WTF Bites


  • Fake News

    @levicki said in WTF Bites:

    @dkf said in WTF Bites:

    Why would Windows use the current user's credentials to contact a random site that it's never seen before?

    Because there is no way to tell the difference between \\files.myworkdomain.adf\share and \\files.blackhats.are.us\share? D'oh!

    Windows could store some marker in e.g. the Windows Credential Store to remember that it already connected to files.myworkdomain.adf before. If connecting to a different server, be that files.blackhats.are.us or files.myworkdomain.adfButInTheUS it could detect the missing marker, then pop up a window "Which credential do you want to use? < Current User > < Other >" similar to how RDP does.

    So what I think that @dkf means is that you could implement a system to offer a choice on whether you want anything to do with any particular "new" server similarly to SSH, it's just that Windows chose convenience over security and thought that it could safely respond to any auth challenge coming its way.

    (Note to others: the "safely" part being that it doesn't send plain credentials, it sends a MAC as response to a challenge. This would work alright if the protocol wasn't locked to a particularly outdated hash algorithm due to compatibility reasons - which levicki is aware of)

    So Windows could use some change for better security, but it would likely break even more stuff which now relies on the current user's credentials being tried first.



  • @levicki said in WTF Bites:

    If it wasn't on their end why fix it?

    It doesn't mean much. Have you never implemented workarounds for bugs/design issues that were in third-party code?


  • Fake News

    @levicki said in WTF Bites:

    In any case this is from Zoom's blog post:

    "Released a fix for the UNC link issue."

    If it wasn't on their end why fix it?

    One party admitting wrong-doing doesn't mean the other party is not guilty in any way.

    I think it's a bit like how Microsoft is maintaining a metric ton of shims for broken software, simply because people would upgrade Windows and find their snowflake software stopped working, thus making Windows look bad from a PR point of view.

    Zoom releasing a patch and making some "brave" blog post is just an attempt to look like they care.

    @levicki said:

    I get the standard Windows bash-ing (pun intended), but in this case it is totally uncalled for.

    Well... They did make the choice to just continue with the auth challenge before informing the user, so that's on them.

    But I can also understand that changing things in Windows now would break even more stuff. Not in the least because it breaks the user's expectations when after updating they would get a popup asking "Are you sure you want to connect to server 'your NAS'?" when they used to just connect to it without trouble in the past.

    I have seen people panic and just shut down their computer because "it must have been hackers!".

    You are right though that this whole mess should only be a problem for home users - IT should have disabled NTLM over a decade ago.


  • BINNED

    @JBert said in WTF Bites:

    One party admitting wrong-doing doesn't mean the other party is not guilty in any way.

    INB4 Benjamin-Hall "Blame is not a conserved quantity"



  • @topspin said in WTF Bites:

    @JBert said in WTF Bites:

    One party admitting wrong-doing doesn't mean the other party is not guilty in any way.

    INB4 Benjamin-Hall "Blame is not a conserved quantity"

    I am Benjamin-Hall and I approve this message.



  • Trying to uninstall Logitech G-Hub:

    [image]



  • @levicki said in WTF Bites:

    I am treating this firewall as backdoored piece of shit and I am looking for alternatives. Good job, Netgate!

    Don't forget to tell them that in the survey.


  • 🚽 Regular

    @levicki said in WTF Bites:

    @hungrier said in WTF Bites:

    Trying to uninstall Logitech G-Hub:

    That error code means STATUS_INVALID_IMAGE_NOT_MZ:

    The specified image file did not have the correct format, it did not have an initial MZ
    

    Ah yes, the famous Mark Zuckerberg easter egg.

    Filed under: with apologies to Mark Zbikowski



  • @levicki said in WTF Bites:

    @hungrier said in WTF Bites:

    Trying to uninstall Logitech G-Hub:

    That error code means STATUS_INVALID_IMAGE_NOT_MZ:

    The specified image file did not have the correct format, it did not have an initial MZ
    

    Luckily I was able to use one of the 150 other copies of vcruntime140 I had lying around with the right MZ to successfully perform the uninstall


  • Discourse touched me in a no-no place

    @JBert said in WTF Bites:

    So what I think that @dkf means is that you could implement a system to offer a choice on whether you want anything to do with any particular "new" server similarly to SSH, it's just that Windows chose convenience over security and thought that it could safely respond to any auth challenge coming its way.

    Specifically, sending credentials by default to another computer that can definitively be determined to be in the same domain is OK. Sending those same credentials without asking to a random third-party host… not OK (which isn't to say that sending credentials that you've specifically previously authorized for that host is a problem, of course). Very few (possibly zero) other machines are in the same domain as an ordinary home computer. It's not rocket surgery.
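
The policy discussed in the posts above (send the logged-on user's credentials silently only to a host in the machine's own domain, reuse a choice the user already made for a host, prompt for everything else), as an added example that is not part of any post and is not Windows code. The name-suffix test stands in for a real domain-membership check, and `unc_host`, `in_domain`, `decide` and the in-memory set of authorized hosts are hypothetical names.

```python
# Added example: trust-on-first-use policy for outbound SMB authentication.
# All names are hypothetical; nothing here is a Windows API.
from enum import Enum


class Decision(Enum):
    SEND_CURRENT_USER = "send the logged-on user's credentials silently"
    SEND_STORED = "send the credentials previously authorized for this host"
    PROMPT = "ask the user: <Current User> / <Other>"


def unc_host(path):
    """Return the normalized server name of a UNC path like \\\\server\\share."""
    path = path.replace("/", "\\")
    if not path.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % path)
    host = path[2:].split("\\", 1)[0].lower().rstrip(".")
    if not host:
        raise ValueError("UNC path has no server name: %r" % path)
    return host


def in_domain(host, domain):
    """True only for the domain itself or a label-aligned child of it.

    Assumption: a DNS suffix match stands in for a real membership check.
    Matching on '.' + domain rejects lookalikes that merely start with or
    contain the domain name.
    """
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def decide(path, machine_domain, authorized_hosts):
    """Pick what to do before answering an authentication challenge."""
    host = unc_host(path)
    # A home computer has no domain (None), so nothing qualifies here.
    if machine_domain and in_domain(host, machine_domain):
        return Decision.SEND_CURRENT_USER
    # The "marker" idea: the user already chose a credential for this host.
    if host in authorized_hosts:
        return Decision.SEND_STORED
    return Decision.PROMPT


if __name__ == "__main__":
    remembered = {"nas"}  # constructed: a host the user approved earlier
    samples = (  # constructed paths, using the host names from the thread
        r"\\files.myworkdomain.adf\share",
        r"\\files.blackhats.are.us\share",
        r"\\files.myworkdomain.adfButInTheUS\share",
        r"\\NAS\media",
    )
    for p in samples:
        print(p, "->", decide(p, "myworkdomain.adf", remembered).value)
```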



  • @levicki Beats me. The file's timestamp was the same as the rest of the files in the install directory, so I can only assume they did it intentionally to try to stop you from uninstalling G-Hub



  • @levicki :kneeling_warthog:-hub


  • Banned

    @hungrier said in WTF Bites:

    @levicki Beats me. The file's timestamp was the same as the rest of the files in the install directory, so I can only assume they did it intentionally to try to stop you from uninstalling G-Hub

    Or maybe it was just a random corruption due to cosmic rays or whatnot.


  • Discourse touched me in a no-no place

    @levicki said in WTF Bites:

    None of them are Windows' problem.

    Windows's problem is that it continues to use the goatse approach to security all too often. The fundamental problem has always been that much of it (not all, but more than enough) was written by people who assume that other computers' operating systems are inherently trustworthy. That's the sort of thing that layers security fuckups through huge parts of the system on many levels, and which then becomes very hard to fix. (Harder still without breaking any existing deployments of anything, as some of those depend on the insecurity to work at all. Which is just massively fucked.)


  • I survived the hour long Uno hand

    @Carnage
    Systemd, putting the D in Dumb since 2010


  • 🚽 Regular

    @levicki said in WTF Bites:

    You can only argue that the problem is the default relaxed security settings, not that security itself isn't good.

    :frystare:


  • Notification Spam Recipient

    @levicki said in WTF Bites:

    At that point I would have entered paranoia mode and visually inspected file contents,

    I was going to ask if the original was still there so we could do this. I am rather curious if it was a repeated string of Haha fuck you you can't run the installer!


  • Notification Spam Recipient

    @dkf said in WTF Bites:

    some of those depend on the insecurity to work at all.

    See also Re: My adventures in (marginally) isolating a "key server" tray application that requires a desktop session (or it just silently crashes) and a public Everyone-accessible share to function...



  • I just got an advertising invoice from Amazon for my ebooks. One of the line items is a -$0.35 charge because one of my ad campaigns received -1 clicks. I do not know how to interpret this information.


  • Notification Spam Recipient

    @mott555 said in WTF Bites:

    I do not know how to interpret this information.

    They thought someone clicked it, but later discovered it was a bot?



  • [image]
    Huh... a 5 second video? Must be a mistake, I'll go watch it before it gets deleted...
    [image]
    Oh... it's not 5 seconds... well, guess I'll add some other videos to my queue in the meantime...
    [image]
    Weird...



  • @LB_ I find that I am pleased with your choice of YouTube content creator's content to consume.

    (I also like MoltenMetal for MechWarrior Online, DisguisedToast for TFT, and WinterSC for Starcraft II.)


  • Considered Harmful

    @mott555 said in WTF Bites:

    -1 clicks

    One click forward, two clicks back 🎼


  • kills Dumbledore

    @levicki said in WTF Bites:

    I get the standard Windows bash-ing (pun intended), but in this case it is totally uncalled for

    Who are you and what have you done with @levicki ?



  • Huh, there's something wrong. We normally have plenty of sources to feed /dev/wtf.


  • Notification Spam Recipient

    @Zerosquare said in WTF Bites:

    Huh, there's something wrong. We normally have plenty of sources to feed /dev/wtf.

    Supply chain issue.



  • @levicki said in WTF Bites:

    @Zerosquare said in WTF Bites:

    Huh, there's something wrong. We normally have plenty of sources to feed /dev/wtf.

    What if... people get smart and stop making WTFs?!? 😨

    What are we gonna do?!? Who are we gonna mock?!? 😱

    Wake up. It was just a nightmare. This will never happen.


  • BINNED

    @levicki said in WTF Bites:

    @Zerosquare said in WTF Bites:

    Huh, there's something wrong. We normally have plenty of sources to feed /dev/wtf.

    What if... people get smart and stop making WTFs?!? 😨

    What are we gonna do?!? Who are we gonna mock?!? 😱

    👀:seye:
    no one


  • Fake News

    @levicki said in WTF Bites:

    @Zerosquare said in WTF Bites:

    Huh, there's something wrong. We normally have plenty of sources to feed /dev/wtf.

    What if... people get smart and stop making WTFs?!? 😨

    What are we gonna do?!? Who are we gonna mock?!? 😱

    Maybe we could do something constructive for once.

    ...

    ...

    Sorry, couldn't keep a straight face. :kneeling_warthog: gonna :kneeling_warthog:



  • @levicki said in WTF Bites:

    Make Forums Great Again 🍹

    What, you want us to go back to Discourse?!


  • BINNED

    @Zerosquare said in WTF Bites:

    @levicki said in WTF Bites:

    Make Forums Great Again 🍹

    What, you want us to go back to Discourse?!

    [image]



  • @levicki said in WTF Bites:

    @JBert said in WTF Bites:

    Maybe we could do something constructive for once.

    I propose we start constructing a WTF. A big one, the best. We should put our best people on it. Our top people. And it will be great. And we'll make MexicoDiscourse pay for it.

    Make Forums Great Again 🍹

    @Zerosquare, I think I addressed your concern...



  • @levicki From what I understand, that's Microsoft doing their part in reducing transmission of a plague. In this case, COM development. :half-trolling:


  • BINNED

    @Benjamin-Hall more realistically, the server has noticed that the MSDN link is no longer valid (which is what usually happens after about 6 nanoseconds) and helpfully removed it. 🐠


  • Banned

    @topspin said in WTF Bites:

    @Zerosquare said in WTF Bites:

    @levicki said in WTF Bites:

    Make Forums Great Again 🍹

    What, you want us to go back to Discourse?!

    [image]

    Fun fact: Discourse rhymes with dead horse.



  • @levicki said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    @levicki From what I understand, that's Microsoft doing their part in reducing transmission of a plague. In this case, COM development. :half-trolling:

    Not sure why you hate COM, it's useful.

    For example, you have a 64-bit driver for a hardware device.

    However, stupid device vendor provided only 32-bit SDK to interface with said device and they went under.

    You can discard device which is otherwise good because you can't use it from 64-bit code, or write an out-of-process 32-bit COM server which will expose the interface of said 32-bit SDK to 64-bit applications.

    I was just attempting to make a funny. Only contexts I know of COM in is drivers and this site, and I've had nothing but trouble with drivers, and, well, TDWTF is TDWTF.


  • Banned

    @levicki said in WTF Bites:

    You can discard device which is otherwise good because you can't use it from 64-bit code, or write an out-of-process 32-bit COM server which will expose the interface of said 32-bit SDK to 64-bit applications.

    Or use any other inter-process communication scheme to the same effect. There's zero benefit from choosing COM over something else.

    Wait, you're not gonna see it, are you. Oh well. It's not like you could be convinced anyway. I'm just wondering what you would say in defense of COM and why you think it's so good.



  • @levicki said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    I was just attempting to make a funny. Only contexts I know of COM in is drivers and this site

    I got the joking part, but there is more to COM than just that. For example, it is used extensively in Windows Explorer (literally all property pages, preview handlers, column handlers, context menus, etc.). It is also a cornerstone of DirectShow, DirectX, Direct2D, and DirectWrite APIs, OLE automation (Office apps interop), etc.

    It's not a bad system, it just has a rather steep learning curve and at this point poor documentation and not a lot of people who can write COM code.

    Yeah. Bunches of things that I'm very very grateful I never have to touch. And if I know anything about the underlying fundamentals of the Windows OS...there be dragons there. Very nasty, mean-tempered, ill-documented dragons with big pointy teeth and nasty breath.


  • Notification Spam Recipient

    @Benjamin-Hall said in WTF Bites:

    Very nasty, mean-tempered, ill-documented dragons with big pointy teeth and nasty breath.

    To my recollection, I just avoid anything not ending in W unless I can only find an A version.



  • @Tsaukpaetra said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    Very nasty, mean-tempered, ill-documented dragons with big pointy teeth and nasty breath.

    To my recollection, I just avoid anything not ending in W unless I can only find an A version.

    I'm glad I don't know what those mean. Especially if that would mean getting C++ on me.



  • @Benjamin-Hall said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    To my recollection, I just avoid anything not ending in W unless I can only find an A version.

    I'm glad I don't know what those mean. Especially if that would mean getting C++ on me.

    C, technically. A == ANSI (8-bit chars in code pages), W == Wide (16-bit chars in "Almost Unicode"). Occasionally the Ws have functionality that the As do not, like support for longer file paths. Newer stuff only comes in W versions.



  • @Benjamin-Hall said in WTF Bites:

    @levicki said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    I was just attempting to make a funny. Only contexts I know of COM in is drivers and this site

    I got the joking part, but there is more to COM than just that. For example, it is used extensively in Windows Explorer (literally all property pages, preview handlers, column handlers, context menus, etc.). It is also a cornerstone of DirectShow, DirectX, Direct2D, and DirectWrite APIs, OLE automation (Office apps interop), etc.

    It's not a bad system, it just has a rather steep learning curve and at this point poor documentation and not a lot of people who can write COM code.

    Yeah. Bunches of things that I'm very very grateful I never have to touch. And if I know anything about the underlying fundamentals of the Windows OS...there be dragons there. Very nasty, mean-tempered, ill-documented dragons with big pointy teeth and nasty breath.

    It certainly seemed that way to me back when I was learning COM. The books made things look more complex than they actually were, though. :P

    Nowadays I imagine they'd want you to do a .NET thing instead of doing COM directly.



  • @mott555 said in The Official Status Thread:

    Status: Why do I have to have a Steam account and a Bethesda account to play Quake Champions? This multi-account multi-launcher stuff is BS.

    EDIT: Should probably move this over to WTF Bites. The UI....everything is disabled except the "Play" button. I can't go into settings to set mouse sensitivity or pick the graphics options.

    FAKE EDIT: And it won't let me play because it says my graphics driver is out-of-date. Oh really.

    REAL EDIT: It says that, then it goes into "Searching for a match." Also, the game settings menu only works while searching for a match, not before when you're just idle in the game menu, so it kicked me out a few seconds later before I could check/set anything.

    REAL EDIT 2: The game crashes when a match ends.

    I lost connection to something, and now I'm stuck at this screen. The game is really half-baked.

    [image]



  • @levicki said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    I'm glad I don't know what those mean. Especially if that would mean getting C++ on me.

    It might have also been a pun on W looking like "big pointy teeth"? :frystare:

    If so, I applaud him. Because I always appreciate bad jokes (as one can tell from my frequent additions to the Bad Joke thread).



  • @levicki said in WTF Bites:

    Not sure why you hate COM, it's useful.

    Don't forget: That's how C++ with .Net works.



  • @Parody said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    To my recollection, I just avoid anything not ending in W unless I can only find an A version.

    I'm glad I don't know what those mean. Especially if that would mean getting C++ on me.

    C, technically. A == ANSI (8-bit chars in code pages), W == Wide (16-bit chars in "Almost Unicode"). Occasionally the Ws have functionality that the As do not, like support for longer file paths. Newer stuff only comes in W versions.

    And they're all hidden behind #defines. Which means if you have a method on a class named GetSystemDirectory, well, no you don't. It's so nice when the global namespace is fucked with.



  • @mott555 said in WTF Bites:

    @mott555 said in The Official Status Thread:

    Status: Why do I have to have a Steam account and a Bethesda account to play Quake Champions? This multi-account multi-launcher stuff is BS.

    EDIT: Should probably move this over to WTF Bites. The UI....everything is disabled except the "Play" button. I can't go into settings to set mouse sensitivity or pick the graphics options.

    FAKE EDIT: And it won't let me play because it says my graphics driver is out-of-date. Oh really.

    REAL EDIT: It says that, then it goes into "Searching for a match." Also, the game settings menu only works while searching for a match, not before when you're just idle in the game menu, so it kicked me out a few seconds later before I could check/set anything.

    REAL EDIT 2: The game crashes when a match ends.

    I lost connection to something, and now I'm stuck at this screen. The game is really half-baked.

    [image]

    Is this bad netcode? I know I'm not the best player, but I used to play a lot of Quake III Arena back in the day. Something just doesn't seem right when I shoot someone four times with a railgun while they charge across the map at me, then they one-hit-kill me with the gauntlet (melee) weapon.

    I tried using the gauntlet, too. I was not able to get a kill with it.


  • Considered Harmful

    @mott555 said in WTF Bites:

    Something just doesn't seem right when I shoot someone four times with a railgun while they charge across the map at me, then they one-hit-kill me with the gauntlet (melee) weapon.
    I tried using the gauntlet, too. I was not able to get a kill with it.

    You didn't buy the "Actually hit enemies you shoot at" for additional $9.99 (was $4.99 at pre-order). Which also happens to disable several connection "bugs".



  • @mott555 I'm calling bad netcode. Me and another player spawned at the start of a match, facing each other, both armed with the starter shotgun. I shot him three times, he shot me once, I died, he lived.



  • @Applied-Mediocrity said in WTF Bites:

    @mott555 said in WTF Bites:

    Something just doesn't seem right when I shoot someone four times with a railgun while they charge across the map at me, then they one-hit-kill me with the gauntlet (melee) weapon.
    I tried using the gauntlet, too. I was not able to get a kill with it.

    You didn't buy the "Actually hit enemies you shoot at" for additional $9.99 (was $4.99 at pre-order). Which also happens to disable several connection "bugs".

    Whoever made the decision that Quake needs microtransactions and loot boxes needs to have a BFG10K shoved up his rectum and fired. But there's no BFG in this Quake, either :wtf: .

