Admin
Hey! how come you know my PIN?
-tim
Admin
It would have been easier to remember if you'd made it the last three letters of the current day of the week, forwards.[:D]
Admin
Just google
http://www.google.nl/search?l&q=allinurl:backdoor=secret
Admin
Warning: not safe for work (adult content)
Admin
"Oh, come on. What are the odds someone would figure this out? Big deal."
Can I add another vote to the "big deal" pile? Looks like it might just be me and Sean though.
Let's stick another server out there with this hole in it and see how long it takes to get abused. And how come no-one has asked how important the assets behind this are? Maybe it's a 386 with last week's lottery results on? Who gives?
Admin
Well, I figured that if the object types were not the same, it would do a toString() first to compare them.
I looked at the Java source, and Integer can only equal other Integers. Any other object will return false. A BigInteger, Double or Float can not be equal. Not even if they are 0! They are all numbers (minus the string example), but they can not be equal to each other.
I understand the whole numerical precision thing, and maybe they should not be comparable... but there is something about the Java primitive wrappers that bugs me.
Admin
*** quote *** Any dictionary hacker who doesn't try "god", "backdoor", "root" and "admin" as possible usernames deserves a WTF of their own *** quote ***
Careful george, your lack of understanding is showing.
'backdoor' is not a username in this case. Dictionary attacks are not the problem here as someone already tried to explain to you.
Admin
Alex,
Care to provide a link to this guy's "last place"? I'd like to...um...take a look at their website....
-ds
Now THAT IS funny!
Admin
What about
www.domain.com?paula=BRILLANT
[Y]
Admin
Go man!
I am with you!
But, let's not forget the wonderful GOOD that has come from those years and years of Government lies.
I mean, we would not have Velcro if it was not discovered among the wreckage at Roswell!!!!
<tongue in cheek>
Admin
'Hairless Galleries', WTF???
Admin
All I have to say is ... [:S]
Admin
Never happened, but that's why Gnoppix has mount(8) and vim(1)... :)
Admin
Some of us, on the right side of the Atlantic, had been fighting the Nazis since 1939, doing all we could to more than 'slow those nazi [sic] maniacs down a little bit.' Maybe if the US had relaxed its traditional laissez-faire foreign policy earlier, some of the horrors of the Holocaust could have been avoided.
I'm sorry, it just always annoys me when I hear Americans boast about how they 'saved our asses' in WWII. I realise you didn't say that, but just be a bit more careful when you say 'governments didn't do a damn thing'.
Alright, who's up for a rousing chorus of Rule Britannia?
Mark
Admin
Well, we ship an appliance with a web front end; we don't have customers log into our website. So our customers get hardware; they don't come to our site.
We have had customers call us up and ask why we used a particular OS. Since we disabled the screen, the only way to find out the OS is to put the hard drive in a different computer. So we know for a fact that some customers do look at the binaries. Thus we take pains to obscure our binaries (starting by not using Java). We also don't sell to anyone stupid enough to admit they disassembled our box. (Not to mention registering copyrights.)
The backdoor does not work from the web front end. It is on a different port (ssh) that is easy to firewall. In our experience most customers do have it firewalled, removing protection only if we need to debug their machine (presumably if they forget their password as well).
Our password will not appear in any dictionary. Even a computer will not guess it. (Too many digits, and the only way to crack it is to attempt a login. Login intentionally uses a non-optimal password checker so that you cannot brute force the password that way.)
It is not perfect, I will agree, but it isn't that bad, so long as we manage who knows this password carefully.
Admin
Forget your PIN, I want to know how they know the code to my luggage!
Admin
Years ago, I was working as both a sysadmin and doing tech support at a state college. For some reason, I'd been discussing security with one of my non-technical (but quite cute) coworkers, when she interrupted me with, "I have the best password in the world. Wanna know what it is?"
Two conflicting desires: one, to maintain some level of professionalism and say, "No! Don't tell me your password! Ever!" ; two, to satisfy my morbid curiosity. The better angels won out, but I was halfway through my standard "don't ever tell anyone, including me, your password" speech when she cut me off.
"I don't care," she said, cheerily, "I trust you. It's 'peanut.'"
Good on you for the extra credit. Where I was, I had to defend one of my interns when he accidentally discovered that some numbnut in the academic computing department had installed SubSeven on one of Public Safety's computers, and left it running, WITH THE DEFAULT USERNAME AND PASSWORD.
Naturally, that guy is now the head of IT security for the college.
Admin
Also, it should have been "global thermonuclear war." Three words, not four.
Admin
or on his planet's air so nobody can vacuum it out...
Admin
Which guy is now head of IT - the intern or the numbnut? (Do I even need to ask?)
Admin
Better slap a footnote on that post before you get nailed for plagarism there, chief.
http://us.imdb.com/title/tt0086567/quotes
Admin
On 95 & 98 it was the escape key. There's still a workaround on most XP systems. It has you set up an administrator user account with a password on first boot, but it leaves the password of the user "Administrator" blank. So you just reboot into safe mode (if the system uses the XP Welcome screen that hides Administrator), and XP will normally let you log in as Administrator with a blank password, unless the user realized it was blank and changed it.
Admin
Forgot to quote
Admin
Why is that interesting? "12345" is a string and new Integer(12345) is an Integer.
Admin
http://www.insecure.org/nmap/nmap-fingerprinting-article.html
Admin
Actually, they're looking for a 5-dot constellation image that's printed on most currency these days. It consists of a center dot, and 4 dots around it. I believe that if you take the two dots opposite each other and the center dot, they're all in a line.
Of course, this page has even more information on the methods as well -
http://www.cl.cam.ac.uk/users/sjm217/projects/currency/
So it's protection built into the design of the currency, plus software used to detect it.
Time to download a copy of SANE. Open-source scanning libraries and apps are going to get banned soon since they can't incorporate this code...
As for detecting the OS, besides using nmap to identify the OS (a perfectly legitimate use of it; after all, sometimes more interesting services are found that way on network appliances), often the general operation can give away the OS. For example, if web pages start having ".asp" extensions, you can be sure the appliance runs some form of Windows, and if you get cgi-bin/someapp.pl, well, it's likely a Unix flavor of some sort (typically BSD or Linux).
Heck, you don't even need to use nmap! Just use Ethereal and your web browser (or other method) to get the HTTP headers. HTTP headers often leak this information (check out Netcraft, if you don't believe me).
Getting the OS is quite easy without "hacking" into the device.
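The passive fingerprinting described in this post, written out as an added example (not code from the thread or from any product mentioned in it): it pulls the `Server` and `X-Powered-By` headers out of a raw HTTP response and pairs them with the extension of the requested path. The sample responses and header values are constructed for illustration; the product-to-OS and distro mappings are assumptions based on common defaults, and, as the next reply points out, a bare `Server: Apache` cannot tell one Linux distribution from another, which the third sample shows.

```python
"""Passive OS/platform hints from an HTTP response and the request URL.

Added example for the discussion above; sample responses are constructed,
not captured from any real appliance.
"""
import re
from urllib.parse import urlsplit

# Path extensions that hint at the serving platform. Assumption: stock
# server defaults; an operator can hide extensions entirely (see next reply).
EXTENSION_HINTS = {
    ".asp": "Windows (classic ASP)",
    ".aspx": "Windows (ASP.NET)",
    ".pl": "Unix-like (Perl CGI)",
    ".cgi": "Unix-like (CGI, likely)",
    ".php": "unknown (PHP runs on anything)",
    ".jsp": "unknown (Java runs on anything)",
}

# Product names in the Server header that imply an OS family.
SERVER_HINTS = [
    (re.compile(r"Microsoft-IIS", re.I), "Windows"),
    (re.compile(r"Apache", re.I), "Unix-like (usually)"),
    (re.compile(r"nginx", re.I), "Unix-like (usually)"),
    (re.compile(r"lighttpd", re.I), "Unix-like"),
]

# Comment tokens some distro-packaged Apache builds put in parentheses.
DISTRO_HINTS = [
    (re.compile(r"Red Hat", re.I), "Red Hat"),
    (re.compile(r"Mandrake", re.I), "Mandrake"),
    (re.compile(r"Debian", re.I), "Debian"),
    (re.compile(r"Ubuntu", re.I), "Ubuntu"),
    (re.compile(r"FreeBSD", re.I), "FreeBSD"),
    (re.compile(r"Win32|Win64", re.I), "Windows"),
]


def parse_headers(raw_response):
    """Return the response headers as a dict keyed by lowercased name."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(url, raw_response):
    """Combine URL-extension and header evidence into a small hint record."""
    hints = {"url": None, "server": None, "distro": None, "powered_by": None}

    ext = re.search(r"(\.[A-Za-z0-9]+)$", urlsplit(url).path)
    if ext:
        hints["url"] = EXTENSION_HINTS.get(ext.group(1).lower())

    headers = parse_headers(raw_response)
    server = headers.get("server", "")
    for pattern, label in SERVER_HINTS:
        if pattern.search(server):
            hints["server"] = label
            break
    for pattern, label in DISTRO_HINTS:
        if pattern.search(server):
            hints["distro"] = label
            break
    hints["powered_by"] = headers.get("x-powered-by")
    return hints


# Constructed sample responses (assumption: typical header shapes).
SAMPLE_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
SAMPLE_REDHAT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.40 (Red Hat Linux)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_BARE = (          # ServerTokens Prod: product name only
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for url, resp in [("http://appliance/login.asp", SAMPLE_IIS),
                      ("http://appliance/cgi-bin/status.pl", SAMPLE_REDHAT),
                      ("http://appliance/status", SAMPLE_BARE)]:
        print(url, fingerprint(url, resp))
```

The third sample is the interesting one for the thread: Apache's `ServerTokens Prod` setting reduces the header to the product name, so the distro field comes back empty and you are left with the URL and behavioural clues the post mentions. Capturing the raw response with a packet sniffer, as the post suggests, avoids any rewriting a browser might do.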
Admin
Okay, I missed something. The real WTF here would be her explanation of why she thought that was "the best password in the world".
Oh, and she was totally hitting on you, dude. :)
Admin
That can tell you Linux or FreeBSD or Windows, but it cannot tell Mandrake vs. Red Hat. The customer was interested in why we chose Mandrake. They were mad that we chose a motherboard made in Taiwan instead of one made in Korea (where the customer was from, or I should say ex-customer).
While the code was Perl, we had set up the web server so that the .pl was not part of the URL, and the customer made it clear they were reading our Perl code.
Admin
Meh. I usually just rely on keeping an account with privileges to the password file. If you have that, you can go in and 'reset' a password by deleting it, unless a brightboy programmer makes it automatically throw out zero-length passwords.
I once had to go in and hack root on a Unix machine, then run a SQL injection on MySQL so I could get in and change a password on a system where the "administrator" had managed to lose every single password that would allow him to do anything. Then, when I got done, I ended up doubling the bill because they had the audacity to complain that I'd had to take the system down for 10 minutes while I was removing the root password.
Used to know a guy who always installed a rootkit on all the machines he deployed that would email him the root password every time it changed. On the one hand, this is bad and evil; on the other hand, when the jokers routinely forget the root password, and you don't live in the same town... What else can you do?
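The "delete the password field" trick above works because a shadow-style entry with an empty hash field lets the account in without a password unless the login code refuses empty fields. As an added example (not from the thread), here is an audit that walks shadow-format lines and flags such accounts, plus the login-side gate the post alludes to. The sample lines are constructed, the hash strings are placeholders, and the field layout is the standard `name:hash:lastchg:min:max:warn:inactive:expire:flag` shadow format.

```python
"""Find accounts whose password field was emptied (passwordless login) in a
shadow-format file, and show the login-side check that defeats the trick.

Added example; sample entries are constructed and hashes are placeholders.
"""
from typing import List, NamedTuple


class Finding(NamedTuple):
    user: str
    status: str


def classify_hash(field: str) -> str:
    """Classify the second (password hash) field of a shadow entry."""
    if field == "":
        return "EMPTY: passwordless login possible"
    if field.startswith(("!", "*")):        # locked or no password login
        return "locked"
    if field.startswith("$"):               # $id$salt$hash modular crypt form
        return "hashed"
    return "legacy/unknown hash"


def audit_shadow(lines: List[str]) -> List[Finding]:
    """One Finding per non-comment entry; malformed lines are reported too."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append(Finding(f"line {lineno}", "malformed entry"))
            continue
        findings.append(Finding(fields[0], classify_hash(fields[1])))
    return findings


def passwordless_accounts(lines: List[str]) -> List[str]:
    """Usernames that would authenticate with an empty password."""
    return [f.user for f in audit_shadow(lines) if f.status.startswith("EMPTY")]


def stored_hash_usable(field: str, allow_empty: bool = False) -> bool:
    """The 'brightboy programmer' gate: refuse to authenticate against an
    empty stored hash unless the administrator explicitly allowed it (the
    equivalent of pam_unix's nullok option). Locked entries never pass."""
    if field == "":
        return allow_empty
    if field.startswith(("!", "*")):
        return False
    return True


# Constructed sample shadow file (hash values are placeholders, not real).
SAMPLE_SHADOW = [
    "# constructed sample, not a real system",
    "root:$6$saltsalt$placeholderhash:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "backup::19000:0:99999:7:::",            # password field deleted
    "svc:!$6$saltsalt$placeholderhash:19000:0:99999:7:::",
    "broken-line-without-fields",
]

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding.user:>12}: {finding.status}")
    print("passwordless:", passwordless_accounts(SAMPLE_SHADOW))
```

Run this against `/etc/shadow` (as root) after any manual "reset" of the kind the post describes, so the emptied field is found and replaced with a real hash or a lock marker rather than left as a standing backdoor.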
Admin
You mean 1-2-3-4-...5! as a code for your suitcase! ;)
Admin
I see the WTF; it's one that really irritates me:
On the security side: good thing they put a password on their back door. Not sure why they didn't just make it "password", though.
Admin
O, come on, what's wrong with this client-side JavaScript?
Admin
Two questions: First, what is "plagarism"? And, second, wouldn't it be the copyright holder that I would get in trouble with, and not the IMDB? (Although, of course, I did look the exact quote up on IMDB. Anyway, fair use and all that.)
Admin
He also used a pet peeve of mine: redundant null checks. Reverse the equals() and the condition is reduced to
Admin
Look at the code, of course!
Admin
Isn't the first three letters of the day of the week backwards always going to be 'yad' ?
Admin
Please, please, please tell me it wasn't Diebold