• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

All your WiFi devices are broken, Android/Linux devices particularly devastated

KaoteK

KaoteK

Member
So my one plus 3t was updated at the end of last month. I should be ok right? (Googling doesn't seem to give me any answers)
 
EviLore

EviLore

Expansive Ellipses
Staff Member
Somnid said:
It did, but the ad network Evilore does business with had issues with it. Gotta pay the bills, but I wish he would dump them for someone else.
Click to expand...

I did in fact ditch that prohibitive ad partnership back in spring 2016 instead of paying the bills, haha, in large part so that site-wide HTTPS could be viable for all NeoGAF visitors by default. Without parting ways with our ad partners there, full HTTPS browsing would've only been possible for ad-free premium subscribers, and the notion of paywalling HTTPS *really* bothered me (especially after we put in all the work to deploy it as a standard feature and I announced it as such).

You must've missed those few straight months of me being completely delirious from sleep deprivation while I rebuilt our in-house ad solutions from the ground up...live...in the middle of an emerging adblock crisis. ;b

Anyway, long story long, our current ad pipeline *is* HTTPS-compliant and hypothetically ready for action on that front, but this pain-in-the-balls EoL forum platform is teetering precariously on a pile of duct tape and custom mods and isn't viable to update anymore. We'll be migrating to a new forum architecture pretty soon, though, so HTTPS is still en route.
 
J

jellies_two

Member
You can at least change the login post to be https ?
Only takes a bit more duct tape?
I know the cookie is still http after login so could be hijacked but you can at least say the password isn't ttansmitted in the clear (even if its actually vbulletin hashed now).
 
S

sangreal

Member
jellies_two said:
You can at least change the login post to be https ?
Only takes a bit more duct tape?
I know the cookie is still http after login so could be hijacked but you can at least say the password isn't ttansmitted in the clear (even if its actually vbulletin hashed now).
Click to expand...

the password is hashed before being submitted to the login page (not sure if that is what you meant, or just the cookie)
 
M

M3d10n

Member
EviLore said:
I did in fact ditch that prohibitive ad partnership back in spring 2016 instead of paying the bills, haha, in large part so that site-wide HTTPS could be viable for all NeoGAF visitors by default. Without parting ways with our ad partners there, full HTTPS browsing would've only been possible for ad-free premium subscribers, and the notion of paywalling HTTPS *really* bothered me (especially after we put in all the work to deploy it as a standard feature and I announced it as such).

You must've missed those few straight months of me being completely delirious from sleep deprivation while I rebuilt our in-house ad solutions from the ground up...live...in the middle of an emerging adblock crisis. ;b

Anyway, long story long, our current ad pipeline *is* HTTPS-compliant and hypothetically ready for action on that front, but this pain-in-the-balls EoL forum platform is teetering precariously on a pile of duct tape and custom mods and isn't viable to update anymore. We'll be migrating to a new forum architecture pretty soon, though, so HTTPS is still en route.
Click to expand...

STOP THE PRESSES! BIG SCOOP!!!
 
Blam

Blam

Member
EviLore said:
I did in fact ditch that prohibitive ad partnership back in spring 2016 instead of paying the bills, haha, in large part so that site-wide HTTPS could be viable for all NeoGAF visitors by default. Without parting ways with our ad partners there, full HTTPS browsing would've only been possible for ad-free premium subscribers, and the notion of paywalling HTTPS *really* bothered me (especially after we put in all the work to deploy it as a standard feature and I announced it as such).

You must've missed those few straight months of me being completely delirious from sleep deprivation while I rebuilt our in-house ad solutions from the ground up...live...in the middle of an emerging adblock crisis. ;b

Anyway, long story long, our current ad pipeline *is* HTTPS-compliant and hypothetically ready for action on that front, but this pain-in-the-balls EoL forum platform is teetering precariously on a pile of duct tape and custom mods and isn't viable to update anymore. We'll be migrating to a new forum architecture pretty soon, though, so HTTPS is still en route.
Click to expand...

I will be waiting for that new forum arch very eagerly
 
I

Izayoi

Banned
As long as we still get the sweet mobile mode, I'm a happy camper.

On topic: I'm glad I have 4G until my phone gets a patch, but the size of this vulnerability is just immense.
 
F

FLAguy954

Junior Member
Somnid said:
It did, but the ad network Evilore does business with had issues with it. Gotta pay the bills, but I wish he would dump them for someone else.
Click to expand...

This. I can't even login/post on GAF at work because it is deemed as 'not secure' since it's HTTP instead of HTTPS.

On topic - I'm happy software like LineageOS (14.1) exist for those of us with phones that don't get updates past the first year. Having a 10/5/2017 security patch on my Axon 7 just shows one of the many advantages of rooting a phone.
 
J

jellies_two

Member
sangreal said:
the password is hashed before being submitted to the login page (not sure if that is what you meant, or just the cookie)
Click to expand...
It's hashed via a standard vb function then transmitted in clear which is bad because vbulletin hashes suck:

https://www.troyhunt.com/data-breaches-vbulletin-and-weak/

I think It should be sent via https just for the login form, then that URL redirects back to http if that's what the site must stick with. That way the post action is encrypted, but the ads remain http.

It is unclear to me why, if ad serving is bad over https, then a rewritten forum would help. Ad networks that plug ads into boxes on a page are either working well over https or not?
 
R

Random Human

They were trying to grab your prize. They work for the mercenary. The masked man.
I just got a notification for an iOS update - will that address this?
 
R

Random Human

They were trying to grab your prize. They work for the mercenary. The masked man.
Primus said:
Negative. That update is most likely 11.0.3, and the fix will be in 11.1 (currently in beta, release due in the next couple weeks).
Click to expand...
Gotcha, thanks! Guess I’ll just keep waiting.
 
B

Big Green Anus

Member
Do we need to get new routers? I have Fios internet, which uses Verizon's routers, so I'm not sure if they would update them. I wish buy any wireless router for Fios, but I think you have to use Verizon's router to the Moca or something like that :(
 
B

Brian Griffin

Member
From what I'm reading it says Android 6.0+ is affected. Sooo since I've been declining the update install every day for 2 years now (because Lolipop would have broken Puzzle and Dragons and then I just kept doing it after they updated the game) and I'm still on Android 4.4.4, is my phone safe?
 
S

sangreal

Member
Big Green Anus said:
Do we need to get new routers? I have Fios internet, which uses Verizon's routers, so I'm not sure if they would update them. I wish buy any wireless router for Fios, but I think you have to use Verizon's router to the Moca or something like that :(
Click to expand...

1) You definitely don't need to use Verizon's router. You can use any MoCa bridge. You lose some features like remote DVR though
2) I don't think their routers support the features that need to be patched on the AP side, but they do put out pretty regular (automatic) updates so I wouldn't worry about it
 
A

Alphahawk

Member
Brian Griffin said:
From what I'm reading it says Android 6.0+ is affected. Sooo since I've been declining the update install every day for 2 years now (because Lolipop would have broken Puzzle and Dragons and then I just kept doing it after they updated the game) and I'm still on Android 4.4.4, is my phone safe?
Click to expand...

No, it's easier to exploit on higher level Androids but all Androids are affected.
 
G

Grimm Fandango

Member
So what information exactly is available to these hacks? If I'm already logged into GAF on my phone and sign into the network, will they see my password? Or is it only if I log in and have to enter my password? Are viruses and Trojans able to get into my phone much easier?
 
You must log in or register to reply here.

Similar threads

PlayStation’s first Remote Play dedicated device, PlayStation Portal remote player, to launch later this year at $199.99
13 14 15 16 17
846
36K
mckmas8808 replied
How Nacon, The Publisher of The Sinking City, Cracked and Pirated The Game
32
5K
ManaByte replied
  • Locked
Hide yo Wifi, new wireless Android/iOS exploit allows for fatal phone hijacks
14
4K
Coreda replied
RetroArch 1.8.2 (and onwards)
2 3 4
192
39K
Teslerum replied
  • Locked
O-MG, It's time for Android O (Dev Preview)
2
73
7K
Pyrokai replied
Top Bottom