|
Aleksei Vasiliev posted: http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
someone tried to pull a trustwave and now they're waving goodbye to their very
|
# ? Apr 2, 2015 06:14 |
|
CNNIC response here: http://www1.cnnic.cn/AU/MediaC/Announcement/201504/t20150402_52049.htm
1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.
2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.
|
# ? Apr 2, 2015 06:29 |
|
my money's on goog
|
# ? Apr 2, 2015 06:33 |
|
The decision that Google has made is unacceptable and unintelligible to CNNIC
unintelligible?
e: this is apparently a valid use that i just can't remember ever seeing
|
# ? Apr 2, 2015 06:40 |
|
All of their announcements are actually pretty good http://www1.cnnic.cn/AU/MediaC/Announcement/201503/t20150325_52019.htm
quote: On March 24th, some media reported Google's accusation that CNNIC has issued certificates for the Man-in-the-Middle (MITM) attack. In response to this report, CNNIC has the following Clarification.
They aren't mitm certs, they're improperly issued certs.
|
# ? Apr 2, 2015 06:56 |
|
uncurable mlady posted: this sold me on cyber to wizard
please also substitute hacking -> wizardry and cloud -> magic
|
# ? Apr 2, 2015 08:34 |
|
Rahu posted:All of their announcements are actually pretty good
|
# ? Apr 2, 2015 10:16 |
|
anthonypants posted: is there a legitimate need for a CA to issue *.google.com in an internal environment against their external CA chain
"China Internet Network Information Center"
|
# ? Apr 2, 2015 11:06 |
|
anthonypants posted: is there a legitimate need for a CA to issue *.google.com in an internal environment against their external CA chain
yes they need to test their mitm in a near-production environment.
|
# ? Apr 2, 2015 14:08 |
|
yeah i'm p sure goog is in the right here
|
# ? Apr 2, 2015 14:33 |
|
ok so I'm working on some research for NJE and wanted to share before i write some long rear end blog post

NJE basically lets mainframes 'trust' each other to send jobs/commands between them. You set up the same configuration with node names and IP addresses on all your mainframes and they all talk to each other. In all the examples in the documentation there's no security enabled, despite there being lots of options.

So, in the config you declare systems like:
Node 1: YOSPOS1, 10.10.0.10
Node 2: YOSPOS2, 10.10.0.11
Node 3: YOSPOS3, 10.10.0.12
etc

When using TCPIP (some places may still use SNA, whatever) you send an initialization record like so:

Notice the RIP and OIP. Those are supposed to be the IP addresses above. So you would send something like: OPEN YOSPOS1 10.10.0.10 YOSPOS2 10.10.0.11 meaning 'open a connection between me (yospos1) and you (yospos2)'. Once it connects you can send jobs, run console commands, etc, as a system account.

In testing I've discovered that those IP addresses don't mean dick. So long as I can figure out the names of your nodes (hint: it's probably the LPAR names) I can gently caress with your system. So basically, in python, i craft a packet that says "OPEN YOSPOS1 1.2.3.4 YOSPOS2 4.3.2.1" and it connects me just fine. Why? Because despite the config implying it will only accept connections from those IP addresses, those IP addresses are for outgoing connections and any IP address can use a node name for incoming NJE connections.

There's also hilarity like no error recovery. If I make a packet with your IP address and send it in with the wrong sequence number it just disconnects the whole thing.

Mainframes: The most secure platform in your enterprise (tm)
|
# ? Apr 2, 2015 14:49 |
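The check the post above says the receiving node does not make, written as a detection-side sketch (an added example, not code from the post): it parses an NJE/TCP OPEN record and compares the claimed node name and RIP with the real TCP peer address. The 33-byte field layout, the function names and the idea of running this on a sensor or proxy in front of the NJE port are assumptions; the node table is the post's example.

```python
import ipaddress
import struct

# Assumed layout of the 33-byte NJE/TCP control record (not shown on the page):
# TYPE(8) RHOST(8) RIP(4) OHOST(8) OIP(4) R(1); names are EBCDIC, blank padded.
RECORD = struct.Struct(">8s8s4s8s4sB")

# Node table from the post's example configuration.
NODES = {"YOSPOS1": "10.10.0.10", "YOSPOS2": "10.10.0.11", "YOSPOS3": "10.10.0.12"}


def parse_control_record(data):
    """Decode one control record into text fields and dotted-quad addresses."""
    if len(data) != RECORD.size:
        raise ValueError(f"expected {RECORD.size} bytes, got {len(data)}")
    rtype, rhost, rip, ohost, oip, reason = RECORD.unpack(data)
    name = lambda raw: raw.decode("cp037").rstrip()
    return {
        "type": name(rtype), "rhost": name(rhost), "ohost": name(ohost),
        "rip": str(ipaddress.IPv4Address(rip)),
        "oip": str(ipaddress.IPv4Address(oip)),
        "reason": reason,
    }


def audit_open(data, peer_ip, nodes=NODES):
    """Return findings for an OPEN record that arrived from TCP peer peer_ip."""
    rec = parse_control_record(data)
    if rec["type"] != "OPEN":
        return []
    findings = []
    expected = nodes.get(rec["rhost"])
    if expected is None:
        findings.append(f"unknown node name {rec['rhost']}")
    elif peer_ip != expected:
        findings.append(f"{rec['rhost']} is configured at {expected}, peer is {peer_ip}")
    if rec["rip"] != peer_ip:
        findings.append(f"record claims RIP {rec['rip']}, peer is {peer_ip}")
    return findings


def sample_open(rhost, rip, ohost, oip):
    """Constructed test input: an OPEN record as a sensor would capture it."""
    pad = lambda s: s.ljust(8).encode("cp037")
    addr = lambda a: ipaddress.IPv4Address(a).packed
    return RECORD.pack(pad("OPEN"), pad(rhost), addr(rip), pad(ohost), addr(oip), 0)
```

An empty result means the node name, the claimed RIP and the TCP peer all agree; the record quoted in the post (RIP 1.2.3.4 for YOSPOS1) produces two findings from any peer address.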
|
Optimus_Rhyme posted: ok so I'm working on some research for NJE and wanted to share before i write some long rear end blog post
do the security options defeat this attack, or are you demonstrating that the insecure mode is in fact insecure
|
# ? Apr 2, 2015 14:58 |
|
Captain Foo posted: do the security options defeat this attack, or are you demonstrating that the insecure mode is in fact insecure
Well, the security options are
- ssl (not certs for auth but just to encrypt the data over tcpip)
- a shared, 8 digit max, password, stored in the config file
- a hash of a shared 8 digit max password, the password is stored in the config with the option like so: token(password)
Still doing testing on this mind you. So, not really this attack, but the password would buy you time, unless I read the config file on one system.
|
# ? Apr 2, 2015 15:51 |
|
Truecrypt "Phase II" Audit has been completed, and you can read the full report here: https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf (PDF warning)
Matthew Green has a new blog post with a TL;DR of the whole thing: http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
quote: The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.
|
# ? Apr 2, 2015 16:32 |
|
i'm the OHOST, someone else can be
|
# ? Apr 2, 2015 16:37 |
|
Progressive JPEG posted: i'm the OHOST, someone else can be
i drink a lot of water, and OIP
|
# ? Apr 2, 2015 17:06 |
|
I P a lot, if you catch my drift
|
# ? Apr 2, 2015 17:06 |
|
I think that leaves me with TYPE
|
# ? Apr 2, 2015 17:08 |
|
im R
|
# ? Apr 2, 2015 17:08 |
|
Captain Foo posted: yeah i'm p sure goog is in the right here
it's crazy because CNNIC is apparently a state-affiliated regulatory agency. maybe beijing's new censorship tactic is to make the country's network infrastructure so malware-laden and corrosive to the infrastructure of the internet that the whole country gets blacklisted lol
|
# ? Apr 2, 2015 17:09 |
|
Jonad posted: it's crazy because CNNIC is apparently a state-affiliated regulatory agency. maybe beijing's new censorship tactic is to make the country's network infrastructure so malware-laden and corrosive to the infrastructure of the internet that the whole country gets blacklisted lol
I'm pretty sure that prefix blocking most of china is already standard practice for most businesses. My bank blocks China/Iran/Russia and some others. Of course ip->Location was a flawed concept to begin with, but w/e.
|
# ? Apr 2, 2015 17:45 |
|
Jonad posted: it's crazy because CNNIC is apparently a state-affiliated regulatory agency.
everything in China is state-affiliated
|
# ? Apr 2, 2015 17:58 |
|
Rooney McNibnug posted:barf and catch fire season two rebrand coming along
|
# ? Apr 2, 2015 18:07 |
|
what happens if a wizard attack occurs in your butt???
|
# ? Apr 2, 2015 18:28 |
|
mozilla cutting cnnic too: https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/
actually, it's not quite the same
Subjunctive fucked around with this message at 19:05 on Apr 2, 2015
|
# ? Apr 2, 2015 18:56 |
|
type R!?
|
# ? Apr 2, 2015 19:21 |
|
Jonad posted: it's crazy because CNNIC is apparently a state-affiliated regulatory agency. maybe beijing's new censorship tactic is to make the country's network infrastructure so malware-laden and corrosive to the infrastructure of the internet that the whole country gets blacklisted lol
http://en.m.wikipedia.org/wiki/Google_China
|
# ? Apr 2, 2015 19:24 |
|
Subjunctive posted: everything in China is state-affiliated
even the criminals, lol
|
# ? Apr 2, 2015 22:27 |
|
Luigi Thirty posted: type R!?
R-Type
|
# ? Apr 3, 2015 00:54 |
|
Stay safe, security OHOST
|
# ? Apr 3, 2015 01:25 |
|
r kelly
|
# ? Apr 3, 2015 01:57 |
|
Wild EEPROM posted: r kelly
badass
|
# ? Apr 3, 2015 02:40 |
|
Captain Foo posted: badass
lol
|
# ? Apr 3, 2015 02:49 |
|
Captain Foo posted: badass
lol
|
# ? Apr 3, 2015 03:09 |
|
Wild EEPROM posted: r kelly
welp, this is the name of the tool i'm writing now, thanks.
r.kelli.py
remote . killer of enhanced lpar to lpar intercommunication
|
# ? Apr 3, 2015 04:25 |
|
Jonad posted:lol
|
# ? Apr 3, 2015 04:33 |
|
the r stands for rilo
|
# ? Apr 3, 2015 07:10 |
|
http://kamil.hism.ru/posts/about-vrg-and-delete-any-youtube-video-issue.html posted:In YouTube Creator Studio I investigated how live_events/broadcasting systems works. I wanted to find there some CSRF or XSS issues, but unexpectedly discovered a logical bug that let me to delete any video on YouTube with just one following request:
|
# ? Apr 3, 2015 11:43 |
|
holy poo poo
|
# ? Apr 3, 2015 12:00 |
|
|
# ? Apr 3, 2015 13:21 |