WTF Bites


  • BINNED

    @error said in WTF Bites:

    Why do so many apps do this shit?

    I definitely do not know what you’re talking about.


    Free webapp idea: tool that adds a transparent margin 20.71% the width of an uploaded image.



  • @error said in WTF Bites:

    I have to verify my email address to verify my email address.

    Recursive security™


  • Considered Harmful

    @TimeBandit said in WTF Bites:

    @Gribnit said in WTF Bites:

    Give me my badge.


    If you don't understand what it means, now you know how I feel most of the time when I read you 🍹

    No problems here, seems pretty clear and a useful warning.


  • Considered Harmful

    @error said in WTF Bites:

    It looks like shit ...


    Well, a toilet seat is more shit-adjacent.


  • BINNED

    Was about to submit an abstract. After I had sent it to a co-author they added too much stuff so I had to trim it down just enough to fit the character limit. Word claims I have 1 character left.

    Copy and paste it into the online submission form and it cuts off several characters at the end. Fuck. Is this some JS monkey retardery?
    Save it as plain text and the file size is about 40 bytes higher than the character count. Which is more than a few, so hopefully that's not what they did? Run wc -m on it and it gives the same character count as Word. Okay. Just to be sure I paste it into Python and len(text) gives me the number of bytes. WTF, this is not how that works you f... oh wait, I started Python 2, sorry, my mistake.

    When I try to look at the page source to see what shit it does I realize it's actually a PDF (Firefox transparently opened that), so now I have no clue what it does. It's not completely stupid and mistakes byte count for character count, because then it would have cut off much more, but it still can't count characters correctly. :wtf:



  • @topspin said in WTF Bites:

    Was about to submit an abstract. After I had sent it to a co-author they added too much stuff so I had to trim it down just enough to fit the character limit. Word claims I have 1 character left.

    Copy and paste it into the online submission form and it cuts off several characters at the end. Fuck. Is this some JS monkey retardery?
    Save it as plain text and the file size is about 40 bytes higher than the character count. Which is more than a few, so hopefully that's not what they did? Run wc -m on it and it gives the same character count as Word. Okay. Just to be sure I paste it into Python and len(text) gives me the number of bytes. WTF, this is not how that works you f... oh wait, I started Python 2, sorry, my mistake.

    When I try to look at the page source to see what shit it does I realize it's actually a PDF (Firefox transparently opened that), so now I have no clue what it does. It's not completely stupid and mistakes byte count for character count, because then it would have cut off much more, but it still can't count characters correctly. :wtf:

    You really don't want to go digging into PDFs inner workings.



  • PDF with internal scripting should be in the 'Nope' thread


  • BINNED

    @bobjanova said in WTF Bites:

    PDF with internal scripting should be in the 'Nope' thread

    I really have no idea how to "author" PDFs but I assume this one is just a standard "limit to X characters" setting. Any actual scripting would require more knowledge than whoever set this up has.



  • @topspin ␍␊ versus ␊?


  • BINNED

    @TwelveBaud said in WTF Bites:

    @topspin ␍␊ versus ␊?

    Could be possible. checks... Removing one line break allows one more character, so I think that's not it.

    But then who would use CRLF in memory anyway?
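The abstract that lost characters, and the ␍␊ versus ␊ question, both come down to what each tool calls a "character". The following is an added example, not code posted by anyone in the thread: it measures one constructed string the way the tools mentioned above count it (Python 2 len() on a UTF-8 byte string and the file size on disk, Python 3 len() and wc -m, a JavaScript-style UTF-16 count, the count with CRLF pairs folded to one line break, and the count after Unicode composition), then shows what a form that enforces its limit in the wrong unit chops off. The sample text and the limit of 23 are assumptions chosen so that every count differs.

```python
import unicodedata

# Constructed sample text (not from the thread): an accented letter, an en dash,
# curly quotes, a CRLF line break and a non-BMP emoji, so that every way of
# counting "characters" gives a different answer.
SAMPLE = "na\u00efve \u2013 \u201cquoted\u201d\r\n\U0001F600 end"


def counts(text: str) -> dict:
    """Measure one text in the units different tools actually count."""
    return {
        # Python 2 len() on a UTF-8 encoded str, and the size of the file on disk
        "utf8_bytes": len(text.encode("utf-8")),
        # JavaScript String.length and other UTF-16 based counts
        "utf16_units": len(text.encode("utf-16-le")) // 2,
        # Python 3 len(), and wc -m under a UTF-8 locale
        "code_points": len(text),
        # the same with each CRLF pair counted as one line break
        "code_points_lf": len(text.replace("\r\n", "\n")),
        # after NFC: "e" + combining acute becomes one precomposed code point
        "nfc_code_points": len(unicodedata.normalize("NFC", text)),
    }


def cut_at(text: str, limit: int, unit: str) -> str:
    """Keep the longest prefix of text that fits `limit` measured in `unit`,
    as a form enforcing its limit in that unit would. A code point that would
    be split in the middle is dropped rather than emitted corrupted."""
    if unit == "code_points":
        return text[:limit]
    if unit == "utf8_bytes":
        return text.encode("utf-8")[:limit].decode("utf-8", errors="ignore")
    if unit == "utf16_units":
        return text.encode("utf-16-le")[: 2 * limit].decode("utf-16-le", errors="ignore")
    raise ValueError(f"unknown unit {unit!r}")


def lost_tail(text: str, limit: int, unit: str) -> str:
    """What the author sees cut off the end of the text."""
    return text[len(cut_at(text, limit, unit)):]


if __name__ == "__main__":
    for unit, value in counts(SAMPLE).items():
        print(f"{unit:>16}: {value}")
    # An author who trusts the code point count (23 here) and a form that
    # applies the same number as a UTF-16 or UTF-8 limit disagree on the tail:
    for unit in ("utf16_units", "utf8_bytes"):
        print(f"limit 23 in {unit}: drops {lost_tail(SAMPLE, 23, unit)!r}")
```

Removing the "\r" from the sample changes `code_points` by exactly one, which matches the check topspin did; a single emoji or a decomposed accent changes the UTF-16 and NFC counts by one each without any line ending being involved, which is the other place a "one character left" claim and a form's limit can disagree.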



  • Bought something on the web, enter credit card number, get to the 2FA thing that is now more or less standard. OK, let's go for it.

    Grab my phone, wait for the text message to come in. Oh wait, my bank has changed and now to validate the operation I need to go to their website (no, not app, they don't have one -- to be fair they have a reasonably decent website instead, so I'm not complaining here).

    (insert :wtf:-is-me here: for a couple of seconds I started to rant that it was a scandal to require an internet connection and what if I don't have a data plan (which I don't), and how dare they assume I have an internet access to validate a purchase I'm making... on the internet. Right, well, let's move on, shall we? :wtf-whistling:)

    But wait, I still get a text message! With a link to go to the bank website. Mm, okay, why not.

    (I then actually went to my bank website from my computer because I am already on my computer (see point above) and I'd rather look at a real screen than a phone, but I don't think it would make any difference -- in fact if anything it made things a tiny bit simpler as I actually entirely ignored the first text message)

    So I log onto the website. I expected it to pick that time to go through the "you haven't logged in for more than 42 min, let me send you a 2FA code on your phone to let you in" but not this time.

    I get the message to validate my purchase, yes, OK, that's the right amount. Click "validate" and... it sends me a text message with a code. To validate the validation.

    Let's sum up: to validate a purchase, I got two text messages and had to switch devices (context, application, tab...) 5 times. Original website to text message, text message to bank website, bank website to text message, back to bank website, and finally back to original website (since the validation took place in the bank website that meant it was a full fledged page and not just an embed inside the original website).

    That also required using my full bank credentials (you know, the thing with a virtual keyboard "for your security" that means anyone peeping over my shoulder can see what numbers (yes, numbers only, "for your security") I'm clicking on), and then copying a regular 6-digit code sent by text message.

    Counting the number of possible points of failure and timeouts is left as an exercise to the reader.


  • ♿ (Parody)

    @topspin said in WTF Bites:

    But then who would use CRLF in memory anyway?

    It's just the sort of thing I'd expect from MS.


  • ♿ (Parody)

    @remi said in WTF Bites:

    Let's sum up: to validate a purchase, I got two text messages and had to switch devices (context, application, tab...) 5 times. Original website to text message, text message to bank website, bank website to text message, back to bank website, and finally back to original website (since the validation took place in the bank website that meant it was a full fledged page and not just an embed inside the original website).

    I open up https://messages.google.com/ so I can send and receive (and therefore easily copy those codes) texts from my computer in situations like this.



  • @topspin said in WTF Bites:

    But then who would use CRLF in memory anyway?

    I mean...

    If you mmap() a file, you end up with whatever's on disk. Being able to deal with CRLF in memory can come in handy.



  • @boomzilla said in WTF Bites:

    I open up https://messages.google.com/ so I can send and receive (and therefore easily copy those codes) texts from my computer in situations like this.

    I didn't know you could access messages like this, it's nice to know.

    But... first it requires (I assume) that I'm using the Google messages app. Which is currently the case, but wasn't always so (at one point it wasn't able to use different notifications depending on the sender, or some other setting long ago that caused me to not use it... anyway, my point here is that if I'm not using this app, that wouldn't work).

    And more importantly, it means that I'd be making copy-the-code easier, but at the cost of opening yet another tab and another "device" to interact with (the messages page). It does make things a tiny bit easier, but on the whole... not much.



  • @error said in WTF Bites:

    I have to verify my email address to verify my email address.



  • Considered Harmful

    @hungrier I'm about 2 dozen films in the MCU away from understanding these memes.



  • @error Just watch Ant Man and Endgame, you don't need the rest :half-trolleybus-r:



  • @Carnage said in WTF Bites:

    You really don't want to go digging into PDFs inner workings.

    If you try to because you own a copy of Acrobat 8, well 🖕. Just throw that software away because you can't validate it (server is gone). Or call for validation (not supported). And a special installer they had for a while is gone. So that software is completely useless. As I discovered this weekend when I needed it (the installer lets you, but once the grace period is over, bend over).



  • @remi said in WTF Bites:

    to validate a purchase, I got two text messages and had to switch devices (context, application, tab...) 5 times.

    And some people wonder why many of us just say "screw it, here ya go Amazon"



  • @error said in WTF Bites:

    @hungrier I'm about 2 dozen films in the MCU away from understanding these memes.

    There are films in the MCU?



  • @dcon said in WTF Bites:

    @Carnage said in WTF Bites:

    You really don't want to go digging into PDFs inner workings.

    If you try to because you own a copy of Acrobat 8, well 🖕. Just throw that software away because you can't validate it (server is gone). Or call for validation (not supported). And a special installer they had for a while is gone. So that software is completely useless. As I discovered this weekend when I needed it (the installer lets you, but once the grace period is over, bend over).

    I wonder if my copy of Acrobat 4 still works.


  • Considered Harmful

    @dcon said in WTF Bites:

    @remi said in WTF Bites:

    to validate a purchase, I got two text messages and had to switch devices (context, application, tab...) 5 times.

    And some people wonder why many of us just say "screw it, here ya go Amazon"

    I've had multiple Android apps require 2FA, so I had to switch apps to approve, only to find out that the original app forgot it was waiting for approval when I returned to it.


  • Considered Harmful

    @TimeBandit said in WTF Bites:

    @Gribnit said in WTF Bites:

    Give me my badge.


    If you don't understand what it means, now you know how I feel most of the time when I read you 🍹

    Careful, newly fork()ed instance!



  • @remi: if that bothers you, you can ask your bank if they support authentication thru an external card reader. Here's an example:

    Banks don't promote that solution because they are in full "everything is mobile! install our app!" mode, but I still could get it enabled by explicitly requesting it.

    It's also significantly more secure than the phone app solution. Nobody can make an online purchase unless they have both a reader and your physical card, and know your PIN code. And unlike the phone app, it's not vulnerable to malware.



  • @Zerosquare said in WTF Bites:

    Nobody can make an online purchase unless they have both a reader and your physical card, and know your PIN code. And unlike the phone app, it's not vulnerable to malware.

    Something you have and something you know? Real 2FA? Come on, it's a bank; they'll never go for that.


  • Banned

    @HardwareGeek said in WTF Bites:

    @error said in WTF Bites:

    @hungrier I'm about 2 dozen films in the MCU away from understanding these memes.

    There are films in the MCU?




  • @dcon said in WTF Bites:

    @BernieTheBernie said in WTF Bites:

    Till, out-of a sudden, it crashes.

    If you're changing some apps config like that, you deserve all the crashes it can generate. Preferably in a data corrupting manner.

    It was not me to do so. The guy who creates the configuration for the devices in our in-house test center did so. Fortunately before using it on customer devices...



  • @BernieTheBernie said in WTF Bites:

    @dcon said in WTF Bites:

    @BernieTheBernie said in WTF Bites:

    Till, out-of a sudden, it crashes.

    If you're changing some apps config like that, you deserve all the crashes it can generate. Preferably in a data corrupting manner.

    It was not me to do so. The guy who creates the configuration for the devices in our in-house test center did so. Fortunately before using it on customer devices...

    Ah, go "take care" of them. A jury of your peers will never convict you.


  • Notification Spam Recipient

    @error said in WTF Bites:

    @dcon said in WTF Bites:

    @remi said in WTF Bites:

    to validate a purchase, I got two text messages and had to switch devices (context, application, tab...) 5 times.

    And some people wonder why many of us just say "screw it, here ya go Amazon"

    I've had multiple Android apps require 2FA, so I had to switch apps to approve, only to find out that the original app forgot it was waiting for approval when I returned to it.

    I recently experienced an App that wanted full access to my bank account for the purpose of checking if I did a particular thing. Went through the flow, bank sent me a text and confirmation email that I gave full access, yadda yadda, finish the flow, come back to the original App and it claims I must be locked out of my account!

    I'm totally not. End up trying three times before just giving up. It just needed two numbers anyways.


  • Considered Harmful

    @Tsaukpaetra said in WTF Bites:

    I recently experienced an App that wanted full access to my bank account for the purpose of checking if I did a particular thing. Went through the flow, bank sent me a text and confirmation email that I gave full access, yadda yadda, finish the flow, come back to the original App and it claims I must be locked out of my account!

    Wow, uh. Want to try my app?


    Filed under: Worst pickup line ever.



  • @error I've heard that some popular payment apps use that method for their operation. Just give'em full access, you can pay for your coffee, trust them they won't do anything bad.


  • Notification Spam Recipient

    @error said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    I recently experienced an App that wanted full access to my bank account for the purpose of checking if I did a particular thing. Went through the flow, bank sent me a text and confirmation email that I gave full access, yadda yadda, finish the flow, come back to the original App and it claims I must be locked out of my account!

    Wow, uh. Want to try my app?


    Filed under: Worst pickup line ever.

    Will you invert the taxes owed? I'd like to be back in refund land. It sounds much nicer...


  • Considered Harmful

    @Tsaukpaetra said in WTF Bites:

    Will you invert the taxes owed? I'd like to be back in refund land. It sounds much nicer...

    Sure. You can write off any funds that disappear on your taxes.


  • Considered Harmful

    @hungrier I find that not caring also suffices.




  • BINNED

    @Zerosquare isn’t PHP itself a large enough backdoor?



  • I was considering posting something like "Adding a deliberate security breach to PHP is like sprinkling sugar on cotton candy".



  • @topspin said in WTF Bites:

    @Zerosquare isn’t PHP itself a large enough backdoor?

    "Yo dawg, I heard you like backdoors, so I put a backdoor into your backdoor, so you can get backdoored while you get backdoored."


  • Considered Harmful

    @cvi said in WTF Bites:

    you can backdoored while you get backdoored

    My thread is :arrows:


  • Considered Harmful

    WhyTF is this gaming podcast talking about cryptocurrency? And explaining it to me for the gazillionth time.


  • BINNED

    @error said in WTF Bites:

    @cvi said in WTF Bites:

    you can backdoored while you get backdoored

    My thread is :arrows:




  • @Zerosquare said in WTF Bites:

    if that bothers you, you can ask your bank if they support authentication thru an external card reader.

    I didn't know that you could indeed (sometimes) request that from your bank, I thought it was entirely up to them to pick the authentication method they provide to you, so thanks. Though I doubt my bank supports it, I can't find any mention of that (and of course there isn't one industry-wide name for it so I can't search easily and searching for e.g. "card reader bank name" shows results for payment terminals, not token generators :angry:).

    I had a(nother) bank in the past that did this, and I thought it was rather nice. But of course it means that you need to carry the card reader with you when e.g. travelling, which makes it slightly less convenient. Not that I really often need to validate internet purchase while on the go, but you never know (for example I remember once last summer where I booked some tourist attraction a day in advance). And even when at home, having to go fetch the reader is just inserting the :kneeling_warthog: in an already protracted process. Plus there is the issue that it's another device that can break, or run out of batteries (not in a long time, probably, but still).

    But as @HardwareGeek says, it's actually a very good device from a security point of view. The bank that did that also did not limit my password to numbers, and did not use a stupid on-screen-keyboard to type it, so it really felt like they actually thought about security! :surprised-pikachu: They also did not ask for the full password every time but rather just 3-4 chars from it (say, "1st, 3rd and 4th char") which means a keylogger on a computer you only use once will not see your full password. But it's also more annoying to type than a regular password (I usually mimicked typing the password to use my muscle-memory, but only pressing the required keys -- at least the focus on the fields in the form moved correctly!).

    If one wants to get philosophical, one could say it illustrates the difficulty of finding the right balance between security and ease of use...



  • @remi said in WTF Bites:

    Plus there is the issue that it's another device that can break, or run out of batteries (not in a long time, probably, but still).

    On the plus side, from my limited experience (two different banks, two different readers), they seem to be based on a generic design with no customization besides cosmetic stuff: using the reader from bank A with a card from bank B works. Which makes sense since all the actual security stuff is done inside the chip on the card; the reader is just an interface. So it may be possible to borrow one if yours is lost or out of order.



  • Back to actual WTF bites:



  • @Zerosquare said in WTF Bites:

    @remi said in WTF Bites:

    Plus there is the issue that it's another device that can break, or run out of batteries (not in a long time, probably, but still).

    On the plus side, from my limited experience (two different banks, two different readers), they seem to be based on a generic design with no customization besides cosmetic stuff: using the reader from bank A with a card from bank B works. Which makes sense since all the actual security stuff is done inside the chip on the card; the reader is just an interface.

    That's interesting, I hadn't thought of that (probably because I only ever saw a single bank do that!). I'd have thought that the reader would integrate e.g. some sort of unique key (random seed, whatever) tied to the bank, or that there would be several slightly different variations of algorithm implemented (to go from pin to validation number), but maybe there is one widely accepted standard...

    So it may be possible to borrow one if yours is lost or out of order.

    Indeed, if they're shareable and common enough, that would be a good workaround.


  • BINNED

    @remi said in WTF Bites:

    @Zerosquare said in WTF Bites:

    @remi said in WTF Bites:

    Plus there is the issue that it's another device that can break, or run out of batteries (not in a long time, probably, but still).

    On the plus side, from my limited experience (two different banks, two different readers), they seem to be based on a generic design with no customization besides cosmetic stuff: using the reader from bank A with a card from bank B works. Which makes sense since all the actual security stuff is done inside the chip on the card; the reader is just an interface.

    That's interesting, I hadn't thought of that (probably because I only ever saw a single bank do that!). I'd have thought that the reader would integrate e.g. some sort of unique key (random seed, whatever) tied to the bank, or that there would be several slightly different variations of algorithm implemented (to go from pin to validation number), but maybe there is one widely accepted standard...

    I got one of those. Can confirm the reader itself isn't part of the secret or of the thing "you own", it's generic.
    It's real 2FA because I need to own the card and know the PIN. On top of being logged in to the bank account, which is just another "thing I know" with a shitty password restricted to 5 digits. :rolleyes:

    Still better than getting nagged with nonsense 2FA shit for stuff I don't care about (no Play, I don't want to add 2FA, I don't even want you to fucking exist, just start the fucking game) or getting bombarded with mails whenever I log into Netflix or Google or whatever that pretends it doesn't know the device because I use private browsing.



  • @remi said in WTF Bites:

    They also did not ask for the full password every time but rather just 3-4 chars from it (say, "1st, 3rd and 4th char")

    Wat. Unless they're storing hashes of those char combinations in advance (or have a very funky hashing algorithm), this means that your password lives somewhere in the clear.
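Two observations above can be given numbers: remi's that a keylogger on a machine you use once sees only the positions asked for in that session, and Zerosquare's that the bank can only check "1st, 3rd and 4th char" if it keeps the password in the clear or pre-hashes every subset of positions. This is an added example, not code from any post in the thread. The password, the number of positions asked per login (3), and the assumption that the bank picks those positions uniformly at random are all constructed for the illustration.

```python
import math
import random


def stored_hashes_needed(length: int, k: int) -> int:
    """Position subsets a bank must pre-hash to verify "characters i, j, l"
    without keeping the password itself: C(length, k) entries per user,
    every one of them a hash of only k characters, which is cheap to brute-force."""
    return math.comb(length, k)


def login_challenge(password: str, k: int, rng: random.Random) -> dict:
    """One login: the bank asks for k distinct positions. The returned mapping
    is exactly what a keylogger or shoulder surfer learns from that session."""
    positions = rng.sample(range(len(password)), k)
    return {p: password[p] for p in positions}


def merge_observations(sessions) -> dict:
    """Union of everything captured across several sessions."""
    known = {}
    for session in sessions:
        known.update(session)
    return known


def reconstruct(known: dict, length: int) -> str:
    """The password as the attacker currently knows it, '?' for unseen positions."""
    return "".join(known.get(i, "?") for i in range(length))


def sessions_until_recovered(password: str, k: int, seed: int = 0) -> int:
    """Sessions a passive observer needs before every position has been asked once."""
    rng = random.Random(seed)
    known, n = {}, 0
    while len(known) < len(password):
        known.update(login_challenge(password, k, rng))
        n += 1
    return n


def expected_sessions(length: int, k: int) -> float:
    """Expected sessions until all positions have been seen: a coupon collector
    with k draws without replacement per session, E[N] = sum_{n>=0} P(N > n),
    with P(N > n) by inclusion-exclusion over the positions still unseen."""
    total = 1.0                      # n = 0: nothing seen yet, P(N > 0) = 1
    for n in range(1, 10_000):
        p_unseen = 0.0
        for j in range(1, length + 1):
            # probability that a fixed set of j positions is avoided in one session
            if length - j >= k:
                p_avoid = math.comb(length - j, k) / math.comb(length, k)
            else:
                p_avoid = 0.0
            p_unseen += (-1) ** (j + 1) * math.comb(length, j) * p_avoid ** n
        total += p_unseen
        if p_unseen < 1e-12:
            break
    return total


if __name__ == "__main__":
    password = "correcthorse"        # constructed; 12 characters
    rng = random.Random(2024)
    sessions = [login_challenge(password, 3, rng) for _ in range(4)]
    print("after 4 observed logins:", reconstruct(merge_observations(sessions), len(password)))
    print("hash entries the bank needs to avoid plaintext:", stored_hashes_needed(len(password), 3))
    print("expected logins to capture everything: %.1f" % expected_sessions(len(password), 3))
```

The scheme does what remi says for a one-off session, but a second or third login on the same compromised machine erodes that quickly, and on the server side the price of not keeping the password in the clear is a table of C(n, k) short hashes, each of which protects only k characters.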



  • @topspin said in WTF Bites:

    I got one of those. Can confirm the reader itself isn't part of the secret or of the thing "you own", it's generic.

    I did have one (with that other bank I mentioned) and while I knew I could use another reader from the same bank (e.g. my wife's), that still doesn't tell me if I could have used one from another bank.

    Obviously the reader doesn't contain any user-specific secret (that's in my card), but it does contain an algorithm to use that secret to generate the code that it prints on the screen. I don't see any reason why that algorithm should be exactly identical for all banks, unless there is an industry-standard one (I've never heard about it, but I never had any reason to look for it nor hear about it, so my ignorance doesn't prove anything here).
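On the question of whether the reader holds anything bank-specific, here is an added toy model of the split the posts describe: it is not the real EMV card-reader scheme and not code from anyone in the thread. The card holds the per-card key and checks the PIN, the reader has no secret and only passes a challenge in and formats the cryptogram it gets back as digits, and the bank verifies with its own copy of the card key. The key, PIN, challenge text, transaction counter, resynchronisation window and the 8-digit truncation are all assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Card:
    """The chip: personalised with a per-card key and the PIN. Neither ever
    leaves it; it only answers a challenge with a MAC after a correct PIN."""
    key: bytes
    pin: str
    counter: int = 0          # transaction counter, bound into every MAC
    pin_tries_left: int = 3

    def sign(self, pin: str, challenge: bytes):
        if self.pin_tries_left == 0:
            return None                               # card blocked
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.pin_tries_left -= 1
            return None
        self.pin_tries_left = 3
        self.counter += 1
        msg = self.counter.to_bytes(2, "big") + challenge
        return hmac.new(self.key, msg, hashlib.sha256).digest()


class Reader:
    """Generic reader: keypad, display and a fixed, public way of turning the
    card's cryptogram into a number. It holds no key and nothing bank-specific,
    which is what lets a reader from bank A work with a card from bank B."""

    def __init__(self, brand: str):
        self.brand = brand                            # cosmetic only

    def respond(self, card: Card, pin: str, challenge: str) -> str:
        mac = card.sign(pin, challenge.encode())
        if mac is None:
            return "PIN ERROR"
        return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Issuer side: a copy of each card's key and the last counter value seen."""

    def __init__(self):
        self.cards = {}                               # card id -> [key, last counter]

    def enrol(self, card_id: str, key: bytes):
        self.cards[card_id] = [key, 0]

    def verify(self, card_id: str, challenge: str, response: str, window: int = 10) -> bool:
        key, last = self.cards[card_id]
        # the card may have been used offline since; try a small counter window
        for ctr in range(last + 1, last + 1 + window):
            mac = hmac.new(key, ctr.to_bytes(2, "big") + challenge.encode(), hashlib.sha256).digest()
            expected = f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"
            if hmac.compare_digest(expected, response):
                self.cards[card_id][1] = ctr          # accepted codes cannot be replayed
                return True
        return False


def demo():
    """Same card personalisation in two different banks' readers gives the same code."""
    key = hashlib.sha256(b"per-card key, constructed for the example").digest()
    bank = Bank()
    bank.enrol("card-1", key)
    same_card_in_a = Card(key, "1234")               # one physical card, modelled twice
    same_card_in_b = Card(key, "1234")
    challenge = "PAY 42.00 EUR TO MERCHANT 7781"     # constructed
    code_a = Reader("Bank A").respond(same_card_in_a, "1234", challenge)
    code_b = Reader("Bank B").respond(same_card_in_b, "1234", challenge)
    accepted = bank.verify("card-1", challenge, code_a)
    replayed = bank.verify("card-1", challenge, code_a)
    return code_a, code_b, accepted, replayed


if __name__ == "__main__":
    a, b, ok, replay = demo()
    print("reader A:", a, "reader B:", b, "bank accepts:", ok, "replay accepted:", replay)
```

Everything that needs a secret (the PIN check, the MAC, the counter) sits on the card or at the bank; the reader only needs the display format to be the one the bank expects, which is the single thing a different bank's reader could get wrong.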

