Security Fuckup Megathread - v13.1 - $10 for SA's customer CC info

Jan 10, 2017 22:33

Segmentation Fault posted: Security Fuckup Megathread - v13.1 - $10 for SA's customer CC info

i got one better

Jan 10, 2017 22:44

OSI bean dip posted: i got one better

Jan 10, 2017 22:45

OSI bean dip posted: i got one better

Jan 10, 2017 22:49

i have proof

Jan 10, 2017 23:01

OSI bean dip posted: i have proof

Jan 10, 2017 23:03

Tiny Brontosaurus cool and good. <3

Jan 10, 2017 23:08

zen death robot posted: that drive is way too new

that's the one that has the location of this one:

e: it's no longer as new as in that picture.

Jan 10, 2017 23:33

moving the conversation from Bad With Money: cc data is sent to sa's store, then ??? processing happens and a payment processor is involved in some manner. yes yes, old terrible implementation from years ago, but it isn't doing any favours towards allegations of cc misuse

Jan 10, 2017 23:36

Once on the SA servers it's saved to /tmp/Wiggly Wayne DDS.details until the folder is cleared out at midnight.

Jan 10, 2017 23:39

Tesseraction posted: Once on the SA servers it's saved to /tmp/Wiggly Wayne DDS.details until the folder is cleared out at midnight.

also pls never ever use the term "military grade" thx

Jan 10, 2017 23:40

Tesseraction posted: Once on the SA servers it's saved to /tmp/Wiggly Wayne DDS.details until the folder is cleared out at midnight.

Jan 10, 2017 23:42

OSI bean dip posted: also pls never ever use the term "military grade" thx

you mean you aren't awed by AES256?

Jan 10, 2017 23:43

the point is that we can only go on your word given the setup, zdr. any allegation of misconduct can't be conclusively cleared given the fundamentally flawed system to begin with. there's better ways to implement this in 2017, but whether that's in your hands is another matter

Jan 10, 2017 23:47

i'm sorry, i refuse to believe anything but it being piped to an old line printer and lowtax sitting next to it with a dialup credit card machine furiously typing numbers in

Jan 10, 2017 23:48

zen death robot posted: make things less secure live a little

Jan 10, 2017 23:48

zen death robot posted: I don't know enough about webdev to fix the lovely way the cookie info is handled. That's why lowtax got an actual webdev guy to recode things, but if anyone can point me to some resources I'll do what I can to fix that poo poo too.

just use Stripe?

Jan 10, 2017 23:49

zen death robot posted: I don't know enough about webdev to fix the lovely way the cookie info is handled. That's why lowtax got an actual webdev guy to recode things, but if anyone can point me to some resources I'll do what I can to fix that poo poo too.

this is why i mentioned the payment processor handing a pubkey to the client to handle in the other thread. keep as far away from passing over data you should never be looking at or modifying in the first place. that way no one can make up stories that are technically implausible

Jan 10, 2017 23:50

okay let's start again. you know how oauth fundamentally works? imagine that, but instead of user credentials it's credit card details. really this should be your payment processor who has this all ready to go, and you should be on a legacy system to be EoLed

Jan 10, 2017 23:52

just use paypal

Jan 10, 2017 23:53

Subjunctive posted: just use Stripe?

i imagine the codebase makes this more than a "just"

Jan 10, 2017 23:54

Maybe if you get the blockchain involved somehow that'll help

Jan 10, 2017 23:56

zen death robot posted: Here's the rub. While I might be able to do it, I do not feel comfortable in doing so because that's not my area of expertise. That's why Lowtax has someone else working on site code. I don't know what all he is doing, I can only explain how things currently are, but no radium code will be kept around in the long term. If I put my stamp on the code then I feel as if I'm accepting responsibility with all that goes with it, and I'm not comfortable with that. I have my areas of expertise and handling payment transactions is not that area. I will describe how it's currently done though and do what I am comfortable with to make things better.

seems reasonable. prepare for war.

Jan 10, 2017 23:57

making you understand the issue isn't quite the same as pressing you to change a system you aren't comfortable with touching. on that note, turns out the payment provider sa uses does support sane methods of handling cc data: http://developer.authorize.net/api/reference/features/acceptjs.html

Jan 11, 2017 00:01

how are the sa gift certificates generated? if you care not to divulge, can you tell us if they're generated in an idiotic manner? is "kjs500" used as a seed anywhere in the code or have you seen it anywhere else?

Jan 11, 2017 00:06

love you zdr keep up the good work

Jan 11, 2017 00:06

well that escalated quickly

zen death robot posted: Here's the rub. While I might be able to do it, I do not feel comfortable in doing so because that's not my area of expertise.

Absolutely the correct answer.

Jan 11, 2017 00:07

i don't have anything more to add other than "here's the problem that gives vague complaints a level of validity and what could be done to stop it", sure as hell don't expect you to resolve it as a first priority

Jan 11, 2017 00:07

how many indefinitely valid 'test' certs are active, and may i borrow one

Jan 11, 2017 00:13

much like the store going opensource, i didn't hear no so will patiently check my inbox

Jan 11, 2017 00:18

zen death robot posted: ugh you're gonna make me dig into radium code so i can remember how this poo poo works, hang on

no don't, that is not dead which can eternal lie

Jan 11, 2017 00:28

it's kinda amazing that sa has gone as long as it has without getting completely owned in some fashion

Jan 11, 2017 00:33

Or maybe it does on a weekly basis and I never listen

Jan 11, 2017 00:33

someone was dumb enough to use heartbleed

Jan 11, 2017 00:37

Tayter Swift posted: it's kinda amazing that sa has gone as long as it has without getting completely owned in some fashion

SA has been owned. There's a username and password dump floating about from 2004/2005

Wiggly Wayne DDS posted: someone was dumb enough to use heartbleed

Not a big deal though!

Jan 11, 2017 00:41

OSI bean dip posted: SA has been owned. There's a username and password dump floating about from 2004/2005

that was twelve years ago

Jan 11, 2017 00:43

Tayter Swift posted: that was twelve years ago

that may be, but you didn't specify a time frame either. also search has had stored xss issues as of last year

Jan 11, 2017 00:45

zen death robot posted: look the NRC is gonna come down on my rear end if i expose the public to that much radium

lmao

Jan 11, 2017 00:45

zen death robot posted: I even fixed all the idiotic word-based SQL passwords

first read this as a winword.exe-based authentication system, thanks radium

Jan 11, 2017 01:23

zen death robot posted: look the NRC is gonna come down on my rear end if i expose the public to that much radium

Jan 11, 2017 01:42