|
actual security research question: i'm getting curious about how those free flashlight apps & ad infested games on android work and i've started to pull a couple apart with apktool, sniffing traffic with wireshark & even had some limited success loving around with ida one thing that i'm still struggling with is a bunch of files with an xml extension; androidmanifest.xml files get extracted correctly by apktool, but a bunch of other xml files (if they're even xml, but in the case of the app i'm having issues with nothing else seems obfuscated so v0v) are coming out as complete gibberish i seem to be lacking the correct words to google my way through this issue as usual. pretty much anything i try to describe as "apktool * broken xml" refers back to axmlprinter, which apparently only works on manifest files. i gave dex2jar a go, but i'm not interested in the code of the app as much as those resource files any ideas how i should hit this next?
|
#
?
Jul 15, 2017 10:57
|
|
|
|
| # ? May 14, 2024 23:06 |
|
|
surebet posted:actual security research question: i'm getting curious about how those free flashlight apps & ad infested games on android work and i've started to pull a couple apart with apktool, sniffing traffic with wireshark & even had some limited success loving around with ida https://github.com/google/android-classyshark
|
|
#
?
Jul 15, 2017 11:03
|
|
|
surebet posted:actual security research question: i'm getting curious about how those free flashlight apps & ad infested games on android work and i've started to pull a couple apart with apktool, sniffing traffic with wireshark & even had some limited success loving around with ida android uses xml files for the manifest (which tells android what permissions the app needs, what it will sort of look like wrt screen position, and a few other things the rest of the xml files are layout files that are never really very well decompiled in my experience but all of the tools that i've used at work dont decompile to the java code for various reasons but yeah best success ive had is with classyshark
|
|
#
?
Jul 15, 2017 11:09
|
|
|
spankmeister posted:Hey I happen to know which country you're from and by far the most companies respond fairly well to responsible disclosures. The culture and legal climate are very very different from the US. If you're in the US and it's related to anything involving embedded hardware or infrastructure, give ICS-CERT a call and they'll take care of everything for you. I'm inadvertently on a CVE with a score of 10 because my friend told them about the hardcoded root password on a box that's used in TV stations for playout and control, and they took care of the 'hassle the company' problem
|
|
#
?
Jul 15, 2017 17:36
|
|
|
FAT32 SHAMER posted:but yeah best success ive had is with classyshark oh man, that hits the spot perfectly. thanks guys!
|
|
#
?
Jul 15, 2017 19:16
|
|
|
In non-security fuckup news: - I was able to get LibreSSL into mainline Buildroot. - I converted all of my projects over to using LibreSSL. 
|
|
#
?
Jul 15, 2017 21:16
|
|
|
OH HEY The OPENSSL people IGNORED Tavis. https://github.com/libressl-portable/openbsd/commit/91744d3deae1b0a448f936d107d1934c12510fee You can't ignore Tavis! You will regret this!
|
|
#
?
Jul 16, 2017 18:11
|
|
|
im the tyool 2017 infosec-related product person typing out loud "Some dude named Travis Ormandy"
|
|
#
?
Jul 16, 2017 18:16
|
|
|
cinci zoo sniper posted:im the tyool 2017 infosec-related product person typing out loud "Some dude named Travis Ormandy" Oh they know who he is. 
|
|
#
?
Jul 16, 2017 18:16
|
|
|
ratbert90 posted:Oh they know who he is. right, i missed the whole "jump openssl for libressl" thing so i figure someone got owned
|
|
#
?
Jul 16, 2017 18:19
|
|
|
ratbert90 posted:OH HEY I'm the guy who tries to argue it's a documentation bug because there's some sort of use case where I want to parse a new cert into previously used memory but reuse the validation states because ... ???
|
|
#
?
Jul 16, 2017 18:46
|
|
|
"I mean we clearly state at the bottom of the man page that calling do_thing() without first calling dont_shoot_own_dick() will result in the users dick getting shot off. We can't be expected to handhold every single user of our library." --a C programmer, probably.
|
|
#
?
Jul 16, 2017 19:09
|
|
|
mrmcd posted:"I mean we clearly state at the bottom of the man page that calling do_thing() without first calling dont_shoot_own_dick() will result in the users dick getting shot off. We can't be expected to handhold every single user of our library." --a C programmer, probably. read this in bunk's voice
|
|
#
?
Jul 16, 2017 19:48
|
|
|
the "avoid an unnecessary allocation" behavior is reasonable. the "we don't clear all the state with the old thing" is obviously a bug which "gently caress it just don't bother" is i guess a reasonable reaction to if your software architecture is garbage
|
|
#
?
Jul 16, 2017 19:52
|
|
|
ratbert90 posted:OH HEY 
|
|
#
?
Jul 16, 2017 20:02
|
|
|
|
|
#
?
Jul 16, 2017 20:31
|
|
|
|
|
#
?
Jul 16, 2017 20:32
|
|
|
When I make a product I want it to be endorsed by Tavis.
|
|
#
?
Jul 16, 2017 20:38
|
|
|
|
|
#
?
Jul 16, 2017 20:38
|
|
|
|
|
#
?
Jul 16, 2017 20:40
|
|
|
|
|
#
?
Jul 16, 2017 20:46
|
|
|
|
|
#
?
Jul 16, 2017 21:04
|
|
|
|
|
#
?
Jul 16, 2017 21:18
|
|
|
|
|
#
?
Jul 16, 2017 21:33
|
|
|
|
|
#
?
Jul 16, 2017 21:40
|
|
|
|
|
#
?
Jul 16, 2017 21:42
|
|
|
|
|
#
?
Jul 16, 2017 22:08
|
|
|
|
|
#
?
Jul 16, 2017 23:02
|
|
|
|
|
#
?
Jul 16, 2017 23:55
|
|
|
amazing
|
|
#
?
Jul 16, 2017 23:56
|
|
|
imo we should still acknowledgemaskenfreiheit posted:read this in bunk's voice
|
|
#
?
Jul 17, 2017 00:44
|
|
|
ok back to
|
|
#
?
Jul 17, 2017 00:46
|
|
|
|
|
#
?
Jul 17, 2017 00:46
|
|
|
cruel idea: call up a random security person and claim that you're brian krebs crueler idea: call up said random security person at 4:30 pm on a friday claiming to be krebs cruelest idea: call up said security person at 4:30 pm on a friday, claim you're krebs, and also introduce someone claiming to be tavis ormandy
|
|
#
?
Jul 17, 2017 01:08
|
|
|
Call up Brian Krebs claiming to be Brian Krebs from a terrible future where Bitcoin is the world currency but the security situation hasn't improved. Say that Tavis is the ruler of the world and ask whether this is actually pretty ok all things considered.
|
|
#
?
Jul 17, 2017 01:44
|
|
|
maskenfreiheit posted:read this in bunk's voice Krebs: You know why I respect you so much, Tavis? Tavis: Mm-mmm. Krebs: It’s not ’cause you’re good security engineer, ’cause, y’know, gently caress that, right? Tavis: Mm. gently caress that, yeah. Krebs: It’s not ’cause when I came to cybercrime, you taught me all kinds of cool poo poo about . . . well, whatever. Tavis: Mm. Whatever. Krebs: It’s ’cause when it came time for you to pentest me . . . you were very gentle. Tavis: You drat right. Krebs: See, ’cause you could have hauled me out of the server room and just bent me over the rack of a unpatched firewall, and . . . no, you were, you were very gentle. Tavis: I knew it was your first time. I wanted to make that poo poo special. Krebs: It was, man. It loving was.
|
|
#
?
Jul 17, 2017 02:01
|
|
|
mrmcd posted:Krebs: You know why I respect you so much, Tavis?
|
|
#
?
Jul 17, 2017 02:26
|
|
|
Security Fuckup Meathead - v14.1 - Security City 2000, Mayor Name: Tavis
|
|
#
?
Jul 17, 2017 03:27
|
|
|
ratbert90 posted:Security Fuckup Meathead - v14.1 - Security City 2000, Mayor Name: Tavis
|
|
#
?
Jul 17, 2017 06:57
|
|
|
|
| # ? May 14, 2024 23:06 |
|
|
ratbert90 posted:Security Fuckup Meathead - v14.1 - Security City 2000, Mayor Name: Tavis
|
|
#
?
Jul 17, 2017 08:41
|
|