Any such encryption would have to be invisible to the camera in order to work, so the camera would still be able to view the pictures, and this is how anyone would check your pictures anyway.
If you want more info these videos are great.
Some more info about the other sketchy high score stuff this guy has been up to. Dragster is just the tip of the iceberg.
Ben Heck builds some TAS hardware to attempt to verify the 5.51 Dragster record, using feedback from Todd Rogers himself. The attempt ultimately fails, with Todd's help only getting a 5.6-5.7 while plugging data in from deniers of Rogers' record worked first try for a 5.57 (not counting a data entry mistake). Part 1 - Building the hardware. Part 2 - Trying to reproduce the record. Interestingly, nobody comments on camera about the failure.
Well, all games run on a fixed set of rules. Think of Monopoly etc. Video games are no exception. And the rules put in place by Dragster do not allow getting any faster than 5.57. One could argue maybe the analysis was incomplete or flawed but there's a whole lot more sketchy stuff about Rogers that makes it probable there's been no mistake (imo). I'll post some videos in a top level comment that go into detail about this stuff.
Not sure if you care, but the best possible score is 5.57 seconds. That's how he got found out.
The synchronization should be handled by the device's clock. Either your wife's phone does not work properly with such a basic feature (which is required for 2FA to work in the first place) or your bank has no idea how to properly handle 2FA security. If I were you I'd be worried about how they handle other types of security.
Two devices can stay in sync using the current date and time. If your bank couldn't figure out how to resync using that obvious mechanism I don't know what to tell you; every single authenticator app I've seen uses it.
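How time-based codes stay in sync from the clock alone, shown as an added example that is not part of the original comments: an RFC 6238 TOTP generator and a server-side check that tolerates one time step of clock drift. The secret is the RFC's published test key; the function names and the `window` parameter are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """The shared 'counter' is just the current time divided into 30 s steps."""
    return hotp(secret, int(unix_time) // STEP, digits)


def verify(secret: bytes, submitted: str, server_time: int,
           window: int = 1, digits: int = 6):
    """Return the step offset at which the code matched, or None.

    Accepting +/- `window` steps absorbs small clock drift between the
    phone and the server without any resynchronisation protocol.
    """
    counter = int(server_time) // STEP
    for drift in sorted(range(-window, window + 1), key=abs):
        if counter + drift < 0:
            continue
        expected = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return drift
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    server_now = 1_000_000_000         # constructed timestamp
    slow_phone = totp(secret, server_now - 40)    # phone clock 40 s behind
    stale_phone = totp(secret, server_now - 300)  # phone clock 5 min behind
    print("40 s behind  ->", verify(secret, slow_phone, server_now))
    print("5 min behind ->", verify(secret, stale_phone, server_now))
```
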
Better the devil you know.
I've read comments saying people have had their batteries replaced with new ones and the slowdown goes away. So which one is it? Both of these can't be true. It either happens based on battery age (which is fine, maybe even a desired feature, but it should have been disclosed and maybe had controls) or OS version (which is not fine and can easily be interpreted as predatory).
With "traditional" attacks such as buffer overflows. Newer languages abstract away having to do things like manually allocate string sizes to make buffer overflows less possible. That's why we continue to improve these languages and develop new ones and I expect this process to continue as newer attacks are developed against existing languages.
Users will always decide for convenience over security and complain about the lack of security when they get hacked.
Sure, but the standards say you don't, and the browsers abide by the standards. If you violate the standards, standards-compliant browsers are no longer guaranteed to function properly on your network, and it's your responsibility to keep things working, not theirs.
Utilizing someone's location when they request you to do so is a lot different than utilizing someone's location without telling them to their detriment, or your benefit.
Don't worry, I'm sure the next step will be to charge European countries for access to web servers on US soil.
This won't work because someone from Facebook would need to look at the images to determine if a request is legit, which, as the article says, is EXACTLY the thing the victim wants to avoid.
If nobody looks at the image, or, as some have suggested, the hash is computed client side (so nobody would be able to look at the image) it would be ripe for abuse. I could easily file takedowns for any pictures I want.
As a side note, someone also mentioned hashes won't work since they can be foiled by simple image manipulations. Doubtless this will be true in some cases, but it is certainly possible to make an image comparison that can take some of these things into account. Plus, the goal is likely to get the easy image postings automatically, while the remainder will be much smaller in number and easier for Facebook support staff to deal with manually as requested.
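The difference between an exact hash and a comparison that tolerates simple edits, shown as an added example that is not part of the original comments: a 64-bit difference hash (dHash) next to SHA-256. The three grayscale images are constructed gradients generated inline, and dHash is one common perceptual hash chosen for illustration, not the method any particular service uses.

```python
import hashlib

W, H = 36, 32  # constructed image size: a 9x8 grid of 4x4-pixel cells


def dhash(pixels):
    """64-bit difference hash of a grayscale image (rows of 0-255 ints)."""
    ch, cw = len(pixels) // 8, len(pixels[0]) // 9
    # Shrink to 9x8 cells. Cell sums order the same way as cell averages,
    # and avoid float rounding.
    cells = [[sum(pixels[y][x]
                  for y in range(r * ch, (r + 1) * ch)
                  for x in range(c * cw, (c + 1) * cw))
              for c in range(9)]
             for r in range(8)]
    bits = 0
    for row in cells:
        # One bit per horizontally adjacent pair: is the right cell brighter?
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left < right)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def exact_digest(pixels):
    """Cryptographic hash of the raw pixel bytes."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


# Constructed sample images (not real data).
original = [[5 * x + y for x in range(W)] for y in range(H)]
brightened = [[min(255, v + 10) for v in row] for row in original]
unrelated = [[200 - 5 * x + y for x in range(W)] for y in range(H)]

if __name__ == "__main__":
    print("sha256 equal after brightening:",
          exact_digest(original) == exact_digest(brightened))
    print("dHash distance, original vs brightened:",
          hamming(dhash(original), dhash(brightened)))
    print("dHash distance, original vs unrelated:",
          hamming(dhash(original), dhash(unrelated)))
```
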
AFAIK square root is usually estimated. So if you try a square root calculation that you expect an exact answer from you will be disappointed. It's not the calculator app.
The problem is this could cause legitimate sites to slow down.
Maybe he typed it with a USB-C keyboard.
Newer versions of Android do not turn off Wi-Fi when you switch it off, the switch is just used to disconnect you. There is a setting that will re-enable WiFi when you come within range of a trusted hotspot (e.g. your home network). I've found it useful as occasionally I'll turn off WiFi when the free offering at a place is not working properly, and then forget to turn it back on when I leave.
If you REALLY want it all off, you can enable airplane mode and then piecemeal enable things you want (though cell service remains disabled). At least, I think it works this way. Not 100% sure.
I might side with MS on this one, though the response doesn't make them look good. The hardest part of this will be getting the user to try and launch the program in the first place. It may be a lot easier just to tailor the malware to evade detection when scanned.
First of all, you can't just make a link the user can click. Chrome and Firefox both block links from the internet that point to the local PC or SMB shares (not sure what IE/Edge do). Even if you get the user to enter the url manually, Chrome and Firefox won't run files but will download them (and tell the virus scanner to scan it), which is a different process from running it directly off the SMB. Chrome even will warn the user if they try to download dangerous file types (such as EXE) from a SMB share.
IE and Edge both open File Explorer to a share if you get the user to type an address in the address bar. But to their credit, if the address is to a file rather than a folder they seem to ignore the entry.
You could potentially find some desktop application that linkifies UNC paths sent to it and get users to click on your malicious path, but I can't imagine any would do so, I can't see how it would be useful. The only one I know of is Lync/Skype for Business, which is of course local network chat, not internet chat.
Windows will alert you if you try to open a dangerous file type off of a SMB share. So the user would have to bypass this dialog.
And of course you're assuming they're running Windows Defender. I would think Windows still would fail to pass the proper binary to any other virus scanner that might have its hooks into Windows, but other scanners could potentially do things like scan the process when it starts to catch the malware.
If you can convince the user to do all this you can probably exploit them some other way just as easily, I'd think.
.NET Core, which is pretty much .NET remade to be cross-platform, is also for Mac OS/Linux too now. And I won't be surprised if platform support increases in the future though I don't think they've announced any plans for that yet.
I forgot to mention... I think the key combo stretches all the way back to MS-DOS, where CTRL+ALT+DEL would instantly reboot. I assume 16-bit Windows trapped this combination first of all so DOS wouldn't intercept it and reboot right away, and also so they could anticipate the user was having problems and offer to run Task Manager. But the key combo was first declared in DOS as a key press that could be used to soft reset the machine, but would not be pressed accidentally. CTRL+ALT+DEL makes perfect sense for that scenario. Then it just evolved organically.
The reason they used that combo in the first place was for compatibility with legacy applications. In legacy Windows, CTRL+ALT+DEL was handled at a low level and could bring up task manager or restart the machine. Applications could not detect the keypress.
When they went to implement multi-user and logins, they realized they needed to ensure applications could not spoof the login screen to trick users into entering their credentials. A malicious application could potentially save and reuse these credentials especially if they were of a DIFFERENT user or an admin user.
What to do? Well, if they had the user press a key combination that applications couldn't detect to log in, or even a key combination that would result in a different action if they were already logged in, a fake application would not be able to detect this keypress and spoof the actual login screen. Guess what, an existing key combination fit these criteria. They could have invented a new combination, of course, but chances are a legacy application might use this combination as a hotkey, and reserving it for login user would break that application.
It is trivial to view the source code of these extensions and analyze exactly what they are doing. The analyser even attached the relevant source code. If you don't believe him you can look it up yourself.
.localhost not .local. IIRC .local is reserved for local network usage so you are using it properly.
Yeah, like I said on the last website that posted this story, this is a non-issue. If the attacker has local admin access, they've already pwned the system, it's game over. What they do after that point is trivial and not interesting.