pseudorandom name posted: oh, good, that really simplifies the explanation of why grsecurity isn't in the mainline kernel

because spender is a tremendous dickhead

Apr 26, 2016 16:03

OSI bean dip posted: because spender is a tremendous dickhead

This patchset brought to you by a tremendous dickhead!

Apr 26, 2016 16:07

OSI bean dip posted: guys, don't call out grsec/spender on vulnerabilities or he'll block you on twitter and deny your ip from accessing his site

he also blocked people that liked / rt'd those tweets

Apr 26, 2016 16:11

Parallel Paraplegic posted: OwnCloud, for your own cloud

Apr 26, 2016 16:36

Lightbulb Out posted: he also blocked people that liked / rt'd those tweets

am i the only one who wondered for a second when steve gibson started getting into the open source business?

Apr 26, 2016 16:40

goddamnedtwisto posted: am i the only one who wondered for a second when steve gibson started getting into the open source business?

nope, i had to check the tweet for unnecessary capitalization

must be really hard to handcraft tweets in 100% pure x86 assembly language

Apr 26, 2016 16:42

goddamnedtwisto posted: am i the only one who wondered for a second when steve gibson started getting into the open source business?

*raises paw*

Apr 26, 2016 17:04

OSI bean dip posted: because spender is a tremendous dickhead

that is hardly a guaranteed DQ

sorry for music derail

Apr 26, 2016 17:34

flakeloaf posted: must be really hard to handcraft tweets in 100% pure x86 assembly language

Subjunctive posted: sorry for music derail

Apr 26, 2016 17:39

Ghost Farts posted: i think every synology nas can do that through synology's apps for android or ios.

i'm not sure about synology's security track record though

Apr 26, 2016 18:06

Wiggly Wayne DDS posted: i've only seen and heard bad things about synology, doesn't stop everyone recommending them though

tbf whenever I look up consumer NAS equipment I only ever find bad things and people declaring that ${brand} is the worst NAS ever made, I should have gone with ${other brand}

Apr 26, 2016 18:12

QNAP is the worst NAS ever made and you should have gone with ${anything else}

their NAS boxes run customized linux kernels with a new LVM segment type they made up, so if you have it set up in a certain way (whole-device iSCSI) good luck accessing your data with standard tools if the storage box's own software is malfunctioning!

at least they actually follow the GPL requirements and publish their source code. had to carefully splice some of their kernel storage subsystem changes into a stock 3.4.6 kernel and recompile their tweaked lvm2 command line tools against the distro i was using, to keep my old research group from losing about 22TB

gently caress QNAP

Apr 26, 2016 18:18

i am strictly talking about security atm though, not extra features consumers nitpick over

Apr 26, 2016 18:18

extra features irrelevant consumer anklebiters nitpick over like being able to actually recover your data

Apr 26, 2016 18:24

Wiggly Wayne DDS posted: i've only seen and heard bad things about synology, doesn't stop everyone recommending them though

synology's actual nas is solid, but all of the things that aren't "store things on a hard drive" that they put out (like the video and music apps) are at best a bit poo poo.

in security fuckup/loving news: http://www.bbc.co.uk/news/technology-36139310

quote: Data stolen from a dating website aimed at "beautiful people only" has been traded online.

i'm sure i've heard the name chris vickery before, isn't he the guy who just scans for open mongodb instances? also lol at "oh it was just a test server", because apparently that makes it okay

Apr 26, 2016 18:26

jony ive aces posted: extra features irrelevant consumer anklebiters nitpick over like being able to actually recover your data

goddamnedtwisto posted: i'm sure i've heard the name chris vickery before, isn't he the guy who just scans for open mongodb instances? also lol at "oh it was just a test server", because apparently that makes it okay

Apr 26, 2016 18:33

Wiggly Wayne DDS posted: lysidas' post wasn't up when i posted, just remember synolocker existed

oh yeah that's it - didn't he get that job after telling them that they'd left their db open too?

Apr 26, 2016 19:00

it was just a test server.

Apr 26, 2016 19:04

that we populated with production data

Apr 26, 2016 19:04

it's okay [investors], it was just a test server [so we don't have to have any downtime and can keep accepting money]!

Apr 26, 2016 19:11

I took it to mean that it was just test data but that's me being waaaay too generous

Apr 26, 2016 20:05

Parallel Paraplegic posted: tbf whenever I look up consumer NAS equipment I only ever find bad things and people declaring that ${brand} is the worst NAS ever made, I should have gone with ${other brand}

nases are the opposite of password managers. everyone hates the one they tried first

Apr 26, 2016 20:37

Munkeymon posted: I took it to mean that it was just test data but that's me being waaaay too generous

lol all the "test environments" our customers have set up that we develop against are just copies of the production databases. and it's not like piddly stupid little companies either, it's big huge ones full of juicy deets

Apr 26, 2016 21:21

https://twitter.com/Goons_TXT/status/724961256751423489

Apr 26, 2016 21:33

sending credentials in plaintext is what all the cool kids are doing now

e: shaggar'd again

RISCy Business fucked around with this message at 21:41 on Apr 26, 2016

Apr 26, 2016 21:35

MononcQc posted: Is there any decent material on using AEAD crypto stuff someone knows? Like what the hell do I do with that AAD stuff and whatnot? I can figure out how to use things, but generally "try it and figure it out" is a great way to do stupid poo poo with crypto.

the nacl/libsodium stuff should be generally foolproof, except if you repeat the nonce, then you're really really hosed, so don't do that. i don't know why they let you get so hosed, there are safer constructions they could use by default that are just a bit slower

use different keys for sending and receiving. use different keys for everything!

the additional data you use for things you can't encrypt but still want to verify, for instance sender and receiver addresses if they're needed for routing, but you don't want them to be modified

it's usually empty ime because you can't verify the ip stuff because nat, and just encrypt everything else because why not

Apr 26, 2016 22:31
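The associated-data point in the post above, as an added example in Go (not suffix's or MononcQc's code, and not libsodium) using AES-256-GCM from the standard library. The routing header goes on the wire in the clear but is passed as AAD, so the receiver's tag check fails if the header is changed in transit; sending and receiving use independent keys. The header layout ("from=...;to=..."), the `Message` struct and the `Seal`/`Open`/`Demo` names are this example's own assumptions, and the body text is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Message is the wire format of this example: the routing header travels in
// the clear but is bound to the ciphertext as associated data, so a change to
// either the header or the body fails authentication.
type Message struct {
	Header     []byte // plaintext, authenticated (e.g. sender/receiver ids)
	Nonce      []byte // 12 random bytes, never reused under the same key
	Ciphertext []byte // body || 16-byte GCM tag
}

// newGCM wraps a 32-byte key in AES-256-GCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body and authenticates header and body under key.
func Seal(key, header, body []byte) (*Message, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Message{Header: header, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, body, header)}, nil
}

// Open checks the tag over header and ciphertext before returning any plaintext.
func Open(key []byte, m *Message) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, m.Nonce, m.Ciphertext, m.Header)
	if err != nil {
		return nil, errors.New("authentication failed: header or body was modified")
	}
	return pt, nil
}

// NewDirectionalKeys returns one random key per direction. A real protocol
// would derive both from a shared secret; generating them is enough here.
func NewDirectionalKeys() (clientToServer, serverToClient []byte, err error) {
	c2s := make([]byte, 32)
	s2c := make([]byte, 32)
	if _, err = rand.Read(c2s); err != nil {
		return nil, nil, err
	}
	if _, err = rand.Read(s2c); err != nil {
		return nil, nil, err
	}
	return c2s, s2c, nil
}

// Demo seals a message with a constructed header, then shows that re-routing
// the header and using the other direction's key are both rejected.
func Demo() (headerTamperRejected, wrongKeyRejected bool, err error) {
	c2s, s2c, err := NewDirectionalKeys()
	if err != nil {
		return false, false, err
	}
	m, err := Seal(c2s, []byte("from=alice;to=bob"), []byte("constructed body"))
	if err != nil {
		return false, false, err
	}
	if _, err = Open(c2s, m); err != nil { // honest receiver succeeds
		return false, false, err
	}
	rerouted := *m
	rerouted.Header = []byte("from=alice;to=eve") // tag no longer matches
	_, e1 := Open(c2s, &rerouted)
	_, e2 := Open(s2c, m) // other direction's key never verifies
	return e1 != nil, e2 != nil, nil
}

func main() {
	h, k, err := Demo()
	fmt.Println("header tamper rejected:", h, "wrong-direction key rejected:", k, "err:", err)
}
```

The nonce here is 96 random bits drawn fresh per call; the "don't repeat the nonce" warning above is about that value, and nothing in this code protects you if you ever pass the same nonce twice under one key.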

today I discovered a web mail client where the login page is HTTP by default but you can click a link to go to the secure HTTPS login page if you want

Apr 26, 2016 22:58

deep impact on vhs posted: sending credentials in plaintext is what all the cool kids are doing now

"yeah it doesn't matter who I'm sending it to, as long as it's encrypted!!"

Apr 26, 2016 23:05

qntm posted: today I discovered a web mail client where the login page is HTTP by default but you can click a link to go to the secure HTTPS login page if you want

Apr 26, 2016 23:09

Shaggar posted: "yeah it doesn't matter who I'm sending it to, as long as it's encrypted!!"

at least only one person can see it that way??? maybe two, I guess, if I'm being mitmed, but at least I'm raising the bar to "you have to actually be able to mitm me to read my traffic" from "you just have to be somewhere on the same network"

shaggared again

Apr 26, 2016 23:19

suffix posted: the nacl/libsodium stuff should be generally foolproof, except if you repeat the nonce, then you're really really hosed, so don't do that.

Yeah the stuff is mostly for at-rest stuff (so there's no big need for asymmetric keys there?), and I already have native AES-GCM bindings, but not libsodium afaict. I ended up writing this up for fun in a few hours, which seems to do the work -- https://github.com/ferd/hairnet. Mostly I was wondering about the tags and AAD stuff's meaning or purpose, but it seems to generally replace HMAC in more standard works of using CBC-mode + HMAC, so that's what I ended up doing.

A kind of nice gotcha is that according to NIST, any non-deterministic nonce generation at any size (incl. 128 bits) apparently is only good for 2^32 calls, after which you should rotate the privkey vv

Apr 26, 2016 23:20
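One way to act on the 2^32 figure in the post above (NIST SP 800-38D's bound on GCM invocations per key when the nonce is chosen at random): an added Go example, not hairnet's code, that counts invocations per key and rotates to a fresh key before the budget is spent, keeping old keys so earlier tokens still decrypt. The one-byte key id prefix, the token layout and the `Keyring` API are this example's own choices; the demo uses a tiny budget so the rotation is visible.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DefaultBudget is the SP 800-38D bound on GCM invocations per key when the
// 96-bit nonce is chosen at random: 2^32.
const DefaultBudget uint64 = 1 << 32

const nonceSize, tagSize = 12, 16

// Keyring keeps every key that may still be needed for decryption. The
// one-byte key id stored in each token selects the key on the way back in.
type Keyring struct {
	keys   [][]byte
	uses   []uint64 // invocations so far under keys[i]
	budget uint64
}

// NewKeyring starts with one fresh key and the given per-key budget.
func NewKeyring(budget uint64) (*Keyring, error) {
	kr := &Keyring{budget: budget}
	if err := kr.rotate(); err != nil {
		return nil, err
	}
	return kr, nil
}

func (kr *Keyring) rotate() error {
	if len(kr.keys) >= 256 {
		return errors.New("key id space exhausted; re-key the whole ring")
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	kr.keys = append(kr.keys, k)
	kr.uses = append(kr.uses, 0)
	return nil
}

// CurrentKeyID is the index of the key new tokens are sealed under.
func (kr *Keyring) CurrentKeyID() int { return len(kr.keys) - 1 }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces keyID(1) || nonce(12) || ciphertext || tag(16), rotating to a
// new key first if the current one has reached its budget.
func (kr *Keyring) Seal(plaintext, aad []byte) ([]byte, error) {
	if kr.uses[kr.CurrentKeyID()] >= kr.budget {
		if err := kr.rotate(); err != nil {
			return nil, err
		}
	}
	id := kr.CurrentKeyID()
	aead, err := gcmFor(kr.keys[id])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	kr.uses[id]++ // counted before the call so a failure never under-counts
	token := append([]byte{byte(id)}, nonce...)
	return aead.Seal(token, nonce, plaintext, aad), nil
}

// Open looks up the key named by the token and authenticates before decrypting.
func (kr *Keyring) Open(token, aad []byte) ([]byte, error) {
	if len(token) < 1+nonceSize+tagSize {
		return nil, errors.New("token too short")
	}
	id := int(token[0])
	if id >= len(kr.keys) {
		return nil, errors.New("unknown key id")
	}
	aead, err := gcmFor(kr.keys[id])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, token[1:1+nonceSize], token[1+nonceSize:], aad)
}

func main() {
	kr, _ := NewKeyring(3) // tiny budget so the rotation is visible
	for i := 0; i < 5; i++ {
		tok, _ := kr.Seal([]byte("constructed record"), nil)
		fmt.Printf("token %d sealed under key id %d\n", i, tok[0])
	}
}
```

In production the counter has to survive process restarts (persist it with the key, or rotate on every start), otherwise a restart silently resets the budget; the in-memory count here is only the shape of the check.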

qntm posted: today I discovered a web mail client where the login page is HTTP by default but you can click a link to go to the secure HTTPS login page if you want

same but "forums"

Apr 26, 2016 23:48

not necessarily a sec fuckup but it makes me giggle: https://code.google.com/p/android/i...%BC%A9%EF%BC%A4

Apr 27, 2016 00:09

Sharktopus posted: not necessarily a sec fuckup but it makes me giggle:

Chef Boyardee really did do the best remix of Robocop C64 https://www.youtube.com/watch?v=vHo7npmGcHU

Apr 27, 2016 00:22

Sharktopus posted: not necessarily a sec fuckup but it makes me giggle:

Stealing this

Apr 27, 2016 01:04

MononcQc posted: Yeah the stuff is mostly for at-rest stuff (so there's no big need for asymmetric keys there?), and I already have native AES-GCM bindings, but not libsodium afaict. I ended up writing this up for fun in a few hours, which seems to do the work -- https://github.com/ferd/hairnet. Mostly I was wondering about the tags and AAD stuff's meaning or purpose, but it seems to generally replace HMAC in more standard works of using CBC-mode + HMAC, so that's what I ended up doing.

cbc + a hmac tag is a perfectly valid AE construction, tbh i kind of like it since it's simple and behaves a lot better under nonce reuse than aes-gcm

quote: A kind of nice gotcha is that according to NIST, any non-deterministic nonce generation at any size (incl. 128 bits) apparently is only good for 2^32 calls, after which you should rotate the privkey vv

yeah gcm has some extra limitations, it's fast but imo pretty scary

your generate_token() and verify_and_decrypt_token() functions claim to take a key() but actually seem to take an encoded_key()? and maybe you don't need to encode the size of the ciphertext in the payload since it's implicit from the size of the payload?

looks solid otherwise, well done

e: * not an official endorsement

suffix fucked around with this message at 01:14 on Apr 27, 2016

Apr 27, 2016 01:11

suffix posted: cbc + a hmac tag is a perfectly valid AE construction, tbh i kind of like it since it's simple and behaves a lot better under nonce reuse than aes-gcm

Oh yeah, I think at some point I had not yet figured out the tag generated was always 16 bits, and then I did but I left the size prefix there. I can probably flush the whole thing now and save 33 bytes. I'll go fix them idiotic type signatures.

E: and done

quote: e: * not an official endorsement

yeah, that's fine. If it's a thing that seems useful at work I'll get our sec team or an auditor to take a look first.

MononcQc fucked around with this message at 01:24 on Apr 27, 2016

Apr 27, 2016 01:14
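The CBC + HMAC construction the two posts above discuss, written out as an added Go example (not hairnet's Erlang code, which the thread links but does not show): encrypt-then-MAC with AES-256-CBC and HMAC-SHA256 under two independent keys, the tag computed over IV and ciphertext and checked with a constant-time compare before any decryption or padding check, and no length prefix because the token length already determines where the tag starts. The token layout and the 32-byte key sizes are this example's own choices; the sample plaintexts are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keys holds two independent keys: one for AES-256-CBC, one for HMAC-SHA256.
// Using a single key for both jobs is the mistake this split avoids.
type Keys struct {
	Enc []byte
	Mac []byte
}

const tagSize = sha256.Size // 32-byte tag

// GenerateKeys draws both keys from the OS CSPRNG.
func GenerateKeys() (Keys, error) {
	k := Keys{Enc: make([]byte, 32), Mac: make([]byte, 32)}
	if _, err := rand.Read(k.Enc); err != nil {
		return Keys{}, err
	}
	if _, err := rand.Read(k.Mac); err != nil {
		return Keys{}, err
	}
	return k, nil
}

// pad applies PKCS#7: it always adds 1..16 bytes, so unpad is unambiguous.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt returns iv || ciphertext || tag, with tag = HMAC(Mac, iv || ciphertext).
func Encrypt(k Keys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pad(append([]byte(nil), plaintext...)) // copy so the caller's slice is untouched
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(body)
	return mac.Sum(body), nil // Sum appends the tag to body
}

// Decrypt verifies the tag in constant time before touching the ciphertext, so
// a padding error is never reported for data that did not pass the tag check.
func Decrypt(k Keys, token []byte) ([]byte, error) {
	if len(token) < 2*aes.BlockSize+tagSize {
		return nil, errors.New("token too short")
	}
	body, tag := token[:len(token)-tagSize], token[len(token)-tagSize:]
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

func main() {
	k, _ := GenerateKeys()
	tok, _ := Encrypt(k, []byte("constructed secret"))
	tok[len(tok)-tagSize-1] ^= 1 // flip one ciphertext bit
	_, err := Decrypt(k, tok)
	fmt.Println("tampered token rejected:", err != nil)
}
```

Because the IV is random and the MAC covers it, a repeated IV under this construction leaks only whether two messages share a prefix block, which is the "behaves a lot better under nonce reuse" property suffix is pointing at; it is still an IV you should not repeat on purpose.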

is this a cool thing microsoft found? i don't understand assembly, but it seems like a cool thing https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/

Apr 27, 2016 04:27

anthonypants posted: is this a cool thing microsoft found? i don't understand assembly, but it seems like a cool thing https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/

microsoft's APT team is so next level they're finding malware in the future using their wizard graph:

quote: This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2016, which may indicate PLATINUM pulled the trigger earlier.

ultramiraculous fucked around with this message at 05:09 on Apr 27, 2016

Apr 27, 2016 04:45

ultramiraculous posted: microsoft's APT is so next level they're finding malware in the future using their wizard graph:

we're ~~hunters~~

Apr 27, 2016 05:01