WTF Bites



  • I tried to send money (rent) to my landlord online, and included a message "... per §5B of the lease..." BofA would not allow me to make the transfer until I removed the "restricted character" § from the message.


  • Considered Harmful

    @HardwareGeek said in WTF Bites:

    §5B

    Misread as $5B... dammit, didn't HardwareGeek move away from Silly Valley prices? 🐠


  • ♿ (Parody)

    @topspin said in WTF Bites:

    @dkf said in WTF Bites:

    @sebastian-galczynski said in WTF Bites:

    Why is the "TearFree" option always disabled by default in Xorg.conf?

    In this case, we have a definitive answer:

    Works great, no more tearing.

    Wait, what century is this?!? :thonking:

    No kidding. The tears problem was solved last century.




  • @levicki I was wondering why we haven't heard from @TheCPUWizard in a while...



  • Sometimes, Zoom's full screen view goes behind the task bar and it's impossible to move it in front. This wouldn't be too bad of a problem, except the Zoom controls live on the bottom of the full screen window, and are almost completely covered by the taskbar.


  • ♿ (Parody)

    @HardwareGeek said in WTF Bites:

    I tried to send money (rent) to my landlord online, and included a message "... per §5B of the lease..." BofA would not allow me to make the transfer until I removed the "restricted character" § from the message.

    When depositing a check using CapitalOne's mobile app, I found that using an apostrophe in the memo would cause an error. Not that they told you, but it backed out to the previous step, which I interpreted as some kind of error.



  • @TwelveBaud Hmmh?


  • Banned

    @Zerosquare said in WTF Bites:

    If it was a random manufacturing fluke, I'd agree with you: it isn't feasible to run a complete test suite on every manufactured chip.

    But this is a design bug, and test suites for CPU design/verification absolutely do include checking that every single instruction operates correctly. When each manufacturing run costs several hundred dollars, you don't take chances and test everything to death.

    It's likely a firmware bug, not a hardware bug. It's entirely possible the test suite for the hardware itself does contain extensive tests of handling that instruction in hardware, and all those tests passed. I've never worked with hardware, but if my experience in semi-embedded software is anything to go by, then the final integration tests with real firmware on board are likely much less extensive than the hardware-only tests from earlier.

    If you consider how often fuckups of this caliber happen in other branches of the industry, you should be amazed that AMD managed to only release broken hardware once every few years.



  • @hungrier said in WTF Bites:

    Sometimes, Zoom's full screen view goes behind the task bar and it's impossible to move it in front. This wouldn't be too bad of a problem, except the Zoom controls live on the bottom of the full screen window, and are almost completely covered by the taskbar.

    :womm:❗ (my task bar is on the left, where all proper task bars belong)



  • @dcon Heresy! But also, good luck muting/unmuting yourself.


  • Fake News

    @hungrier said in WTF Bites:

    @dcon Heresy! But also, good luck muting/unmuting yourself.

    :womm: thanks to a headset with buttons.



  • @hungrier said in WTF Bites:

    @dcon Heresy! But also, good luck muting/unmuting yourself.

    No worries... We don't use Zoom (RingCentral). And I'm on Ubuntu.



  • @Rhywden Your screenshot of your Moodle server's health includes a name in the upper-right corner.



  • Autocorrectcorrupt failure, I guess. Just received this message on Slack:

    Let me rice you eve list

    I don't even.



  • @TwelveBaud said in WTF Bites:

    @Rhywden Your screenshot of your Moodle server's health includes a name in the upper-right corner.

    Ah, thanks. Well, I don't mind much but replaced it regardless.



  • @HardwareGeek said in WTF Bites:

    Autocorrectcorrupt failure, I guess. Just received this message on Slack:

    Let me rice you eve list

    I don't even.

    Eve List is in trouble. Xhe's about to be riced! Hope xhe's at least 80% lean (I was just grocery shopping and went with the 93% ground beef.)


  • 🚽 Regular

    @dcon said in WTF Bites:

    :womm:❗ (my task bar is on the left, where all proper task bars belong)

    My taskbar is on the right. 🔪



  • @Zecc said in WTF Bites:

    @dcon said in WTF Bites:

    :womm:❗ (my task bar is on the left, where all proper task bars belong)

    My taskbar is on the right. 🔪

    I had mine on the right until going from Windows 7 to 10. I'm not sure this was the reason, but I think I changed to the left because the notifications pop up on top of the button to get rid of them.

    On my tablet I wish I could tell Windows to keep it on a Narrow side (Left in Landscape, Bottom in Portrait) but looking at the Feedback Hub nobody else seems to care. I'd write a little utility to do it myself, but they took away the simple way to do so back in Vista.


  • ♿ (Parody)

    @boomzilla said in WTF Bites:

    @hungrier the video ABI thing is a huge PITA. They switched at some point. The driver for my card is only available in the old ABI, so every time the kernel updates now I have...issues. That said, I haven't had any problems in my 18.04 guest, since it just uses the virtualbox video drivers.

    But the virtualbox addons (or whatever they're called) make the VM nonfunctional so I don't have them installed.

    Oh, some of the issues included the fact that I no longer got the graphical login screen which was annoying. Finally figured out that in installing / uninstalling / etc drivers I removed some stuff that sddm needed. Reinstalling that fixed it up. Now I make sure that this is still installed whenever I reboot after a kernel update:

    xserver-xorg-legacy-hwe-18.04



  • @Parody said in WTF Bites:

    On my tablet I wish I could tell Windows to keep it on a Narrow side (Left in Landscape, Bottom in Portrait)

    That would be a good way of doing it...



  • @Gąska said in WTF Bites:

    Here's the thing: how do you test whether a random number generator is generating random numbers?

    A story of a bug that I fixed very recently:

    We have some code that uses our own RNG (for, let's say, hysterical raisins... I know it's a :wtf: but let's move on). This RNG is used to generate numbers on a normal distribution (Gaussian), that are then mixed with other stuff to build the data that the user sees in the end. This worked fine for literally years.

    And then recently, we had one project where one such randomly generated data set was showing overall statistics very different from other data sets (generated with the same parameters, just a different random sequence -- it's stochastic modelling). Our first instinct was to dismiss it -- after all, a correct RNG not only may generate outliers, if you draw enough numbers it must generate some outliers, so maybe that single data set was just that, one random outlier? But after more investigation, it did seem like several random sequences were contributing to the anomaly, which made it less and less likely that it was just normal random fluctuation.

    I ended up drawing several thousand sequences of random numbers and computing the histogram of the n-th value of each sequence (i.e. take the 1st value of each sequence and compute the distribution of that, then take the 2nd value of each sequence and compute the distribution, and so on). All distributions were fine (perfectly Gaussian, as they should have been), except the distribution for the 1272nd number, which was Gaussian with an additional spike at a totally wrong place! Only value 1272 of each sequence was wrong. :wtf:

    I did not investigate any further what was wrong in our RNG, I just replaced it by a better one and called it a day.
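    The per-position histogram check remi describes, as an added example; this is not remi's code (their RNG and data are not on the page). It draws many sequences from a constructed generator that is correctly Gaussian except for a configurable spike at one index, bins the i-th value of every sequence into equiprobable bins under N(0, 1), and flags any position whose chi-square statistic is implausible. The spike value and probability, the sequence count and length, the bin count and the threshold are all assumptions chosen for the demonstration.

```python
import random
from bisect import bisect_right
from statistics import NormalDist

SEQ_LEN = 1300          # length of each sequence; the story's bad slot, 1272, is inside it
N_SEQ = 1000            # how many sequences to draw
N_BINS = 10             # equiprobable bins under N(0, 1)
CHI2_THRESHOLD = 50.0   # chi-square with 9 d.o.f.: P(X > 50) is about 1e-7, so roughly
                        # 1e-4 expected false positives across 1300 tested positions

# Bin edges chosen so a correct N(0, 1) source puts N_SEQ / N_BINS samples in every bin.
_EDGES = [NormalDist().inv_cdf(k / N_BINS) for k in range(1, N_BINS)]


def faulty_gaussian_sequence(rng, length, bad_index, spike_value=3.5, spike_prob=0.15):
    """Constructed stand-in for the buggy RNG: a correct Gaussian stream, except that
    one fixed position is sometimes overwritten with a constant (the 'spike').
    bad_index outside the sequence gives a clean generator."""
    seq = [rng.gauss(0.0, 1.0) for _ in range(length)]
    if 0 <= bad_index < length and rng.random() < spike_prob:
        seq[bad_index] = spike_value
    return seq


def per_position_chi2(sequences):
    """For every position i, bin the i-th value of each sequence and return the
    chi-square distance between the observed bin counts and the flat expectation."""
    n_seq = len(sequences)
    length = len(sequences[0])
    expected = n_seq / N_BINS
    counts = [[0] * N_BINS for _ in range(length)]
    for seq in sequences:
        for pos, x in enumerate(seq):
            counts[pos][bisect_right(_EDGES, x)] += 1
    return [sum((c - expected) ** 2 / expected for c in row) for row in counts]


def find_bad_positions(sequences, threshold=CHI2_THRESHOLD):
    """Positions whose per-position distribution is not plausibly N(0, 1)."""
    stats = per_position_chi2(sequences)
    return [pos for pos, s in enumerate(stats) if s > threshold]


def run_demo(seed=12345, bad_index=1272):
    """Draw N_SEQ sequences from the constructed faulty generator and report which
    positions the check flags. Use bad_index=-1 for a clean generator."""
    rng = random.Random(seed)
    seqs = [faulty_gaussian_sequence(rng, SEQ_LEN, bad_index) for _ in range(N_SEQ)]
    return find_bad_positions(seqs)


if __name__ == "__main__":
    print("flagged positions:", run_demo())                    # expect [1272]
    print("flagged on clean source:", run_demo(bad_index=-1))  # expect []
```

    Two details matter for a check like this. Equiprobable bins give every bin the same expected count, which keeps the chi-square approximation honest and makes a spike show up wherever it lands; a spike that is diluted over the whole stream (the wrong way to look at the problem, and why the data set "looked fine" in aggregate) only becomes visible once the values are grouped by position. And because the check runs once per position, the threshold has to be set for the number of tests, or ordinary fluctuation at one of 1300 positions will look like a bug.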



  • @remi said in WTF Bites:

    I did not investigate any further what was wrong in our RNG, I just replaced it by a better one and called it a day.

    Maybe someone was ripping off the Lucky Deuce.


  • Notification Spam Recipient

    @levicki said in WTF Bites:

    Is today a boomzilla day or something?

    Ah. Good morning!

    Welcome to the automated April Fools Day.



  • @levicki said in WTF Bites:

    Liar! I heard it got scrapped due to COVID-19, someone must have hacked the forum.

    It was the reduced version; we used to have a variant that tilted everything just a tiny bit.


  • BINNED

    @cvi
    We once had a moment where everything was spinning ...



  • @Luhmann said in WTF Bites:

    We once had a moment where everything was spinning ...

    Yeah, but that wasn't an April Fools'. Just an ordinary feature of the forum software back then.


  • :belt_onion:



  • @levicki

    While the attack works only against Windows users

    🧘♂



  • @levicki

    Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction.

    🧘♂



  • @cvi said in WTF Bites:

    @Luhmann said in WTF Bites:

    We once had a moment where everything was spinning ...

    Yeah, but that wasn't an April Fools'. Just an ordinary feature of the forum software back then.

    The whole forum software was a joke.


  • BINNED

    Wikimedia Commons has media related to Columba livia.


  • Fake News

    @levicki said in WTF Bites:

    The option is ON BY DEFAULT which means I wasn't asked for consent which means I never allowed it in the first place, and now they are telling me rather condescendingly that I am no longer allowing it?!?

    I wonder if this constitutes a GDPR violation. They must send at least one unique identification field, and such transmission should then be opt-in rather than opt-out...

    @levicki said in WTF Bites:

    This world deserves COVID-19 for this shit.

    Overreact much? :rolleyes:



  • @levicki

    The Zoom app for Windows automatically converts these so-called universal naming convention strings—such as \\attacker.example.com/C$—into clickable links. In the event that targets click on those links on networks that aren’t fully locked down, Zoom will send the Windows usernames and the corresponding NTLM hashes to the address contained in the link.

    So Zoom is just opening a link. This is 100% a Windows problem.


  • 🚽 Regular

    @levicki said in WTF Bites:

    everyone participating in making such shady shit could all die and I wouldn't miss any of them at all.

    I'm pretty sure the impact on available software would be big enough for you to notice.



  • @levicki said in WTF Bites:

    The problem is that Zoom is creating links based on data from untrustworthy sources.

    That is not a problem at all. Opening links should be a safe action. Sending credentials that can be reused to random computers is obviously not the right thing to do ever.

    Compare that to what happens if your email client gets a suspect mail and disables links in the message so that users cannot accidentally click on them.

    That's a secondary security measure. What about all the emails that are not "suspect" but not from trusted contacts either? Should they get links or not?



  • @levicki Maybe I'm missing something, but it seems to me that all Zoom does is turn plain text that looks like a link into a clickable link. Everything that happens afterward is completely out of Zoom's hands. You even say so in your own post, but then for some reason list Zoom as the #1 culprit.



  • @levicki said in WTF Bites:

    FUCK YOU, MOZILLIANS.

    What I "love" is that "Allow Firefox to install and run studies" is on by default (at least it used to be - I haven't installed a clean copy in a while). I didn't even know about that until something suddenly changed and googling revealed that piece-o-shit option.


  • Fake News

    @hungrier said in WTF Bites:

    @levicki Maybe I'm missing something, but it seems to me that all Zoom does is turn plain text that looks like a link into a clickable link. Everything that happens afterward is completely out of Zoom's hands. You even say so in your own post, but then for some reason list Zoom as the #1 culprit.

    And yet, the act of turning plain text into something actionable is the dangerous operation, opening the door for injection attacks.

    Compare it to user-submitted forms: it should not matter that some attacker is trying to stuff the form full of HTML and JavaScript, as long as the code displaying the form's contents makes sure to escape everything so that it is never actionable. If it doesn't escape things then that piece of software is vulnerable to script injection and XSS.

    So this URL attack is similar to XSS, and thus Zoom should be treated as an "accomplice".


  • Banned

    @JBert except turning arbitrary links into actionable controls is a pretty important feature that they just can't drop.


  • Fake News

    @Gąska said in WTF Bites:

    @JBert except turning arbitrary links into actionable controls is a pretty important feature that they just can't drop.

    Nowhere did I say that they need to drop this feature outright. They could work with a whitelist of URL schemes or formats which they allow.

    For example, the NodeBB post processor which Ben made allows some HTML tags, and yet it doesn't allow random JavaScript injection to plaster class="fa_spin" on everything.
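    JBert's allowlist idea in code, as an added example; this is neither Zoom's nor NodeBB's code. A permissive linkifier that makes every URL-looking token clickable, UNC paths included, sits beside one that only links http(s) URLs with a host and leaves UNC paths and every other scheme as inert text. The regexes, the sample message and the allowed-scheme set are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the schemes a chat client is willing to turn into clickable links.
ALLOWED_SCHEMES = {"http", "https"}

# Candidate tokens: anything shaped like scheme://..., or a Windows UNC path \\host\share...
_CANDIDATE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>]+|\\\\[^\s\\]+\\[^\s]*")


def _split(text, accept):
    """Cut text into [(fragment, is_link)] pieces that concatenate back to text;
    accept(token) decides whether a candidate token becomes a link."""
    out, last = [], 0
    for m in _CANDIDATE.finditer(text):
        if m.start() > last:
            out.append((text[last:m.start()], False))
        tok = m.group(0)
        out.append((tok, accept(tok)))
        last = m.end()
    if last < len(text):
        out.append((text[last:], False))
    return out


def permissive_linkify(text):
    """The weak behaviour: every candidate becomes actionable, scheme unchecked."""
    return _split(text, lambda tok: True)


def allowlist_linkify(text, allowed=ALLOWED_SCHEMES):
    """The hardened behaviour: only an allowed scheme with a real host becomes a link.
    UNC paths and unknown schemes stay plain text, so they can never be clicked."""
    def ok(tok):
        if tok.startswith("\\\\"):
            return False
        parts = urlsplit(tok)
        return parts.scheme.lower() in allowed and bool(parts.netloc)
    return _split(text, ok)


def links_in(fragments):
    """Just the tokens that were made clickable."""
    return [frag for frag, is_link in fragments if is_link]


# Constructed chat message: one web URL, one UNC path, one file: URL.
SAMPLE = ("Notes https://wiki.example.test/page ; share "
          "\\\\files.example.test\\share\\doc.txt ; local file:///C:/x.txt")

if __name__ == "__main__":
    print("permissive:", links_in(permissive_linkify(SAMPLE)))
    print("allowlist: ", links_in(allowlist_linkify(SAMPLE)))
```

    The shape of the fix is the same as escaping form input: the dangerous step is not recognising the pattern, it is making the recognised text actionable, so the decision to do that is made against a short list of what is known to be safe rather than a list of what is known to be bad. Everything else is still displayed, just not as a control.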


  • Banned

    @JBert said in WTF Bites:

    @Gąska said in WTF Bites:

    @JBert except turning arbitrary links into actionable controls is a pretty important feature that they just can't drop.

    Nowhere did I say that they need to drop this feature outright. They could work with a whitelist of URL schemes or formats which they allow.

    Imagine the outrage when MS starts arbitrarily deciding which domains are worthy of being turned into links and which aren't. It would spawn an anti-monopoly lawsuit of epic proportions.

    For example, the NodeBB post processor which Ben made allows some HTML tags, and yet it doesn't allow random JavaScript injection to plaster class="fa_spin" on everything.

    But it still turns URLs of Russian porn sites into links. Hell, it tries to embed them whenever possible!



  • @levicki said in WTF Bites:

    Opening links is NEVER a safe action, sometimes not even with web browsers which use their own malware/badware URL filtering.

    It still should be. It's either that or disable all links everywhere except for a few whitelisted protocols. And I don't want that.

    Clicking said link is no different from a user launching Windows Explorer, clicking on Network and then clicking on any computer they see there -- the SMB protocol will attempt to authenticate with the remote computer using the currently logged-in user's credentials. If that fails, the user will be asked for alternate credentials.

    Yes, I understand that. But when I click on a link with my browser, it doesn't send any valuable data (like cookies, or whatever other authentication methods HTTP has that nobody uses) to it unless that data was explicitly associated with that domain.

    As for NTLM hash replay attack, it won't work when NTLMv2 is enforced which is most enterprises and corporate issued PCs.
    [...]
    People to blame if it succeeds are therefore:
    IT admin not disabling LM and NTLMv1 via GPO.

    Things should be secure by default. Either that or I would have to go through all the settings of every program I use and figure out what to disable before using it.


  • :belt_onion:

    @levicki said in WTF Bites:

    Just look at this wording:


    The option is ON BY DEFAULT which means I wasn't asked for consent which means I never allowed it in the first place, and now they are telling me rather condescendingly that I am no longer allowing it?!?

    I think the first sentence is worse. "collect only what we need".

    What you NEED is NOTHING.



  • @levicki said in WTF Bites:

    a piece of expensive hardware tied to a Windows XP machine running an application whose vendor doesn't exist anymore, where you need to move larger files back and forth.

    Such a machine shouldn't be networked with any "untrusted" machine to begin with.


  • Discourse touched me in a no-no place

    @Gąska said in WTF Bites:

    But it still turns URLs of Russian porn sites into links. Hell, it tries to embed them whenever possible!

    That's a feature!


  • Banned

    @dkf that's my point!


  • Discourse touched me in a no-no place

    @levicki said in WTF Bites:

    the SMB protocol will attempt to authenticate with the remote computer using the currently logged-in user's credentials

    Why would Windows use the current user's credentials to contact a random site that it's never seen before? 😕


  • Notification Spam Recipient

    @levicki said in WTF Bites:

    @dcon said in WTF Bites:

    What I "love" is that "Allow Firefox to install and run studies" is on by default

    Don't worry, it is still on by default.

    Don't you also "love" how all this is also on by default?


    You'll never guess what browser this is!


  • Notification Spam Recipient

    @dkf said in WTF Bites:

    @levicki said in WTF Bites:

    the SMB protocol will attempt to authenticate with the remote computer using the currently logged-in user's credentials

    Why would Windows use the current user's credentials to contact a random site that it's never seen before? 😕

    Same reason it uses the current user's credentials to connect to any random server on the network it's never seen before. :mlp_shrug:

    Not saying it's a good reason, mind.



  • @levicki said in WTF Bites:

    Tell that to everyone striving to maximize compatibility.

    As @blakeyrat would have put it: not my problem, still a broken product.

    If you are saying that opening links should be safe then we agree but it's up to the application creating those links to ensure that it is, not on the operating system.

    It should be on the application opening them. Because I should be able to make my own application that uses the zxcvbnfrfghffsazx protocol and register it to handle links like zxcvbnfrfghffsazx://example.com. In fact if Zoom allows https links but blocks zxcvbnfrfghffsazx links I'll sue them for unfair competition.

