WTF Bites
-
@ben_lubar said in WTF Bites:
The Windows version also requires administrator privileges for no reason.
Yeah, one day they'll fi-- Sorry, couldn't say it with a straight mouth!
-
Status: Google, you tried, really you did.
Original text: へそ天
Initial translation from site-translation: Eggplant.
Clicked the link:
Edit: For even more fun, the translation of the same text that was placed in the title: Search result of "Tag is" "Episode"
WTF Google?
Edit edit: Based on the search results, the tag was more like "itchy back"?
-
@ben_lubar said in WTF Bites:
The Windows version also requires administrator privileges for no reason.
Do a bit of digging and you find the reason: their API and implementation aren't implemented securely, so they need to wall it off to stop all sorts of trouble with apps. (For example, it interacts poorly with the way various parts of Windows's security model are keyed on application name.)
-
@ben_lubar said in WTF Bites:
The Windows version also requires administrator privileges for no reason.
Actually you only require the "Create symbolic links" permission. However, if you are an administrator, it requires elevation even if you have that permission.
-
However, if you are an administrator, it requires elevation even if you have that permission.
Yeah, the elevation thing is crap. It is requested explicitly and is not connected to the actual permission you need and the command hard-codes it without checking whether "create symbolic links" actually needs administrator, because it does not actually know from where it is getting that permission.
Now the cmd.exe can't actually elevate. So it should really not be checking anything—either the right is there or it is not. But it checks and fails.
-
Still facepalming over this.
Some of you may remember that I maintain a website that stores passwords in plaintext and defaults them to the user's password when setting up a new account or resetting a password. You may also remember that there's a regex in the code to check whether the password entered is in the form of a postcode, and if so checks it against the user's postcode not their password.
For the benefit of non-UK people, a postcode is in the form:
- 1 or 2 letters
- 1 or 2 digits
- A space (optional)
- 1 digit
- 2 letters
One user has a typo in their postcode, meaning it doesn't match the regex. (there's an O instead of a 0). This user forgot their password and had it reset. Because their postcode is not a postcode, the authentication goes down the normal route.
One of the things it does, for some reason, is strip all spaces from the entered text before comparing it to what's in the database.
The reset password includes a space. Do you see where this is going?...
Without manual intervention (changing the password in the database or amending the postcode in the data, which has to be done by admins), this user can never log in once their password is changed, because the database value of "AA11 OAA" can never come up as a positive match in the password checking code.
I'm still trying desperately to get approval to rip out this awful authentication logic and replace it with something sane. Ideally, replacing the whole site with something in MVC
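A reproduction of the login path described in this post, added here as an example (it is not code from the post or from the site): the postcode pattern as the post lists it, the space-stripping comparison, and a hardened replacement using a salted hash with no postcode branch. The user records are constructed to match the scenario above.

```python
import hashlib
import hmac
import os
import re

# Postcode shape exactly as the post lists it: 1-2 letters, 1-2 digits,
# optional space, 1 digit, 2 letters. This is the naive pattern the post
# implies, not a complete UK postcode validator.
POSTCODE_RE = re.compile(r"[A-Za-z]{1,2}[0-9]{1,2} ?[0-9][A-Za-z]{2}")


def looks_like_postcode(text: str) -> bool:
    return POSTCODE_RE.fullmatch(text) is not None


def legacy_login(entered: str, record: dict) -> bool:
    """Login path as the post describes it: if the input looks like a postcode,
    compare it to the stored postcode; otherwise strip every space from the
    input and compare it to the stored plaintext password."""
    if looks_like_postcode(entered):
        return entered == record["postcode"]
    return entered.replace(" ", "") == record["password"]


def make_credential(password: str) -> dict:
    """Assumed hardened design (not the site's code): salted PBKDF2 hash,
    no postcode special case, no whitespace normalisation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest}


def fixed_login(entered: str, credential: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", entered.encode(),
                                 credential["salt"], 200_000)
    return hmac.compare_digest(digest, credential["hash"])


# Constructed records reproducing the post's scenario: the first user has a
# letter O in the postcode and was "reset" to it; the second is a normal user.
TYPO_USER = {"postcode": "AA11 OAA", "password": "AA11 OAA"}
NORMAL_USER = {"postcode": "AA11 0AA", "password": "hunter2"}


def locked_out(record: dict) -> bool:
    """True when neither the stored password nor its space-stripped form
    gets the user through legacy_login (the post's unfixable state)."""
    stored = record["password"]
    return not (legacy_login(stored, record)
                or legacy_login(stored.replace(" ", ""), record))
```

The postcode branch also means any input that matches the pattern is checked against the postcode and never against the password, which is the other half of the problem the post describes.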
-
Some of you may remember that I maintain a website that stores passwords in plaintext
I don't remember that, but right there is already an overload of
I'm still trying desperately to get approval to rip out this awful authentication logic and replace it with something sane.
Good
-
@RaceProUK said in WTF Bites:
right there is already an overload of
Tip of the iceberg, man. Tip of the iceberg.
Here's some sample columns from the aspnet_membership table:
Column: Notes
Password: As mentioned, plaintext
PasswordFormat: Integer. Unused
PasswordSalt: Unused
Email: (did I mention, it emails the user their new password, along with their username, every time they change or reset their password?)
LoweredEmail: Yes. Email address without any of those pesky capital letters. Also unused
-
-
it emails the user their new password, along with their username, every time they change or reset their password
In plaintext, I presume.
Why don't they just publish the whole frukkin' table publicly? It'd be just as secure.
-
@RaceProUK The best compromise between security and convenience would be if the "Forgot password" link redirected you to a page where you entered your username and, if it is deemed to be a valid username, shows the user's current password on the screen. Then you can just copy/paste it from there back to the login screen without: (1) having to wait for the email to arrive, and (2) we all know plaintext passwords over email is insecure
-
@Vault_Dweller said in WTF Bites:
if the "Forgot password" link redirected you to a page where you entered your username and, if it is deemed to be a valid username, shows the user's current password on the screen
If you log in as an admin, you can do that for any user, just enter their username and organisation number and you get the password for the user on screen
-
@Jaloopa Awesome! So all you have to do is remove the "if (user.IsAdmin) {" part and boom! Implementation complete.
-
@Jaloopa On an application I used to support, when an admin changed a user's password the new password boxes were defined as password fields and correctly starred out. Submitting it and successfully changing the password results in a message box confirming the successful change - including the uncensored password.
-
@Vault_Dweller We can avoid all these password security problems by not having one. Just ask for the username on login.
-
@Vault_Dweller We can avoid all these password security problems by not having one. Just ask for the username on login.
Ask for both but allow login with neither like Windows 95.
-
-
@bb36e At least there's a choice.
-
Also 2 minutes after I posted that screenshot I BSODed. CRITICAL_PROCESS_DIED. Uh oh.
-
Also 2 minutes after I posted that screenshot I BSODed.
Stop running Windows on Linux hardware
-
Windows Defender asked me every time I downloaded a database schema updater from the corporate VPN whether it could upload it to Microsoft.
I mean, thanks for asking, but no, I'm not giving Microsoft all my datas just because a program that deletes my files and re-enables itself if it's disabled told me to.
-
The two seconds of fear before you realise you're not root and it's just mv complaining:
mv subdir /* .
         ^--- extra space
Reminds me of a sysadmin idiot friend who was of the opinion that "I don't need a user. I'm logging in as root because I need root always anyways." His browser ran with root privileges.
-
-
... I see...
-
@Jaloopa except for parts of London that do things like W1T as the first part of the postcode.
-
His browser ran with root privileges.
Can't be chrome though. Chrome will yell at you about how that's a terrible idea.
-
@Jaloopa except for parts of London that do things like W1T as the first part of the postcode.
Any clients from those parts of London would never be able to log on
-
@Jaloopa except for parts of London that do things like W1T as the first part of the postcode.
Any clients from those parts of London would never be able to log on
Presumably that's a feature not a bug?
-
-
@Yamikuronue These results proudly sponsored by Bing
-
@Yamikuronue And then Cortana says "to improve these results, please give me the right to access your passwords, bank accounts, and permanently store all your private conversations and share them with any Microsoft employees."
-
IntelliJ IDEA:
update size: 1 to 18 MB
Is it that hard to give an accurate size of the update you created?
-
<ValidValue code="NO" min="NaN" decodeForGui="No" max="NaN"/>
<ValidValue code="PS" min="NaN" decodeForGui="Please Specify" max="NaN"/>
<ValidValue code="YES" min="NaN" decodeForGui="Yes" max="NaN"/>
Because not including min and max for text attributes would be
-
@loopback0 How else would you know that YES can't be bigger or smaller than not a number?
-
Our instance of Confluence has been unstable for a few days resulting in intermittent periods of downtime. After a couple of days of updates basically being nothing more than "our Best People™ are on it" there's now a page to track updates.
The page is on Confluence
-
-
@ben_lubar said in WTF Bites:
I mean, thanks for asking, but no, I'm not giving Microsoft all my datas just because a program that deletes my files and re-enables itself if it's disabled told me to.
You might start doing that if it keeps up. I mean...not with anything sensitive, obviously, but either they get better at false positives or you make them waste time or disk space.
-
@ben_lubar said in NodeBB Updates:
I skimmed the diff and this caught my eye:
It's this change: https://github.com/NodeBB/NodeBB/commit/3361a72725ce455d14cc3a301b91a80ba7d8dcd9
Whyy-hy-hy-hy-hyyyyyy?
http://eslint.org/docs/rules/no-plusplus said:
Because the unary ++ and -- operators are subject to automatic semicolon insertion, differences in whitespace can change semantics of source code.
That's why you enable the lints about missing semicolons, you dolt!
-
-
Whyy-hy-hy-hy-hyyyyyy?
because fuck unary increment/decrement.
they shall not live in code i touch!
WHARGARBLE!
-
YouTube thinks I simultaneously do and do not have YouTube Red:
So, YouTube Red subscriptions are tied to your "real person" Google account. A "real person" Google Account can be a manager/owner of multiple "brand" accounts. I primarily use my brand account because that's where my YouTube channel ended up in the Google+ migration. Brand accounts can have gmail accounts and passwords like real Google accounts, and when you sign into them they act just like a real Google account and even have their own 15GB of free drive storage, etc. However, it's not possible to subscribe to YouTube Red with them. To use YouTube Red on a brand account, you have to sign into your "real person" account and then use the channel switcher to switch to your brand account on YouTube. The screenshot above is not such a scenario - instead, it's from when I am signed directly into the brand account, no personal account cookies involved. It doesn't normally say "Red" next to the YouTube logo when signed into the brand page account.
Some help articles that will make you even more confused:
- Using YouTube Red as a Brand Account manager - does a poor job of explaining what I explained above, and even confused the support staff I contacted (they told me I could purchase YouTube Red while signed into the brand account, but the option is completely disabled).
- Channels migrated to Brand Accounts - explains what happened back when the Google+ integration occurred and you picked the "use a different name" option.
- Manage YouTube channels - explains the whole idea of "real people" managing/owning "brand accounts" with helpful diagrams.
Now, I like some of the benefits of the way this is all set up, but it's seriously confusing to learn about and deal with. To keep things straight I actually use two Chrome users side-by-side with one signed into my "real person" account and the other signed into my "brand page" account. That worked until this whole YouTube Red thing where now the "brand" account Chrome user needs to also have my "real person" account signed in at the same time. Oh well, at the end of the day I figured out how to get YouTube Red to work for me so I can watch Mind Field :p
Oh, and if you can't change your YouTube display name to something without a space in it, it's because you have it associated with a "real person" account instead of a brand page. Because all real people have at least a first and last name, of course.
-
@bb36e Yeah, that thing was annoying. I had it on. It wouldn't shut up until I finally clicked the turn-it-on button.
-
@HardwareGeek said in WTF Bites:
But the API, you may say. The only documentation on the API seems to be RTFSC, and read the source code of the (disappeared) CLI fork for examples of how to use it.
I can't believe I never looked at this before. I just discovered that the program's native file format is a totally readable text file: numeric values of all the GUI's sliders, nicely labelled with the full names of each slider. We don't need no stinkin' API! My script can just create a project file all by itself.
The export format is JSON, but it's a lot more complicated to generate. It contains all the mesh data and whatnot for the asset, as modified by the program's controls. But setting all the GUI controls to configure the asset is the time-consuming part, and it turns out that's dead simple to automate. Generate a bunch of project files, then loading each into the program to generate the export files is a matter of something like 4 mouse clicks per file (not counting scrolling to find the right file each time), but that is still a huge savings of effort.
Edit: Of course it can't be quite that simple. There are some GUIDs and stuff in there, but those look to be either (effectively) constant or one of a small number of choices. I can just copy-paste the relevant string values into my script. I is still happy!
-
Status: every time I get a notification, an error comes right after, despite that I have sounds turned off.
-
@Tsaukpaetra If you do a hard refresh, does it still happen?
-
@RaceProUK said in WTF Bites:
@Tsaukpaetra If you do a hard refresh, does it still happen?
Probably not, checking now.
But the WTF is why it's trying every time.
-
@Tsaukpaetra said in WTF Bites:
@RaceProUK said in WTF Bites:
@Tsaukpaetra If you do a hard refresh, does it still happen?
Probably not, checking now.
But the WTF is why it's trying every time.
I saw 2 on the same page. Then they went away...
-
@Tsaukpaetra said in WTF Bites:
@RaceProUK said in WTF Bites:
@Tsaukpaetra If you do a hard refresh, does it still happen?
Probably not, checking now.
But the WTF is why it's trying every time.
Update: yeah refreshing fixed it. Still!
-
@Tsaukpaetra Part of today's update included a change to how the sounds are loaded (apparently).
-