yes, my bad. here's another to make up for it: Graham blames "Twitter Counter". https://twitter.com/gcluley/status/841938707603161088
# ? Mar 15, 2017 10:23 |
|
|
i'm the third party services able to post on users accounts without any badge or label to identify their posts
|
# ? Mar 15, 2017 10:33 |
|
bicycle posted:yes, my bad. here's another to make up for it: it's true: http://blog.twittercounter.com/2016/11/twitter-counter-accounts-secured-following-a-hack/ e: oh wait that was 3 months ago
|
# ? Mar 15, 2017 10:57 |
|
twitter statistics is something I care about enough to give a third-party access to my accounts
|
# ? Mar 15, 2017 11:04 |
|
bicycle posted:twitter statistics is something I care about enough to give a third-party access to my accounts understandable for read access, but write access ???
|
# ? Mar 15, 2017 11:18 |
|
Shinku ABOOKEN posted:understandable for read access, but write access ??? when we were doing Twitter integration experiments in Firefox, we wanted a token that was write only so that people could post from the browser but we couldn't leak tweets and DMs if there were a bug. twitter, at least then, had only very coarse permissions
|
# ? Mar 15, 2017 11:50 |
|
infernal machines posted:i don't know exactly how enforcement works, to my knowledge there are some basic requirements for electrical devices sold in the united states, things like requiring UL and CE marks, so in theory something similar to that I don't know about CE (though lol at the companies just shoving it in there and claiming "but it means China Export!"), but UL certification just means that you paid UL to test your product and it passed their tests well enough to be certified by them. It's not regulated by law, and you can sell an electrical product without it. You might have trouble finding a retailer who will do it, but it's not a government agency and it's not mandatory. Recalls are generally voluntary and only exist to reduce your liability from a civil suit. You have to really gently caress up to an almost impossible degree to get the government involved, like the guy at GM who caused hundreds of people to die due to hubris and incompetence, and GM's failure to act on this knowledge for a decade, and even that ended with mere fines.
|
# ? Mar 15, 2017 12:35 |
|
endlessmonotony posted:If your glucose monitor fails in those conditions it's not legal to begin with. that would lead to deliberately coding IN the flaws so they could make a show of patching them back OUT again, the way china does with getting credits for destroying the cfcs they create so they can destroy them
|
# ? Mar 15, 2017 13:23 |
|
flakeloaf posted:that would lead to deliberately coding IN the flaws so they could make a show of patching them back OUT again, the way china does with getting credits for destroying the cfcs they create so they can destroy them http://dilbert.com/strip/1995-11-13
|
# ? Mar 15, 2017 13:35 |
|
flakeloaf posted:that would lead to deliberately coding IN the flaws so they could make a show of patching them back OUT again, the way china does with getting credits for destroying the cfcs they create so they can destroy them If there were no known flaws they'd automatically be able to claim their money back under a sane system. It's not "money returned based on number of bugs patched", it's "money returned after a certain period* of a device having its security flaws patched as soon** as they're discovered***". * The EU would probably pick two years, being the only entity even somewhat likely to implement something like this. ** Within a reasonable time frame, like two weeks. *** It would obviously lead to companies trying their very best to keep people from publishing security flaws. No change from today.
|
# ? Mar 15, 2017 14:05 |
|
can someone explain to me what fortinet is doing here using a weird CN for the cert of their UTM sig update service? also lol trying to run SSL Labs against update.fortiguard.net returns internal errors
|
# ? Mar 15, 2017 14:26 |
|
more like fartinet
|
# ? Mar 15, 2017 14:39 |
|
Subjunctive posted:yeah, that's a good one. I just don't think anyone is going to make a case stick against Amazon the AWS SLA is nowhere near close enough for critical medical usage and I wouldn't be surprised if the use agreement specifically forbids the use in emergency services.
|
# ? Mar 15, 2017 15:03 |
|
infernal machines posted:the botnet doesn't matter, it's a convenient example of compromised devices. who's liable if your smoke alarm doesn't go off while your house burns down because someone hacked it for lulz? the liability should be on the manufacturer (up to a point), but mandating coding standards (and enforcing them) is a fool's errand.
|
# ? Mar 15, 2017 15:05 |
|
so what's the solution? mandating isps monitor botnet-like traffic won't work because it'll just lead to cleverer traffic shaping and false positives and grandma not being able to facetweet her poopsie because the smart couch cushion her grandnephew bought her is phoning home mandatory remote-brick codes for misbehaving devices their mfrs can't fix? lol when that one gets out and someone shuts off a few hundred thousand smoke detectors by sending them 00000000
|
# ? Mar 15, 2017 15:17 |
|
ISPs killing traffic for known botnets is a good solution for stopping those botnets. they already quarantine people for known virus traffic and grandmas have to call in to get it fixed every day. less so now w/ things like mandatory updates in win10. but in systemic terms the solution is the manufacturer would have to issue a recall and make sure everything is returned or fixed.
|
# ? Mar 15, 2017 15:23 |
|
obviously we need to install backdoors in everything so the helpful FBI man can come in and sweep for terrorist viruses once a month
|
# ? Mar 15, 2017 15:23 |
|
from pretty much everything i've read so far and from what smart people in this thread keep saying, the main reason IoT botnets are so powerful is because pretty much every manufacturer contracts their poo poo out to the lowest possible tier developer who shits out the cheapest, most outdated hardware, running unaudited, outdated code, with either hardcoded credentials (or no credentials), and undocumented root shells exposed straight to the internet. this makes the cost-per-unit-hacked extremely low for the people that are creating the botnets and allows them to grow to gigantic sizes, and also to be distributed all around the world. so maybe before looking at extreme solutions like killswitches, maybe we can incentivize the industry to step up the bare minimum quality of their products? at the very least you make it substantially more expensive for these botnets to be created and run. dpkg chopra fucked around with this message at 15:31 on Mar 15, 2017 |
# ? Mar 15, 2017 15:28 |
|
I don't think it even needs to be contracted out for it to suck
|
# ? Mar 15, 2017 15:30 |
|
corporations shouldn't need to be encouraged to do the right thing. maybe governments could implement stricter auditing regimens in conjunction with enhanced whistleblowing protections and set up federal bug-bounty programs which encourage security-conscious developers to come forward and report secfucks in the products they're developing? kinda like what the FDA does i guess
|
# ? Mar 15, 2017 15:36 |
|
infernal machines posted:to be more succinct, i think iot security is a consumer safety issue as long as things like smoke/co alarms, stoves, and fridges are being connected to the internet. webcams in a botnet are a bit of a red herring, it's just a convenient example since it's been in the news well that'll depend on what the "internet" functionality of the devices is. one of those stupid fridges with a display and a browser shoved on one of the doors is an iot fridge, but the internet part has no control over the temperature or anything like that, and the silly little tablet component can be removed without impairing the important functionality. there's ultimately very little safety issue you can get from that. meanwhile a smoke alarm that requires the internet to detect when there's smoke obviously can't have that functionality removed, and in fact should probably be outright illegal because there's no way to ensure a reliable enough internet connection regardless. similarly that one ~smart oven~ thing that couldn't be shut off when the servers got hosed up should also be illegal.
|
# ? Mar 15, 2017 15:38 |
|
Ur Getting Fatter posted:incentivize the industry to step up the bare minimum quality of their products that just creates space for an unethical person in a less-regulated place to step up and occupy the niche. like when you shoot all the skunks in your garden and raccoons move in and you say "man do i wish i had the skunks back" the isp as the gatekeeper is probably the easiest approach to implement but i shudder to think of what their phone drones would have to endure as a result
|
# ? Mar 15, 2017 15:38 |
|
flakeloaf posted:that just creates space for an unethical person in a less-regulated place to step up and occupy the niche. like when you shoot all the skunks in your garden and raccoons move in and you say "man do i wish i had the skunks back" imo carrier-level blocking sets a dangerous precedent and would not be effective. sure you could block the majority of layer 4 C&C traffic but what about layer 7 C&C which is piggybacking off a legit service like twitter? unless you want SSL intercept with deep-packet inspection then holy pisssss
|
# ? Mar 15, 2017 15:43 |
|
it already happens and already is highly effective at getting outdated computers off the ISP network. if something is using twitter for c&c then twitter can look at it. either way this isn't the final solution to the botnet problem, this is a way to hit the low hanging fruit that's easy to find. you can't stop single user targeted attacks this way but you could stop ddos
|
# ? Mar 15, 2017 15:46 |
|
flakeloaf posted:that just creates space for an unethical person in a less-regulated place to step up and occupy the niche. like when you shoot all the skunks in your garden and raccoons move in and you say "man do i wish i had the skunks back" it's already been mentioned but the us is the main tech market, and people usually buy their poo poo at big brands. if those stores stop buying those products, you can bet your rear end D-link, TP-Link, Netgear and all those low-cost, china-based manufacturers are going to step up their game. both approaches involve "regulations" but by going against sellers in the US you basically use market forces against itself and you can still use a more direct approach of auditing and testing devices like the FDA does. the isp as a gatekeeper means that you're going to get a lot of false-positives, getting into a discussion about how much should ISPs be looking into private traffic, and eventually botnets will adapt by encrypting their traffic
|
# ? Mar 15, 2017 15:50 |
|
there's no silver bullet, I think. a coordinated, multipronged approach by the leading world economies could work to a point but lol at that happening under the current climate. I honestly think shifting civil liability to everyone in the supply chain has the highest ROI
|
# ? Mar 15, 2017 15:51 |
|
Ur Getting Fatter posted:from pretty much everything i've read so far and from what smart people in this thread keep saying, the main reason IoT botnets are so powerful is because pretty much every manufacturer contracts their poo poo out to the lowest possible tier developer who shits out the cheapest, most outdated hardware, running unaudited, outdated code, with either hardcoded credentials (or no credentials), and undocumented root shells exposed straight to the internet. It's also that there's just so much more of them the last few years. IoT has always been crap, they haven't been getting crappier, just more numerous.
|
# ? Mar 15, 2017 15:53 |
|
there's been zero motivation from governments to even form a somewhat rudimentary framework of standards and oversight for the industry. as the public cannot mentally attribute damages from criminal enterprise to their fridge or smart TV there is no mass public outcry calling for change. unless someone actually dies horribly from an IoT toaster/lawnmower then we more than likely will not see much movement in the space. and if someone does die then lookout here cum the lobbyists.
|
# ? Mar 15, 2017 16:01 |
|
via secureworks: quote: It is important to note that the SSL cert relating to this incident is in fact a true positive. However, we have received unconfirmed information that suggests the cause of this activity may be the app from "Zillow" making requests to hxxps://zillow.app-test.link.
|
# ? Mar 15, 2017 16:04 |
|
lmao, a classic sec-gently caress. all internal test-domains should be registered publicly, period. edit: actually do you have a link to that post afreak? i'd like to use it to harass a client who isn't doing the needful
|
# ? Mar 15, 2017 16:07 |
|
zillowned
|
# ? Mar 15, 2017 16:07 |
|
man, i can't wait until they make .local a public tld
|
# ? Mar 15, 2017 16:11 |
|
infernal machines posted:man, i can't wait until they make .local a public tld they'll probably embargo it like what they did with example.com and the other IETF documentation domains. but if it does become available i'll be contoso.local
|
# ? Mar 15, 2017 16:16 |
|
infernal machines posted:man, i can't wait until they make .local a public tld it's already reserved
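An added example (not from anyone in the thread) tying together the two points above: the Zillow alert came from an internal test name under a public TLD (.link), while names like contoso.local sit under a special-use suffix that can never be registered. This checker takes a list of URLs or hostnames (constructed sample input, including the defanged hxxps:// form from the SecureWorks quote), strips the defanging, and reports which test names are safe by construction and which ones somebody else could register if the owner has not.

```python
from urllib.parse import urlsplit

# Suffixes that never resolve on the public internet, so nobody can squat them.
# Sources: RFC 6761 (special-use names), RFC 6762 (mDNS .local),
# RFC 8375 (home.arpa), ICANN's 2024 reservation of .internal for private use.
RESERVED_SUFFIXES = (
    "localhost", "invalid", "test", "example",
    "example.com", "example.net", "example.org",
    "local", "home.arpa", "internal",
)

# Constructed sample; only zillow.app-test.link appears on the page itself.
SAMPLE_INPUT = [
    "hxxps://zillow.app-test.link",
    "http://contoso.local",
    "https://api.example.com/v1",
    "staging.internal",
    "payments-test.corp-acme.com",   # hypothetical public name
]


def host_from_url(url):
    """Extract the hostname; accepts bare hosts and defanged hxxp(s):// URLs."""
    u = url.strip()
    if u.lower().startswith("hxxp"):
        u = "http" + u[4:]          # undo the hxxp -> http defanging
    if "://" not in u:
        u = "http://" + u           # bare hostname, give urlsplit a scheme
    return (urlsplit(u).hostname or "").rstrip(".").lower()


def is_reserved(host):
    """True if host is exactly, or lies under, a reserved special-use name."""
    h = host.rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in RESERVED_SUFFIXES)


def audit(entries):
    """Map each hostname to 'reserved' or 'public' (public = must be registered)."""
    result = {}
    for entry in entries:
        host = host_from_url(entry)
        if host:
            result[host] = "reserved" if is_reserved(host) else "public"
    return result


def needs_registration(entries):
    """Sorted list of test hostnames under public suffixes that could be squatted."""
    return sorted(h for h, verdict in audit(entries).items() if verdict == "public")
```

Public hostnames in the output are the ones to check against WHOIS and register (or rename under a reserved suffix); the reserved ones cannot leak to a third party whatever a client does.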
|
# ? Mar 15, 2017 16:16 |
|
Wiggly Wayne DDS posted:nice paper: https://spqr.eecs.umich.edu/papers/trippel-IEEE-oaklawn-walnut-2017.pdf In our self-stimulating attack, we play a malicious music file from a smartphone’s speaker to control the on-board MEMS accelerometer trusted by a local app to pilot a toy RC car.
|
# ? Mar 15, 2017 16:35 |
|
cheese-cube posted:lmao, a classic sec-gently caress. all internal test-domains should be registered publicly, period. sadly no link
|
# ? Mar 15, 2017 16:40 |
|
pretty major remote account vulnerability in whatsapp and telegram due to lovely attachment handling
|
# ? Mar 15, 2017 17:09 |
|
infernal machines posted:pretty major remote account vulnerability in whatsapp and telegram due to lovely attachment handling the shady dude w/ the hoodie on really helps me understand this one
|
# ? Mar 15, 2017 17:58 |
|
Pictured: A hacker coming for your Whatsapp* *now that you've viewed this image we own your whatsapp
|
# ? Mar 15, 2017 18:00 |
|
|
http://www.cbc.ca/news/technology/russia-hackers-charged-yahoo-breach-1.4026006 quote: The United States announced charges Wednesday against a dual Canadian-Kazakh national, two Russian intelligence officers and a fourth man, who lives in the U.S. but has ties to Russia, accusing them of a massive data breach at Yahoo that affected at least a half billion user accounts. here's the canadian's facebook: https://www.facebook.com/mrkarrrim seems to match up
|
# ? Mar 15, 2017 18:10 |