WTF Bites



  • @topspin said in WTF Bites:

    Hilarious. Security by Ewwe-I’m-not-touching-that-.

    Printers are so fucked even the juicy target of 'fax everything printed to a third party' isn't good enough.

    If you wanted to be clever about it you could do incredible things. Every time paychecks get printed print another one to you. Lower every paycheck 1$ and print yourself a check for the remainder. Fax their registrar DNS change paperwork. Print resignation letters complaining about high level wrongdoing as the first page(so it ends up underneath) of every fiftieth print job. Print indepartmental memos about secret meetings. Change printed contract text. Modify NDAs in flight. Fax fat invoices(with all the right signatures) to random litigious people.

    Silently, for years, switch two numbers on every printout. Every paycheck cycle pick one person who always gets someone else's paycheck until they quit. Continuously fudge down 10% all checks to that person. Repeat until they quit. Repeat with increasingly critical personnel.


  • BINNED

    @AyGeePlus slow down there, Satan BOFH. 🍹



  • @djls45 said in WTF Bites:

    programmer ... little consistency

    I think I see the problem.



  • @AyGeePlus said in WTF Bites:

    Silently, for years, switch two numbers on every printout.

    Already a feature.



  • @loopback0 said in WTF Bites:

    If you have an SSL certificate with IP addresses in the SAN field, and you connect to that server using the IP address, IE goes NOPE and shows the "There is a problem with this website's security certificate" error.

    Excuse me being practical, but have you heard of .nip.io (or one of its alternatives)? These exist exactly to work around applications that have issues with IP addresses in SSL certificates—plus allow you to have virtual hosts without official DNS names.





  • Posting here since it's on topic…

    @mott555 said in WTF Bites:

    Are we really arguing over Latin grammar? That's a new level of thread derailment I've never seen before.

    Robin Harwood:

    According to my dictionary*, “prius” is an adverb (meaning “previously, before”), and so it does not have a plural.

    “Prius” as the name of the car is a noun, and so, regardless of whether it is taken from the adverb or not, it will have a plural. But how can we decide whether it is a second declension noun, and thus take the nominative plural “prii” (as Rat suggests), or a fourth declension noun, and thus take the nominative plural “priūs”?

    Can anyone help?

    (*D. A. Kidd, 1959, Collins Latin Gem Dictionary, Collins, London and Glasgow.)


    dadoctah¹:

    I researched this a few years ago, and decided that the plural of Prius should follow the pattern of “corpus” and “tempus”. Thus: one Prius, two or more Priora.

    Some years earlier, Click and Clack decided that the drivers who deserve the finger most are in VW Jettas.


    ¹ @da_Doctah?



  • @Zerosquare said in WTF Bites:

    borked
    boxen

    Does seeing this jargon in a news article bother anyone else or am I just ok boomering myself?


  • sekret PM club

    @hungrier said in WTF Bites:

    @Zerosquare said in WTF Bites:

    borked
    boxen

    Does seeing this jargon in a news article bother anyone else or am I just ok boomering myself?

    It's El Reg (The Register). They're known for taking the piss in pretty much everything. Doubly so since they host the BOFH.



  • @Gąska said in WTF Bites:

    @loopback0 said in WTF Bites:

    Bonus WTF is that even though the Install button appears disabled (it's green on a useable drive) you can click it anyway and the install attempts to start before quickly failing with a typical Microsoft error code.

    Remember how in 2008 you could just bind a button in your view to a command in your viewmodel and the command told the button when to disable and it all Just Worked™?

    [image]



  • WTF Bite: The embed-box for Dell

    URL: https://www.dell.com/en-us/work/shop/accessories/apd/210-arev
    .com, en-us, all looks 🇺🇸

    As it appears:
    [image]

    Update: Clicking the link redirects to the main home page instead of whatever (a large monitor, I think) the link was meant to go to.



  • @hungrier said in WTF Bites:

    Does seeing this jargon in a news article bother anyone else or am I just ok boomering myself?

    Yeah, it's bugging me too. The proper spelling is "b0rked".


  • Java Dev

    microcode-version-wtf.png

    Which version was this again?



  • @Atazhaia said in WTF Bites:

    microcode-version-wtf.png

    Which version was this again?

    The “upstream released a b0rked version and now we have to deal with it” one.
    (and maintainer does not want to do epochs, possibly because they realize they'd soon be at 69:3.20181128.1~ubuntu0.18.04)


  • Considered Harmful

    So, NodeBB only supports SVG as a data URL (:trwtf:) and is restricted to the 32kb message limit (including 33% Base64 bloat).

    To make games like Minesweeper possible I have to engage in Stupid Compression Tricks.

    I noticed that it's serializing the XML namespace for XLink as "xlink:". Well, no need to be so verbose, I can just change that to something shorter, and since it's repeated hundreds of times, I should shave a good bit off the size!

    Except... I'm digging through the docs... and. There's literally no API for changing the prefix of an XML namespace.

    SwampShackOverflow suggests a regex replacement (ugh) or copying each node in the document to a new document (double ugh).



  • @error said in WTF Bites:

    There's literally no API for changing the prefix of an XML namespace.

    In normal XML, AFAIK you can assign any prefix with xmlns:[prefix]="http://whatever". However as I'm sure you've found just like I did, using anything other than xlink for the xlink prefix doesn't work in this case.


  • Considered Harmful

    @hungrier said in WTF Bites:

    In normal XML, AFAIK you can assign any prefix with xmlns:[prefix]="http://whatever"

    You're talking about XML like it's a string. I have a Document object.



  • @error Yes, I'm just manually working with the XML text. Google suggests that .net lets you do it easily but that's not relevant to your setup


  • Considered Harmful

    @hungrier said in WTF Bites:

    . However as I'm sure you've found just like I did, using anything other than xlink for the xlink prefix doesn't work in this case.

    Um. Yes. Yes, of course. You've... Passed my test! Well done.

    Also: what the fuck

    That's not how XML works. That's not how any of this works.


  • Considered Harmful

    @error said in WTF Bites:

    @hungrier said in WTF Bites:

    . However as I'm sure you've found just like I did, using anything other than xlink for the xlink prefix doesn't work in this case.

    Um. Yes. Yes, of course. You've... Passed my test! Well done.

    Also: what the fuck

    That's not how XML works. That's not how any of this works.

    It works when I save it to an .svg file and open it in Chrome.

    I think the rules for svg-embedded-inside-html are different (hard-coded prefixes).



  • @error said in WTF Bites:

    I think the rules for svg-embedded-inside-html are different (hard-coded prefixes).

    [image]



  • @levicki said in WTF Bites:

    @Gąska

    👨 Your honor, I was just saving a dog from the car.
    🧙 What about that laptop bag and a car stereo? Did you "save" those as well?
    👨 Of course! Both were in direct sunlight, and laptop has a battery which explodes when overheated.
    🧙 You are free to go. Guards, bring me the owner of the car! That reckless person has to be punished!

    True-ish story that I told a long time ago (in the garage, but nothing garagey in that post): https://what.thedailywtf.com/post/1332449



  • @levicki said in WTF Bites:

    Because rasterization for display is done by the OS, and rasterization for printing is done by the printer itself? Malicious data could still be present in protected view -- say a subtly malformed image file which on printer causes buffer overflow but on screen doesn't do jack shit.

    So the solution is to only enable printing after turning off the "safety" feature, thus ensuring that if there was any malicious script embedded in the document, it would definitely run. That sounds like the right way to prioritize threats.


  • Discourse touched me in a no-no place

    @Bulb said in WTF Bites:

    @loopback0 said in WTF Bites:

    If you have an SSL certificate with IP addresses in the SAN field, and you connect to that server using the IP address, IE goes NOPE and shows the "There is a problem with this website's security certificate" error.

    Excuse me being practical, but have you heard of .nip.io (or one of its alternatives)? These exist exactly to work around applications that have issues with IP addresses in SSL certificates—plus allow you to have virtual hosts without official DNS names.

    I hadn't but for what I briefly needed telling IE to ignore the error was good enough.


  • Discourse touched me in a no-no place

    @hungrier said in WTF Bites:

    Does seeing this jargon in a news article bother anyone else or am I just ok boomering myself?

    Anywhere other than The Register, I'd agree.


  • Discourse touched me in a no-no place

    @hungrier said in WTF Bites:

    @levicki said in WTF Bites:

    Because rasterization for display is done by the OS, and rasterization for printing is done by the printer itself? Malicious data could still be present in protected view -- say a subtly malformed image file which on printer causes buffer overflow but on screen doesn't do jack shit.

    So the solution is to only enable printing after turning off the "safety" feature, thus ensuring that if there was any malicious script embedded in the document, it would definitely run. That sounds like the right way to prioritize threats.

    You realise that it must be that way because of what must be an epic :trwtf: in how printing is implemented inside Office?


  • Discourse touched me in a no-no place

    @levicki said in WTF Bites:

    What if you have a hot-swap disk enclosure and you routinely swap the disks and make the drive letter for all of them to be the same (which is possible because the other drive is no longer connected)? How do you know which disk is currently in the enclosure without label?

    Then if you're doing that, it's a poor choice to install anything on since things like shortcuts don't obey labels.


  • Discourse touched me in a no-no place

    @levicki said in WTF Bites:

    @loopback0 said in WTF Bites:

    Goddammit Internet Explorer!

    E_CANNOT_REPRODUCE

    [image]

    Is that defined in the SAN field as an IP address (not a DNS name) and is it ONLY in the SAN field and not the CN?
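    The question above (is the address an IP-type SAN entry, a DNS-type entry, or only in the CN?) can be answered with openssl. This is an added example, not from the thread; it assumes OpenSSL 1.1.1 or newer (for `req -addext`) and builds its own throwaway self-signed test certificates.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: decide whether a server certificate
    # carries a given IP as an "IP Address" SAN entry, as a DNS-type SAN entry,
    # or only in the subject CN. Assumes OpenSSL 1.1.1+ (req -addext).

    # Print the Subject Alternative Name entries of a PEM cert, spaces removed,
    # e.g. "IPAddress:10.0.0.1,DNS:server.test" (empty when the cert has no SAN).
    san_entries() {
      openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
    }

    # Print the subject CN of a PEM cert.
    cert_cn() {
      openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
    }

    # classify_ip CERT IP -> ip-san | dns-san-only | cn-only | absent
    # Only "ip-san" is the form a client is expected to honour for an IP URL;
    # a DNS-type entry holding an IP string, or a CN-only match, is not.
    classify_ip() {
      san=$(san_entries "$1")
      case ",$san," in
        *",IPAddress:$2,"*) echo ip-san; return ;;
        *",DNS:$2,"*)       echo dns-san-only; return ;;
      esac
      if [ "$(cert_cn "$1")" = "$2" ]; then echo cn-only; else echo absent; fi
    }

    # make_cert OUT CN SAN_SPEC: constructed self-signed test cert with a
    # throwaway EC key written next to it; SAN_SPEC may be empty.
    make_cert() {
      if [ -n "$3" ]; then
        openssl req -x509 -nodes -days 1 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
          -keyout "$1.key" -subj "/CN=$2" -addext "subjectAltName=$3" -out "$1" 2>/dev/null
      else
        openssl req -x509 -nodes -days 1 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
          -keyout "$1.key" -subj "/CN=$2" -out "$1" 2>/dev/null
      fi
    }

    # Three constructed certs: proper IP SAN, IP stuffed into a DNS entry, CN only.
    demo() {
      d=$(mktemp -d)
      make_cert "$d/ip.pem"  server.test "IP:10.0.0.1,DNS:server.test"
      make_cert "$d/dns.pem" server.test "DNS:10.0.0.1"
      make_cert "$d/cn.pem"  10.0.0.1    ""
      for c in ip dns cn; do
        printf '%s: %s\n' "$c.pem" "$(classify_ip "$d/$c.pem" 10.0.0.1)"
      done
      rm -rf "$d"
    }
    if [ "${1:-}" = "--demo" ]; then demo; fi
    ```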



  • @dkf said in WTF Bites:

    @hungrier said in WTF Bites:

    @levicki said in WTF Bites:

    Because rasterization for display is done by the OS, and rasterization for printing is done by the printer itself? Malicious data could still be present in protected view -- say a subtly malformed image file which on printer causes buffer overflow but on screen doesn't do jack shit.

    So the solution is to only enable printing after turning off the "safety" feature, thus ensuring that if there was any malicious script embedded in the document, it would definitely run. That sounds like the right way to prioritize threats.

    You realise that it must be that way because of what must be an epic :trwtf: in how printing is implemented inside Office?

    I was gonna suggest that if saving as PDF is allowed in protected mode, then there should be no reason printing wouldn't be allowed, but it turns out they had thought of that and disabled save as (not save, although all save does is show a message saying that you have to turn off protected mode).


  • BINNED

    @levicki said in WTF Bites:

    @djls45 said in WTF Bites:

    So why not have "Protected Print" which just prints what gets displayed in Protected View?

    Because rasterization for display is done by the OS, and rasterization for printing is done by the printer itself? Malicious data could still be present in protected view -- say a subtly malformed image file which on printer causes buffer overflow but on screen doesn't do jack shit.

    That may or may not be a problem, but it's almost certainly not what this feature is supposed to protect you from. Otherwise you'd need to have this "protected view" in everything from Paint to WordPad. But it's an Office feature, so in all likelihood it's supposed to protect you from Office based macro malware. That not printing at all prevents another potential class of different - and much less common - threats is rather tangential.

    @topspin said in WTF Bites:

    Printing should not need any macros.

    If you ever checked GPO for Windows printing (security related) and saw the defaults, you would be scared shitless and disable even the Print Spooler service, not just the printer.

    Maybe, no idea. But that's a problem in a different layer.



  • @topspin Are there 'on print run this macro' hooks in Office? There must be, shirley.


  • BINNED

    @AyGeePlus said in WTF Bites:

    @topspin Are there 'on print run this macro' hooks in Office? There must be, shirley.

    I suppose there are, but why ~~would~~should that prevent you from printing with macros disabled? Just not run the macros then.



  • @hungrier said in WTF Bites:

    URL: https://www.dell.com/en-us/work/shop/accessories/apd/210-arev

    WTF? Click on the larger ones (starting at $3200) and the original (at $900) is now unclickable.



  • @topspin What's fun about Office security decisions is you can reverse-engineer the use case they must be optimizing for, and it's horrifying.

    There must be someone (or several someones) with a very large MS support contract who needs to print things with macros in, and the macros have to run or it won't look right, and being sure to click the button so it looks right is unworkable. Someone is doing business logic (well, something important) in Office macros, and it's mission-critical, and it's arriving over email from untrusted sources, and whoever is receiving it is either an idiot or an executive. You can tell because if they weren't, "do your job right instead of wrong" would be the answer, instead of "make Microsoft change the behavior of Word so doing my job wrong is impossible".

    Someone's nephew wrote a Word document that automatically expands an Access call into paychecks in 2004, and now Goldman Sachs/the NFL/Ford uses this system to make payroll. Or calculate C-level analytics for someone who gets reports printed out by someone else, and you need to be able to mail the file to an intern who can print it?

    Whatever the workflow is, it's very important.

    Either that, or some team in Microsoft is populated entirely by insane morons and nobody is checking their work. You decide which is less depressing.



  • @AyGeePlus said in WTF Bites:

    What's fun about Office security decisions is

    that Microsoft never thought about security when implementing macros, so now they're stuck with this mess.



  • @AyGeePlus said in WTF Bites:

    either an idiot or an executive ... or some team in Microsoft is populated entirely by insane morons

    Those are, of course, inclusive ORs.



  • @HardwareGeek The behavior of Word tells us quite a lot of companies are incompetently managed. Statistics tells us Microsoft is probably not special.


  • BINNED

    @HardwareGeek said in WTF Bites:

    @AyGeePlus said in WTF Bites:

    either an idiot or an executive ... or some team in Microsoft is populated entirely by insane morons

    Those are, of course, inclusive ORs.

    :why_not_bothANDs:


  • Discourse touched me in a no-no place

    @levicki said in WTF Bites:

    The difference is that this is not a self-signed root, it is a proper server cert self-issued by my own root CA which is in the computer trusted CA store

    I was at work where we have server certs issued by our own internal intermediate CA which is signed by the internal root CA.

    The fact remains that IE refused a cert that was completely valid and a quick Google search turned it up as a known behaviour of IE.



  • "Protected mode" isn't just a MS thing; Adobe Reader has it as well (except I think it's not active by default). And yes, you can't print documents unless you turn it off.


  • BINNED

    "… largely reßecting their …"


  • Notification Spam Recipient

    Status: About to do something I think is stupid, but should work as intended.

    Consider the following code:

    [image]

    and its intended usage:

    [image]

    Am I assuming too much that it will first call the set function, and then call the get function?

    I'm going to try it momentarily....



  • @hungrier said in WTF Bites:

    @AyGeePlus said in WTF Bites:

    Nobody does this because now you have to write printer firmware, and nobody wants to do that.

    Yeah. If you're a nefarious hacker, you've got the problem of wanting to get into a secure system. But if you hack a printer, you've now pwned a printer, which means you have another problem.

    Hacker: "I finally did it. I found a way to hack into this office through their printer. Now I just need to upload my payload and the entire network will be mine."
    [6 hours later]
    "I can't write to the firmware until they change the magenta ink cartridge?"


  • Notification Spam Recipient

    @Tsaukpaetra said in WTF Bites:

    I'm going to try it momentarily....

    Well, it didn't immediately die and fall over, so here's to hoping a round of dropped pings doesn't immediately kill the unmanaged VM entries...



  • @Tsaukpaetra
    My first guess: the getter doesn't get called and vm.Status is assigned CloudVMStatus.Stopped directly.


  • Notification Spam Recipient

    @Watson said in WTF Bites:

    @Tsaukpaetra
    My first guess: the getter doesn't get called and vm.Status is assigned CloudVMStatus.Stopped directly.

    Easy enough to determine by setting breakpoints I suppose...

    Edit: Yes, seems you are correct. Whelp, easy enough to separate into two statements.


  • Considered Harmful

    @djls45 said in WTF Bites:

    @levicki So why not have "Protected Print" which just prints what gets displayed in Protected View?

    You could hurt other people's feelings by raping their copyright.


  • Considered Harmful

    @anonymous234 said in WTF Bites:

    [6 hours later]
    "I can't write to the firmware until they change the magenta ink cartridge?"

    Surely you can think of a way of making them do that within the next half hour? :trollface:

    "It's no good. I've run out of pink. No pink, See? No good you going on pressing the lever when there's no pink, is there? If you wanted pink you shouldn't of took all those pictures of young ladies, should you? It's monochrome from now on, friend. Alright?" —Twoflower's iconograph


  • Considered Harmful

    ((?<=^|[\s#,"=\(\[\|\{])(?:1[0123456]|9)\d{8}|^@[\da-fA-F]{16,24})(?:\.?(\d{1,6}))?(?![\d\(])

    What could possibly go wrong?

    This: XML, Y2K reloaded, and a temporary fix for date "parsing"
    Bingo!


  • BINNED

    @anonymous234 said in WTF Bites:

    "I can't write to the firmware until they change the ~~magenta~~cyan ink cartridge?"

    FTFM.

