|
D. Ebdrup posted:what's cool about it is that the US law-enforcement and three-letter agencies never attack tor itself, and every single idiot who's been busted for doing illegal poo poo on tor has been tracked down by very well-established and -known attacks which show how terrible at OPSEC they are (or how hard OPSEC is) https://bugzilla.mozilla.org/show_bug.cgi?id=857883 Using JavaScript was the opsec fuckup in this case tho E: I'm hella slow, guess it wasn't a zero day. Rufus Ping posted:this isn't true dougdrums fucked around with this message at 17:08 on Dec 14, 2019 |
# ? Dec 14, 2019 17:06 |
|
Rufus Ping posted: this isn't true

dougdrums posted: Not quite the Tor network, but said three letter agencies have been known to use zero days targeting Firefox/the Tor browser, for the better.
|
|
# ? Dec 14, 2019 17:12 |
|
D. Ebdrup posted: would secure boot loader functionality, which the freebsd standard loader has, help with preserving signed-pointer relocations?

no it’s kindof an independent thing. it’s not really security engineering, it’s just basic toolchain engineering: somebody has to design a way to represent a signed pointer in global memory in elf and then write patches to elf assemblers, linkers, loaders, etc. to honor them

D. Ebdrup posted: did you see https://www.eetimes.com/document.asp?doc_id=1335237 ? CheriBSD, a fork of FreeBSD consisting of about ~100 commits worth of diffs to make it run on CHERI, will hopefully not end up being that

i am something of a cheri skeptic; there’s a lot of hardware/memory overhead and it still doesn’t protect against certain kinds of vulnerability
|
# ? Dec 14, 2019 19:03 |
rjmccall posted: no it’s kindof an independent thing. it’s not really security engineering, it’s just basic toolchain engineering: somebody has to design a way to represent a signed pointer in global memory in elf and then write patches to elf assemblers, linkers, loaders, etc. to honor them

rjmccall posted: i am something of a cheri skeptic; there’s a lot of hardware/memory overhead and it still doesn’t protect against certain kinds of vulnerability
|
|
# ? Dec 14, 2019 19:42 |
|
yeah the nsa to dea parallel construction pipeline has been known about for years

quote: Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin - not only from defense lawyers but also sometimes from prosecutors and judges.
|
# ? Dec 14, 2019 20:16 |
|
double post because I was reminded of this absurd example where the dea fake a car crash and a car theft just so they could lie and hide the real reason they wanted to search the car:

quote: An egregious example of this law enforcement tactic occurred in 2004 when, through intercepted phone calls and their own subsequent surveillance, the DEA discovered that Ascension Alverez-Tejeda was transporting drugs from Los Angeles to Washington state in his car. To search the vehicle without revealing the phone calls as their original source, DEA agents set up an elaborate ruse.
|
# ? Dec 14, 2019 20:22 |
|
jfc I hadn’t read of that example
|
# ? Dec 14, 2019 20:38 |
|
Trabisnikof posted:Other than Alverez-Tejeda and his girlfriend, every person involved in this piece of theater was a DEA agent or local police officer: the person driving the car in front of Alverez-Tejeda’s, the “drunk” truck driver, even the supposed car thief. While a federal judge ruled that the DEA hoax violated Fourth Amendment protections against unreasonable search and seizure, an appeals court overturned the ruling and described this abuse of Alverez-Tejeda’s constitutional rights as “relatively mild.”
|
# ? Dec 14, 2019 20:44 |
|
you don't have to blackmail Republicans into ignoring the law, they'll eagerly do it for you
|
# ? Dec 14, 2019 21:17 |
|
the dude was guilty so clearly it was fine to violate his constitutional rights. maybe you should try not being a criminal if you want due process
|
# ? Dec 14, 2019 21:23 |
|
i like that journalists talking about infosec ask good questions https://twitter.com/ShadowBankerCEO/status/1205603083415379974
|
# ? Dec 14, 2019 21:29 |
|
Soricidus posted:the dude was guilty so clearly it was fine to violate his constitutional rights. maybe you should try not being a hispanic if you want due process
|
# ? Dec 14, 2019 21:31 |
Lain Iwakura posted:i like that journalists talking about infosec ask good questions
|
|
# ? Dec 14, 2019 21:36 |
|
Lain Iwakura posted: i like that journalists talking about infosec ask good questions

but does he know what #include is?
|
# ? Dec 14, 2019 21:46 |
|
Trabisnikof posted: double post because I was reminded of this absurd example where the dea fake a car crash and a car theft just so they could lie and hide the real reason they wanted to search the car:

ocean's 11 but it's the police
|
# ? Dec 14, 2019 21:50 |
|
Lain Iwakura posted: i like that journalists talking about infosec ask good questions

smh, they have so much to learn from next gen hacker https://www.youtube.com/watch?v=SXmv8quf_xM
|
# ? Dec 14, 2019 21:52 |
|
In the general case I think it's more successful to attack the hidden service, and pivot to the clients with some browser exploit than to deanonymize Tor as a whole.
|
# ? Dec 15, 2019 00:40 |
|
rjmccall posted: ptrauth includes some builtin functions for sign/auth, but for the most part you don't use them as a programmer; what you generally do is use something like the __ptrauth qualifier to opt in to stronger signing than the default abi rule for a particular pointer. like if you have a hand-rolled v-table (incredibly common in c code), you'd put a different __ptrauth qualifier on each function pointer field, and then another qualifier on the v-table pointer field in your object type. the abi instability doesn't affect explicit uses of that qualifier, it just means that if you dig around in the language implementation (e.g. if you cast blocks to struct Block * and read fields out), what you see with the current compiler might not be what you'd see in a future compiler as the abi evolves

yeah, handrolled vtables (which we have some of despite being c++...) were what i had in mind, but i guess i'll wait for it to be officially available
|
# ? Dec 15, 2019 01:02 |
|
Lain Iwakura posted: i like that journalists talking about infosec ask good questions

it's pronounced tracer-t
|
# ? Dec 15, 2019 02:47 |
|
yes i know someone already posted the video i don't care
|
# ? Dec 15, 2019 02:47 |
|
the next generation will call it trace-retweet
|
# ? Dec 15, 2019 02:52 |
|
Trace-yeet
|
# ? Dec 15, 2019 03:57 |
|
Shame Boy posted:it's pronounced tracer-t
|
# ? Dec 15, 2019 06:05 |
|
Trabisnikof posted: double post because I was reminded of this absurd example where the dea fake a car crash and a car theft just so they could lie and hide the real reason they wanted to search the car:

Duh, criminals with foreign sounding names do not have constitutional protections, that's only for the american white-collar criminals.
|
# ? Dec 15, 2019 08:32 |
|
Shame Boy posted: really? my wife was on it (prescribed) for a bit and it was fine. didn't really, like, do anything, but it was fine... is it a long-term use thing?

I was on it for years because it worked better for me than adderall, especially in terms of side-effects. the worst part was just switching back and forth between modafinil and ar- when my insurance company got bribed back and forth. I honestly can’t recall any meaningful side-effects until I was well beyond the recommended dose, and even then I was just a bit anxious. I knew a number of people who were on it long term and everyone seemed to agree that it was a pretty perfect medication experience. doesn’t even interfere with sleep for 99% of people. whatever was wrong with dude’s modafinil takers might not have been because of the modafinil
|
# ? Dec 15, 2019 09:14 |
|
Lutha Mahtin posted:absolute garbage and you were a shithead to more than 2 people so you aren't even trying here
|
# ? Dec 16, 2019 19:29 |
|
tong-ed again
|
# ? Dec 16, 2019 19:33 |
|
A couple of secfucks from the local news: https://twitter.com/StribBiz/status/1206374384757346305 https://twitter.com/MPRnews/status/1206754635903574016
|
# ? Dec 17, 2019 04:47 |
|
https://www.reddit.com/r/sysadmin/comments/eaphr8/a_dropbox_account_gave_me_stomach_ulcers/
|
# ? Dec 17, 2019 06:32 |
|
Blockade posted:https://www.reddit.com/r/sysadmin/comments/eaphr8/a_dropbox_account_gave_me_stomach_ulcers/
|
# ? Dec 17, 2019 07:13 |
|
lol at storing data in expensive enterprise dropbox. everyone knows it’s more cost effective to split it across your devs’ personal icloud and onedrive accounts
|
# ? Dec 17, 2019 09:16 |
|
Soricidus posted: lol at storing data in expensive enterprise dropbox. everyone knows it’s more cost effective to split it across your devs’ personal icloud and onedrive accounts

I'm legit envisioning someone writing a middleware arbitrator to shard data over arbitrary free-tier storage services.
|
# ? Dec 17, 2019 09:28 |
|
Like the s3 gateway for ceph but free tier onedrive.
|
# ? Dec 17, 2019 09:31 |
|
I like how it's not just the data, which would be one stupid but logical mistake, but rather the entire app including the only VCS, somehow.
|
# ? Dec 17, 2019 09:34 |
|
yeah the source code belongs in sharepoint
|
# ? Dec 17, 2019 09:37 |
|
guys I got it. free onedrive > middleware arbitrator > s3 API > s3-fuse > mongodb eventually consistent as gently caress
|
# ? Dec 17, 2019 09:54 |
|
Methanar posted: guys I got it.

This made me twitch so hard I almost broke my neck
|
# ? Dec 17, 2019 09:58 |
|
Proteus Jones posted: This made me twitch so hard I almost broke my neck

the beauty of it all is some lazy mongodb config means the database will be open to the public internet at large and after someone on a darknet market forum has downloaded it all and put it up for sale it will still be a bunch cheaper than having bought proper services
|
# ? Dec 17, 2019 10:21 |
|
Bulgakov posted: the beauty of it all is some lazy mongodb config means the database will be open to the public internet at large and after someone on a darknet market forum has downloaded it all and put it up for sale it will still be a bunch cheaper than having bought proper services

galaxy brain: at least we have an offsite backup
|
# ? Dec 17, 2019 10:21 |
|
|
Vomik posted:galaxy brain: at least we have an offsite backup
|
# ? Dec 17, 2019 10:22 |