|
lol
|
# ? May 26, 2017 21:41 |
|
BangersInMyKnickers posted:I am sure all those storage appliances that companies are dependent on will be issued prompt patches that will be installed by IT staff

BangersInMyKnickers posted:Synology's will autoupdate and restart with a 1 hour warning which is kinda nice but also you can't configure a maintenance interval last I checked so it's probably getting turned off by the small business segment. I get an email notification at like 5am a few times a month

yeah we replaced an old as gently caress and very expensive netapp with a $5k synology at work and it's been excellent if you just need some network shares and snapshotting. they patch really reliably as well
|
# ? May 26, 2017 21:46 |
|
it's pretty tricky actually! I implemented something like that once, and I used both a monotonic clock timer (which technically doesn't even exist on iOS but there are ways) and a "remaining block time" setting that was updated every second, so that it would be unaffected by changes to the device clock both while the app was running and while it was dead or sleeping (I should have used a keychain item or a private file instead of a setting, because settings can be altered through itunes/icloud backups). I also pessimistically incremented the failed attempts counter before even checking the pin, so that you couldn't terminate the app at just the right time to get free infinite tries
|
# ? May 26, 2017 22:10 |
|
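The lockout design in the post above, as an added example that is not hackbunny's code: a dict stands in for the keychain item / private file, the monotonic clock is injectable so the demo can simulate killing and relaunching the app, and PBKDF2 stands in for however the real app stored the PIN (all three are assumptions, not from the thread). It shows the two properties described: the remaining block time is persisted and counted down only from a monotonic clock, so neither a wall-clock edit nor time spent dead shortens a block, and the failed-attempt counter is persisted before the PIN is compared.

```python
"""Clock-manipulation-resistant PIN lockout (added example, not hackbunny's code).

Assumptions not in the thread: a dict stands in for the keychain/private file,
`monotonic` is an injectable clock, PBKDF2 stands in for the real PIN storage.
"""
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5      # failed tries before a lockout starts
BLOCK_SECONDS = 300   # lockout length, counted down only while the app is alive


def hash_pin(pin: str, salt: bytes = b"constructed-salt") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class FakeClock:
    """Monotonic clock stand-in; a relaunch gets a fresh instance starting at 0."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class PinLockout:
    def __init__(self, store, pin_hash, monotonic=time.monotonic):
        self.store = store                 # persistent: survives kills, not clock edits
        self.pin_hash = pin_hash
        self.monotonic = monotonic
        self.store.setdefault("failed", 0)
        self.store.setdefault("remaining_block", 0.0)
        self.last_mono = self.monotonic()  # process-local; time spent dead is never credited

    def tick(self):
        """Call once per second while running. Credits only monotonic elapsed
        time, so editing the wall clock (running or not) cannot shorten a block."""
        now = self.monotonic()
        elapsed = max(0.0, now - self.last_mono)
        self.last_mono = now
        remaining = self.store["remaining_block"]
        if remaining > 0:
            self.store["remaining_block"] = max(0.0, remaining - elapsed)

    def blocked_for(self):
        return self.store["remaining_block"]

    def _record_attempt(self):
        # Pessimistic: persisted *before* the PIN is compared, so killing the app
        # between entering a PIN and seeing the result still costs an attempt.
        self.store["failed"] += 1

    def _verify(self, pin):
        ok = hmac.compare_digest(hash_pin(pin), self.pin_hash)
        if ok:
            self.store["failed"] = 0
            return "ok"
        if self.store["failed"] >= MAX_ATTEMPTS:
            self.store["failed"] = 0
            self.store["remaining_block"] = float(BLOCK_SECONDS)
            return "locked"
        return "wrong"

    def try_pin(self, pin):
        if self.store["remaining_block"] > 0:
            return "blocked"
        self._record_attempt()
        return self._verify(pin)


def demo():
    """Walks through the scenarios the post describes; returns the observations."""
    correct = hash_pin("1234")
    store, clock = {}, FakeClock()
    app = PinLockout(store, correct, clock)
    results = [app.try_pin("0000") for _ in range(MAX_ATTEMPTS)]
    blocked = app.try_pin("1234")           # right PIN, still blocked

    # Kill and relaunch: new monotonic clock at 0, same persisted store.
    clock2 = FakeClock()
    app2 = PinLockout(store, correct, clock2)
    after_relaunch = app2.blocked_for()     # dead time was not credited
    clock2.advance(BLOCK_SECONDS / 2)
    app2.tick()
    halfway = app2.blocked_for()
    clock2.advance(BLOCK_SECONDS)
    app2.tick()
    unlocked = app2.try_pin("1234")

    # Kill exactly between entering a PIN and the comparison.
    store3 = {}
    app3 = PinLockout(store3, correct, FakeClock())
    app3._record_attempt()                  # process dies here
    app4 = PinLockout(store3, correct, FakeClock())
    return {"results": results, "blocked": blocked, "after_relaunch": after_relaunch,
            "halfway": halfway, "unlocked": unlocked, "charged_on_crash": app4.store["failed"]}
```

The strict choice here is that time spent with the app dead is never credited at all; that is what makes the scheme indifferent to the device clock, at the cost of a lockout that only expires while the app is open.
|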
chipotle got hacked lol https://www.google.com/amp/amp.timeinc.net/fortune/2017/04/25/chipotles-restaurants-hacked/%3Fsource%3Ddam suddenly I know why my bank just sent me a new card
|
# ? May 26, 2017 22:21 |
|
i looked at my credit card statement and it's just a bunch of dumb bullshit
|
# ? May 27, 2017 00:33 |
|
Phone posted:i looked at my credit card statement and it's just a bunch of dumb bullshit

spankmeister posted:don't sign
|
# ? May 27, 2017 01:16 |
|
hackbunny posted:it's pretty tricky actually! I implemented something like that once, and I used both a monotonic clock timer (which technically doesn't even exist on iOS but there are ways) and a "remaining block time" setting that was updated every second, so that it would be unaffected by changes to the device clock both while the app was running and while it was dead or sleeping (I should have used a keychain item or a private file instead of a setting, because settings can be altered through itunes/icloud backups). I also pessimistically incremented the failed attempts counter before even checking the pin, so that you couldn't terminate the app at just the right time to get free infinite tries

that's actually really interesting and brings up the question of why modern phones/oses let you set up a custom date. why not just set a hard limit at the date the firmware was signed and/or the last known good date as established by an https connection to a trusted ntp server? it just seems to invite trouble every time
|
# ? May 27, 2017 04:32 |
|
cis autodrag posted:epic hides all description of security bugs in a secret folder that only the person fixing has access to. they never disclose them to customers until they're patched. most of them are straight up code injection due to heavy use of the x and d @ operators in their code.

which epic and what are x/d operators?
|
# ? May 27, 2017 04:49 |
|
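The injection pattern the quoted post is talking about, as an added example and not Epic's code or anyone's MUMPS: in MUMPS, `X` (XECUTE) runs a string as code and `D @name` calls whichever routine a variable names, and this Python analog uses `eval` and a name built from request data in the same roles. The records, routine names and request fields are constructed for illustration; the point is that anything reachable in the executing namespace becomes callable once request data is spliced into source text, and that a table lookup plus passing the value as data removes the sink entirely.

```python
"""Dynamic code execution as an injection sink: a Python analog of MUMPS
`X` (XECUTE) and `D @name` indirection. Added example, not Epic's code;
records, routine names and request fields are constructed.
"""

RECORDS = [  # constructed sample rows
    {"name": "Alice", "ward": "ICU", "ssn": "000-00-0001"},
    {"name": "Bob", "ward": "ICU", "ssn": "000-00-0002"},
    {"name": "Cara", "ward": "ER", "ssn": "000-00-0003"},
]


def census_report(records, ward):
    return [r["name"] for r in records if r["ward"] == ward]


def labs_report(records, ward):
    return [(r["name"], "pending") for r in records if r["ward"] == ward]


def dump_everything(records, ward):
    # An unrelated routine that merely exists in the same namespace, as every
    # routine does in a MUMPS environment.
    return list(records)


def run_report_unsafe(report, ward):
    """Splices two request fields into source text and executes it (the `X`
    pattern); `report` picks the routine by name (the `D @` pattern)."""
    code = f"{report}_report(RECORDS, '{ward}')"
    return eval(code, globals())


REPORTS = {"census": census_report, "labs": labs_report}  # explicit allow-list


def run_report_safe(report, ward):
    """Routine chosen by table lookup, ward passed as data, nothing executed."""
    try:
        fn = REPORTS[report]
    except KeyError:
        raise ValueError(f"unknown report {report!r}") from None
    return fn(RECORDS, ward)


# Closes the string literal, makes the intended call evaluate falsy, then
# reaches a routine the caller was never meant to run.
PAYLOAD = "NOPE') or dump_everything(RECORDS, '"


def safe_rejects_unknown_routine():
    try:
        run_report_safe("dump_everything", "ICU")
    except ValueError:
        return True
    return False
```

Running `run_report_unsafe("census", PAYLOAD)` evaluates `census_report(RECORDS, 'NOPE') or dump_everything(RECORDS, '')` and returns every row including the SSNs; the same payload fed to `run_report_safe` is just a ward name that matches nothing.
|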
Ur Getting Fatter posted:that's actually really interesting and brings up the question of why modern phones/oses let you set up a custom date.

for use off a working internet/wireless in general connection
|
# ? May 27, 2017 04:50 |
|
do people do ntp over https now?
|
# ? May 27, 2017 05:26 |
|
ultramiraculous posted:which epic and what are x/d operators?

MUMPS is a pos prerequisite

perhaps you have arrived prematurely
|
# ? May 27, 2017 05:37 |
|
Subjunctive posted:do people do ntp over https now?

no but there's jacob appelbaum's tlsdate (lol)
|
# ? May 27, 2017 05:54 |
|
the x and d operators make your code funnier
|
# ? May 27, 2017 06:02 |
|
BangersInMyKnickers posted:I am sure all those storage appliances that companies are dependent on will be issued prompt patches that will be installed by IT staff
|
# ? May 27, 2017 06:03 |
|
ultramiraculous posted:which epic and what are x/d operators?

look at cis autodrag's posting history in the terrible programmers thread. it's so worth it.

e: maybe it's actually the pl thread, poo poo i forget
|
# ? May 27, 2017 08:33 |
|
Shaggar posted:I would like to see what someone like tavis would do to an EHR. they'd probably try to sue him into the dirt.

I'm getting hard just thinking about the idea of a lovely EHR company trying to sue Tavis and unexpectedly slamming into a wall of Google lawyers, then furiously trying to back pedal out of danger.

ratbert90 posted:It's for our embedded product. We don't have an established security bug bounty program, but his worry is that other companies in our industry might go: "See, THEY have bugs, so don't buy them."

"We find and fix our bugs, and provide patches for our customers. TurdCo just leaves you flapping in the breeze because they'll never admit they make a mistake. Do you want to have uncorrectable liabilities in your company starting the day you buy their product, leaving YOU vulnerable? Or do you want to go with someone that will keep an eye and an ear open, and make it right?"

Your sales people are garbage if they don't know how to frame this.
|
# ? May 27, 2017 13:09 |
|
heathrow is having major computer problem, wouldn't be surprised if it's related to the wannacry stuff https://twitter.com/bbcbreaking/status/868404776790306817
|
# ? May 27, 2017 13:15 |
|
those shades of red go well with the digital 9/11 graphic
|
# ? May 27, 2017 14:07 |
|
gonadic io posted:look at cis autodrag's posting history

it's so worth it.
|
# ? May 27, 2017 14:18 |
|
invlwhen posted:MUMPS is a pos prerequisite

ur mama arrived prematurely, :regd12:
|
# ? May 27, 2017 14:23 |
|
Volmarias posted:I'm getting hard just thinking about the idea of a lovely EHR company trying to sue Tavis and unexpectedly slamming into a wall of Google lawyers, then furiously trying to back pedal out of danger.

they have the money and connections to take google on and i'd love to see it happen
|
# ? May 27, 2017 15:48 |
|
Volmarias posted:I'm getting hard just thinking about the idea of a lovely EHR company trying to sue Tavis and unexpectedly slamming into a wall of Google lawyers, then furiously trying to back pedal out of danger.

I love the idea, but EHR has so much low hanging fruit that it's almost not worth someone like Tavis' time. See this for example: https://www.youtube.com/watch?v=BKarNH_wp0g
|
# ? May 27, 2017 16:54 |
|
wolrah posted:I love the idea, but EHR has so much low hanging fruit that it's almost not worth someone like Tavis' time.

wait is that query only returning a single row based on some os/ugly packard bell shitware app authentication that already happened or does that example only have one provider?
|
# ? May 27, 2017 17:29 |
|
After looking at posts like this I assume that the bar is on the ground, but given that this is highly sensitive information you could make the argument that it would serve the public good even if it's the security version of dunking in the special Olympics
|
# ? May 27, 2017 18:12 |
|
Cocoa Crispies posted:wait is that query only returning a single row based on some os/ugly packard bell shitware app authentication that already happened or does that example only have one provider? look to your heart for the answers you are looking for
|
# ? May 27, 2017 18:23 |
|
Phone posted:look to your heart for the answers you are looking for speaking of... tl;dr: there is effectively no device security on remotely programmable pacemakers and it's not especially difficult to acquire the vendor specific programmers. the software itself is swiss cheese and the platforms are often ancient and unsupported
|
# ? May 27, 2017 18:39 |
|
Cocoa Crispies posted:wait is that query only returning a single row based on some os/ugly packard bell shitware app authentication that already happened or does that example only have one provider?

The example has only one provider, it's a dummy install the person making the video whipped up. I can personally confirm it works as demonstrated though.

Eaglesoft is a joke in a lot of ways (search "Beaglesoft" on DailyWTF and note the age of the article, then realize that problem also still affects at least as far as version 17), but the competition isn't much better unfortunately. Dental software is a sea of poo poo, and basically we get to pick which piece of corn to ride on.
|
# ? May 27, 2017 18:52 |
|
infernal machines posted:speaking of...

Worth mentioning is that the programmers are the hardware equipment for pacemakers, not the people that developed the firmware. Though I imagine that they wouldn't be especially difficult to acquire either.
|
# ? May 27, 2017 18:56 |
|
It is a bit of a hard problem, though. You want the pacemaker to be easy to program, without network downtime or a central point of failure making it impossible to reprogram the device of a patient, a patient that theoretically might come from the other side of the globe and with no previous contact with your hospital. Maybe they could make some two-tier system, where skin contact programming requires no auth, but wireless programming requires some kind of authentication.

edit: Reading the article, it seems like programmers already do something like this - requires skin contact programming to read a device key which is then used for wireless programming. The whole article smells a bit of FUD - that 8000 vulnerabilities number makes me suspect they just enumerated third party components used, then summed up all CERT issues for those components, regardless of whether the device in question used a vulnerable version of the component or not.

Also, as long as the device isn't connected to a network, I don't see the issue with unencrypted patient data on a device. After all, it's not like physical paper with patient data has any form of encryption either.

ymgve fucked around with this message at 21:12 on May 27, 2017 |
# ? May 27, 2017 21:03 |
|
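The two-tier scheme described in the post above (a device key readable only through skin contact, then used to authenticate wireless programming), as an added toy model that is not any vendor's protocol: the contact channel, the JSON command format, the challenge-response with a one-shot nonce and the rate bounds are all constructed for the example. It shows the exchange from both sides: a programmer that touched the patient once can issue commands, a replay of its captured message is refused because the nonce is consumed, a remote programmer without the key is refused, and an authentic but out-of-range command is refused too.

```python
"""Proximity-bootstrapped authentication for wireless device commands.

Added example, not any vendor's protocol. Channel names, message format and
the accepted rate range are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets


class Pacemaker:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # provisioned once, never sent over the air
        self._nonce = None                    # one outstanding challenge at a time
        self.rate_bpm = 60

    # Tier 1: only reachable over the contact / near-field channel.
    def read_key_via_contact(self):
        return self._key

    # Tier 2: wireless. Challenge-response with a one-shot nonce.
    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def apply(self, msg: bytes, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None   # consumed before verifying: a replay finds none
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce + msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        cmd = json.loads(msg)
        # Authentication is not authorisation: the command itself is still bounded.
        bpm = cmd.get("bpm")
        if cmd.get("op") == "set_rate" and isinstance(bpm, int) and 40 <= bpm <= 150:
            self.rate_bpm = bpm
            return True
        return False


class Programmer:
    def __init__(self, key: bytes):
        self.key = key

    def build(self, nonce: bytes, cmd: dict):
        msg = json.dumps(cmd, sort_keys=True).encode()
        tag = hmac.new(self.key, nonce + msg, hashlib.sha256).digest()
        return msg, tag


def demo():
    """Runs the four exchanges described in the lead-in and returns the outcomes."""
    dev = Pacemaker()
    clinic = Programmer(dev.read_key_via_contact())   # touched the patient once
    msg, tag = clinic.build(dev.challenge(), {"op": "set_rate", "bpm": 70})
    legit = dev.apply(msg, tag)
    replay = dev.apply(msg, tag)                       # same bytes, nonce already spent

    stranger = Programmer(secrets.token_bytes(32))     # never had contact access
    m2, t2 = stranger.build(dev.challenge(), {"op": "set_rate", "bpm": 150})
    remote = dev.apply(m2, t2)

    m3, t3 = clinic.build(dev.challenge(), {"op": "set_rate", "bpm": 300})
    out_of_range = dev.apply(m3, t3)                   # authentic, still refused

    return {"legit": legit, "replay": replay, "remote": remote,
            "out_of_range": out_of_range, "rate": dev.rate_bpm}
```

The nonce is cleared before the tag is checked so that a failed verification and a replay both leave the device with no live challenge; the caller has to ask for a new one, which is also what limits how fast an over-the-air guesser can try tags.
|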
they should just go back to nuclear powered pacemakers
|
# ? May 27, 2017 21:19 |
|
I read the argument a while ago that if someone wants to kill you by reprogramming the pacemaker, and they have to get close enough to do it that they'd be able to stab you to death anyway, extra authentication and poo poo on the pacemaker isn't gonna save your life
|
# ? May 27, 2017 21:26 |
|
Just read their paper and it's even more stupid there. Oh no, the devices didn't obfuscate the firmware! They didn't strip symbols out of the firmware! They used standard microcontroller CPUs! They point out some real flaws (like hardcoded passwords when the home monitoring devices call home) but it's all buried under a ton of unnecessary fearmongering.
|
# ? May 27, 2017 21:27 |
|
they don't require signed binaries either, so it's not impossible that a compromised binary could end up on a legitimate system and affect multiple patients
|
# ? May 27, 2017 21:30 |
|
Instant Grat posted:I read the argument a while ago that if someone wants to kill you by reprogramming the pacemaker, and they have to get close enough to do it that they'd be able to stab you to death anyway, extra authentication and poo poo on the pacemaker isn't gonna save your life

isn't that just a question of transmitter power though, or is there a distance-bounding protocol somewhere?

also my favorite part of that eaglesoft video is the godawful ui that looks like a desk
|
# ? May 27, 2017 21:40 |
|
Instant Grat posted:I read the argument a while ago that if someone wants to kill you by reprogramming the pacemaker, and they have to get close enough to do it that they'd be able to stab you to death anyway, extra authentication and poo poo on the pacemaker isn't gonna save your life

this is mega retarded. giga retarded even. think about what you just wrote and then throw your computer in the trash. what an idiotic thing to say, I'm not even attempting to refute this ridiculous assertion. what is it about security that makes people into the smartest idiots on earth
|
# ? May 27, 2017 21:52 |
|
i think they just read that somewhere and are posting it as comedy here, rather than agreeing with it
|
# ? May 27, 2017 21:56 |
|
hackbunny posted:this is mega retarded. giga retarded even. think about what you just wrote and then throw your computer in the trash. what an idiotic thing to say, I'm not even attempting to refute this ridiculous assertion. what is it about security that makes people into the smartest idiots on earth

Dunning-Kruger, and it makes people the loving worst

case in point the AV thread in grey forums
|
# ? May 27, 2017 23:03 |
|
Truga posted:i think they just read that somewhere and are posting it as comedy here, rather than agreeing with it

yeah i have spent like 0 microseconds considering the implications of pacemaker security and even i am not dumb enough to think "you can strangle someone to death so preventing randos from beaming kill signals to our customers is pointless"
|
# ? May 27, 2017 23:09 |
|
BangersInMyKnickers posted:So is Microsoft dropping EMET because they're rolling all the features in to the base OS at some point or because they have some idiotic dream that all apps in a year will come through the Windows store and enforce opt-in for all the security features that EMET enforces? Because there's still going to be decades of legacy applications that could benefit from it

There are a lot of features in EMET that aren't being rolled into Win10: https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html

e: I guess they extended EOL into 2018 at least.

Rooney McNibnug fucked around with this message at 00:13 on May 28, 2017 |
# ? May 27, 2017 23:58 |
|
anthonypants posted:don't forget multi-function printers

hahah oh god I forgot that "functionality"
|
# ? May 28, 2017 00:24 |