WTF Bites


  • Considered Harmful



  • @pie_flavor I felt a great disturbance in the wifi, as if dozens of students suddenly cried out in terror as their half-finished tests were automatically submitted.


  • Considered Harmful

    @pie_flavor New year, new bullshit educational software.
    Pictured: How to not do (CSS ∪ JS)


  • Considered Harmful

    pinouts.png

    I hope the pinouts.ru guys are better at counting pins than they are at counting reports.


  • Notification Spam Recipient

    @LaoC said in WTF Bites:

    pinouts.png

    I hope the pinouts.ru guys are better at counting pins than they are at counting reports.

    Apparently "ERROR FIXED" reports aren't accounted in the positive/negative counts in any way.

    aae663f8-9590-4149-bf05-687bfaff0d47-image.png


  • Discourse touched me in a no-no place

    @Tsaukpaetra said in WTF Bites:

    Someone loves their auto-censorship plugin.

    65b03a2b-7472-408f-9b62-19d989088fc7-image.png

    Your software runs on B*****m? I'm impressed!


  • Notification Spam Recipient

    @dkf said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Someone loves their auto-censorship plugin.

    65b03a2b-7472-408f-9b62-19d989088fc7-image.png

    Your software runs on B*****m? I'm impressed!

    Not mine. I sent a message containing that text, and that is what that user received.



  • "If you want to ruin someone's day: use CSS", with a bonus of "hi, I might be the one responsible for this".

    ceaf4b85-f910-46d6-aed8-a1b1163eb663-image.png

    https://twitter.com/yourcompanionAI/status/1091081892957437958


  • BINNED

    @DCoder said in WTF Bites:

    between 500.007797241211 and 549.9999694824218181565811391

    With that many significant figures, someone really needs a new hobby.



  • @brie said in WTF Bites:

    @pie_flavor I felt a great disturbance in the wifi, as if dozens of students suddenly cried out in terror as their half-finished tests were automatically submitted.


  • BINNED

    @pie_flavor said in WTF Bites:

    https://i.imgur.com/EwkGeuR.png
    Oh, fuck you.

    That seems pretty hard to get wrong; I don’t think I could do that.


  • Considered Harmful



  • @topspin said in WTF Bites:

    @pie_flavor said in WTF Bites:

    https://i.imgur.com/EwkGeuR.png
    Oh, fuck you.

    That seems pretty hard to get wrong; I don’t think I could do that.

    I think just about the only way to have it break like that is to have a heartbeat checking if the test is still open in the browser, and when said heartbeat goes away, automatic submission. I wouldn't be terribly surprised if it's something even stupider though.
    Probably a stupid workaround for some other stupid bugs that cause a lot of unsubmitted tests to linger in the system, causing problems.


  • Discourse touched me in a no-no place

    @Carnage said in WTF Bites:

    I think just about the only way to have it break like that is to have a heartbeat checking if the test is still open in the browser, and when said heartbeat goes away, automatic submission.

    Heartbeat over websockets. Which can never ever ever go wrong, nosiree…


  • Banned

    I've had an online test at college a few weeks ago. And I've lost connection halfway through. Thankfully, it let me reconnect just fine, and saved all my previous answers, and even added one minute to my time limit. The first time ever that I've been impressed with college software.


  • Considered Harmful

    @Gąska The really fun part is that any connection drops will be 100% the school's fault, because I'm in campus housing. I sincerely hope one happens so I can get admin breathing down someone's neck, whether it be the teacher's or the networking team's.



  • WTF of my day: Seriously, some pupils should drop out of school immediately and go work on something completely inconsequential, like counting the number of leaves on a tree, in order not to do harm anywhere.

    So, my pupils get access to Office365 while they're at school. Nevermind that I provided them with the login information at the beginning of the school year (September 2018), some of them only now have gotten around to setting it up.

    One in particular complained to me that I had given her bogus information. Yeah, right. But I reset her password to a one-time one (thus requiring her to choose her own as a second step) and sent her the login information again.

    She then complained that she still wasn't able to log in - she swore up and down that she retyped the password five times and it wouldn't accept it! She even sent me a screenshot of the error message:

    Your chosen password is too simple and too common. Please choose a more difficult and unique password.

    :headdesk:


  • Banned

    @pie_flavor said in WTF Bites:

    @Gąska The really fun part is that any connection drops will be 100% the school's fault, because I'm in campus housing. I sincerely hope one happens so I can get admin breathing down someone's neck, whether it be the teacher's or the networking team's.

    You have so much faith in anyone being able to do anything about school's idiocy.


  • Banned

    @Rhywden said in WTF Bites:

    WTF of my day: Seriously, some pupils should drop out of school immediately and go work on something completely inconsequential, like counting the number of leaves on a tree, in order not to do harm anywhere.

    So, my pupils get access to Office365 while they're at school. Nevermind that I provided them with the login information at the beginning of the school year (September 2018), some of them only now have gotten around to setting it up.

    One in particular complained to me that I had given her bogus information. Yeah, right. But I reset her password to a one-time one (thus requiring her to choose her own as a second step) and sent her the login information again.

    She then complained that she still wasn't able to log in - she swore up and down that she retyped the password five times and it wouldn't accept it! She even sent me a screenshot of the error message:

    Your chosen password is too simple and too common. Please choose a more difficult and unique password.

    :headdesk:

    Well, better than taking a "please try again later" message at face value. At least she's got the problem solved eventually.


  • Considered Harmful

    @Gąska no, this is just beginning. Being forced to choose a password other than "password" is going to be an ongoing problem. I look forward to reports.


  • Considered Harmful

    So I got recruiters trying to get me back into 84.51, anybody want to work there? It's really toxic and their architect froze their brain at Java 5 and is also the product owner... they may still be trying to run Scrum anyway... anybody?



  • @Gribnit Well, I could tell her to try "hunter123"?


  • Notification Spam Recipient

    @Carnage said in WTF Bites:

    something even stupider though.

    A websocket to do the ping. Why waste server resources when you can keep a connection alive indefinitely?

    Edit: wow, :hanzo: in literally the next post. I suppose I need to wake up a little more...


  • ♿ (Parody)

    @Gribnit said in WTF Bites:

    So I got recruiters trying to get me back into 84.51, anybody want to work there? It's really toxic and their architect froze their brain at Java 5 and is also the product owner... they may still be trying to run Scrum anyway... anybody?

    You should go into sales.

    TRWTF is that company name.


  • Considered Harmful

    It's American beryllium, not some damn foreign metal.


  • BINNED

    C:\> javaw
    The system cannot find the file C:\ProgramData\Oracle\java\javapath\javaw.exe.
    

    Again?
    Fucking damn it, Oracle, are you going to break this for every minor version, er, patch version number? 😡 😡 😡


  • Discourse touched me in a no-no place

    @topspin The IHOC is :arrows:

    Also, use OpenJDK if you can.


  • BINNED

    @dkf said in WTF Bites:

    @topspin The IHOC is :arrows:

    Also, use OpenJDK if you can.

    International House of Cookies?
    (I know what you mean)

    In the programming sense, I don't even use anything Java myself. I just want to start a Jenkins server on an (IT administered) machine and apparently things break every damn time the clowns at Oracle release an update.
    There might or might not be some partial blame on IT, I don't know or care, I'll blame Oracle anyway.


  • Discourse touched me in a no-no place

    @topspin said in WTF Bites:

    International House of Cookies?


  • Banned

    @topspin said in WTF Bites:

    C:\> javaw
    The system cannot find the file C:\ProgramData\Oracle\java\javapath\javaw.exe.
    

    Again?
    Fucking damn it, Oracle, are you going to break this for every minor version, er, patch version number? 😡 😡 😡

    Why TF is it looking for binaries in ProgramData of all places!?!?!??!?!?!


  • Discourse touched me in a no-no place

    @Gąska said in WTF Bites:

    Why TF is it looking for binaries in ProgramData of all places!?!?!??!?!?!

    Oracle


  • I survived the hour long Uno hand

    So, Windows Defender has been a pretty good product, I'm at the point of using it exclusively on my personal PCs and recommending it over 3rd party AV when I have the chance at work.

    But it's still Microsoft, so you get the occasional gem. Such as: Windows Defender on Server 2016 doesn't disable itself in the presence of other anti-virus, forcing you to remove it via Add/Remove Features instead. :headdesk:

    Also, it's supposed to auto-detect exclusions based on server role. Except the auto-detection doesn't work well with Exchange or SQL (unless you're a fan of putting all your data on the C: drive, which is of course an even bigger :wtf:), so if you don't set up manual exclusions, Windows Defender will go nuts with real-time scanning when there's a large burst of Exchange database traffic, like, say, from a server failover event.

    sigh


  • BINNED

    @Gąska said in WTF Bites:

    @topspin said in WTF Bites:

    C:\> javaw
    The system cannot find the file C:\ProgramData\Oracle\java\javapath\javaw.exe.
    

    Again?
    Fucking damn it, Oracle, are you going to break this for every minor version, er, patch version number? 😡 😡 😡

    Why TF is it looking for binaries in ProgramData of all places!?!?!??!?!?!

    WhoTF knows. :mlp_shrug:
    That directory contains 3 symlinks to java.exe, javaw.exe, and javaws.exe. I assume it is their half-assed solution to breaking everything when they change the path of the actual binaries every 6 nano-seconds, so instead they came up with this and put it in PATH instead. Now, of course, they fucked that up by not actually updating the symlinks.


  • Notification Spam Recipient

    Status: Wget apparently can't match wildcards to the parent domain.

    acc98ad3-2410-4325-a76c-20d564f1d342-image.png

    Won't be an issue in practice, but just an oddity I saw.


  • Banned

    @Tsaukpaetra it's not a bug, it's a feature.

    Edit: although, I think it should've redirected to www.google.com, and that it didn't is a bug.



  • @Tsaukpaetra said in WTF Bites:

    Wget apparently can't match wildcards to the parent domain

    It's true that google.com doesn't match *.google.com :pendant:


  • Notification Spam Recipient

    @TimeBandit said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Wget apparently can't match wildcards to the parent domain

    It's true that google.com doesn't match *.google.com :pendant:

    Yes yes, but it makes me wonder how Chrome and IE (no other browsers I want to feel out with this) get away with this apparent lack of pedantry.


  • Grade A Premium Asshole

    Not one I fielded but one of my guys told me that today a client had a scanner that was acting up. Diagnosis: User was putting pages in upside down and scanning the back of the page.



  • @Polygeekery said in WTF Bites:

    Not one I fielded but one of my guys told me that today a client had a scanner that was acting up. Diagnosis: User was putting pages in upside down and scanning the back of the page.

    That was the same person who couldn't understand why you couldn't just rotate the person in a picture because they were standing with their back to the camera, right? (https://clientsfromhell.net/)


  • Grade A Premium Asshole

    @dcon best part is when he suggested that and the user tried it they were so embarrassed that they basically hung up.


  • Considered Harmful

    @Polygeekery
    At least they were embarrassed enough not to stammer something like the following:

    • Well, the arrow on the sticker on the lid says to put it like this. It's certainly not me who's got it wrong.
    • My scanner at home (bonus points for: "same model", which it isn't) works like this.
    • You just love embarrassing people instead of carefully explaining things. You useless know-it-alls!
    • But what if I want to scan both sides? :wtf:


  • @Applied-Mediocrity said in WTF Bites:

    But what if I want to scan both sides?

    Mine does!


  • Banned

    @Tsaukpaetra said in WTF Bites:

    @TimeBandit said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Wget apparently can't match wildcards to the parent domain

    It's true that google.com doesn't match *.google.com :pendant:

    Yes yes, but it makes me wonder how Chrome and IE (no other browsers I want to feel out with this) get away with this apparent lack of pedantry.

    By redirecting correctly.



  • Minor WTF of my day: So, our internet connection went down today. Called our IT support and they told us that the firewall (pfSense) had gone down and they simply rebooted the server it resided on.

    Half an hour later, connections to the outside were down again. This time my superior told me to simply come with him; he'd show me how to do that thing and he'd also get me access rights to the server room (which is limited to a few select personnel and, due to the sensitivity of the data on some of the servers and the network connected to it, also has an independent alarm system).

    This led to two :wtf:
    :wtf: a) Upon arriving at the door, he first wanted to show me what an unsuccessful disarming of the alarm system looked like - because if you don't do that as a first step, trying to actually unlock the door itself will result in an alarm. Thus he told me: "Okay, try your key fob here - it should show a red light at this device!"

    Said light went green.

    Well, some time back I was turned into a guy of many hats - a bit of IT support, some light & music (i.e. GrandMA2 and a huge Allen&Heath iLive-T112) and generally running around. Which meant that I had to go into the odd room here and there on a regular basis. And as all our rooms are locked electronically on an individual basis, this resulted in four outcomes:

    1. I had access to the room
    2. I had to ask someone for access because my keyfob wasn't coded for it
    3. I had to run around trying to find someone with access to the room
    4. After result no. 3 I usually told our district's Master of Codes that I needed access to that room.

    Number 4 was a regular occurrence and I can only guess that this guy got tired of my requests (always backed by my principal!) after a while, said "Fuck that noise!" and simply unlocked everything for my key. Including the server room, which he kind of should not have. Oh well. At least I'm now able to reset the servers again in a timely manner should they suffer from a hiccup again.

    :wtf: b) The firewall server did not crash so much as it simply powered down. Without leaving a trace in the logs, mind. We strongly suspect a hardware failure of some kind and a spare server has taken over its duties for the time being.


  • I survived the hour long Uno hand

    @Tsaukpaetra
    Most wildcard certificates I've purchased include a SAN for the root domain, and Google's certificate (as in use on their website, at least) is configured that way as well. So TR :wtf: is almost certainly one of:

    • wget is only checking against the Common Name (CN) of the certificate and not the SANs.
    • wget chokes after some small(ish) number of SANs, and fails to validate Google's omni-wildcard that includes 46 wildcard domains and their base domain names as SANs.
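The matching rules the posts above are arguing about, as an added example (this is not wget's code, and the certificate below is a constructed stand-in for Google's, in the dictionary shape Python's `ssl` module returns from `getpeercert()`). It implements the RFC 6125 wildcard rule, so `*.google.com` matches exactly one extra label and never the bare `google.com`; the bare name only matches because it is listed as its own SAN. The `use_sans=False` switch reproduces what a client that only looks at the Common Name would conclude, which is izzion's first hypothesis.

```python
"""Hostname vs. certificate-name matching (CN and SANs), RFC 6125 style.
Added example, not wget's code. The certificate is constructed."""
from __future__ import annotations

# Constructed stand-in for a wildcard certificate that also carries the
# root domain as a SAN, the layout izzion describes for Google's cert.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (
        ("DNS", "*.google.com"),
        ("DNS", "*.android.com"),
        ("DNS", "google.com"),
    ),
}


def match_identifier(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a hostname.

    A wildcard is accepted only as the entire left-most label, it must be
    followed by at least two more labels (so '*.com' is rejected), and it
    matches exactly one label: '*.example.com' matches 'www.example.com'
    but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('f*o.example.com'), multiple wildcards
    # ('*.*.com') and wildcards too close to the public suffix ('*.com').
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def presented_names(cert: dict, use_sans: bool = True) -> list[str]:
    """Names a client should compare against: DNS SANs if any, else the CN.

    RFC 6125 says the CN is only a fallback when no DNS SANs are present.
    use_sans=False models a client that ignores the SAN extension entirely.
    """
    names: list[str] = []
    if use_sans:
        names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str, use_sans: bool = True) -> bool:
    """True if any presented identifier in cert matches hostname."""
    return any(match_identifier(n, hostname) for n in presented_names(cert, use_sans))


if __name__ == "__main__":
    for host in ("www.google.com", "google.com", "a.b.google.com"):
        print(host, "SAN-aware:", hostname_matches(CONSTRUCTED_CERT, host),
              "CN-only:", hostname_matches(CONSTRUCTED_CERT, host, use_sans=False))
```

Run stand-alone it prints one line per hostname; `google.com` passes only through the SAN list, which is the behaviour the thread expects from a browser and the check a CN-only client gets wrong.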

  • Notification Spam Recipient

    @Gąska said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    @TimeBandit said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Wget apparently can't match wildcards to the parent domain

    It's true that google.com doesn't match *.google.com :pendant:

    Yes yes, but it makes me wonder how Chrome and IE (no other browsers I want to feel out with this) get away with this apparent lack of pedantry.

    By redirecting correctly.

    Can't get the order to redirect if the initial SSL handshake never completes. :mlp_shrug:


  • Notification Spam Recipient

    @izzion said in WTF Bites:

    wget chokes

    This is more likely.

    For example, apparently there's support for the Content-Disposition header (kind of), but that's broken and unreliable and holy shit why can't you just run the provided filename parameter through the existing safe-name function?!?!?



  • Qin Qisheng realized that cash withdrawals made close to midnight were not recorded by the bank's systems in 2016,

    :facepalm:



  • https://www.secjuice.com/security-researcher-assaulted-ice-atrient/

    The kiosks provide loyal casino customers with a user interface they can use to register their purchases and spending at the casino, receiving loyalty bonuses in return. Bonuses can include theatre and show tickets, comped hotel rooms, entries into cash prize draws and anything the casino wants to use as part of their reward program, including offering cash back on purchases in some casino locations.

    Casinos that use these kiosks include Hard Rock and Caesars; the researchers told me that these kiosks are deployed in casinos all across the country.

    These kiosks and the back end server communicate the personal details of their users and send data like drivers license scans (used for enrollment), user home addresses and contact details, as well as details about user activity, unencrypted over publicly accessible internet.

    The researchers told me that every single kiosk was calling home to the server in plain text and all data sent from the kiosks to the server was clearly visible on the network. Because there is no SSL protection and because the API is wide open and vulnerable to abuse, it is possible to identify kiosks by their MAC address and use the unsecured API to change details, track users and add credit to user accounts and even spin up a kiosk on a virtual machine in order to have your own personal kiosk at home.

    Atrient were not segregating these kiosks into vlans, their FTP access was wide open and unencrypted, and all of this was discovered using the Shodan search engine, all of it was publicly visible to anyone on the internet who knew where to look.

    … the vulnerability was just the tip of the iceberg when it came to sloppy security practices at Atrient. They saw casino WiFi network passwords stored in plaintext, user personal data stored in plaintext and no attempt to secure anything.

    They even found Atrient's third party contractors (based in India) posting Atrient's source code on Github and asking stack overflow questions about it, an indicator which made it obvious to the researchers that security was not being taken seriously.

    Now that the FBI was involved it seemed as if Atrient was finally taking the vulnerability disclosure seriously which gave us hope that the vulnerability would be taken seriously and quickly remediated.

    I am pleased to report that both the FBI did the right thing, their sole interest was resolving what they considered to be a serious vulnerability and at no time did the FBI lay any blame at the feet of the researchers or accuse them of anything.

    Atrient's COO Jessie Gill asked what steps they could take to secure these services and the researchers advised them of the urgent actions they needed to take to secure their infrastructure. During the call the FBI asked Atrient if they had properly notified their customers of this breach and vulnerability in their systems; their COO Jessie quickly replied "let's talk about this offline", immediately closing down the question.

    When one of the security researchers, Dylan Wheeler, approached COO Jessie Gill and introduced himself as the researcher who Jessie had been dealing with, Jessie suddenly lunged at the researcher and violently grabbed him by his clothes on his chest before then tearing his attendee badge away from him, telling the researcher that he didn't need it anymore and that he would keep hold of it.


    I received a strange email from Jessie Gill in response to publishing this story, I have pasted it below so you can see it.

    The threatening email is amazing. Check the full article.


    Edit: added some more quotes at the beginning to highlight what kiosks/vulnerabilities this is about.



  • Just saw a footer on a corporate-related website that declares "We are not responsible for content on other websites." I can't imagine what happened that made them put that there.

