|
https://wycd.net/posts/2017-02-21-ibm-whole-cluster-privilege-escalation-disclosure.html
quote: This is a disclosure of a privilege escalation vulnerability I found in the IBM Data Science Experience product, which was patched on Feb 15th, 2017. It was a misconfiguration vulnerability with very severe consequences. In short, they left all the Docker TLS keys in the container
ayyyy lmao
|
# ? Feb 22, 2017 10:00 |
|
|
Truga posted: https://wycd.net/posts/2017-02-21-ibm-whole-cluster-privilege-escalation-disclosure.html
i actually like and use docker all the time and i'm pretty sure it's still a net negative on the world because it seems like nobody in the loving world but me knows how not to gently caress it up in laughably terrible ways
|
# ? Feb 22, 2017 14:17 |
|
i'm currently in the process of deploying openshift through our infrastructure and butts and it's going to own and be the best thing ever, but yes, i agree
|
# ? Feb 22, 2017 14:26 |
|
another quote from the ibm thing
quote: Customers should have received a security bulletin for this. I was told that a security bulletin would not be posted for this incident or cloud security incidents in general, but if I were a paying customer, I would absolutely want to hear it from the company itself and not some stupid tech blog.
|
# ? Feb 22, 2017 14:30 |
|
were his previous reports any good? lots of reporters are super noisy, and never produce anything of value
|
# ? Feb 22, 2017 14:36 |
|
Security Fuckup Megathread - v13.3 - not some stupid tech blog
|
# ? Feb 22, 2017 14:51 |
|
ate all the Oreos posted: i actually like and use docker all the time and i'm pretty sure it's still a net negative on the world because it seems like nobody in the loving world but me knows how not to gently caress it up in laughably terrible ways
i know what docker is but i've never actually used it. however whenever i hear colleagues mention it i quietly lol because of exactly that. it seems like one of those things which is easy to get into but easy to fuck up.
|
# ? Feb 22, 2017 15:09 |
so, i was browsing startups... http://www.authbase.net/
|
|
# ? Feb 22, 2017 15:20 |
|
cinci zoo sniper posted: so, i was browsing startups...
quote: SECURITY IS NOT AN OPTION!
except for HTTPS i guess, which their website doesn't support... e: copyright date in the footer is 2016, site is prolly long ded
|
# ? Feb 22, 2017 15:24 |
|
Subjunctive posted: were his previous reports any good? lots of reporters are super noisy, and never produce anything of value
one of the reasons I haven't really looked into bug bounties at all is because the way i imagine them working is you have 2000 indian guys running metasploit or w/e and auto-generating reports on literally everything their tools spit out, and then probably 100 actually competent people finding the neat bugs who are much better at it than me, and it just seems like i'd be lost in the sea of piss that is the first group since i don't think i'm cool hacker guy enough to be in the second group
|
# ? Feb 22, 2017 15:27 |
|
cinci zoo sniper posted: so, i was browsing startups...
code:
|
# ? Feb 22, 2017 15:28 |
|
also im the 2016 copyright
|
# ? Feb 22, 2017 15:30 |
|
Subjunctive posted: were his previous reports any good? lots of reporters are super noisy, and never produce anything of value
his website has a rant about it, basically he's angry that their bug bounty doesn't cover ie
|
# ? Feb 22, 2017 15:38 |
|
the main problem of docker is the ease of access i bet. you click or paste a few things and are developing the app in a production-like environment! another few clicks and it's running on production in a ha cluster! it's like magic

you're supposed to have a sysadmin and/or devops guys handling all the configuration poo poo, but lol if a manager will hire a dude he doesn't explicitly need to push his project into production, when he could raise his own salary by pushing out more projects faster, cheaper

if a secfuck happens, the dev will be the one getting hosed anyway
|
# ? Feb 22, 2017 15:47 |
|
ate all the Oreos posted: 2000 indian guys running metasploit or w/e and auto-generating reports on literally everything their tools spit out and then probably 100 actually competent people
lol the ratios aren't even that good signal/noise, and the bad reporters aren't skilled enough to use metasploit. also india isn't actually the worst country reporter-wise
quote: i'd be lost in the sea of piss that is the first group since i don't think i'm cool hacker guy enough to be in the second group
maybe you're not good enough to be in the second group (then again neither am I), but there's a lot of stuff you can do to not be in the first group either, for instance: don't be an rear end in a top hat and give reasonable risk assessments instead of insisting your IE8-only reflected XSS in an unauthenticated marketing microsite is a severe vulnerability
|
# ? Feb 22, 2017 15:53 |
|
rjmccall posted: his website has a rant about it, basically he's angry that their bug bounty doesn't cover ie
i for one am shocked that microsoft isn't actively patching their officially deprecated browser
|
# ? Feb 22, 2017 16:22 |
|
fishmech posted: i for one am shocked that microsoft isn't actively patching their officially deprecated browser
internet explorer 11 is still supported
https://www.microsoft.com/en-ca/WindowsForBusiness/End-of-IE-support
quote: Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10.
https://support.microsoft.com/en-us/help/17454/lifecycle-support-policy-faq-internet-explorer
quote: Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the support lifecycle of the version of Windows on which it is installed.
|
# ? Feb 22, 2017 16:25 |
|
mod saas posted:Security Fuckup Megathread - v13.3 - not some stupid tech blog
|
# ? Feb 22, 2017 16:41 |
|
OSI bean dip posted:internet explorer 11 is still supported
|
# ? Feb 22, 2017 17:42 |
|
i don't know much about docker but i'm still convinced it's bad
let's have a complex god process that runs as root managing everything and it also has some sort of http interface, what could possibly go wrong
|
# ? Feb 22, 2017 18:53 |
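The two Docker complaints in this thread, the IBM disclosure (the TLS material for talking to the daemon shipped inside the container, so any process in the container could drive every daemon in the cluster) and the point that the daemon is a root process with a network API, come down to one question for a container you are handed: does anything inside it let a process reach the daemon? Added example, not code from the linked disclosure, from IBM or from Docker: a Python audit that walks a container filesystem looking for a docker-machine style ca.pem/cert.pem/key.pem bundle, any PEM private key, a mounted docker.sock, and the DOCKER_* variables the docker CLI reads. The sample rootfs, the placeholder PEM bodies, the port in the sample DOCKER_HOST and the severity labels are constructed assumptions for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# PEM private-key header as written by openssl / docker-machine.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# The three files a Docker TLS client needs to talk to a daemon on tcp/2376.
DOCKER_TLS_BUNDLE = {"ca.pem", "cert.pem", "key.pem"}
# Environment variables the docker CLI reads to locate the daemon and its certs.
DOCKER_ENV_VARS = ("DOCKER_HOST", "DOCKER_CERT_PATH", "DOCKER_TLS_VERIFY")

# Severity labels are an assumption for this demo. Anything that lets a process
# in the container drive the daemon is treated as critical: the daemon runs as
# root on the host, so driving it is root on the host.
SEVERITY = {
    "docker_socket": "critical",
    "docker_tls_bundle": "critical",
    "private_key": "high",
    "docker_env": "medium",
}


def find_docker_credentials(root, env=None, max_size=64 * 1024):
    """Walk a container filesystem rooted at `root` and report Docker credential
    material. Returns a list of (kind, location, severity) tuples."""
    root = Path(root)
    env = os.environ if env is None else env
    findings = []

    # 1. A bind-mounted daemon socket is the same thing as root on the host.
    sock = root / "var" / "run" / "docker.sock"
    if sock.is_socket():
        findings.append(("docker_socket", str(sock), SEVERITY["docker_socket"]))

    # 2. Cert bundles and stray private keys anywhere in the image.
    for dirpath, _dirnames, filenames in os.walk(root):
        if DOCKER_TLS_BUNDLE <= set(filenames):
            findings.append(("docker_tls_bundle", dirpath, SEVERITY["docker_tls_bundle"]))
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if not path.is_file() or path.stat().st_size > max_size:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if PEM_PRIVATE_KEY.search(head):
                findings.append(("private_key", str(path), SEVERITY["private_key"]))

    # 3. Environment that points the CLI at a remote daemon.
    for var in DOCKER_ENV_VARS:
        if var in env:
            findings.append(("docker_env", var, SEVERITY["docker_env"]))
    return findings


def build_sample_container(root):
    """Constructed sample rootfs: a docker-machine style cert bundle left under
    /root/.docker plus one unrelated config file. The PEM bodies are placeholders,
    not real key material."""
    root = Path(root)
    certs = root / "root" / ".docker"
    certs.mkdir(parents=True)
    cert = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    (certs / "ca.pem").write_bytes(cert)
    (certs / "cert.pem").write_bytes(cert)
    (certs / "key.pem").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
    )
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_bytes(b"listen=0.0.0.0:8080\n")
    return certs


def audit_sample():
    """Build the constructed sample in a temp dir and audit it with an env that
    points the docker CLI at a (made-up) remote daemon over TLS."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_container(tmp)
        env = {"DOCKER_HOST": "tcp://10.0.0.5:2376", "DOCKER_TLS_VERIFY": "1"}
        return find_docker_credentials(tmp, env=env)


if __name__ == "__main__":
    for kind, where, sev in audit_sample():
        print(f"[{sev}] {kind}: {where}")
```

To run it against a real container, export the filesystem (`docker export <id> | tar -x -C /tmp/rootfs`) and call `find_docker_credentials("/tmp/rootfs", env=dict(os.environ))`; a bundle or socket finding means the container can do anything the daemon can, which on a shared cluster is every host the same CA trusts.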
|
anthonypants posted: not only is it still supported, it's the only browser in the windows 10 long-term servicing branch, indicating that there are no long-term plans or goals for microsoft edge
this is one of those posts where i genuinely can't decide if it's sarcasm or not
|
# ? Feb 22, 2017 20:39 |
|
Lutha Mahtin posted:this is one of those posts where i genuinely can't decide if it's sarcasm or not
|
# ? Feb 22, 2017 20:44 |
|
anthonypants posted: they named the third xbox the xbox one
does it still have the wrong ram
|
# ? Feb 22, 2017 20:58 |
|
rjmccall posted: his website has a rant about it, basically he's angry that their bug bounty doesn't cover ie
lol, the anarcho-capitalistic endgame of security research is here
|
# ? Feb 22, 2017 20:59 |
|
Sapozhnik posted: i don't know much about docker but i'm still convinced it's bad
Yeah you should be using rkt instead
|
# ? Feb 22, 2017 21:06 |
|
PCjr sidecar posted:does it still have the wrong ram
|
# ? Feb 22, 2017 21:10 |
Wiggly Wayne DDS posted: the wrong ram?!
xbone has ddr3, ps4 - gddr5
|
|
# ? Feb 22, 2017 21:14 |
|
PCjr sidecar posted:does it still have the wrong ram
|
# ? Feb 22, 2017 21:18 |
|
anthonypants posted: project scorpio will have six teraflops of power
https://www.youtube.com/watch?v=9QEsjd1WZuY
|
# ? Feb 22, 2017 21:32 |
|
cinci zoo sniper posted:xbone has ddr3, ps4 - gddr5
|
# ? Feb 22, 2017 22:02 |
|
my favorite episode
|
# ? Feb 22, 2017 22:11 |
|
lomarf https://twitter.com/ressym/status/834458698563145728
|
# ? Feb 22, 2017 22:42 |
|
I was staring at that for ages going, what's wrong with a minimum of 8 chars, mix of caps, small and numbers? wtf?
|
# ? Feb 22, 2017 22:45 |
|
Eripsa posted:You aren't "hammering" me, you are showing off. In academic talks, there's always the guy who asks the question that goes "I don't know anything about what you're talking about, and I don't care. But here's what I do, and I'm really great at it. Really really great! What do you have to say to that?" You are that guy. You are explaining in detail how poor our existing security systems are, and how easy they are to compromise. Boy, you sure are right about that! Great comment. Here's your gold sticker.
|
# ? Feb 22, 2017 22:46 |
|
Wiggly Wayne DDS posted:32mb of esram disagrees
|
# ? Feb 22, 2017 22:53 |
|
if the security experts are the ones installing nsa backdoors, then who are the ones detecting them?
|
# ? Feb 22, 2017 23:01 |
|
OSI bean dip posted: It doesn't matter to me if you're "rich", you're as white as many other posters in this thread and unlike many people who are not white, you've had the ability to get a degree that enabled you to teach at two post-secondary institutions. Like many other white males such as yourself, you've also attempted to go into business in a white male-dominated field--we're talking about your failed cryptocurrency nonsense.
quote: Sorry for bursting your tender white male bubble, Eripsa, but no matter what you say you're as white as they come. I'm Irish and by that definition I am not technically "white" but guess what? I am and so are you. Where you were raised, what level of education your parents have, or where you were born are completely irrelevant to me. You have the privilege of being white and just like most people with attitudes like yours, you don't understand it. I enjoyed the posts where you told the hispanic guy that he wasn't dark enough to be an ethnic minority, that was good.
I'm surprised you didn't quote these brutal owns yourself.
|
# ? Feb 22, 2017 23:08 |
|
quit derailing the wizardsec thread with canuckistani insanity and the ravings of the mentally ill
|
# ? Feb 22, 2017 23:12 |
|
Cocoa Crispies posted:quit derailing the wizardsec thread with canuckistani insanity and the ravings of the mentally ill
|
# ? Feb 22, 2017 23:13 |
|
|
Wiggly Wayne DDS posted:we've been trying to get osi to stop posting for years to no effect
|
# ? Feb 22, 2017 23:18 |