

It could be an older codebase that’s using an inline encryption algorithm as opposed to a hash. Using an encryption algorithm with a private key would result in varying length outputs.
It could be an older codebase that’s using an inline encryption algorithm as opposed to a hash. Using an encryption algorithm with a private key would result in varying length outputs.
Proper hashing of a password includes a salt that should be kept private. This means the password should definitely be passed to the server in plaintext. The server adds the salt to the password, then hashes it.
This adds more protection should an attacker somehow manage to get access to your hashed passwords. Even if they identify the type of hashing mechanism used it will prevent the use of rainbow tables, dictionary attacks, etc. against the hashes.
I’d be surprised if that worked these days. They do much more than just a cursory check whenever we go. And they also now scan your membership when you enter, and your photo pops up on their tablets. I’d be curious what would happen if the photo didn’t match…
Probably the companies themselves. I work remotely, and our company provides software phones to remote workers as needed. 99% of the time I don’t need one, but there have been a few times where I’ve needed one for various reasons. So I have one temporarily set up for myself, usually for just a few days. Just about every time I have done that I get random voicemails from frustrated customers who are trying anything to just reach a human.
Wary why? I work remotely in IT and manage a ton of Linux systems with it. Because my company has a large number of remote employees they limit us to Windows or Macs only, and have pretty robust MDM, security, etc. installed on them. Since MacOS is built on top of a unix kernel it’s much more intuitive to manage other unix & linux systems with it.
Personally I haven’t used Windows really since before Windows 10 came out, and as the family tech support department I managed to switch my wife, parents, brother, and mother in-law all to Mac’s years ago as well.
Ugh. I didn’t realize that & haven’t checked out their site in ages…
I just searched for their app in the Apple App Store and it looks like there are at least a few competitors out there now, so if you’re interested in something like this then I’d suggest shopping around to see what alternatives are available.
ANI and CallerID serve two very different purposes. Suppose you managed the telephones for something like an insurance company, where you have lots of customers calling in, but also have lots of employees calling out. You want the Caller ID on your customers phones to show the main # for your company whenever you call them, so it would show something like 1-212-555-1000.
Because the company has a lot of employees, it has 100 individual phone lines, so 100 agents can be on calls at the same time. The phone company actually allocates 100 numbers in that case, and those numbers could be very different than the above -1000 number. So the numbers 1-212-555-7000 through 1-212-555-7099 all belong to the company. Each time an employee makes a call their telephone system finds any one of those numbers between -7000 and -7099 that isnt in use and uses it. The call is billed to that specific number, and the bills for all 100 lines are combined & billed to the company at the end of the month.
If the company couldn’t configure its phones to display 1-212-555-1000 as the Caller ID then customers would see random numbers in the range of -7000 to -7099 any time the company called them.
I’ve never personally used it, but https://www.trapcall.com is a service that can reportedly unmask spoofed/blocked numbers and provide you with the actual number a person is calling from.
I did computer telephony work many years ago and have a general understanding of how this works. Caller ID is trivial to spoof, but there’s an underlying protocol called Automatic Number Identification (ANI) that was historically used for long distance billing when those calls were billed by the minute. Since it involves billing it can’t be spoofed by the caller, and the telephone companies are careful to ensure it’s accurate. What Trapcall apparently does is replace the spoofed Caller ID with the ANI.
DigiCert recently was forced to invalidate something like 50,000 of their DNS-challenge based certs because of a bug in their system, and they gave companies like mine only 24 hours to renew them before invalidating the old ones…
My employer had an EV cert for years on our primary domain. The C-suites, etc. thought it was important. Then one of our engineers who focuses on SEO demonstrated how the EV cert slowed down page loads enough that search engines like Google might take notice. Apparently EV certs trigger an additional lookup by the browser to confirm the extended validity.
Once the powers-that-be understood that the EV cert wasn’t offering any additional usefulness, and might be impacting our SEO performance (however small) they had us get rid of it and use a good old OV cert instead.
Back in the 90’s before the days of Windows 3.0 I had to debug a memory manager written by a brilliant but somewhat odd guy. Among other thing I stumbled across:
If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.
Port 22 is the default SSH port and it receives a TON of malicious traffic any time it’s open to the whole internet. 20 years ago I saw a newly installed server with a weak root password get infected by an IP address in China less than an hour after being connected to the open internet.
With all the bots out there these days it would probably take a lot less time if we ran the same experiment again.
Back in the late 90’s I worked for an internet search company, long before Google was a thing. We would regularly physically drive a dozen SCSI drives from a RAID array between two datacenters about 20 miles apart.
I don’t understand why Cloudflare gets bashed so much over this… EVERY CDN out there does exactly the same thing. It’s how CDN’s work. Whether it’s Akamai, AWS, Google Cloud CDN, Fastly, Microsoft Azure CDN, or some other provider, they all do the same thing. In order to operate properly they need access to unencrypted content so that they can determine how to cache it properly and serve it from those caches instead of always going back to your origin server.
My employer uses both Akamai and AWS, and we’re well aware of this fact and what it means.
Some CDNs like Akamai and Cloudflare have options to optimize images. We use the Akamai one where I work. It means our creative teams, customers, etc. don’t need to worry too much about whether an image is properly optimized when they upload it. Akamai will, behind the scenes optimize the quality, color palette, and image type (jpg, web, png, etc) and create a number of different versions of the images. Then when a client requests the image Akamai looks at the client device (mobile vs desktop, screen resolution, browser version, etc) and serves the copy of the image that’s best optimized for that device.
So even if the URL ends with .jpg you might be sent a .webp. If you use the browsers developer tool to inspect the response headers you’ll likely see the Content-Type header says it’s .webp as well.
The company I work for is mainly an internet presence with a valuation in excess of $100 million. The number of emails we get offering somewhere around $5000 for our domain name is absurd…
Came here to say exactly this. Gaff tape is made out of a cotton cloth material. This is clearly plastic, so duct tape, which is very different.
Yeah but then you’re even more stuck because now the truck is stuck as well…
It definitely needs to be private. If an attacker can obtain both the password hashes and the salt(s) (via the same database vulnerability for example) then they have everything they need to run offline attacks against the passwords.