I fail to see how it'd be good for this use - do they require a number of friends or something? I have 4 Facebook accounts for faking out exactly this kind of stuff, but none with any real information.
Presumably most people are not like you and have only one account. The site can make sure you have had an account for at least a year and your sex is female. Otherwise you may want to fake it to get in.
It's the most reliable "easy" way I know to determine this info. I remember an app called Lulu which did the same.
So they didn't bother to check if the add to group message was from someone in the group?
I mean no offense to the developers, but this seems like a fairly basic oversight and quite concerning that respected and popular products didn't get this level of review until now.
No crazy cryptographic mess involving improper ordering of authentication or weird random number generation, this is a simple logic bug. One that I'm sure many of us would have considered if we were implementing it, things like this do get missed too of course, but enough eyes on the design could have caught this.
> One that I'm sure many of us would have considered if we were implementing it, things like this do get missed too of course, but enough eyes on the design could have caught this.
It wasn't a design flaw, it was an insecure-direct-object-reference implementation flaw. IDORs are extremely common, but since the group id is an unguessable 128 bits, the bug can only be used by someone who was already in the group previously to rejoin the group. I'm sure it'll get patched shortly, if it hasn't been already.
For the WhatsApp case, a malicious WhatsApp server could add someone to your group, but everyone in the group would see it.
These bugs are not big deals. The real harm comes from regular people reading articles like the Wired one or the famously wrong Guardian one and switching to much worse alternatives, like SMS or Telegram.
> The real harm comes from regular people reading articles like the Wired one or the famously wrong Guardian one and switching to much worse alternatives, like SMS or Telegram.
I can understand why you give SMS as an example, because it is just plaintext. But why Telegram? As far as I know Telegram is probably better secured than a service like WhatsApp.
Edit: the latter is an assumption from me, I do not have any claims to back this up. That's why I'm asking.
People are in jail because they felt secure using Telegram. It's the kind of people who should be in jail, but nonetheless it is beyond me how anyone could still use it.
Nice method, but for future record you don't really need to mess with mains to hook up Sense or OpenEnergyMonitor, they use inductive current clamps which work by detecting the field around a single terminal of your incoming mains. Pretty much as safe as it gets with this stuff.
30 Rock also pushed Obama a bit if I recall correctly and before the election - but they also cracked a joke about how Tina Fey's character would tell everyone she was voting for Obama but then secretly vote Republican.
And stuff like Wikipedia which runs ad free off donations.
Honestly, I'm okay with that, most info I get is from Wikipedia, scientific papers or tiny random blogs. What sites are you afraid of it killing? Junk news sites? Reddit? I can live without them. I struggle to think of any with significant value.
What makes you think they're unsigned? Surely there's at least some basic checksumming if not cryptographic signatures inside of that blob? There's no reason to even bother with delivering it over https if you put a good signature on the blob itself.
I would assume it does not do those things, or else creating/flashing custom firmware like DD-WRT would presumably be impossible. They could be doing some verification in the firmware itself, but obviously that only saves you from bad downloads - anybody serving you up a malicious firmware can easily just serve one up without the verification checks inside.
Their firmwares for newer devices do indeed include signature support. A malicious firmware on their server will fail the signature check and not be flashed. Signature checks occur only in the flasher, not in the bootloader, but that would require physical access to the device, at which point all bets are off anyways.
Yeah, exactly. And it will be certainly much easier to terraform Mars into a habitable environment, populate it and use it as a starting platform to reach new, fresh, habitable planets in deep space, light-years away – than to agree upon an earthly effort to limit a temperature rise to 1.5 to 2 degrees Celsius by means of some modifications to industrial production and eliminating bad habits.
Maybe Earth becomes a better place when the people who think so have all left for new unearthly frontiers! The sooner the better. I am all in for the new space program!
https://www.wired.com/2014/02/happens-body-mars/ Read up on this topic. It's nice to imagine that we will soon be able to colonize Mars, but we are far from doing so, and making the planet habitable for humans would take much more effort than fixing the one we already have. If the present issues can be fixed, we could lower defense spending and spending in other areas and then focus all that money on space exploration, but as things currently stand, by multitasking we aren't exactly moving forward a whole lot.
Sorry, English isn't my native tongue so I misinterpreted the second part, although it could be just because I'm a little slow on the pickup :v either way it's totally my fault.
Maybe, but remember IPFS nodes can elect to blacklist any given channel, so any given static C&C site here is just as vulnerable as a DNS point or a given static IP address.
There's no blocking functionality in IPFS yet - the plan is to have customizable opt-in blocklists (and allowlists) for content and peers, though, so communities can govern themselves regarding what content is desired and what's not.
https://www.cloudflare.com/ips/
IPv4 space is far too small not to use this. Oftentimes if an attacker has determined your provider in the past, they may be able to leverage that information and scan only nearby ranges.
Other common anti-DDoS proxy bypass tactics:
- direct.* subdomain used to be used by default on CloudFlare for a direct route to the server
- Check headers in outgoing emails for an origin IP (this one gets way too many sites)
- CloudFlare only recently got websocket support - check if their websocket servers are secured or not
- Check for an MX record
- Use DNS bruteforcing tools to attempt to find other services
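
A defender-side check for the leaks listed above, as an added example that is not part of the original comment: it audits an export of your own DNS zone for records (including a `direct.*` host and the MX target) that resolve outside the proxy's ranges. The ranges, hostnames and function names are constructed assumptions; the real ranges come from the provider's published list.

```python
import ipaddress

# Constructed placeholder ranges (documentation networks), standing in for
# the proxy provider's published edge ranges.
PROXY_RANGES = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed zone export: (name, record type, value).
ZONE = [
    ("example.test", "A", "198.51.100.7"),
    ("www.example.test", "CNAME", "example.test"),
    ("direct.example.test", "A", "203.0.113.10"),
    ("mail.example.test", "A", "203.0.113.10"),
    ("example.test", "MX", "mail.example.test"),
    ("ws.example.test", "AAAA", "2001:db8:100::5"),
]

def behind_proxy(addr):
    """True if addr falls inside one of the proxy's ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROXY_RANGES)

def resolve(name, zone, depth=0):
    """Addresses for name using only the zone export, following CNAMEs."""
    found = set()
    if depth > 8:  # guard against CNAME loops
        return found
    for rec_name, rtype, value in zone:
        if rec_name != name:
            continue
        if rtype in ("A", "AAAA"):
            found.add(value)
        elif rtype == "CNAME":
            found |= resolve(value, zone, depth + 1)
    return found

def audit_zone(zone):
    """Return (name, type, address) for every record exposing a non-proxy IP."""
    findings = []
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA"):
            targets = {value}
        elif rtype in ("MX", "CNAME"):
            targets = resolve(value, zone)
        else:
            continue
        findings += [(name, rtype, a) for a in sorted(targets)
                     if not behind_proxy(a)]
    return findings
```

Any finding means the origin address is published in DNS; the origin firewall should in any case accept web traffic only from the proxy's ranges.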