
Comment Session Fixation? I don't think so. (Score 5, Interesting) 50

I didn't think my opinion of SC magazine could get any lower, then they publish this!

Despite what TFA says, this is not a session fixation vulnerability, this is simple session hijacking - with the willing cooperation of the 'victim'.

Session Fixation (for those who don't know the term) does not involve stealing the victim's session cookie at all. It is precisely the opposite :-
* The attacker connects to the service without authenticating but creating an application session.
* The attacker accesses the newly created session cookie and somehow (using whatever other vulns or methods available to them) manages to inject that into the victim's browser before they have logged into the target system.
* The victim accesses the target system. Their browser supplies the injected session cookie to the server and it is accepted as an existing session.
* The victim logs in. If the target system is vulnerable to fixation, the victim has just authenticated the session that the attacker created.

The protection against this is for the server to destroy the currently active session and create a new one at the point of successful authentication.

Whilst there are mitigation techniques against session hijacking, they all have their own complications and problems and have varying degrees of effectiveness.
Keeping the session id cookie a secret between the user and server is a fundamental part of web security and a failure at this level has not been demonstrated here.
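The four steps and the fix described in this comment, played out against a toy session store. This is an added example, not code from the comment or from any real web framework; the user, password and cookie handling are constructed, and the mechanism by which the attacker plants the cookie in the victim's browser is deliberately left out, as it is in the comment.

```python
"""Session fixation vs. session regeneration at login: a minimal server model.

Added example, not code from the original comment or from any real product;
the user, password and session layout are constructed for illustration.
"""
import secrets
from typing import Dict, Optional


class SessionServer:
    """Toy web application whose sessions are keyed by an opaque cookie value.

    regenerate_on_login=False reproduces the fixation-vulnerable behaviour;
    True applies the fix: destroy the pre-authentication session and issue a
    new id at the moment the password is accepted.
    """

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, Optional[str]] = {}  # session id -> logged-in user (None = anonymous)
        self.passwords = {"alice": "correct horse battery staple"}  # constructed credential

    def request(self, cookie: Optional[str]) -> str:
        """Any request: keep a known session id, otherwise mint an anonymous one."""
        if cookie is not None and cookie in self.sessions:
            return cookie
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, cookie: Optional[str], user: str, password: str) -> str:
        """Returns the session id the browser should hold after the login attempt."""
        sid = self.request(cookie)
        if self.passwords.get(user) != password:
            return sid
        if self.regenerate_on_login:
            # The fix: the session that existed before authentication is destroyed,
            # so whoever else holds its id holds nothing.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def whoami(self, cookie: str) -> Optional[str]:
        """Which user a presented session id resolves to (None if anonymous or unknown)."""
        return self.sessions.get(cookie)


def fixation_attack(regenerate_on_login: bool) -> Optional[str]:
    """Play the four steps above; returns who the attacker's chosen id resolves to."""
    server = SessionServer(regenerate_on_login)
    # 1. attacker connects without authenticating and receives a session id
    attacker_sid = server.request(None)
    # 2. attacker gets that id into the victim's browser (how is out of scope here)
    victim_cookie: Optional[str] = attacker_sid
    # 3. victim browses: the planted id is accepted as an existing session
    victim_cookie = server.request(victim_cookie)
    # 4. victim logs in while holding that cookie
    victim_cookie = server.login(victim_cookie, "alice", "correct horse battery staple")
    # attacker now presents the id they chose at step 1
    return server.whoami(attacker_sid)
```

With regeneration off, `fixation_attack(False)` shows the attacker's id resolving to the victim's account; with it on, the same id resolves to nothing, because the server threw the pre-login session away at the point of successful authentication.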

Comment Re:MythTV (Score 1) 78

Freesat is a no-go for me - Dave is my comfort channel ;) Also TVs that do DVB-S are a lot less common & more expensive than those that just do DVB-T. TV Aerial plus Ethernet in every room I would ever need a TV seems the best option to me. As the price was almost negligible in comparison to all my other moving & renovation costs, it just wasn't worth doing myself.

BTW, even interior electrics need to be certified by a qualified electrician now. My list of electrical horrors (excluding the expected old/knackered fittings and consumer unit) included :-

* Electrical appliances hard-wired to the mains via the back of plug-sockets (replaced with proper switches).
* Wall plug-sockets wired to the lighting ring.
* Earthing problem on mains ring (requiring a perfectly good wooden floor to be ripped up)
* Broken mains ring (ended up having to drill out through the back of the house and back in elsewhere to avoid having to rip out half of the kitchen)
* Lighting ring switches wired incorrectly.

Please don't mention the plumbing.

Comment Re:MythTV (Score 1) 78

There's no f-ing way I'm getting on the roof!

Even if I did feel confident enough to go up on the roof without breaking my neck, I would have still got someone in to do it, and laziness does not come into the equation. I did not have the time to :-

* Research and source a decent antenna (for what should be a one-time job)
* Figure out the way to actually mount the thing securely (for what should be a one-time job)
* Learn how to align it and get the tools to do so (for what should be a one-time job)
* Do it all again when I realise I have fitted it wrong/got the wrong antenna/booster etc.

Earlier I had an electrician in to re-wire most of the house (good job as it turned out that much of the place was a death-trap) and I had him run data cables and TV coax to the attic for me as it clearly makes more sense to only rip chunks out of the wall the once (yes, I did the cable termination and panels myself). It sounds as though we have similar set-ups.

If you consider that time and effort = money then it quite often makes good economic sense to get a professional in to do the work. I can then use the time to do more productive work. A massive portion of the economy is based on this premise.

Comment Re:MythTV (Score 2) 78

Yeah, that's doable. The extra Myth layer will handle the tuning selection of input card and will function as a network based PVR to boot. It will support DVB-S and C too (though you'd be pretty much on your own in getting DVB-C to work in the UK as Virgin Media are basically the only provider here and they keep things locked up).

Freesat is a good choice, but doesn't have channel 'Dave' which is on Freeview.

Comment MythTV (Score 1) 78

You don't specify if your TV point is an aerial or a cable installation. If it's a cable, you will need to play by their rules for that point.

In most cases, getting an aerial fitted isn't that expensive. When I moved into my current house, I had the old one totally removed and replaced and got a nice signal booster and six way splitter all professionally supplied and fitted for less than £100.

If you'd be happy with the Freeview channels, plug your aerial into a box running MythTV and then use a WLAN to get TV wherever you want in the house.

I'm not sure about your other mentioned channels.

Comment Re:The real story... (Score 1) 175

I'm confused that a politician actually understood the issues before spouting off - isn't that illegal?

Very few sites get my real details, but he missed a few other important ones: banks and insurance companies get correct personal details. I also find it useful to give shops and delivery companies my address but nothing much else.

Comment Re:Not publicly routed doesn't mean unused (Score 1) 399

Most / all of them. A network like the GSI is intended to link and provide services to a large number of separate and autonomous organisations, not all of whom are government organisations or had plans to join the network when their own internal networks were developed. Therefore the use of RFC1918 addresses is unsuitable.

The Wikipedia article talks of the GSI and I would assume that the AC above has a connection to the GCSX. Many other such national networks for varying different uses also exist. I believe that many of them are in the 51 block.

Comment Re:Not exactly... (Score 5, Informative) 98

The server cannot 'recover' the seed from the serial number.

When you buy hardware tokens, you are supplied with a copy of the seeds, associated with the token serial numbers, to import into the server. The SecurID scheme is time based. What is recovered through supplying the serial number and two token-codes (combined with the existing knowledge of the seed) is the current state of the token's internal clock.

The serial number printed on the back of the token is NOT the seed. It is not (to the best of my knowledge and trust in RSA) related to the seed in any way other than the mapping held in the database of the server.

This story is purely sensationalist. The SecurID algorithm has been known for a long time; that token codes can be generated when the seed is somehow compromised is a non-issue. That a software token seed can be recovered given full access to the host is also obvious to anyone reasonably aware of the realities of cryptography.
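A model of the relationship the comment describes between serial number, seed record and token clock. This is an added example, not code from the comment and not the SecurID algorithm: the code generator is an HMAC-SHA256 stand-in chosen for the illustration, and the serial, seed, timestamps and drift are constructed. What it shows is that the serial only ever reaches the seed through the record imported into the server, and that supplying the serial plus two consecutive codes lets the server recover the token's clock offset, nothing more.

```python
"""Time-based hardware token model: seed records, serial numbers and clock recovery.

Added example. The code generator below is an HMAC-SHA256 stand-in (assumption),
not the SecurID algorithm; all serials, seeds, times and drift are constructed.
"""
import hashlib
import hmac
from typing import Dict, Optional

STEP = 60  # seconds per displayed code (assumption)


def token_code(seed: bytes, counter: int, digits: int = 6) -> str:
    """Derive the displayed code from the secret seed and a time counter."""
    mac = hmac.new(seed, counter.to_bytes(8, "big", signed=True), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class HardwareToken:
    """The device: holds its seed and runs its own (possibly drifted) clock."""

    def __init__(self, serial: str, seed: bytes, drift_seconds: int) -> None:
        self.serial = serial        # printed on the back; public
        self._seed = seed           # set at manufacture; never leaves the device
        self.drift = drift_seconds  # how far the token's clock is from true time

    def display(self, true_time: int) -> str:
        return token_code(self._seed, (true_time + self.drift) // STEP)


class AuthServer:
    """Holds the seed records shipped with the tokens, keyed by serial number."""

    def __init__(self) -> None:
        self.seed_records: Dict[str, bytes] = {}
        self.clock_offset: Dict[str, int] = {}  # recovered drift per serial, in steps

    def import_seed_record(self, serial: str, seed: bytes) -> None:
        """The mapping serial -> seed exists only because the vendor supplied it."""
        self.seed_records[serial] = seed

    def recover_clock_state(self, serial: str, code1: str, code2: str,
                            server_time: int, max_drift_steps: int = 1440) -> Optional[int]:
        """Resync: given the serial and two consecutive codes, find the token's clock offset.

        server_time is the server's clock when code1 was shown. The serial yields
        the seed via lookup only; the search recovers the offset, not the seed.
        """
        seed = self.seed_records.get(serial)
        if seed is None:
            return None
        base = server_time // STEP
        for d in range(-max_drift_steps, max_drift_steps + 1):
            if token_code(seed, base + d) == code1 and token_code(seed, base + d + 1) == code2:
                self.clock_offset[serial] = d
                return d
        return None

    def verify(self, serial: str, code: str, server_time: int, window: int = 1) -> bool:
        """Normal login: accept the code for the current step +/- window, using the known offset."""
        seed = self.seed_records.get(serial)
        if seed is None:
            return False
        counter = server_time // STEP + self.clock_offset.get(serial, 0)
        return any(hmac.compare_digest(token_code(seed, counter + w), code)
                   for w in range(-window, window + 1))


def resync_demo() -> Optional[int]:
    """Constructed scenario: a token whose clock runs seven minutes slow."""
    serial = "000123456789"
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")
    token = HardwareToken(serial, seed, drift_seconds=-7 * STEP)
    server = AuthServer()
    server.import_seed_record(serial, seed)  # from the vendor's seed file, not from the serial
    now = 1_700_000_000
    first, second = token.display(now), token.display(now + STEP)
    return server.recover_clock_state(serial, first, second, now)
```

`resync_demo()` recovers an offset of -7 steps for the constructed token; after that, `verify` accepts the token's codes at later times within the usual +/- one step window. Remove the `import_seed_record` call and the serial number resolves to nothing, which is the point the comment makes.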
