|
Yes, if only there were some way in a web browser to only run trusted JavaScript.
|
#
?
Feb 15, 2017 19:59
|
|
|
|
| # ? May 18, 2024 21:53 |
|
|
Doom Mathematic posted:Yes, if only there were some way in a web browser to only run trusted JavaScript. yeah you just gotta install my special Secure Browser (tm) with Security Enhanced Trusted Javascript and Automatic Virus Reductions
|
|
#
?
Feb 15, 2017 20:06
|
|
|
ate all the Oreos posted:yeah you just gotta install my special Secure Browser (tm) with Security Enhanced Trusted Javascript and Automatic Virus Reductions IBM Trusteer ?
|
|
#
?
Feb 15, 2017 20:09
|
|
|
Just use lynx, op
|
|
#
?
Feb 15, 2017 20:09
|
|
|
In good transparency news: http://www.montrealgazette.com/news/canada/canada+will+soon+force+companies+disclose+hacking/12922450/story.html quote:The federal government is in the final stages of enacting legislation that will require all businesses in Canada to report any cyber security breach as soon as they become aware of it. It's a step meant to close what critics say has been a major gap in this country's protection of personal and financial data.
|
|
#
?
Feb 15, 2017 20:29
|
|
|
quote:The federal government is in the final stages of enacting legislation that will require all businesses  quote:in Canada 
|
|
#
?
Feb 15, 2017 20:45
|
|
|
good, the aftermath of the tjmaxx and home depot breaches were kinda bullshit
|
|
#
?
Feb 15, 2017 20:46
|
|
|
Now you'll just get your free year of credit monitoring sooner.
|
|
#
?
Feb 15, 2017 21:27
|
|
|
Volmarias posted:Now you'll just get your free year of credit monitoring sooner. you can also cancel cards/freeze credit and whatever else you need to do sooner if you're affected
|
|
#
?
Feb 15, 2017 21:49
|
|
|
Doom Mathematic posted:Yes, if only there were some way in a web browser to only run trusted JavaScript. the problem is theres no solution. theres no mechanism for trusted javascript so you have to run all javascript, and remain at risk, or run no javascript, and not use the web.
|
|
#
?
Feb 15, 2017 22:08
|
|
|
Migishu posted:In good transparency news: aware that there might have been a breach or gone through the 2 year process to identify that yes it was a breach?
|
|
#
?
Feb 15, 2017 22:09
|
|
|
Shaggar posted:the problem is theres no solution. theres no mechanism for trusted javascript so you have to run all javascript, and remain at risk, or run no javascript, and not use the web. is there not a noscript for IE
|
|
#
?
Feb 15, 2017 22:15
|
|
|
ate all the Oreos posted:is there not a noscript for IE don't encourage him
|
|
#
?
Feb 15, 2017 22:17
|
|
|
i've never heard of wickr before but they just went open sores https://github.com/WickrInc/wickr-crypto-c
|
|
#
?
Feb 15, 2017 22:21
|
|
|
ate all the Oreos posted:is there not a noscript for IE disabling javascript or whitelisting urls isn't the same thing as trust
|
|
#
?
Feb 15, 2017 22:22
|
|
|
altho it is funny to see self proclaimed "security experts" poo-pooing the idea of code signing and promoting arbitrary javascript execution which is the single greatest security hazard for most users.
|
|
#
?
Feb 15, 2017 22:25
|
|
|
new proposed law in italy will regulate forensically sound "implants" (ie. trojan horses) for lawful client-side "wiretapping": https://boingboing.net/2017/02/15/title-italy-unveils-a-law-pro.html
|
|
#
?
Feb 15, 2017 22:27
|
|
|
Shaggar posted:disabling javascript or whitelisting urls isn't the same thing as trust how is this distinction significant, in terms of implementation and appearance to end users? how would code signing in the absence of both whitelisting and js-disabling bring any benefit to the user, beyond the ability to know if the JS files have been tampered with server-side?
|
|
#
?
Feb 15, 2017 22:34
|
|
|
Code signing and whitelisting of signers or specific files is more granular than url based trust and is more flexible since its transport/url independent. tamper proofing becomes critical if you're talking about transport independence and its a good idea anyways since who knows whats in between the client and the server. code signing provides protection against things like AV that sticks the same root cert into the trust store of every installed computer or china mitm your traffic while you're visiting.
|
|
#
?
Feb 15, 2017 22:44
|
|
|
anthonypants posted:i've never heard of wickr before but they just went open sores https://github.com/WickrInc/wickr-crypto-c they're yet another secure messaging thing that does who knows what with your data
|
|
#
?
Feb 15, 2017 23:05
|
|
|
Shaggar posted:Code signing and whitelisting of signers or specific files is more granular than url based trust and is more flexible since its transport/url independent. tamper proofing becomes critical if you're talking about transport independence and its a good idea anyways since who knows whats in between the client and the server. code signing provides protection against things like AV that sticks the same root cert into the trust store of every installed computer or china mitm your traffic while you're visiting. i mean i guess if you've solved the halting problem
|
|
#
?
Feb 16, 2017 01:48
|
|
|
yes, code signing based on chaining to roots defends against AV software installing roots. riotous applause.
|
|
#
?
Feb 16, 2017 01:49
|
|
|
my wife's hr department got phished and sent the entire company's W2s to someone. tonight I went through the rigamarole of putting freezes on our credit repots. Experian: pretty nice and straightforward Equifax: didn't verify my identify beyond name, address, and SSN. also didn't give me a receipt for what I had to pay, but overall not horrible. TransUnion: requires you to create an account. I had to recover my account I set up like 10 years ago to buy a credit report. when I went to pay for the freeze, they defaulted the credit card number and expiration to the card number I used 10 years ago. like, not the last 4 digits. the full card number. 
Pendragon fucked around with this message at 04:04 on Feb 16, 2017 |
|
#
?
Feb 16, 2017 04:01
|
|
|
Subjunctive posted:yes, code signing based on chaining to roots defends against AV software installing roots. riotous applause. I'm talking about whitelists for signers and specific files, not chaining back to roots which would be pointless for code signing.
|
|
#
?
Feb 16, 2017 04:03
|
|
|
Shaggar posted:I'm talking about whitelists for signers and specific files, not chaining back to roots which would be pointless for code signing. is that not how code signing works on Windows?
|
|
#
?
Feb 16, 2017 04:06
|
|
|
Shaggar posted:I'm talking about whitelists for signers and specific files, not chaining back to roots which would be pointless for code signing. so every site is going to have one+ unique code signing cert? hang on, get the chrome team on the phone, i'm sure they'll start on this first thing tomorrow
|
|
#
?
Feb 16, 2017 04:10
|
|
|
Lutha Mahtin posted:so every site is going to have one+ unique code signing cert? hang on, get the chrome team on the phone, i'm sure they'll start on this first thing tomorrow every site has a unique TLS cert, today signed scripts used to exist in Netscape and IE; I presume Shaggar is familiar with the drawbacks of those approaches
|
|
#
?
Feb 16, 2017 04:14
|
|
|
Shaggar posted:I'm talking about whitelists for signers and specific files, not chaining back to roots which would be pointless for code signing. signed scrips will still contain eval( $unsafe_variable ) the real solution is to make a sandbox that works, which probably require new cpus seeing how leaky mmu's are
|
|
#
?
Feb 16, 2017 04:30
|
|
|
Subjunctive posted:every site has a unique TLS cert, today nah but shaggz is talking about ones that don't chain to an authority. so the browser would then need zillions of certs for it to be useful, right?
|
|
#
?
Feb 16, 2017 04:51
|
|
|
Lutha Mahtin posted:nah but shaggz is talking about ones that don't chain to an authority. so the browser would then need zillions of certs for it to be useful, right? no amount of certs could make that useful
|
|
#
?
Feb 16, 2017 05:16
|
|
|
Applebees posted:Has anyone heard of IBM Security Trusteer Rapport? Multiple Canadian banks are recommending it. They must have some sort of deal. A couple of years ago I saw Banks For Rich People/Rich People Divisions Of Banks offer to give people like $20/mo for people to install it on their computers and it just hosed EVERYTHING up on OS X.
|
|
#
?
Feb 16, 2017 06:56
|
|
|
Jimmy Carter posted:A couple of years ago I saw Banks For Rich People/Rich People Divisions Of Banks offer to give people like $20/mo for people to install it on their computers and it just hosed EVERYTHING up on OS X. first republic offered/nagged-about this at some point to me. if memory serves, it was a one-time thing for them and i got the  for just clicking the download button to see if it would make them leave me alone.
|
|
#
?
Feb 16, 2017 07:03
|
|
|
ultramiraculous posted:first republic offered/nagged-about this at some point to me. if memory serves, it was a one-time thing for them and i got the did you check to see if clicking the button again gave you another because lol
|
|
#
?
Feb 16, 2017 07:43
|
|
|
also iirc the only thing i was ever able to get by installing shady bank software was one of my banks "offered" me the "feature" of not having to use my password to log in if it was installed (I think it was the same IBM thing but i don't remember)
|
|
#
?
Feb 16, 2017 07:45
|
|
|
caught a trojan in librecad sourceforge installation
|
|
#
?
Feb 16, 2017 12:52
|
|
|
cinci zoo sniper posted:caught a trojan in librecad sourceforge installation what is the hash
|
|
#
?
Feb 16, 2017 12:54
|
|
|
Crime on a Dime posted:what is the hash
|
|
#
?
Feb 16, 2017 12:57
|
|
|
cinci zoo sniper posted:gone already, thanks shaggar defender more like daggar 
|
|
#
?
Feb 16, 2017 13:01
|
|
|
incoming cache virtualization extensions I guess
|
|
#
?
Feb 16, 2017 13:05
|
|
|
|
| # ? May 18, 2024 21:53 |
|
|
ate all the Oreos posted:did you check to see if clicking the button again gave you another
|
|
#
?
Feb 16, 2017 15:14
|
|