find (helpnetsecurity.com) · · Score: 2

    Link to actual research:
    https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

    because Slashdot editors are lazy. More seriously, this paper appears to be a must-read if you're responsible for desktop or other end-user security. (The examples are great.)

  2. >> Massive 'Net Neutrality' Protest Next Week

    Are you sure? Usually we need a little more advance notice to do that for you.

    >> ordinary internet users to meet directly with their senators and representatives to tell their stories

    I don't think I've heard the phrase "internet users" in about 20 years. You might find that most people already in touch with their reps are already on the Internet, but sure, let's see what you dig up!

  3. "We only store EU member data on EU servers..." on Equifax Says Almost 400,000 Britons Hit In Data Breach (bbc.co.uk) · · Score: 1

    >> data on (400K) Britons was being held in the U.S. due to a "process failure"

    I suspect it would have been MORE Britons, but that Equifax only had data on 400K Britons.

    >> "We only store EU member data on EU servers..."

    (memebot: "Maury Povich": [anything Equifax says]: "our lie detector says that is a lie")

  4. 5-minute black screens - pansies! on HP Users Complain About 10-Minute Login Lag During 'Win 10 Update' (theregister.co.uk) · · Score: 4, Insightful

    >> We saw black screens for up to 10 minutes after our Windows 10 upgrade. (Sniff.)

    Did it come back AT ALL?

    >> Yes, but...

    Then I'd call it success. You won't find any sympathy from people whose computers refused to boot after a Windows 10 "upgrade".

  5. I have the same combination on my luggage! on Equifax Lobbied For Easier Regulation Before Data Breach (wsj.com) · · Score: 4, Interesting

    Until at least late 2016, there was this hardcoded into their mobile app (http://www.apkmonk.com/app/com.equifax/):

    UtilitiesHandler.java
                    static final String masterKey = "EqUiFaX2468";

    Not quite "1...1!...2....2!..." but it's pretty darn close.

    To be fair, I couldn't tell if it's actually ever used in the mobile app. It seems like the kind of intentionally stupid/obvious password-but-not-really-a-password string you'd leave hanging around in a file on the network if you were tuning your DLP. (The full Zip code of the company is 30309-2468 so the "plus 4" is probably where the ending came from.)

  6. Re:Copy of old Android mobile app on Equifax's App Has Disappeared From Apple's App Store and Google Play (fastcompany.com) · · Score: 1

    Yeah, there might be some clues in there. From a quick decompile:

    UtilitiesHandler.java
            static final String masterKey = "EqUiFaX2468";

    network/WebServiceConnection.java
            public static class HttpWebServiceCredentials {
                    public static final String API_KEY = "cbaADwLofedTCHMKihgtSyIPlkjqPMosonm";
                    public static final String API_PASSWORD = "cabdnF3Bfedv4ve4ihggXTJ0lkjey0r0omn";
                    static final String PARTNER_CODE = "WEB";
                    static final String URL_statefull = "http://sdlc37.atl.ec.equifax.com/mws/web/services/v4_2/PsolMemberStatefullPort";
                    static final String URL_stateless = "http://sdlc37.atl.ec.equifax.com/mws/web/services/v4_2/PsolMemberStatelessPort";
                    static final String VERSION = "4.2";
            }

            public static class HttpsWebServiceCredentials {
                    public static final String API_KEY = "cbaLacfrfedTKXgqihg4kzSklkjlJ3IBonm";
                    public static final String API_PASSWORD = "cbagnNz0fedMIJOSihgXkoe4lkj-LRouonm";
                    private static final String PARTNER_CODE = "WEB";
                    static final String URL_MERCHANT_statefull = "http://apst2lc9a001.app.c9.equifax.com:5106/mws/web/services/v4_2/PsolMemberStatefullPort";
                    static final String URL_MERCHANT_stateless = "http://apst2lc9a001.app.c9.equifax.com:5106/mws/web/services/v4_2/PsolMemberStatelessPort";
                    static final String URL_PRODUCTION_statefull = "https://www.econsumer.equifax.com/mws/web/services/v4_2/PsolMemberStatefullPort";
                    static final String URL_PRODUCTION_stateless = "https://www.econsumer.equifax.com/mws/web/services/v4_2/PsolMemberStatelessPort";
                    private static final String VERSION = "4.2";
            }

    Lots of inline calls like:

            public String createConsumerLoginRequest(String userName, String password) {
                    return "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ns=\"http://xml.equifax.com/services/psol/member/" + this.version + "\"><soapenv:Header />" + "<soapenv:Body><ns:login-consumer-request><version>" + this.version + "</version><web-service-credentials><partner-code>" + this.parterCode + "</partner-code><api-key>" + this.apiKey + "</api-key><web-service-access-token /><password>" + this.apiPassword + "</password><new-password /></web-service-credentials>" + "<member-credentials><user-name>" + userName + "</user-name><password>" + password + "</password><consumer-id /><consumer-access-token /><partner-code>" + this.parterCode + "</partner-code></member-credentials>" + "</ns:login-consumer-request></soapenv:Body></soapenv:Envelope>";
            }

  7. a16z looks like a junk site on Why Must You Pay Sales People Commissions? (a16z.com) · · Score: 4, Informative

    The source of the paid article is a16z.com, which sounds like a phishing site but it's actually some crappy VC's blog.

  8. Copy of old Android mobile app on Equifax's App Has Disappeared From Apple's App Store and Google Play (fastcompany.com) · · Score: 1

    I just downloaded a late 2016 copy of the Equifax Android app from here:
    http://www.apkmonk.com/app/com.equifax/

    Going to go see what's in there now.

  9. Equifax Corporate Officers on Equifax Blames Open-Source Software For Its Record-Breaking Security Breach (zdnet.com) · · Score: 4, Insightful

    >> is it the fault of Struts developers or Equifax's developers, system admins, and their management?

    None of the above. It's the officers on the corporate board, who demanded "cheaper" rather than "secure." The managers who carried out their demands (putting emphasis on cheap contractors vs. quality work and investment in patching dependencies) were just doing their jobs, the sysadmins really don't have much to do with it (if you know how Struts works) and the developers are pretty blameless because they either do what management told them or not eat.

  10. >> Tech people have always had more in common with artists than businessmen, so it's no surprise that techs prefer the artistic drugs over the businessman's drug (cocaine).

    This loser's a "27 year old VC". That pretty much means he was lucky enough to be sitting in the right place at the right time, has no real technical ability (otherwise he'd be out on the lecture circuit or picked up by a tech company to lead X, Y or Z), he's trying out the "businessman" thing (since investing and managing your investments is what VCs do), and he's failing (so he's about to blow his assets on drugs and/or bad investments).

    According to those criteria, he SHOULD be doing cocaine instead - there's no creativity to enhance here.

  11. We covered the dosing morons in an earlier article on Silicon Valley Avant-garde Have Turned To LSD in a Bid To Increase Their Productivity (1843magazine.com) · · Score: 1, Informative

    I thought we covered the dosing morons in an earlier article:
    https://yro.slashdot.org/story/17/05/16/0330245/uploadvr-had-a-kink-room-pressured-female-employees-to-microdose-alleges-lawsuit

    Long story short, if you need this crap to "perform", it's time to get out of the gene pool.

  12. Decentralization on Why RSS Still Beats Facebook and Twitter for Tracking News (gizmodo.com) · · Score: 5, Insightful

    Not sure if anyone else has pointed out that RSS is decentralized (like the good old web 1.0 sites that serve it up), and therefore not subject to the whims of an editor like Facebook or Twitter.

  13. Re:Is /. social media? on 67% of Americans Use Social Media To Get Some of their News · · Score: 1

    >> Is SlashDot social media?

    Can people add their thoughts/opinions and additional facts to the press releases, marketing blurbs and occasional actual reader submission that make up the "stories" here?

    >> Yes.

    Then...yes, SlashDot is social media. [Close: Solved]

  14. On that note, I'd be happy to take your Apple and Google(Alphabet) shares off your hands for 99.999% off. (Both companies are essentially marketing companies powered by a little tech.)

  15. At least 35.03% are wrong. on Executives Say AI Will Change Business, But Aren't Doing Much About It (axios.com) · · Score: 1

    >> Nearly 85% of the 3,000-plus executives surveyed expect AI will give them a competitive advantage

    I am quite certain that at least 35.03% of them are wrong.

  16. Test-drive where life is cheap? on India Just Might Be Getting a Hyperloop (wired.com) · · Score: 2

    Test-drive where life is cheap?

    And/or where you can sweep the peasants out of the way of progress.

  17. Reuse the cardboard boxes on Researchers Find New Way To Build Quantum Computers (reuters.com) · · Score: 1

    >> (Delivers heavy box with "Quantum Computer" printed on the outside.) Here's your new quantum computer!

    How can I be sure it works?

    >> That's what our Global Services are for. Gotta go!

  18. Re:Nobody ever died buying IBM on IBM Pitched Its Watson Supercomputer as a Revolution in Cancer Care. It's Nowhere Close (statnews.com) · · Score: 0

    >> IBM began selling Watson...three years ago. But is it really doing its job?

    Are the customers paying the bills we send them?

    >> Yes.

    Then...yes, it's doing its job.

  19. The aggregate job count is rarely the complaint on Workers: Fear Not the Robot Apocalypse (wsj.com) · · Score: 4, Insightful

    >> Throughout history, automation commonly creates more, and better-paying, jobs than it destroys

    The aggregate job count is rarely the complaint of existing workers and their families. It's that the new jobs get created somewhere else and often require skills that the original workers don't have, and that the workers don't feel like moving, don't want to retrain and/or are considered too old to retrain or hire. See "West Virginia" or most of America's near-inner cities for examples...

  20. Is DACA a law or a regulation? on The Trump Administration Has Announced the End of DACA -- Unless Congress Can Act To Save It (recode.net) · · Score: 4, Insightful

    It sounds like DACA was just a regulatory statement from the previous head of the executive branch. If so, it seems the current president can kill it, and is being extra-nice by at least offering a grace period.

    If you want things with the force of law, well then, pass LAWS, right?

  21. Re:PayPal issues Credit Cards on PayPal Debuts a Credit Card That Offers 2% Cash Back (bloomberg.com) · · Score: 5, Interesting

    Not quite. From TFA:

    >> PayPal is working with Mastercard Inc. and lender Synchrony Financial, the largest issuer of private-label credit cards, on its offer.

  22. The actual code of conduct on Node.js Forked Again Over Complaints of Unresponsive Leadership (thenewstack.io) · · Score: 1

    Here's the actual code of conduct:
    https://github.com/nodejs/TSC/blob/master/CODE_OF_CONDUCT.md

    I can see some problems with this CoC. For example, "trolling" is in the same league of "unacceptable behavior" as "derogatory attacks". One could also state that someone was "in violation of the CoC" by not "using welcoming and inclusive language"...enough.

    Maybe someone with more HR/legal background can pipe up, but perhaps what should be done is to break out the "you're being a jackwagon" behaviors from the "you're gonna get fired" behaviors, and then evaluate potential offenders against that. (Plenty of real world organizations thrive by successfully managing jackwagons, but very few are willing to carry a legal timebomb.)

  23. Eating the world, right? on Node.js Forked Again Over Complaints of Unresponsive Leadership (thenewstack.io) · · Score: 4, Funny

    >> forked again -- the second time in less than three years -- with...contributors charging that...leadership is ignoring repeated violations of the project's code of conduct

    Enterprise-ready and eating the world. Got it.

  24. Missing one important word on America Wasted $160 Million Trying To Get Afghanistan To Use E-Payments (vice.com) · · Score: 1

    >> Electronic payment systems

    Don't you need "electricity" for those? Seems like "instant fail" for this location...

  25. Re:GNOME? No, thanks! I refuse to use GNOME. on You Can Help Purism Build the Secure Open Source Linux-based Librem 5 Smartphone (betanews.com) · · Score: 3, Insightful

    >> On the surface, this offering sounds compelling. But X is a total deal breaker for me. I refuse to use any (thing I value) that uses X (as a default option).

    Your day job wouldn't happen to be "Republican Member of Congress", would it?