anthonypants posted: i saw theo de raadt's talk on pledge() and what they're trying to accomplish sounds really cool

Yeah, this is a really good talk and Theo owns. Theowns.
Jan 12, 2017 23:07
|
|
quote:Hello,
Jan 13, 2017 00:14
|
openbsd wrote its own httpd so that's pretty cool
Jan 13, 2017 00:15
|
https://twitter.com/andryou/status/818946765684670468
Jan 13, 2017 00:18
|
Rooney McNibnug posted: Yeah, this is a really good talk and Theo owns. Theowns.

Theo is annoying
Jan 13, 2017 00:20
|
spankmeister posted: Theo is annoying

i threw an egg at his house once
Jan 13, 2017 00:21
|
OSI bean dip posted: i threw an egg at his house once

I reported a vulnerability in openssh once, it went as well as you would expect
Jan 13, 2017 00:42
|
https://twitter.com/Viss/status/819685780247298048 https://twitter.com/Viss/status/819686452002861056
Jan 13, 2017 01:21
|
OSI bean dip posted: https://twitter.com/Viss/status/819685780247298048

hope he likes gitmo
Jan 13, 2017 01:29
|
OSI bean dip posted:https://twitter.com/Viss/status/819685780247298048
Jan 13, 2017 02:02
|
Thanks Ants posted: has anyone got any pointers on what to look for when hiring a firm/consultant to do penetration testing? it seems there's a ton of charlatans in the industry.

Here's a non-exhaustive list of things I would ask:

1. What they bring to the table other than pointing a bunch of off-the-shelf tools at servers.
2. If they have options for physical consultation/testing (even if you don't need it).
3. How much face time you will be able to get with an actual infosec wizard person in charge of your penetration testing (as opposed to "account representatives").
4. If you can get a timeline along with a quote.

Be wary of vague salesman speak that exposes the fact that their company does nothing, like if they say dumb poo poo like, "we work so quickly we don't think providing a timeline will really be necessary!" without knowing anything about your infrastructure. Just think of all the ways you'd run a charlatan security company on the cheap and ask questions that would expose that charade.
|
Jan 13, 2017 02:35

OSI bean dip posted: https://twitter.com/Viss/status/819685780247298048

get brain fuckler'd
|
Jan 13, 2017 02:59
|
Malcolm XML posted: pledge and friends should be a compiler pass tbh

it's useful to have it not be one, because even p-langers would benefit from it
Jan 13, 2017 03:02
|
trump's obercybergrandpa
Jan 13, 2017 03:03
|
ErIog posted: charlatan security

dont infringe my trademarks tia
Jan 13, 2017 03:38
|
Why did whoever got the data sit on it for a few years?
Jan 13, 2017 04:39
|
it gets better https://twitter.com/ErrataRob/status/819740885504192512 https://twitter.com/ErrataRob/status/819741399465816064
Jan 13, 2017 04:55
|
are there any non poo poo consumer wifi routers?
Jan 13, 2017 06:05
|
i got a tp-link ac3200 and it's needs-suiting, do you care about custom firmware or anything

Bhodi posted: it gets better
Jan 13, 2017 06:45
|
A Pinball Wizard posted: are there any non poo poo consumer wifi routers?

it's more SMB than consumer but i've got a cisco rv130w and it's been pretty solid (i mainly got it for the SSID-to-VLAN mapping). however i'm running it in AP-mode with routing disabled so i guess this isn't really helpful is it
Jan 13, 2017 07:10
|
https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages

quote: WhatsApp's end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

quote: Boelter said: "[Some] might say that this vulnerability could only be abused to snoop on 'single' targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the 'message was received by recipient' notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message."

Here's the 2016 blog post which this article is based on.

if I'm understanding correctly, the problem boils down to whatsapp automatically resending undelivered messages without first asking for user input if the recipient's key has changed (like Signal does). further, whatsapp doesn't warn you of a changed key by default, you have to enable the warning (probably to prevent confused users from freaking out whenever someone changes their phone or reinstalls the app).

the only thing that I think the article gets wrong, or at least misrepresents, is that whatsapp is supposedly re-encoding messages that have already been delivered to the server. those messages are encrypted, you can't decrypt them without the recipient's key, which Whatsapp supposedly doesn't have.

ie: if my phone is offline, or if I've cleared my chat history, whatsapp would theoretically be unable to re-encrypt the message and re-send it. in theory, the only way would be for the sender's app to re-send the messages with the new encryption key, right?

so on whatsapp's side this would be easily solvable by adding a second switch that says "ask before resending messages if recipient's key has changed?", to which Whatsapp has responded:

quote: "[...] We were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing. [...]"

ofc there's also the question of if you can actually trust an unaudited closed-source app but that's moot, really

edit: for what it's worth, there's precedent of Facebook literally going "we really can't decrypt these messages, even if we wanted", while a Brazilian judge was threatening to throw its Latin America CEO in jail for contempt in a murder case.

dpkg chopra fucked around with this message at 15:32 on Jan 13, 2017
Jan 13, 2017 15:27
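As an added illustration (not code from the post, from WhatsApp or from Signal), here is a small Python model of the retransmission behaviour the post describes: an outbox of undelivered messages, a server that can withhold delivery receipts, and the two client policies being compared (automatic re-send versus asking the user to re-verify first). The keys and message ids are constructed sample values, and "encryption" is modelled only as binding each envelope to the fingerprint of the key it was sent under.

```python
from dataclasses import dataclass, field
import hashlib


def fingerprint(pubkey: bytes) -> str:
    """Short fingerprint of a recipient identity key (the value users compare when verifying)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Envelope:
    msg_id: int
    key_fp: str              # fingerprint of the key this ciphertext is bound to
    delivered: bool = False  # set only when the server relays a delivery receipt


@dataclass
class SenderClient:
    policy: str          # "auto_resend" (default described in the post) or "verify_first" (Signal-style)
    recipient_key: bytes
    outbox: list = field(default_factory=list)
    prompts: list = field(default_factory=list)  # re-verification prompts shown to the user

    def send(self) -> Envelope:
        env = Envelope(len(self.outbox) + 1, fingerprint(self.recipient_key))
        self.outbox.append(env)
        return env

    def receive_receipt(self, msg_id: int) -> None:
        self.outbox[msg_id - 1].delivered = True

    def on_key_change(self, new_key: bytes) -> list:
        """Server announces a new recipient key; returns ids re-encrypted with no user input."""
        self.recipient_key = new_key
        pending = [e for e in self.outbox if not e.delivered]
        if self.policy == "verify_first":
            self.prompts.append(fingerprint(new_key))  # block until the user re-verifies
            return []
        for e in pending:                              # silently re-bind to the new key
            e.key_fp = fingerprint(new_key)
        return [e.msg_id for e in pending]


def simulate(policy: str, receipts: set) -> tuple:
    """Send three messages, let the server deliver receipts only for `receipts`, then rotate the key."""
    client = SenderClient(policy, b"original-recipient-key")  # constructed sample key
    for _ in range(3):
        client.send()
    for msg_id in receipts:
        client.receive_receipt(msg_id)
    resent = client.on_key_change(b"key-pushed-by-server")    # constructed sample key
    return resent, len(client.prompts)
```

With receipts withheld for every message, the auto-resend policy re-encrypts the whole outbox under the new key, which is the "whole conversation, not just a single message" point quoted above; the verify-first policy re-sends nothing until the user acts.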
|
gonna just quote myself on twitter here then go rock climbing instead of arguing cause the people who want to assume facebook is mustache twirlingly evil will never be convinced otherwise https://twitter.com/pr0zac/status/819917881899155456
Jan 13, 2017 15:47
|
A Pinball Wizard posted: are there any non poo poo consumer wifi routers?

just get a dedicated wifi access point and connect it to a decent router
Jan 13, 2017 16:14
|
last night i had a dream that i clicked a random link in this thread and it zero-day'd my browser and changed my user avatar to pepe the frog and started automatically making a bunch of bad posts and i couldn't close the browser
Jan 13, 2017 16:19
|
A Pinball Wizard posted: are there any non poo poo consumer wifi routers?

get a NETGEAR AC1750
Jan 13, 2017 16:25
|
ate all the Oreos posted: last night i had a dream that i clicked a random link in this thread and it zero-day'd my browser and changed my user avatar to pepe the frog and started automatically making a bunch of bad posts and i couldn't close the browser

that was no dream (check ur post history)
Jan 13, 2017 17:28
|
Shadowbrokers taking their toys and going home: https://onlyzero.net/theshadowbrokers.bit/post/messagefinale/
Jan 13, 2017 18:22
|
fins posted: Shadowbrokers taking their toys and going home:

quote: So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and bullshit, not many bitcoins. TheShadowBrokers is deleting accounts and moving on so don't be trying communications. Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and bullshit political talk was being for marketing attention. There being no bitcoins in free dumps and giveaways. You are being disappointed? Nobody is being more disappointed than TheShadowBrokers. But TheShadowBrokers is leaving door open. You having TheShadowBrokers public bitcoin address 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK TheShadowBrokers offer is still being good, no expiration. If TheShadowBrokers receiving 10,000 btc in bitcoin address then coming out of hiding and dumping password for Linux + Windows. Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files. Password is FuckTheWorld Is being final gently caress you, you should have been believing TheShadowBrokers.

lol so whiny
Jan 13, 2017 18:25
|
OSI bean dip posted: lol so whiny

wait, what group posted that message i didn't catch their name
Jan 13, 2017 18:30
|
ate all the Oreos posted: last night i had a dream that i clicked a random link in this thread and it zero-day'd my browser and changed my user avatar to pepe the frog and started automatically making a bunch of bad posts and i couldn't close the browser

quoting this so once i quit my job and have freetime again i can go ahead and implement it
Jan 13, 2017 18:46
|
pr0zac posted: gonna just quote myself on twitter here then go rock climbing instead of arguing cause the people who want to assume facebook is mustache twirlingly evil will never be convinced otherwise

The security community is dumb and people running around shouting "WhatsApp can't read your messages even if they want to" was dumb and primed this freakout. People thinking it's a backdoor and not an obvious feature (omg I switched phones and didn't get your messages) are just silly.

End to end doesn't mean you don't have to trust the people building your messaging app, but it seems like a lot of people missed that.
Jan 13, 2017 19:11
|
apseudonym posted: The security community is dumb and people running around shouting "WhatsApp can't read your messages even if they want to" was dumb and primed this freakout. People thinking it's a backdoor and not an obvious feature (omg I switched phones and didn't get your messages) are just silly.

yeah basically only very few sec people get that the only way to make encryption and privacy protections universal is to make them usable by regular people, sometimes this means trading off perfect security to a degree in favor of usability in order to make adoption possible and advance the norm

this isn't a backdoor, it's automating key exchange and verification because normal people don't understand what that is and wouldn't use it as a result, doing this means one billion people now have access to 90% of the benefit of e2e encryption, calling it a malicious backdoor is counter-productive to improving security for everyone

the even more ridiculous paranoia version of this is people who refuse to use Signal because it integrates Google Play services to send notifications (not the messages)

so much for my not talking about this more!
Jan 13, 2017 19:21
|
pr0zac posted: the even more ridiculous paranoia version of this is people who refuse to use Signal because it integrates Google Play services to send notifications (not the messages)

are you talking about my dumb friend that i brought up in this thread before or do you also know someone who's that dumb
Jan 13, 2017 19:36
|
it is not an uncommon opinion among dumb people in security
|
Jan 13, 2017 19:38

I'd like to think that you two have the same dumb friend

Jan 13, 2017 19:43
|
ate all the Oreos posted: are you talking about my dumb friend that i brought up in this thread before or do you also know someone who's that dumb

go read the hn comments for the guardian whatsapp article, it's filled with these idiots
Jan 13, 2017 20:00
|
pr0zac posted: yeah basically only very few sec people get that the only way to make encryption and privacy protections universal is to make them useable by regular people, sometimes this means trading off perfect security to a degree in favor of usability in order to make adoption possible and advance the norm

i posted an example in my op but fwiw pretty much everyone i've talked to in law enforcement has told me that they are basically hosed w/r/t reading whatsapp messages unless they have access to the phone itself (ie: access to the app), and i've read quite a few articles touting it as the messaging app of choice when it comes to encryption, right below Signal, so you're definitely above most everything else when it comes to public perception.

i still think a setting that asks you to reverify a contact before resending messages when the key has changed would pretty much fix this problem. it doesn't have to be on by default, like with signal
Jan 13, 2017 20:07
|
Ah yes, the good ol' "I don't trust my OS but somehow don't think I'm completely hosed"
Jan 13, 2017 20:08
|
Ur Getting Fatter posted: i still think a setting that asks you to reverify a contact before resending messages when the key has changed, would pretty much fix this problem. it doesn't have to be on by default, like with signal
Jan 13, 2017 20:36
|
|
Wiggly Wayne DDS posted: it already exists

??
Jan 13, 2017 20:45