Well this has all been educational. I was just about to throw in something that would obfuscate the id's in the injected HTML, but using caller.toString() is ... pretty devastating since there would always be some signature. Can't think of a way around that without going into extension territory, yeah. The reason I didn't go with extensions was because of the polymorphic "feature", it would be hard to distribute an extension that's different for every user through standard means. Ah well. Don't roll your own crypto, folks.
|
# ? Sep 5, 2016 03:00 |
|
|
CLAM DOWN posted: poo poo, I definitely can't make anything this week, then I'm at SANS the following. How often do these happen?
On the 2nd Thursday of each month.
|
# ? Sep 5, 2016 03:29 |
|
What are the downsides, apart from signer key compromise, to issuing software licenses as X509 certificates and encoding license capabilities as OIDs in its extended attributes? I'm moving forward with licensing the panel shortly and everything in my head clicks to use X509 to handle panel licensing:
|
# ? Sep 5, 2016 07:38 |
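As an added illustration of the licensing-as-X.509 idea in the post above (example code written here, not the poster's panel code), this Go program signs a license leaf under a private root, stores the capability list in a custom extension under an assumed, unregistered private-enterprise OID, and verifies chain and validity window before honouring any capability. The root key is the signer key the post already names; the checks show the other downsides a practitioner has to handle: an expired license, one signed by a different root, or malformed input all grant nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Assumed, unregistered OID under the private-enterprise arc for the capabilities extension.
var oidCaps = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// IssueLicense mints a signing root (the key whose compromise is the obvious downside) and signs a license leaf
// carrying the capability list as a SEQUENCE OF string in the custom extension; returns leaf DER plus a trust pool.
func IssueLicense(caps []string, ttl time.Duration) ([]byte, *x509.CertPool, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Panel License CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(caDER) // produced just above, so it parses
	capDER, _ := asn1.Marshal(caps)       // []string always encodes (PrintableString or UTF8String)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "license:customer-42"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature, ExtraExtensions: []pkix.Extension{{Id: oidCaps, Value: capDER}}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leafDER, roots, err
}

// CheckLicense chains the leaf to the trusted root and checks its validity window at `now` BEFORE reading any
// capability, so a forged, expired, not-yet-valid or foreign-root license grants nothing.
func CheckLicense(leafDER []byte, roots *x509.CertPool, now time.Time) ([]string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	// ExtKeyUsageAny: a license leaf has no TLS purpose, so do not let the default ServerAuth check reject it.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, err
	}
	var caps []string // a valid cert without the extension carries zero capabilities
	for _, e := range leaf.Extensions {
		if e.Id.Equal(oidCaps) {
			_, err = asn1.Unmarshal(e.Value, &caps)
		}
	}
	return caps, err
}
```

Revocation is not covered: once the license is signed, only the validity window limits it unless the panel also consults a revocation list of serial numbers.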
|
Rufus Ping posted: i mean seriously, if there are people out there who don't trust proper password managers but do trust some pile of poo poo w3schools-quality javascript bookmarklet written by local helpdesk janitor Tod McRetard, then your response shouldn't be to indulge their stupidity
brutal, but fair
|
# ? Sep 5, 2016 10:29 |
|
Dex posted: brutal, but fair
Honest is not brutal. This kind of poo poo is the curse of IT and Info Sec.
|
# ? Sep 5, 2016 13:10 |
|
ming-the-mazdaless posted: Honest is not brutal.
It's definitely brutal. It being honest or a curse to IT/InfoSec doesn't change that.
|
# ? Sep 5, 2016 14:28 |
|
ming-the-mazdaless posted: Honest is not brutal.
It's literally called "brutal honesty" you dork
|
# ? Sep 5, 2016 14:33 |
|
ming-the-mazdaless posted: Honest is not brutal.
I like to think I provided a decent amount of actual feedback and criticism before taking the piss out of him
|
# ? Sep 5, 2016 15:18 |
|
Rufus Ping posted: I like to think I provided a decent amount of actual feedback and criticism before taking the piss out of him
Your wind-up was exemplary.
|
# ? Sep 5, 2016 15:19 |
|
ming-the-mazdaless posted: Honest is not brutal.
If you unironically post awful home made crypto in a thread with "DONT ROLL YOUR OWN CRYPTO" in the title, you are going to get lit up
|
# ? Sep 5, 2016 22:32 |
|
I think for all the fun I have provided I at least deserve a red text. Also, the project lives on, with hazard warnings, because I am a) a dumbass and b) it's useful for other ideas (no crypto). I'd also like to thank all of you for your mostly helpful and not at all calling me an idiot feedback. Special thanks for the PoC and explanation which I have understood. As my username implies, I do get ideas that are not quite rational from time to time. So. If the bookmarklet calls a secure service to obtain a salt
|
# ? Sep 6, 2016 03:07 |
|
FeloniousDrunk posted: I think for all the fun I have provided I at least deserve a red text. Also, the project lives on, with hazard warnings, because I am a) a dumbass and b) it's useful for other ideas (no crypto). I'd also like to thank all of you for your mostly helpful and not at all calling me an idiot feedback. Special thanks for the PoC and explanation which I have understood. As my username implies, I do get ideas that are not quite rational from time to time.
How about you pay for your own red text?
|
# ? Sep 6, 2016 03:24 |
|
FeloniousDrunk posted: I think for all the fun I have provided I at least deserve a red text. Also, the project lives on, with hazard warnings, because I am a) a dumbass and b) it's useful for other ideas (no crypto). I'd also like to thank all of you for your mostly helpful and not at all calling me an idiot feedback. Special thanks for the PoC and explanation which I have understood. As my username implies, I do get ideas that are not quite rational from time to time.
Please come out to this sometime: http://vansec.org
|
# ? Sep 6, 2016 03:37 |
|
OSI bean dip posted: Please come out to this sometime:
I'll definitely be at the next one, mainly because discussion of CSOX is discouraged.
|
# ? Sep 6, 2016 04:12 |
|
OSI bean dip posted: Please come out to this sometime:
Kind of afraid I'm being set up for a huge embarrassment. But hey, I just did this, so how much worse could it be. I shall attempt to be there. I will be likely trying to lurk, unnoticed.
|
# ? Sep 6, 2016 04:29 |
|
FeloniousDrunk posted: Kind of afraid I'm being set up for a huge embarrassment. But hey, I just did this, so how much worse could it be. I shall attempt to be there. I will be likely trying to lurk, unnoticed.
You got rightfully poo poo all over in this thread, but if you have a desire to learn more about crypto, don't stop experimenting (just don't pretend you'll publicly release anything) and definitely meet and talk to others in the same industry! Just don't use any open wifi networks in the same meetup spot though.
|
# ? Sep 6, 2016 04:31 |
|
It helps to ask questions. I don't invite people to these events to have them embarrassed as I'd rather see people learn than anything else. That said, I have had to walk away from a conversation at this event because some dimwit tried to talk me up into this idea of rewriting Wi-Fi drivers so he could implement a paywall wireless network solution.
|
# ? Sep 6, 2016 04:40 |
|
OSI bean dip posted: It helps to ask questions. I don't invite people to these events to have them embarrassed as I'd rather see people learn than anything else.
|
# ? Sep 6, 2016 05:22 |
|
Oh. It involved Bitcoin too.
|
# ? Sep 6, 2016 05:58 |
|
FeloniousDrunk posted: Also, the project lives on, with hazard warnings, because I am a) a dumbass and b) it's useful for other ideas (no crypto)
Just take it down. You might have realized being wrong, but someone else might get the wrong idea, even if you have a warning on the page.
|
# ? Sep 6, 2016 08:22 |
|
keseph posted: My limited understanding of it is:
De-dupe isn't real-time though. New writes in VMware go against free pages and then a background host process generates hashes asynchronously for possible hits and does a final comparison before dropping and remapping the duplicate pages. Write latency is going to be further impacted by large vs small pages being allocated (depending on host load, dedupe only kicks in by default at 80%+ host utilization) and by that threshold you're dipping in to the memory balloon, mem compression, and potentially swapping which would further make write latency a useless metric.
|
# ? Sep 6, 2016 14:26 |
|
FeloniousDrunk posted: Also, the project lives on, with hazard warnings
Delete it. It's literally a danger to people's security to have it exist, even with warnings. Hopefully after your experience here you understand why.
|
# ? Sep 6, 2016 15:10 |
|
FeloniousDrunk posted: Kind of afraid I'm being set up for a huge embarrassment. But hey, I just did this, so how much worse could it be. I shall attempt to be there. I will be likely trying to lurk, unnoticed.
It's probably hard to believe but security nerds are generally a lot nicer in real life than online.
|
# ? Sep 7, 2016 05:29 |
|
pr0zac posted: It's probably hard to believe but security nerds are generally a lot nicer in real life than online.
No way computer geeks talk tougher on the Internet than face-to-face.
|
# ? Sep 7, 2016 09:08 |
|
Squeegy posted: No way computer geeks talk tougher on the Internet than face-to-face.
What the gently caress did you just loving say about me, you little bitch? I'll have you know I graduated top of my class in the Navy Seals, and
|
# ? Sep 7, 2016 16:14 |
|
pr0zac posted: It's probably hard to believe but security nerds are generally a lot nicer in real life than online.
At work, I have to deal with certain people who don't see security with any semblance of importance and in turn end up creating barriers that impede me or my team's ability to make improvements or determine problems. This is a common problem with any security operations team, but when it comes up during incident response scenarios, it's incredibly grating. With all of that frustration, it doesn't make things better to go and piss off those individuals so usually you have to build up social capital and then expend it when you run across these things. It's something I have the patience for at work because I get paid enough to not make it a problem. On the Internet I don't need to worry about that. However, I won't chew someone out unless it is deserved.
|
# ? Sep 7, 2016 18:18 |
|
A vendor pitched this 1million bit encryption thingy to us: http://www.cubeitz.com/next-level-security/
|
# ? Sep 7, 2016 21:09 |
|
flosofl posted:
Thank you guys for the info and offering help, it is greatly appreciated!!
|
# ? Sep 7, 2016 21:12 |
|
Cowboy Mark posted: A vendor pitched this 1million bit encryption thingy to us:
https://beta.companieshouse.gov.uk/company/08045866 Let's start there
And seriously, what vendor decided that is something to try and pitch to their customers?
Thanks Ants fucked around with this message at 21:52 on Sep 7, 2016 |
# ? Sep 7, 2016 21:40 |
|
OSI bean dip posted: Please come out to this sometime:
Need one of these in Edmonton, yarr.
|
# ? Sep 7, 2016 21:50 |
|
Thanks Ants posted: https://beta.companieshouse.gov.uk/company/08045866
https://securitysnakeoil.org/ It'll likely be posted about here.
|
# ? Sep 7, 2016 21:57 |
|
Quote: "CubeiTz does not use ANY of this underlying technology... " Underneath mentioning vulnerabilities in C. Impressive that they've written a whole secure OS that doesn't use anything from the Windows/NT stack, Linux kernel OR Mac kernel! Way to go, guys.
|
# ? Sep 8, 2016 00:08 |
|
apropos man posted: Quote:
It's written in RealBASIC
|
# ? Sep 8, 2016 00:27 |
|
At least I'm not that guy. On another note, "2nd Thursday" being tomorrow? I have trouble with 0 and 1 apparently
|
# ? Sep 8, 2016 04:45 |
|
FeloniousDrunk posted: At least I'm not that guy.
Yes.
|
# ? Sep 8, 2016 05:01 |
|
OSI bean dip posted: Yes.
Sweet. I'll be the long haired old guy just trying to fit in, you know the type.
|
# ? Sep 8, 2016 05:12 |
|
FeloniousDrunk posted: Sweet. I'll be the long haired old guy just trying to fit in, you know the type.
Turns out Felonious is secretly everyone in this thread just immediately super owned.
|
# ? Sep 8, 2016 06:10 |
|
A little more like
But less attractive
|
# ? Sep 8, 2016 06:19 |
|
CLAM DOWN posted: This is about Windows 10 though, why would you still be on 8.1
If you're like me, it's because even though the automated update process interrupted me doing things several times on two separate machines, it always ended with it automatically rolling back to 8.1 with a failed install.
Unrelatedly, what's the current best practice for identity verification and encryption for email? I know things like this exist for pgp/gpg https://pgp.mit.edu/ but my takeaway from this thread is that those aren't terribly good anymore? Is that true?
|
# ? Sep 8, 2016 21:21 |
|
|
big black turnout posted: If you're like me, it's because even though the automated update process interrupted me doing things several times on two separate machines, it always ended with it automatically rolling back to 8.1 with a failed install
Personally I'm only on 8.1 because my computer's manufacturer doesn't make drivers for 7.
|
# ? Sep 8, 2016 21:27 |