|
Jonad posted: if you're talking about 'dingus.com' i'm afraid your name is already on it

no it's not that one, but also NICE!
|
# ? Mar 16, 2015 14:39 |
|
hi tanya!
|
# ? Mar 16, 2015 16:24 |
|
https://yvrctf.ctfd.io/ we're live if you're interested in playing
|
# ? Mar 16, 2015 17:20 |
|
how Tanya get domain ???
|
# ? Mar 16, 2015 17:50 |
|
OSI bean dip posted: https://yvrctf.ctfd.io/

how does the difficulty of this compare to the difficulty of the yospos crypto challenge
|
# ? Mar 16, 2015 17:59 |
|
Bloody posted: how does the difficulty of this compare to the difficulty of the yospos crypto challenge

depends on your skillset
|
# ? Mar 16, 2015 19:56 |
|
OSI bean dip posted:depends on your skillset
|
# ? Mar 16, 2015 22:55 |
|
Matthew Garrett @mjg59 · Mar 13 Impressive. Oracle have released a signed kernel that implements none of the features that make a signed kernel in any way worthwhile.
Matthew Garrett @mjg59 · Mar 13 eg, kexec_load() is still enabled
Matthew Garrett @mjg59 · Mar 13 Basically the Oracle Unbreakable Enterprise Kernel is not a kernel that you should let near any Secure Boot systems
Matthew Garrett @mjg59 · Mar 13 The only kernel Oracle supply with any meaningful security is the one that's just a direct copy of the Red Hat kernel source
Matthew Garrett @mjg59 · Mar 13 Both the broken UEK kernel and the good Red Hat clone kernel are signed with the same key
Matthew Garrett @mjg59 · Mar 13 So you can just replace the good kernel with the broken kernel, own the system and then kexec() into a backdoored good kernel
Matthew Garrett @mjg59 · Mar 13 Basically https://blogs.oracle.com/wim/entry/secure_boot_support_with_oracle is loving pointless
Matthew Garrett @mjg59 · Mar 13 .@Oracle delete your signing key
Matthew Garrett @mjg59 · Mar 13 The really fun thing is that Oracle called their signing key "oracle301". Because the RH one ends 301. Because that was its serial number.
Matthew Garrett @mjg59 · Mar 13 Security implemented by running sed without understanding what's actually going on.
Matthew Garrett @mjg59 · Mar 13 Also, only releasing this with 7.1 is kind of admitting "we didn't even try to solve this problem until we could just copy Red Hat"
Matthew Garrett @mjg59 · Mar 13 With respect to the lovely people I know at Oracle: Unbreakable Linux is a bad product and you should feel bad
Matthew Garrett @mjg59 · 27m Of course my first attempt to download OEL 7.1 ends up with a corrupt ISO
Matthew Garrett @mjg59 · 22m Deeply impressed to discover that Oracle Linux installs its bootloader in EFI/redhat
Matthew Garrett @mjg59 · 19m I mean to be fair who would want to install RHEL and Oracle Linux on the same computer anyway
Matthew Garrett @mjg59 · 19m But how lovely is your sed job of a Linux distribution if you can't even find all the places to sed?
Matthew Garrett @mjg59 · 12m Booted Oracle Linux 7 on a Secure Boot system, RH-derived kernel has appropriate lockdowns. Installed UEK kernel, rebooted, no lockdowns.
Matthew Garrett @mjg59 · 10m Describing this as a cargo cult version of a Secure Boot implementation is an insult to actual cargo cults
|
# ? Mar 17, 2015 00:35 |
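The state the tweets above describe (Secure Boot on, kernel not locked down, kexec_load() still callable) can be checked on a running host. This is an added example, not code from the thread, Oracle or Red Hat; the function names are made up here, and it assumes a kernel that exposes the lockdown LSM file, an interface that postdates these posts.

```python
from pathlib import Path
from typing import Optional

# Standard Linux locations. The lockdown file exists only on kernels with the
# lockdown LSM (mainline 5.4+ or a distribution backport).
SB_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
LOCKDOWN = "/sys/kernel/security/lockdown"
KEXEC_SYSCTL = "/proc/sys/kernel/kexec_load_disabled"


def secure_boot_enabled(var: Optional[bytes]) -> bool:
    # efivarfs prepends 4 attribute bytes; the fifth byte is the value.
    return var is not None and len(var) >= 5 and var[4] == 1


def lockdown_mode(text: Optional[str]) -> str:
    # File reads like "none [integrity] confidentiality"; brackets mark the active mode.
    for word in (text or "").split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    return "none"  # file missing or unparsable: treat as not locked down


def kexec_exposed(sb_var: Optional[bytes], lockdown_text: Optional[str],
                  kexec_disabled: Optional[str]) -> bool:
    """True when Secure Boot is on but nothing stops root from loading an
    unsigned kernel through kexec_load()."""
    if not secure_boot_enabled(sb_var):
        return False  # no verified boot chain to bypass
    if lockdown_mode(lockdown_text) in ("integrity", "confidentiality"):
        return False  # lockdown refuses unsigned kexec images
    if kexec_disabled is None:
        return False  # sysctl absent: assumed to mean kexec is not built in
    return kexec_disabled.strip() != "1"


def read(path: str, binary: bool = False):
    try:
        p = Path(path)
        return p.read_bytes() if binary else p.read_text()
    except OSError:
        return None


if __name__ == "__main__":
    exposed = kexec_exposed(read(SB_VAR, True), read(LOCKDOWN), read(KEXEC_SYSCTL))
    print("kexec_load() reachable under Secure Boot" if exposed else "ok")
```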
|
pseudorandom name posted: Matthew Garrett @mjg59 · Mar 13

Matt Garrett owns, oracle is lol
|
# ? Mar 17, 2015 00:46 |
|
pseudorandom name posted:Matthew Garrett @mjg59 · 10m
|
# ? Mar 17, 2015 02:26 |
|
pseudorandom name posted: Matthew Garrett @mjg59 · Mar 13

lol
|
# ? Mar 17, 2015 02:50 |
|
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as "high" severity.

OpenSSL Security Policy posted: high severity issues. This includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS, a significant leak of server memory, and remote code execution.
|
# ? Mar 17, 2015 02:51 |
|
now let's see who can be the first to find and exploit them before we actually release the fix, off to the races

Also jfc Oracle
|
# ? Mar 17, 2015 03:05 |
|
loving oracle, i hate them so much

also
Shaggar posted: lol @ people still using scrub tier frameworks and languages.

shaggar is right
|
# ? Mar 17, 2015 03:21 |
|
Aleksei Vasiliev posted:The OpenSSL project team would like to announce the forthcoming release
|
# ? Mar 17, 2015 05:03 |
|
the bsd version is libressl, the google version is boringssl
|
# ? Mar 17, 2015 05:06 |
|
some finnish guy figured that he could make an email address "Hostmaster@live.fi"

he was then able to request the domain's certificate from comodo, no questions asked.

microsoft has revoked the certificate and as thanks, they closed the guy's microsoft account, locking him out of his email, lumia phone and xbox.

i haven't found an english story yet.
|
# ? Mar 17, 2015 14:29 |
|
apparently he did try to contact the finnish communications regulatory authority and microsoft through several email addresses
|
# ? Mar 17, 2015 14:31 |
|
gently caress oracle and gently caress openssl god drat
|
# ? Mar 17, 2015 15:28 |
|
Wheany posted: some finnish guy figured that he could make an email address "Hostmaster@live.fi"

http://arstechnica.com/security/2015/03/man-who-obtained-windows-live-cert-said-his-warnings-went-unanswered/

quote: "I noticed the other day that Microsoft's new e-mail service allows to make a number of aliases, or alternate email addresses to the same account," he says. "I tried, just for fun, I could create a similar domain [unintelligible translation] address."

lol
|
# ? Mar 17, 2015 16:13 |
|
http://colin.keigher.ca/2010/04/who-letting-me-become-ssladmin.html

been there done that (it was lol as gently caress when i did it)
|
# ? Mar 17, 2015 16:28 |
|
Wheany posted: apparently he did try to contact the finnish communications regulatory authority and microsoft through several email addresses

unfortunately he only ever got through to other bozos who'd managed to snag reserved localparts

(my employer's list of reserved usernames is over 30k entries long after someone managed to have quite a lot of fun with addresses like biIIing@)
|
# ? Mar 17, 2015 16:59 |
|
goddamnedtwisto posted: unfortunately he only ever got through to other bozos who'd managed to snag reserved localparts

lol please tell me that list was manually built by some poor fucking intern
|
# ? Mar 17, 2015 17:02 |
|
duTrieux. posted: lol please tell me that list was manually built by some poor fucking intern

it was a committee

there were conference calls

so many conference calls

(i think the actual list decided on was only about 200 long, then they had a script to cover all the likely typos and intentional deceptions, plus they added in all the names from the staff directory and a bunch of other names associated with the company because the corporate and customer domain names are so similar)
|
# ? Mar 17, 2015 17:10 |
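A reserved-localpart check of the kind described in the post above, covering look-alikes such as biIIing@ and single-character typos. This is an added example, not the poster's or any provider's script; the function names and the short reserved list are assumptions, and it folds only ASCII and compatibility-form look-alikes, not Cyrillic or Greek homoglyphs.

```python
import unicodedata
from typing import Optional

# Local parts CAs may use for e-mail domain validation (CA/Browser Forum
# Baseline Requirements), plus "billing" from the thread. Real lists are longer.
RESERVED = {"admin", "administrator", "webmaster", "hostmaster", "postmaster", "billing"}

# Look-alike folding applied to BOTH sides: i, l, 1, | and ! all collapse to "l".
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "!": "l", "0": "o",
                            "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})
SEPARATORS = str.maketrans("", "", "._-")


def skeleton(localpart: str) -> str:
    """Comparison key that ignores case, +tags, separators and look-alikes."""
    s = unicodedata.normalize("NFKC", localpart).casefold()
    s = s.split("+", 1)[0].translate(SEPARATORS)
    return s.translate(CONFUSABLE)


def within_one_edit(a: str, b: str) -> bool:
    """True if a == b or they differ by one insert, delete, substitution or swap."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        swapped = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
        return a[i + 1:] == b[i + 1:] or swapped
    return a[i:] == b[i + 1:]


_KEYS = {skeleton(name): name for name in RESERVED}


def reserved_match(localpart: str) -> Optional[str]:
    """Return the reserved name a requested local part collides with, or None."""
    key = skeleton(localpart)
    if key in _KEYS:
        return _KEYS[key]
    for rkey in sorted(_KEYS):
        # Typo matching only for longer names, to limit false positives.
        if len(rkey) >= 6 and within_one_edit(key, rkey):
            return _KEYS[rkey]
    return None
```

Run `reserved_match()` at alias creation as well as at signup, since the live.fi address was created as an alias on an existing account.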
|
i should dig up that private key i had for ovi.com, nokia's failed attempt at an app store environment for symbian
|
# ? Mar 17, 2015 17:11 |
|
OSI bean dip posted: i should dig up that private key i had for ovi.com, nokia's failed attempt at an app store environment for symbian

nokia, you had the best phones and the shittest os(es)

now you have poo poo phones on a poo poo os and even your new corporate overlords love your competitors more than you
|
# ? Mar 17, 2015 17:13 |
|
goddamnedtwisto posted: unfortunately he only ever got through to other bozos who'd managed to snag reserved localparts

biIIing up your rear end
|
# ? Mar 17, 2015 17:16 |
|
4cc0unts_r3c31vabl3
|
# ? Mar 17, 2015 17:18 |
|
biIIing and its done
|
# ? Mar 17, 2015 17:20 |
|
JawnV6 posted: 4cc0unts_r3c31vabl3

kornfeld in the hizzy
|
# ? Mar 17, 2015 17:28 |
|
Chris Knight posted:kornfeld in the hizzy
|
# ? Mar 17, 2015 17:30 |
|
I just gave someone an API Key with write access to my service and they also went and just posted it publicly. This is the second time this has happened in a couple months.
|
# ? Mar 17, 2015 19:22 |
|
hmm. i would recommend not doing that again
|
# ? Mar 17, 2015 19:29 |
|
EAT THE EGGS RICOLA posted: I just gave someone an API Key with write access to my service and they also went and just posted it publicly. This is the second time this has happened in a couple months.

tell their boss
|
# ? Mar 17, 2015 19:46 |
|
ChickenOfTomorrow posted: tell their boss

They cc'ed their boss on the email sending everyone a link to the API key.
|
# ? Mar 17, 2015 19:51 |
|
EAT THE EGGS RICOLA posted: They cc'ed their boss on the email sending everyone a link to the API key.

did you follow up to that thread announcing the revocation of said key
|
# ? Mar 17, 2015 19:56 |
|
duTrieux. posted:did you follow up to that thread announcing the revocation of said key
|
# ? Mar 17, 2015 19:57 |
|
duTrieux. posted: did you follow up to that thread announcing the revocation of said key

Yes, yes I did.
|
# ? Mar 17, 2015 20:00 |
|
Here's my private GPG key for sending encrypted e-mail (as me).
|
# ? Mar 17, 2015 20:04 |
|
EAT THE EGGS RICOLA posted: Yes, yes I did.

Good man.
|
# ? Mar 17, 2015 20:05 |