HackerTrans
TopNewTrendsCommentsPastAskShowJobs

aleks224

no profile record

Submissions

[untitled]

1 points·by aleks224·letztes Jahr·0 comments

comments

aleks224
·vor 8 Monaten·discuss
So this would be the first stack overflow after the Morris' fingerd one (well, first one that's widely publicized):

https://seclists.org/bugtraq/1995/Feb/109

> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01) and I've found, that it can be tricked into executing shell commands. Actually, this bug is similar to the bug in fingerd exploited by the internet worm. The HTTPD reads a maximum of 8192 characters when accepting a request from port 80.
aleks224
·vor 8 Monaten·discuss
This was great to read. Related: Morris also discovered the predictable TCP sequence number bug and described it in his paper in 1985 http://nil.lcs.mit.edu/rtm/papers/117.pdf. Kevin Mitnick describes how he met some Israeli hackers with a working exploit only in only in 1994 (9 years later) in his book "Ghost in the Wires" (chapter 33). I tried to chronicle the events here (including the Jon Postel's RFC that did not specify how the sequence number should be chosen) https://akircanski.github.io/tcp-spoofing
aleks224
·vor 10 Monaten·discuss
There's a quote in the bible that says something similar:

"Verily, verily, I say unto you, Except a corn of wheat fall into the ground and die, it abideth alone: but if it die, it bringeth forth much fruit.”

(John 12:24)
aleks224
·letztes Jahr·discuss
This blog post exposes the badness of SMS-based recovery. I think other recovery options such as Yubikey aren't ideal either, as a Yubikey may simply stop working and you're completely locked out. The specific situation the author of the blog post isn't dramatic - he can't receive SMS - personal decision to avoid roaming charges.

But in all seriousness, if there's an authentication recovery standard, it should serve all people including those who are in seriously difficult circumstances (e.g. homeless or ill). The question then is what should recovery look like in those cases.

To me it looks like good old recovery code on paper is the best solution, as it doesn't depend on ever-changing device ports, or hardware malfunction due to lack of use long-term (such as 10-15 years).

I wonder whether authentication apps nowdays address that aspect and make and I kinda doubt so (i.e. can you print out a QR code with all account information in your typical TOTP app?).
aleks224
·letztes Jahr·discuss
Do TOTP authentication apps typically provide recovery codes option? Can they squash all of the added TOTP codes you have in the app into one code?
aleks224
·letztes Jahr·discuss
Some folks claimed it's a LRAD https://en.wikipedia.org/wiki/Long-range_acoustic_device

However, there was no perceptible sound and folks describe it kinetic force that causes a state of panic and rush in the chest.

From the other angle: https://x.com/alef_pendule/status/1900980300093468844