Slashdot Mirror


User: The+MAZZTer

The+MAZZTer's activity in the archive.

Stories
0
Comments
2,451

Comments · 2,451

  1. Re:Cheap since it closed loop on Steam Stealer Malware Becomes Extremely Sophisticated, Remains Very Cheap (securelist.com) · · Score: 1

    Valve does not reverse exchanges as it can be difficult to do so. Scammer trades item to unsuspecting Player A, Player A trades that item and something else to Player B, Player B sells it to Player C on the market...Player B's unrelated item he got is traded to Player D... The Scammer sells his account with Player A's stuff on it for real money... and it just gets more convoluted from there. Valve has tended to just duplicate the affected items instead but this has been abused by people who fake being scammed to get free duplicates. So Valve no longer reverses or duplicates items; they instead have put any account not using 2FA under a strict lockdown with a two-week delay before any attempted market or trade is allowed to take effect (if you're friends with the guy you're trading with, it's only 1 day) giving users a chance to spot their account being emptied before they lose everything.

  2. "Proprietary"? "Locked down"? on Google Launches Android N Developer Preview And Beta Program (engadget.com) · · Score: 1
  3. Re:Gee, you don't suppose respondents lie? on Many Surveys, About One In Five, May Contain Fraudulent Data (sciencemag.org) · · Score: 1

    Google does the whole survey thing with its Google Opinion Rewards app, with Google Play Store credit as an incentive. They address this problem by asking you a bogus question like "Have you been to any of the following locations recently?" and then listing locations that do not exist. If you answer in the affirmative, they know you're lying and cut you off from surveys in the future.

  4. Re:And there you are... on HTTP GZIP Compression Leaks Data On the Location of Tor Web Servers · · Score: 2

    This is not a problem with Tor. This is the server operator failing to properly anonymize their server.

    It's like if I go and download and use the Tor Browser, but then fall victim to a phishing scam and give out personal information while using it. Tor will anonymise your connection to websites perfectly fine, but you the user are leaking information about yourself and Tor can't do anything about that. This is the same kind of issue.

  5. Re:What Is it? on IBM Bequeaths the Express Framework To the Node.js Foundation (thenewstack.io) · · Score: 4, Informative

    node.js is a console-based JavaScript interpreter based off of Chrome's JavaScript engine. So you can basically write cross-platform (Windows, Mac, Linux) desktop console apps in JavaScript. There is also NodeWebKit which is pretty much the same thing for desktop GUI applications, which uses HTML/CSS for that side of things.

    Node has a few extra pieces of functionality over standard JavaScript for allowing for some normal desktop-y functionality. One of these things is the ability to run an HTTP or HTTPS server. However it's pretty bare-bones, relying on your code to do a lot of the work. You can set up an event handler to fire when someone requests a URL from your server, and you get your HTTP headers parsed for you, but it's up to your code to figure out what the URL is supposed to point to, resolve a local file path, set up the proper HTTP response headers, and then stream the file to the requester. That's just if you want a simple server; if you want to run custom code for specific URLs or URL patterns that's more work.

    Express is a bunch of JS code bundled in a library (node calls these "modules") that builds a framework on top of the HTTP/HTTPS server functionality to make things a lot easier if you want one in your code. You can tell it in one line if you want a simple web server that serves on-disk files from a specific directory, or you can define "routes" (mapping URLs to specific blocks of code) to have custom functionality for specific URLs or URL patterns. You can even chain routes together so if multiple routes all match the same URL all the code runs, if that makes sense (e.g. a logging function that triggers on any request). It does a lot more too I'm sure, that is just the stuff I have used it for.

  6. Re:Other side of the airtight hatchway on Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com) · · Score: 2

    MSDN is saying, by default, "Safe DLL" loading is used, in which the current directory is only used if loading the DLL from most other locations failed. So this would not be viable any more. It sounds like this problem was identified and fixed long ago. Any attempt to exploit this now would require gaining greater access first, and once you're there there's no point to using DLL hijacking any more.

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx

  7. Re:SetDllDirectory("") on Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com) · · Score: 1

    You have that backwards... the article you linked says it is enabled for all apps by default. Calling SetDllDirectory DISABLES Safe DLL Loading and causes the problem!

  8. Re:Why is this a flaw in the app, and not the OS? on Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com) · · Score: 5, Informative

    MSDN documents guidelines for preventing malicious DLL loading. Windows has already cut off "current directory" forms of attacks by changing the DLL load order (called "Safe DLL Search Mode" in that document), and with Vista locking down Program Files for admin-only access, "application directory" attacks are also out unless apps intentionally install themselves elsewhere (then they're on their own). As for installers, users have to get tricked into downloading the DLL first, and at least Chrome gives you a big warning that the file is suspicious due to its extension. And if you can get the user to do that, you might as well just give them an EXE and skip the warning. It's easier to put together a malicious EXE too.

  9. Re:Kickstarter on A Bot That Drives Robocallers Insane · · Score: 1

    Then everyone can use his voice as their voicemail. Sounds good to me!

  10. Re:Perhaps some terminal commands should be locked on Running "rm -rf /" Is Now Bricking Linux Systems (phoronix.com) · · Score: 1

    I'm pretty sure Ubuntu at least locks by default. There's a -no-root-preserve switch or something that you HAVE to specify to do an rm -rf /, otherwise the command fails.

  11. Inevitable on Oracle To Drop Java Browser Plugin In JDK 9 (softpedia.com) · · Score: 1

    This isn't surprising if you've been following Chrome. By some metrics it's the most used browser now, and they dropped support for NPAPI plugins (like Java) due to security concerns. Oracle's official reply to this has been "use Firefox" which in my opinion was incredibly short-sighted, unless they feel Java just won't work using PPAPI. Who on earth is going to use a plugin in their website that doesn't support one of the biggest browsers? That person would have to build a fallback for Chrome, and at that point they might as well just ditch Java and use the fallback for all browsers if it's good enough.

  12. Re:Seems like freedom of speech to me on German Court: "Sharing" Your Amazon Purchases Is Spamming (reuters.com) · · Score: 2

    The idea is you think someone else would be interested in the item and want to share it with them. Share buttons provide a quick way to do that.

  13. All modern OSs will initialize the memory because there is a clear security issue with allowing one application access to the old contents of a random block of memory. It could contain passwords or who knows what else.

    On the other hand, GPU memory is primarily used for rendering graphics. The security implications are less severe if information leaks. Has there ever been any guarantee information won't leak? So why do users assume that it won't? It is likely NOT cleared for speed reasons. Everyone wants a fast GPU cheap. Well, that's one way to get speed boost on allocation operations I'm sure.

    It really should be Chrome's responsibility to zero out their GPU memory when they're done with it, to prevent information leakage. That's what incognito mode does with regards to history, cache, and cookies, so why not GPU memory?

  14. Re:AMD Open Source Driver on Linux on Nvidia GPUs Can Leak Data From Google Chrome's Incognito Mode (softpedia.com) · · Score: 4, Insightful

    Yeah. Your GPU was not designed with security of the information stored in it in mind. It was designed to play video games and a few other things, and it's not a big deal if a few of your game textures leak, if it means the GPU can be slightly faster at managing its memory. The responsibility should be Chrome's to clear out its GPU memory in incognito mode after it's done using it.

  15. Re:Why is Diablo showing this? on Nvidia GPUs Can Leak Data From Google Chrome's Incognito Mode (softpedia.com) · · Score: 1

    It likely only shows for a single frame or two until Diablo renders its content to it.

  16. You are confusing civil and criminal court.

  17. Re:the password is needed to install free stuff / on Kid Racks Up $5,900 Bill Playing Jurassic World On Dad's iPad (pcmag.com) · · Score: 3, Insightful

    Steam requires you to reenter your credit card CVC if you've been making a lot of purchases recently. Apple could do something similar.

  18. Re:the reason why on Australian Government Tells Citizens To Turn Off Two-factor Authentication (arstechnica.com) · · Score: 3, Insightful

    Or just use the same standard Google and a lot of other people use which doesn't use text messages or even require a phone number or internet access at all.

  19. Re:Not a mistake on Did Google and the Hour of Code Get "Left" and "Right" Wrong? · · Score: 2

    It's also a good lesson in "sometimes the documentation sucks, and you'll have to experiment to see what the API actually does".

  20. Asimov has the right idea. on The Humans Crashing Into Driverless Cars are Exposing a Key Flaw (bloomberg.com) · · Score: 1

    1. A robot may not injure a human being or, through inaction, allow a human being to come to harm. (Ensure accidents do not occur even if the car has to violate laws to do it.)
    2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law. (Otherwise, obey all traffic laws.)
    3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law. (Back up the user's self-driving preferences to the cloud! OK maybe this one doesn't fit as well as the other two.)

  21. Re:I understand the consternation on Microsoft Will Resume Pushing Windows 10 To Machines With Win7, 8.1 (computerworld.com) · · Score: 0

    It SHOULD be ok. The problem is some ISPs make it expensive. Hopefully if nothing else this will put them under an uncomfortable magnifying lens.

  22. Sounds to me like the researcher sideloaded a package, which of course carries the risk of malware, MitM attack or not. I imagine Google Play Store has protections against MitM attacks, at least I hope it would.

  23. Re:"Reset to factory settings" button on Even the Dumbest Ransomware Is Almost Unremovable On Smart TVs (symantec.com) · · Score: 1

    They do. You boot to recovery mode (or I think the bootloader can do it too?) and then wipe the /data partition, that should restore everything to defaults. Nothing should be able to write to /system (the OS) while the OS is running. I don't know exactly how Android TV is supposed to expose recovery mode functionality though, or even if it does, but it seems to me like it's essential for support.

  24. Smells like FUD on Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016 (forrester.com) · · Score: 3, Interesting

    It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught. Ransoming encrypted computer files is one thing. Murder is something else.

  25. Software on Ask Slashdot: Xbox One Or PlayStation 4? · · Score: 1

    Time and time again, with each console generation, the answer is the same: what games do you (or in this case your kids) want to play? Buy the console that has them.