• 0 Posts
  • 121 Comments
Joined 3 years ago
cake
Cake day: July 29th, 2023

help-circle
  • Very critical. GNOME and KDE have two very different UX paradigms.

    Usually people used to Windows opt for KDE, and Mac or older Ubuntu users opt for GNOME.

    The thing is though, a golden standard DE can easily be setup to act as both. XFCE is so customizable that I’ve seen both DE types setup as UNIX like or Windows like workflow.

    I’m not sure if KDE or GNOME can do the same because I’m pretty sure they focus on a target audience.

    What are your issues with KDE exactly? I always hated GNOME’s lack of standard window buttons and handling multiple windows in a Mac like fashion. Also the app menu which gives me flashbacks of ChromeOS.


  • I tried protonmail not for the privacy purpose but just to have a normal web email client.

    After wasting an hour before finding out you can’t disable the “sent from protonmail” footer without manually deleting it in each draft you make, I said screw it and deployed my own email server with stalwart lol.

    It’s receive only because outgoing SMTP is a pain to make reliable these days and my ISP blocks outgoing SMTP anyway, but for everything else I now use Thunderbird.












  • This one is funny because it 100% still exists somewhere, but I haven’t had the chance to verify it again.

    Okay so basically its a data recorder box (ex: brainbox) that connects to a bunch of industrial sensors and sends the data over the network with your preferred method.

    Builtin firmware gives you an HTTP webui to login and configure the device, with a user # and password.

    I think the user itself had a builtin default admin which was #0, which everyone uses since there wasn’t really much use for other users.

    Anyway, I was looking at the small JS code for the webui and noticed it had an MD5 hashing code that was very detailed with comments. It carefully laid out each operation, and explained each step to generate a hash, and then even why hashes should be used for passwords.

    Here’s the kicker: It was all client side JS, so the login page would take your password, hash it, and then send the hash over plaintext HTTP POST to the server, where it would be authenticated.

    Meaning you could just mitm the connection to grab the hash, and then login with the hash.

    I sat there for like 10 minutes looking at the request over and over again. Like someone was smart enough to think “hey let’s use password hashing to keep this secure” and then proceeded to use it in the compleltly wrong way. And not even part of like a challenge/handshake where the server gives you a token to hash with. Just straight up MD5(password).

    It was so funny because there were like a hundred of these on a network, so getting a valid hash was laughably easy.

    I never got to check if this was fixed in a newer firmware version.