Beeftweeter
Jun 28, 2005

OFFICIAL #1 GNOME FAN

Cybernetic Vermin posted:

kind of uncomfortable sounding that microsoft scans things like that, but seems obviously a not-secfuck in almost every case.

i mean, i certainly understand them doing this for malware. the problem for me is that they're brute-forcing passworded archives by scanning emails for passwords and that probably, idk, 95%+ of them are not malicious

i also understand that other services do it too, that doesn't make it any more palatable imo


Quackles
Aug 11, 2018

Pixels of Light.


1. make a file that compromises the antivirus scanner when scanned.
2. stuff it in a zip file.
3. upload it to onedrive.
4. ???????
5. microsoft burns down your house

mystes
May 31, 2006

Beeftweeter posted:

i mean, i certainly understand them doing this for malware. the problem for me is that they're brute-forcing passworded archives by scanning emails for passwords and that probably, idk, 95%+ of them are not malicious

i also understand that other services do it too, that doesn't make it any more palatable imo
On the other hand there is literally no reason to password-protect a zip file with a password written in the email the zip file is attached to other than to specifically bypass virus scanning

If it was for security you would send the password separately, at least in an email.

If you're saying "here's a zip file and the password is 1234" you're 100% just trying to prevent the email from being blocked

mystes fucked around with this message at 19:03 on May 16, 2023

distortion park
Apr 25, 2011


I think if it's just limited to a per email basis it seems fine, they're really just scanning the email taken as a whole

Beeftweeter
Jun 28, 2005

OFFICIAL #1 GNOME FAN

mystes posted:

On the other hand there is literally no reason to password-protect a zip file with a password written in the email the zip file is attached to other than to specifically bypass virus scanning

If it was for security you would send the password separately, at least in an email.

If you're saying "here's a zip file and the password is 1234" you're 100% just trying to prevent the email from being blocked

lol maybe to you and me, but i'd bet business people do that all the time simply because they don't know how to recompress something without the password

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
https://twitter.com/_MG_/status/1658528430588317696?s=20

time to put this to bed

Zamujasa
Oct 27, 2010



Bread Liar
is there anything in recent times that compares to the level of footguns the .zip TLD created, because good lord

haveblue
Aug 15, 2005



Toilet Rascal
what was the legitimate purpose of the .zip tld

did they have an application in mind or did someone just think it sounded cool

Zamujasa
Oct 27, 2010



Bread Liar
it's for fast websites, when you want some "zip" for your javascript

Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe

haveblue posted:

what was the legitimate purpose of the .zip tld

did they have an application in mind or did someone just think it sounded cool
it's google, it's always the latter, with zero reflection on risk put into it

necrotic
Aug 2, 2005
I owe my brother big time for this!

thanks for posting this. it’s a much better show of why .zip is a terrible idea than other things I’ve seen posted. an actual poc that I’m sure we’ll see exercised in the wild with how trivial it is.

SIGSEGV
Nov 4, 2010


Zamujasa posted:

is there anything in recent times that compares to the level of footguns the .zip TLD created, because good lord

non ascii characters in url which leads to endless substitutions with google dot com but instead of the l being a capital i it's a turkish double lemna sans serif



but i'll admit that one earlier is a damnable trick, the very first parts of the url are lying, that's delicious

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

is the implication that this would attempt http basic auth and load v1271.zip, which could be malicious?

if so, time to put to bed the suggestion that this is exploitable

because
1) it doesn't parse that way - look how userinfo is defined in https://datatracker.ietf.org/doc/html/rfc3986#appendix-A or try it yourself
2) even if it did parse that way, browsers have had warnings when this is attempted for years

if you look at the original blog post, the only reason it appears to work is because the author has actually correctly percent encoded the userinfo component (as is required if you want to send the user to v1271.zip)

but misleadingly, the author didn't percent encode the clickable link text, which would rather spoil the illusion. funny that!

Beeftweeter
Jun 28, 2005

OFFICIAL #1 GNOME FAN
even if it did work, ∕ doesn't really look like /, particularly in a url with other slashes

but i realize that it's "close enough"

mystes
May 31, 2006

Rufus Ping posted:

is the implication that this would attempt http basic auth and load v1271.zip, which could be malicious?

if so, time to put to bed the suggestion that this is exploitable

because
1) it doesn't parse that way - look how userinfo is defined in https://datatracker.ietf.org/doc/html/rfc3986#appendix-A or try it yourself
2) even if it did parse that way, browsers have had warnings when this is attempted for years

if you look at the original blog post, the only reason it appears to work is because the author has actually correctly percent encoded the userinfo component (as is required if you want to send the user to v1271.zip)

but misleadingly, the author didn't percent encode the clickable link text, which would rather spoil the illusion. funny that!


since they're using different slashes does it still have to be url encoded?

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

mystes posted:

since they're using different slashes does it still have to be url encoded?

yes because it's not in the specifically allowed subset of ascii

code:
userinfo       = *( unreserved / pct-encoded / sub-delims / ":" )
sub-delims     = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
unreserved     = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA          =  %x41-5A / %x61-7A   ; A-Z / a-z
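
To "try it yourself", as the post above suggests: the following is an added example (not code from the post, the tweet, or the blog it refers to) that checks a constructed look-alike URL against the userinfo grammar quoted above and compares that with what a lenient parser does. It uses Python's urllib.parse, which, like most real-world parsers, accepts the URL and puts everything before the last "@" into userinfo; the strictness check is the RFC 3986 ABNF transcribed into a regex. The URL, the host name v1271.zip and the fake path segments are assumptions chosen to mirror the trick discussed; nothing here says what any particular browser does with the same input.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed URL for the demonstration (not the link from the tweet or blog post).
# Every "/" after github.com is U+2215 DIVISION SLASH, so per RFC 3986 the
# authority runs all the way to "@", and "v1271.zip" is the host.
DIVISION_SLASH = "\u2215"
TRICK_URL = "https://" + DIVISION_SLASH.join(
    ["github.com", "kubernetes", "kubernetes", "archive", "refs", "tags"]
) + "@v1271.zip"

# userinfo = *( unreserved / pct-encoded / sub-delims / ":" )   (RFC 3986, Appendix A)
_USERINFO_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*")
# Characters that may appear in a reg-name host; used to show what a reader *thinks* the host is.
_HOSTISH_RE = re.compile(r"[A-Za-z0-9\-._~%!$&'()*+,;=]*")


def rfc3986_userinfo_valid(userinfo: str) -> bool:
    """True only when every character is in the ASCII subset the grammar allows."""
    return _USERINFO_RE.fullmatch(userinfo) is not None


def analyse(url: str) -> dict:
    """Split the authority the forgiving way Python does (the last '@' wins),
    then report whether that userinfo is actually legal under RFC 3986."""
    parts = urlsplit(url)
    authority = parts.netloc
    userinfo, at, _host = authority.rpartition("@")
    return {
        "looks_like_host": _HOSTISH_RE.match(authority).group(0),  # what the eye stops at
        "lenient_host": parts.hostname,                            # where the parser lands
        "userinfo": userinfo if at else "",
        "rfc3986_valid": rfc3986_userinfo_valid(userinfo) if at else True,
    }


def percent_encode_userinfo(url: str) -> str:
    """Rewrite the userinfo so the URL conforms: what an href must contain for a
    conformant parser to land on the host after the '@'. The result no longer
    looks like github.com, which is why link text and href would have to differ."""
    parts = urlsplit(url)
    userinfo, at, host = parts.netloc.rpartition("@")
    if not at:
        return url
    encoded = quote(userinfo, safe="!$&'()*+,;=:")  # unreserved chars are never encoded
    return f"{parts.scheme}://{encoded}@{host}{parts.path}"


if __name__ == "__main__":
    for u in (TRICK_URL, percent_encode_userinfo(TRICK_URL),
              "https://github.com/kubernetes/kubernetes"):
        print(u, analyse(u), sep="\n  ")
```

The raw trick URL fails the grammar (the division slashes are not in the allowed set) while the lenient parser still reports v1271.zip as the host; once the userinfo is percent-encoded the URL is conformant, but the visible text then starts with `github.com%E2%88%95...`, which is the illusion-spoiling difference the post points out.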

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


I hope they release a tld for .Ian (capital i) to really gently caress things up

gotta be a lot of ians out there who would benefit

Qtotonibudinibudet
Nov 7, 2011



Omich poluyobok, skazhi ty narkoman? ya prosto tozhe gde to tam zhivu, mogli by vmeste uyobyvat' narkotiki
lol who made this ad (it doesn't even link to a nu-QCS thread or anything, just the forums main page):



to whomever wasted $30 on this: it's either the standard $20 or $200/mo plan with maybe some addon features that don't matter for blocking people. lowtax downgraded to the cheaper one at some point; idk what jeffrey has. in practice the main reason for SA to use the more expensive one was for PCI-DSS compliance

IIRC there was historically some plan-based limit to IP/region firewall rules that realistically doesn't matter, since those are effectively useless at blocking individuals, and mods/admins (hopefully) wouldn't have access to the SA cloudflare account. they just use mod tools same as always.

it's possible there are some boneheaded rules in the list to the effect of "challenge every client coming from Turkmenistan" or "block any client coming from an AWS IP range" in a ham-fisted attempt to mitigate some attack, but those aren't targeted at individuals

anyway, i am again annoyed at people not understanding firewalls and treating them like some sort of lizard person conspiracy instead of maybe less than ideal use of blunt instruments

Pile Of Garbage
May 28, 2007



help, ive been shadowbanned by cloudflare! MY POSTS AREN'T GOING THROUGH!!!

JEFF!?

JEFFREY!?!?!?

Shame Boy
Mar 2, 2010

post the cloudflare ban list after banning whoever bought that ad so they can't see it

Achmed Jones
Oct 16, 2004



Qtotonibudinibudet posted:

lol who made this ad (it doesn't even link to a nu-QCS thread or anything, just the forums main page):



elon musk, aka stymie, probably

mystes
May 31, 2006

Qtotonibudinibudet posted:

lol who made this ad (it doesn't even link to a nu-QCS thread or anything, just the forums main page):



to whomever wasted $30 on this: it's either the standard $20 or $200/mo plan with maybe some addon features that don't matter for blocking people. lowtax downgraded to the cheaper one at some point; idk what jeffrey has. in practice the main reason for SA to use the more expensive one was for PCI-DSS compliance

IIRC there was historically some plan-based limit to IP/region firewall rules that realistically doesn't matter, since those are effectively useless at blocking individuals, and mods/admins (hopefully) wouldn't have access to the SA cloudflare account. they just use mod tools same as always.

it's possible there are some boneheaded rules in the list to the effect of "challenge every client coming from Turkmenistan" or "block any client coming from an AWS IP range" in a ham-fisted attempt to mitigate some attack, but those aren't targeted at individuals

anyway, i am again annoyed at people not understanding firewalls and treating them like some sort of lizard person conspiracy instead of maybe less than ideal use of blunt instruments
It's probably this user ErrorInvalidUser who was apparently permabanned and tried to sue SA or something and keeps trying to reregister, and probably has schizophrenia or something.

Zamujasa
Oct 27, 2010



Bread Liar
that guy who is using webtv finally got $30 and spent it on an ad instead of something better, tragic

SeaborneClink
Aug 27, 2010

MAWP... MAWP!
https://github.com/vdohney/keepass-password-dumper

Another keepAss CVE.

Wiggly Wayne DDS
Sep 11, 2010



it's a memory dump cve, really embarrassing that it's taking up cve space if i'm being honest. i'd put this on the same level as that 1password vuln of calling the export function...

devs already said they're patching it and will push a release by july but someone wanted some cred, at least it wasn't a serious vuln they threw into the wild

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

breaking: debuggers exist

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


Subjunctive posted:

breaking: debuggers exist

severely hosed up if true

sb hermit
Dec 13, 2016





Lain Iwakura posted:

impressive that this is worse than cryptocat

https://crnkovic.dev/testing-converso/

https://www.theregister.com/2023/05/17/converso_e2ee_app/

it's been pulled temporarily while it gets fixed

sb hermit
Dec 13, 2016





anyways, signal is a good cross platform messaging app for anyone who is looking to get off of sms and can push their contacts to do the same

karoshi
Nov 4, 2008

"Can somebody mspaint eyes on the steaming packages? TIA" yeah well fuck you too buddy, this is the best you're gonna get. Is this even "work-safe"? Let's find out!

Wiggly Wayne DDS posted:

it's a memory dump cve, really embarrassing that it's taking up cve space if i'm being honest. i'd put this on the same level as that 1password vuln of calling the export function...

devs already said they're patching it and will push a release by july but someone wanted some cred, at least it wasn't a serious vuln they threw into the wild

Your laptop getting stolen might mean your keepass master password is lost because you didn't encrypt your disk. I feel that's serious. Your password manager having a chance of writing the plain text master password to disk is not an unimportant detail.

sb hermit
Dec 13, 2016





KeepassXC supports multifactor authentication with yubikey, password files, etc. The yubikey support is actually really good.

This would be a much better mitigation of this CVE.

sb hermit
Dec 13, 2016





karoshi posted:

Your laptop getting stolen might mean your keepass master password is lost because you didn't encrypt your disk. I feel that's serious. Your password manager having a chance of writing the plain text master password to disk is not an unimportant detail.

we're getting to the point where not encrypting your disk is a dumb idea

both bitlocker (with windows pro and enterprise) and modern LUKS support TPM encryption, although backing up your keys is essential (because apparently windows loses them and sometimes poo poo happens), so there is no user interaction needed to keep things secure

also, I think some Linux distributions use a swapfile with a temporary encryption key, so attacks like those are even less useful on Linux
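
If you want to know whether your own swap is the ephemeral-key kind the post above mentions, here is an added check (not code from the post or from any distribution): it reads the same two files the boot-time setup uses and classifies each active swap area. The assumption is the standard crypttab convention for random-key swap, a line of the form `<name> <device> /dev/urandom swap,cipher=...`, with the mapping showing up in /proc/swaps as /dev/mapper/<name>. The two file contents below are constructed samples so the script runs offline; on a real host read /proc/swaps and /etc/crypttab instead.

```python
# Added example: audit which active swap areas are dm-crypt mappings keyed from
# /dev/urandom at boot (an ephemeral key, so whatever was paged out is unreadable
# after a reboot). Assumed convention: crypttab line "<name> <device> /dev/urandom swap,...".
PROC_SWAPS = (  # constructed sample of /proc/swaps
    "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
    "/dev/mapper/cryptswap                   partition\t8388604\t0\t-2\n"
    "/dev/sda3                               partition\t4194300\t0\t-3\n"
    "/swapfile                               file\t2097148\t0\t-4\n"
)
CRYPTTAB = (  # constructed sample of /etc/crypttab
    "# <target name>  <source device>  <key file>     <options>\n"
    "cryptswap        /dev/sda2        /dev/urandom   swap,cipher=aes-xts-plain64,size=256\n"
    "cryptroot        UUID=1111-2222   none           luks\n"
)


def parse_crypttab(text: str) -> dict:
    """Map each crypttab target name to its source device, key file and option set."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed: crypttab needs at least name, device, key file
        name, source, keyfile = fields[:3]
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries[name] = {"source": source, "keyfile": keyfile, "options": options}
    return entries


def parse_proc_swaps(text: str) -> list:
    """Return (filename, type) for each active swap area, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2:
            rows.append((fields[0], fields[1]))
    return rows


def classify_swap(filename: str, swap_type: str, crypttab: dict) -> str:
    if swap_type == "file":
        return "swapfile-inherits-fs"      # exactly as protected as the filesystem holding it
    if not filename.startswith("/dev/mapper/"):
        return "plaintext"                 # raw partition: pages hit the disk unencrypted
    entry = crypttab.get(filename[len("/dev/mapper/"):])
    if entry is None:
        return "mapped-unknown"            # LVM, or a mapping crypttab does not describe
    if entry["keyfile"] in ("/dev/urandom", "/dev/random") and "swap" in entry["options"]:
        return "encrypted-ephemeral-key"   # fresh key every boot; nothing survives a reboot
    return "encrypted-persistent-key"      # e.g. LUKS swap kept around for hibernation


def audit_swap(proc_swaps_text: str, crypttab_text: str) -> dict:
    crypttab = parse_crypttab(crypttab_text)
    return {name: classify_swap(name, kind, crypttab)
            for name, kind in parse_proc_swaps(proc_swaps_text)}


if __name__ == "__main__":
    for dev, status in audit_swap(PROC_SWAPS, CRYPTTAB).items():
        print(f"{dev:30} {status}")
```

A swap file is deliberately reported as "inherits-fs" rather than encrypted or plaintext: on an unencrypted root it is plaintext, on a LUKS root it is encrypted with the root key, and the script cannot tell which from these two files alone.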

Winkle-Daddy
Mar 10, 2007
just run keepAss in its own appVM in QubesOS with no network access, obviously

Wiggly Wayne DDS
Sep 11, 2010



karoshi posted:

Your laptop getting stolen might mean your keepass master password is lost because you didn't encrypt your disk. I feel that's serious. Your password manager having a chance of writing the plain text master password to disk is not an unimportant detail.
that's nice

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


I guess in that instance it would maybe be in the pagefile but otherwise it sounds like the data doesn't persist on reboot (if I'm understanding it correctly) and is only transiently in RAM

this is why I use a full tower desktop: it's too heavy to easily steal

sb hermit
Dec 13, 2016





90s nerds were well built to move laser printers and 17 inch CRTs, one in each arm

these modern gamers just use their smartphones or macbooks

what happened to the good old days of turbo buttons and an actual power switch?

(and don't get me started on modern cases that don't even have external 5.25" bays)

haveblue
Aug 15, 2005



Toilet Rascal
it's true, carting those printers to and from your crush's house gave you serious definition

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

sb hermit posted:

90s nerds were well built to move laser printers and 17 inch CRTs, one in each arm

these modern gamers just use their smartphones or macbooks

what happened to the good old days of turbo buttons and an actual power switch?

(and don't get me started on modern cases that don't even have external 5.25" bays)

I was on the Trinitron weightlifting plan.

outhole surfer
Mar 18, 2003

sb hermit posted:

KeepassXC supports multifactor authentication with yubikey and password files and etc. The yubikey support is actually really good.

This would be a much better mitigation of this CVE.


how does keepassxc's mfa support actually secure the data though? is the yubikey being used for cryptographic operations, or is keepassxc just "lol, yeah, you got the static yubikey and master password, take what you need"


sb hermit
Dec 13, 2016





Subjunctive posted:

I was on the Trinitron weightlifting plan.

:hfive:

the color was just right but it sure made lan games a workout
