evobatman
Jul 30, 2006

it means nothing, but says everything!
Pillbug
Throw away your loving filthy keyboards!

A new business keyboard and mouse from Dell or HP is like $10, and you can buy them by the crate. Is it worth $10 of your company's money to not have yourself or your users sit and dig their fingers into other people's poo poo, spit, snot, nail crud, dead skin and general biological waste?

I always cut the USB cables and threw out cruddy keyboards and mice that didn't get clean by just wiping with a microfiber cloth. Laptops I got in for servicing were disassembled and had their fans and insides cleaned with compressed air, and the keyboard, LCD and external chassis were cleaned with isopropyl, 3M citrus goo-b-gone and a microfiber cloth before they were returned to the user.

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:

Tier 1 comes into our office, doesn't talk to me but rather just looks at the monitoring computer. After 5 minutes of standing next to my desk looking at monitoring he tells me to ping the internal interface at remote location x.
I proceed to open monitoring and check on the firewall/tunnel state and tell him it is up, and has been for the last few hours. He tells me to ping the interface, so I do it, and there's no reply. He then tells me that he can ping every other remote location's internal firewall interface. I tell him that it's probably just configured differently.

5 minutes later I get an email from him, telling me that remote location X "can't do anything" > total outage. I proceed to check tunnel status on our main firewall and to try and reach one of the admins who has been with the company more than 5 minutes, since I haven't really gotten too familiar with the VPN setup yet.
Well, everything claims to be up and working, so I figure I'll check the remote firewall settings. After finding the (undocumented, web) management, I try to log in with the credentials from the password store. They don't work. So I call back the guy and ask him if tier 1 has the password (since they currently have access to way too many systems) and he proceeds to tell me that no one has access to the external firewalls anymore because someone changed them...
And then he tells me he just talked with remote location x, and they are experiencing no problems, "guess my hunch was wrong. Still weird that I can't ping X".

He literally wrote me an email claiming that they have a full outage because of his backwards thinking that he should be able to ping some random interface. AFTER I told him not to worry about it as long as monitoring says it's a-ok.

Asimov
Feb 15, 2016

I got 9999 ports but a bitch ain't one.

Chickenwalker
Apr 21, 2011

by FactsAreUseless

evobatman posted:

Throw away your loving filthy keyboards!

A new business keyboard and mouse from Dell or HP is like $10, and you can buy them by the crate. Is it worth $10 of your company's money to not have yourself or your users sit and dig their fingers into other people's poo poo, spit, snot, nail crud, dead skin and general biological waste?

I always cut the USB cables and threw out cruddy keyboards and mice that didn't get clean by just wiping with a microfiber cloth. Laptops I got in for servicing were disassembled and had their fans and insides cleaned with compressed air, and the keyboard, LCD and external chassis were cleaned with isopropyl, 3M citrus goo-b-gone and a microfiber cloth before they were returned to the user.

Hahaha $10 keyboards. Throw them out. Good one.

We pay $110 for each keyboard because they're application specific and have color coded keys with the key functions printed on them. Yes, every. single. one.

spankmeister
Jun 15, 2008

stubblyhead posted:

Is sha1 broken too?

It is, but not as broken as md5. It's definitely broken for password storage, and mostly broken for signature verification. Generating SHA-1 collisions is still in the "well funded adversary" territory (i.e. nation states) but it's quickly approaching the "decently funded university" stage and within a few years anyone with enough money to spend on GPUs or Amazon time can do it.

Data Graham posted:

As long as it's salted and keystretched it doesn't really matter what algorithm (within reason) you use, right? Not that there's any reason not to just use sha256 anyway.

https://crackstation.net/hashing-security.htm (this is for passwords but I imagine the principle is the same)

Like others said, not the same thing. What we're talking about is called a chosen prefix attack, where you take two different files (a pdf document, image, iso file etc) and generate a colliding hash by appending stuff to the end of those files to massage the algorithm to converge on a single hash for both files. Due to weaknesses in md5 and computational advances this attack has become practical for almost anyone with some money. (A few grand maybe).

Now as for password storage; salting and keystretching is nice but HashCat knows all of the common algorithms so all you need is a bunch of GPUs (again a few grand) to start cracking and you can crack a large database (think LinkedIn) to like 80% within days or hours. The first 50% takes only minutes (because people have terrible passwords).

evobatman
Jul 30, 2006

it means nothing, but says everything!
Pillbug

Chickenwalker posted:

Hahaha $10 keyboards. Throw them out. Good one.

We pay $110 for each keyboard because they're application specific and have color coded keys with the key functions printed on them. Yes, every. single. one.

So clean them before handing them to a new user.

Edit: Strike that. Users are loving pigs. They wouldn't know the difference if you did, and you're not paid to clean.

evobatman fucked around with this message at 08:43 on Jul 28, 2016

Chickenwalker
Apr 21, 2011

by FactsAreUseless

spankmeister posted:

It is, but not as broken as md5. It's definitely broken for password storage, and mostly broken for signature verification. Generating SHA-1 collisions is still in the "well funded adversary" territory (i.e. nation states) but it's quickly approaching the "decently funded university" stage and within a few years anyone with enough money to spend on GPUs or Amazon time can do it.


Like others said, not the same thing. What we're talking about is called a chosen prefix attack, where you take two different files (a pdf document, image, iso file etc) and generate a colliding hash by appending stuff to the end of those files to massage the algorithm to converge on a single hash for both files. Due to weaknesses in md5 and computational advances this attack has become practical for almost anyone with some money. (A few grand maybe).

Now as for password storage; salting and keystretching is nice but HashCat knows all of the common algorithms so all you need is a bunch of GPUs (again a few grand) to start cracking and you can crack a large database (think LinkedIn) to like 80% within days or hours. The first 50% takes only minutes (because people have terrible passwords).

Where did you learn this stuff?

spankmeister
Jun 15, 2008

Chickenwalker posted:

Where did you learn this stuff?

I keep up on the news and research, infosec and crypto are an interest of mine and also my job so it works out.

Jewel
May 2, 2009

If you have $110 keyboards don't let users eat at their desks

Otherwise tbh clean the things or buy new ones when you get new workers because starting a job at a company and getting someone's disgusting crumb encrusted keyboard is a huge gently caress-you

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:

Jewel posted:

If you have $110 keyboards don't let users eat at their desks

Otherwise tbh clean the things or buy new ones when you get new workers because starting a job at a company and getting someone's disgusting crumb encrusted keyboard is a huge gently caress-you

I've got crusty 1280x1024 monitors and a crusty keyboard/mouse combo, but I don't know how to bring this up. I did nudge at it several times but no one seems to think it's their business and I don't feel like talking to the bossman about it would make me look good.

Chickenwalker
Apr 21, 2011

by FactsAreUseless

Jewel posted:

If you have $110 keyboards don't let users eat at their desks

Otherwise tbh clean the things or buy new ones when you get new workers because starting a job at a company and getting someone's disgusting crumb encrusted keyboard is a huge gently caress-you

The only thing worse than users who don't clean up after themselves is posters who don't read.

Xarn
Jun 26, 2015

Data Graham posted:

As long as it's salted and keystretched it doesn't really matter what algorithm (within reason) you use, right? Not that there's any reason not to just use sha256 anyway.

https://crackstation.net/hashing-security.htm (this is for passwords but I imagine the principle is the same)

It has been mostly explained why it's two different things, but I think part of the explanation is missing.

Passwords are hashed because people are terrible and use the same password everywhere, so if you get the registration email address and user's password, chances are you have access to his email address.* And then there is a good chance you have access to ~everything, because most sites will happily send you a password reset link to said email address. It doesn't matter if you can find an arbitrarily long string with the same hash, because that string won't be the password and thus other services, with a different hash function, won't accept that arbitrarily long string. (They probably won't accept an arbitrarily long string, period. :v:) Salts then serve to A) stop rainbow table attacks (which are no longer used anyway), B) increase attack complexity by differentiating the same password being used by different users ("password" passwords). This also means that you want password hashes to take a long-rear end time, because what you are hashing is pretty much always < 100 bytes.

Files on the other hand are hashed so you can quickly detect if they have been changed in transit (whether with malicious intent, or just random bit flips happened, doesn't matter). This means that you want to use the fastest possible hash, because hashing a 1GB file takes quite a lot of time, and the file is public knowledge anyway. However, if you use a hash that is susceptible to a (second) preimage attack, then you can no longer detect malicious changes, because an attacker can create his own malicious file, and then in reasonable time, massage it so that it has the same hash. MD5 preimage attacks are currently within the reach of home user grade hardware, so it's straight out. SHA-1 is slowly getting within the reach of well-funded and motivated entities, SHA-2 is currently thought of as secure.


------
* I actually had a break-in to my gmail account secured using 20 random characters, because I was dumb and used that password in TWO places. Lesson learned, also don't trust people that they are even remotely competent and don't store password in friggin plaintext in TYOOL 2014.

ErIog
Jul 11, 2001

:nsacloud:

Chickenwalker posted:

Where did you learn this stuff?

Go do these challenges: https://cryptopals.com/

Then go read about slightly more modern algorithms on Wikipedia or some place else. This stuff isn't rocket science. You can teach yourself*

*for the love of god don't try to roll or even implement your own loving crypto. You will gently caress it up, and those challenges will put the fear of god into you about how little you need to gently caress up to undermine your own cryptography.

Collateral Damage
Jun 13, 2009

There's a reason the InfoSec thread has the tagline DON'T ROLL YOUR OWN CRYPTO

Keeping the algorithm of your crypto secret doesn't make it any more secure. Using a public algorithm on the other hand means that when/if it gets broken, you'll hear about it and can adapt.

Thanks Ants
May 21, 2004

#essereFerrari

For what it's worth, KeePass is getting a full code audit by the EU

https://joinup.ec.europa.eu/community/eu-fossa/news/results-eu-fossa-survey

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.

Wilford Cutlery posted:

Odd question I know, but where can I download Windows 8.0? I own a license but need the installer or the .iso file.

8.0 is EoL, please don't use it. 8.1 is basically 8SP1.

Collateral Damage
Jun 13, 2009

Thanks Ants posted:

For what it's worth, KeePass is getting a full code audit by the EU

https://joinup.ec.europa.eu/community/eu-fossa/news/results-eu-fossa-survey

That's pretty cool. I didn't know that workgroup existed within the EU.

Data Graham
Dec 28, 2009

📈📊🍪😋

Xarn posted:

It has been mostly explained why it's two different things, but I think part of the explanation is missing.

Passwords are hashed because people are terrible and use the same password everywhere, so if you get the registration email address and user's password, chances are you have access to his email address.* And then there is a good chance you have access to ~everything, because most sites will happily send you a password reset link to said email address. It doesn't matter if you can find an arbitrarily long string with the same hash, because that string won't be the password and thus other services, with a different hash function, won't accept that arbitrarily long string. (They probably won't accept an arbitrarily long string, period. :v:) Salts then serve to A) stop rainbow table attacks (which are no longer used anyway), B) increase attack complexity by differentiating the same password being used by different users ("password" passwords). This also means that you want password hashes to take a long-rear end time, because what you are hashing is pretty much always < 100 bytes.

Files on the other hand are hashed so you can quickly detect if they have been changed in transit (whether with malicious intent, or just random bit flips happened, doesn't matter). This means that you want to use the fastest possible hash, because hashing a 1GB file takes quite a lot of time, and the file is public knowledge anyway. However, if you use a hash that is susceptible to a (second) preimage attack, then you can no longer detect malicious changes, because an attacker can create his own malicious file, and then in reasonable time, massage it so that it has the same hash. MD5 preimage attacks are currently within the reach of home user grade hardware, so it's straight out. SHA-1 is slowly getting within the reach of well-funded and motivated entities, SHA-2 is currently thought of as secure.


------
* I actually had a break-in to my gmail account secured using 20 random characters, because I was dumb and used that password in TWO places. Lesson learned, also don't trust people that they are even remotely competent and don't store password in friggin plaintext in TYOOL 2014.

Thanks, I appreciate these explanations.

KoRMaK
Jul 31, 2012

Welp my boss, big boss, came into the scrum and talked to me and my manager and well basically I get to play a dramatic role for a cyber exercise and basically get to do this. I'm going to be on camera, in silhouette probably reading some hacker poo poo about how I cryptoed and stole all their info for a big bank or hospital or something


I should go crawl amazon for dumb computer poo poo to stick on my head while I'm shadowed on camera. goons, what should I wear? PM me any suggestions. Please help me make this goony

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Is this something where everyone is in on the joke, or will you be perpetuating the stereotype for C levels who think that actual intruders won't be wearing suits or coveralls?

KoRMaK
Jul 31, 2012

Let's perpetuate a stereotype.

I don't have enough time to grow out a pony tail unfortunately.

they probably want something like an anonymous video like this
https://youtu.be/OTMaIX_JPE4?t=47s

but I want to give them something more like this
https://www.youtube.com/watch?v=fQGbXmkSArs
e: def need a powerglove lookin thing, and some commander overlay eye piece thing

https://www.youtube.com/watch?v=KEkrWRHCDQU

KoRMaK fucked around with this message at 15:15 on Jul 28, 2016

Inspector_666
Oct 7, 2003

benny with the good hair

Be hip and with it: http://www.nbcuniversalstore.com/mr-robot-fsociety-mask/detail.php?p=989222

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

evobatman posted:

Throw away your loving filthy keyboards!

A new business keyboard and mouse from Dell or HP is like $10, and you can buy them by the crate. Is it worth $10 of your company's money to not have yourself or your users sit and dig their fingers into other people's poo poo, spit, snot, nail crud, dead skin and general biological waste?

I always cut the USB cables and threw out cruddy keyboards and mice that didn't get clean by just wiping with a microfiber cloth. Laptops I got in for servicing were disassembled and had their fans and insides cleaned with compressed air, and the keyboard, LCD and external chassis were cleaned with isopropyl, 3M citrus goo-b-gone and a microfiber cloth before they were returned to the user.

I have a bunch of sacrificial dell keyboards I picked up from goodwill for $2 each. They make perfect garage keyboards, I can get them covered in grease and dirt and paint thinner, and when I'm done I just toss it in the dishwasher.

KoRMaK
Jul 31, 2012

Hell yea so glad I posted here - I can't believe I blanked on mr robot

That mask is perfect, thanks for the tip.

Alighieri
Dec 10, 2005

:dukedog:

Another client complaining of bad audio. This time it is due to them having just an ADSL line in nowheresville Australia. They used to have T1's to a GSM gateway, but storms took out all the infrastructure for the T1's so SIP was their idea to move to. We put them on g.729 to try and get it to work, but lo and behold

Thanks Ants
May 21, 2004

#essereFerrari

If they have ADSL then they have POTS, surely? I think they need to abandon their SIP dreams.

pubic void nullo
May 17, 2002

Chickenwalker posted:

Where did you learn this stuff?

If you want to stay reasonably current on what is broken and what is not you can subscribe to Schneier's CRYPTO-GRAM and just skim it once a month.

Alighieri
Dec 10, 2005

:dukedog:

Thanks Ants posted:

If they have ADSL then they have POTS, surely? I think they need to abandon their SIP dreams.

The whole reason they went SIP was cost. It is a lot cheaper for us to deploy SIP to them instead of having to ship them a whole new server + cards for POTS. The ADSL line is shared with their entire office and telephony equipment so they are looking at getting a second line delivered for dedicated telephony, which might help, but not sure how much. In the end my opinion does not really matter, it's all sales, I just have to make it work.

Data Graham
Dec 28, 2009

📈📊🍪😋

pubic void nullo posted:

If you want to stay reasonably current on what is broken and what is not you can subscribe to Schneier's CRYPTO-GRAM and just skim it once a month.

drat, I even used to get that, years and years ago. But it was to my work email, and welp.

FlapYoJacks
Feb 12, 2009

KoRMaK posted:

Let's perpetuate a stereotype.

I don't have enough time to grow out a pony tail unfortunately.

they probably want something like an anonymous video like this
https://youtu.be/OTMaIX_JPE4?t=47s

but I want to give them something more like this
https://www.youtube.com/watch?v=fQGbXmkSArs
e: def need a powerglove lookin thing, and some commander overlay eye piece thing

Uh, you need a lot more than that sir.

https://www.youtube.com/watch?v=KEkrWRHCDQU

Thanks Ants
May 21, 2004

#essereFerrari

Where's the annotated photo of the goon with the pistol, flash drives, cap, torch etc? Dress like that.

TITTIEKISSER69
Mar 19, 2005

SAVE THE BEES
PLANT MORE TREES
CLEAN THE SEAS
KISS TITTIESS

pixaal posted:

8.0 is EoL, please don't use it. 8.1 is basically 8SP1.

Wilford Cutlery posted:

Thanks, I did get a working 8.0 iso and got it installed. My ultimate goal is to move to 10 while it's still free, or failing that 8.1, but I have to get around the CompareExchange128 obstacle first.

Tick tock!

Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.

Time Warner give my midwest office back their IP address you broke my tunnel you jerks.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

who uses time warner in the midwest?? This is comcast territory son

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Judge Schnoopy posted:

who uses time warner in the midwest?? This is comcast territory son

texass

FlapYoJacks
Feb 12, 2009

Texas is the south.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

touche, yeah I couldn't really think of anywhere in the midwest that I've heard of using TWC.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

MF_James posted:

touche, yeah I couldn't really think of anywhere in the midwest that I've heard of using TWC.

This is where the big cable cos were ~5 years ago. Most of it's still the same now:

Inspector_666
Oct 7, 2003

benny with the good hair

fishmech posted:

This is where the big cable cos were ~5 years ago. Most of it's still the same now:


I had no idea that Cablevision was out in the Rockies.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

pubic void nullo posted:

If you want to stay reasonably current on what is broken and what is not you can subscribe to Schneier's CRYPTO-GRAM and just skim it once a month.

Just bear in mind that it comes with Schneier's bias.
