
Comment Re: Wait....... (Score 2) 82

Erm, you can refuse to give Signal access to your contacts and it will still work. I just tried it.

You will see phone numbers instead of names, and starting a new conversation is a bit tricky, just like when you don't give WhatsApp your contacts. But it works.

Facebook Messenger doesn't need your phone contacts because it operates on the basis of Facebook contacts and Facebook already has all your Facebook contacts.

Comment Re:Why is this a surprise? (Score 1) 91

Facebook may be evil, but I don't understand why we blame Facebook for this "exploit".

The user grants Website X permission to use their Facebook data. Website X obtains that data. Website X subsequently runs a malicious script on their own website which harvests that data.

Wouldn't this be, like, the fault of Website X?

Network

1.1.1.1: Cloudflare's New DNS Attracting 'Gigabits Per Second' of Rubbish (zdnet.com) 136

An anonymous reader quotes a report from ZDNet: Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Center (APNIC). The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy. "We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post. "We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."

The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1. These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyze the unsolicited traffic directed at them. There was a lot of it. "Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday. By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.

Comment Re: Summary not very helpful, here's my attempt. (Score 1) 120

EXACTLY. The summary is horrible. It made it sound like Google invented a novel technique that makes the KPTI/Variant 3 (Meltdown) mitigation slowdown "negligible". But actually the blog post simply says:

  • They invented a technique called Retpoline that mitigates Variant 2, with negligible performance impact; and
  • When testing KPTI/Variant 3 (Meltdown) mitigation on their own workflows, they found the performance impact negligible.

Comment Re:Edge pitches so funny it hurts (Score 1) 152

FTP pretty much died as mainstream when NAT routers became ubiquitous. Switching from active (PORT) to passive (PASV) ftp on the client side only worked until the FTP servers themselves were also behind a NAT.

If both sides are behind a NAT, HTTP wouldn't work either (without the serious reconfiguration that you mentioned), no?
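The active/passive distinction the comment relies on is easy to see in the actual protocol lines. The following is an added example, not code from the comment's author: it decodes the RFC 959 `h1,h2,h3,h4,p1,p2` encoding used by both the `PORT` command (active mode, server connects to the client) and the `227` PASV reply (passive mode, client connects to the server), and flags the NAT symptom in each direction, namely a data endpoint advertised on a private address that the other side cannot reach. All sample lines and addresses are constructed; the function names and the `sender_ip_as_seen` parameter are this example's own.

```python
"""FTP data-channel endpoint checker (added example; constructed sample data).

Active mode:  client sends 'PORT h1,h2,h3,h4,p1,p2' and the SERVER connects
              to that address. Fails when the client is behind NAT.
Passive mode: server replies '227 ... (h1,h2,h3,h4,p1,p2)' and the CLIENT
              connects to that address. Fails when the server is behind NAT
              and advertises its private address.
"""
import ipaddress
import re
from typing import List, Tuple

_SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges plus loopback: never reachable from the public Internet.
_UNROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def decode_hostport(text: str) -> Tuple[str, int]:
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 encoding into (ip, port)."""
    m = _SIX_TUPLE.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> Tuple[str, int]:
    """Active mode: the client tells the server where to connect for data."""
    if not line.strip().upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(line)


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Passive mode: the server tells the client where to connect for data."""
    if not line.strip().startswith("227"):
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return decode_hostport(line)


def is_unroutable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _UNROUTABLE)


def check_data_endpoint(advertised_ip: str, sender_ip_as_seen: str) -> List[str]:
    """Findings about whether the receiver of a PORT/227 line can reach the
    advertised data endpoint. sender_ip_as_seen is the address the receiver
    sees the sender at on the control connection. Empty list means nothing
    suspicious."""
    findings = []
    if is_unroutable(advertised_ip) and not is_unroutable(sender_ip_as_seen):
        findings.append(
            f"advertised {advertised_ip} is private/loopback but the peer is at "
            f"public {sender_ip_as_seen}; the data connection will fail"
        )
    if advertised_ip != sender_ip_as_seen:
        findings.append(
            f"advertised {advertised_ip} differs from control-connection address "
            f"{sender_ip_as_seen} (typical NAT symptom)"
        )
    return findings


def analyze(line: str, sender_ip_as_seen: str) -> dict:
    """Classify one PORT command or 227 reply and report NAT findings."""
    if line.strip().upper().startswith("PORT "):
        mode, (ip, port) = "active", parse_port_command(line)
    else:
        mode, (ip, port) = "passive", parse_pasv_reply(line)
    return {"mode": mode, "ip": ip, "port": port,
            "findings": check_data_endpoint(ip, sender_ip_as_seen)}


if __name__ == "__main__":
    # Constructed: client behind NAT at 192.168.1.20, seen by the server as 198.51.100.9
    print(analyze("PORT 192,168,1,20,4,1", "198.51.100.9"))
    # Constructed: server behind NAT advertising 10.0.0.5, seen by the client as 203.0.113.7
    print(analyze("227 Entering Passive Mode (10,0,0,5,195,80)", "203.0.113.7"))
    # Constructed: public server advertising its own public address; nothing to flag
    print(analyze("227 Entering Passive Mode (203,0,113,7,195,80)", "203.0.113.7"))
```

The second finding (advertised address differs from the control-connection address) is the general NAT check: it fires even when both sides sit in private space, which the private/public test alone would miss. Running the same check on a packet capture of a failing transfer usually tells you within seconds which side's NAT is the problem.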

Comment Re:Terrible headline (Score 1) 162

You can't really compare this to desktop OSes like Windows or Mac OS.
The security model there is different. All "apps" you run on them are implicitly trusted; there is no security barrier between apps.

You don't need to fake a Gmail login prompt on Windows because you can simply read the memory of the browser or Gmail app and it will gladly give the memory contents including the password to you (if it still has it).

In iOS, each app is supposed to be isolated from the others and from the OS, so this is a big(ger) deal.

Comment Re:Not noticing?? That's bad (Score 4, Insightful) 196

When the break-in first came to light, lots of people criticized Equifax, but a vocal minority said something along the lines of "No system is absolutely secure. We don't know if the hackers used a zero-day vulnerability against Equifax. They could have followed all the security best practices and still be hacked."

My response was "If the past is any guide, every time a major company was hacked, it was eventually traced to vulnerabilities in outdated software that should have been patched months ago. I am going to assume this is the same."

Turns out I was right. Companies never learn.

Comment Re:An error (Score 4, Informative) 142

I believe it was an error. Although HTC does deserve part of the blame.
You see, the "stock keyboard" was actually a third-party app, which is ad-supported by default.
The HTC version is supposed to be a special ad-free version, but somehow during the latest update the app developers pushed the ad-supported version to HTC devices as well.

If anything, this demonstrates the dangers of bundling apps that you don't directly control.
And who's to say the ad-free version doesn't still track the user or collect personal information? If it wants it could collect all your passwords too!
It was really poor judgement on HTC's part to use such an app for a sensitive component like the stock keyboard.
