infernal machines posted:

well the other option is gateway filtering through an appliance or dedicated server, whether that's better or worse depends on your budget and key-management policies.

Winkle-Daddy posted:

can you give some examples? our research team had fun with some endpoints protection stuff recently and I'd love to throw them some suggestions of things to look at next

infernal machines posted:

nothing i can show being exploited, although i'll see if i can find something.

Winkle-Daddy posted:

can you give some examples? our research team had fun with some endpoints protection stuff recently and I'd love to throw them some suggestions of things to look at next

Winkle-Daddy posted:

I think F5 is one of the companies to stay away from. We reported some tls issues to them and they were huge cocks about how they know what they're doing (despite providing a poc exploit)

Winkle-Daddy posted:

my post was more directed at trying to find out what alternative to mitm'ing ssl that poster might be suggesting, obviously there are poo poo vendors (F5 *cough*) and better ones. There are poo poo deployments and good deployments. but your packets are getting inspected in corporate america.

quote:

Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher.

cinci zoo sniper posted:

http://www.guru3d.com/news-story/anti-virus-vendors-are-intercepting-and-analyzing-your-https-traffic.html

Truga posted:

https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/

owns

Powerful Two-Hander posted:

oh great now we're gonna have to do mandatory reboots every 1 hour to 'fix' the problem

Edit: also

Wiggly Wayne DDS posted:

speaking of: https://isc.sans.edu/diary/Ticketbleed+vulnerability+affects+some+f5+appliances/22051

WrenP-Complete posted:

polytopolis (eripsa's new thing) is going to roll its own crypto.

Powaqoatse posted:

out of poo, like a scarab

Powaqoatse posted:

out of poo, like a scarab

Powerful Two-Hander posted:

oh great now we're gonna have to do mandatory reboots every 1 hour to 'fix' the problem

LeftistMuslimObama posted:

given they explicitly call out banks and such, i'm going to guess that these things rely pretty heavily on the infrastructure being outdated and they wouldn't work as well on modern hardware that has all the fun virtual memory protection that modern operating systems offer.

Deep Dish Fuckfest posted:

power companies should start making inroads in infosec by triggering random power outages and charging customers for it

WrenP-Complete posted:

polytopolis (eripsa's new thing) is going to roll its own crypto.

Deep Dish Fuckfest posted:

power companies should start making inroads in infosec by triggering random power outages and charging customers for it

OSI bean dip posted:

link to details please

flakeloaf posted:

brownsomeware

WrenP-Complete posted:

If you start a few pages back you'll get the gist: https://forums.somethingawful.com/showthread.php?threadid=3804685&userid=0&perpage=40&pagenumber=88

Eripsa posted:

Two factor means two distinct and independent pieces of information. I have my password, and I have my phone to receive texts. To get past two factor authentication, I need access to both, which is harder than just compromising one.

Group A requires showing a passport or DL for verification. Group B requires an extensive background check of one's criminal record and police files. Groups C requires showing up in person and taking an oath in front of a judge. These groups have trustworthy verification procedures and secure logos, and they are all independent of each other.

Group D is an activist organization with political goals. They need a secretary to run their finances. They also need someone they can trust. Group A is politically neutral, and Group D trusts their verification process. So D accepts proof of membership in A as a confirmation of identity. It can use the A logo as verification without asking for the ID directly. So Group D would have Group A's logo as a subnorm on their own logo. If you're already part of A and then join D, you now have two copies of A's logo on your bubble.

If D wants more protection, they can ask for verification of membership in both A and B. Since these logos are independently verified, this constitutes a kind of two-factor authentication. You can only have both logos by having completed both handshakes independently.

Eripsa posted:

So an ID card or passport is something you have, and not something you know?

If the logo is something I can only have a copy of upon becoming a ring member, while still being verifiable as authentic by the general public-- in other words, if the logo is a private key that I obtain upon membership that can be verified by a public key -- could it count as "something I have", and not just something I know?

My original thought was the logo would have space for verifying the identity, and so each logo would be partly unique to the user so it could work as a private key in this way. I only obtain this combination of symbols as a result of the identification handshake, so it's something I couldn't have had (or known?) before becoming a member of the ring.



edit: if I copy the logo and then the ring sends me a charm bracelet, showing the bracelet would constitute a second factor?

Eripsa posted:

Verification, identification, and authentication are all different problems from encryption. They are related, but theoretically you can solve each independently. jre was right to scold us on this, and I've found the resulting discussion very constructive.

I've been arguing that the Polytopolis offers a method of authentication or identification. I can show logos to prove who I am. As proposed, that's just a thing I know, the security equivalent of a password. Which is not, itself, a bad thing, it just means you need some other form besides a password (think you have, thing you are) to have it count as a second factor if this is to be secure.

The Polytopolis is not a security design. It is an identity management/social organization design. If you don't care about security, you could play the whole thing as a game with pure data and not worry about the security questions at all. But if the Polytopolis is actually going to be a useful tool, it better be able to address the security questions directly.

So fine. The slow, tedious D&D character sheet way of doing this for the Polytopolis is for each ring to give you a logo (password), and then send you a charm bracelet (a physical object). To prove your identity, you have to show the logo and the charm bracelet together: thing you know + thing you have. Having each ring send you different charm bracelets would be very annoying. But you can see, intuitively, how each bracelet might be laced with individual charms which stand for various norms. And the norms let you hook bracelets up together where they share norms (kernels) to be long strings of beads connecting all the bracelets together. That weaving of charm bracelets with each other and selectively showing them to interested parties would effectively accomplish both the mechanics and the security procedures for the Polytopolis. "Look, I know the password and I have the charm bracelet to prove it!"

The fancy cyberpunk 2017 way to do this is with computer chips like on your credit card. The chip is something you have, and is equipped with a bunch of security features to authenticate the transaction along with passwords and pin numbers. Having all your rings send you different chips would be annoying too, and there's not really any way to link chips to each other. Question: if two different EMV chips are on the same card (one at opposite ends), is that itself a security risk? Say the chips are configured for different banks, with their own distinct security procedures and passwords, and you use different sides of the card in different machines, depending on which bank you are accessing. Is the fact that both "things you have" are on the same physical object itself a security risk, apart from it simply being easier to lose both? Is it more secure if they are each different objects? Would it be stupid to want two different chips sitting on the same card?

Because you could do the Polytopolis with a fob that contained a stack of EMV chips, and could extend and retract the desired ones on demand like a pez dispenser, and had some operating system for linking the chips together in secure ways to manage rings and kernels. Internet tells me that an EMV chip costs about $4. An 8x8 grid of EMV chips would run about 250 dollars, the price of a cheap smart phone. 8x8 would allow for 64 different norms to be expressed. That's not very much, but it seems like a reasonable starting point for a design that could operate the Polytopolis as a secure system in the real world. In this kind of implementation, the identification process would still be about mapping ring norms, in this case by configuring a selection of the EMV chips to operate in conjunction. This fob would then be a perpetual "thing I have" that can demonstrate my identity and relative social status without necessarily revealing my name/address/DOB, and I can carry it around like a digital ID. It could even have a screen for displaying and interacting with the bubble. If the only interactions are for interfacing with the chip array inside, the device could be operated totally offline and securely, with all operations done on the machine itself.

I don't think it's plausible to imagine people carrying around a separate device for their bitcoin wallet. But a fob that could work as a secure digital identity for managing social identity and organization, up through the scales of international politics? I don't have as much trouble imagining such a device taking off. ESPECIALLY if the protocol allows people to make devices however they like and still be interoperable? Yes please.

OSI bean dip posted:

apseudonym posted:

What did I just read?

apseudonym posted:

What did I just read?

OSI bean dip posted:

a seemingly ill person who thinks that they can remake the world with bitcoin and poo poo crypto

he should come here to explain why his crypto will work and give us a real technical explanation of things

anthonypants posted:

you will never get this because it does not exist