
Security quotes of the week

On the other hand, increasingly difficult CAPTCHA practices can drive humans crazy. "Which pictures do NOT contain traffic signs?" "Confirm this statement, 'there are no images or partial images of automobiles in this set of pictures.'"

Humans may justifiably want to throw their computers through the nearest window when poorly executed CAPTCHAs prevent them from legitimately accessing online services.

Vinton G. Cerf

With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis of the codes Vingcard electronically writes to its keycards, they found a method to vastly narrow down a hotel's possible master key code. They can use that handheld Proxmark device to cycle through all the remaining possible codes on any lock at the hotel, identify the correct one in about 20 tries, and then write that master code to a card that gives the hacker free rein to roam any room in the building. The whole process takes about a minute.
Andy Greenberg in Wired

Samsung Smart TV. During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create accounts with any of them.
The Center for Information Technology Policy at Princeton announces its IoT Inspector project


Security quotes of the week

Posted May 3, 2018 12:10 UTC (Thu) by mattdm (subscriber, #18) [Link] (4 responses)

Hmmmm. That's definitely a pickup truck. Is it a "car", though?

Okay, road signs. That one's a rogue advertisement someone has put up. Not a road sign. Next. Well, this one is in Chinese. It looks road-sign-ish, but not much more than the ad I just rejected....

Find the rivers? That was *definitely* an ocean or sea shore. That's not a river! Why can't I get in? Fine. I'll mark all the things that look moist. Happy now?

Security quotes of the week

Posted May 3, 2018 13:45 UTC (Thu) by fenncruz (subscriber, #81417) [Link]

And should you mark the box if a tiny sliver of a road sign crossed into the box from the next box over?

Security quotes of the week

Posted May 10, 2018 13:57 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

Just had a thread on one of the Pick email lists.

The guy felt forced into using a captcha because it was the only way he could be confident that it was a real human and not an email client at the other end of his confirmation email requests ...

When he sent a confirmation email saying "please click on this link to confirm", a whole bunch of intermediaries - even before the email got to the client - would download the page. And quite often download what any clickable buttons pointed at, so a two-stage "weblink with 'click here' button" didn't work.

As usual, people trying to be clever make it hell for people just wishing things would "work as designed".

Cheers,
Wol

Security quotes of the week

Posted May 10, 2018 14:21 UTC (Thu) by excors (subscriber, #95769) [Link]

I think a button that sends a POST request should usually be safe - the usual convention is that GETs should never have side effects, so various tools will happily send arbitrary GETs to any URL they can find (Googlebot even parses Javascript to find strings that look vaguely like URLs and then requests them), but it would be bad manners if they sent an unsolicited POST.

(Of course there are also spam bots that don't care about manners and will happily POST their spammy messages to any URL they can find, in the hope that it gets published as a comment. But they really shouldn't be finding URLs from an innocent user's emails.)
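The GET/POST split described in the comment above, as an added example that is not part of the original thread: a confirmation endpoint whose GET only renders a button, so a mail scanner fetching the link records nothing, while the POST consumes a single-use token. The `/confirm` path, the function names, the in-memory stores and the sample address are all hypothetical, and the single-use token goes slightly beyond what the comment describes.

```python
import html, io, secrets
from urllib.parse import parse_qs

PENDING = {}       # token -> address awaiting confirmation (hypothetical store)
CONFIRMED = set()  # addresses that a POST has confirmed
FORM = ('<form method="post" action="/confirm">'
        '<input type="hidden" name="token" value="{t}">'
        '<button>Confirm</button></form>')

def issue_token(email):
    """Create the single-use token that goes into the e-mailed link."""
    token = secrets.token_urlsafe(16)
    PENDING[token] = email
    return token

def app(environ, start_response):
    """WSGI app for /confirm: GET only renders the button, POST changes state."""
    method = environ["REQUEST_METHOD"]
    if method in ("GET", "HEAD"):
        # Safe method: scanners and prefetchers may hit this; nothing is recorded.
        token = parse_qs(environ.get("QUERY_STRING", "")).get("token", [""])[0]
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Cache-Control", "no-store")])
        return [FORM.format(t=html.escape(token, quote=True)).encode()]
    if method != "POST":
        start_response("405 Method Not Allowed", [("Allow", "GET, HEAD, POST")])
        return [b""]
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode())
    email = PENDING.pop(form.get("token", [""])[0], None)  # token is single use
    if email is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"unknown or already used token"]
    CONFIRMED.add(email)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"confirmed"]

def call(method, query="", body=b""):
    """Drive the app in-process; returns (status line, response body)."""
    seen = {}
    env = {"REQUEST_METHOD": method, "PATH_INFO": "/confirm",
           "QUERY_STRING": query, "CONTENT_LENGTH": str(len(body)),
           "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(env, lambda status, headers: seen.update(status=status)))
    return seen["status"], out
```

This protects only against fetchers that restrict themselves to GET; a client that submits forms will still trigger the POST.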

Security quotes of the week

Posted May 11, 2018 6:24 UTC (Fri) by micka (subscriber, #38720) [Link]

Well no, on post case bots have a better rate of success on captchas than I do.
Soon captcha will be the perfect way to make sure that it was _not_ a human.

Security quotes of the week

Posted May 3, 2018 19:08 UTC (Thu) by flussence (guest, #85566) [Link]

“Select all squares containing the logo of a tech company complicit in nation-state human rights abuses”...

