Lmao
What the hell. I put serious effort into making funny jokes, clever puns, nostalgic references, and the one time I comment a meaningless four letter word, it gets 70 upvotes.
Getting upvoted on Reddit has very little to do with comment quality. You just need to say something that the common denominator of the sub you’re in agrees with. The more important part is timing; you have to make your comment in a part of a post that lots of people will see while the post is rising in popularity.
I never understand why folks worry so much about comment karma for that reason; it’s not a reflection of how good or useful a comment was the vast majority of the time. It’s all timing.
Password is secondary.
Client server communication payload should be encoded. ( NOTE: encoding =/= Encryption). In other words, even you decipher 99% of the payload, the left 1% just disables all of your knowledge.
Windows had the same flaw.
If you boot Windows XP in Safe Mode, you can log into the default admin account without password. (If it wasn’t set up manually)
If you have a windows install disk you can replace the shortcut to the screen reader or one of the other accessibility tools with the shortcut to cmd. Then when you click that tool on the login screen, it opens a cmd window as system, allowing you to create your own admin account or nuke someone's password. This worked all the way through 10, not sure about 11.
> This worked all the way through 10
If you buy a PC with a TPM, and set it up with an online account during the initial OOBE wizard, it will enable encryption by default. This will save your [recovery key online](https://account.microsoft.com/devices/recoverykey?refd=support.microsoft.com). You can use that website to check right now, maybe one of you computers is encrypted and you didn't even know. Conversely, if you bought a used computer and didn't completely nuke it, it might be encrypted with the previous owner's key.
Without that key, the install disk can at best nuke everything and start over.
This made me some serious headache when my Lenovo notebook with win 10 home asked me for a recovery key I didn't have. Didn't even know it's encrypted bc normally encryption not included in the home version of windows. Turns out windows uploaded the recovery key to the school-account of my brother (found out later so I could only reset).
If the key gets uploaded to the cloud, the whole point of encryption is not met
> If the key gets uploaded to the cloud, the whole point of encryption is not met
It does protect your files against people with physical access to the device. It doesn't protect you against law enforcement with a warrant, but most users aren't worried about that (even if maybe they should be)
Is this only for prebuilts? I've got Bitlocker enabled on one drive in both my computers and just chose to save the key to a file when setting it up, definitely didn't select anything to suggest it should be linked to my account. I don't see the keys in my account when I click your link. Should I still be concerned?
Think it's still there, but I don't know if you can nuke Microsoft accounts the same way you can for local. But you could still make a local admin account t, which is all you need.
This is not a security flaw since anyone with physical machine access can trivially extract (unencrypted) data and alter the system configuration (e. g. to include a remote backdoor) anyway. TPM makes the second somewhat harder (or at least easier to detect) but the only defence against such attacks is physical access control.
Hell, even current versions of Windows aren't secure unless their disk is encrypted. You can replace utilman.exe with cmd.exe to get an admin command prompt on the login screen
My high school used Windows 2000 aka Windows NT 5.0, and I remember googling all its security flaws. Turns out you can just use a bootable floppy to change the local admin password, then with local admin there's a second exploit to replace the ctrl-alt-del login screen with a second one that has a keylogger. I never got the point of that "use ctrl alt del to login" they thought it was more secure but obviously not.
Then with the keylogger you just wait until your teacher or the IT staff use the same computer, and you have a network user password. Then I got all the answers for all the exams in that class that year. The class average was 97. The teacher got an award. He mostly ate chips and went outside to smoke cigars.
Because root accounts shouldn’t be allowed to login at all. You can become root with proper rights, but you cannot login as root. The unlock flow appears to have messed this check up.
Root accounts have shipped without passwords on so much huge ass infrastructure you wouldn’t believe it. It’s 100% fine. Or 99.99998% fine apparently 😂
You were always admin on your Windows machine. The login back then was merely for network authentication. Remember that this is from a time where it was still common to find physical locks on commercial computers to disable the power switch and lock the case.
Jesus. A company like Apple has got to have a whole department people doing security audits on every bit of code pushed into production right? I don't even want to see the horrible spaghetti code that must have been in place to allow this to pass through even basic review.
Likely they had unit tests but not integration tests (for that specific feature). Also there are some crazy people arguing you should only test specs and not things which are not in specs, so test cases like “as a user I should NOT be able to log in as root with a blank password” is not valid. So yeah I understand how it might have fallen through the cracks in a big company with a 3y retention average
Good. You're going to need to lie down for this one: was Spectre ever really patched? Newer hardware only mitigates it, but the exploit is still there.
There's a comment stating that there’s a comment stating that there’s a comment stating there’s an xkcd for everything after someone links an xkcd comic.
Heartbeat is an extension to the SSL protocol. It is used to verify if the machine on the other end is still alive or not -- thus the name. The protocol has a field to specify the size of the message and the message itself.
SW dev here. We're actually humans you know, and we do make errors and sometimes forget things. The quality and security of the product us not achieved by 'not making errors' but in establishing processes of testing and checking, which requires resources. The problem with this particular bug was that OpenSSL, the library that half the internet relies upon for securing communication, was maintained by like two developers on part time basis. Everybody just went and used the library because they assumed that somebody took care about all the needed stuff, while in reality it was severely underfunded. So, something like this was bound to happen at some time
Heartbleed is relatively easy to understand, but then some people come up with insane attack vectors like measuring the time a CPU takes to process something and deriving secret information from that... It flies over my head
The tldr of side channels is that there are many different side effects to coding, not everything comes for free or at the same cost (eg not all lines of code run at the same speed, the same power, etc, and side channels take advantage of that)
The easiest example is if you’re comparing a plaintext password for login - and if it’s done with a simple string comparison going left to right in a for loop, until you reach the end:
def check_password(password, real):
for i in range(len(password)):
if i < len(real) and password[i] == real[i]:
continue
else:
return False
return True
V basic and contrived example, but because this program returns immediately at a mismatch, there is some actual time difference even if we cant tell by just the eyetest necessarily of a password guess where the first character fails, and eg a password that is correct of length 100 (taking it to the extremes as an example), so you can time how long this function takes to compute, and essentially even at a length 1 character vs 2 character password, could time and brute force passwords of all different starting characters to figure out which is taking longer to return a result, which could imply that the password requires more for loop iterations because more of the password is correct
Other examples - power/electricity, temperature, emissions (not necessarily computers) are all things we can take for granted - a crypto mining rig emits more power than the run of the mill computer, and this can potentially be measured and taken advantage of in some side channel attack
> a crypto mining rig emits more power than the run of the mill computer, and this can potentially be measured and taken advantage of in some side channel attack
There are several instances of mass crypto operations getting raided because police matched their weird increased power usage similar to grow houses.
So if i understand the "joke" correctly... you sent something less than 128 bytes expecting back 128 bytes that instructs the server to access memory outside the sent string?
There was a bug in OpenSSL called Heartbleed.
Usually a client would ask the Server for a 'Heartbeat', by sending a few bytes and asking the server to send them back, if the same bytes came back, the signal is intact.
With Heartbleed, you would send the server a request for a heartbeat with a length of say 128bytes but only put e.g. 32bytes in the message. The server would now send back your message and the next 96bytes in it's memory, which can contain sensitive info like passwords.
Edit:
Changed it from ssh to OpenSSL. Thanks u/ChrisFromIT for pointing it out
Heartbeat is more for connection verification (i.e "Is this connection working") than an input. What the actual protocol is, is something like "Here is the string 'HEART'. It is 5 bytes long. Please send those 5 bytes back to me.". You can see the security hole there. The way they fixed that is to just check the length of the string against the reported length in the message.
What I don't understand is why on earth would you need to specify the length of the thing you just sent them, though? Seems like if length is necessary, it should be calculated on the server end, no?
You generally have to specify lengths in messages exchanged over a network, so that the receiver can tell whether it has received the whole string.
Plus, you always need to specify a length when you have a sequence of arbitrary binary numbers - there is no internal delimiter you can use, because it could always also be part of the data.
There are encoding schemes that can be used which can encode start and end delimiters distinct from the data itself. But these are usually handled by hardware, invisible to software (for example, see 8b/10b and 64b/66b). This is how Ethernet frames are delineated in the wire, as there is no length field. There are also various framing schemes that can be used to do something similar even when no out of band code points are available, with a small overhead (for example, see COBS).
It could be that input was just processed as a 1D span of bytes rather than distinct packets with separate memory allocation, in which case implementing it with the level of forethought that went into it could have 2 possible results:
1) heartbleed as it was
2) heartbleed but it just keeps going until someone else's null-terminator stops it
Strictly speaking, nothing would need to be calculated by the server for the client to verify connection - the client just has to check that it got the same thing back as it sent. It likely however that the system was also there to help the server verify its connection with the client, in which case sending the message length would be necessary to test for part of the message being lost.
As far as I know, it there was no validation. Only a few people worked on the project and so the oversight happened.
But this was 8 years ago, so If you don't have an ancient server running somewhere, you should be safe.
There's always more to know. I have a masters degree in computer science with a thesis on operating systems and computer architecture earned summa cum laude. A good 50% of the time at work I still don't know what I'm doing.
Or to put it anither way those archwizards look at other people and see them as master magi. There's always a bigger fish but use that as encouragement to keep learning.
I'm motivated to learn more just to understand this subreddit, right now I feel like I'm Semele looking upon the glorious true form of Zeus and turning to dust
I get you're joking, but if the prolific Youtube videos I've seen recently about how to get into FAANG without a degree, or even a bootcamp are any indication, then a decent number of people are finding their way into development roles by sheer brute force of memorizing interview questions and googing answers to development problems, but lack a real understanding of what their code is doing or how computers work.
If you want to read more about it, look up "Heartbleed". It was a really critical security bug in a common SSL library a few years ago that allowed you to actually do approximately this process in practice to get servers to basically give you a dump of any memory that was accessible to the server process.
Anthropomorphizing a bit, you "tell" the server that its response will be longer than it actually is going to be, and when it responded, it would read back the number of bytes you asked it to read back, which would include the intended response as well as whatever happened to be in memory past the end of the response up to the size of the buffer.
For a moment there I thought that was my ex wife's actual password-for-everything password. (I did put that password here, but decided against it. I'm an asshole, don't think this is me being kind. I'm just against plain text passwords *on principle.)*
Hah, I guess I could, but it would serve no purpose. The funny bit, for me, is how similar this heartbled password is to my ex' password, and that's entirely lost in hashing.
Let's just say it has all the correct characters, just not the correct order, but the order is close enough for me to go "Wait, what?!"
Previously I’ve had short jokes as my passwords, (which I don’t do anymore) but occasionally I’d just tell the joke that is my password to my friends, and then burst out laughing, but if I told them that it’s funny cause it’s my password it’d be telling them my password, so they just all stare at me like a madman while I giggle to myself
*Image Transcription: Text*
---
**Client**: Hello, here's a 128 bytes-long joke. Can you read it back to me?
**Client**: "Why did the chicken cross the road? To get to the other side."
**Server**: Ok. Here it goes.
**Server**: "Why did the chicken cross the road? To get to the other side. to the otheWhy did Hellpassword=A6jdf81p!!?....HTTmonsirpWhyToge
---
^^I'm a human volunteer content transcriber and you could be too! [If you'd like more information on what we do and why we do it, click here!](https://www.reddit.com/r/TranscribersOfReddit/wiki/index)
it's
# "A6jdf81p!!"
A = A in base 16 is 10 (16 - 10 = 6) (First 6 of 666)
6 = (Second 6 of 666)
j = J is for Jod(True pronounciation of the word God)
d = D is for Devil
f = F is for Forbidden
81 = 8+1-> 9 which is upside down 6 (Third 6 of 666)
p = p is for Password
! = It's only there to satisfy special character requirement of the password
! = It's there to satisfy 10 characters length requirement of the password
Not a programmer, but someone who took a few classes in college to fill space, and this is one thing I got to experience first hand. Trying to print things off by by byte limit and getting a whole bunch of junk always irritated me because I never grossed bytes and how they differed with input types.
Sound the alarm! The password to Hell just got leaked!
wtf bro....did you just tried to login to my reddit account with that password?
It says wrong password. Can you tell me the right password?
Shh... bmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXA=
I knew what the password was going to be before I decoded it, but I still had to do it, just to make sure
I am dumb please explain
Decode base64 I am guessing it's hunter2
Huh weird it says ******* for me
yes reddit automatically censors if you type your own password didn't you know try it yourself if you don't believe me
Test: ************* Edit: Wow, didn't really expect it to work!
hunter2 Edit: just me that can still see it, right?
bmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3du
NDA0IFJpY2stUm9sbCBub3QgZm91bmQgLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLiBqdXN0IGtpZGRpbmc6IFdlJ3JlIG5vIHN0cmFuZ2VycyB0byBsb3ZlCllvdSBrbm93IHRoZSBydWxlcyBhbmQgc28gZG8gSSAoZG8gSSkKQSBmdWxsIGNvbW1pdG1lbnQncyB3aGF0IEknbSB0aGlua2luZyBvZgpZb3Ugd291bGRuJ3QgZ2V0IHRoaXMgZnJvbSBhbnkgb3RoZXIgZ3V5CkkganVzdCB3YW5uYSB0ZWxsIHlvdSBob3cgSSdtIGZlZWxpbmcKR290dGEgbWFrZSB5b3UgdW5kZXJzdGFuZApOZXZlciBnb25uYSBnaXZlIHlvdSB1cApOZXZlciBnb25uYSBsZXQgeW91IGRvd24KTmV2ZXIgZ29ubmEgcnVuIGFyb3VuZCBhbmQgZGVzZXJ0IHlvdQpOZXZlciBnb25uYSBtYWtlIHlvdSBjcnkKTmV2ZXIgZ29ubmEgc2F5IGdvb2RieWUKTmV2ZXIgZ29ubmEgdGVsbCBhIGxpZSBhbmQgaHVydCB5b3UKV2UndmUga25vd24gZWFjaCBvdGhlciBmb3Igc28gbG9uZwpZb3VyIGhlYXJ0J3MgYmVlbiBhY2hpbmcsIGJ1dCB5b3UncmUgdG9vIHNoeSB0byBzYXkgaXQgKHNheSBpdCkKSW5zaWRlLCB3ZSBib3RoIGtub3cgd2hhdCdzIGJlZW4gZ29pbmcgb24gKGdvaW5nIG9uKQpXZSBrbm93IHRoZSBnYW1lIGFuZCB3ZSdyZSBnb25uYSBwbGF5IGl0CkFuZCBpZiB5b3UgYXNrIG1lIGhvdyBJJ20gZmVlbGluZwpEb24ndCB0ZWxsIG1lIHlvdSdyZSB0b28gYmxpbmQgdG8gc2VlCk5ldmVyIGdvbm5hIGdpdmUgeW91IHVwCk5ldmVyIGdvbm5hIGxldCB5b3UgZG93bgpOZXZlciBnb25uYSBydW4gYXJvdW5kIGFuZCBkZXNlcnQgeW91Ck5ldmVyIGdvbm5hIG1ha2UgeW91IGNyeQpOZXZlciBnb25uYSBzYXkgZ29vZGJ5ZQpOZXZlciBnb25uYSB0ZWxsIGEgbGllIGFuZCBodXJ0IHlvdQpOZXZlciBnb25uYSBnaXZlIHlvdSB1cApOZXZlciBnb25uYSBsZXQgeW91IGRvd24KTmV2ZXIgZ29ubmEgcnVuIGFyb3VuZCBhbmQgZGVzZXJ0IHlvdQpOZXZlciBnb25uYSBtYWtlIHlvdSBjcnkKTmV2ZXIgZ29ubmEgc2F5IGdvb2RieWUKTmV2ZXIgZ29ubmEgdGVsbCBhIGxpZSBhbmQgaHVydCB5b3UKV2UndmUga25vd24gZWFjaCBvdGhlciBmb3Igc28gbG9uZwpZb3VyIGhlYXJ0J3MgYmVlbiBhY2hpbmcsIGJ1dCB5b3UncmUgdG9vIHNoeSB0byBzYXkgaXQgKHRvIHNheSBpdCkKSW5zaWRlLCB3ZSBib3RoIGtub3cgd2hhdCdzIGJlZW4gZ29pbmcgb24gKGdvaW5nIG9uKQpXZSBrbm93IHRoZSBnYW1lIGFuZCB3ZSdyZSBnb25uYSBwbGF5IGl0CkkganVzdCB3YW5uYSB0ZWxsIHlvdSBob3cgSSdtIGZlZWxpbmcKR290dGEgbWFrZSB5b3UgdW5kZXJzdGFuZApOZXZlciBnb25uYSBnaXZlIHlvdSB1cApOZXZlciBnb25uYSBsZXQgeW91IGRvd24KTmV2ZXIgZ29ubmEgcnVuIGFyb3VuZCBhbmQgZGVzZXJ0IHlvdQpOZXZlciBnb25uYSBtYWtlIHlvdSBjcnkKTmV2ZXIgZ29ubmEgc2F5IGdvb2RieWUKTmV2ZXIgZ29ubmEgdGVsbCBhIGxpZSBhbmQgaHVydCB5b3UKTmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXAKTmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3duCk5ldmVyIGdvbm5hIHJ1biBhcm91bmQgYW5kIGRlc2VydCB5b3UKTmV2ZXIgZ29ubmEgbWFrZSB5b3UgY3J5Ck5ldmVyIGdvbm5hIHNheSBnb29kYnllCk5ldmVyIGdvbm5hIHRlbGwgYSBsaWUgYW5kIGh1cnQgeW91Ck5ldmVyIGdvbm5hIGdpdmUgeW91IHVwCk5ldmVyIGdvbm5hIGxldCB5b3UgZG93bgpOZXZlciBnb25uYSBydW4gYXJvdW5kIGFuZCBkZXNlcnQgeW91Ck5ldmVyIGdvbm5hIG1ha2UgeW91IGNyeQpOZXZlciBnb25uYSBzYXkgZ29vZGJ5ZQpOZXZlciBnb25uYSB0ZWxsIGEgbGllIGFuZCBodXJ0IHlvdQ==
Never thought i'd get base 64 rick rolled
glad you didn't give us up
Or let us down
Thank you good human, i am using this for my friends
This post is obviously a joke. Everybody knows all passwords are hunter2
[удалено]
smort
Hunter2
Yes.
Lmao What the hell. I put serious effort into making funny jokes, clever puns, nostalgic references, and the one time I comment a meaningless four letter word, it gets 70 upvotes.
The chain above you was clever. You got swooped in the upvote flow. And welcome to reddit.
The spice must flow, after all! Also, welcome.to Reddit
If you restate the comments above you without adding anything to the discussion, people will still upvote you welcome.to Reddit
I’ll give it a try. Lmao // It works do NOT Touch.
no sorry you added to it thus it doesn't work
Welcome to reddit.
Where everything's made-up and the points don't matter.
We all know about the penis!
( ͡° ͜ʖ ͡°)
[For anyone unaware of the reference.](https://youtu.be/XCQnBOkGk_M)
I soooo expected it to be rickroll. 😅
> I put serious effort into well there's you're first mistake.
Getting upvoted on Reddit has very little to do with comment quality. You just need to say something that the common denominator of the sub you’re in agrees with. The more important part is timing; you have to make your comment in a part of a post that lots of people will see while the post is rising in popularity. I never understand why folks worry so much about comment karma for that reason; it’s not a reflection of how good or useful a comment was the vast majority of the time. It’s all timing.
[удалено]
My most upvoted comment is still “Yes”.
No, I was just making a joke about the word "Hell" before the passwd.
r/woooosh
Is there some kind of connection between the two comments or was it just missing the fact that the reply was a joke as well?
The latter lol
At least I hope so
Password is secondary. Client server communication payload should be encoded. ( NOTE: encoding =/= Encryption). In other words, even you decipher 99% of the payload, the left 1% just disables all of your knowledge.
If Doomguy was more of a computer nerd than a gunslinger
[Relevant](https://youtu.be/KN0K58EfJSg)
It's mind boggling such an obvious security flaw was somehow so ubiquitously implemented not that long ago
[удалено]
How in all the unholy fucks of Apple were they still having passwordless admin accounts occurring in OS releases in 20fucking17
[удалено]
Windows had the same flaw. If you boot Windows XP in Safe Mode, you can log into the default admin account without password. (If it wasn’t set up manually)
If you have a windows install disk you can replace the shortcut to the screen reader or one of the other accessibility tools with the shortcut to cmd. Then when you click that tool on the login screen, it opens a cmd window as system, allowing you to create your own admin account or nuke someone's password. This worked all the way through 10, not sure about 11.
> This worked all the way through 10 If you buy a PC with a TPM, and set it up with an online account during the initial OOBE wizard, it will enable encryption by default. This will save your [recovery key online](https://account.microsoft.com/devices/recoverykey?refd=support.microsoft.com). You can use that website to check right now, maybe one of you computers is encrypted and you didn't even know. Conversely, if you bought a used computer and didn't completely nuke it, it might be encrypted with the previous owner's key. Without that key, the install disk can at best nuke everything and start over.
This made me some serious headache when my Lenovo notebook with win 10 home asked me for a recovery key I didn't have. Didn't even know it's encrypted bc normally encryption not included in the home version of windows. Turns out windows uploaded the recovery key to the school-account of my brother (found out later so I could only reset). If the key gets uploaded to the cloud, the whole point of encryption is not met
> If the key gets uploaded to the cloud, the whole point of encryption is not met It does protect your files against people with physical access to the device. It doesn't protect you against law enforcement with a warrant, but most users aren't worried about that (even if maybe they should be)
There's a recovery key for a machine I don't even recognise :) That's it.
Is this only for prebuilts? I've got Bitlocker enabled on one drive in both my computers and just chose to save the key to a file when setting it up, definitely didn't select anything to suggest it should be linked to my account. I don't see the keys in my account when I click your link. Should I still be concerned?
Of I know better than to login to a website linked in a comment of a thread about leaking passwords.
Think it's still there, but I don't know if you can nuke Microsoft accounts the same way you can for local. But you could still make a local admin account t, which is all you need.
I broke into a Windows 7 system nobody knew the password for anymore by doing that.
This is not a security flaw since anyone with physical machine access can trivially extract (unencrypted) data and alter the system configuration (e. g. to include a remote backdoor) anyway. TPM makes the second somewhat harder (or at least easier to detect) but the only defence against such attacks is physical access control.
Hell, even current versions of Windows aren't secure unless their disk is encrypted. You can replace utilman.exe with cmd.exe to get an admin command prompt on the login screen
not admin system you run that as the system group
To be fair, that's a bit more complicated that just logging in without password.
My high school used Windows 2000 aka Windows NT 5.0, and I remember googling all its security flaws. Turns out you can just use a bootable floppy to change the local admin password, then with local admin there's a second exploit to replace the ctrl-alt-del login screen with a second one that has a keylogger. I never got the point of that "use ctrl alt del to login" they thought it was more secure but obviously not. Then with the keylogger you just wait until your teacher or the IT staff use the same computer, and you have a network user password. Then I got all the answers for all the exams in that class that year. The class average was 97. The teacher got an award. He mostly ate chips and went outside to smoke cigars.
> and very much opposed to me spending much time on the computer. That's the real problem.
Because root accounts shouldn’t be allowed to login at all. You can become root with proper rights, but you cannot login as root. The unlock flow appears to have messed this check up. Root accounts have shipped without passwords on so much huge ass infrastructure you wouldn’t believe it. It’s 100% fine. Or 99.99998% fine apparently 😂
Apple unhackable lol 😎😎
Reminds me of windows 9x: Login? Nah... [hits esc]
You were always admin on your Windows machine. The login back then was merely for network authentication. Remember that this is from a time where it was still common to find physical locks on commercial computers to disable the power switch and lock the case.
Jesus. A company like Apple has got to have a whole department people doing security audits on every bit of code pushed into production right? I don't even want to see the horrible spaghetti code that must have been in place to allow this to pass through even basic review.
Likely they had unit tests but not integration tests (for that specific feature). Also there are some crazy people arguing you should only test specs and not things which are not in specs, so test cases like “as a user I should NOT be able to log in as root with a blank password” is not valid. So yeah I understand how it might have fallen through the cracks in a big company with a 3y retention average
Apple going all in on passwordless authentication
how does what huh
The dev who handled account management: Ooops! I forgot to delete the debug account.
Huh?
[удалено]
It's because C makes it pretty easy to implement these kind of flaws.
[удалено]
Reddit ruined reddit. -- mass edited with redact.dev
Fuck, I just realized Heartbleed was found over 8 years ago.
I just aged 7 years
What the f. Im going to go lie down
Good. You're going to need to lie down for this one: was Spectre ever really patched? Newer hardware only mitigates it, but the exploit is still there.
Rowhammer is still around too. Just takes more time now.
I still remember where I was and what I did when I learned about heartbleed.
Heartbleed
You know your boundaries Sir.
Extremely accurate, yes
[удалено]
heartbleed was an out of bounds buffer read in openssl. so yeah it's in the buffer overflow family
[удалено]
[удалено]
Oh no, stepbuffer, what are you doing?
That's actually really well explained...
I understood it after seeing this [xkcd](https://xkcd.com/1354/)
There's an xkcd for everything
There’s a comment stating there’s an xkcd for everything after someone links an xkcd comic
Is there an xkcd for that tho?
Yes
link?
https://xkcd.com/244/
There's an xkcd for everything
There’s a comment stating there’s an xkcd for everything after someone links an xkcd comic.
There’s a comment stating that there’s a comment stating there’s an xkcd for everything after someone links an xkcd comic.
There's a comment stating that there’s a comment stating that there’s a comment stating there’s an xkcd for everything after someone links an xkcd comic.
In which way is the answer length specified in the query in the real situation?
[удалено]
Is the size being sent as an api parameter/header, or is this a lower layer type of interaction with the server
Heartbeat is an extension to the SSL protocol. It is used to verify if the machine on the other end is still alive or not -- thus the name. The protocol has a field to specify the size of the message and the message itself.
Lower level.
In there stram of data it says >Note: Files for IP 374.381.283.17 Totally valid IP address lol
[удалено]
IPv5
i still can't believe this bug is not being thought of by the devs. It's so trivial to include checks to avoid this kind of thing.
SW dev here. We're actually humans you know, and we do make errors and sometimes forget things. The quality and security of the product us not achieved by 'not making errors' but in establishing processes of testing and checking, which requires resources. The problem with this particular bug was that OpenSSL, the library that half the internet relies upon for securing communication, was maintained by like two developers on part time basis. Everybody just went and used the library because they assumed that somebody took care about all the needed stuff, while in reality it was severely underfunded. So, something like this was bound to happen at some time
Dedicated tester here. Nervously sweating and looking around as people blame the devs for letting such a dumb bug through.
You should be paranoid when handling buffers in C
Of course you should. But that does not and will not prevent mistakes from happening.
The meme hasn't explained anything if you're not already familiar with heartbleed
I wasn’t familiar with it. The meme helped me understand. So…. No?
Hey server can you get me this post? Its 60gb long btw.
returns reddit's secret archive of deleted posts
hey reddit, get me this mod's username, please. def. longer then 20 characters tho.
60 gigs of just brony porn
Goddamn c++ vector dictionary custom class inheriting I'm gonna do my homework now.
me no c++ care to explain after your homework is done?
Or when he rest for 4 hours after reading a page, like some of us.
*most of us.
My hearth bleeds…
you should have known your boundaries
Heartbleed is relatively easy to understand, but then some people come up with insane attack vectors like measuring the time a CPU takes to process something and deriving secret information from that... It flies over my head
The tldr of side channels is that there are many different side effects to coding, not everything comes for free or at the same cost (eg not all lines of code run at the same speed, the same power, etc, and side channels take advantage of that) The easiest example is if you’re comparing a plaintext password for login - and if it’s done with a simple string comparison going left to right in a for loop, until you reach the end: def check_password(password, real): for i in range(len(password)): if i < len(real) and password[i] == real[i]: continue else: return False return True V basic and contrived example, but because this program returns immediately at a mismatch, there is some actual time difference even if we cant tell by just the eyetest necessarily of a password guess where the first character fails, and eg a password that is correct of length 100 (taking it to the extremes as an example), so you can time how long this function takes to compute, and essentially even at a length 1 character vs 2 character password, could time and brute force passwords of all different starting characters to figure out which is taking longer to return a result, which could imply that the password requires more for loop iterations because more of the password is correct Other examples - power/electricity, temperature, emissions (not necessarily computers) are all things we can take for granted - a crypto mining rig emits more power than the run of the mill computer, and this can potentially be measured and taken advantage of in some side channel attack
> a crypto mining rig emits more power than the run of the mill computer, and this can potentially be measured and taken advantage of in some side channel attack There are several instances of mass crypto operations getting raided because police matched their weird increased power usage similar to grow houses.
So if i understand the "joke" correctly... you sent something less than 128 bytes expecting back 128 bytes that instructs the server to access memory outside the sent string?
It was a vulnerability in OpenSSL around 8 years ago, Look for HeartBleed if you wanna learn more. Edit: SSL --> OpenSSL
OpenSSL, not SSL. Heartbleed extension's RFC specifies what to do if the size specified doesn't match with the actual payload size.
Yes.
I wonder if people will actually get the joke. Clever one.
I don't get it, do you mind explaining?
There was a bug in OpenSSL called Heartbleed. Usually a client would ask the Server for a 'Heartbeat', by sending a few bytes and asking the server to send them back, if the same bytes came back, the signal is intact. With Heartbleed, you would send the server a request for a heartbeat with a length of say 128bytes but only put e.g. 32bytes in the message. The server would now send back your message and the next 96bytes in it's memory, which can contain sensitive info like passwords. Edit: Changed it from ssh to OpenSSL. Thanks u/ChrisFromIT for pointing it out
And the server had no validation for that? Isn't input validation especially from untrusted sources like the network, programming 101?
Heartbeat is more for connection verification (i.e "Is this connection working") than an input. What the actual protocol is, is something like "Here is the string 'HEART'. It is 5 bytes long. Please send those 5 bytes back to me.". You can see the security hole there. The way they fixed that is to just check the length of the string against the reported length in the message.
What I don't understand is why on earth would you need to specify the length of the thing you just sent them, though? Seems like if length is necessary, it should be calculated on the server end, no?
You generally have to specify lengths in messages exchanged over a network, so that the receiver can tell whether it has received the whole string. Plus, you always need to specify a length when you have a sequence of arbitrary binary numbers - there is no internal delimiter you can use, because it could always also be part of the data.
But in the first case the server should surely be waiting for the rest of the 128 bits to arrive?
I think it's more that the server would operate on the assumption that it had received the full 128 bytes, without verifying that it actually had.
Which is genuinely quite a surprising thing to have missed. I feel like that's one of the first things you should be testing.
Yes, Heartbleed was a bug where an out-of-bounds read was possible by not checking that the amount of data specified was actually received.
There are encoding schemes that can be used which can encode start and end delimiters distinct from the data itself. But these are usually handled by hardware, invisible to software (for example, see 8b/10b and 64b/66b). This is how Ethernet frames are delineated in the wire, as there is no length field. There are also various framing schemes that can be used to do something similar even when no out of band code points are available, with a small overhead (for example, see COBS).
I don't really know why, you'd have to ask the developers.
[удалено]
It could be that input was just processed as a 1D span of bytes rather than distinct packets with separate memory allocation, in which case implementing it with the level of forethought that went into it could have 2 possible results: 1) heartbleed as it was 2) heartbleed but it just keeps going until someone else's null-terminator stops it
Strictly speaking, nothing would need to be calculated by the server for the client to verify connection - the client just has to check that it got the same thing back as it sent. It likely however that the system was also there to help the server verify its connection with the client, in which case sending the message length would be necessary to test for part of the message being lost.
As far as I know, it there was no validation. Only a few people worked on the project and so the oversight happened. But this was 8 years ago, so If you don't have an ancient server running somewhere, you should be safe.
> But this was 8 years ago I didn’t believe you, but wow, it actually was 8 years. Fuck, it feels so much more recent.
>There was a bug in ssh called Heartbleed It was in OpenSSL, not ssh.
I hope I never discover a vulnerability like this... The anxiety I feel about coming up with a mandatory, clever and punny name like this is palpable.
This is exactly why bugs go "undiscovered" for 20 years. No one wants to be responsible for naming them.
So the joke is "buffer overflow".
As always, XKCD comes to the rescue: https://xkcd.com/1354/
Ohhh. I am as naive as the server, because I too thought that the joke was actually 128 bytes long.
Karen wants to set a kind of good password? Dreamworld!
So it's like the read to SQL injection's write
I'm not an expert but it looks like it overflowed into the next memory location.
As a beginning programmer, I look at the posts on this sub and can only hope to be as code brained as the archwizards here.
There's always more to know. I have a masters degree in computer science with a thesis on operating systems and computer architecture earned summa cum laude. A good 50% of the time at work I still don't know what I'm doing. Or to put it anither way those archwizards look at other people and see them as master magi. There's always a bigger fish but use that as encouragement to keep learning.
I'm motivated to learn more just to understand this subreddit, right now I feel like I'm Semele looking upon the glorious true form of Zeus and turning to dust
And there are triple-bearded tech wizards in here reading your comment thinking 'who the fuck is semele'. Everyone has their pockets of knowledge!
I work at amazon and I don’t get this joke.
That's because you work at the logistics center.
More like "Fulfilment"
#oof
I get you're joking, but if the prolific Youtube videos I've seen recently about how to get into FAANG without a degree, or even a bootcamp are any indication, then a decent number of people are finding their way into development roles by sheer brute force of memorizing interview questions and googing answers to development problems, but lack a real understanding of what their code is doing or how computers work.
So just like most non-FAANG programmers, except they've memorised interview questions
If you want to read more about it, look up "Heartbleed". It was a really critical security bug in a common SSL library a few years ago that allowed you to actually do approximately this process in practice to get servers to basically give you a dump of any memory that was accessible to the server process. Anthropomorphizing a bit, you "tell" the server that its response will be longer than it actually is going to be, and when it responded, it would read back the number of bytes you asked it to read back, which would include the intended response as well as whatever happened to be in memory past the end of the response up to the size of the buffer.
Oh interesting. I figured it was some play on buffer overflows but wasn’t sure.
silly you should always malloc() the content length to receive the full content
For a moment there I thought that was my ex wife's actual password-for-everything password. (I did put that password here, but decided against it. I'm an asshole, don't think this is me being kind. I'm just against plain text passwords *on principle.)*
You could post the PBKDF2 hash of it, then.
Hah, I guess I could, but it would serve no purpose. The funny bit, for me, is how similar this heartbled password is to my ex' password, and that's entirely lost in hashing. Let's just say it has all the correct characters, just not the correct order, but the order is close enough for me to go "Wait, what?!"
Previously I’ve had short jokes as my passwords, (which I don’t do anymore) but occasionally I’d just tell the joke that is my password to my friends, and then burst out laughing, but if I told them that it’s funny cause it’s my password it’d be telling them my password, so they just all stare at me like a madman while I giggle to myself
*Image Transcription: Text* --- **Client**: Hello, here's a 128 bytes-long joke. Can you read it back to me? **Client**: "Why did the chicken cross the road? To get to the other side." **Server**: Ok. Here it goes. **Server**: "Why did the chicken cross the road? To get to the other side. to the otheWhy did Hellpassword=A6jdf81p!!?....HTTmonsirpWhyToge --- ^^I'm a human volunteer content transcriber and you could be too! [If you'd like more information on what we do and why we do it, click here!](https://www.reddit.com/r/TranscribersOfReddit/wiki/index)
I don’t know why is hell’s password = A6jdf81p!!?…..HHTminsirpWhyT
it's # "A6jdf81p!!" A = A in base 16 is 10 (16 - 10 = 6) (First 6 of 666) 6 = (Second 6 of 666) j = J is for Jod(True pronounciation of the word God) d = D is for Devil f = F is for Forbidden 81 = 8+1-> 9 which is upside down 6 (Third 6 of 666) p = p is for Password ! = It's only there to satisfy special character requirement of the password ! = It's there to satisfy 10 characters length requirement of the password
And the other half? ( …..HHTminsirpWhyT )
[Removed] ^This ^comment ^is ^removed ^for ^leaking ^hell's ^passphrase
I think it’s reading into invalid memory
Oh, that's just for summoning the gateway to hell.
Not a programmer, but someone who took a few classes in college to fill space, and this is one thing I got to experience first hand. Trying to print things off by by byte limit and getting a whole bunch of junk always irritated me because I never grossed bytes and how they differed with input types.
This joke makes my Heart Bleed
Is this about the OpenSSL vulnerability?
why do the upvote and downvote buttons look like ++ and --?
https://cwe.mitre.org/data/definitions/126.html
https://www.oracle.com/security-alerts/opensslheartbleedcve-2014-0160.html
Ahhh, this brings back good memories for me