God forbid someone find out my username



  • Yeah, I know DD-WRT is open source community developed software, but still, you'd think everybody would realize that usernames aren't supposed to be secure.

    You'd think they'd at least fix the misaligned headers the very first time they were seen by a developer. I wonder what their backend looks like...

    Suddenly I don't want to know.

    Addendum: Did some testing and found out that the labels are misaligned in every browser but Firefox... open source everybody!



  • I've noticed that a crazy lot of router panels use ".asp" for their web interface, despite the files really running some custom CGI or stuff.

    The other popular fake-extension is ".do".

    Does anyone know why?

    Does using ".asp" automatically force some ancient broken version of IE to not overaggressively cache the page and thus work right?





    Also, OpenWRT works better than DD-WRT, in my experience. ;)
    And its LuCI web interface (written in Lua, doesn't use fake-.asp) is nice, functional, and works correctly (and displays correctly) in Firefox, Chrome, Opera, and IE9 (didn't check older ones).



  • The time you spent writing this rant, taking screenshots, etc., would have been better used fixing the damn layout, because, you know, it's open source.

    It's like those people who complain because Linux is broken somehow: http://www.geek.com/articles/apple/retina-macbook-pro-linux-20120817/



  • Where is the bottom part of your browser's back button?



  • @pbean said:

    Where is the bottom part of your browser's back button?

    You may choose from the following:

    1. Microsoft cut it off as a sign of what would happen to the Forward button if it failed to comply with its wishes.

    2. Microsoft designed it that way.



  • @bannedfromcoding said:

    I've noticed that a crazy lot of router panels use ".asp" for their web interface, despite the files really running some custom CGI or stuff.
    The other popular fake-extension is ".do".
    Does anyone know why?
    Does using ".asp" automatically force some ancient broken version of IE to not overaggressively cache the page and thus work right?


    Also, OpenWRT works better than DD-WRT, in my experience. ;) And its LuCI web interface (written in Lua, doesn't use fake-.asp) is nice, functional, and works correctly (and displays correctly) in Firefox, Chrome, Opera, and IE9 (didn't check older ones).

    In fact, not only IE, but lots of proxies have different rules for pages named .asp. I don't know of any special treatment of .do, but it was on the early howtos of how to use Java's web frameworks, so it became a default. At least .do describes the "content" (you only use it when you want the server to do something - that excuse ignores that serving a page is an action, but well...), not the internal state of the server (like a filename), so it is less of a WTF.

    Anyway, I don't know why DD-WRT would be concerned with proxy behaviour.



  • @Douglasac said:

    2. Microsoft designed it that way.

    It looks better when you do have the tab bar enabled...



  • @bannedfromcoding said:

    @Douglasac said:
    2. Microsoft designed it that way.
    It looks better when you do have the tab bar enabled...
    It looks even better like this




  • @bannedfromcoding said:

    The other popular fake-extension is ".do".

    Does anyone know why?

    ".do" has been made popular by Struts, a java mvc framework. In typical servlet-driven web applications, the logic is not page-driven but workflow-driven, so a ".do" does not match a web page but rather a step in the workflow (for which the "page" associated with an url is dynamically composed based on the context).

    I've never seen a situation where using something else than ".html" was very useful and most CMS get rid of the extension altogether, but playing with known extensions can be fun. Every year on April 1st I expect to see something like that: http://www.google.com/search.bat



  • @El_Heffe said:

    @bannedfromcoding said:

    @Douglasac said:
    2. Microsoft designed it that way.

    It looks better when you do have the tab bar enabled...

    It looks even better like this


    That's a good picture, because everyone knows that Firefox is not moving forward and yet will not stop.



  • @MiffTheFox said:

    you'd think everybody would realize that usernames aren't supposed to be secure.

    Which is probably why the software reports that not the username itself, but using the default username/password combination is insecure.



  • @Speakerphone Dude said:

    I've never seen a situation where using something else than ".html" was very useful and most CMS get rid of the extension altogether

    I once made a CMS that used the initials of the site name for its extension. (Like http://www.example.com/somepage.tdwtf, but it wasn't those letters or anything remotely offensive) Some people complained about it so I just changed it to .html. A lot of companies do that so I don't understand (Ref Media Temple and its Account Center).



  • .html is a perfectly valid extension for webpages, because it's fucking HTML. It doesn't matter how it was generated (served from a file or a script), it's still HTML.
    No extension would be okay, as would be the scripting engine (.php, .asp etc.). But using a random one doesn't really seem to make sense (even if technically possible).



    Further, the message is stupid because it's there to scare the user. Apparently the idea of more reasonable wording never occurred to them: "It's your first time here. We need you to set up a new username and password for the administrative web site of this router for security purposes. Click here for an explanation."

     



  • It's open source. They don't give a fuck. Go ahead and shove it in their bug tracker, watch it be ignored for 3 years then closed with a message like "this component is being rewritten, refile the bug if it is still relevant" or perhaps simply, "bug too old, no longer valid."

    You can't help people who don't want the help.



  • @Zemm said:

    @Speakerphone Dude said:
    I've never seen a situation where using something else than ".html" was very useful and most CMS get rid of the extension altogether

    I once made a CMS that used the initials of the site name for its extension. (Like http://www.example.com/somepage.tdwtf, but it wasn't those letters or anything remotely offensive) Some people complained about it so I just changed it to .html. A lot of companies do that so I don't understand (Ref Media Temple and its Account Center).

    Ars Technica used to use .ars, but it seems they finally just went to directories like everybody else does.



  • @ubersoldat said:

    The time you spent writing this rant, taking screenshots, etc., would have been better used fixing the damn layout, because, you know, it's open source. It's like those people who complain because Linux is broken somehow: http://www.geek.com/articles/apple/retina-macbook-pro-linux-20120817/
    You should know by now the fundamental core rules of programming, in particular the rule which states: "The last developer to touch a piece of code or project becomes an instant expert and is fully responsible for all the code therein." I am guessing he does not want his name associated with it (I know I wouldn't).



  • @blakeyrat said:

    It's open source. They don't give a fuck. Go ahead and shove it in their bug tracker, watch it be ignored for 3 years then closed with a message like "this component is being rewritten, refile the bug if it is still relevant" or perhaps simply, "bug too old, no longer valid."
     

    Something I had to write for my college senior project:

     

    #include <archive.h>   /* defines ARCHIVE_VERSION_NUMBER and the read-support API */

    /* Wrapper added for context: enable gzip decompression on a read handle.
     * libarchive 3 renamed archive_read_support_compression_*() to
     * archive_read_support_filter_*(), so the call is chosen by version. */
    static void enable_gzip(struct archive *newarc)
    {
        /* 
         * "libarchive version 3 is just around the corner! Honest!"
         *  -- Libarchive developers, Mar 2010
         */
    #   if ARCHIVE_VERSION_NUMBER < 3000000
            archive_read_support_compression_gzip(newarc);
    #   else
            archive_read_support_filter_gzip(newarc);
    #   endif
    }
    

     

    This snippet was written in late 2011. Libarchive version 3 has since been released... on February 26, 2012.

    Open source development tends to be slow as hell.



  • I see nothing wrong with securing the username. It's a little weird, but if someone is looking over your shoulder, they wouldn't know the username or the password. If they knew the username, it would be a lot easier to brute force the password. Since I don't believe dd-wrt has secure password requirements, not having the attacker know the username adds a layer of security.

    On a side note, we have the same password : "hunter2"



  • The .asp is most likely an attempt at security through obscurity... which, on a router, is about as useful as telling you to have a "secure username".



  • @blakeyrat said:

    It's open source. They don't give a fuck. Go ahead and shove it in their bug tracker, watch it be ignored for 3 years then closed with a message like "this component is being rewritten, refile the bug if it is still relevant" or perhaps simply, "bug too old, no longer valid."

    You can't help people who don't want the help.

    That's like leading not a horse, but a Wicked Witch of the West (WWW) to water. And trying to get her drink it.


  • @russ0519 said:

    I see nothing wrong with securing the username. It's a little weird, but if someone is looking over your shoulder, they wouldn't know the username or the password. If they knew the username, it would be a lot easier to brute force the password. Since I don't believe dd-wrt has secure password requirements, not having the attacker know the username adds a layer of security.

    On a side note, we have the same password : "hunter2"

    Except it doesn't have you confirm the user name, but it masks what you type. So if you mistype your username when you first enter it then you've fubared yourself because even if you know the password you don't know what the username actually is.

    A good rule of thumb is if you are masking a data field which will be used for validation or verification at a later time then you should ask for it twice and make sure the values match. Otherwise you are just creating a hole for someone to fall into.
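As an added example (not DD-WRT's code and not from any poster in this thread), here is the rule of thumb above written out as a small form validator in JavaScript: every field the UI masks must be entered twice and the two copies must match, while a field the user has unmasked with a show/hide toggle is exempt, since they can read what they typed. The field names, the `revealed` set, the message strings and the sample inputs are all this example's own assumptions.

```javascript
// Added example, not DD-WRT code. Models a first-run credentials form where
// some fields are shown as dots. Rule: a masked field needs a matching second
// entry; a field the user has revealed (clear text) does not.

// How the form renders each field (assumed layout; DD-WRT masks both).
const FIELD_SPEC = {
  username: { masked: true },
  password: { masked: true },
};

// values:   { <field>: typed value, <field>Confirm: repeat entry }
// revealed: Set of field names currently displayed in clear text
// Returns { ok, errors } where errors maps a field name to a message.
function validateCredentialForm(values, revealed = new Set(), spec = FIELD_SPEC) {
  const errors = {};
  for (const [name, { masked }] of Object.entries(spec)) {
    const value = values[name];
    if (typeof value !== "string" || value.length === 0) {
      errors[name] = "required";
      continue;
    }
    // Visible input can be checked by eye; hidden input cannot, so insist on
    // a matching second copy for anything still masked.
    const needsConfirm = masked && !revealed.has(name);
    if (needsConfirm) {
      const confirm = values[`${name}Confirm`];
      if (typeof confirm !== "string" || confirm.length === 0) {
        errors[name] = "re-enter to confirm";
      } else if (confirm !== value) {
        errors[name] = "entries do not match";
      }
    }
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Browser wiring (assumed DOM ids; only meaningful where a document exists):
// a show/hide button flips the input type and records the field as revealed,
// which waives the confirm requirement for it.
function attachRevealToggle(input, toggleButton, revealed) {
  toggleButton.addEventListener("click", () => {
    const show = input.type === "password";
    input.type = show ? "text" : "password";
    if (show) revealed.add(input.name); else revealed.delete(input.name);
  });
}

// Constructed inputs: a mistyped username confirmation, then a clean form,
// then a form where the username was revealed and typed only once.
const TYPO_RESULT = validateCredentialForm({
  username: "admin", usernameConfirm: "admim",
  password: "hunter2", passwordConfirm: "hunter2",
});
const CLEAN_RESULT = validateCredentialForm({
  username: "admin", usernameConfirm: "admin",
  password: "hunter2", passwordConfirm: "hunter2",
});
const REVEALED_RESULT = validateCredentialForm(
  { username: "admin", password: "hunter2", passwordConfirm: "hunter2" },
  new Set(["username"]),
);
```

The mistyped form is rejected with a per-field message rather than being saved, which is exactly the trap the post describes: a masked username saved once, with a typo, locks the user out even when they know the password. The reveal toggle is the other half of the trade-off noted later in the thread; if the user can see the value, the second entry adds nothing.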



    @sabbott64 said:

    Except it doesn't have you confirm the user name, but it masks what you type. So if you mistype your username when you first enter it then you've fubared yourself because even if you know the password you don't know what the username actually is.

    A good rule of thumb is if you are masking a data field which will be used for validation or verification at a later time then you should ask for it twice and make sure the values match. Otherwise you are just creating a hole for someone to fall into.

    Of course if your hands aren't on home row and you type the same keystrokes twice you're still fucked.

    I love sites that make me type my email address twice. I always copy and paste it (my spamgourmet account, of course).



    @blakeyrat said:

    It's open source. They don't give a fuck. Go ahead and shove it in their bug tracker, watch it be ignored for 3 years then closed with a message like "this component is being rewritten, refile the bug if it is still relevant" or perhaps simply, "bug too old, no longer valid."

    You can't help people who don't want the help.

     

     

    Are you sure you're not Jamie Zawinski?



  • Pretty sure, yeah.



  • @FrostCat said:

    Are you sure you're not Jamie Zawinski?

    @Jamie Zawinski said:

    Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.

    Here is my version of Zawinski's law of software envelopment. It's called the Speakerphone Dude Law of Forum Derailment:

    Every thread in this forum attempts to expand until someone can inject a reference to Lotus Notes. Those threads which cannot so expand are picked for the front page story.



  • @Speakerphone Dude said:

    Every thread in this forum attempts to expand until someone can inject a reference to Lotus Notes. Those threads which cannot so expand are picked for the front page story.

    Nobody mentioned dancing pictograms?


  • @sabbott64 said:

    Except it doesn't have you confirm the user name, but it masks what you type.
     

    Need something like this! Not hiding passwords is a good idea, as mentioned here, which even mentions Lotus Notes for good measure.



    @Speakerphone Dude said:

    @FrostCat said:

    Are you sure you're not Jamie Zawinski?

    @Jamie Zawinski said:

    Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.

    Here is my version of Zawinski's law of software envelopment. It's called the Speakerphone Dude Law of Forum Derailment:

    Every thread in this forum attempts to expand until someone can inject a reference to Lotus Notes. Those threads which cannot so expand are picked for the front page story.

    Cute, but I asked because JWZ made the _exact_ same complaint. http://www.jwz.org/doc/cadt.html



    @Zemm said:

    @sabbott64 said:

    Except it doesn't have you confirm the user name, but it masks what you type.
     

    Need something like this! Not hiding passwords is a good idea, as mentioned here, which even mentions Lotus Notes for good measure.

     

    Interestingly (?), Windows 8 supports password reveal in text boxes: password fields have a little eye icon in them that you can click to show the password.



  • @FrostCat said:

    Windows 8 supports password reveal in text boxes: password fields have a little eye icon in them that you can click to show the password.

    I don't believe you. Prove this with a screen shot of the login page on this forum (or your online banking account)



  • @Speakerphone Dude said:

    Prove this with a screen shot of the login page on this forum
    Eye



  • Why does everyone have the same password as me!?!?!



  • @pbean said:

    Why does everyone have the same password as me!?!?!


    Because, Mrs. Bean, this is the most brillant password in the universe. You surely know that. :)



  • @ender said:

    @Speakerphone Dude said:
    Prove this with a screen shot of the login page on this forum
    Eye

    As I suspected, I just tried and it does not work. (neither did hunter1, hunter3 or tinahashugetitslol). Ergo, Windows 8 is broken.



  • @Speakerphone Dude said:

    As I suspected, I just tried and it does not work. (neither did hunter1, hunter3 or tinahashugetitslol).
    Everyone knows it's password.   Duh.

