|
secfuck from 1980 I got a modem for my Atari 8-bit. in the Atari computers, the sound chip doubles as a 115200bps UART. this leads to the annoying effect of any serial i/o coming through the speakers. you get used to the speaker beeping every time a sector gets loaded from disk or whatever. good programs are supposed to mute the audio registers or at least turn them down. (the OS disk routines do not, ostensibly for debugging) the modem only supports 300bps transfer so I called up a BBS. the phone signal came through the computer, which is pretty neat for such an old device. but then after I connected and it turned off the speaker sound, I turned the volume up on my monitor. turns out you can hear every transferred byte from the modem coming through the TV speaker as clicks of various frequencies as the audio registers are hammered with serial data 
|
#
?
Oct 28, 2017 22:38
|
|
|
|
| # ? May 15, 2024 19:12 |
|
|
Oh no, better write a paper on side channel attacks
|
|
#
?
Oct 28, 2017 22:39
|
|
|
that’s a feature - acoustic coupler support!
|
|
#
?
Oct 28, 2017 22:40
|
|
|
ate all the Oreos posted:
how are you enjoying it? I mean not like details but like thumbs uuuhhh err how many stars... uh rating between one and ten?
|
|
#
?
Oct 29, 2017 03:08
|
|
|
Munkeymon posted:how are you enjoying it? I mean not like details but like thumbs uuuhhh err how many stars... uh rating between one and ten? eh it's like an 8 out of 10, pretty good but i have some quibbles with some of its design choices and the $100 I paid for it is a bit much for what it boils down to my favorite part is it has a little elongated bit that it says to point towards your back because it's where the antenna is and it gets better signal that way 
|
|
#
?
Oct 29, 2017 06:17
|
|
|
i've noticed crapware asking for it afaict you cant turn it off, and it will keep pushing updates even when the app is closed so i figure google are happy with apps abusing it as long as they have an excuse to log the data, "the user installed our music app, so clearly they want their activity uploaded to our servers 24/7 in order to select a fitting playlist"
|
|
#
?
Oct 29, 2017 19:23
|
|
|
 i hate this so loving much
|
|
#
?
Oct 29, 2017 19:34
|
|
|
bump_fn posted:
They shouldn't be able to verify only specific characters of your password, unless their encryption is crap or non-existant.
|
|
#
?
Oct 29, 2017 19:37
|
|
|
Carbon dioxide posted:They shouldn't be able to verify only specific characters of your password, unless their encryption is crap or non-existant. lmao this rules, its obnoxious AND bad sec
|
|
#
?
Oct 29, 2017 19:41
|
|
|
You could hash individual letters I guess Or combinations
|
|
#
?
Oct 29, 2017 19:41
|
|
|
Carbon dioxide posted:They shouldn't be able to verify only specific characters of your password, unless their encryption is crap or non-existant. gee, i wonder what's going on here
|
|
#
?
Oct 29, 2017 19:42
|
|
|
Carbon dioxide posted:They shouldn't be able to verify only specific characters of your password, unless their encryption is crap or non-existant. they salt and hash each individual character and the thing as a whole
|
|
#
?
Oct 29, 2017 19:47
|
|
|
I don't get.. Like, is that their normal login process or what? 
|
|
#
?
Oct 29, 2017 20:02
|
|
|
do any websites ship their users one-time pads yet
|
|
#
?
Oct 29, 2017 20:06
|
|
|
duTrieux. posted:do any websites ship their users one-time pads yet One time shipment yes, reusable.
|
|
#
?
Oct 29, 2017 20:07
|
|
|
duTrieux. posted:do any websites ship their users one-time pads yet My bank used to ship TAN codes on paper before they switched to distributing them by SMS.
|
|
#
?
Oct 29, 2017 20:13
|
|
|
duTrieux. posted:do any websites ship their users one-time pads yet I asked for another time pad but they told me no, you only get one.
|
|
#
?
Oct 29, 2017 20:14
|
|
|
rafikki posted:I don't get.. Like, is that their normal login process or what? yes, any time i want to log into my bank i get that
|
|
#
?
Oct 29, 2017 20:15
|
|
|
bump_fn posted:yes, any time i want to log into my bank i get that is it always the same characters, or do they ask for different ones each time
|
|
#
?
Oct 29, 2017 20:17
|
|
|
Main Paineframe posted:is it always the same characters, or do they ask for different ones each time diff characters but always like three or four
|
|
#
?
Oct 29, 2017 20:20
|
|
|
bump_fn posted:
Hah! We share banks. I also hate this garbage, trying to work out if that character of my password is I, i, l or ¦ is tedious at best. The phone app only asks for 3 characters of the number and foregoes the password altogether.
|
|
#
?
Oct 29, 2017 20:26
|
|
|
somebody at that bank must have a vendetta against password managers
|
|
#
?
Oct 29, 2017 20:37
|
|
|
suffix posted:i've noticed crapware asking for it  bump_fn posted:
What a clever way to reduce the entropy of a password to almost nothing.
|
|
#
?
Oct 29, 2017 20:40
|
|
|
jammyozzy posted:Hah! We share banks. I also hate this garbage, trying to work out if that character of my password is I, i, l or ¦ is tedious at best. yo name and shame
|
|
#
?
Oct 29, 2017 20:56
|
|
|
Banking world does that in the back end so that employees don't get the full password in one shot to make it harder to get back inside an account later to defraud customers ... the human risk is believed greater than the backend one, probably correctly so. One of my banks also sends an SMS otp (well, they're trying!) that you have to give the reps in person/on phone before they can get into the account. When the SMS gateway is slow, that's a good time. I should email and ask about generic TOTP support. Re: presenting that interface to end user, though... I guess it makes it a bit harder for dridex-style malware to steal credentials in one shot, but still ew.
|
|
#
?
Oct 29, 2017 21:01
|
|
|
NEED MORE MILK posted:yo name and shame It's Santander. I know Halifax also do some similar poo poo with asking for 3 letters from a password (or at least did previously).
|
|
#
?
Oct 29, 2017 22:11
|
|
|
jammyozzy posted:It's Santander. I know Halifax also do some similar poo poo with asking for 3 letters from a password (or at least did previously).
|
|
#
?
Oct 29, 2017 22:18
|
|
|
jammyozzy posted:It's Santander. I know Halifax also do some similar poo poo with asking for 3 letters from a password (or at least did previously). Lloyds as well.
|
|
#
?
Oct 29, 2017 23:33
|
|
|
Wiggly Wayne DDS posted:halifax has a separate secret phrase for that, it's not based off of the account password Halifax: Slightly less of a secfuck than Santander
|
|
#
?
Oct 29, 2017 23:36
|
|
|
halifax is part of lloyds banking group, they all use the same website with different branding (as do bank of scotland)
|
|
#
?
Oct 29, 2017 23:37
|
|
|
James Baud posted:Banking world does that in the back end so that employees don't get the full password in one shot to make it harder to get back inside an account later to defraud customers ... the human risk is believed greater than the backend one, probably correctly so. One of my banks also sends an SMS otp (well, they're trying!) that you have to give the reps in person/on phone before they can get into the account. When the SMS gateway is slow, that's a good time. I should email and ask about generic TOTP support. well, I like absolutely nothing about that sentence
|
|
#
?
Oct 29, 2017 23:47
|
|
|
they probably also think they might be held liable for an employee stealing poo poo but not a hacker
|
|
#
?
Oct 30, 2017 00:33
|
|
|
natwest does the same thing for online banking; seems to be a UK thing? super hate it.
|
|
#
?
Oct 30, 2017 05:41
|
|
|
what the gently caress is wrong with your idiot island
|
|
#
?
Oct 30, 2017 06:11
|
|
|
ThePeavstenator posted:Isn't Peel Smart Remote super hosed for Samsung devices? I've heard that is does something like circumvent android API permissions and runs as root so it can draw ads on your screen at any time? i'm not sure if it circumvents API permissions but it does show notifications all the time, even for stuff that is not useful just for the purpose of showing a notification, for example when you lock your phone it will show a notification that the phone is locked, it's also not possible to turn off the notifications without disabling the entire app, here's an example of how it can look: http://www.androidpolice.com/2017/03/29/peel-remote-app-upsets-users-ton-ads-lock-screen-overlays/
|
|
#
?
Oct 30, 2017 09:08
|
|
|
Crust First posted:natwest does the same thing for online banking; seems to be a UK thing? super hate it. I get the same thing for the "verified by visa" security check password in the UK. Surely that's an international system though?
|
|
#
?
Oct 30, 2017 09:25
|
|
|
secfuck: my buddies twitter account got popped, now he's a sexy spambot https://twitter.com/acrocker13  e: ok he's reclaimed control and cleaned it up Pile Of Garbage fucked around with this message at 11:26 on Oct 30, 2017 |
|
#
?
Oct 30, 2017 09:30
|
|
|
edit: quote is not edit i am bad at forums.
Qtotonibudinibudet fucked around with this message at 10:01 on Oct 30, 2017 |
|
#
?
Oct 30, 2017 09:57
|
|
|
anatoliy pltkrvkay posted:may his last post-spambot tweet live on in eternity. a rt of this: in not quite secfuck content news, a client of ours reported that their PCI auditor determined that they were not compliant due to lack of HPKP, and asked us how they could add it gently caress PCI auditors.
|
|
#
?
Oct 30, 2017 10:00
|
|
|
|
| # ? May 15, 2024 19:12 |
|
|
Chalks posted:I get the same thing for the "verified by visa" security check password in the UK. Surely that's an international system though?
|
|
#
?
Oct 30, 2017 12:20
|
|