@blakeyrat said:
Not sure why you didn't link to the video. That is some creepy-ass shit right there. I'm scared.
The psychotic cackling at the end just makes it.
@joe.edwards said:
Perhaps you could post your PoC here, and some grayhat vigilante might teach them a security lesson with a cluestick.
For a period of about 3 years, the PHP documentation comments (evidently considered canon by the PHP community at large) contained this masterpiece of EvilEval for parsing JSON in older versions.
I came across it shortly after its posting, and dutifully reported it, as well as making a comment pointing out how dangerous it was. The documentation maintainers responded by promptly removing the rogue code doing absolutely nothing.
Largely ignored, I later posted a Proof-of-Concept demonstrating how easy it was to exploit. Finally realising the grave severity of the issue, the documentation maintainers jumped into action, replacing the comment with a responsible explanation as to why the code was removed deleting my PoC and prior comment warning of the danger and leaving the dangerous comment unscathed.
Thankfully, someone later wrote a less-stupid version, and, earlier this year, the comment was finally removed for its security risk being too old, and the code was never put into widespread use is now used in over 30,000 places.
If I had a nickel for every time I've seen this on a major news agency's website, I'd be able to afford my own staff to write these posts for me.
Google used to have a dirty trick that would replace a search-result link with a redirect when you right-clicked, just so it would still show the real link in the address bar but give the redirect when copied. It wouldn't surprise me if Facebook's redirect worked the same way. I assume it's done so they can continue to track (and sell) analytics of clicks on those links when they're subsequently pasted/shared on other people's websites. (Of course, they'll make up some kind of BS about “protecting users from ‘dangerous’ external sites” to explain this away)
@Pascal said:
ComEd (my local electric company) just changed their online account information website. I had to choose and answer three of the below "Security Questions". I had to just make up answers to three of them. Do people really know these things?
In what city or town did your mother and father meet?
What was the last name of your third grade teacher?
What is your maternal grandmother’s maiden name?
What is the name of the place your wedding reception was held?
What is the name of a college you applied to but didn’t attend?
What‽
I was conceived in-vitro, my mother never met my father!
I never went to school!!
My maternal grandmother is known only as "gramma", she has no "maiden" name!!!
I'm not married!!!!
I never went to college!!!!!
I can't sign up for this‽‽
THISS.
ISS.
DISCRIMINATIONN!!!!!!
@Ronald said:
@Ben L. said:
@mikeTheLiar said:
@Ben L. said:
25. Next question?
@Ronald said:
Do you have any idea what the common SMTP port is?
@Ben L. said:
Do you have any idea how HTTP works?
@Ronald said:
@Lorne Kates said:
@Ronald said:
@Lorne Kates said:
Obviously you can't rely on .ToString(). What if the database changes the way it makes strings? You need your strings to be consistent with the database.
The problem with using ToString() in the client application is that you make the system vulnerable to a MITM attack. What if someone was to inject something that cannot be converted to a string on the way between the database and the application? Lives could be lost.
Little known fact: that's exactly what caused Mir to crash. They tried to put Cyrillic in there. "Decommissioning" was a cover-up.
Also, I'm tempted to DDOS your sig image to see what happens when it rolls over.
I just made your DDOS much easier... Even without doing a thing, within a day or two we should know what happens. My money is on 0000.
Nah, it just disregards your request to limit the digits.
You don't know that. You forced a number of digits that is smaller than the current value, that's a different test case.
Ok since you need to have everything explained to you in detail (as usual) here is why HTTP has nothing to do with this. Below are 3 possible scenarios; we do not have access to the codebase so it's not possible to know which of these scenarios is implemented (there are of course more possible scenarios). To cover these, three different test cases would be needed; in any event, the DDOS proposition would be in a different test case than your solution of forcing a value of nbdigits that is lower than what can be displayed by the current value of the counter.

Scenario 1
if(currentCounterValueCanBeDisplayedWithProvidedNumberOfDigits()) { increaseCounter(); } displayCounter();

Scenario 2
if(currentCounterValueCanBeDisplayedWithProvidedNumberOfDigits()) { increaseCounterThenDisplayIt(); } else { displayCounterWithoutIncreasing(); }

Scenario 3
increaseCounter(); displayCounter();

Note: it would be quite a challenge to cover all three cases since for at least one of them it would require preventing anyone else in the world from calling the remote server with that specific page id. That's the challenge of red teaming a live system.
Of course since you are a noob you will probably "decide" which one is more likely and ignore the risk of missing the target. That's why when you get your first job you will probably spend 6 months or 1 year executing test cases for real developers, until you understand that nobody gives a shit what you "decide" and that edge scenarios are not a luxury to test.
Now do some typical Ben L and post some offtopic Go link and let's move on.
Warning: imagecreatefrompng(/usr/www/users/counter/ezeeinternet/images/digits/odometer/s.png) [function.imagecreatefrompng]: failed to open stream: No such file or directory in /usr/www/users/counter/ezeeinternet/Ez_Counter.php on line 115
Warning: imagesettile(): supplied argument is not a valid Image resource in /usr/www/users/counter/ezeeinternet/Ez_Counter.php on line 117
Warning: Cannot modify header information - headers already sent by (output started at /usr/www/users/counter/ezeeinternet/Ez_Counter.php:115) in /usr/www/users/counter/ezeeinternet/Ez_Counter.php on line 123
@dhromed said:
@DrPepper said:
so that it is readable by root
Can a file be given permissions so that even root can't read it?
FUSE mount points, by default, are readable only by the user who mounted them; other users have no access, not even root.
@anonymous235 said:
You made me log out and realize my former password doesn't work, now I had to create a new user. Hope you're happy.
My work here is done.
Oh hell, [url=http://forums.thedailywtf.com/forums/t/20943.aspx?PageIndex=2#342587]that's[/url] where that post went—
@FrostCat said:
@HardwareGeek said:
[b]TRWTF is
@FrostCat said:
@serguey123 said:
[quote user="blakeyrat"]
@serguey123 said:
Blakeyrat, cool off man,
Sorry for being "uncool", but I use a handle on this site for a reason. Don't be an asshole. I'd appreciate it if a mod could remove my name there.
Removed it myself, sorry about that, but if you want to remain anonymous, you should really check what you put on those webforms, it takes like 1 minute of googling, I thought you were aware that pretty much everybody can know who you are if they care, FYI, my handle is my name except for the numbers so...
Given that he's previously provided links to multiple other sites where he's used his real name, he probably is well aware that people can find out who he is. You crossed a line there. Good for you, fixing your mistake, but it was still an asshole thing to do.
necroing this thread after 3 years, thanks to signature guy sending replies to random posts.[/b]
However, I learned something from this. I found out who blakey is, and that he does not live in the same city I do; he lives in the next city over. I also learned that Network Solutions is willing to sell me the domain ratsmating.com. For only $475. Uh, no thanks.
Oops. Well, it's his fault, not mine, for necroing the thread. I mean, how far back up the post chain should I look at the dates?[/quote]
@e4tmyl33t said:
Sam discovered the magic of signature trickery today.
So what happens if I do this? [mod - logout abuse removed - PJH]
So where the fuck did this post come from, and why does replying to it send that reply into oblivion?