
Comment: Re:Is Haselton going to jail? (Score 1) 187

To hack the account, they need both the account number and either the PIN or password. This allows them to brute force the PIN, and retrieve the account number as a byproduct of that.

No, you don't get the account number that way. The "forgot account number" page uses the customer name and one of the listed items of information to identify your account. If it can identify your account it sends an EMAIL with the account number to the email address of record on that account.

The horrendous failure is that they don't simply pretend to send an email if you get the PIN wrong, they report that they can't find the account. I've had a bank that pretended to send an email and it was VERY confusing. It kept telling me it was sending an email with my forgotten user ID but I never got anything. I had to go into the bank to find out I didn't have an email address listed on the account -- even though they kept saying they were sending email to me.

Knowing the email address or home address only gets you the account number.

No. It gets you nothing of value, unless you've already hacked into the target's email.
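As an added illustration (not code from the commenter or from United), the two behaviours argued about above, a lookup that reports "can't find the account" on a wrong PIN versus one that answers identically every time and stops honouring guesses after a few tries, sketched in Python with constructed sample data; the account, PIN, e-mail and the five-attempt threshold are invented for the demo.

```python
"""Added example: why a 'forgot account number' lookup should answer the same
for a wrong PIN and for an unknown name, and should stop acting on guesses
after a small number of attempts. All data below is constructed."""
from collections import defaultdict
import hmac

# Constructed sample data: name -> PIN, account number and e-mail on record.
ACCOUNTS = {
    "alice example": {"pin": "4821", "account": "MP-00012345", "email": "alice@example.test"},
}
MAX_ATTEMPTS = 5  # assumed lockout threshold, chosen for illustration

FOUND_MSG = "Your account number has been sent to the e-mail address on record."
NOT_FOUND_MSG = "We could not find your account."
UNIFORM_MSG = ("If the details match an account on file, the account number has been "
               "e-mailed to the address we hold for it.")


def leaky_lookup(name: str, pin: str) -> str:
    """The behaviour the comment criticises: the reply itself says whether the
    name/PIN pair matched, so the endpoint acts as an oracle for PIN guessing."""
    acct = ACCOUNTS.get(name.lower())
    if acct is None or not hmac.compare_digest(acct["pin"], pin):
        return NOT_FOUND_MSG
    return FOUND_MSG


class UniformLookup:
    """Hardened variant: one fixed reply, and the e-mail is only sent while the
    per-name attempt counter is under the threshold."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)   # name -> attempts seen (in memory for the demo)
        self.outbox = []                   # stands in for the mail system

    def lookup(self, name: str, pin: str) -> str:
        key = name.lower()
        self.attempts[key] += 1
        acct = ACCOUNTS.get(key)
        if (acct is not None
                and self.attempts[key] <= self.max_attempts
                and hmac.compare_digest(acct["pin"], pin)):
            self.outbox.append((acct["email"], acct["account"]))
        # Same text whether the name is unknown, the PIN was wrong, or the name is locked.
        return UNIFORM_MSG


def response_is_uniform(lookup_fn, name: str = "Alice Example") -> bool:
    """Defender's self-check on a local copy of the handler: does it give one
    reply for every 4-digit PIN, or does the reply leak the match?"""
    replies = {lookup_fn(name, f"{p:04d}") for p in range(10_000)}
    return len(replies) == 1
```

The uniform reply also avoids the confusion described above, where a bank "pretended" to send mail: the wording says the e-mail goes out only if the details match, so a customer with no address on file knows to contact the bank rather than wait for a message that will never arrive.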

Comment: Re:Is Haselton going to jail? (Score 1) 187

I'm not saying they should disable all automated methods to retrieve your account number, just the method that requires a PIN.

I thought you were saying that you were unhappy because they ignored your brute force attack and report of same and didn't hand you a million award miles.

Remember, I said that the "Forgot your account number?" page lets you retrieve your account number if you enter your name along with any ONE of the following: your e-mail address

So you're perfectly happy if someone can "hack" into a United account by knowing someone's name and email address, but not if they know the name and take up to 10000 guesses at the PIN.

your "old MileagePlus number"

And it's ok to brute force the old Mileage Plus numbers (six digits, IIRC), but not a four digit PIN.

Comment: Re:Licenses (Score 4, Interesting) 119

Are you sure a pilot's license is required? No license is required to fly an Ultralight aircraft.

The definition of "ultralight" includes: "(4) Has a power-off stall speed which does not exceed 24 knots calibrated airspeed." I.e., it must not stall if you go faster than 24 knots. If your fans stop and you're still going 40 knots (74 kph), but you have zero lift, you've stalled. As you fall you will reach terminal velocity. That will probably be more than 24 knots, but you will still have zero lift.

I don't see any technical details other than planned cruise speed, but if it carries more than 5 gallons of fuel or weighs more than 254 pounds dry, it also isn't an ultralight.

If it is an ultralight, the prohibition that it cannot be operated over congested areas of cities, towns, or settlements, or over any open-air assembly of persons makes this a pretty expensive toy.

While there is no legal definition of "congested area", the FAA has said it will be determined on a case by case basis, and cases come about when someone complains. So, if you're flying one of these things over someone's head and they complain, you are going to have to defend yourself.

Comment: Re:Sorry most Americans... (Score 4, Insightful) 119

I wouldn't use it without a parachute either.

A parachute will be particularly useless when the pilot loses control at 100 feet above ground and is headed down at 100 fps. It will be more of a shroud over the body than an actual "save the pilot" device. Its main safety function will be to keep passers-by from tossing their lunch from seeing the mangled splat.

Comment: Licenses (Score 1) 119

And cue the screams of the people who think they can just buy one, strap it on, and ascend to 1km ... without a pilot's license. For yes, even more so than for drones, these will be classified as manned aircraft and there are already tons of federal regulations regarding operations of such.

Comment: Re:Um... Did you actually read the program? (Score 1) 187

Why on Earth aren't you allowed to test brute force attacks against your own account?

Because it isn't your computer and the people who own the computer say you aren't allowed to. Because, while THIS brute force attack may have -- we assume -- little effect on the servers being attacked, other brute force attacks may not be as benign. Because you may not be as good a programmer as you think you are and your "benign" brute force attack may turn out to be quite disruptive. But the main reason is given in the topic sentence of this paragraph.

Comment: Re:Is Haselton going to jail? (Score 1) 187

The thing is, you can't find a brute force attack without testing it.

Of course you can. A four digit PIN is, well, there's only 10,000 possible entries, and you can run through those in a relatively short time.

And this one is so basic that it's mind boggling that even a clueless web designer let it slip through.

Huh? You don't think that United might want to allow their paying customers to be able to recover access to their account in some automated way so they can buy more services from United? This is a design decision, not a simple web-designer screw-up.

Yeah, they could disable an account and force the customer to call a phone number to get it re-enabled, like some websites do. Do you realize how expensive that would be for United to manage? An international company with customers in every time zone on the planet would have to add staff to handle the extra calls.

Oh, oh, they could put a captcha on it. That would stop automated attacks, but with only 10000 possible entries the average number to test would be 5000, and if someone can get a dozen friends to help out and they take a minute for each try that's only 7 hours to break in. Who wouldn't pay good money to have control of Barack Obama's United frequent flier account?

By the way, as a user of United's web system, I can tell you that they already do use captchas to prevent automated access. The captcha system they use is the remarkably unfriendly "select all the pictures that show X" system, and seeing the pictures on a 7" tablet is rather difficult at best. When they do it in a way that cannot be pinch-zoomed, it's stupid. And when they think that every sandwich is a "hamburger" (this morning's captcha) it's ridiculous.

but United's position is, frankly, kinda silly.

United's position is that they will accept reports of brute force attack methods but prohibit the actual testing of those methods on operational systems. That seems kinda reasonable. Their position is that they also don't pay out for a patently obvious brute-force "bug" that has certainly been reported more than once by more than one person. That also seems reasonable.

Comment: Re:Um... Did you actually read the program? (Score 1) 187

I hate Bennet Haselton as much as the next man, but you are actually wrong according to GP's quote from the rules.

He is actually right, according to GP's quote from the rules.

Do not attempt: ... Brute-force attacks.

He attempted a brute-force attack. From the fine summary:

If the site doesn't limit your number of guesses, you can write a script that iterates through all 10,000 possibilities for the PIN until it finds the right one. I wrote a script that did exactly that, ...

So our fine author admitted he did what the rules prohibited. The rules appear quite clear: they will accept reports of how a brute-force attack could be done but prohibit them from being attempted.

Also, do you not imagine that someone might have already reported this "bug" (which it isn't really, it is a deliberately programmed convenience for the UAL customers)? So why should Bennett walk in and get a prize for reporting an obvious and previously reported issue that is a design decision in the first place? Why should United waste their time replying to a douche who duplicated a previous report and admitted that he broke the rules by running a brute force attack against their website?

Whatever else BH is, his blogging is a waste of time and electrons.

Comment: Re:No brute-forcing murky... or clear? (Score 1) 187

There's no brutality in this attack,

Oh for Christ's sake. That's not what "brute" in "brute force attack" means. You are an idiot.

He isn't pushing the system to the limits while going through all the possible values, which is what happens in traditional brute force attacks.

Brute force attacks don't require pushing the system to its limits. Brute force attack means using a blunt object (all possible combinations) instead of a finer method (SQL injection, etc) to gain access.

The ban on that type of attack is to prevent the researchers from overloading the servers.

No it isn't. The ban on getting credit for reporting that type of hack is because it isn't a hack. It is simply using all possible combinations of access credentials until access is granted. It isn't finding a bug.

Comment: Re:No brute-forcing murky... or clear? (Score 1) 187

If a server has an issue with 10k requests at night when nobody is using it over a few hours, then they have much bigger problems!

It is daytime somewhere on the planet all the time, United flies internationally, and there are good reasons why someone even in the US would use the United web system when it is their local nighttime. Your excuse that it was "at night when nobody is using it" is ridiculous. People use it all the time. The interwebs are international in scope, dude.

"At night" doesn't mean it wasn't brute force. Brute force, as another has already pointed out, means "trying all combinations", not "there's only 10,000".

And "brute force" is not a hack, it's script kiddy material. Do you think I should get a million miles just for telling United that hey, I can attach every unattached itinerary to my frequent flier account by brute forcing the record identifier? It's only six characters, so 36 to the sixth power possible values. I can be a multiple-1K with a billion award miles in no time at all!

Comment: Re:obvious solution (Score 1) 175

That sounds like a great system. If you want to fly your drone in controlled airspace, then you should have to have something like that on it.

Nonsense. You shouldn't be in a place where you endanger manned aircraft in the first place.

In the second place, that system depends on ATC providing traffic separation services to the manned aircraft, which they do not do for VFR flights.

Third, it depends on the pilot actually seeing the target to avoid it. Smoky air, turbulence, pilot busy flying and looking for the drop site, not a very good recipe for seeing a small drone before it hits you.

Fourth, it depends on the area having radar service. No radar service, transponders don't do anything. If you are low enough to get good video of the fire, you're probably under the radar coverage area.

And finally, the weight and cost of putting such a system on a DJI Phantom, for example, would make the drone unable to fly.

Last I checked, it was possible to make antennas directional,

Yeah, the directional antennas used for the transponders are those huge spinny things you often see near airports. Actually, the largest spinny thing is the primary radar which depends on the radio echo. The smaller spinny thing mounted on top is the transponder antenna, called secondary radar. Very large and very not portable. You won't have time or ability to set one up near a fire site, and if you did you'd have to worry about coverage. You have to have them in the clear so they can see far enough to be worth it.

It's not a feasible solution to this problem. It's a solution suggested only by people who hate drones to the extent they want to see them eliminated from the skies altogether.

you're being snarky because you're really clever

I'm telling you in a polite way what a ridiculous idea you have and that putting such a transponder on a drone will not keep them out of the way of manned aircraft and will not allow manned aircraft to avoid them. When you are a pilot on a firefighting aircraft you do NOT want to be distracted by trying to identify traffic that may collide with you. THAT IS WHY THEY PUT A TFR UP IN THE FIRST PLACE. It is a big KEEP OUT sign intended to make the operation safe enough to continue. Other aircraft in the area are a hazard for which the only mitigation is to stop flight operations until they leave.

Comment: Re:obvious solution (Score 5, Insightful) 175

A drone sitting over the firefighters or behind them is going to be completely out of the flight line.

Firefighting aircraft do not appear magically directly over a fire and then magically disappear after dumping their loads. They have to get from the landing area to the fire and then back again. As a drone operator, you have NO IDEA what the flight path of the firefighting aircraft will be since they have to consider weather and winds and desired destinations in their planning.

And it's not a "flight line" -- that's the place where the airplanes park.

Yes, there will be exceptions, but you can't make stupid illegal.

You can make "dangerous" illegal. And putting an aircraft into a no-fly zone just to take pictures is not just stupid, it is dangerous -- which is why they put temporary flight restrictions over active fires in the first place.

Comment: Re:Mindless drones. (Score 1) 175

I'm not afraid of a giant forest fire, but I'm terrified of drones.

If you're the pilot of a firefighting aircraft, you understand and mitigate the risks of flying over fires, and through experience those risks and means of mitigation have become reasonably well known. You are not "afraid", you are appropriately cautious.

Drones, on the other hand, are not a well defined risk and can show up in front of you without any notice. Yes, if it means you might crash into an active fire area*, you are scared of drones.

* said areas are typically mountainous and have few readily available landing areas. "Controlled descent into terrain" is the best way to describe the result.

Comment: Re:obvious solution (Score 2) 175

Manned aircraft have to carry transponders and broadcast their license code.

In SOME airspace SOME aircraft have to carry transponders that TRANSPOND to radar interrogation with the code assigned by ATC. It's not a broadcast, it's not a "license code", it's not associated with any specific aircraft until ATC assigns it.

a low-power transponder which can be used to ID them. It could work like active RFID, and only broadcast when ID is requested.

And this would remove the risk of collisions exactly how? "Oh my, there's a drone somewhere in the area. Its ID is ... I guess I can fly right through it because it ID'd itself..."

Comment: Re:No such thing, it's been proven to be a hoax (Score 1) 242

Since they have to charge a lower price to maximize profit while compensating for the tax,

The other examples I listed disprove the claim that companies have to lower prices to "maximize profit". The water rates did not go down here, for example, when taxes were added as line items. The cable bill has never gone down, and certainly not when more taxes were added as line items. My ISP, ditto. My phone bill, ditto. The last hotel room I stayed in gave me the price without taxes, and then added them on after I was standing in the lobby checking in.

And the last airline ticket I priced showed me the prices without tax, and then added the taxes at the end after I had chosen to buy the ticket.

In none of those cases did the companies involved lower their base prices to make up for the taxes -- which meant I was paying them in full. That doesn't mean some companies don't do that, it's just becoming less common as taxes start to show up as specific charges instead of being lumped into the price.

By the way, since the taxes I'm talking about apply to all providers of a specific service (room taxes at a hotel, for example), those providers know that their competitors will be charging their customers more so they don't have to cut prices to compete. Gas taxes are a shining example of this -- they apply to all gas sales and not just to one company. A rising tide lifts all boats, to adapt a phrase.

We have an equal opportunity Calculus class -- it's fully integrated.