|
flosofl posted:Not sure if I missed this in thread, found it amusing as hell: i'm surprisingly ok with this
|
# ? Apr 7, 2017 22:46 |
|
|
flosofl posted:Not sure if I missed this in thread, found it amusing as hell: i am for this
|
# ? Apr 7, 2017 22:47 |
|
surebet posted:i'm surprisingly ok with this
|
# ? Apr 7, 2017 22:47 |
|
https://twitter.com/A_Mc_Carthy/status/850430589568155649 finally, private browsing
|
# ? Apr 7, 2017 23:02 |
|
Truga posted:https://twitter.com/A_Mc_Carthy/status/850430589568155649 brb testing this out
|
# ? Apr 7, 2017 23:06 |
|
hahah what
|
# ? Apr 7, 2017 23:12 |
|
welp, there goes the planet
|
# ? Apr 7, 2017 23:18 |
|
Security Fuckup Megathread - v13.7 - we broke the internet, how are you even reading this?
|
# ? Apr 7, 2017 23:20 |
|
flosofl posted:Not sure if I missed this in thread, found it amusing as hell: These guys are heroes
|
# ? Apr 7, 2017 23:23 |
|
Kuvo posted:hahah what lol
|
# ? Apr 7, 2017 23:43 |
|
Kuvo posted:hahah what lol
|
# ? Apr 7, 2017 23:51 |
|
Kuvo posted:hahah what good stuff
|
# ? Apr 8, 2017 00:05 |
|
flosofl posted:Not sure if I missed this in thread, found it amusing as hell: Really this is just doing good work.
|
# ? Apr 8, 2017 00:06 |
|
Kuvo posted:hahah what

confirming both the feature and the funniness

i had a look at my network logs, i can't seem to pinpoint which call returns the auth request, anyone mind enlightening me as to what is happening?
|
# ? Apr 8, 2017 00:10 |
|
Celexi posted:can any win32 read the entire contents of that credential store like all other parts of the system because if so it doesn't sound very safe.

weeeeell, does chrome or firefox actually lock their stuff away from the user which is running the application itself, on any platform? if the user is able to launch code (chrome/firefox) which is able to decode the key store, why would other code launched not be able to, beyond pure obfuscation?
|
# ? Apr 8, 2017 00:22 |
|
surebet posted:confirming both the feature and the funniness

quote:
|
# ? Apr 8, 2017 00:47 |
|
quote:Your current User-Agent string appears to be from an automated process, if this is incorrect, please click this link:United States English Microsoft Homepage
|
# ? Apr 8, 2017 00:56 |
|
Truga posted:https://twitter.com/A_Mc_Carthy/status/850430589568155649 Kuvo posted:brb testing this out Kuvo posted:hahah what
|
# ? Apr 8, 2017 02:08 |
|
the two reply all podcast episodes investigating how the one host alex blumberg's uber account got hacked are some seriously perfect security fuckup hilarity

https://gimletmedia.com/episode/91-the-russian-passenger/
https://gimletmedia.com/episode/93-beware-all/

poo poo starts really weird cause it seems like the uber account just doesn't exist at all anymore, uber support cant find it etc so assumption becomes login was in a password dump, but they can't find any records of it so they start asking darknet market sellers and eventually troy hunt and turn up nothing associated in any leaks

eventually they contact uber to see if they were hacked which they conclude is unlikely and the new assumption becomes that alex's gmail got hacked cause uber confirmed they were sending account access alerts to alex that he never got

this seems impossible tho cause alex has 2fa turned on on his gmail

theres some investigation into whether theres malware on the one windows machine of his dad's he used, they run windows defender and later malwarebytes (lol) and find nothing

they take theories from listeners including a keylogger on a public machine, someone mitming wifi with a wifi pineapple, and serious APT level targeted SMS hijacking through attackers pretending to be a phone company

all of these turn out to be dead ends

they reach out to google in order to get permanently deleted emails restored as well as use the business account admin to check email history both of which indicates the emails uber claimed to send never reached alex's gmail

so they start to think possibly uber is lying and actually got hacked and so go back to uber

uber gets security response to do a full forensic investigation

turns out what happened: alex had signed up for uber with the now dead email from his old job with a reused password which was in the linkedin, myspace, and dropbox dumps

its just such a classic example of what people think happens when accounts gets hacked vs what almost always actually happened
|
# ? Apr 8, 2017 06:49 |
|
pr0zac posted:the two reply all podcast episodes investigating how the one host alex blumberg's uber account got hacked are some seriously perfect security fuckup hilarity

kind of wish i'd stopped reading and listened instead because loving lolllll
|
# ? Apr 8, 2017 06:52 |
|
Everybody should follow thegrugq on medium, he posts some good stuff there.
|
# ? Apr 8, 2017 07:44 |
|
pr0zac posted:get permanently deleted emails restored

so uh how in the poo poo do you have to be to make this happen because #1 "permanently deleted" lol and #2 google has like no real customer support how the gently caress did they talk them into pulling a tape backup for a podcast?
|
# ? Apr 8, 2017 07:49 |
|
spankmeister posted:Everybody should follow thegrugq on medium, he posts some good stuff there.
|
# ? Apr 8, 2017 08:06 |
|
i'm with Bankwest (AU) and i just logged in to their mobile app and post-logon it asked me if i wanted to enable PIN login so that i can login to my account via the app using only a 4-digit code. currently i login with a sufficiently complex password so why the gently caress are they offering to weaken the security of my account? it's bad enough that for the username they make you use your Personal Access Number (PAN) which is an 8-digit number that's printed on your fuckin debit card (and on your bank statements if you still get them via postal mail)!
|
# ? Apr 8, 2017 08:57 |
|
Rex-Goliath posted:so uh how in the poo poo do you have to be to make this happen because #1 "permanently deleted" lol and #2 google has like no real customer support how the gently caress did they talk them into pulling a tape backup for a podcast?

I had an old hotmail email address "hacked" a while ago because of password reuse and I just emailed them asking for all recent permanently deleted emails to be restored so I could work out if any other accounts had their passwords reset via that one. A couple of hours later they'd restored the emails. When I did it I figured it was a long shot but apparently they've got a pretty streamlined process for it. I guess they get asked to do it fairly often and I imagine google is similar.
|
# ? Apr 8, 2017 10:48 |
|
lol if you think there's such a thing as "permanently deleted" in space year 2017 i mean even leaving aside i'm willing to bet that any service provider gets way more "help i ignored the fifteen warning messages saying this would wipe the thing completely and urgently need this restored" calls than they ever do "hey i really, really, really want this thing deleted forever" calls
|
# ? Apr 8, 2017 13:33 |
|
Rex-Goliath posted:so uh how in the poo poo do you have to be to make this happen because #1 "permanently deleted" lol and #2 google has like no real customer support how the gently caress did they talk them into pulling a tape backup for a podcast?

you could listen to the episode or read the transcript or look yourself but basically Google has an undo for 25 days after permanently deleting cause customers are idiots, also having a popular podcast helps with getting people on the phone

cheese-cube posted:i'm with Bankwest (AU) and i just logged in to their mobile app and post-logon it asked me if i wanted to enable PIN login so that i can login to my account via the app using only a 4-digit code. currently i login with a sufficiently complex password so why the gently caress are they offering to weaken the security of my account? it's bad enough that for the username they make you use your Personal Access Number (PAN) which is an 8-digit number that's printed on your fuckin debit card (and on your bank statements if you still get them via postal mail)!

It's not changing your account password to four digits it's encrypting your password on the phone with the pin because typing in a sufficiently complex password on phones is a pain so users don't use apps without this feature
|
# ? Apr 8, 2017 13:41 |
|
pr0zac posted:It's not changing your account password to four digits it's encrypting your password on the phone with the pin because typing in a sufficiently complex password on phones is a pain so users don't use apps without this feature

that's so fuckin insane i'd like to read your source on it
|
# ? Apr 8, 2017 13:50 |
|
flosofl posted:Not sure if I missed this in thread, found it amusing as hell:
|
# ? Apr 8, 2017 13:59 |
|
cheese-cube posted:that's so fuckin insane i'd like to read your source on it

It's not at all insane if you think about it, how do you think password managers work, or any app that lets you login with the fingerprint scanner? It's a very minor local security reduction on the phone so people don't go and simplify their password or not use the generally more secure mobile app, this isn't to say bankwest implemented it securely I guess, but it's a pretty good security tradeoff in light of real world user behavior

source: I do mobile application security for a living
|
# ? Apr 8, 2017 14:01 |
|
pr0zac posted:It's not at all insane if you think about it, how do you think password managers work, or any app that lets you login with the fingerprint scanner? It's a very minor local security reduction on the phone so people don't go and simplify their password or not use the generally more secure mobile app, this isn't to say bankwest implemented it securely I guess, but it's a pretty good security tradeoff in light of real world user behavior

presumably the pin is install/device specific then?
|
# ? Apr 8, 2017 14:07 |
|
If they did it properly it doesn't even encrypt the password but the bank gives out a security token (a cookie basically) which gets encrypted with the pin. The token is also only valid for that phone. This is what my bank does anyway. You request authorization from within the app and you have to login through the regular ebanking site and approve the auth before you can use the app. It keeps a list of authorized devices and you can revoke those at any time.
|
# ? Apr 8, 2017 14:09 |
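As an added example (not code from the thread or from any bank's app), a toy Python model of the scheme spankmeister describes above: the bank issues a token only to a phone approved through the regular web login, the app stores that token encrypted under the PIN, and the bank keeps a revocation list the user can hit from the website. All class and function names are hypothetical, and PBKDF2 stands in for whatever key derivation a real app would use.

```python
import hashlib, hmac, os, secrets


class BankServer:
    def __init__(self):
        self.devices, self.revoked = {}, set()   # device_id -> token; revoked ids

    def authorize_device(self, device_id, approved_via_web):
        if not approved_via_web:   # enrolment must be approved from the web login first
            raise PermissionError("device not approved")
        self.devices[device_id] = secrets.token_bytes(32)
        return self.devices[device_id]

    def revoke(self, device_id):
        self.revoked.add(device_id)

    def check(self, device_id, token):
        expected = self.devices.get(device_id)
        return (token is not None and expected is not None
                and device_id not in self.revoked and hmac.compare_digest(expected, token))


def _pin_keys(pin, salt):
    # Stretch the PIN into a 32-byte pad plus a 32-byte MAC key.
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def seal_token(token, pin):
    """Encrypt the 32-byte token under the PIN; the app stores only this blob."""
    salt = os.urandom(16)
    pad, mac_key = _pin_keys(pin, salt)
    ct = bytes(a ^ b for a, b in zip(token, pad))   # pad is used once, so XOR is fine
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()


def open_token(blob, pin):
    """Return the token, or None when the PIN is wrong or the blob was altered."""
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _pin_keys(pin, salt)
    if not hmac.compare_digest(hmac.new(mac_key, salt + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, pad))


def demo():
    bank = BankServer()
    blob = seal_token(bank.authorize_device("phone-1", True), "4821")  # constructed sample PIN
    ok_before = bank.check("phone-1", open_token(blob, "4821"))
    wrong_pin = open_token(blob, "0000") is None
    bank.revoke("phone-1")                     # user revokes the phone on the website
    ok_after = bank.check("phone-1", open_token(blob, "4821"))
    return ok_before, wrong_pin, ok_after
```

A 4-digit PIN can be brute-forced offline against a stolen blob in seconds, so the real protection here is that the blob holds a revocable, device-bound token rather than the account password; production apps additionally keep the key in the OS keystore with attempt limits.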
|
pr0zac posted:It's not at all insane if you think about it, how do you think password managers work, or any app that lets you login with the fingerprint scanner? It's a very minor local security reduction on the phone so people don't go and simplify their password or not use the generally more secure mobile app, this isn't to say bankwest implemented it securely I guess, but it's a pretty good security tradeoff in light of real world user behavior

yeah i see what you mean. my bad

fins posted:presumably the pin is install/device specific then?

there was some peripheral mention to that in bankwest's doco
|
# ? Apr 8, 2017 14:10 |
|
spankmeister posted:If they did it properly it doesnt even encrypt the password but the bank gives out a security token (a cookie basically) which gets encrypted with the pin. The token is also only valid for that phone.

this is a good addendum of details I forgot about while phone posting at 5am at the airport
|
# ? Apr 8, 2017 14:18 |
|
is there an easy way that i can check to see if they did it properly? i have the facility to do bump-in-the-wire packet capture, amongst other things
|
# ? Apr 8, 2017 14:39 |
|
Shadow Brokers just posted a long whiny piece about Trump that I didn't read but more importantly they released the password for the file they were auctioning off: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

quote:Mr. President Trump theshadowbrokers sincerely is hoping you are being the real deal and that you received this as constructive criticism toward #MAGA. Some American’s consider or maybe considering TheShadowBrokers traitors. We disagreeing. We view this as keeping our oath to protect and defend against enemies foreign and domestic. TheShadowBrokers wishes we could be doing more, but revolutions/civil wars taking money, time, and people. TheShadowBrokers has is having little of each as our auction was an apparent failure. Be considering this our form of protest. The password for the EQGRP-Auction-Files is CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN

As always with shadowbrokers i'm the intentionally bad grammar

spankmeister fucked around with this message at 15:56 on Apr 8, 2017 |
# ? Apr 8, 2017 15:49 |
|
I just checked and the password is legit.
|
# ? Apr 8, 2017 16:00 |
spankmeister posted:I just checked and the password is legit.
|
|
# ? Apr 8, 2017 16:04 |
|
cinci zoo sniper posted:so what's in the poop code:
|
# ? Apr 8, 2017 16:10 |
|
|
A few new things caught my eye: epicshovel epichero eleganteagle eladedmonkey endlessdonut excelberwick extremeparr shentysdelight yellowspirit
|
# ? Apr 8, 2017 16:10 |