Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

URL grey tea posted:

i just started at cylance at the beginning of this year. socal is gr8. fake news

why is your engine coded in unobfuscated c#?


Wiggly Wayne DDS
Sep 11, 2010
it took them until 2017

https://twitter.com/fdfalcon/status/849771267259498498

MononcQc
May 29, 2007

some people at work have cylance running on their workstations and it quarantined both git and powershell as suspicious software. Happy devs.

atomicthumbs
Dec 26, 2010


We're in the business of extending man's senses.

Truga posted:

i mean, i'm all for people not clicking on random popups, but how do you propose a browser implement a new feature like this?

make it so that if you log into an http page despite the warning the computer shuts itself off

URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!

OSI bean dip posted:

why is your engine coded in unobfuscated c#?

i am a mere tier 3 mortal and cannot really provide any valuable response here. insert "it's free software" gif here if true

MononcQc posted:

some people at work have cylance running on their workstations and it quarantined both git and powershell as suspicious software. Happy devs.

i haven't heard of those being quarantined, but if they have memory protection or script control enabled git is known to flag stack pivots iirc. admin just needs to make an exclusion. the normal process is to train on a test box in alert mode before pushing to the general population for the first time.

URL grey tea fucked around with this message at 03:17 on Apr 6, 2017

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
how quickly will this be reverted

Mr.Radar
Nov 5, 2005

You guys aren't going to believe this, but that guy is our games teacher.
surprised this hasn't been posted here yet: security researcher finds 40 0days in samsung's tizen os.

quote:

But the operating system is riddled with serious security vulnerabilities that make it easy for a hacker to take control of Tizen-powered devices, according to Israeli researcher Amihai Neiderman.

"It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."

...

He also found that the programmers failed to use SSL encryption for secure connection when transmitting certain data. They use it on some data transmissions but not others, and usually not on ones that need it most.

"They made a lot of wrong assumptions about where they needed encryption," he says, noting that "it's extra work to move between secure connections and unsecure connections." This indicates that they didn't do it inadvertently but were making conscious decisions not to use SSL in those places, he says.

this software is used in their smart tvs and smart watches and some smart phones in certain markets. the slashdot comments for this story shockingly had a few good posts. first this user was asked by their boss to investigate porting an app they were working on to tizen:

quote:

I was once asked by my boss to tinker with Tizen, see if it was usable, since a client was soliciting bids for an app they wanted to run on Samsung's smartwatch.

After a few days' experimentation, I reported that the Tizen SDK was basically unusable to write any app except the ones Samsung already wrote, and that the specific app the client was hoping for was literally impossible. The SDK itself was one of the worst programs I've used in many years - horrendously slow, crash-prone and cluttered in the way typical of early-00s Windows apps.

Needless to say, I am not surprised on multiple levels. First, that Tizen is insecure in addition to being slow and useless. Second, that nobody's taken a serious look at its security, since most people stop looking at it far before security starts to matter.

a user who replied to that post dug up a user post on the daily wtf about "EFL," tizen's native ui toolkit (borrowed from the enlightenment wm of all places, and, yes, samsung employs the author of enlightenment to work on tizen).

quote:

I work for a certain corporation which uses a certain product. This is its story. To put the quality of this product into perspective, let me say it’s been in development for about 20 years and has pretty much no users (besides my corp and some “hey - let’s make our own Linux crappy distro, which no one will ever use” fanatics) and no community. It was written by a C programmer who “doesn’t like the notion of ‘type’ in programming”. Let that be a prelude of what’s to follow. Envy those who don’t know it; pity those who use it.

...

But let’s go into some details. Remember the quote about types? EFL takes that philosophy seriously. Everything is a pointer to something called Evas_Object, which translates to void *. Those knowledgeable in the horrible language of C know it’s a pointer to anything. And so it is. Everything you create is an Evas_Object and every function takes an Evas_Object as the subject to work on. But why throw away type safety? Because gently caress you, that’s why! If you wonder how to know which functions can be called on a given Evas_Object, the answer is simple – you don’t. It’s all about experimenting, hacking and debugging. Calling an invalid function on an object can result in:

  • Nothing, leaving you wondering WTF.
  • An extremely helpful console message: “SPANK! SPANK! SPANK! Naughty programmer!”. Really, I’m not joking about that one.
  • Another extremely helpful message: “You bitch!”. And I’m not joking about that one either – it was discovered by a female coworker while trying to hack layouts to work. Perfect timing on EFL side here.
  • A crash, if you’re lucky, so you can debug the issue.

another slashdotter shared a run-in they had with the developers of enlightenment at an open source developers conference:

quote:

Actually, the Daily WTF article is not particularly educational when it comes to EFL. It covers the obvious surface detail of what the developers do dangerously wrong. There are far worse things under the surface.

I had a chat to some of the Enlightenment devs at FOSDEM a few years ago. They were very proud of their new object system and IDL, which they thought would make it easy to bridge higher-level languages with their libraries. Unfortunately, their IDL exposed C types and nothing but C types as arguments. Their example had a char* parameter and a char* return. I asked them a few questions:

How do I know if it's an input or output (or both) parameter?

Is its length another argument (and, if so, in what units) or is it NULL-terminated?

Is there ownership transfer involved (i.e. is the caller still responsible for freeing the argument or does the callee take that responsibility? Is the caller responsible for freeing the return value and if so must they call free() or some other cleanup function)?

Is this an array of bytes or a string (i.e. should I map it to a string or data object in another language), if it's a string, what encoding does it expect and is that a global property or specified explicitly?

Apparently none of these questions had occurred to them and they didn't even understand why you'd want to know the answers to about half of them. The worst thing for me is that not only are these all important for bridging with higher-level languages, you need to know most of this information to be able to correctly use a C API, and they weren't putting it in the documentation and didn't even have consistent conventions (and therefore only needed to document the exceptions). That was when I learned to avoid EFL like the plague. It may have improved since then, but I doubt it - good developers only reinvent the wheel after they've looked at existing ones and understood their flaws. The EFL developers are vaguely aware of square wheels and decided to try triangular ones as a replacement.

Mr.Radar fucked around with this message at 04:23 on Apr 6, 2017

atomicthumbs
Dec 26, 2010


We're in the business of extending man's senses.

Mr.Radar posted:

"EFL," tizen's native ui toolkit (borrowed from the enlightenment wm of all places, and, yes, samsung employs the author of enlightenment to work on tizen).

What the gently caress

apseudonym
Feb 25, 2011

Mr.Radar posted:

surprised this hasn't been posted here yet: security researcher finds 40 0days in samsung's tizen os.


this software is used in their smart tvs and smart watches and some smart phones in certain markets. the slashdot comments for this story shockingly had a few good posts. first this user was asked by their boss to investigate porting an app they were working on to tizen:


a user who replied to that post dug up a user post on the daily wtf about "EFL," tizen's native ui toolkit (borrowed from the enlightenment wm of all places, and, yes, samsung employs the author of enlightenment to work on tizen).


another slashdotter shared a run-in they had with the developers of enlightenment at an open source developers conference:

wat

minivanmegafun
Jul 27, 2004

yeah samsung threw a few million dollars at the e17 team a few years back. everyone assumed it was going to go into their smart tvs and such but no one knew why they picked enlightenment.


wikipedia posted:

Version 0.17, also referred to as E17, was in development for 12 years starting in December 2000 until 21 December 2012 when it was officially released as stable.

12 years :stare:

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T
Soiled Meat

atomicthumbs posted:

What the gently caress

e17 was a loving unicorn

Shame Boy
Mar 2, 2010


im the weird reporter telling a guy about how i was bullied in elementary school and laughing out loud

Progressive JPEG
Feb 19, 2003

code:
$ dig google.com CAA
...
google.com.        86381    IN    CAA    0 issue "pki.goog"
google.com.        86381    IN    CAA    0 issue "symantec.com"
UH OH

Truga
May 4, 2014
Lipstick Apathy
perfect

Loving Africa Chaps
Dec 3, 2007


We had not left it yet, but when I would wake in the night, I would lie, listening, homesick for it already.

My current NHS trust thinks 3 monthly password resets are for losers and so makes you change every drat month. As a result every computer has a username and password helpfully written down on a sticker on the machine, single sign on is enabled so when you log in it signs into the radiology and pathology systems with the deets of the last person who went to the trouble of logging in to those with their own creds

yoloer420
May 19, 2006

Progressive JPEG posted:

code:
$ dig google.com CAA
...
google.com.        86381    IN    CAA    0 issue "pki.goog"
google.com.        86381    IN    CAA    0 issue "symantec.com"
UH OH

You're doing it wrong. Try: dig google.com type257
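The two dig invocations above differ only in how the resolver's output is printed: a dig that knows the CAA type prints `0 issue "pki.goog"`, while an older one run with `type257` prints the RFC 3597 generic form (`\# <length> <hex>`). The following is an added example, not code from the thread or from any of the posters, that parses both forms and flags any CA named in `issue`/`issuewild` records that is not on an allow-list, which is the check a defender actually wants to run over a domain's CAA set. The sample dig output is constructed here, modelled on the lines quoted in the thread, and the `TYPE257` line is the hand-encoded wire form of `0 issue "pki.goog"`.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CAARecord:
    """One CAA RDATA: flags octet, property tag, property value (RFC 8659 §4)."""
    flags: int
    tag: str
    value: str

    @property
    def issuer_critical(self) -> bool:
        # Bit 0 of the flags octet (value 128) is the "issuer critical" flag.
        return bool(self.flags & 0x80)


def parse_generic_rdata(hex_payload: str) -> CAARecord:
    """Decode the wire form: flags(1) | tag length(1) | tag | value."""
    raw = bytes.fromhex(hex_payload)
    if len(raw) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = raw[0], raw[1]
    if tag_len == 0 or 2 + tag_len > len(raw):
        raise ValueError("bad CAA tag length")
    tag = raw[2:2 + tag_len].decode("ascii")
    value = raw[2 + tag_len:].decode("utf-8")
    return CAARecord(flags, tag.lower(), value)


# Presentation form:  0 issue "pki.goog"
_PRESENTATION = re.compile(r'^(\d+)\s+(\S+)\s+"((?:[^"\\]|\\.)*)"$')
# RFC 3597 generic form:  \# 15 00056973737565706B692E676F6F67
_GENERIC = re.compile(r'^\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)$')


def parse_dig_line(line: str) -> Optional[CAARecord]:
    """Parse one answer-section line from dig; return None for non-CAA lines."""
    parts = line.split(None, 4)
    if len(parts) < 5 or parts[2] != "IN":
        return None
    rtype, rdata = parts[3].upper(), parts[4].strip()
    if rtype not in ("CAA", "TYPE257"):
        return None
    m = _PRESENTATION.match(rdata)
    if m:
        return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))
    m = _GENERIC.match(rdata)
    if m:
        hexstr = "".join(m.group(2).split())
        if len(hexstr) != 2 * int(m.group(1)):
            raise ValueError("generic RDATA length does not match payload")
        return parse_generic_rdata(hexstr)
    raise ValueError(f"unrecognised CAA rdata: {rdata!r}")


def audit(dig_output: str, allowed: Iterable[str]) -> List[str]:
    """Return CAs named in issue/issuewild records that are not on the allow-list."""
    allowed = {a.lower() for a in allowed}
    unexpected: List[str] = []
    for line in dig_output.splitlines():
        rec = parse_dig_line(line)
        if rec is None or rec.tag not in ("issue", "issuewild"):
            continue
        # The value may carry "; parameters" after the issuer domain; only the
        # domain matters here. An empty value means "nobody may issue", so skip it.
        ca = rec.value.split(";", 1)[0].strip().lower()
        if ca and ca not in allowed:
            unexpected.append(ca)
    return unexpected


# Constructed sample dig output (not captured from a real resolver). The TYPE257
# line is the same "0 issue pki.goog" record as an older dig would print it.
SAMPLE_DIG_OUTPUT = "\n".join([
    "; <<>> constructed sample modelled on the thread's dig output <<>>",
    'google.com.        86381    IN    CAA    0 issue "pki.goog"',
    'google.com.        86381    IN    CAA    0 issue "symantec.com"',
    r"google.com.        86381    IN    TYPE257    \# 15 00056973737565706B692E676F6F67",
])

if __name__ == "__main__":
    # Hypothetical allow-list: the CA(s) this domain is supposed to use.
    print(audit(SAMPLE_DIG_OUTPUT, {"pki.goog"}))
```

In practice you would feed `audit()` the output of `dig <domain> CAA` (or `type257`) for each domain you own and alert on anything returned; CAA only constrains well-behaved CAs, so the record set should list exactly the CAs you have contracted and nothing you no longer trust.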

bobfather
Sep 20, 2001

I will analyze your nervous system for beer money
Ugh. 1Password just removed built-in cloud sync from their v6 Windows client update released April 5. They're blaming Dropbox for switching to their new v2 API, but on the forums it's very apparent that they would like everyone to move to their subscription model.

They've confirmed that v4 for Windows is dead, and they will no longer sell you a v4 license through their commercial site.

WLAN syncing from v4 will not make it to v6, in order to promote their subscription model.

You can still do cloud syncing with v6, but you'll need to have Dropbox / Onedrive / Google Drive / BT Sync / whatever installed to sync the vault, which v6 can just talk to. v6 now has local vault capability.

Finally, in their zeal to remove features from the v6 app, they've made it so that if you remove all your previously-functional, but now non-functional cloud-synced-through-the-v6-app vaults, the only option to add a new vault is to log into or sign up for a 1password.com account. I assume this is just an oversight and in the next new version you'll be able to either choose to use a 1password.com account, OR sync to a local vault. But for now, make sure you add your new local sync before removing all your old, non-functional sync accounts!

Not a sec gently caress at all, but given how this thread seems to like Agilebits, this might be the start of some people changing their mind about them.

bobfather fucked around with this message at 14:01 on Apr 6, 2017

minivanmegafun
Jul 27, 2004

I just use iCloud, sorry about your online cloud thinger with a war criminal on the board

Cybernetic Vermin
Apr 18, 2005

had to google a bit to figure out that the guy is probably talking about 1password, somehow did not make a lot of sense that dropbox would drop dropbox sync from their client

bobfather
Sep 20, 2001

I will analyze your nervous system for beer money

minivanmegafun posted:

I just use iCloud, sorry about your online cloud thinger with a war criminal on the board

The Windows clients have never had / will never have iCloud support, and neither will the Android version of 1Pass. Also, AES-256 + a good password is pretty solid, no matter how crappy the security on Dropbox's backend may or may not be.

bobfather
Sep 20, 2001

I will analyze your nervous system for beer money

Cybernetic Vermin posted:

had to google a bit to figure out that the guy is probably talking about 1password, somehow did not make a lot of sense that dropbox would drop dropbox sync from their client

Yeah, sorry, edited.

flakeloaf
Feb 26, 2003

Still better than android clock

bobfather posted:

Ugh. 1Password just removed built-in cloud sync from their v6 Windows client update released April 5. They're blaming Dropbox for switching to their new v2 API, but on the forums it's very apparent that they would like everyone to move to their subscription model.

You can still do cloud syncing with v6, but you'll need to have Dropbox / Onedrive / Google Drive / BT Sync / whatever installed to sync the vault, which v6 can just talk to. v6 now has local vault capability.

nifty beans

how long until tavis writes a program that impersonates one app to the other and gets either your whole password store or your whole dropbox dumped into notepad

Truga
May 4, 2014
Lipstick Apathy
boxdrop.io

Shame Boy
Mar 2, 2010

lol i got that plex VPN email the other day and just this morning i checked my junk mail and found

Shame Boy
Mar 2, 2010

there's an address at the bottom of the email that i didn't catch, it goes to here:

https://www.google.com/maps/place/3...2483571!6m1!1e1

trust your VPN service to FOX rent-a-car!

Babies Getting Rabies
Apr 21, 2007

Sugartime Jones

Mr.Radar posted:

surprised this hasn't been posted here yet: security researcher finds 40 0days in samsung's tizen os.


this software is used in their smart tvs and smart watches and some smart phones in certain markets. the slashdot comments for this story shockingly had a few good posts. first this user was asked by their boss to investigate porting an app they were working on to tizen:


a user who replied to that post dug up a user post on the daily wtf about "EFL," tizen's native ui toolkit (borrowed from the enlightenment wm of all places, and, yes, samsung employs the author of enlightenment to work on tizen).


another slashdotter shared a run-in they had with the developers of enlightenment at an open source developers conference:

every single part of that slashdot post is quote-worthy. jesus h christ.

quote:

Another interesting design related to callbacks is key handling. You can register your callback for keydown events and get all the info in a neat structure named Evas_Event_Key_Down. What would you expect from such structure? Maybe a key code? Ha! EFL gives you something more – a key name. Instead of comparing integer code to some universal key number, you are forced to do a string comparison against system-dependent key name. To find if your key was A, compare the name to string “A”; to check for return key, compare to “[Return]”; to check for play button, compare to “XF86AudioPlay” and pray your application will never be ported to something else than a Linux with X.org. In short – you want to react to 20 key presses, make 20 string comparisons against names which are listed somewhere in your OS/window system documentation.

what

i imagine all enlightenment docs to read like that "the missile knows where it is at all times. it knows this because it knows where it isn't." video sounds

Instant Grat
Jul 31, 2009

Just add
NERD RAAAAAAGE

ate all the Oreos posted:

there's an address at the bottom of the email that i didn't catch, it goes to here:

https://www.google.com/maps/place/3...2483571!6m1!1e1

trust your VPN service to FOX rent-a-car!

Troy Hunt did a write-up of the whole dumbass MySafeVPN affair: https://www.troyhunt.com/the-importance-of-trust-and-integrity-in-a-vpn-provider-and-how-mysafevpn-blew-it/

"MyVPNHouse" is just an alias for the same exact scam - it literally just 301s you to MySafeVPN

The address of the "headquarters" listed on their contact page is a Vietnamese restaurant in Ontario

Instant Grat fucked around with this message at 16:23 on Apr 6, 2017

flakeloaf
Feb 26, 2003

Still better than android clock

pho bo ga vlan

Instant Grat
Jul 31, 2009

Just add
NERD RAAAAAAGE

flakeloaf posted:

pho bo ga vlan

ia ia nsa fhtagn

Storysmith
Dec 31, 2006

interesting tool: https://github.com/huntergregal/mimipenguin
mimikatz-style memory dumping and searching for linux passwords. requires root, seems focused on linux desktop users, so all three of us should be careful.

ate shit on live tv
Feb 15, 2004

by Azathoth

OSI bean dip posted:

why is your engine coded in unobfuscated c#?

What's wrong with code being unobfuscated? Or is this just a coding holy-war comment?

cinci zoo sniper
Mar 15, 2013
ate poo poo on live tv posted:

What's wrong with code being unobfuscated? Or is this just a coding holy-war comment?

is this a serious "what are the security implications for an unprotected security product"

Diva Cupcake
Aug 15, 2005

Storysmith posted:

interesting tool: https://github.com/huntergregal/mimipenguin
mimikatz-style memory dumping and searching for linux passwords. requires root, seems focused on linux desktop users, so all three of us should be careful.

This will come in handy in 2018, the year of linux on the desktop.

wolrah
May 8, 2006
what?

cinci zoo sniper posted:

is this a serious "what are the security implications for an unprotected security product"

Is this a serious "obfuscation provides meaningful security"?

cinci zoo sniper
Mar 15, 2013
wolrah posted:

Is this a serious "obfuscation provides meaningful security"?
no

Shame Boy
Mar 2, 2010

Instant Grat posted:

Troy Hunt did a write-up of the whole dumbass MySafeVPN affair: https://www.troyhunt.com/the-importance-of-trust-and-integrity-in-a-vpn-provider-and-how-mysafevpn-blew-it/

"MyVPNHouse" is just an alias for the same exact scam - it literally just 301s you to MySafeVPN

The address of the "headquarters" listed on their contact page is a Vietnamese restaurant in Ontario
yeah i know, which is why i posted this email that i got after that article went up

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

cinci zoo sniper posted:

is this a serious "what are the security implications for an unprotected security product"

no

Shame Boy
Mar 2, 2010

i would like to know the serious reason why you should obfuscate your code though without the snark, like i thought that feature only existed to attempt to prevent other companies from ripping your stuff off easily

Carbon dioxide
Oct 9, 2012


Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

ate all the Oreos posted:

i would like to know the serious reason why you should obfuscate your code though without the snark, like i thought that feature only existed to attempt to prevent other companies from ripping your stuff off easily

i'm more taking a jab at how they wrote their software and not the fact that they didn't obfuscate. they make it a real pain in the rear end to get ahold of a copy
