HackerTrans
TopNewTrendsCommentsPastAskShowJobs

larssorenson

no profile record

comments

larssorenson
·قبل 5 سنوات·discuss
Your concerns aren't unfounded, but they're a bit misplaced. Password managers aren't intended to protect you from a local attacker, on your machine, like the malware you described. It is trivial to capture clipboard contents, as you say, but it's also similarly easy to keylog so your passwords would be exposed either way. If you consider your computer compromised or antagonistic like this, don't use it for anything sensitive.

Password managers are mostly intended to help facilitate unique passwords per account, to avoid password re-use which prevents credential stuffing. That is, if an attacker gets a hold of your password from one website they can't use it to log in everywhere.

Back to your concern, there isn't a solution for Windows in this space at the moment. Malware that's alive in your user context (or Satya forbid, SYSTEM) can do quite a bit thanks to Win32 APIs.
larssorenson
·قبل 5 سنوات·discuss
You're right, it is done. I worded my comment carefully to leave room for this because it's hard to prove a negative, but I stand by my statement, specificay in refuting the implication from the original comment: we aren't haphazardly blasting plant genome with radiation, at scalr, and guessing it's safe enough to feed to the world. I don't have numbers but GMO crops today are by and large the result of non-radiation genetic engineering.
larssorenson
·قبل 5 سنوات·discuss
GMO's are not produced by targeted radiation in the way you have described, at least not as common practice (i.e. the GMO food you buy isn't created this way). GMO crops are generated in two ways: targeted gene modification (with deliberate modifications being made in contrast to the randomness of the radiation method you described) and crossbreeding (which has a more randomized effect but does not involve radiation).

If you look at the [Wikipedia article on genetic engineering techniques](https://en.m.wikipedia.org/wiki/Genetic_engineering_techniqu...) radiation doesn't appear once.
larssorenson
·قبل 6 سنوات·discuss
It's worth drawing the distinction that Steam, as opposed to Apple and their app store, does not hold an exclusive monopoly and cannot dictate where users can install software from. If a Dev doesn't like Steam, there are other publishers and store fronts that they can peddle their wares through. Similarly users can go elsewhere to buy and install, even direct from the manufacturer.

Steam being the de facto choice is another issue entirely, and yet another discussion for their fee structure.
larssorenson
·قبل 6 سنوات·discuss
I had this happen recently with a finance website! Although technically the reverse, it silently stopped logging me in because the password field was changed to use HTML validation to enforce a max length of N, but they had previously accepted my password that was length N+1. Maddening.
larssorenson
·قبل 6 سنوات·discuss
Interesting, I haven't worked with rainbow tables very much since by the time I got into the world of hash cracking it had either been deprecated by salting or wasn't relevant (i.e. NTLM). That is a clever trick of trading back some of the space for extra time; I remember some of the rainbow table file sizes being ridiculous to the point of almost unusable haha.

edit: spelling
larssorenson
·قبل 6 سنوات·discuss
Unfortunately short of forcing everyone to use an ORM I don't see how we can block the unsafe API, which I'm assuming to be the string-based query interface e.g. `conn.query("SELECT * FROM users")` since any interface that accepts a string will allow a dynamically constructed string which lets developers open themselves to injection attacks. Only ORMs AFAIK can prevent this, e.g. db().users.all() or db().users.select(name="bob").

Maybe there's a clever trick I'm missing here.
larssorenson
·قبل 6 سنوات·discuss
Compromising the hash and salt, since they must be stored close together, makes it possible to identify if the salted hash is a password in a corpus of previously compromised passwords. An attacker can do Hash(PW, Salt) for all PW in a list of leaked/cracked plaintext passwords. If they've guessed your password and it's shared across multiple services, lateral compromise. Salting only prevents the rainbow table attacks, where an attacker precomputes all possible hash values for a known keyspace (like, say, 8 alphanumeric length passwords) and just look up for a match. Encryption is concerning because it necessitates the ability to decrypt since they're often inverse operations of each other, and presumably there's a shared key stored somewhere to do the comparison, which means it's likely trivial to recover the password compared to hash cracking and undermines any strength or complexity benefits. This also likely points to other bad behaviors utilizing this "feature", such as helpfully emailing you your plaintext password when you forget it.
larssorenson
·قبل 6 سنوات·discuss
You're probably thinking of the twitter account @justsaysinmice, https://twitter.com/justsaysinmice.

For the uninitiated and otherwise unaware, many studies regarding illnesses, disease, nutrition, exercise, medicine, etc. perform clinical trials with mice. Resultant publications are picked up by news outlets who headline the results, without the caveat that the results were only found in mice. Mice are, notably, not humans and the results don't (in fact, rarely ever) carry over 1:1.