yes testdisk is great. It should be used on an image of the media, preferably a read-only image. Do NOT try to recover from the original media, if it's valuable to you
While in general this advice is good, it doesn't actually apply to testdisk. Testdisk does not restore in place (i.e. by "fixing" the filesystem's inodes and directory entries to point again to the files), but rather dumps the files it finds to another disk.
Actually, testdisk is filesystem agnostic, and recognizes the the data to be recovered by their signatures at beginning of file, and then works basically with the assumption (often true) that each file occupies a number of consecutive sectors. Assumption breaks down as soon as original filesystem was almost full, and files thus fragmented.
The hipsters will be fine, as the most likely setting falls back to the system DNS when TRR fails.
... which negates any purported security benefit from this "feature". All a malicious access point wanting to send you to phishing sites would need to do would be to block TRR.
Actually, the issue is much worse than just the admin being able to read intercepted https traffic.
These proxies make it possible for other rogue middlemen on the path to read the traffic too.
Indeed, as the corporate man-in-the-middle proxy is the only one to "see" the server's certificate, either he can blanket deny certificates that don't validate (such as self-signed, but with a fingerprint known and checked by end user), or blanket allow any certificate no matter how dodgy (seems to be the default behavior of most of these proxies)
Which means that third parties outside the company can spy on the traffic without any warning to show up anywhere.
Btw, a similar issue exists with those mobile apps that ask for your email password (social media, push notifiers, etc.): not only can the app's developer read and abuse your email, but so can everybody else who sits between the app developer's datacenter and your mail server, because typically these don't verifiy certificates before blurting your password over the line.
No. If they are using Yubikey (as in the picture next to the article), it's just a time- or counter based security token like those homebanking tokens that display a number when you press the key. Except that the Yubikey doesn't display it but emulates a keyboard, and "types" it in. If you're focused on a password field, you don't see the key. But if you're focused on an editor or a terminal you sure well can see it. The Yubikey is an input only device (only sends data to the computer) with no way of knowing at which URL you are.
you can't even spoof a web page for them to go to
Just make a web page with a password entry field, and tell user to press the key. That way user doesn't even have to read it out aloud.
However, there are more sophisticated devices out there. One bank I use has a device with a tiny camera. Their Website displays a QR code. You point the token at your computer screen, it reads the QR Code (challenge), and calculates/displays the response and comment (id of bank). Makes phishing almost impossible (user is supposed to get suspicious if he sees a different id in the comment than the website where he actually is).
Lots and lots of major websites use smart quotes. It's very common on news sites, especially. Not handling them gracefully is inexcusable.
Hmmm, but with the recent legal climate, it might not be so advisable to change Slashcode for the express purpose of facilitating "stealing" valuable content from news sites ("Leistungsschutzgesetz", etc.). Better find a different excuse.
... or maybe Slashdot could use a different string than âoe for smartquotes? Unicode character 0x1F4A9 might be appropriate:-)
Also, smart quotes often appear in pasted content,
In the present case, however, I doubt that the user had to copy-paste the word sync. 4 letters. It's quicker to type it.
so the problem is bigger than just people with defective browsers
And defective webservers (where people might copy-paste such content from). However, as far as I know, nowadays even Wordpress no longer does this nonsense. Other web servers still might. Or might pull similar stunts using CSS (transparent "glass" layer over whole page so that you can't paste anything). Best is to bring it to the webmasters' attention, so that he can update / change his software.
(This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)
Actually, now I notice it, he is one of these guys, with his weird misplaced trademark signs in his sentence... Quite understandable that his employer preferred to outsource IT to the cloud:-)
Well people who consider themselves at a particularly big risk of revenge porn might participate (after a nasty break-up, and where such pictures are known to exist and to indeed be in the hands of the vengeful ex). Might only be a small minority, but for these the risks of "sharing" the pictures with facebook might indeed be dwarfed by the risk of the ex to do something funny.
Why can't FB issue a utility to the users to process their own images and generate a hash for the images they don't want shown?
Comparing hashes would only find exact duplicates. Just crop two pixels to the left, or make the image slightly darker or lighter would break the hash.
Heck, even changing the metadata would break most hashes.
Quotation marks (0x22) and apostrophe (0x27) are in the Ascii set. And if iOS or Safari break them, how is that Slashdot's fault? Get a non-broken phone, or use your computer!
Well, even though ASCII is a subset of Unicode, and thus any ASCII text (such as yours) is technically also Unicode, I'd have strong doubts that Slashdot would break on that. Slashdot supports the subset of Unicode that is called ASCII just fine. And even the slightly larger subset Iso-Latin-9. Or else, all comments would be littered with these extraneous (TM) flags.
So methinks fortfive tried something funny there...
Hey, if "no longer needed" is a legitimate reason to return an item, does that mean it's ok to order an expensive TV set before the superbowl (or other sports event), and return it after the event? Or order an expensive gala dress, and return it after the party you wore it to? Or an air conditioner, and return it before winter (... to buy another one next spring...)? And I assumed that the crackdown on returns was targeting exactly those kinds of customers...
Maybe they should reword that choice as "arrived too late - no longer needed", which is probably what they intended.
Slashdot Mirror
Big Falcon rocket
In any case, if you say that quickly, without fully articulating, it sounds just like the real phrase :-)
... except the earth shook when she walked over ...
... and it shook so much that a bag of rice toppled over in China.
yes testdisk is great. It should be used on an image of the media, preferably a read-only image. Do NOT try to recover from the original media, if it's valuable to you
While in general this advice is good, it doesn't actually apply to testdisk. Testdisk does not restore in place (i.e. by "fixing" the filesystem's inodes and directory entries to point again to the files), but rather dumps the files it finds to another disk.
Actually, testdisk is filesystem agnostic, and recognizes the the data to be recovered by their signatures at beginning of file, and then works basically with the assumption (often true) that each file occupies a number of consecutive sectors. Assumption breaks down as soon as original filesystem was almost full, and files thus fragmented.
or old microwaves
Doesn't work. Put phone into microwave. Shut door. DON'T TURN MICROWAVE ON. Call phone. It rings.
When the bus master tells you to jump, it tells you when and how high.
And he will tell you to sit in the back. So we need to ban the term bus as well.
grep WMDs-in-Iraq /dev/kmem
will sure find some
First I have this question: does this research mean homeopathy and "memory of water" is true after all?
Please stop drooling while typing your slashdot comments. It drops on your keyboard, shorting it out, and this produces plenty of garbage characters.
The hipsters will be fine, as the most likely setting falls back to the system DNS when TRR fails.
... which negates any purported security benefit from this "feature". All a malicious access point wanting to send you to phishing sites would need to do would be to block TRR.
It's not the content, it's how you say it
Indeed.
I donâ(TM)t care
Heed your own advice. You look like a twat (TM).
but for possible perjury â" in a civil case.
You really do have a problem keeping the drool in your mouth while typing...
These proxies make it possible for other rogue middlemen on the path to read the traffic too.
Indeed, as the corporate man-in-the-middle proxy is the only one to "see" the server's certificate, either he can blanket deny certificates that don't validate (such as self-signed, but with a fingerprint known and checked by end user), or blanket allow any certificate no matter how dodgy (seems to be the default behavior of most of these proxies)
Which means that third parties outside the company can spy on the traffic without any warning to show up anywhere.
Btw, a similar issue exists with those mobile apps that ask for your email password (social media, push notifiers, etc.): not only can the app's developer read and abuse your email, but so can everybody else who sits between the app developer's datacenter and your mail server, because typically these don't verifiy certificates before blurting your password over the line.
the key is signed per url
No. If they are using Yubikey (as in the picture next to the article), it's just a time- or counter based security token like those homebanking tokens that display a number when you press the key. Except that the Yubikey doesn't display it but emulates a keyboard, and "types" it in. If you're focused on a password field, you don't see the key. But if you're focused on an editor or a terminal you sure well can see it. The Yubikey is an input only device (only sends data to the computer) with no way of knowing at which URL you are.
you can't even spoof a web page for them to go to
Just make a web page with a password entry field, and tell user to press the key. That way user doesn't even have to read it out aloud.
However, there are more sophisticated devices out there. One bank I use has a device with a tiny camera. Their Website displays a QR code. You point the token at your computer screen, it reads the QR Code (challenge), and calculates/displays the response and comment (id of bank). Makes phishing almost impossible (user is supposed to get suspicious if he sees a different id in the comment than the website where he actually is).
Lots and lots of major websites use smart quotes. It's very common on news sites, especially. Not handling them gracefully is inexcusable.
Hmmm, but with the recent legal climate, it might not be so advisable to change Slashcode for the express purpose of facilitating "stealing" valuable content from news sites ("Leistungsschutzgesetz", etc.). Better find a different excuse.
Also, smart quotes often appear in pasted content,
In the present case, however, I doubt that the user had to copy-paste the word sync. 4 letters. It's quicker to type it.
so the problem is bigger than just people with defective browsers
And defective webservers (where people might copy-paste such content from). However, as far as I know, nowadays even Wordpress no longer does this nonsense. Other web servers still might. Or might pull similar stunts using CSS (transparent "glass" layer over whole page so that you can't paste anything). Best is to bring it to the webmasters' attention, so that he can update / change his software.
A sign that Slashdot's text handling is pathetic.
No. It's a sign that the Anonymous Coward who wrote âoesyncâ is an idiot who shouldn't be trusted with a keyboard. Or a troll. Or both.
(This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)
Actually, now I notice it, he is one of these guys, with his weird misplaced trademark signs in his sentence... Quite understandable that his employer preferred to outsource IT to the cloud :-)
(This guy reminds me of those people that don't even manage to type a simple apostrophe, and then blame slashdot for it...)
All the other users don't indeed need to bother.
Why can't FB issue a utility to the users to process their own images and generate a hash for the images they don't want shown?
Comparing hashes would only find exact duplicates. Just crop two pixels to the left, or make the image slightly darker or lighter would break the hash. Heck, even changing the metadata would break most hashes.
But I'm sure, even by next year Apple won't have fixed this, and the iPhone will be as broken as it is now.
Quotation marks (0x22) and apostrophe (0x27) are in the Ascii set. And if iOS or Safari break them, how is that Slashdot's fault? Get a non-broken phone, or use your computer!
So methinks fortfive tried something funny there...
Why did you feel the need to flag every other word of your first sentence as a trademark? May I return those defective (TM) signs? :-)
Hey, go low on the trademarks. It's not because the discussion is about commerce that every other word is a trademark.
Maybe they should reword that choice as "arrived too late - no longer needed", which is probably what they intended.