An open letter to websites that require your registration, then email you your details, including the password, in cleartext.
Dear cleartext-email password people,
You've got to be fucking kidding me.
Firstly, let's pretend you have some kind of technology that allows you to safely store passwords in cleartext. Let's further pretend that there's a way to safely transmit and store those password through email. Pretending that, why are you sending people the password they just set 30 seconds ago? Do you think they've forgotten already? Do you think they blindly mash the keyboard, in order to keep their password SO SECRET that not even THEY know it? Did you not bother to code a "I forgot my password" function?
Secondly, let's merely pretend you have the magic Safe Storage of Cleartext Passwords technology. Why are you sending cleartext passwords through email? Suppose a Bad Guy gets into the user's email account, whether it's the user's fault [poor password, unattended session, insecure environment] or not [server hack, vulnerable authentication method, session hijacking]. Thanks to the miracle of YOUR technology, all the Bad Guy needs to do is search for "Password:" and now he has your user's account details, along with the details for any other crappy sites just like yours. If the user doesn't choose a different password for every account (and who does? I don't even do that, and here I am writing obscene security rants), the Bad Guy now has a nice user/pass pair to try for more significant services than your crappy site [banks, paypal, etc.]. Thanks for doing your part to deploy Vulnerability In Depth!
Thirdly, let's abandon all pretense and face it: there's no reason for you to store cleartext passwords in your crappy database. I'll let you in on a secret: thanks to time travel, I've come up with a more secure way to do things! I've traveled back in time to the 1970s and brought back a magical pile of voodoo called password hashing. If you want to go nuts, you might even consider salt! [Haha, I do not refer to food in the previous sentence. An explanation of "salt" is here, and an explanation of "nuts" is that you're retarded.]
Fourthly, go to hell. If you actually wrote that code, fuck you. Put some forethought into it. If you merely use that code, fuck you. Don't make your users pay for someone else's stupid mistake.
Love,
Me
Tuesday, January 13, 2009
Dear cleartext-email password people,
Posted by hogg at 4:21 PM 0 comments
Labels: get off my lawn
Thursday, November 27, 2008
__stack_chk_fail_local
So there I was, trying to build SPIKE in an Ubuntu 8.10 VM. GCC gave about 9,000 warnings, then said something like this:
/usr/bin/ld: (blahblahblah)
Since it took me longer than 10 minutes to find the solution, I'm posting it here. The solution is to manually edit the Makefile and add "-fno-stack-protector" to the CFLAGS. Then make clean; make. The end. Happy Thanksgiving.
Posted by hogg at 10:05 PM 0 comments
Friday, October 10, 2008
Saturday, August 30, 2008
libpcap 0.9.8
Because tcpdump.org is shit, and I had to scour pages to the ends of the internet to find this, I'm putting it here in this easy-to-find location. Enjoy the fruits of my labor.
Download libpcap-0.9.8.tar.gz
Posted by hogg at 12:52 AM 0 comments
Wednesday, August 13, 2008
Broadband Speed and Whiny McCryface
Every now and then one of these stories comes along saying "WAAAAAAAAAAAAH, the United States has broadband that's way slower than everyone else in the world!"
Let's ponder this for a moment. Can you think of a reason why Japan, South Korea, and France have more bandwidth on average?
Maybe it's because, compared to the United States, they're THE SIZE OF A FUCKING POSTAGE STAMP?
I mean, I have a network in my living room that has over fifteen fucking times the bandwidth Japan does. It's called a gigabit LAN, and at this rate it'll take Japan a few millennia to catch up to its "speed." The United States will never catch up, largely because the United States is a big bunch of retarded stupidheads (at least that's the implication in most of these articles). What do we even know about the internet, anyway? Like... nothing. We basically copied it from Japan.
Posted by hogg at 10:12 PM 0 comments
Labels: idiots
Thursday, July 17, 2008
Slippery slope
Today, this.
Tomorrow, kids are downloading and printing handbags, TVs, and cars.
(And yes, I most certainly would steal handbags, TVs, and cars, if they cost 100 times what they should and if I could download them for free with a trivially small chance of getting caught.)
Posted by hogg at 3:26 PM 0 comments
Labels: arrrrrrr
Saturday, July 12, 2008
Failing Windows Updates
After installing Service Pack 3 on a Windows XP Pro machine, I needed to download some security updates. After downloading the updates, Windows Update informs me that it cannot install them. I've had this problem before and just reformatted every time it happened, but this time it was personal. It ends up being a simple fix:
Go to Start/Run/cmd.exe
run the following commands:
net stop wuauserv
Finally, run Windows update again.
Posted by kn1ghtmare at 11:16 PM 0 comments
Labels: Windows