LOL, 000webhost http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html?m=1 13 million plaintext user+passes you get what you deserve if you use a free php+mysql host tbh

# ? Oct 28, 2015 17:18 |
|
|
OSI bean dip posted:
> can one of you with a really garbage computer run this for me

I guess my HP ProLiant MicroServer with an AMD Turion(tm) II Neo N54L Dual-Core Processor isn't garbage enough

code:
|
# ? Oct 28, 2015 17:28 |
|
Volmarias posted:
> Paging tiny bug child loooool look at this poo poo
>
> > 3. Fine, it’s me. But I need / Customer Service needs to see the password!

get hosed, spergs. i have a legitimate need to store passwords retrievably

also of course the passwords are mine. the user gave it to me. if the user didn't want me to have the password he shouldn't have given it to me. if you don't want a company to know something about you, don't give it away
|
# ? Oct 28, 2015 17:37 |
|
man, it's my lucky day. I found a quarter in the street and finally met the guy who has a reason to store passwords retrievably that outweighs the security risks.
|
# ? Oct 28, 2015 17:38 |
|
the reason is that porn subscribers are too stupid to follow a password reset procedure
|
# ? Oct 28, 2015 17:41 |
|
Tiny Bug Child posted:
> the reason is that porn subscribers are too stupid to follow a password reset procedure

oh right, that was you? "we're talking about people too stupid to find free porn"
|
# ? Oct 28, 2015 17:42 |
|
do you at least have a disclaimer at the sign up page? like "for your convenience we store your user info and password in an easily accessible format"
|
# ? Oct 28, 2015 17:48 |
|
hrm yes we definitely have a scary disclaimer about nerd bullshit that isn't legally required on our join page
|
# ? Oct 28, 2015 17:52 |
|
Tiny Bug Child posted:
> the reason is that porn subscribers are too stupid to follow a password reset procedure

you could generate a password for them when they request it, rather than keeping theirs around in plain text
|
# ? Oct 28, 2015 17:54 |
|
Tiny Bug Child posted:
> hrm yes we definitely have a scary disclaimer about nerd bullshit that isn't legally required on our join page

pragmatic bug child
|
# ? Oct 28, 2015 17:55 |
|
Subjunctive posted:
> yeah, looks like you have to sign up. also, the beta certs are only good for 90 days, so that's probably not what you want (though renewing them is apparently super easy)

I think the plan is 90 days post-launch too. they want to encourage people to set up automatic renewal or at least not have a chance to forget how to renew
|
# ? Oct 28, 2015 18:05 |
|
Tiny Bug Child posted:
> hrm yes we definitely have a scary disclaimer about nerd bullshit that isn't legally required on our join page

We did this deliberately. In our experience most of you don’t care about the various technical ‘flavours’ which could have been used. EAP-TLS vs. EAP-TTLS vs. EAP-FAST or 256-bit symmetric key vs. 2048-bit asymmetric key or Broadcom vs. Intel chipsets or why 256Mb is enough instead of 512Mb or Debian vs. OpenBSD vs. openSUSE. Every one of them have pro’s and con’s.
|
# ? Oct 28, 2015 18:06 |
|
Subjunctive posted:
> you could generate a password for them when they request it, rather than keeping theirs around in plain text

"the users are too stupid to handle new passwords"
|
# ? Oct 28, 2015 18:07 |
|
it's not surprising that a lack of empathy for users results in poor security choices
|
# ? Oct 28, 2015 18:15 |
|
porn sites seem like an ideal hacking target, lots of dumb and potentially shameful users along with questionable security practices
|
# ? Oct 28, 2015 18:21 |
|
Bhodi posted:
> LOL, 000webhost

welp that explains all the phishing sites on there

also the loving lovely response to complaints about phishing sites
|
# ? Oct 28, 2015 18:25 |
|
Cocoa Crispies posted:
> it's not surprising that a lack of empathy for users results in poor security choices

the paternalistic, condescending nature of the porn industry is one of the greatest problems the world has ever faced
|
# ? Oct 28, 2015 18:27 |
|
wyoak posted:
> porn sites seem like an ideal hacking target, lots of dumb and potentially shameful users along with questionable security practices

the number of porn sites that store credit card numbers is probably absurdly high
|
# ? Oct 28, 2015 18:28 |
|
Heresiarch posted:
> the number of porn sites that store credit card numbers is probably absurdly high

they have to, it's ~too risky~ to not be a fly-by-night that has to change cc processors at the drop of a hat
|
# ? Oct 28, 2015 18:35 |
|
Heresiarch posted:
> the number of porn sites that store credit card numbers is probably absurdly high

Cocoa Crispies posted:
> they have to, it's ~too risky~ to not be a fly-by-night that has to change cc processors at the drop of a hat

A porn site is providing a "service." They don't need to give a poo poo about pci compliance etc. No seriously, they don't.
|
# ? Oct 28, 2015 19:35 |
|
don't know if anyone talked about this yet, but i am going to leave this neat project here: https://github.com/diracdeltas/sniffly

heard it was also something talked at mozilla, and with the tor browser being built on top of firefox, something to think about.

and: https://twitter.com/Snowden/status/659439847732563968

a loving blimp, best way to remain completely covert.

lord of the files fucked around with this message at 19:45 on Oct 28, 2015 |
# ? Oct 28, 2015 19:42 |
|
Yeah there's two of em hovering around the east coast at all times (well, one now) and more along the Mexico border. Ostensibly with look-down radars only and totally no cameras guys, we swear. Also they're not very good at their job. e: they're camouflaged like a cloud duh
|
# ? Oct 28, 2015 19:48 |
|
Nitrocat posted:
> don't know if anyone talked about this yet, but i am going to leave this neat project here: https://github.com/diracdeltas/sniffly

yeah. it was posted a few pages back. it appears to work too
|
# ? Oct 28, 2015 19:56 |
|
flakeloaf posted:
> We did this deliberately. In our experience most of you don’t care about the various technical ‘flavours’ which could have been used. EAP-TLS vs. EAP-TTLS vs. EAP-FAST or 256-bit symmetric key vs. 2048-bit asymmetric key or Broadcom vs. Intel chipsets or why 256Mb is enough instead of 512Mb or Debian vs. OpenBSD vs. openSUSE. Every one of them have pro’s and con’s.

maybe just abbreviate it to read "100% Secure"
|
# ? Oct 28, 2015 19:59 |
|
Can somebody please give me a layman's explanation of password entropy? I understand how you calculate things like key space and maximum number of possible passwords etc but entropy is hurting my brain a bit.
|
# ? Oct 28, 2015 19:59 |
|
thehustler posted:
> Can somebody please give me a layman's explanation of password entropy? I understand how you calculate things like key space and maximum number of possible passwords etc but entropy is hurting my brain a bit.

first page of google results has some good stuff
|
# ? Oct 28, 2015 20:02 |
|
The blimp has crashed in PA, citizens, go about your lives. Also https://twitter.com/wjrue/status/659445157285228544

quote:
> The $2.7B runaway #jlens costs more money than Peru spends annually on defense. It's basically the world's 57th largest military by budget
|
# ? Oct 28, 2015 20:03 |
|
Intel Management Engine is good times. http://blog.invisiblethings.org/2015/10/27/x86_harmful.html
|
# ? Oct 28, 2015 20:14 |
|
Powercrazy posted:
> A porn site is providing a "service." They don't need to give a poo poo about pci compliance etc. No seriously, they don't.

err this is not exactly true. it is true that unless you run a million transactions a year you just have to "self certify" which means you 1) fill out a form where you totally promise that you have keycards on your office and other irrelevant poo poo and 2) pay for a vulnerability scan from an organization who has a financial interest in keeping you happy
|
# ? Oct 28, 2015 20:22 |
|
most pci audits work like this:

- before the pci auditor comes in, the software is changed to reflect what the auditor will want to see
- auditor comes in to take a look
- auditor gives stamp of approval
- software is then reverted back

it's like clockwork
|
# ? Oct 28, 2015 20:28 |
|
overdesigned posted:
> Yeah there's two of em hovering around the east coast at all times (well, one now) and more along the Mexico border. Ostensibly with look-down radars only and totally no cameras guys, we swear.

are you counting these? my uncle lives on the same island in the keys as the base that flies it and it's been there for so long that i remember being super-excited about seeing the big silly blimp whenever we'd go to visit as a kid
|
# ? Oct 28, 2015 20:39 |
|
anyway i was wondering if i could get some help with the boyfriend's job situation. he's got two years of college experience from RIT's IT Security program (though no degree, ran out of money) and 3 years of experience working at the same lovely old company I complain about all the time as pretty much the only capable IT person there. He's definitely experienced in doing everything even senior IT would need to do (gently caress he's the one that architected and deployed several entire enterprise production server clusters at my last job) yet he's been interviewing here in Tampa for 3 months now and, while he's gotten lots of interviews that he's done alright on as far as i know, we've yet to see a job offer. now i'm thinking, maybe they get through the hiring process and see that he doesn't have any professional certs and automatically disqualify him or pick the other guy for that reason. He knows enough that he could ace the A+/Network+/Security+ with minimal study, but they're like $200+ a try and with him out of work money's a bit tight. so i figured i'd ask you guys - should he get certs? which certs should he prioritize? is there some other glaringly bad red flag we're missing? tyia secfuck friends for helping my cj bf
|
# ? Oct 28, 2015 20:48 |
|
Hit a small conference called Mobility Live today, a general mobility / wearable / internet of things conference. Here's a few of the quotes I picked up.

Reed Peterson, GSMA posted:
> "The Internet of Things is really the most sustainable business model there is."

Edenilson Fleischmann, Indra USA posted:
> "We have this situation where your TV is recording all your conversations... Security is an issue, but we have to live with it."

Joe Mosele, VP with AT&T Mobility posted:
> "AT&T has a strong privacy policy and we respect the privacy of our users... when people sign up for Google is when their data gets sold."

and this was all in one panel. i left before the free lunch.
|
# ? Oct 28, 2015 20:52 |
|
wyoak posted:
> porn sites seem like an ideal hacking target, lots of dumb and potentially shameful users along with questionable security practices

I haven't checked in a long while, but most porn sites used to use HTTP Basic authentication, which, as you know, requires you to store the credentials in plaintext. it also typically goes straight through Apache to the password file with pretty much no logging or other security (more on this later). now, the really interesting part about HTTP Basic authentication is that not only did internet explorer store the credentials in plaintext, but the URL too.

there were passwordz files that were clearly aggregated credential dumps from trojans. if a site had HTTP Basic authentication, you were in and could stay in indefinitely, no question about it. hardest part was finding passwords that weren't behind a paywall/survey (but years ago you could just fill surveys with plausible fake data, nowadays it's all "give me your cellphone number"), but for some reason hip hop forums were a very reliable source

if a site had form-based authentication, forget about it. not only did they have actual security (blacklisting, account sharing detection, captchas), but most importantly, internet explorer didn't store the URLs of form completion data in plaintext: it stored the hash. dumps of form completion data wouldn't give you an easy URL/username/password combo as in HTTP Basic, you had to do a little more work, or active sniffing, so finding reliable passwords for those sites was impossible, because trojan operators are lazy ignorant pushbutton scum

the most secure paysite network apparently used form-based authentication and randomized usernames and it's odd given that it's 100% eastern european fetish porn

then you had sites where the whole security was literally "check the referral", or even just "secret hardcoded URL"

source: I wgetted several paysites just because I could. also because I used to really like porn
|
# ? Oct 28, 2015 20:56 |
|
hackbunny posted:
> I haven't checked in a long while, but most porn sites used to use HTTP Basic authentication, which, as you know, requires you to store the credentials in plaintext.

Why is that? It requires the password to travel in the clear (within SSL), but you can hash-and-compare just as with a password submitted through a web form, and htpasswd has been storing hashed passwords since forever.
|
# ? Oct 28, 2015 21:00 |
|
hackbunny posted:
> Also because I used to really like porn

I used to like porn. I still do, but I used to too.
|
# ? Oct 28, 2015 21:07 |
|
hackbunny posted:
> the most secure paysite network apparently used form-based authentication and randomized usernames and it's odd given that it's 100% eastern european fetish porn

this bit at least isn't that strange - by their nature fetish porn sites have a much smaller market (that is prepared to spend a lot more money) and so are much more concerned about people getting their content without paying

source: one of my very first it security jobs was helping http://www.janusworldwide.com/ (, obviously) set up their certs on their online shop, then helping them set up a basic watermarking system to help them catch people reposting their stuff elsewhere
|
# ? Oct 28, 2015 21:11 |
|
Subjunctive posted:
> Why is that? It requires the password to travel in the clear (within SSL), but you can hash-and-compare just as with a password submitted through a web form, and htpasswd has been storing hashed passwords since forever.

yeah nevermind, terrible wording on my part. passwords were clearly stolen from clients anyway
|
# ? Oct 28, 2015 21:15 |
|
Subjunctive posted:
> Why is that? It requires the password to travel in the clear (within SSL), but you can hash-and-compare just as with a password submitted through a web form, and htpasswd has been storing hashed passwords since forever.

Yeah waaay back when I was first learning to code web stuff as a ~teen~ I was really concerned about passwords being stored in plaintext and being sent unencrypted so I re-invented what is basically hash authentication by myself and felt really proud of it, basically store a salt and hash of password+salt in the DB, then send a nonce and the salt to the client, in JS hash the password+salt, then hash the hash+nonce and send the result to the server, server then only has to get the hash out of the db, hash it with the nonce and compare. The salt was generated when you set your password and the nonce was cleared/regenerated on each page load and after a set timeout so you can't replay attack it.

then i found out it's already built into the browser and webserver, and also i used md5 which was A Bad Idea.
|
# ? Oct 28, 2015 21:15 |
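The challenge-response scheme the post above describes, written out as an added example; it is not the poster's code. SHA-256 stands in for the MD5 the post calls A Bad Idea, the nonce is consumed on first use and expires after a timeout as the post describes, and the AuthServer and client_response names are assumptions of mine.

```python
import hashlib
import hmac
import secrets
import time


def sha256_hex(data: str) -> str:
    """SHA-256 stands in for the MD5 the post used; hex output keeps the nesting simple."""
    return hashlib.sha256(data.encode()).hexdigest()


class AuthServer:
    """Hypothetical server side: stores salt + H(password+salt) and issues one-time nonces."""

    def __init__(self, nonce_ttl: float = 300.0, clock=time.monotonic):
        self.users = {}    # username -> {"salt", "pw_hash"}
        self.pending = {}  # username -> (nonce, issued_at): the outstanding challenge
        self.nonce_ttl = nonce_ttl
        self.clock = clock  # injectable so expiry can be tested without sleeping

    def register(self, username: str, password: str) -> None:
        # The salt is generated once, when the password is set, and stored beside the hash.
        salt = secrets.token_hex(16)
        self.users[username] = {"salt": salt, "pw_hash": sha256_hex(password + salt)}

    def challenge(self, username: str) -> dict:
        # Every page load gets a fresh nonce; issuing a new one discards the old one.
        nonce = secrets.token_hex(16)
        self.pending[username] = (nonce, self.clock())
        return {"salt": self.users[username]["salt"], "nonce": nonce}

    def verify(self, username: str, response: str) -> bool:
        # The nonce is consumed whether or not the response matches, so a captured
        # response cannot be replayed; a nonce older than nonce_ttl is rejected.
        pending = self.pending.pop(username, None)
        if pending is None:
            return False
        nonce, issued_at = pending
        if self.clock() - issued_at > self.nonce_ttl:
            return False
        expected = sha256_hex(self.users[username]["pw_hash"] + nonce)
        return hmac.compare_digest(expected, response)


def client_response(password: str, challenge: dict) -> str:
    """Browser side: H(H(password+salt) + nonce); the password itself never leaves the client."""
    inner = sha256_hex(password + challenge["salt"])
    return sha256_hex(inner + challenge["nonce"])
```

Note that in this construction the stored H(password+salt) is all a client needs to answer a challenge, so the database record has to be guarded as carefully as the password itself.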
|
|
goddamnedtwisto posted:
> this bit at least isn't that strange - by their nature fetish porn sites have a much smaller market (that is prepared to spend a lot more money) and so are much more concerned about people getting their content without paying

well most fetish sites I got into were small affairs with terrible amateurish sites. the older ones were very secure though, as the full videos were only available as mail order VHS and DVD
|
# ? Oct 28, 2015 21:17 |