|
Sleeper Pimp posted:I deal mostly with bug bounty submissions. Am I allowed to drink with all you folks? (I need a drink.) You weren't issued a bottle of hard alcohol for your desk during orientation?
|
#
?
Sep 26, 2016 21:08
|
|
|
|
| # ? May 12, 2024 16:37 |
|
|
Maneki Neko posted:You weren't issued a bottle of hard alcohol for your desk during orientation? That was probably more than 10 days ago, so he or she is due for a refill. I used to administer a high-visibility bug bounty program ~10 years ago, and I would have given my left pinky to throw the whole mess at HackerOne.
|
|
#
?
Sep 26, 2016 22:42
|
|
|
Sleeper Pimp posted:I deal mostly with bug bounty submissions. Am I allowed to drink with all you folks? (I need a drink.) Yes.
|
|
#
?
Sep 26, 2016 22:58
|
|
|
Sleeper Pimp posted:I deal mostly with bug bounty submissions. Am I allowed to drink with all you folks? (I need a drink.) can I answer this in the form of a 40 minute screencast where I highlight broken English in notepad word by word then alt-tab to something too small to read in Burp Suite
|
|
#
?
Sep 26, 2016 23:38
|
|
|
I sat in a meeting today, as I have done for many months, asking that 2fa be put on O365. One of the development directors told me today that her team could make their own 2fa solution that could do what the parade of companies my team had brought on were offering. I stood up, yelled "DON'T ROLL YOUR OWN CRYPTO" and walked out. Can I drink with you guys too? Mustache Ride fucked around with this message at 01:04 on Sep 27, 2016 |
|
#
?
Sep 27, 2016 01:01
|
|
|
Mustache Ride posted:I sat in a meeting today, as I have done for many months, asking that 2fa be put on O365. One of the development directors told me today that her team could make their own 2fa solution that could do what the parade of companies my team had brought on were offering. I'll buy the first round.
|
|
#
?
Sep 27, 2016 01:18
|
|
|
Is there a standard data format for encrypting a blob of binary data? I know of XML encryption for encrypting XML and of JWE but they both require binary data to be base64-encoded for representation (or some custom enveloping mechanism to stick the data "off to the side"). All I want is to encrypt some bytes and stick a binary header in front and to do it in a standard way that does not require any reinvention of wheels.
|
|
#
?
Sep 27, 2016 07:40
|
|
|
Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands. I hope this is a sign of things to come! CAs have gotten away with ridiculous poo poo for far too long.
|
|
#
?
Sep 27, 2016 10:07
|
|
|
Are SIEM solutions on the same level as AV in this threads eyes? Anyone used Alien Vault and does anyone have an opinion on it?
|
|
|
#
?
Sep 27, 2016 12:43
|
|
|
Alien Vault looks like a very scaled down SIEM, mainly it looks like a Nessus knock off with some network hardware stuff built in, and an endpoint agent that doesn't really do much. If that's what you're looking for, great, but I'd rather be able to put my own data streams into a SIEM, or even forget the whole SIEM thing and do something like FIDO
|
|
#
?
Sep 27, 2016 13:02
|
|
|
I fell in on a deployment, so yeehaw for half baked aquisitions I had nothing to do with.
|
|
|
#
?
Sep 27, 2016 13:14
|
|
|
Fudge posted:Are SIEM solutions on the same level as AV in this threads eyes? Anyone used Alien Vault and does anyone have an opinion on it? I used QRadar in the past after evaluating a handful. It was really good (in '07, not sure about now). It all depends on what you're looking to do. SIEMs are expensive, but roll-your-own log consolidation and querying/alerting with open source tools is cheap but takes a lot of work.
|
|
#
?
Sep 27, 2016 16:51
|
|
|
EssOEss posted:Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands. This is excellent.
|
|
#
?
Sep 27, 2016 16:57
|
|
|
read the m.d.s.policy mailing list posts when you have an hour or two, they are amazingquote:On 01/09/16 04:04, Richard Wang wrote: ceo of wosign posted:This is the standard way in China Internet, if a west company say something to China company, all will support the west company. quote:WoSign claimed foreign CA might revoke certs to Chinese orgs due to politics and claimed that foreign CA will collect all users information. This is a typical marketing email they sent. https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large Translated below.
|
|
#
?
Sep 27, 2016 19:28
|
|
|
Ah, the "have cake and eat it" approach to discussions
|
|
#
?
Sep 27, 2016 19:39
|
|
|
Thanks Ants posted:Ah, the "have cake and eat it" approach to discussions The ever classic.
|
|
#
?
Sep 27, 2016 20:27
|
|
|
 at the Chinese taking the "don't make it political" angle.I'm surprised they failed to mention something about hurting the feelings of the Chinese people.
|
|
#
?
Sep 27, 2016 21:23
|
|
|
The trust is already broken. It shouldn't be a proposal at this point, they should already be distrusting WoSign's entire root. IMHO. They should be made an example of. May give others pause before carrying out shady practices in the future.
|
|
#
?
Sep 27, 2016 21:53
|
|
|
Mainland Chinese business strategy with outside nations appears to be: literally say anything that works to win the conversation and by the power of face ignore the consequences. It's quite uncanny.
|
|
#
?
Sep 27, 2016 23:23
|
|
|
MrMoo posted:Mainland Chinese business strategy with outside nations appears to be: literally say anything that works to win the conversation and by the power of face ignore the consequences. It's quite uncanny. So they learned well from American businesses.
|
|
#
?
Sep 28, 2016 00:27
|
|
|
Maneki Neko posted:You weren't issued a bottle of hard alcohol for your desk during orientation? I had a bottle of scotch on my desk when I worked at WhiteHat security, didn't think I'd need it. Rufus Ping posted:can I answer this in the form of a 40 minute screencast where I highlight broken English in notepad word by word then alt-tab to something too small to read in Burp Suite Is that copy of Burp Suite Pro licensed to Larry Lau by any chance?
|
|
#
?
Sep 28, 2016 03:56
|
|
|
milk milk lemonade posted:Are SIEM solutions on the same level as AV in this threads eyes? Anyone used Alien Vault and does anyone have an opinion on it? It's garbage in, garbage out. You should always be doing some level of log collection within your enterprise but a lot of SIEM solutions are no better than IDS/IPS. You can use something like ELK if you have no budget to collect things and then use it to hunt for threats--be careful to remember that ELK, Splunk, and SumoLogic for example are (sort of) not SIEMs. https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations https://www.sans.org/reading-room/whitepapers/detection/scalable-methods-conducting-cyber-threat-hunt-operations-37090 You need eyes on your SIEM at all times and these eyes need to know what is crap and what is not--and it really is more going to be the former, which is why I say "garbage in, garbage out". So the above links may be useful because it's a good approach to determine what is going on your network.
|
|
#
?
Sep 28, 2016 04:05
|
|
|
OSI bean dip posted:It's garbage in, garbage out. You should always be doing some level of log collection within your enterprise but a lot of SIEM solutions are no better than IDS/IPS. You can use something like ELK if you have no budget to collect things and then use it to hunt for threats--be careful to remember that ELK, Splunk, and SumoLogic for example are (sort of) not SIEMs. Any opinions on MozDef?
|
|
#
?
Sep 28, 2016 04:35
|
|
|
DumbWhiteGuy posted:Any opinions on MozDef? I have none but Jeff Bryner is pretty good at what he does so it's likely worth checking out.
|
|
#
?
Sep 28, 2016 04:50
|
|
|
The majority of the work with SIEM products is normalising the data coming in so that it can actually be correlated. Any product which makes that simpler would be good, McAfee SIEM is terrible from what I've seen.
|
|
#
?
Sep 28, 2016 08:26
|
|
|
stevewm posted:The trust is already broken. It shouldn't be a proposal at this point, they should already be distrusting WoSign's entire root. IMHO.
|
|
#
?
Sep 28, 2016 12:14
|
|
|
SIEM talk: I inherited a decade old implementation of ArcSight that has been abused and flogged worse than a rented mule, we are going to shitcan it most likely and shift to Splunk ES.
|
|
#
?
Sep 28, 2016 13:40
|
|
|
ES is poo poo, don't pay for that crap.
|
|
#
?
Sep 28, 2016 13:54
|
|
|
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/lWJ1zdUJPLI
|
|
#
?
Oct 1, 2016 15:26
|
|
|
I finally sat down and read through the entire WoSign fiasco on the Mozilla group and just ... wow. Was definitely worth the four hours it took to sort it all. Anyways this is a really good summary by the Mozilla leads on it.
|
|
#
?
Oct 2, 2016 01:03
|
|
|
I made a fairly simple PRNG for the CHIP-8 virtual machine architecture (for OctoJam 3). It is a 64-bit LFSR using 'maximum period taps' I took from a table. For each byte of output, I advance state once and XOR the 8 bytes of state together. Can I improve the output by doing something smarter when creating the output byte? I don't need/want to make this have output suitable for crypto, but I would like it to work well, especially if I can improve it without too much performance impact. Note that CHIP8 can only shift 1 bit at a time and doesn't have multiply or divide, so some things are slower/take more code than you might expect. github link I figured people watching this thread would know about this kind of thing, I can take it to CoC general programming questions thread if it isn't appropriate here. taqueso fucked around with this message at 19:58 on Oct 3, 2016 |
|
#
?
Oct 3, 2016 19:54
|
|
|
taqueso posted:I made a fairly simple PRNG for the CHIP-8 virtual machine architecture (for OctoJam 3). It is a 64-bit LFSR using 'maximum period taps' I took from a table. For each byte of output, I advance state once and XOR the 8 bytes of state together. Can I improve the output by doing something smarter when creating the output byte? I don't need/want to make this have output suitable for crypto, but I would like it to work well, especially if I can improve it without too much performance impact. It depends on what properties you need of the numbers, the rate at which you need the numbers generated, and the amount of cycles you're willing to burn. For a game where you're creating enemies at (random%x, random%y) for a bullet hell shooter or something, an LCG is usually "good enough", but there are certain properties (ease of prediction given observation of existing state and auto-correlation, for instance) that make it bad for most other things. You'll also probably want to make the library more careful about seed selection to avoid fixed points. At a glance, without knowing the language, your 'mixing' of the bytes of state is... well, it's better than taking the lower bytes themselves, at least. Just make sure that it's not used for anything important.
|
|
#
?
Oct 3, 2016 21:46
|
|
|
I decided not to use an LCG because multiplication is so expensive. It's for a game, on an architecture almost no-one cares about, nothing bad will happen if someone determines the state or predicts the output. In order of importance, I would like it to be fast (less than a couple hundred instructions to advance state and get an output value should be OK), have low correlation between successive outputs, and have good dimensional distribution. The output will be used to generate levels, where I expect to use a few thousand random values. During gameplay, it will be used for attack rolls, etc. The game is turn based so it isn't the end of the world to delay things a bit, but I would rather avoid that. What would I do to improve seed selection? What is a 'fixed point' in this context? As far as I know, the LFSR should have a 2^64-1 period, and state 0 is unreachable. Could you recommend a better way of mixing the state to obtain the output? Should I include something non-linear (I think I could use addition)?
|
|
#
?
Oct 3, 2016 22:15
|
|
|
The fallout of the recent hack of the DNC by Russia (widely believed to be Russia) is fascinating. Does this house think that we should all be wary Russian hackers now, or is it a case of high profile targets attracting the most determined and expert attention? If the Russian's are feeding Assange, then what do his tweets that look like hashes mean?
|
|
#
?
Oct 19, 2016 10:17
|
|
|
The US hasn't presented any real evidence that it was Russian state sponsored and I'm not exactly willing to accept their claims at face value with the amount of baseless fearmongering and recent attempts to restart the cold war. With that said, we definitely should be concerned with the capabilities of any state actor with a moderate budget (let alone ones we are actively antagonizing) because our infrastructure is hilariously vulnerable and it wouldn't be that difficult to cause large scale disruptions in the energy sector and heavy industry/manufacturing.
|
|
#
?
Oct 19, 2016 17:56
|
|
|
apropos man posted:The fallout of the recent hack of the DNC by Russia (widely believed to be Russia) is fascinating. Does this house think that we should all be wary Russian hackers now, or is it a case of high profile targets attracting the most determined and expert attention? Those were deadman tweets. They probably triggered because Ecuador cut his Internet access in the embassy. They also lead to hilarious accusations that Pamela Anderson poisoned him, because she visited him right before that all happened. I imagine they are the passphrases to unlock specific files that are on the wiki but still encrypted.
|
|
#
?
Oct 19, 2016 20:14
|
|
|
flosofl posted:They also lead to hilarious accusations that Pamela Anderson poisoned him  for real?
|
|
#
?
Oct 19, 2016 20:20
|
|
|
CLAM DOWN posted:
You fuckin' know it.
|
|
#
?
Oct 19, 2016 20:22
|
|
|
Ahahaha what the gently caress is this world we live in
|
|
#
?
Oct 19, 2016 20:26
|
|
|
|
| # ? May 12, 2024 16:37 |
|
|
CLAM DOWN posted:Ahahaha what the gently caress is this world we live in When I first saw this, the article I found had waaay more amazing tweets, but I forget where it was from.
|
|
#
?
Oct 19, 2016 20:30
|
|