The Official Status Thread
-
@Zenith said in The Official Status Thread:
My guess is they both route, somehow, through the browser.
They do, for two reasons.
- If you render those four text boxes and a button, you need to be a PCI-DSS-compliant application software vendor, including filing the proper attestations of compliance, because your application "processes and stores cardholder data". If you embed a browser that renders a webpage that has those four text boxes and a button, then those obligations are on whoever runs that web server, not you. Rationale: If your application was a website, the additional layer supposedly means nothing running on your site can intercept and get the cardholder data. You're not a website, so you have godlike powers over the embedded browser, so none of that applies, but the JS hipsters didn't quite think that through.
- 3D Secure (i.e. Verified by Visa) adds a step where you redirect or embed a webpage allegedly controlled by the payor's bank (usually some sketchy company like Arcot) that snoops around and confirms that the environment looks similar to the environment the customer usually browses in, potentially demanding additional secret passwords or online banking credentials. Somehow you're supposed to know that this extremely sketchy, phishy behavior is actually completely legitimate, and distinguish it from the extremely sketchy, phishy behavior of attackers.
-
@TwelveBaud said in The Official Status Thread:
the JS hipsters didn't quite think
-
@TwelveBaud said in The Official Status Thread:
3D Secure (i.e. Verified by Visa) adds a step where you redirect or embed a webpage allegedly controlled by the payor's bank
Fuck, I forgot that I still need to call the fucking bank after their fucking shite didn’t work again, as always, and they made me figuratively lose my mind and literally lose my credit card fucking around with their shit on a busy train station.
-
@TimeBandit I do not regret leaving behind working for a Moodle consulting company.
Atto - the stock editor in Moodle - is a handrolled piece of shit even if the guy who mostly wrote it is a nice guy who I thought knew better.
I have seen it mangle tags even without hand-editing.
-
@loopback0 said in The Official Status Thread:
five year old version
You know him and I have battles with stuff way older than that, right?
-
@Tsaukpaetra said in The Official Status Thread:
@loopback0 said in The Official Status Thread:
five year old version
You know him and I have battles with stuff way older than that, right?
Duh.
I also know at least for him it's by choice.
-
@TwelveBaud I hate Verified by Visa. There were a few years where I had to use a MasterCard at NewEgg because VbV kept shitting the bed trying to make me set up yet another username and password.
Status: Anyway, plugging along at this. Sometimes Win32 is dumb. There's a function called WinHttpCrackUrl() that's more or less the ancestor to the System.Uri class. But in the name of reducing any stupid variables, I tried to use it. Marshalling structs and strings always has something stupid going on. This function takes an in/out struct that's defined as a bunch of LPCSTRs and DWORDs. What nobody tells you is that they aren't really usable strings. You have to marshal them out using the corresponding length as the second parameter. Otherwise "scheme" returns scheme and host and path, "host" returns host and path, and "path" returns just the path. Sort of a pain in the ass because WinHTTP wants all these parts separated. I have absolutely no idea why it does that or how the marshaller is magically fixing them. And absolutely nobody has any modern documentation on the function so you'd never know unless you randomly tried what I did.
-
@Zenith said in The Official Status Thread:
Status: Nothing like watching movies of the late 80s or early 90s to make you hate modern cinema.
Top Gun Maverick is fucking great. @HardwareGeek is right though. Movies peaked in the 30s and 40s and we’ve been treading old ground since.
-
@error said in The Official Status Thread:
I had my wisdom teeth removed today.
You work in IT. That boat sailed long ago.
Feel better soon!
-
@Zenith Well I can get a GET through to Microsoft's page but that's about it. Won't go to mine (PHP), won't go to the SSL/TLS checker, won't go to the toy store (ASPX like MS). Weird. It's probably some undocumented missing headers.
-
@Zenith do you at least have a Host header and an Accept header?
-
@Arantor I did add a host header and whether it works on MS (https) or my site (http) seems to hinge on whether I flip a secure flag or not. I get that it wouldn't hit a secure site with the flag off but it doesn't like my insecure site with the flag on. So now it's just the SSL checker and toy store that don't respond and they snag at Send and Receive respectively. The toy store returns some error about its certificate but setting the options to ignore it hasn't helped.
I don't have an accept header (that I know of) because I set it to the default which in the .h file is null. There's a parameter for user agent as well but I don't know if it actually sets the user agent header either. It's a bit confusing with there being two patterns.
Edit: Bizarrely, there's a COM scripting object that wraps a lot of this ugly and it's returning the same results.
-
status: "I remember when I could switch radio stations while backing up."
I suspect she could have still switched radio stations if she used the selector on the steering wheel rather than the touch screen, but I don't think she's ever used those.
It's a mildly interesting first world problem though.
-
Status: this particular group of people are utterly aghast at the excessive quantities of sugar in some hot chocolate powder. Feel free to fill your mugs with cocoa powder but I rather doubt you’ll enjoy it – not like the brownies you love so much have three times as much sugar as cocoa powder in them… :@levicki:
Wholly-unrelated status: Successfully dissuaded someone from the
evilspoor financial feasibility of Wacom
-
@Arantor said in The Official Status Thread:
imagine how much log file you can view at once!
Maybe as much as half a Spring+CXF startup-failure stack trace?
-
@dkf steady there, let’s not be too enthusiastic. Let’s start with a quarter and see if the text is still legible.
-
@Zenith said in The Official Status Thread:
it's returning the same results.
Did you try sanity checking on a modern system?
Filed under: #not-a-help-thread
-
@TwelveBaud said in The Official Status Thread:
3D Secure (i.e. Verified by Visa) adds a step where you redirect or embed a webpage allegedly controlled by the payor's bank (usually some sketchy company like Arcot) that snoops around and confirms that the environment looks similar to the environment the customer usually browses in, potentially demanding additional secret passwords or online banking credentials. Somehow you're supposed to know that this extremely sketchy, phishy behavior is actually completely legitimate, and distinguish it from the extremely sketchy, phishy behavior of attackers.
Why yes, Mastercard, I sure do love entering a password that I never remember, because only one store uses this stupid feature. It makes me feel so much more secure than checking out on Amazon or anywhere else without any of that crap
-
@Tsaukpaetra said in The Official Status Thread:
Did you try sanity checking on a modern system?
What, a fully-electronic? Sorry, no thanks. If I can't directly control the step speed with a cam crank it's not a real computer.
-
@Zenith said in The Official Status Thread:
I have absolutely no idea why it does that or how the marshaller is magically fixing them.
The string pointers you get back out are pointers to the inside of the single string you passed in, so there's no memory management involved. The marshaller "magically fixes" them by making a separate copy of each part. The "constructor" (WinHttpCreateUrl) that consumes that structure doesn't care whether the string pointers point to (parts of) the same string or different strings, so either way works.
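The pointer-plus-length behaviour described in these two posts, as an added C# P/Invoke example that is not code from either poster. The sample URL is constructed and the `CrackUrlDemo` class and `Slice` helper are hypothetical names; WinHTTP takes wide strings, so the components are read with `Marshal.PtrToStringUni`, and the URL is copied to unmanaged memory so the returned pointers stay valid after the call.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
static class CrackUrlDemo
{
    // URL_COMPONENTS as declared in winhttp.h; string members are kept as raw
    // pointers so the marshaller does not treat them as NUL-terminated strings.
    [StructLayout(LayoutKind.Sequential)]
    struct URL_COMPONENTS
    {
        public uint dwStructSize;
        public IntPtr lpszScheme;    public uint dwSchemeLength;
        public int nScheme;          // INTERNET_SCHEME
        public IntPtr lpszHostName;  public uint dwHostNameLength;
        public ushort nPort;         // INTERNET_PORT
        public IntPtr lpszUserName;  public uint dwUserNameLength;
        public IntPtr lpszPassword;  public uint dwPasswordLength;
        public IntPtr lpszUrlPath;   public uint dwUrlPathLength;
        public IntPtr lpszExtraInfo; public uint dwExtraInfoLength;
    }

    [DllImport("winhttp.dll", SetLastError = true)]
    static extern bool WinHttpCrackUrl(IntPtr pwszUrl, uint dwUrlLength,
                                       uint dwFlags, ref URL_COMPONENTS uc);

    // Bounded copy: exactly 'len' UTF-16 characters starting at 'p'.
    static string Slice(IntPtr p, uint len) =>
        p == IntPtr.Zero ? "" : Marshal.PtrToStringUni(p, (int)len);

    static void Main()
    {
        const string url = "https://shop.example.test:8443/cart/view?id=7"; // constructed sample
        // The returned pointers point into this one buffer, so it must outlive them.
        IntPtr buf = Marshal.StringToHGlobalUni(url);
        try
        {
            var uc = new URL_COMPONENTS();
            uc.dwStructSize = (uint)Marshal.SizeOf(typeof(URL_COMPONENTS));
            // NULL pointer + non-zero length asks for a pointer into 'buf'.
            uc.dwSchemeLength = uc.dwHostNameLength = uc.dwUrlPathLength = uint.MaxValue;
            if (!WinHttpCrackUrl(buf, 0, 0, ref uc))   // length 0: input is NUL-terminated
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // Unbounded read: keeps going to the NUL at the end of the whole URL.
            Console.WriteLine("host, no length: " + Marshal.PtrToStringUni(uc.lpszHostName));
            // Bounded reads: one component each.
            Console.WriteLine("scheme: " + Slice(uc.lpszScheme, uc.dwSchemeLength));
            Console.WriteLine("host  : " + Slice(uc.lpszHostName, uc.dwHostNameLength));
            Console.WriteLine("port  : " + uc.nPort);
            Console.WriteLine("path  : " + Slice(uc.lpszUrlPath, uc.dwUrlPathLength));
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
```

Any consumer that ignores the `dw...Length` fields reads past the component it asked for, which matters when the host is later used for an allow-list or certificate-name comparison.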
-
Status: is counting the number of people who ask him what he is counting. He will not increment this counter in response to this post.
-
@Gribnit said in The Official Status Thread:
Status: is counting the number of people who ask him what he is counting. He will not increment this counter in response to this post.
No one has asked, not even you. This is not what I am counting. I am pleased the counter has yet to be further incremented, two in one day was a lot, but may it remain there.
-
@Gribnit said in The Official Status Thread:
Really? That sounds usual.
@Arantor said in The Official Status Thread:
This is not what I am counting.
Fucks given away?
Now that attention has been brought, curiosity levels are rising.
-
@TwelveBaud said in The Official Status Thread:
@Zenith said in The Official Status Thread:
I have absolutely no idea why it does that or how the marshaller is magically fixing them.
The string pointers you get back out are pointers to the inside of the single string you passed in, so there's no memory management involved. The marshaller "magically fixes" them by making a separate copy of each part. The "constructor" (WinHttpCreateUrl) that consumes that structure doesn't care whether the string pointers point to (parts of) the same string or different strings, so either way works.
I understand that. What threw me was that I have several other functions that define outputs as LPCSTR that act like normal strings with no marshaller bullshit required. My Win32-CLR cheat sheet only translates LPVOID and HRESULT to IntPtr. I guess I've been in the managed code world too long where I can treat strings like every other primitive.
@Tsaukpaetra said in The Official Status Thread:
@Zenith said in The Official Status Thread:
it's returning the same results.
Did you try sanity checking on a modern system?
Not yet. It was 2AM or thereabout when I was fighting this. My sleep schedule's all sorts of fucked up right now.
-
@Tsaukpaetra yes but that would be telling and as any fule kno, snitches get stitches.
-
Status Made the mistake of opening the browser console (Chrome, latest) on the Jira dashboard page. 304 errors and counting within a matter of seconds. May be ad block related, but still....
-
@Tsaukpaetra said in The Official Status Thread:
Fucks given away?
Nope, it can't be that: it's not a negative number.
-
Status: Well that's dumb. Turned out setting some options is necessary. Now I have the manual version reading more sites than the COM object. Turns out some of these sites go batshit if you even try an older encryption method instead of, I don't know, negotiating like I've read.
The header, and the enumerator in COM, has predefined options for SSL2-3 and TLS1-1.2 (well, not the enumerator, somehow I got stuck with winhttp 5.0 even though Windows 7 was supposed to have winhttp 5.1) plus an "all" that ORs them all together. My site is http so it doesn't care. Microsoft apparently supports everything. The toy store goes batshit if you include SSL2. Neither the SSL check nor header check site works yet for different reasons (but the header check does work in COM strangely enough).
-
status Our cat is a drug addict. He's been eating all the new plants we got and he's being more mental than usual. So we look up the plants. They're hallucinogenic for cats! He's been off his head for days. I've raised a drug addict instead of an alcoholic!
-
@Zenith said in The Official Status Thread:
plus an "all" that ORs them all together.
Which is pointless these days - you should only need TLS 1.2.
A site that doesn't support at least that should be avoided.
-
@loopback0 Aside from the fact that not every site needs encrypting, that would break forward compatibility if you set a maximum encryption level which is exactly what using PROTOCOL_TLS1_2 over PROTOCOL_ALL does. You can see that in action on app stores and browser plugins where the only reason they don't work with an update is the author isn't constantly watching to increment the max version counter.
-
@Zenith said in The Official Status Thread:
that would break forward compatibility
What forward compatibility? You're on Windows 7.
TLS 1.2 is as far as it goes.
-
@loopback0 Just because I'm writing this on Windows 7 doesn't mean it couldn't be used on a newer operating system.
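The protocol-mask question debated above, as an added C# example that is not code from any poster: it sets `WINHTTP_OPTION_SECURE_PROTOCOLS` on a session with the pre-TLS-1.2 bits removed instead of pinning a single value. The flag and option values are the ones defined in winhttp.h; the `SecureProtocolsDemo` class, the `Harden` helper and the agent string are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class SecureProtocolsDemo
{
    // WINHTTP_FLAG_SECURE_PROTOCOL_* values from winhttp.h.
    const uint SSL2 = 0x00000008, SSL3 = 0x00000020, TLS1 = 0x00000080,
               TLS1_1 = 0x00000200, TLS1_2 = 0x00000800;
    // WINHTTP_FLAG_SECURE_PROTOCOL_ALL in the header is only these three bits;
    // it carries no TLS 1.1 or TLS 1.2 bit.
    const uint HEADER_ALL = SSL2 | SSL3 | TLS1;
    const uint LEGACY = SSL2 | SSL3 | TLS1 | TLS1_1;
    const uint WINHTTP_OPTION_SECURE_PROTOCOLS = 84;

    [DllImport("winhttp.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr WinHttpOpen(string agent, uint accessType,
                                     string proxy, string bypass, uint flags);
    [DllImport("winhttp.dll", SetLastError = true)]
    static extern bool WinHttpSetOption(IntPtr h, uint option, ref uint buffer, uint length);
    [DllImport("winhttp.dll", SetLastError = true)]
    static extern bool WinHttpCloseHandle(IntPtr h);

    // Deny-list the old protocols and require TLS 1.2; any newer bit the
    // caller already set is preserved, so the floor does not become a ceiling.
    static uint Harden(uint requested) => (requested & ~LEGACY) | TLS1_2;

    static void Main()
    {
        uint weak = HEADER_ALL | TLS1_1 | TLS1_2;   // "OR them all together"
        uint strict = Harden(weak);
        Console.WriteLine("weak=0x{0:X} strict=0x{1:X}", weak, strict);

        // accessType 0 = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY; null = no proxy name/bypass.
        IntPtr session = WinHttpOpen("demo-agent/1.0", 0, null, null, 0);
        if (session == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Applies to every connection later opened from this session handle.
            if (!WinHttpSetOption(session, WINHTTP_OPTION_SECURE_PROTOCOLS,
                                  ref strict, sizeof(uint)))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        finally { WinHttpCloseHandle(session); }
    }
}
```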
-
@DogsB said in The Official Status Thread:
status Our cat is a drug addict. He's been eating all the new plants we got and he's being more mental than usual. So we look up the plants. They're hallucinogenic for cats! He's been off his head for days. I've raised a drug addict instead of an alcoholic!
The next step, is to replace the plants, slowly, one by one, with pictures of the target.
-
@Zenith said in The Official Status Thread:
@loopback0 Just because I'm writing this on Windows 7 doesn't mean it couldn't be used on a newer operating system.
Yeah as long as you're not compiling it there, sounds fine.
-
@DogsB said in The Official Status Thread:
we look up the plants. They're hallucinogenic for cats!
Poor thing
(how does one find out if something is hallucinogenic for cats? )
-
@Zerosquare said in The Official Status Thread:
@DogsB said in The Official Status Thread:
we look up the plants. They're hallucinogenic for cats!
Poor thing
(how does one find out if something is hallucinogenic for cats? )
Sounds like you're looking to get on a list.... 😇
-
@Zerosquare said in The Official Status Thread:
(how does one find out if something is hallucinogenic for cats? )
"When I took this, I became a cat AND I had a couple of hallucinations."
-
@Zerosquare said in The Official Status Thread:
(how does one find out if something is hallucinogenic for cats? )
First, do you have access to a cat? Also helpful are a control cat and a backup cat, but at minimum you need one.
Next, establish a baseline of the cat's behavior, by observing it for several months.
ed. steps omitted
Finally, you have become a cat. Congratulations!
-
Status: This HTTP stuff got a lot weirder in the last decade. Last time I did this, it was 20 lines to pull down an entire page. Now it's just so many hoops to jump through.
- I got my site working in .NET, Win32, and COM, probably because it's regular old HTTP.
- The toy store looked like it was working in Win32 until I actually read the response and saw it was lorem ipsum garbage. It did not like a custom user agent. When I pretended to be IE6 it worked fine. Even though I don't think IE6 itself actually works anymore.
- Microsoft's site is weird. All three worked until I started identifying as IE6. Then the .NET, and only the .NET, version timed out.
- The SSL/TLS checker site bombs out with three different errors (as IE6). Timeout, ERROR_WINHTTP_INVALID_SERVER_RESPONSE, and "oops, schannel." Which is weird, because wouldn't you want such a site to accept anything?
- The header site bombs out with two different errors (as IE6). Unexpected close in .NET and WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR in Win32...but works in COM.
I've set every stupid registry flag that I can find so they should all be using mostly the same options.
-
status Upgrading to Ubuntu 22.04 (from 20). I'll let the VM finish before I click "Start Upgrade" on the hardware.
edit: Updates
- During the upgrade process, I was warned about Firefox moving to Snap. That dialog froze hard. After a bunch of clicking, the system asked the "kill/wait" question. Kill. It continued.
- @PleegWat If it's what I think you're talking about, I tried drag/dropping it back to the desktop. (oh hell, I can't even move it to the top. Maybe there's an option somewhere... later...) (The trash can is now stuck at the bottom of the sidebar)
edit2: Point 1 above happened when installing on hardware too.
-
@dcon said in The Official Status Thread:
status Upgrading to Ubuntu 22.04 (from 20). I'll let the VM finish before I click "Start Upgrade" on the hardware.
They did something to the app selection sidebar I don't agree with and something weird happened with my mouse sensitivity.
-
Status: Found this nifty little Intermec barcode scanner with Windows CE 6 on it.
Trying to figure out if there's a client application to connect it to my PC as a bluetooth keyboard and just use it as a scanner passthrough... Having a wireless barcode scanner could be nice.
Since, you know, it most definitely cannot connect to the WiFi, and even if it did, there's no way in Tartarus it would be able to load up Service How on IE Embedded....
-
@Tsaukpaetra said in The Official Status Thread:
Found this nifty little Intermec barcode scanner
@Tsaukpaetra has hardware:
-
@HardwareGeek said in The Official Status Thread:
@Tsaukpaetra said in The Official Status Thread:
Found this nifty little Intermec barcode scanner
@Tsaukpaetra has hardware:
H-hey, it works! I scanned a code into Notepad!
-
@Tsaukpaetra said in The Official Status Thread:
it works!
Well, there's a first time for everything, I guess.
-
@HardwareGeek said in The Official Status Thread:
@Tsaukpaetra said in The Official Status Thread:
it works!
Well, there's a first time for everything, I guess.
The question now is how long for?
-
@loopback0 We can expect 55.5555555% uptime.
-
@HardwareGeek We can but should we expect that much?