Assepoester
Jul 18, 2004
Probation
Can't post for 10 years!
Melman v2

OSI bean dip posted:

want to know what scares me the most?



a fully-automated haul truck

combine this with lackluster security in a lot of natural resource companies and you end up with a vehicle that can cause a lot of damage.
https://www.youtube.com/watch?v=2BaJQunoDv8


champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

cheese-cube posted:

agreedo. also assuming that whatever is on the other end of rj45 jack speaks ethernet is a kind of dumb assumption

It could very well be RJ45 for data collection or fault finding. I've seen a number of, granted scientific equipment, which comes with RJ45 so you can collect the data. Don't know if it's a two way street though.

syscall girl
Nov 7, 2009

by FactsAreUseless
Fun Shoe

this scene

fins
May 31, 2011

Floss Finder
Maybe there have been major advancements and all domestic appliances will be run off PoE

Pile Of Garbage
May 28, 2007



just imagined this crazy image of a fully populated 48-port PoE switch and all the cables are plugged into a dryer. hell yeah

geonetix
Mar 6, 2011


the PoE switch would generate enough heat to dry your clothes at that point

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



hackbunny posted:

sorry to disappoint with a relatively lame post and no eyepyramid update, but the opera 12 source code has just been leaked:

https://github.com/prestocore/browser

already dmca'd lol but mirrored here:

https://bitbucket.org/prestocore-fan/presto/

it's out and about! if you're still using opera 12 for some goddamn reason (not even I am) it's time to quit it for good

kinda got lost in the smart meter dustup but I'm kicking myself for missing these because I've been morbidly curious about Presto for a while and hoping something like this would happen

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ErIog posted:

I know this thread is for insufferable assholes who think they know better (me included), but please everybody just listen to Fishmech and Shaggar for once. One's good cop, one's bad cop.. they both agree!

I am not shaggar but I will accept the comparison in this case

Pile Of Garbage
May 28, 2007



i got into an argument with some colleagues at work recently because they were trying to do some PKI cert stuff and wanted to install openssl on a windows box. i told them to plainly "get to gently caress" but before wandering off i saw them peeping this page which is the top result on google for "openssl windows" and has binaries compiled almost a decade ago lmao http://gnuwin32.sourceforge.net/packages/openssl.htm

spankmeister
Jun 15, 2008






i got a question a while ago if we would certify or recommend a precompiled openssl for windows.


lol nope

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

hey windows comes with the best and easiest to configure crypto stack baked in to the os but lets gently caress that all up with some linux garbage

spankmeister
Jun 15, 2008






BangersInMyKnickers posted:

hey windows comes with the best and easiest to configure crypto stack baked in to the os but lets gently caress that all up with some linux garbage

It doesn't do PKI and lol it's not easy to configure at all you gotta be messing with the registry

Pile Of Garbage
May 28, 2007



they didn't even want to use it for TLS, they just wanted to generate some keypairs/cert reqs! i told them to use certreq or just hop on one of the many fuckin linux jumphosts we've got.

i'm getting really drat tired of every single person on my contract not integrating sec into their thought processes. maybe i'm asking too much but this kind of bullshit as well as other much more egregious things would be avoided if the person involved just took a moment to think about whether they're doing something that's secure.

edit: the main reason im pissy about it is because these same colleagues of mine hang poo poo on me when i tell them to do poo poo properly. gently caress them though lol

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Wheany posted:

on one hand, we could separate these two components for security purposes. on the other we could combine them and save fractions of a penny per device.

the appliance that brought this up literally has the communication component separate from the appliance itself, using an external port to communicate to it.

Boiled Water posted:

It could very well be RJ45 for data collection or fault finding. I've seen a number of, granted scientific equipment, which comes with RJ45 so you can collect the data. Don't know if it's a two way street though.

the port's explicitly for a to-be-developed external device to connect it to a smart grid system.

if you wanted to, you could probably rig some sort of homebrew testing and control thing to work with it, i guess though.

spankmeister
Jun 15, 2008






The correct answer is to have them request certificates from your internal CA.

Pile Of Garbage
May 28, 2007



hilariously that's what they were already doing. it was for generating a new riverbed steelhead client cert or something which uses a custom template but still issued by the CA. dinguses didn't know how to do anything but blah blah this isn't cjs

Meat Beat Agent
Aug 5, 2007

felonious assault with a sproinging boner
mods rename this to the washing machine megathread

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
pls no more washing machine talk

i had to do a load of laundry last night and this is causing me to have flashbacks

Pile Of Garbage
May 28, 2007



same but two loads and yet i don't have PTSD. maybe you should change things up and/or get really drunk?

spankmeister
Jun 15, 2008






I fixed my washing machine the other day. The magnetic inlet valve had failed. I temporarily rerouted the main wash water intake thru the pre wash until my $25 part came in, and replaced the part yesterday.

It was easy to diagnose and fix because it doesn't have a computer inside.

ok thanks for reading bye

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

The drums on Sarnsung washers will fail after 3-5 years because the spider flanges that support it and connect to the motor assembly are made out of raw cast aluminum instead of stainless like everything else in the machine and detergent destroys it. Because what the gently caress do morons at samsung know about making washing machines? they're still shipping units like this to this day, its a known problem and they are not correcting the design.

https://www.youtube.com/watch?v=BAsFb-_k0Hk

good news is if you know what you are doing you can pick up a broken one for cheap/nothing, order the part, get it powder coated, and its a p.good washing machine after that fix

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.
Pillbug

BangersInMyKnickers posted:

what the gently caress do morons at samsung know about making washing machines?

they seem to have a pretty good grasp on normalizing the idea of treating a large appliance like a disposable piece of consumer electronics that you just repeatedly replace every 3-5 years

BangersInMyKnickers posted:

they're still shipping units like this to this day, its a known problem and they are not correcting the design.

guarantee they do not see it as a "problem" and would not want to "correct" the design

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
my mom just replaced her washing machine that she's had for almost 20 years with a model that will likely only last a quarter of that

e: poo poo this is the security thread not the tech bubel thread, ignore me

Pile Of Garbage
May 28, 2007



my bad osi said to shut the gently caress up about washing machines and i posted about washing but everyone take your whitegoods to the whitegoods thread

fisting by many
Dec 25, 2009



krebs released his big expose on the mirai author

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

it's minecraft and anime all the way down

Rooney McNibnug
Sep 2, 2008

"Life always hopes. When a definite object cannot be outlined, the indomitable spirit of hope still impels the living mass to move toward something--something that shall somehow be better."

fisting by many posted:

krebs released his big expose on the mirai author

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

it's minecraft and anime all the way down

quote:

For example, Dreadiscool has been an active member of the Minecraft forum spigotmc.org since 2013. This user’s avatar (pictured above) on spigotmc.org is an altered image taken from the 1994 Quentin Tarantino cult hit “Pulp Fiction,” specifically from a scene in which the gangster characters Jules and Vincent are pointing their pistols in the same direction. However, the heads of both actors have been digitally altered to include someone else’s faces.



wowza.

spankmeister
Jun 15, 2008






fisting by many posted:

krebs released his big expose on the mirai author

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

it's minecraft and anime all the way down

yeah been reading this, it's a lot of words even for krebs

pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

fisting by many posted:

krebs released his big expose on the mirai author

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

it's minecraft and anime all the way down

lol anime child so hosed, don't be a wizard if you're over 18 in the usa

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug

quote:

The story noted that vDOS earned its proprietors more than $600,000 and was being run by two 18-year-old Israeli men who went by the hacker aliases “applej4ck” and “p1st0”. Hours after that piece ran, Israeli authorities arrested both men, and vDOS — which had been in operation for four years — was shuttered for good.
history is about to repeat itself, :byewhore: Paras Jha

Wiggly Wayne DDS
Sep 11, 2010



https://bugs.chromium.org/p/project-zero/issues/detail?id=1088

quote:

On January 12th, an automatic Adobe Acrobat update force installed a new chrome extension with ID efaidnbmnnnibpcajpcglclefindmkaj. You can view it on the Chrome Webstore here: https://chrome.google.com/webstore/detail/adobe-acrobat/efaidnbmnnnibpcajpcglclefindmkaj/

I can see from the webstore statistics it's already got ~30M installations.

It didn't take long to notice there's a DOM XSS in data/js/frame.html

code:
        } else if (request.current_status === "failure") {
            analytics(events.TREFOIL_HTML_CONVERT_FAILED);
            if (request.message) {
                str_status = request.message;
            }
            success = false;
Presumably you can do

code:
window.open("chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/data/js/frame.html?message=" + encodeURIComponent(JSON.stringify({
        panel_op: "status",
        current_status: "failure",
        message: "<h1>hello</h1>"
})));
I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.

I've also noticed the way they've designed the "to_html" RPC seems racy, the url of a tab might change (because an attacker can do x = window.open(); x.location = "new location"). Right now I don't think you can do very much with it because it doesn't seem to be feature complete...but still, it seems worth noting this so it doesn't introduce a vulnerability when they enable it.



This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
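
A hardened version of the input handling the quoted report describes, as an added example that is not part of the original post and is not Adobe's code. The field names (`panel_op`, `current_status`, `message`) come from the report's proof of concept; the allowlists, the length limit, the function names and the assumption that the status string ends up in HTML are illustrative.

```javascript
// Added example: treat the "message" query parameter as untrusted data.
// Allowlist values are limited to the ones visible in the report (assumption).
const ALLOWED_OPS = new Set(["status"]);
const ALLOWED_STATUS = new Set(["failure"]);
const MAX_MESSAGE_LEN = 200; // arbitrary cap chosen for this example

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Parse and validate the JSON carried in ?message=...; return null on anything unexpected.
function parseStatusRequest(search) {
  const raw = new URLSearchParams(search).get("message");
  if (raw === null) return null;
  let req;
  try {
    req = JSON.parse(raw);
  } catch {
    return null; // malformed JSON is rejected, not rendered
  }
  if (typeof req !== "object" || req === null || Array.isArray(req)) return null;
  if (!ALLOWED_OPS.has(req.panel_op)) return null;
  if (!ALLOWED_STATUS.has(req.current_status)) return null;
  if (req.message !== undefined && typeof req.message !== "string") return null;
  return {
    panel_op: req.panel_op,
    current_status: req.current_status,
    message: (req.message || "").slice(0, MAX_MESSAGE_LEN),
  };
}

// Build the status markup with the message escaped. In a page with a DOM,
// assigning to element.textContent instead of building HTML avoids the sink entirely.
function renderStatus(search) {
  const req = parseStatusRequest(search);
  if (!req) return "";
  return `<span class="status">${escapeHtml(req.message)}</span>`;
}

// Constructed sample input: the same parameter shape as the report's PoC.
const SAMPLE_SEARCH = "?message=" + encodeURIComponent(JSON.stringify({
  panel_op: "status",
  current_status: "failure",
  message: "<h1>hello</h1>",
}));

console.log(renderStatus(SAMPLE_SEARCH));
```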

apseudonym
Feb 25, 2011

I got another recruiter email from Uber, at least this one got closer to what I actually do.

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

fisting by many posted:

krebs released his big expose on the mirai author

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

it's minecraft and anime all the way down

holy gently caress like i always knew that people into minecraft and anime were emotionally unstable and this just cements it further

McGlockenshire
Dec 16, 2005

GOLLOCKS!

fisting by many posted:

krebs released his big expose on the mirai author

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

it's minecraft and anime all the way down

if he can't even figure out that SuperMicro makes servers not routers and that those devices exposing IPMI to the world also has nothing to do with routers being hacked, I'm not really sure I trust anything else in that article to be factually correct

same thing with crediting Microsoft for Minecraft

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

McGlockenshire posted:

if he can't even figure out that SuperMicro makes servers not routers and that those devices exposing IPMI to the world also has nothing to do with routers being hacked, I'm not really sure I trust anything else in that article to be factually correct

same thing with crediting Microsoft for Minecraft

Microsoft paid 2.5 Instagrams for Mojang and Minecraft.

Also that's a fuckup on the SuperMicro part but they make more than just servers.

spankmeister
Jun 15, 2008






They make L3 switches which are technically routers I suppose but we're splitting hairs here.

Luigi Thirty
Apr 30, 2006

Emergency confection port.

spankmeister posted:

p sure the SSL settings already break opera 12

even my lovely Amiga browser from a million years ago can use a modern OpenSSL library port and TLS 1.2

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
you can still compile current openssl source for nextstep and beos (well haiku really)

code:
Configuring OpenSSL version 1.1.1-dev (0x10101000L)
BS2000-OSD
BSD-generic32
BSD-generic64
BSD-ia64
BSD-sparc64
BSD-sparcv8
BSD-x86
BSD-x86-elf
BSD-x86_64
Cygwin
Cygwin-i386
Cygwin-i486
Cygwin-i586
Cygwin-i686
Cygwin-x86
Cygwin-x86_64
DJGPP
MPE/iX-gcc
OS390-Unix
QNX6
QNX6-i386
UEFI
UWIN
VC-CE
VC-WIN32
VC-WIN64A
VC-WIN64A-masm
VC-WIN64I
aix-cc
aix-gcc
aix64-cc
aix64-gcc
android
android-armeabi
android-mips
android-x86
android64
android64-aarch64
android64-mips64
android64-x86_64
bsdi-elf-gcc
cc
darwin-i386-cc
darwin-ppc-cc
darwin64-debug-test-64-clang
darwin64-ppc-cc
darwin64-x86_64-cc
debug
debug-erbridge
debug-linux-ia32-aes
debug-linux-pentium
debug-linux-ppro
debug-test-64-clang
dist
gcc
haiku-x86
haiku-x86_64
hpux-ia64-cc
hpux-ia64-gcc
hpux-parisc-cc
hpux-parisc-gcc
hpux-parisc1_1-cc
hpux-parisc1_1-gcc
hpux64-ia64-cc
hpux64-ia64-gcc
hpux64-parisc2-cc
hpux64-parisc2-gcc
hurd-x86
ios-cross
ios64-cross
iphoneos-cross
irix-mips3-cc
irix-mips3-gcc
irix64-mips4-cc
irix64-mips4-gcc
linux-aarch64
linux-alpha-gcc
linux-aout
linux-arm64ilp32
linux-armv4
linux-c64xplus
linux-elf
linux-generic32
linux-generic64
linux-ia64
linux-mips32
linux-mips64
linux-ppc
linux-ppc64
linux-ppc64le
linux-sparcv8
linux-sparcv9
linux-x32
linux-x86
linux-x86-clang
linux-x86_64
linux-x86_64-clang
linux32-s390x
linux64-mips64
linux64-s390x
linux64-sparcv9
mingw
mingw64
nextstep
nextstep3.3
purify
qnx4
sco5-cc
sco5-gcc
solaris-sparcv7-cc
solaris-sparcv7-gcc
solaris-sparcv8-cc
solaris-sparcv8-gcc
solaris-sparcv9-cc
solaris-sparcv9-gcc
solaris-x86-gcc
solaris64-sparcv9-cc
solaris64-sparcv9-gcc
solaris64-x86_64-cc
solaris64-x86_64-gcc
tru64-alpha-cc
tru64-alpha-gcc
uClinux-dist
uClinux-dist64
unixware-2.0
unixware-2.1
unixware-7
unixware-7-gcc
vms-alpha
vms-alpha-p32
vms-alpha-p64
vms-ia64
vms-ia64-p32
vms-ia64-p64
vos-gcc
vxworks-mips
vxworks-ppc405
vxworks-ppc60x
vxworks-ppc750
vxworks-ppc750-debug
vxworks-ppc860
vxworks-ppcgen
vxworks-simlinux

spankmeister
Jun 15, 2008






i'm DJGPP

Winkle-Daddy
Mar 10, 2007

McGlockenshire posted:

if he can't even figure out that SuperMicro makes servers not routers and that those devices exposing IPMI to the world also has nothing to do with routers being hacked, I'm not really sure I trust anything else in that article to be factually correct

Krebs is actually pro-tier awesome and a very good and reputable info sec journalist (though his areas of expertise tend to be more of the organized cyber crime type). The part you're complaining about to sound so smart and knowledgeable to all of us, and to show how much better you are than my man with the giant forehead is pretty silly though since it's a summary from verisign mentioned as a throw away:

quote:

Verisign said the 2014 attack was launched by a botnet of more than 100,000 hacked routers sold by a company called SuperMicro. Days before the huge attack on ProxyPipe, a security researcher published information about a vulnerability in the SuperMicro devices that could allow them to be remotely hacked and commandeered for these sorts of attacks.

quote:

same thing with crediting Microsoft for Minecraft

jesus learn to read

quote:

The most frequent target of the lelddos gang were Web servers used to host Minecraft, a wildly popular computer game sold by Microsoft that can be played from any device and on any Internet connection.

e: sorry, this came off a lot more dickish than I meant.

Winkle-Daddy fucked around with this message at 23:01 on Jan 18, 2017


Luigi Thirty
Apr 30, 2006

Emergency confection port.

OSI bean dip posted:

you can still compile current openssl source for nextstep and beos (well haiku really)

code:
Configuring OpenSSL version 1.1.1-dev (0x10101000L)
Literally every architecture in the universe

neat

the Amiga version is a shared library wrapper around a generic GCC 4 build so any program conforming to the library API will work with any version of OpenSSL it uses
