Recent Posts

1952
Living Room / Cloudflare data leak, affecting many sites/services #CloudBleed
« Last post by Deozaan on February 24, 2017, 10:57 AM »
I think you're right that most likely it's not as bad as it seems. And I admit to reading the "news" about it and posting here before having finished reading the incident report itself, so I missed the part that specifically laid out the requirements for the memory leak. I've adjusted the title of the topic and the content of the original post to be less alarming.

Also visit the blog for more information: https://blog.cloudfl...oudflare-parser-bug/

That's what I linked to in my original post. But thanks for the link to the Google report. I had a hard time finding it myself.

I think that people are trying to make this something that it's not.

We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

So if you're not using those features, your site was not going through the bad code.

That seems to be the case, but I think it's not entirely accurate:

Because Cloudflare operates a large, shared infrastructure an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site.

So even if your site doesn't use Cloudflare directly, if it made a request to a site or service that does, then sensitive information from your site could have been leaked.

Also, from the Google report, this is worrisome:

Cloudflare did finally send me a draft [of their incident report]. It contains an excellent postmortem, but severely downplays the risk to customers.

So when I see something like this:

(that’s about 0.00003% of requests)

I have to think that a percentage means nothing to me without knowing how many total requests there were. For an exaggerated example, 0.00003% of 38 quintillion is still quite a lot.
1953
Living Room / Cloudflare data leak, affecting many sites/services #CloudBleed
« Last post by Deozaan on February 24, 2017, 12:13 AM »
Cloudflare released an incident report detailing a recent discovery and patching of a bug which leaked data in rare instances. This leaked data includes passwords and other sensitive information.

Virtually every site that uses Cloudflare was possibly affected, meaning that basically you should change your passwords everywhere and make sure you have 2FA enabled where possible. EDIT: See further replies to this thread for clarification on potentially affected sites.

I'm on mobile so it's too much work for me to make things pretty right now, but here are pertinent links:

Cloudflare incident report: https://blog.cloudfl...oudflare-parser-bug/

List of sites (possibly) affected: https://github.com/p...tes-using-cloudflare
1954
Living Room / SHA1 is dead - First known collision exploit discovered
« Last post by Deozaan on February 23, 2017, 06:53 PM »
Cryptographers refer to the attack disclosed Thursday as an "identical-prefix" collision, meaning it allows the attacker to create two distinct messages that have the same hash value. This variety is less powerful than the "chosen-prefix" MD5 collision carried out by Flame. In the latter case, attackers can target one or more existing files, such as the digital certificate that a company uses to authenticate its update mechanism. Despite the collision against SHA1 being less powerful, cryptography experts said any real-world identical-prefix attack represented a game-over event for a hashing function.

"In crypto we have the idea that hash function collisions should be really hard to find, even if they're 'useless,'" said Johns Hopkins University professor Matt Green, speaking generally about collisions before he learned the specifics of the new SHA1 attack. A real-world collision attack "is the equivalent of finding out that your scalpel wasn't sterilized properly. It may not verifiably have germs on it, but the whole instrument is considered unsafe."

Read more here:
https://arstechnica....unction-is-now-dead/
1955
N.A.N.Y. 2017 / Re: NANY 2017: MMAHW! (Make My Active Hours Work!) - Cancelled
« Last post by Deozaan on February 20, 2017, 07:15 PM »
Wasn't sure where to post this, so this thread seemed most related: Sjc1000 recently linked to an article in the IRC channel which says there will be an update which allows Windows 10 Pro/Enterprise to set Active Hours to 18 hours instead of only 12. So that's an improvement.

https://ctrl.blog/en...windows-active-hours
1956
Living Room / Re: The Keybase Filesystem
« Last post by Deozaan on February 17, 2017, 02:31 PM »
Keybase updated itself today and now I'm stuck on the loading screen again...
1957
Some of it doesn't make sense to me. If they can compel you to unlock your own device, they can also compel you to sign into a device that isn't yours, which will then sync all your data to it.

It's actually a really strong case for not knowing any of your own passwords, period:

I don't know any of my passwords and neither should you

But following the advice in that article still relies on knowing your master password for your password manager. If only there was a way to not even know that! Well, there is:

I know none of my passwords


Somewhat related:

My guide to securing your digital life
1958
Not to get too off-topic, but FWIW I had no problems with the Brave installer. It "just worked" for me. Sorry your experience with it wasn't the same in that regard.

Further discussion about Brave (or other browsers) probably ought to be in a new/different thread to prevent this one from being derailed/hijacked.
1959
General Software Discussion / Re: Windows 10 Announced
« Last post by Deozaan on February 14, 2017, 11:35 AM »
Looking for advice for a Windows 10 laptop that hasn't been used for a couple of months --
should I:

(1) let it update itself (if so, any idea how long that might take, and how I can keep an eye on it)
or
(2) download updates and install manually? (don't even know if that's possible)

Microsoft has been pushing cumulative updates every month or so, which should solve the problem you'd see in Windows 7 or earlier where if you do a fresh install of the OS you then have to download and install years' worth of updates separately.

That said, they have also been updating the ISO for Windows 10 somewhat regularly, so it's not that hard to get a recent version made as installation media. But again, this is just for a fresh install of the OS. I don't know if it's possible to download and install updates manually. I'd do as Ath says, and either let it update itself or manually go to Windows Update and click the "Check for updates" button to kickstart the process.
1960
Living Room / Re: Show us the View Outside Your Window
« Last post by Deozaan on February 13, 2017, 05:46 PM »
... They look very different, don't they?
_______________________________
Um, yeah. At a guess, that's presumably because they are panoramas of the same range of hills, but showing different parts of that range in each shot - right? At first I thought they were back-to-front. It's a huge range. What's its name?


If you look closely you can see the peaks in the center of the second image are on the left of the first image.
1961
Warning on Ghacks: Firefox Focus privacy scandal

First of all: Maybe you missed the update which says their source was full of errors.
Secondly: I've started using Brave quite a bit lately to improve privacy.
1962
That article makes it seem not so bad in the opening paragraph when it talks about it being an exploit for an outdated version of WordPress. Then it says the exploit was fixed only about 2.5 weeks ago.

I do manually check my WordPress sites every so often to make sure they are updated, but that is probably on average about once per month. So yeah, thank goodness for WordPress auto-updates, because if not for that, my sites would probably be vulnerable as well.
1963
Living Room / Re: 21.co - Replace your public email with an inbox that pays you
« Last post by Deozaan on February 10, 2017, 02:10 PM »
Why would anyone want to pay to get in contact with me when they can do it for free?

Surely it works as an anti-spam! :)

Funny you should mention that, because 21.co is a Bitcoin company, and IIRC, a part of Bitcoin (the proof of work) was inspired by Hashcash, which was an anti-spam technique that never caught on.
1964
It has been a year and I've recently given the Brave browser a try again.

On Android it is based on Chrome browser. As such it is fully featured and works well. I like it. Much better than that stupid Link Bubble thing they were using a while ago (which still exists, but is no longer considered Brave proper).

On Windows it is based on I don't know what. Safari? It definitely looks and feels like iTunes/Apple. Clean, minimal, and with the address bar centered in the title bar area (like track info in iTunes). In fact I'm pretty sure I went to a download page for some software--one of those new-fangled ones that auto-detects your OS and directs you to the appropriate link for your OS--and it recommended the MacOS version of their software. It still seems a bit bare bones, but it also seems fast and works well. I'm definitely not using it as my primary (or secondary) browser yet, but for those of you who looked into this a year ago and promptly forgot about it, it may be worth looking into again.

I'm growing increasingly wary of all the tracking going on with everything I do, so I've been putting out "feelers" for alternatives to the many Google products I use all the time. Brave may become a nice alternative. I'm not sure it's there yet, but maybe with time it will be.
1965
Living Room / Re: The Keybase Filesystem
« Last post by Deozaan on February 09, 2017, 07:30 PM »
Thanks for that... probably would have taken me more time to figure that out  ;D

It's not due to any intuition of my own. While trying to figure out the problem, I came across this and decided to give it a try:

There was recently a change in target installation directory, from %APPDATA%\Keybase to %LOCALAPPDATA%\Keybase. Sometimes the migration of settings fails. As a last resort, it should be OK to:

  • uninstall old Keybase + Dokan
  • copy everything remaining from %APPDATA%\Keybase to %LOCALAPPDATA%\Keybase
  • install the latest version from keybase.io
1966
Living Room / Re: The Keybase Filesystem
« Last post by Deozaan on February 09, 2017, 01:13 PM »
Anyone on Windows (10) got the Keybase client working? When I launch it I just see a Loading screen forever.

Keybase Loading.png

EDIT: I got it to work. It seems there was a problem migrating from my old version of Keybase to the latest version. I had to uninstall Keybase, move everything from my AppData/Roaming/Keybase folder into the AppData/Local/Keybase folder, reinstall Keybase, and now it works. :Thmbsup:
1967
Living Room / Re: The Keybase Filesystem
« Last post by Deozaan on February 09, 2017, 01:07 PM »
Cool. Thanks for posting this. I'd have missed it. :Thmbsup:
1968
N.A.N.Y. 2017 / Re: NANY 2017: Oplop for Windows
« Last post by Deozaan on February 09, 2017, 12:40 PM »
For what it's worth, Windows Defender gives it a pass.

But indeed, quite a few (5/18) flags on Jotti as well: https://virusscan.jo...lescanjob/7dg9smisfe

If in doubt, download the source from the original post and compile it yourself in AutoIT after verifying its safety.
1969
So, basically, everyone on the internet was used as a giant "botnet" to teach Skynet how to read, understand voices, and differentiate between objects in an image/video. And it probably sent it all to the NSA at the same time.

:P

But seriously, people using Captcha have trained or are currently training computers (through machine learning) in the following fields:

1. How to read and differentiate between letters/words better than humans can. Improving OCR, etc.
2. How to understand various human voices saying words or letters/numbers. Improving speech-to-text engines (such as that used to transcribe voicemail in Google Voice).
3. How to recognize various objects in photos. Street signs, trees, animals, people, etc.
4. ??? I'm sure the "I am not a robot" version is sending a lot of information about us. What is it training the machine to do with that information? Mimic how a human interacts with a browser?

Really cool! And kind of scary.
1970
Living Room / Re: What books are you reading?
« Last post by Deozaan on February 08, 2017, 02:56 AM »
Questioning the Quran

One of the best ways of learning about Islam would probably be to study the Quran itself - an English or other language translation of it.

Why did you change the title of the book when you quoted Renegade?
1971
Dear Reader, Do 'you' have a Firefox > Titlebar > Bookmarks > Bookmarks Menu :tellme: I don't!

This is what I have in Firefox 51.0.1:

Firefox Bookmarks.png

I don't really know what the Bookmarks Menu is supposed to be or look like, since I don't really use bookmarks at all in Firefox. When I open all bookmarks (Ctrl+Shift+B) I do see a menu item called Bookmarks Menu but it just shows a list of bookmarks, not unlike the Bookmarks Toolbar. So I'm not really sure what the difference is. I guess the menu is what shows up when you click the Star | Clipboard icon?

If you want the Bookmarks Sidebar to show up, click on the clipboard side of the Star | Clipboard icon then click on View Bookmarks Sidebar.

If you want the Bookmarks Toolbar to show up underneath the address bar, click the hamburger menu (three horizontal lines near the top-right corner) and then click Customize. Then select the Show / Hide Toolbars dropdown near the bottom left, and enable Bookmarks Toolbar.
1972
Living Room / Re: DonationCoder Down?
« Last post by Deozaan on February 07, 2017, 07:50 PM »
I use https://uptimerobot.com/ to get down information of important websites including DC  :)

Thanks for sharing that information. Looks useful. :Thmbsup:
1973
Living Room / Re: AI Assistant is just selling gimmick
« Last post by Deozaan on February 03, 2017, 01:28 PM »
For what it's worth, in my small group of acquaintances, I do hear people now and then saying "OK Google..." and asking questions or giving commands. But I think a lot of that is because I remind the people I'm around, "You have a phone, don't you? Ask it."

Generally speaking, I think there needs to be time for people to get used to the idea that talking to their computers (or phones/devices) actually works fairly well and then more time to transition from old habits (typing) to the new habit (speaking). It may even need the upcoming generation being raised with the AI assistants there before they become truly ubiquitous.

I think the older and wiser generation is distrustful of such technology and the invasiveness of it. I'm generally reluctant to give my devices permission to listen in on me. That said, I've been suppressing the klaxons in the back of my mind as much as I can that Google already knows basically everything about me. I use their browser, I use their email service, I send and receive phone calls and texts/IMs through Hangouts & Google Voice, I use their calendar to schedule events, I use Android which tracks my location, I use Chromecast to watch stuff on TV, I use Google Drive for my spreadsheets and documents. And there's probably even more of my personal information out there in Google's hands that I'm overlooking at the moment. All voluntarily and willingly given to them from me.

With the knowledge that they literally own almost everything a person could know about me, it's hard to keep up what must be a facade of concern about an AI assistant gleaning more information out of me. So I use it in some minor ways.

If I'm at my computer, I'll just "Google" something (using Duck Duck Go). But if I'm out on the go, I'll use a phone (someone else's) to "OK Google..." and ask a question. I also often use voice commands to set up an alarm or timer on my device, or other reminders. When it's as easy as "OK Google... Remind me tomorrow at 3PM to [whatever]" there's no excuse to forget anything again. It can be really convenient.

That said, I have no need or even desire for an AI assistant sitting in my house, always listening and waiting, ready to answer questions or play some music for me. If I need questions answered, I'll ask my computer or phone/tablet. If I want music played, I'll play it on my computer or phone/tablet. Maybe if I had a "smart home" and the AI assistant could preheat the oven for me, or turn on the heater/air conditioner or adjust the lights, or whatever, I might make more use of it. But a lot of those are actually things that I would want to be able to do while I'm away from home. So I'm still not sure I'd benefit from a stationary AI Assistant on the bookshelf of my home.
1974
Thanks. I've heard great things about the X-COM series but haven't ever played any of them. :Thmbsup:
1975
DC Gamer Club / Constructor - 24hr giveaway on GOG
« Last post by Deozaan on January 31, 2017, 01:59 PM »
An older game I've never heard of has returned(?) to GOG and they're giving it away to anyone who claims it within the first 24 hours.

https://www.gog.com/game/constructor