--- Log opened Sun Mar 19 00:00:30 2023
10:48 < Warcop> i get my certs from VanDownByTheRiver
14:29 <@Dagmar> Later tonight I'm going to go test and see whether or not Hulu support _lied_ (like I'm pretty fuckin' sure they did)
14:29 <@Dagmar> They _claimed_ they got some developers to fix the problem
14:29 <@Dagmar> On a Saturday
14:29 <@Dagmar> ...and yet, before she went to bed, my wife _again_ had to reset her Hulu password.
14:30 <@Dagmar> I think some malicious actor is actually engaging in ongoing abuse of their bad security practice
14:30 <@Dagmar> Either that or their shit is so broken it's not storing credentials properly at all
14:31 <@Dagmar> Frankly I'm surprised I can logout and log back into the account right now
14:32 <@Dagmar> Just the same, it's fairly shameful that they've done something this dumb
14:32 <@Dagmar> If you get the account password wrong more than a handful of times, it locks the _real_ password
14:47 < Warcop> i'm thinking I've seen that elsewhere too
14:56 <@Dagmar> It's literally the wrong response
14:57 <@Dagmar> The practice fails on Availability, because it allows an attacker to change the state of the protected resource and force the legitimate user to go reset their password
14:57 <@Dagmar> If someone has a serious beef with a specific person they can just spin up a script and start slamming auth through Tor and the user won't be able to login at all
14:57 <@Dagmar> It took me less than 30 seconds to force a password lockout yesterday when I tried
14:58 <@Dagmar> That was doing it _by hand_
18:20 <@jb7od> https://en.wikipedia.org/wiki/Skyglobe Neat.. (Graham Hancock uses it lol)
18:20 < PigBot> Skyglobe - Wikipedia (at en.wikipedia.org) https://tinyurl.com/2qrz95jq
18:24 <@Dagmar> There are AR phone apps that do that now
18:34 <@jb7od> Oh I've got a fancy nice one for the android, but I was watching some Graham Hancock flick and caught the name of the program and finally got around to seeing what it was- kinda surprised there was anything around at all back then (and that ol Graham was ever that young).
18:34 <@jb7od> This was in "Quest for the Lost Civilisation", but might show up in others.
20:13 <@Mirage> Dagmar: Our VPN works the same way. If you fail logging in too many times due to either the token or password being wrong then you have to either wait for your account to unlock or go to a self-service page to request an account unlock
20:15 <@Mirage> I disabled mail on my phone because I kept forgetting to update the password for it when I had to update my AD passwd and then it trying to log in w/ the wrong credentials to check email would lock my account.
20:36 <@Dagmar> Don't you have to get _one_ of the credentials right, first?
20:37 <@Dagmar> With Hulu it doesn't require you know anything but the email address, and it's not a temporary lock
--- Log closed Mon Mar 20 00:00:32 2023