Thanks Ants posted: if you develop static pages then fair enough, but if your employer can't see the value in attending presentations from people who have exposed weaknesses in web services and being able to network with other people in the industry for less than the price of a weeklong classroom for a vendor cert then welp

Yes, take a look at the agenda of papers/presentations for the event you want to attend. A lot of these are wide ranging, so you should be able to make some of them apply to your current job somehow. Some are relatively inexpensive, like DefCon. Others are expensive, like Black Hat. There's a whole range in between, so you can probably sell it budget-wise unless you work for a real skinflint.

E: Added quote for context because new page

Dec 29, 2016 14:19

Jimmy Carter posted: so what's the over/under on someone already having a 0day for Amazon Echo that constantly records ambient audio and dumps it to a server (which is a relatively easy option given that you have guaranteed constant power and network with Echo and Echo Dot)?

What's the attack vector? I can't imagine Amazon running some dumb local webserver like other IoT garbage, and it's not like you can talk it into going to some hostile webpage either.

Volmarias fucked around with this message at 14:30 on Dec 29, 2016

Dec 29, 2016 14:26
|
Volmarias posted: What's the attack vector?

a subpoena/court order

Dec 29, 2016 14:39
|
Volmarias posted: I can't imagine Amazon running some dumb local webserver like other IoT garbage

lol that's more your lack of imagination mate

Dec 29, 2016 14:49
|
I'm sure if you crack it open there's a JTAG or ICSP header

Dec 29, 2016 15:00
|
BiohazrD posted: I'm sure if you crack it open there's a JTAG or ICSP header

https://github.com/echohacking/wiki/wiki

Dec 29, 2016 15:09
|
the nintendo talk is painful to watch, jesus christ take a public speaking course or something. you can randomly pick a point in the video and there's about a 75% chance the first words you will hear are "uh" or "um"

Dec 29, 2016 15:32
|
spankmeister posted: lol that's more your lack of imagination mate

Fair enough, I just remember Amazon having a reasonable (albeit overworked) security team when I worked there several years ago, so the typical garbage vendor routes probably don't exist.

BiohazrD posted: I'm sure if you crack it open there's a JTAG or ICSP header

If you can crack it open you can just shove in a piece of hardware that does what you want anyway.

Jimmy Carter posted: there's UART connections fairly easily exposed for your soldering pleasure

Or that, I guess. It still requires physical access, in which case you're hosed anyway.

Volmarias fucked around with this message at 15:47 on Dec 29, 2016

Dec 29, 2016 15:38
|
BiohazrD posted: the nintendo talk is painful to watch, jesus christ take a public speaking course or something

Dec 29, 2016 15:50
|
I'm sure based Wiggly Wayne DDS, curator of CCC talks, will agree that this year's Karsten Nohl talk is worth watching.

https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego

Dec 29, 2016 16:14
|
spankmeister posted: I'm sure based Wiggly Wayne DDS, curator of CCC talks, will agree that this year's Karsten Nohl talk is worth watching.

Dec 29, 2016 16:45
|
anthonypants posted: they called it a "must watch" so yes i think they agree

ah missed that, thanks :tipshat:

Dec 29, 2016 16:47
|
https://twitter.com/marcan42/status/814497640599658496

Dec 29, 2016 16:48
|
goddamn i watched the PS4 Linux video yesterday and goddamn that's amazing

Dec 29, 2016 16:51
|
I guess ps4 finally has some good games

Dec 29, 2016 17:18
|
Wheany posted: I guess ps4 finally has some good games

you're fired

Dec 29, 2016 17:19
|
Thanks Ants posted: if you develop static pages then fair enough, but if your employer can't see the value in attending presentations from people who have exposed weaknesses in web services and being able to network with other people in the industry for less than the price of a weeklong classroom for a vendor cert then welp

"there are videos you can watch on the online webinar training system we bought which are good enough"

Dec 29, 2016 17:36
|
Migishu posted: you're fired

i wish

Dec 29, 2016 17:42
|
actually i just asked my boss (who's also been watching the vids) if we could go to c3 next year and he was like "lol we can't even get the company to pay for local conferences that are actually about app development"

Dec 29, 2016 17:47
|
is there a secfuck thread approved, not-poo poo, consumer-grade networking hardware list floating around?

Dec 29, 2016 18:08

Blinkz0rz posted: is there a secfuck thread approved, not-poo poo, consumer-grade networking hardware list floating around?

Decent Security recommends the lists at the bottom of this page. Secfuck thread likes Infosec Taylor Swift so it's one degree of separation

Dec 29, 2016 18:10
|
ate all the Oreos posted: "there are videos you can watch on the online webinar training system we bought which are good enough"

"The information security one is quite good. You'll need to install Flash and JRE 1.6 to watch it"

Dec 29, 2016 18:15
|
ate all the Oreos posted: actually i just asked my boss (who's also been watching the vids) if we could go to c3 next year and he was like "lol we can't even get the company to pay for local conferences that are actually about app development"

https://forums.somethingawful.com/showthread.php?threadid=3800676

Dec 29, 2016 18:27
|
Segmentation Fault posted: Secfuck thread likes Infosec Taylor Swift

Dec 29, 2016 18:47
|
Blinkz0rz posted: is there a secfuck thread approved, not-poo poo, consumer-grade networking hardware list floating around?

Dec 29, 2016 18:58

I've seen her referenced before and the secfuck thread doesn't seem to mind her

Dec 29, 2016 18:58
|
i for one love vaguely creepy twitter furry "infosec taylor swift"

Dec 29, 2016 19:08

vaguely creepy? Twitter furry? I'm definitely missing something here

Dec 29, 2016 19:20
|
Segmentation Fault posted: vaguely creepy? Twitter furry? I'm definitely missing something here

Dec 29, 2016 19:33
|
You know how I said I like Ubiquiti products. My EdgeRouter wouldn't let me log in today. I held the reset button down for 10 seconds as per the instructions, and then it never came back up. I yanked the cover off and connected a USB-to-UART adapter to the pins, and saw that it's now kernel panicking because they were dumb enough to use NAND instead of eMMC. U-Boot has an option for TFTP boot though, so that's good, right? Oh wait, Ubiquiti doesn't offer recovery firmware for the EdgeRouter X; fantastic. So now I am making an OpenWrt initramfs image that I can hopefully use to format the NAND and put the stock firmware back on. JFC Ubiquiti.

Dec 29, 2016 19:42
|
Rufus Ping posted: i for one love vaguely creepy twitter furry "infosec taylor swift"

that account sucks because they picked a name that should be a gimmick but then their tweets are just normal infosec people tweets and what the hell is the point

Dec 29, 2016 19:50
|
weren't they originally a gimmick and then they slowly morphed into being normal

Dec 29, 2016 19:54
|
ratbert90 posted: You know how I said I like Ubiquiti products.

Just to add another anecdote, a several-month-old EdgeRouter X that I was using for work died on me last month. I didn't investigate but I wonder if something similar happened.

Dec 29, 2016 19:54
|
now that you know Ubiquiti is cheap crap, just buy one of these and you'll be fine.

Dec 29, 2016 19:59
|
counterpoint, ubiquiti is cool and good

Dec 29, 2016 20:00
|
There's the community-provided rescue kit, but that's for the ERL, not the X. I had to use this when the thumb drive failed in one of mine.

Dec 29, 2016 20:03
|
meatpotato posted: kills nerves in apparently a non-painful way so you don't realize you got it all over your hands until it seeps into your bloodstream and kills the nerves in your heart, killing you dead

Yeah, there are a lot of dangerous things out there, and as long as you use them properly what's the big deal? I mean you can buy hydrochloric acid, sodium hydroxide, liquid nitrogen, nitroglycerin etc. But for a free and functional society we assume a basic level of competency and responsibility for people who have the desire to purchase dangerous things.

Dec 29, 2016 20:09
|
Fergus Mac Roich posted: now that you know Ubiquiti is cheap crap, just buy one of these and you'll be fine.

Dec 29, 2016 20:27
|
Fergus Mac Roich posted: now that you know Ubiquiti is cheap crap, just buy one of these and you'll be fine.

True story, I got this from one of our providers a few days ago:

quote: Reason for Outage Summary: Nortel Switch SCHLNLACHG1 Line Interface Module (LIM) 1-13 failed causing multiple backbone trunks to fail in Amsterdam. Field Engineer was dispatched to replace the LIM on switch to restore service.

Dec 29, 2016 20:31

leftovers from day 2:

On the Security and Privacy of Modern Single Sign-On in the Web by Guido Schmitz (gtrs) and dfett - analysis of a couple of SSO systems with explained flaws. good talk to watch, bit slow and shows off overly complex examples though

Build your own NSA by Andreas Dewes and @sveckert - interesting talk on analysing 'sample' data from online tracking companies, includes a segment on de-anonymising datasets, and extensions used to improve data collection. live translated from german, with regular audio issues so probably best if you watch the original. good talk in any case

Downgrading iOS: From past to present by tihmstar - thorough talk on prior ios downgrade attacks and presents some interesting research. good watch

Intercoms Hacking by Sebastien Dudek - gsm attacks on modern intercoms. good watch but speaker is a bit nervous

Shining some light on the Amazon Dash button by hunz - thorough reverse engineering on the Amazon Dash button - single button hardware to allow easy re-ordering of products. what can go wrong? great talk with proof of concept

ATMs how to break them to stop the fraud by Olga Kochetova and Alexey Osipov - atm security talk, covers a lot of ground, just takes a bit to get going. plenty of proof of concepts with real world attacks. great watch

Code BROWN in the Air by miaoski - ham talk focusing on pagers, analysis of data across months. interesting talk that's worth watching

day 3 so far:

Million Dollar Dissidents and the Rest of Us by Bill Marczak and John Scott-Railton - citizenlab talk on how they got the pegasus malware previously talked about. obviously well researched talk that's a great watch

radare demystified by pancake - overview of radare, analysis tool originally designed for forensics. good watch, and alright intro that's dense with examples and has no time for q&a

How do we know our PRNGs work properly? by Vladimir Klebanov and Felix Dörre - analysing prngs with a very limited scope, focusing on entropy loss in common implementations. good watch that takes a while to get going and has some sketchy explanations

33c3 stopped uploading to youtube nearing 6h ago, then again there's not a lot of potentially great talks left (barring the memory dedup talk which i'm sure is great)

Dec 29, 2016 20:38