Tag: security

The insecurity of security questions

March 14, 2015 / Rowan Rodrik

Another article link from my dusted-over ~jot directory: The Insecurity of Security Questions: Why I met my wife in CWmKryWzuxCSAnMDuIg. [So dusted-over is my ~/jot directory that Tom Moertel, the article’s author, has changed he link schema of his blog without providing redirects. (The slashes in the date turned to dashed.) Cool URLs don’t change, Tom, not according to the W3C and Jacob Nielsen. 😉 ]

Anyway, I am one of those people who randomly generates his (often overly long) passwords, which I store in a strongly encrypted file, but the article provided a great reminder that I should do the same for my answers to ‘security’ questions.

Learning to ‘hack’ with Security Override

March 14, 2015 / Rowan Rodrik

In August 2011, probably while procrastinating learning for my university admission exams, with one mouldy foot still in my IT-past, I signed up for Security Override, an online game designed to turn network security n00bs such as myself into novices.

I’ve never dedicated the 20 hours to learn anything to the game, which I should have spent Josh Kaufman to ascent my n00b-state, but I nevertheless had some solid fun with it. 🙂

Styling visited links for payformystay.com

March 1, 2013 / Rowan Rodrik

I wanted to change the text of visited links on payformystay.com, using CSS. In the offer summary, I wanted to change the link text “Check it out!” with “Check it out again!” after the user had indeed checked out the offer.

An example of a payformystay.com offer where I'd want to replace the 'Check it out!' link text.

I thought I could use something as simple as:

<a href="/offer/34234-title">
  <span class="unvisited-label">Check it out!</span>
  <span class="visited-label">Check it out again!</span>
</a>

together with…

a:link span.visited-label,
a:visited span.unvisited-label {
 :;
}
 
a:link span.unvisited-label,
a:visited span.visited-label {
 :;
}

Or, even simpler:

a:visited {
 : 'Check it out again!';
}

However, I bumped into a glass wall while trying to get this to work. Apparently, browser manufacturers have been removing features to increase security. The problem, apparently, is that as a third party you could find out if somebody has been visiting a particular URL by linking to, styling :visited links and then querying the computed styles of the link. To avoid this, getComputedStyle() in the major browsers now lies and most style rules are ignored within rules applied to the :visited pseudo-class.

I’m still considering a work-around with JavaScript (setting a visited class) on the anchors, because I hate to let a good darling die.

PHP include exploits

November 14, 2010 / Rowan Rodrik

A year ago, my web host thoroughly explained how PHP include vulnerabilities can be exploited, hoping that better user education would leave less member-sites vulnerable to automated attacks by spammer scum.

Gentoo auto-login and startx

June 20, 2010 / Rowan Rodrik

I don’t believe in system passwords if they’re not backup by some type of disk encryption. It’s simply too easy to circumvent by changing a few boot parameters or by inserting a good boot disk. For performance reasons, I’ve decided against using full-disk encryption for my laptop and even against encryption for my home folder. This makes typing in a password to login a mere annoyance. Admittedly, my laptop features a fingerprint reader, but at the time I couldn’t get it to work and it still requires me to type in my username, which I find just as superfluous. Also, fingerprints aren’t that secure either.

For ages now, I’ve just wanted to be automatically logged in and greeted by an X session when I boot, especially since my xdm died after some upgrade about a year ago or so ago. For how much time I spend with this machine, I’m amazed how long it takes me before deciding that logging in in the console and typing startx might be not such a good idea.

(It probably has everything to do with “conditionality”. I tell myself, for example, that before ditching xdm (which is one of the few X login managers which doesn’t support auto login), I first need to get it to work again to make a screenshot of my “cute” configuration. Can’t kill my darlings; never could.)

So fuck all that. I’m too lazy to resurrect my darling, no matter how cute, so I took a look at this and added to following to /etc/conf.d/local.start:

# Start X as user if tty7 is free
! fuser /dev/tty7 >& /dev/null;
    su - bigsmoke -l -c 'exec startx -- vt7 >& ~/.xsession-errors' &

Done. Maybe I’ll also decide to make all my console sessions auto-login, if I can be arsed, that is.

Matriux, a penetration testing and security analysis LiveCD

February 1, 2010 / Rowan Rodrik

Last December, someone pointed me to Matriux. In their own words:

It is a fully featured security distribution consisting of a bunch of powerful, open source and free tools that can be used for various purposes including, but not limited to, penetration testing, ethical hacking, system and network administration, cyber forensics investigations, security testing, vulnerability analysis, and much more. It is a distribution designed for security enthusiasts and professionals, although it can be used normally as your default desktop system.

It comes with a wide arsenal of free software tools to do naughty things to your network. I think I should give it a swing and download it some time.

Tag: security

The insecurity of security questions

Learning to ‘hack’ with Security Override

Styling visited links for payformystay.com

PHP include exploits

Matriux, a penetration testing and security analysis LiveCD

Categories

Tags/Keywords

Recent Posts

Recent Comments