infernal machines posted:

mainframe of theseus

Number19 posted:

have some more atlassian fuckups while we're at it: https://confluence.atlassian.com/doc/confluence-security-advisory-2017-04-19-887071137.html

haveblue posted:

grandfather's exe

infernal machines posted:

mainframe of theseus

haveblue posted:

grandfather's exe

COACHS SPORT BAR posted:

NICE!


lol atlassian

My company switched to hipchat a while ago, and I noticed that whenever someone sends a picture (which is frequently a screenshot of something proprietary, or at least not meant for disclosure), it ends up hosted on an s3 instance with absolutely no authentication. URL is something like s3.amazonaws.com/uploads.hipchat.com/[comany's unique ID]/[some other id]/[upload.png]

I'd been meaning to do some prodding and see if [some other id] is predictable, maybe I should take that off the back burner

COACHS SPORT BAR posted:

NICE!


lol atlassian

My company switched to hipchat a while ago, and I noticed that whenever someone sends a picture (which is frequently a screenshot of something proprietary, or at least not meant for disclosure), it ends up hosted on an s3 instance with absolutely no authentication. URL is something like s3.amazonaws.com/uploads.hipchat.com/[comany's unique ID]/[some other id]/[upload.png]

I'd been meaning to do some prodding and see if [some other id] is predictable, maybe I should take that off the back burner

Subjunctive posted:

just stick a UUID in there and it's basically as good as authentication over https.

Wheany posted:

I get this reference

I get this reference

quote:

14:26:20 warrshrike | I need some help from you geniuses
14:27:25 warrshrike | So I had this idea for a side project
14:27:56 warrshrike | I'm thinking if a nearly totally safe messenger service is possible
14:28:14 warrshrike | Here is my rationale for it
14:29:12 warrshrike | recently, many end to end services have been known to be insecure to certain 3 letter agencies as well as criminals
14:29:27 warrshrike | this is almost always due to the OS running the sw getting breached
14:29:44 warrshrike | rather than the encryption or key app getting compromised
14:30:34 warrshrike | so what we cut the OS out of it? Make a messenger which runs directly on bare metal (say an opensource linux board) ala unikernel style

OSI bean dip posted:

COACHS SPORT BAR posted:

Good writeup on the security dumpster fire that is SugarCRM:

http://karmainsecurity.com/tales-of-sugarcrm-security-horrors

quote:

SugarCRM is a pretty popular Customer Relationship Management (CRM) application written in PHP code. It was born in 2004 as an open source project hosted on SourceForge, a development repository for free software.

quote:

SugarCRM is a pretty popular Customer Relationship Management (CRM) application written in PHP code. It was born in 2004 as an open source project hosted on SourceForge, a development repository for free software. By June of the same year, the rapid success of the project allowed the original developers to found SugarCRM Inc. and raise $2 million in venture capital. A month later, on July 3, Sugar Open Source version 1.0 was released. In October 200 .........

Volmarias posted:

Loaded fine for me


Etc

Cocoa Crispies posted:

article just ends right there

Volmarias posted:

I've only changed the language twice and the OS three times

OSI bean dip posted:

quote:

Moreover, in contrast to the executive branch's widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip.

rafikki posted:

https://arstechnica.com/information-technology/2017/04/picture-this-senate-staffers-id-cards-have-photo-of-smart-chip-no-security/

rafikki posted:

https://arstechnica.com/information-technology/2017/04/picture-this-senate-staffers-id-cards-have-photo-of-smart-chip-no-security/

A Pinball Wizard posted:

my brain automatically converted piv to penis in vagina

quote:

Antbleed is a backdoor introduced by Bitmain into the firmware of their bitcoin mining hardware Antminer.

The firmware checks-in with a central service randomly every 1 to 11 minutes. Each check-in transmits the Antminer serial number, MAC address and IP address. Bitmain can use this check-in data to cross check against customer sales and delivery records making it personally identifiable. The remote service can then return "false" which will stop the miner from mining.

quote:

At worst, this firmware backdoor allows Bitmain to shut off a large section of the global hashrate (estimated to be at up to 70% of all mining equipment). It can also be used to directly target specific machines or customers. Standard inbound firewall rules will not protect against this because the Antminer makes outbound connections.

Even without Bitmain being malicious, the API is unauthenticated and would allow any MITM, DNS or domain hijack to shutdown Antminers globally. Additionally the domain in question DNS is hosted by Cloudflare making it trivially subjected to government orders and state control.

OSI bean dip posted:

http://www.antbleed.com/

anthonypants posted:

https://twitter.com/SDLerner/status/857339715577663489
https://twitter.com/petertoddbtc/status/857341376245182464

fishmech posted:

someone should do the last bit

fishmech posted:

someone should do the last bit

fishmech posted:

someone should do the last bit

fishmech posted:

someone should do the last bit

quote:

The last bit was mined for the first time, half in jest, on April 20, 2140, at a time when humanity first stepped into the light.

Carbon dioxide posted:

With the way bitcoins work, the amount of bitcoins mined per period of time cannot change, I think.

So if you were to kill a majority of bitcoin miners, those who are left over would suddenly get way more bitcoins way faster.

Cocoa Crispies posted:

whoosh

Carbon dioxide posted:

With the way bitcoins work, the amount of bitcoins mined per period of time cannot change, I think.

So if you were to kill a majority of bitcoin miners, those who are left over would suddenly get way more bitcoins way faster.

Mr. Nice! posted:

the difficulty would balance out so that the speed would end up around the same (average 10 minutes iirc) after a short burst period, but the thing is they would lock out anyone not using the best asics if they shut off all the antminers outside of the chinese pools.

vOv posted:

the difficulty adjustment isn't instant but i don't remember how often it happens, i want to say twice a month or something g