|
ate all the Oreos posted:on the one hand that's some creepy dystopia stuff, on the other hand we can finally get voice assistants that talk in Majel Roddenberry's voice like proper star trek poo poo gilbert gottfried leap pad
|
#
?
Apr 24, 2017 18:34
|
|
|
|
| # ? Jun 7, 2024 23:15 |
|
|
apseudonym posted:It pains me when shaggar is right but core OS functionality runs with higher privs than a random app, it's not hard to do that correctly. keep in mind the discussion is about stuff from 2014 that hasn't worked since iOS 8, apple's improved a lot
|
|
#
?
Apr 24, 2017 18:41
|
|
|
pr0zac posted:keep in mind the discussion is about stuff from 2014 that hasn't worked since iOS 8, apple's improved a lot Was their OS design terrible security wise pre iOS 8? I'm not an iOS person.
|
|
#
?
Apr 24, 2017 19:03
|
|
|
according to some guy on twitter who disassembled a 2014 build of the Uber app, you used to be able to use private APIs to get at a system configuration dictionary that contained the device serial number, this has since been removed
|
|
#
?
Apr 24, 2017 19:08
|
|
|
they've been gradually closing off information sources that could be used for fingerprinting. like, you can no longer get a real UUID for an iphone, the value you can get will be changed if the user does a factory reset or non-unique if the user turned on an extra privacy setting
|
|
#
?
Apr 24, 2017 19:13
|
|
|
haveblue posted:they've been gradually closing off information sources that could be used for fingerprinting. like, you can no longer get a real UUID for an iphone, the value you can get will be changed if the user does a factory reset or non-unique if the user turned on an extra privacy setting im almost positive the number is application specific and each app will get a different id. it will also change if the user uninstalls/reinstalls the app.
|
|
#
?
Apr 24, 2017 19:19
|
|
|
on that note i took on a contract at one point that was porting some win ce (lol) application that sent application-specific commands to users via intercepting SMS (win ce let you do that). i explained to the old dev that "you cant do that and you also cant get the users phone number from the software" he responded with: "what do you mean? microsoft has had this functionality for years!" finally he said "your responsibility is to find out how to circumvent these restrictions, because we cant implement a messaging system in the application itself, it has to be done via sms" both him and win ce are really loving stupid
|
|
#
?
Apr 24, 2017 19:21
|
|
|
CRIP EATIN BREAD posted:im almost positive the number is application specific and each app will get a different id. identifierForVendor is the same for all apps published by the same vendor but not the same for apps from a different vendor. it will also change if the user wipes all your apps off the device and then reinstalls them advertisingIdentifier is the same for all apps and vendors. it will change if the phone is wiped and the user can choose to withhold it (then you get a string of 0s). there are also additional usage rules associated with it that the review team will want to verify that you're following uniqueIdentifier was deprecated and removed a long time ago source: cmd-tabbed to xcode
|
|
#
?
Apr 24, 2017 19:26
|
|
|
Subjunctive posted:and when caught defrauding the app review process, Uber was too big to fail. the (driver) app should have been pulled for one thing the uber driver/"partner" app isn't distributed via the app store, so they're not gonna get checked unless someone at apple took a special interest also as pr0zac mentioned, post like ios 8.3, things have started to get more and more locked down. they're pushing more and more fine-grained entitlements for the xpc calls to system daemons. like battery info just got locked up in ios 10. basically shaggar is right that this is policy abuse b/c the previous entitlements were too broad, and now most things are behind entitlements apple isn't going to grant to anyone but itself.
|
|
#
?
Apr 24, 2017 19:27
|
|
|
someone recycled a pair of LTE routers that they'd apparently tried to pry either open or out of something with a crowbar, unsuccessfully. they're busted up but they still work. one has a paper logo taped on it that says "Pantry Connectivity Box" each one has a verizon sim and an at&t backup sim in the slots the routers do not have GSM modems or AT&T support, but the verizon sims are still active how much of a security fuckup is this
|
|
#
?
Apr 24, 2017 19:35
|
|
|
Carbon dioxide posted:https://lyrebird.ai/  this sounds like crap compared to Adobe VoCo
|
|
#
?
Apr 24, 2017 20:33
|
|
|
Jabor posted:sometimes libraries intended for application developers use "private" system calls that aren't meant to be used directly. since the library code is embedded in the app, the app's security context has to have access to the api, but the app code itself is not supposed to use it directly. so these libraries doing the private access are ones written by apple but that aren't properly sandboxed?
|
|
#
?
Apr 24, 2017 20:53
|
|
|
also what would be the point of fingerprinting the hardware? So you can try to determine if a user wipes their device and the installs your app under a new user account?
|
|
#
?
Apr 24, 2017 20:56
|
|
|
CRIP EATIN BREAD posted:im almost positive the number is application specific and each app will get a different id. that's not what Apple's documentation says https://developer.apple.com/reference/adsupport/asidentifiermanager posted:An alphanumeric string unique to each device, used only for serving advertisements.
|
|
#
?
Apr 24, 2017 20:56
|
|
|
Shaggar posted:also what would be the point of fingerprinting the hardware? So you can try to determine if a user wipes their device and the installs your app under a new user account? yeah, they would make a new uber account using a free signup code and get 5 free rides or whatever then repeat this over and over to get paid out from uber without putting any money in
|
|
#
?
Apr 24, 2017 21:00
|
|
|
makes sense. my guess then is apple would want uber to do promotions through the user's store account so apple could take a cut
|
|
#
?
Apr 24, 2017 21:01
|
|
|
Shaggar posted:makes sense. my guess then is apple would want uber to do promotions through the user's store account so apple could take a cut nah, apple doesn't take anything for in-kind promotions. only if the user pays for something from the app (ninja: Uber already does promotions and credits through the app)
|
|
#
?
Apr 24, 2017 21:02
|
|
|
does apple handle payment for uber tho? i think the idea would be apple would provide a promotions system as part of their payment processing so the user gets their new user $5 bonus but then if they take a $6 ride that extra $1 is billed to their apple account. ive never used uber so idk how they payment works. if it already goes thru apple idk why uber wouldn't just request apple add some kind of abstracted mechanism for preventing promotion abuse.
|
|
#
?
Apr 24, 2017 21:07
|
|
|
Shaggar posted:does apple handle payment for uber tho? i think the idea would be apple would provide a promotions system as part of their payment processing so the user gets their new user $5 bonus but then if they take a $6 ride that extra $1 is billed to their apple account. ive never used uber so idk how they payment works. if it already goes thru apple idk why uber wouldn't just request apple add some kind of abstracted mechanism for preventing promotion abuse. it doesn't already go through apple, as I tried to say
|
|
#
?
Apr 24, 2017 21:09
|
|
|
so all i was suggesting is that apple might want to push uber and others into apple's payment processing by removing functionality that supports non-apple payment processing. they're perfectly ok with tracking on all other levels so this isn't a privacy thing.
|
|
#
?
Apr 24, 2017 21:14
|
|
|
my boss got a bug up his butt and wants to disable 3des on a webserver. is this pro-rear end BangersInMyKnickers post with the ciphers in it still good or were there updates?
|
|
#
?
Apr 24, 2017 21:20
|
|
|
Shaggar posted:so all i was suggesting is that apple might want to push uber and others into apple's payment processing by removing functionality that supports non-apple payment processing. they're perfectly ok with tracking on all other levels so this isn't a privacy thing. Apple has always permitted in-app purchase of physical things, without taking a cut. Amazon doesn't pay a cut on their app's toilet paper purchases, but they would on Kindle or streaming video purchases (which is why those aren't available from the app). all the app-permitted device IDs can be reset by the user, as of iOS something a few years ago
|
|
#
?
Apr 24, 2017 21:32
|
|
|
not sure how big a fuckup this is yet but it might get pretty entertaining: https://blog.hipchat.com/2017/04/24/hipchat-security-notice/quote:This weekend our Security Intelligence Team detected a security incident affecting a server in the HipChat Cloud web tier. The incident involved a vulnerability in a popular third-party library used by HipChat.com. We have found no evidence of other Atlassian systems or products being affected.
|
|
#
?
Apr 24, 2017 21:35
|
|
|
atomicthumbs posted:someone recycled a pair of LTE routers that they'd apparently tried to pry either open or out of something with a crowbar, unsuccessfully. they're busted up but they still work. one has a paper logo taped on it that says "Pantry Connectivity Box" well you could potentially run up a bunch of data overage charges on those accounts, but otherwise it's not going to tell you much. maybe the router's configuration will tell you a little about any vpn or internal network routing they used, but they could also just be used as normal routers
|
|
#
?
Apr 24, 2017 21:44
|
|
|
also, lol at av vendors again: https://twitter.com/SwiftOnSecurity/status/856603414763110402 https://twitter.com/SwiftOnSecurity/status/764209764133765120
|
|
#
?
Apr 24, 2017 21:46
|
|
|
tbh Microsoft should really be signing all of its system files but lol all the same
|
|
#
?
Apr 24, 2017 22:11
|
|
|
fishmech posted:well you could potentially run up a bunch of data overage charges on those accounts, but otherwise it's not going to tell you much. maybe the router's configuration will tell you a little about any vpn or internal network routing they used, but they could also just be used as normal routers wonder how illegal it is to use them for low-bandwidth sneaky things wonder how well companies keep tabs on their M2M accounts wonder if they can get the modem's (A)GPS position from verizon
|
|
#
?
Apr 24, 2017 22:12
|
|
|
atomicthumbs posted:wonder how illegal it is to use them for low-bandwidth sneaky things they usually charge per active sim for m2m accounts so they should be on top of that but this is the security fuckup thread so...
|
|
#
?
Apr 24, 2017 22:19
|
|
|
atomicthumbs posted:someone recycled a pair of LTE routers that they'd apparently tried to pry either open or out of something with a crowbar, unsuccessfully. they're busted up but they still work. one has a paper logo taped on it that says "Pantry Connectivity Box" instead of touching the poop, wrap the sims in paper towels soaked in cooking oil and set them on fire out behind the dumpster
|
|
#
?
Apr 24, 2017 22:36
|
|
|
They seem to have loaded all their routers with at&t backup sims that can't actually be used so I'm thinking maybe they're not actually on top of it If I do use these routers it'll probably be after I switch to Google fi and can get a bunch of data sims tied into my account
|
|
#
?
Apr 24, 2017 22:37
|
|
|
atomicthumbs posted:wonder how illegal it is to use them for low-bandwidth sneaky things if you don't actively cause them to incur more charges than they would have otherwise received, it's probably not illegal enough for prosecution. they also might already be deactivated in the systems so attempting to use them to connect to the networks will fail unless you take them into a carrier office to get put on a new account they probably don't pay much attention they can absolutely get the cell tower/real gps location (if the routers have gps hardware) from verizon if they need to investigate, like if you start causing them to have 100 gb overages or you use the connection for Crimes. here's my suggestion: rig up a solar panel/battery solution to connect them to, deposit them in the middle of a desert next time you're out there, that you know has appropriate carrier coverage, and maybe attach some small device to make sure a heartbeat signal goes out for as long as the devices can get signal and power. see how long it takes for them to be too damaged by weathering to maintain a connection. buy your own cheap prepaid sims to do this instead with the beat up routers and toss the existing cards because those can totally be tracked. i think that'd be neat.
|
|
#
?
Apr 24, 2017 22:44
|
|
|
fishmech posted:here's my suggestion: rig up a solar panel/battery solution to connect them to, deposit them in the middle of a desert next time you're out there, that you know has appropriate carrier coverage, and maybe attach some small device to make sure a heartbeat signal goes out for as long as the devices can get signal and power. see how long it takes for them to be too damaged by weathering to maintain a connection. buy your own cheap prepaid sims to do this instead with the beat up routers and toss the existing cards because those can totally be tracked. i think that'd be neat. put it on wheels so it drives around like a mars rover and emails you pictures
|
|
#
?
Apr 24, 2017 22:50
|
|
|
do the routers have an at command terminal? no harm in checking if they're registered (at+creg)
|
|
#
?
Apr 24, 2017 22:51
|
|
|
fishmech posted:here's my suggestion: rig up a solar panel/battery solution to connect them to, deposit them in the middle of a desert next time you're out there, that you know has appropriate carrier coverage, and maybe attach some small device to make sure a heartbeat signal goes out for as long as the devices can get signal and power. see how long it takes for them to be too damaged by weathering to maintain a connection. buy your own cheap prepaid sims to do this instead with the beat up routers and toss the existing cards because those can totally be tracked. i think that'd be neat. literally 100% my entire plan already
|
|
#
?
Apr 24, 2017 23:29
|
|
|
hobbesmaster posted:do the routers have an at command terminal? no harm in checking if they're registered (at+creg) i factory reset both of em already and don't remember a facility for that 
|
|
#
?
Apr 24, 2017 23:30
|
|
|
atomicthumbs posted:literally 100% my entire plan already nice
|
|
#
?
Apr 24, 2017 23:34
|
|
|
lol https://twitter.com/fleximinx/status/856604090666803201 (courtesy: rufo)
|
|
#
?
Apr 25, 2017 00:58
|
|
|
the Tor trick in particular is something ive not come across before
|
|
#
?
Apr 25, 2017 01:15
|
|
|
anthonypants posted:lol https://twitter.com/fleximinx/status/856604090666803201 (courtesy: rufo) its like something out of a 90s cyberthriller. beautiful
|
|
#
?
Apr 25, 2017 01:17
|
|
|
|
| # ? Jun 7, 2024 23:15 |
|
|
anthonypants posted:lol https://twitter.com/fleximinx/status/856604090666803201 (courtesy: rufo) Spouseware is disgusting poo poo and people doing things for stuff besides money makes me nostalgic.
|
|
#
?
Apr 25, 2017 01:33
|
|