|
Subjunctive posted:
e: whoops new page
|
#
?
Jan 11, 2017 23:07
|
|
|
|
| # ? May 17, 2024 19:59 |
|
|
LeftistMuslimObama posted:medical devices are some of the most deeply, troublingly flawed pieces of computer you will ever encounter. companies go to extreme lengths to define the domain the device covers just so to avoid fda regulation (which, lol if that still even exists in 2 years) and will always do the bare minimum required by the loosest interpretation of the regs then fight it out in court. they don't give a poo poo at all about the patient's safety at all because they have the patient over a barrel (you need the device or you die). the worst timeline. at least in deus ex it's part of a massive conspiracy
|
|
#
?
Jan 11, 2017 23:08
|
|
|
more ssl fuckery: https://groups.google.com/forum/?hl=en#!msg/mozilla.dev.security.policy/Htujoyq-pO8/uRBcS2TmBQAJ quote:Since many web servers are configured to include the URL of the request in the body of a 404 (not found) response, and the URL also contained the random code, any web server configured this way caused domain control verification to complete successfully. at least it didn't involve some random chinese outfit
|
|
#
?
Jan 12, 2017 00:06
|
|
|
darkforce898 posted:How would you go about issuing valid certificates on hundreds of devices that change their public IP address daily? this is the kind of thing letsencrypt is designed to make feasible: hundreds of uniquely keyed certs valid for short enough time scales that you can fire and forget them, when before it'd be an expensive UCC with a poo poo ton of names or a wildcard that was somehow even more expensive if they're externally accessible devices like you say they are, run the letsencrypt client on them, as configured by the configuration management you surely must have with hundreds of things that change their public IPs daily if they can't be externally accessible split-horizon your dns, map the external *.thingyouwouldgetawildcardfor.fleetofsquirrels.edu view to point at a machine running letsencrypt, and write scripts to automatically generate the certs and then put the certs into the right places using the configuration management you surely must have with hundreds of things that change their IPs daily also, in terms of CAs/registrars with decent prices and decent humans, gandi is up there.
|
|
#
?
Jan 12, 2017 00:07
|
|
|
there's not a terribly compelling to use PKI-trusted certs for that application if you're just phoning back to your own stuff. stand up your ca, load your certs on them and in to the root trusts, do what you need to from there. PKI certs are only going to be good for 3 years max out of box, with your own certs you can do something arbitrary to match the expected service life of the equipment + a year or two to give yourself wiggle room. device gets a new cert when its replaced or hits the end of the service life.
|
|
#
?
Jan 12, 2017 00:56
|
|
|
ate all the Oreos posted:i think it's funny that cuba has advanced cancer treatments because surprise when there's not an overriding profit motive to spend $20bn developing and marketing the next big dick pill you actually get useful poo poo done depends what you mean by 'advanced', radiotherapy and common chemo drugs have been around for ages so if you can get a relatively modern (i.e. not raw cobalt source or whatever they used to use) linear accelerator you're basically up to date with the rest of the world and then it's technique not technology for most common cancers.
|
|
#
?
Jan 12, 2017 01:16
|
|
|
Powerful Two-Hander posted:depends what you mean by 'advanced', radiotherapy and common chemo drugs have been around for ages so if you can get a relatively modern (i.e. not raw cobalt source or whatever they used to use) linear accelerator you're basically up to date with the rest of the world and then it's technique not technology for most common cancers. yeah they're not doing anything special there
|
|
#
?
Jan 12, 2017 01:19
|
|
|
Just finished up that Where in the world is Carmen Sandiego? from 33c3. Now I'm wondering if you declare a firearm for checked baggage if that information goes in the PNRs talked about for the booking system or if it's just in the airline's flight information.
|
|
#
?
Jan 12, 2017 01:43
|
|
|
This is old stuff (May 2015) but I just stumbled upon it; a fairly informal introduction to how ECC / ECDH / ECDSA works in 4 posts, and that seems to be understandable without being too good at maths:
|
|
#
?
Jan 12, 2017 04:41
|
|
|
 https://github.com/rapid7/metasploit-framework/pull/7815 
|
|
#
?
Jan 12, 2017 05:59
|
|
|
ate all the Oreos posted:i assume in this case you'd actually need to access the specific transmitter etc but i guarantee that some time in the near future there will be a life-critical device that will allow some 15 year old who just discovered what a metasploit is to kill someone and you bet your rear end they will do it ... and it'll go on undetected for years until someone kills a rich old white man whos family has the money and legal motivation to finance a really thorough private autopsy because most people will assume that it was just gran's time because of the bad ticker and all - they even had an implant it was so bad!
|
|
#
?
Jan 12, 2017 06:55
|
|
|
actually no some total loving dipshit will brag about doing it and be taken seriously enough for someone to pull logs and tens of other cases will be discovered one of those
|
|
#
?
Jan 12, 2017 06:58
|
|
|
they should go back to nuclear powered pacemakers
|
|
#
?
Jan 12, 2017 07:14
|
|
|
Munkeymon posted:actually no some total loving dipshit will brag about doing it and be taken seriously enough for someone to pull logs and tens of other cases will be discovered
|
|
#
?
Jan 12, 2017 07:16
|
|
|
Munkeymon posted:pull logs im the /var/log folder on a pacemaker 2017, the year of Linux everywhere but the loving desktop apparently
|
|
#
?
Jan 12, 2017 07:28
|
|
|
ErIog posted:im the /var/log folder on a pacemaker https://msdn.microsoft.com/en-us/commandline/wsl/about
|
|
#
?
Jan 12, 2017 07:51
|
|
|
MononcQc posted:This is old stuff (May 2015) but I just stumbled upon it; a fairly informal introduction to how ECC / ECDH / ECDSA works in 4 posts, and that seems to be understandable without being too good at maths: yeah this looks like my dumb rear end can understand it, thanks!
|
|
#
?
Jan 12, 2017 07:55
|
|
|
abraham linkedin posted:i was so close to becoming computer Also, a senior dev left a friend's workplace a while ago and they couldn't find the source code for a major product he was working on (although there are already several beta units with various builds already in the field). After a day of panic and coming up empty-handed from searching server backups, they found it: in the trash folder on a disconnected, unlabeled hdd lying under a pile of papers on the guy's old desk. I'm not sure if this is the worst security or the best security, because on one hand there's no way that poo poo was going to get cyberstolen or cryptolockered
|
|
#
?
Jan 12, 2017 11:05
|
|
|
Hed posted:Just finished up that Where in the world is Carmen Sandiego? from 33c3. what does your heart tell you
|
|
#
?
Jan 12, 2017 12:56
|
|
|
has anyone got any pointers on what to look for when hiring a firm/consultant to do penetration testing? it seems there's a ton of charlatans in the industry. im currently looking at ones that publish their own research and show up at cons rather than simply blogging about things, but would be interested to hear about how this is usually approached.
|
|
#
?
Jan 12, 2017 14:25
|
|
|
https://twitter.com/CiPHPerCoder/status/819418588582965248 This guy...
|
|
#
?
Jan 12, 2017 15:51
|
|
|
Thanks Ants posted:has anyone got any pointers on what to look for when hiring a firm/consultant to do penetration testing? it seems there's a ton of charlatans in the industry. Usually a warning sign for me is when there are more marketing people than actual technical people.
|
|
#
?
Jan 12, 2017 15:52
|
|
|
so... "i don't know how to do anything else" basically?
|
|
#
?
Jan 12, 2017 15:56
|
|
|
OSI bean dip posted:Usually a warning sign for me is when there are more marketing people than actual technical people. "do they employ at least one videographer?" is a pretty good test too
|
|
#
?
Jan 12, 2017 15:56
|
|
|
in non-piss news cellebrite was hacked sometime last year and 900GB of data has been handed to at least motherboard https://motherboard.vice.com/read/cellebrite-sold-phone-hacking-tech-to-repressive-regimes-data-suggests
|
|
#
?
Jan 12, 2017 18:40
|
|
|
"...is absolutely correct" is how i assume that sentence ends
|
|
#
?
Jan 12, 2017 18:46
|
|
|
he's nuts, but he's also one of the only loud voices in the PHP community talking about security he's also the kind of nuts that ports libsodium to pure PHP
|
|
#
?
Jan 12, 2017 18:55
|
|
|
Wiggly Wayne DDS posted:in non-piss news cellebrite was hacked sometime last year and 900GB of data has been handed to at least motherboard https://motherboard.vice.com/read/cellebrite-sold-phone-hacking-tech-to-repressive-regimes-data-suggests i've been asking about for the data to no avail McGlockenshire posted:he's nuts, but he's also one of the only loud voices in the PHP community talking about security i admire him for trying but i agree that he's insane for trying to fix the turd that is php
|
|
#
?
Jan 12, 2017 19:00
|
|
|
OSI bean dip posted:i admire him for trying but i agree that he's insane for trying to fix the turd that is php yeah i'm not sure what to think accessible security is important, and while php is accessible, that accessibility has made it a complete shitshow for doing things securely
|
|
#
?
Jan 12, 2017 19:04
|
|
|
google releases key transparency prototype: https://security.googleblog.com/2017/01/security-through-transparency.html good first step towards improving non-browser comms
|
|
#
?
Jan 12, 2017 19:11
|
|
|
Cocoa Crispies posted:yeah i'm not sure what to think https://twitter.com/CiPHPerCoder/status/794587430108168194
|
|
#
?
Jan 12, 2017 19:38
|
|
|
remember, always feel free to roll your own crypto
|
|
#
?
Jan 12, 2017 20:38
|
|
|
redleader posted:remember, always feel free to roll your own crypto
|
|
#
?
Jan 12, 2017 20:47
|
|
|
anthonypants posted:here is his pinned tweet hello sir yes i would like to speak to you about openbsd and its offspring
|
|
#
?
Jan 12, 2017 20:58
|
|
|
Kazinsal posted:hello sir yes i would like to speak to you about openbsd and its offspring you can't hack something that nobody uses
|
|
#
?
Jan 12, 2017 21:56
|
|
|
The_Franz posted:you can't hack something that nobody uses
|
|
#
?
Jan 12, 2017 22:11
|
|
|
The_Franz posted:you can't hack something that nobody uses openbsd begat openssh and if youre still using telnet in tyool 2017 then the secfuck is coming from inside the thread
|
|
#
?
Jan 12, 2017 22:12
|
|
|
I use OpenBSD for a lot of things, actually.. I really also like their new pledge() restricted-service operating mode option for stuff.
|
|
#
?
Jan 12, 2017 22:54
|
|
|
Rooney McNibnug posted:I use OpenBSD for a lot of things, actually.. I really also like their new pledge() restricted-service operating mode option for stuff. https://www.youtube.com/watch?v=F_7S1eqKsFk
|
|
#
?
Jan 12, 2017 23:00
|
|
|
|
| # ? May 17, 2024 19:59 |
|
|
pledge and friends should be a compiler pass tbh
|
|
#
?
Jan 12, 2017 23:02
|
|
