
Comment Re:How authentication cookies should work (Score 1) 50

IP address certainly seems like a great way to filter, but some users are switching IP addresses randomly by using proxies or get new IP addresses more often, because of their connection. So IP can be an unreliable detection method. Also, since it's possible the person is on your network when sniffing your request, they could possibly just use your same IP address anyway.

Using the browser ID (or other headers) is no good either, because the attacker can sniff and use that as well. In fact, nothing that is in a request or response can be helpful, because the attacker can sniff all that and craft their headers to be the same.

HTTPS is the way to stop all this.

The only thing I can see being helpful would maybe be some sort of prenegotiated key to sign the requests with. It would have to be negotiated before the attacker sniffs the connection and last for a long time, though.

Comment Re:Not a new exploit (Score 4, Informative) 50

All the hacker has to do is embed a link or image into an email and send that email to the Yahoo account of the victim. The victim then logs in and clicks the link or views the images. Assuming Yahoo doesn't filter out the embedded code, the hacker gets the victim's cookies.

This assumes Yahoo doesn't filter. Every online company is most definitely going to filter javascript. No website wants someone to inject javascript into their pages. Your attack only works if there is a bug in the filter.

If the user can inject javascript, they don't even need to use an image. They can directly do whatever they want in javascript.

Obviously more complicated because you need to mask your embedded code to get through the filters but that is the basis of the XSS hack that has been hitting Yahoo all year ...

If this was true, Yahoo would be completely incompetent for not patching their filter. Do you have a source for this?

And because the sessions on the server never expire the hacker can gain access. I'm not sure how https would help in this scenario.

Session expiration can only minimize the possible damage. In reality, the second the attacker gets the session id they could do whatever they wanted with it. Unless you are expiring the session every second, it does not stop an instant attack. I do agree that it can help minimize the danger, though, so it is still useful.

Basically you need to pass a salted, hashed version of the session ID or random string (as a hidden form field) on all page views or form submissions and check that against both the session cookie and the hidden form field to make sure the cookie is coming from the original source (since there would be no way for the hacker to get that string as well). And invalidate the session if it doesn't match up. Also, expiring and deleting sessions after 6 hours of inactivity would help as well.

Your whole assumption is based on the attacker having access to javascript. If they have that, then your hidden form field is useless, because they have access to that as well.

Real solution for your javascript attack method: Add the HttpOnly attribute to cookies, which prevents javascript access.

As far as stopping a person attacking by sniffing the line, HTTPS is the only way to fix that. I could possibly see a way for a site to create a predetermined key for the user and store it with HTML5 Web Storage. Then submissions via javascript could use that key to sign the content being submitted. (Or encrypt it outright.) Since most of these attacks are drive-bys, it's less likely the attacker would have the pre-negotiated key. This is a more complicated solution and has its own flaws of course.
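As an added illustration (not code from the thread), here are the server-side pieces this reply and the quoted suggestion describe together: a session cookie set with HttpOnly and Secure, a keyed hash of the session id as the hidden form field, invalidation on mismatch, and a 6-hour idle timeout. The server secret and the in-memory session store are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Assumption: a per-deployment secret; this value is constructed for the demo only.
SERVER_SECRET = b"constructed-demo-secret"
IDLE_TIMEOUT = 6 * 60 * 60  # expire after 6 hours of inactivity, as the thread suggests

# Constructed in-memory session store: session id -> last activity timestamp.
SESSIONS = {}


def form_token(sid: str) -> str:
    """Keyed hash (HMAC) of the session id: the 'salted, hashed' hidden form field."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def create_session(now: Optional[float] = None) -> Tuple[str, str]:
    """Start a session; return the Set-Cookie header value and the hidden-field token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = time.time() if now is None else now
    # HttpOnly keeps document.cookie from reading it; Secure keeps it off plaintext HTTP.
    return f"sid={sid}; Path=/; HttpOnly; Secure", form_token(sid)


def validate_request(cookie_header: str, hidden_field: str,
                     now: Optional[float] = None) -> bool:
    """Accept only if the hidden field was derived from this request's session cookie
    and the session is not idle-expired; a mismatch invalidates the session."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)  # the request's Cookie header, e.g. "sid=..."
    if "sid" not in jar:
        return False
    sid = jar["sid"].value
    last_seen = SESSIONS.get(sid)
    if last_seen is None:
        return False
    if now - last_seen > IDLE_TIMEOUT:
        SESSIONS.pop(sid, None)  # expire and delete the idle session
        return False
    if not hmac.compare_digest(form_token(sid), hidden_field):
        SESSIONS.pop(sid, None)  # cookie and hidden field disagree: invalidate
        return False
    SESSIONS[sid] = now  # activity refreshes the idle timer
    return True
```

A sniffer on a plaintext link captures both the cookie and the hidden field, so this check binds the form to the cookie but, as the reply says, only the Secure flag (HTTPS) actually stops sniffing.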

Comment Re:WRT54GL? (Score 1) 133

WRT54G is not WRT54GL.

The WRT54GL is the reincarnation of the original WRT54G. The WRT54G used Linux until version 5, when it switched to VxWorks. It sounds like AC's was one of the original ones, so it is relevant to this thread.

See here for details: http://en.wikipedia.org/wiki/Linksys_WRT54G_series#WRT54GL
"The WRT54GL is technically a reissue of the version 4 WRT54G."

Comment Pro Tip (Score 1) 114

Pro-tip: Take care of your mouth. Brush your teeth and tongue at least twice a day. In particular get that white/yellow stuff off your tongue, including on the back of it. You may gag a bit at first, but you'll get used to it. Also, floss. 90% of issues fixed. Now garlic and other smells you are on your own.

Comment Patch Tuesday? (Score 2) 126

Steam has a very consistent schedule of getting updates on Tuesday, many of which take the network down. I would not be surprised if this was the case. I've learned to avoid any games that require a Steam connection on Tuesdays. (Usually ones that are tracking achievements that affect the game or using steam cloud I would guess.)

Comment Re:Seeing how most companies won't migrate... (Score 2) 675

You don't see how displaying a list over a full screen is less efficient than displaying it as a... list?

Your response would be taken much better if it wasn't in the form of a condescending question that contributes nothing to the discussion. How about some logic or real world examples why you think I'm wrong? (Something that doesn't involve 0.001% of users.)

As far as user efficiency goes, 99.9% of users take the exact same steps that take all of about 1-3 seconds. They don't lose any efficiency, because the workflow to complete the action is the same for both.

If your question is about actual software/hardware efficiency of displaying a list on desktop vs fullscreen, then that's an entirely different ballgame and I won't argue against that. (Lame argument, though, considering how powerful hardware is these days.) I, also, was not arguing on whether the metro start is better than Win7 start. Win7 start is better to me. Being popped to a fullscreen start is an annoyance, but does not hinder normal user efficiency of accessing top programs.

Comment Re:Seeing how most companies won't migrate... (Score 1) 675

So put them on the Metro page, WTF? That way, I can jump back and forth from the metro page to the pseudo desktop without the start menu every time I need to open an app. How efficient is that? Why not allow apps that require the pseudo desktop to have a menu entry on the desktop, unless your fear is that nobody will use the metro apps or the metro page?

Using the metro start for your top programs is no different than for the Windows 7 top programs. Hit the windows key and select your program. One just happens to be a fullscreen start menu. I don't really see how that is less efficient. I'd prefer to have a start menu of course, but really I'm on the desktop 99.99% of the time and all the functionality I used in Windows 7 is just as efficient in Windows 8.

I think you are correct that Microsoft wants everyone to use metro apps. (I don't use them myself. I just use the desktop and metro is my start menu.) I believe it is so they can get a foothold on mobile and get a cut of software sales. Part of it could be a vision of taking your OS everywhere, though.

Comment Re:That bad? (Score 1) 740

So sort of another con or pro, depending on how you look at it:
Windows 8 has removed the Previous Versions functionality. It has a new functionality called File History, which doesn't use shadow copies and instead only copies some files (libraries, desktop, etc) to a second hard drive. This is a bit of a step backwards in my opinion for these reasons:

1) Previous Versions didn't need an entire copy of the file. So you only used space as it was changed. I think File History copies the entire file every time it backs it up.
2) Previous Versions worked on the entire hard drive, not just a small subset of files.

The pros for File History:
1) On a separate hard drive, so if one being backed up goes down, you are good to go.
2) Interface allows copies to be made more regularly. However, this could've been done just as easily if Previous Versions had been beefed up.

I've found that you may still be able to use Previous Versions, though. You have to re-enable system protection on the drive first, though. After that, you have to access the drive through the network interface, i.e. \\ComputerName\C$. Then Restore Previous Versions should be in the menu again. I haven't seen this work in action, though, as I just recently installed, so I can't confirm for sure it works. Here's a site with more info: http://winhowto.blogspot.com/2012/09/windows-8-how-to-recover-previous.html

Comment Re:That bad? (Score 1) 740

The cynical side of me, which is probably correct, says that this is done to promote phone sales and encourage use of the walled garden and is not at all about making things easier for the user.

I definitely agree with this.

Thanks for the suggestion of RetroUI. I hadn't thought of using the metro apps inside of a window on the desktop.

Comment Re:That bad? (Score 1) 740

Did they fix the copy mechanism so you can add files to an existing transfer? That was one of the more frustrating things that OSX got right. Copying a file while an existing transfer is going on just slowed them both down to the point that neither transfer would do much of anything.

This is one feature where I think they could've done better. File copies are added to the same window; however, you have to manually pause them if you don't want them running simultaneously. I definitely consider that a con, but not in the context of this discussion of Windows 7 vs 8, since 7 didn't have it either.

As far as the task manager, yeah it's not perfect. It misreports my overclocked CPU and RAM. (Displays the default speed instead of actual.) You can display multiple CPUs in it still, though. Right click on the graph, click "Change graph to" and select logical processors.

As far as running processes without an associated username, are you sure that Windows isn't just hiding the user until they are logged out before actual deletion? (So they still run with the same basic permissions until that point.) I would imagine this is something they would check for and handle somehow.

Comment Re:That bad? (Score 0) 740

I read about all the Windows 8 hate, but I also read about the many cool new features. From everything I read, Windows 8 sounded better except the metro interface and that was mitigated if you used keyboard shortcuts. I decided to give it a try at the limited time upgrade price of $40.

My take on it is that I like Windows 8 over Windows 7. Would I like a start menu over metro tile UI? Well, yeah. However, the fact of the matter is that I rarely use metro. 99% of my time is spent in desktop mode. I only use it for searching apps, just as I did in Windows Vista/7. Hit Windows key and start typing and hit enter on my app. Metro, also, displays your most used apps, just like 7. So you can just click those if you want too. Any apps I don't have automatically start, I just pin to my taskbar, though, and then I can run them in desktop mode.

Here are my reasons why I like Windows 8:
*) Boot/shutdown time reduced. I don't really notice this, though. Windows 7 was fast too.
*) Much improved task manager. This thing is a beast. A bunch of performance measurements in one SIMPLE place. Seeing what is using cpu/network/disk/memory in one spot is nice.
*) Windows explorer has a bunch of advanced and simple to use toolbar options by default. (I use them rarely, but I appreciate they are there.)
*) Master volume is overlaid on the screen as you change it with keyboard buttons. Previously I had to use 3rd party drivers/software for this.
*) No more Aero UI. Just a plain interface. I don't need the extra pretty graphics and I assume this gets better performance even if only a sliver.
*) File copying is much better. You get a nice graph and the time estimate is actually accurate now. You can, also, pause it. This has made a world of difference for my external drive.
*) Win-X: Pops up a menu of many administration tasks. (i.e. Control Panel, disk management, command prompt, run, etc.) You can, also, modify this list with a 3rd party program.
*) Notepad is MUCH faster now. I'm not sure what they did, but in 7 and below, notepad would take seconds to load/display a simple 25MB file. Now it is instant.
*) Storage Spaces. I'm not using it yet, but being able to put drives in a pool is nice and I foresee use in the future. Built-in unraid. Yes, please.
*) Microsoft Security Essentials built in. (Called Windows Defender.) Malware/antivirus for the masses. (Supposedly it isn't quite as good at 0 day exploits as some other antivirus software, but for my purposes it is fine and it doesn't take up much resources.)
*) Win-P Shortcut: Easily change monitors in use and/or extend desktop. I use this to activate/deactivate my tv.

Cons:
*) I disabled the login/lock screen foreground wallpaper. This required you to click once before you saw your login box. This was simple and works the way I want now.
*) Don't like how metro tries to handle windows updates. However, the old Windows update from Vista/7 is still there, so I usually access that through the control panel.
*) Metro. I've disabled most tiles. It's pretty much used to search only and isn't a hindrance to me.

Here's what I think: If the start menu was available in Windows 8, it would've been very well received as a better OS than 7. The lack of it for me is not a problem as I search my apps anyway, just as I did in Vista/7. For those that are used to clicking with the mouse and can't change, they can get Classic Shell or Start8. I haven't tried either and probably won't, though, because they aren't needed for me. I definitely do not regret my purchase.

Comment Re:Why? (Score 2) 403

Storage Spaces sounds interesting to me. Basically, you can create a pool of disks and by using mirroring or parity you can have redundancy. The mirroring allows data to be backed up to 1 or more drives. The parity part is most interesting to me, because it sounds similar to Unraid for those that have heard of that. Could be nice to get extra storage space that is portable to any computer as long as it has Windows 8. (Not held down by certain hardware such as motherboard raid controller.) Here is the article from Microsoft on it.

That along with faster booting, better file copying interface (which still could use work in my opinion), better task manager, and some other things make me interested for sure. However, all the bad information I am hearing about the Metro interface has me hesitant. I will probably wait until service pack 1 to decide whether to pick it up. It sounds like a good OS if you aren't worried about the UI, though. Since UI is so important, I'm not sure why Microsoft didn't give the option to just use the classic interface. I guess they want to try and force people to accept the Metro interface.
