WTF Bites



  • [images]

    It's been
    One week since I ordered shit
    Made the order and clicked "two day shipping"
    Five days since it should've arrived
    "Where's my shit, I'm paying for Prime"
    Four days since you lied to me
    Told me you shipped it, but you still didn't
    Yesterday, you submitted it
    But it would still be one day before delivery




  • ♿ (Parody)

    @boomzilla said in The Official Likes Topic:

    Status: Upgrading to the new Ubuntu LTS is usually mildly traumatic trying to figure out which customizations (mostly stuff I install from third parties) need to be done. This time wasn't too bad.

    Update on this: Ubuntu 20.04 and VirtualBox 6.1.12 do not get along. Very crashy and freezy. Asked my boss to buy me a VMware license, which she emailed to me in, like, half an hour.

    Of course, getting it to install was a whole 'nother experience. We download everything through our IT dept (you have to request it from them first). It was downloading a 500MB installer in single and double digit KB/s. Then it wouldn't install until I'd restarted a few times and wasn't on the corporate VPN. :wtf:

    However: My license was for v16 and IT only offers 15. Ugh. So I had to get my boss to downgrade the license, which she did on Tuesday since she was out on Monday.

    But now it runs and does not crash. However, I'm not a fan of VMware's multimonitor support. I could have two windows on separate monitors with VirtualBox. VMware requires you to be in fullscreen mode. OK, fine, whatever. Except...

    It can't agree which one is which. It really confused me for a while because it seemed like it was frozen or something when my mouse wouldn't do anything. Then I realized that I could click and stuff on one monitor when the mouse was on the other monitor, if I could get the coordinates right.

    Oh, well, back to stretching one window across two monitors.



  • @boomzilla said in WTF Bites:

    Ubuntu 20.04 and VirtualBox 6.1.12 do not get along.

    Ubuntu 20.04 does not contain VirtualBox 6.1.12. It contains virtualbox 6.1.6-dfsg-1 or 6.1.10-dfsg-1~ubuntu1.20.04.1 in updates, and at least in my experience the 6.1.10-dfsg-1~ubuntu1.20.04.1 works fine. Installing things from upstream on Ubuntu when Canonical provides supported, reasonably up to date packages is a :wtf:. By the way, Groovy already has 6.1.14-dfsg-4, so there would be an update to try before declaring it irreparably crashy and freezy.


  • ♿ (Parody)

    @Bulb said in WTF Bites:

    Ubuntu 20.04 does not contain VirtualBox 6.1.12.

    Ubuntu was the guest. The host is Win10 (1809?). 6.1.12 is the version my corporate IT overlizards allow us to use.



  • @boomzilla Ah, ok.

    And it's the guest additions crashing the guest or what? Trying different versions of the guest addition might make sense then.

    @boomzilla said in WTF Bites:

    The host is Win10 (1809?).

    Why not Hyper-V then? It's built in already.


  • ♿ (Parody)

    @Bulb said in WTF Bites:

    @boomzilla Ah, ok.

    And it's the guest additions crashing the guest or what? Trying different versions of the guest addition might make sense then.

    Might be.

    @boomzilla said in WTF Bites:

    The host is Win10 (1809?).

    Why not Hyper-V then? It's built in already.

    That it's built in is the only good thing I've ever heard about it. I've used VMware a lot in the past so I'm comfortable with it. I was just :kneeling_warthog: to go through the process of getting a license before and virtualbox was easy to get and since it worked...:mlp_shrug:



  • @boomzilla I do admit that Hyper-V, at least when I did something with it a year and a half or so ago, the UI was rather lacking, specifically for the stage where you wanted to convert a VM in some generic format to its own ❄ format. Instructions were like ‘cast this incantation with PowerShell’…


  • ♿ (Parody)

    @Bulb that's good enough for me. This VM was originally a VMware VM that VirtualBox was happy to convert nearly painlessly, and that VMware was happy to pick back up nearly as painlessly (had some difficulty in getting NAT set up...just selecting NAT didn't do it, had to do the Custom...Vmnet8 or whatever).


  • Java Dev

    @boomzilla said in WTF Bites:

    @Bulb said in WTF Bites:

    Ubuntu 20.04 does not contain VirtualBox 6.1.12.

    Ubuntu was the guest. The host is Win10 (1809?). 6.1.12 is the version my corporate IT overlizards allow us to use.

    @Bulb may mean the guest additions from the Ubuntu repos aren't quite compatible.

    I've had some shakiness with multi-monitor in virtualbox recently, namely it not switching to it correctly on boot. I have to go to windowed mode, activate the 2nd window (which doesn't do anything), activate the 2nd window again (works this time), then go back to full screen.

    No experience with ubuntu - I'm on dogfood linux for dogfood reasons and at home I run everything native.


  • ♿ (Parody)

    JIRA-17337
    Submitted by user: Head, Richard
    Description: The Foo report is missing items for Blearg and Blarx. We need the report to show everything. This is important when dealing with customers.

    boomzilla Hmmm...let's take a look...
    runs report
    ...
    looks at Blearg and Blarx in the system

    Comment by boomzilla Hey, dickhead, the shit's all there. FOAD. I ran the report and found four items, 3 for Blearg and 1 for Blarx. I looked at them in the system and found the same items. Can you please specify what's missing?


  • Grade A Premium Asshole

    I get an email from Ubiquiti this morning. They are opening a new "MX store". :wtf: is a "MX Store"? Mail exchange? Well, it is offering to help me find everything I need to build better networks. Let's see what's going on:

    [image]

    Nothing seems different. Except that little emblem in the store link.... :wtf_owl: is this all about? Let's scroll down.

    [image]

    Why the hell would I be interested in their new store for Mexico? I've never ordered anything to be delivered in Mexico. I don't even live in the southern US.



  • @boomzilla said in WTF Bites:

    I ran the report and found four items, 3 for Blearg and 1 for Blarx. I looked at them in the system and found the same items. Can you please specify what's missing?

    Work-Boomzilla is definitely very different from TDWTF-Boomzilla.



  • @Zerosquare Just a pretend-persona.

    The one that does actual work.


  • Considered Harmful

    error: OK Google, play The Sound of Silence.
    🤖: Playing The Sound of Silence by Disturbed on Spotify.
    error: :wat: :belt_onion:



  • I would have expected it to play 4'33" by John Cage.


  • Banned

    @error said in WTF Bites:

    error: OK Google, play The Sound of Silence.
    🤖: Playing The Sound of Silence by Disturbed on Spotify.
    error: :wat: :belt_onion:

    Hello, @error, my old friend...

    [image]



  • @error To be fair, it's a really good version


  • BINNED

    Firefox has this cool feature where it can automatically generate strong passwords if you register for a new website. What happens if you try to use it?

    [screenshot]

    "Weak password"

    "A secure password should fulfill these criteria:
    ✅ At least 8 characters long
    ✅ Contain capital and small letters
    ❌ Contain special characters
    ✅ Contain numbers
    ❌ Hieroglyphs
    ❌ Blood of a virgin
    "

    Um, sure. Let's try this:
    [screenshot]
    "Strong password"

    Fucking morons!


  • Discourse touched me in a no-no place

    @topspin said in WTF Bites:

    Firefox has this cool feature where it can automatically generate strong passwords if you register for a new website.

    This cool feature that has no options for the passwords it generates.


  • BINNED

    @loopback0 said in WTF Bites:

    @topspin said in WTF Bites:

    Firefox has this cool feature where it can automatically generate strong passwords if you register for a new website.

    This cool feature that has no options for the passwords it generates.

    : Options are confusing to users!



  • @topspin said in WTF Bites:

    : Options are confusing to users!

    Let's infuriate them instead, by only being usable some of the time!

    Also, is it the users who don't like options or developers who don't like debugging things with these options? :thonking:


  • Discourse touched me in a no-no place

    @frillunflop said in WTF Bites:

    Also, is it the users who don't like options or developers who don't like debugging things with these options? :thonking:

    Yes.



  • @frillunflop said in WTF Bites:

    Also, is it the users who don't like options or developers who don't like debugging things with these options? :thonking:

    No.


  • Notification Spam Recipient

    @acrow said in WTF Bites:

    keeping them legible

    E_NOT_A_REQUIREMENT


  • BINNED

    @MrL said in WTF Bites:

    @acrow said in WTF Bites:

    keeping them legible

    E_NOT_A_REQUIREMENT

    Just make the font thinner, I said. Yes, even thinner!



  • WTF of my day: And once again cargo cult reared its head. I just left a Webex meeting where I brought up the password change rule for one particular service (i.e. expiration after 3 months).

    This was supposed to be an admin meeting. I'm not sure that these people understand what the actual problem is. Plus, they scoffed at the notion that there are reliable studies about this and that not only the NIST but also Germany's federal ministry for IT security strongly recommends not making people change passwords.

    And then they wonder why user engagement with this platform is so low.

    While I personally use a password manager, they actually managed to configure this in a way to actually break the usual workflow. Some subpages need a second login which leads to a separate login URL which then routes back to the original URL. Which now means that I need to keep in sync two separate entries in my password safe - and of course, the names for those URLs are also wildly divergent (i.e. not www.foo.bar => login.foo.bar => www.foo.bar but instead www2.foo.bar => activewhatever.baz.fark => www.foo.bar)

    I'm a strong proponent of "keep the bar to entry as low as possible" but they seem to be on the "let's use whatever looks secure" path.

    I mean, they don't even offer some kind of 2FA.


  • Discourse touched me in a no-no place

    @Polygeekery said in WTF Bites:

    Why the hell would I be interested in their new store for Mexico?

    They're preparing you for emergency evacuation post-Election.


  • Banned

    @topspin said in WTF Bites:

    @MrL said in WTF Bites:

    @acrow said in WTF Bites:

    keeping them legible

    E_NOT_A_REQUIREMENT

    Just make the font thinner, I said. Yes, even thinner!

    [image]


  • Discourse touched me in a no-no place

    @Rhywden said in WTF Bites:

    I mean, they don't even offer some kind of 2FA.

    Two Fuck-up Authentication? They seem to be well ahead of that…



  • @topspin said in WTF Bites:

    : Options are confusing to users!

    I used to work for a company like that.



  • @dkf said in WTF Bites:

    @Rhywden said in WTF Bites:

    I mean, they don't even offer some kind of 2FA.

    Two Fuck-up Authentication? They seem to be well ahead of that…

    I'm not even sure which problem the "3 months expiry" is supposed to solve. The argument I've heard is: "But if your account is compromised then it'll become uncompromised after three months at the latest!"

    Dude, if an account which supposedly has access to sensitive data is compromised it doesn't matter if it's for one hour or 3 months. And if you do not even notice that it's compromised for three months then I dare question the need for all that security anyway - because either no one cares or the sensitive data is not that interesting.


  • ♿ (Parody)

    @Rhywden the best rationalization I can come up with for this sort of policy is that it somewhat prevents people from using the same password everywhere. At a minimum, expiry cycles are likely to be offset.

    I suppose that changing could help in case of a data leak where the attackers brute force a DB full of weakly hashed passwords.

    None of that is worth the pain, of course, but then I suppose that pain's a plus to some of the people who administer systems over the rest of us.


  • I survived the hour long Uno hand

    @boomzilla said in WTF Bites:

    None of that is worth the pain, of course, but then I suppose that pain's a plus to some of the people who administer systems over the rest of us.

    :um-actually: Wait, are you calling system administrators sadists?
    :um-nevermind:



  • @boomzilla said in WTF Bites:

    @Rhywden the best rationalization I can come up with for this sort of policy is that it somewhat prevents people from using the same password everywhere.

    Considering that another big talking point was SSO or at least "One username, one password for everything", this argument also would not make too much sense :)


  • ♿ (Parody)

    @Rhywden I'm thinking about external systems, so your email and your Amazon and your local pizza place and your etc, etc, etc accounts all have the same password. Which is a security thing that's worth avoiding.



  • @boomzilla Yeah, but what I've noticed my users actually doing is simply plonking a consecutive number at the end of it.

    Which, I think, was kind of mentioned in the NIST document about why they changed their recommendation.


  • Discourse touched me in a no-no place

    @Rhywden said in WTF Bites:

    Dude, if an account which supposedly has access to sensitive data is compromised it doesn't matter if it's for one hour or 3 months. And if you do not even notice that it's compromised for three months then I dare question the need for all that security anyway - because either no one cares or the sensitive data is not that interesting.

    If the hash is compromised rather than the password, then if the password expires in the time it takes to crack it then it might render the password useless. Assuming old password doesn't make it easy to guess the new one. Probably less relevant now cracking happens way faster.

    A lot of password policies seem to be because that's what has always been perceived to be more secure.

    Of course, like a lot of them, the reality is they do more harm than good, and cause people to use easy passwords, or write them down on a post-it under their keyboard, or store them in an email, or in a page of a OneNote document they use for other useful information (these latter two being picked because they were responsible for two different people in my team exposing their passwords when screen sharing on Webex).



  • @loopback0 Having the passwords physically written down is actually not that bad, unless you have a news crew coming in to film or something. With a digital copy in an email or OneNote, it could get accidentally screen shared like you mentioned, or get leaked in some other way, but if it's on a piece of paper it's unlikely that someone could get access to it unless they physically broke into your office.


  • Discourse touched me in a no-no place

    @hungrier said in WTF Bites:

    Having the passwords physically written down is actually not that bad

    It is if you do it insecurely.

    if it's on a piece of paper it's unlikely that someone could get access to it unless they physically broke into your office.

    People rarely have offices to themselves these days. Pandemics aside, there are usually lots of other people with access to the office.



  • @Polygeekery said in WTF Bites:

    Why the hell would I be interested in their new store for Mexico? I've never ordered anything to be delivered in Mexico. I don't even live in the southern US.

    They are just phishing for your passport etc. Afterwards, they will sell that to some people paying the highest price for it. And you will have some trouble when you try to get back to the US....



  • @loopback0 If you have a post-it with your password stuck to your monitor, sure that would be bad security. But if you write it down in your notebook and keep it in your drawer (and assuming you trust your coworkers and janitors not to maliciously go through your stuff) it should be ok



  • @Rhywden said in WTF Bites:

    they seem to be on the "let's use whatever looks secure" path.

    Long ago, I had to take over the administration job of our system administrator while he was on holidays.
    He was a big fan of odd password rules, and of course users had to change them once a month, not use one of the last 20 passwords again, and blah blah blah...
    So I needed the administration password - though it was long, a simple dictionary attack would crack it....



  • @hungrier said in WTF Bites:

    But if you write it down in your notebook and keep it in your drawer on your desk along with thousands of papers/books/etc (and assuming you trust your coworkers and janitors not to maliciously go through your stuff) it should be ok

    FTFY
    When your desk is a mess, nobody can find anything on it 😉


  • Notification Spam Recipient

    @loopback0 said in WTF Bites:

    @hungrier said in WTF Bites:

    Having the passwords physically written down is actually not that bad

    It is if you do it insecurely.

    You should frame it.


  • Fake News

    @hungrier said in WTF Bites:

    @loopback0 If you have a post-it with your password stuck to your monitor, sure that would be bad security. But if you write it down in your notebook and keep it in your drawer (and assuming you trust your coworkers and janitors not to maliciously go through your stuff) it should be ok

    I do write some things down, but I keep it together with all my other important bits of paper (in my wallet).


  • Banned

    @hungrier said in WTF Bites:

    @loopback0 Having the passwords physically written down is actually not that bad

    My father writes down his passwords in a personal notebook he always keeps at home, as he can't be arsed to remember them. It's a major PITA sometimes because he cannot log into anything if he's not at home. He's not very familiar with the concept of saving a password in the browser either.



  • @Gąska Sounds somewhat familiar. While my father actually writes them down in a small notebook he carries around, he typically writes down only the password (but not necessarily what it's for or what username he used).



  • @JBert said in WTF Bites:

    @hungrier said in WTF Bites:

    @loopback0 If you have a post-it with your password stuck to your monitor, sure that would be bad security. But if you write it down in your notebook and keep it in your drawer (and assuming you trust your coworkers and janitors not to maliciously go through your stuff) it should be ok

    I do write some things down, but I keep it together with all my other important bits of paper (in my wallet).

    If I have to create a new password for which I can't use my password manager, like the Windows login password that I need to know in order to be able to access the password manager, I make up a quasi-random (because human brains are typically not very good at statistically high-quality randomness (although a few forum posters may be exceptions to that)) password that is long enough to be reasonably secure against a realistic brute force attack ( @error_bot xkcd 538 ) but short enough to memorize fairly quickly. This is written on a sticky note in my wallet, which is always in my pocket when I'm in a place where that password would be useful (i.e., work) with no context to identify what it's a password to. To be useful to a hacker, the hacker would have to 1) mug me to get my wallet, 2) know where I work, and 3) get access to my place of work 4) without being noticed as being an intruder for long enough to log into Windows. He/she would further have to somehow 5) hack into my (or someone's) Linux account (and that password is not on the sticky note), because my Windows machine typically doesn't have much interesting stuff on it, and finally 6) exfiltrate the data, 99% of which would only be useful to a business competitor, which would narrow the list of suspects quite a bit. I guess taking my laptop when he/she mugs me for my wallet might eliminate a couple of steps, but would add the step of logging into my work VPN, the password for which isn't in my wallet, either. And if he/she also stole the USB stick that has a copy of my password manager, and assuming he/she knew what to do with it, the master pass phrase for that is long, really long; it usually takes me a couple of tries to type it without typos.


  • Banned

    @cvi mine was actively opposing connecting his Gmail account with his Android phone for years. This led to losing the entire phonebook and hundreds of photos with no backup when the phone broke down, on 2 separate occasions. After that he set up a new Google account just for the phone, which he promptly forgot about, leading to a 3rd data loss.

