Jean-Luc Picard... is back!
When I first read about this two days ago, I was afraid more than anything. I'm absolutely no fan of the recent movies, and Discovery is nice, but... different in not always a good way. I was afraid that they would take the Jean-Luc Picard character I grew up with and turn it into a farce, just like they did with so many other things.
Seeing Patrick Stewart on stage, announcing the news himself, convinces me that this might still be a good thing. I'm now looking forward to this.
Nutella
Serving a Nutella-flavored milkshake in a Nutella jar. Sometimes, good ideas can be so simple. :)
1986
A disastrous year in human history. First there was Challenger. Then there was Chernobyl. Finally, there was... the Cleveland Balloonfest?!?
Everything is better with a bit of salt
I recently posted about a broken email verification process that allowed anyone to opt-in random mail addresses that they themselves don't control to receiving unsolicited marketing emails: https://plus.google.com/+AndreasBartels/posts/Rxqp9A4jCan
I notified the company about their use of a broken process - and they replied, thanked me for the information, and told me that "someone is already working on changing the process (MD5 hash)".
Wondering about the explicit mention of MD5, I tried signing up with a different mail address. The verification URL now contains the query string email=<hexadecimal_string> - and, as expected, the string used there is simply the hash of the unsalted mail address string.
Exploiting the process is still possible, because it contains no secrets - the only difference is that an attacker now needs to generate the MD5 hash of an address before plugging that value instead of the address itself into the verification URL.
Now, this isn't actually a security problem - it isn't possible to log in or reset some password using that URL - but it still is a problem for that company, because they can't prove that someone who receives marketing emails actually opted in to that. Even just salting the address string (putting additional characters only known to the company at the end of the string) would have helped here.
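As an added example (not the poster's code and not the company's implementation), here is the token scheme the post describes next to the salted alternative it recommends. The "additional characters only known to the company" are, in their standard form, the key of an HMAC: the token can then only be produced or checked by a party holding the server secret, so a verification link no longer proves anything about an address it was not issued for. The verification URL layout, the secret and the sample address are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side secret for the example. A real deployment loads it
# from a secrets store; if it leaks, every outstanding token must be rotated.
SERVER_SECRET = secrets.token_bytes(32)


def normalize(email: str) -> str:
    """Canonical form of an address so that case/whitespace variants map to one token."""
    return email.strip().lower()


def weak_token(email: str) -> str:
    """The scheme the post describes: an unsalted MD5 of the address.

    Every input is public, so the token carries no proof that the address
    owner (or anyone in particular) asked for the mail."""
    return hashlib.md5(normalize(email).encode("utf-8")).hexdigest()


def strong_token(email: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed HMAC-SHA256 over the address: the 'salt' is the server secret."""
    return hmac.new(secret, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def build_verification_url(base: str, email: str, secret: bytes = SERVER_SECRET) -> str:
    """Issue a link carrying the address and its keyed token (constructed URL layout)."""
    query = urlencode({"email": normalize(email), "token": strong_token(email, secret)})
    return f"{base}?{query}"


def verify_url(url: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the confirmed address, or None if the token is missing or does not match.

    The comparison is constant-time so the check does not leak how many leading
    characters of a guessed token were correct."""
    params = parse_qs(urlsplit(url).query)
    try:
        email = params["email"][0]
        token = params["token"][0]
    except (KeyError, IndexError):
        return None
    expected = strong_token(email, secret)
    if not hmac.compare_digest(expected, token):
        return None
    return normalize(email)


if __name__ == "__main__":
    addr = "Alice@Example.com"  # constructed sample address
    print("unsalted MD5 token (reproducible by anyone):", weak_token(addr))
    link = build_verification_url("https://example.invalid/verify", addr)
    print("issued link:", link)
    print("verifies as:", verify_url(link))
    print("same link, other key:", verify_url(link, secret=b"not-the-server-secret"))
```

Because the token depends on a secret the recipient never sees, the company can now point at a verified link and say that only its own system could have issued it; a random, stored, expiring token per signup would be stronger still, since it also lets the link be revoked.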
It's been a while...
I haven't posted to this collection for quite some time now, but I think I'm giving it another try. I hope some of you are still with me? :)
With some diagonals coming together, here's a photo of the cupola of the Reichstag building in #Berlin I took last year.
#PhoebusWeeklyInspiration
#PhoebusWeeklyInspiration-158
#Phoebus
Celsius? Fahrenheit?
Forget about that! - Google News finally offers a third option. :D
Creative Naming 101
This lake is called the Middle Lake - obviously, it is located between the Southern Lake to the south-west, and a third one which might or might not be called the Old Lake.
In any case, it's a beautiful location. ;)