|
name and shame
|
# ? Aug 18, 2017 04:24 |
|
|
# ? May 14, 2024 21:18 |
|
You know full well it's a government agency who put that policy in place in the 90s.
|
# ? Aug 18, 2017 05:17 |
|
fins posted: Any plans for some more bletchley boffinry any time soon? I want my drat gang tag!

There's an unsolved one if you can dig it up.
|
# ? Aug 18, 2017 12:24 |
Volmarias posted: You know full well it's a government agency who put that policy in place in the 90s.

Oh man I have two good ones. The web store for one fed agency limits passwords to exactly 8 characters. Only letters and numbers. No more, no less. And the job application site for a regional agency has a "Forgot your password?" function. But it sends you your existing password in plain text after you also provide them with the ZIP code tied to your account for some reason. iirc this one also stores your full social in plain text tied to the user profile page.
|
|
# ? Aug 18, 2017 13:11 |
|
a financial firm I use lightly has a policy that no password can use more than 5 letters from the previous password, and password changes can take a few minutes to take effect (there's a loading bar)
|
# ? Aug 18, 2017 13:15 |
|
Subjunctive posted: a financial firm I use lightly has a policy that no password can use more than 5 letters from the previous password, and password changes can take a few minutes to take effect (there's a loading bar)

active directory is a helluva drug
|
# ? Aug 18, 2017 16:31 |
|
Also, never forgetti mom's spaghetti https://twitter.com/Migishu/status/834567858285854721/photo/1
|
# ? Aug 18, 2017 16:41 |
|
From here: https://github.com/libyal/documentation/blob/master/PFF%20Forensics%20-%20analyzing%20the%20horrible%20reference%20file%20format.pdf

quote: Microsoft Outlook allows users to set a password on their PST files. This password is stored in the 'Message Store' PFF item as a weak 32-bit Cyclic Redundancy Check (CRC32).
|
# ? Aug 18, 2017 18:07 |
|
fins posted: From here: https://github.com/libyal/documentation/blob/master/PFF%20Forensics%20-%20analyzing%20the%20horrible%20reference%20file%20format.pdf

pretty sure that's been known for years, or at least we knew about it at my last job (as well as a similar thing with PDFs) because it let us generate thumbnails of stuff that was "password protected" without requiring the password (because we could just go in and flip the bit that said it was protected or remove the password entry entirely or whatever)
|
# ? Aug 18, 2017 18:17 |
|
Migishu posted: Also, never forgetti mom's spaghetti
|
# ? Aug 18, 2017 18:38 |
|
fins posted: From here: https://github.com/libyal/documentation/blob/master/PFF%20Forensics%20-%20analyzing%20the%20horrible%20reference%20file%20format.pdf
|
# ? Aug 18, 2017 18:40 |
|
anthonypants posted: does pci/dss have a reporting system because lol https://twitter.com/Place_des_Arts/status/834877518696091648

i'm the double down on whatever the cheapest consultant we could find told us
|
# ? Aug 18, 2017 18:42 |
|
the big thing i learned from that job was that all document/office-y formats (especially old ones) should be assumed to just be storing everything in plain text and any "password" is meaningless (and probably also stored in plain text or at best MD5'd). we had tons of customers (including a lot of banks) and tons of them had password-protected documents and only one actually managed to use some form of real actual encryption on documents (which we made them strip off because we were a bad company lol)

e: actually now that i'm thinking of it they had us write a script that looped through every file and tried all of the passwords they gave us (a text file containing about 15 that were all some variation of companyname-year kinda things) to decrypt them
|
# ? Aug 18, 2017 18:44 |
|
maskenfreiheit posted: i'm the double down on whatever the cheapest consultant we could find told us

cheapest francophone consultant at that
|
# ? Aug 18, 2017 18:45 |
|
ate all the Oreos posted: the big thing i learned from that job was that all document/office-y formats (especially old ones) should be assumed to just be storing everything in plain text and any "password" is meaningless (and probably also stored in plain text or at best MD5'd)

what about .odt? i actually have an old diary i forgot the pw to (pw protected odt). i remember when i switched from openoffice to libreoffice it stopped working, or maybe upgraded oo? iirc when i started it (pre-2011) i think they were using blowfish based on the pw you supply? honestly if i could figure out a way to throw guesses at it i think i could create a wordlist that would crash it...
|
# ? Aug 18, 2017 18:46 |
|
maskenfreiheit posted: what about .odt?

i don't know because we had never ever encountered any company who used odt ever. i think i uploaded one once just to see what our software would do and it couldn't figure out what the gently caress it was and just put the generic "unknown type" icon on it lol
|
# ? Aug 18, 2017 18:48 |
|
maskenfreiheit posted: what about .odt?

run strings on it and see what pops out
|
# ? Aug 18, 2017 20:00 |
|
Cocoa Crispies posted: run strings on it and see what pops out
|
# ? Aug 18, 2017 20:16 |
|
https://github.com/akrennmair/newsbeuter/issues/591

quote: An attacker can craft an RSS item with shell code in the title and/or URL. When you bookmark such an item, your shell will execute that code. The vulnerability is triggered when bookmark-cmd is called; if you abort bookmarking before that, you're safe.

lol
|
# ? Aug 18, 2017 20:32 |
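The newsbeuter bug quoted above is the classic "untrusted feed field spliced into a shell command line" pattern. The following added example (mine, not newsbeuter's code) shows that pattern next to two fixes, using a constructed RSS title and a placeholder helper name; nothing injected is ever executed, the tokeniser just shows what a shell would see.

```python
"""Command-injection pattern behind the newsbeuter bookmark-cmd report, with fixes."""
import shlex
import subprocess
import sys

# Constructed sample input: an RSS title carrying shell metacharacters.
# The helper name and URL are placeholders, not newsbeuter's real values.
BOOKMARK_CMD = "./bookmark-helper.sh"
SAMPLE_URL = "https://feed.example.invalid/item/1"
MALICIOUS_TITLE = 'Good read"; echo INJECTED; echo "'


def build_vulnerable_command(cmd, url, title):
    """Unsafe pattern: feed fields spliced into one string handed to a shell."""
    return f'{cmd} "{url}" "{title}"'


def build_quoted_command(cmd, url, title):
    """Fix (a): if a shell string is unavoidable, quote every untrusted field."""
    return f"{cmd} {shlex.quote(url)} {shlex.quote(title)}"


def shell_tokens(command_string):
    """Tokenise the way a POSIX shell would, without executing anything."""
    lex = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def count_command_separators(command_string):
    """Detection check: one bookmark call should contain no ';', '|' or '&'."""
    separators = {";", "|", "&", "&&", "||"}
    return sum(1 for tok in shell_tokens(command_string) if tok in separators)


def run_safely(title):
    """Fix (b): pass an argv list and no shell; the title arrives as one argument.
    sys.executable stands in for the bookmark helper so the example is self-contained."""
    echo_arg = "import sys; sys.stdout.write(sys.argv[1])"
    result = subprocess.run([sys.executable, "-c", echo_arg, title],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    bad = build_vulnerable_command(BOOKMARK_CMD, SAMPLE_URL, MALICIOUS_TITLE)
    good = build_quoted_command(BOOKMARK_CMD, SAMPLE_URL, MALICIOUS_TITLE)
    print("vulnerable tokens:", shell_tokens(bad), "separators:", count_command_separators(bad))
    print("quoted tokens:", shell_tokens(good), "separators:", count_command_separators(good))
    print("argv form received title intact:", run_safely(MALICIOUS_TITLE) == MALICIOUS_TITLE)
```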
|
Cocoa Crispies posted: run strings on it and see what pops out

done!:

code:
|
# ? Aug 18, 2017 20:39 |
|
Wiggly Wayne DDS posted: cve-2014-8485 called

2014 called, they want your unpatched copy of strings back
|
# ? Aug 18, 2017 20:40 |
|
is there some sort of compendium of dumb cve tricks? (not like OWASP top 10, but a step more detailed). poo poo like this makes me lol real good.
|
# ? Aug 18, 2017 20:41 |
|
i'd put grub's 28 backspaces to root bug pretty high in such a list
|
# ? Aug 18, 2017 20:47 |
|
anthonypants posted: does pci/dss have a reporting system because lol https://twitter.com/Place_des_Arts/status/834877518696091648

Even in the thread I was like "Yeah nah your poo poo isn't PCI/DSS compliant mate" but then got massively ignored.
|
# ? Aug 18, 2017 21:05 |
|
is Ticketmaster's fault
|
# ? Aug 18, 2017 21:31 |
|
Migishu posted: Even in the thread I was like "Yeah nah your poo poo isn't PCI/DSS compliant mate" but then got massively ignored.
|
# ? Aug 18, 2017 21:37 |
|
also they're "compliant" in that the auditor stamped the big ol' "compliant!" stamp on their stuff after running a few automated tests and shrugging and that's really all that actually matters
|
# ? Aug 18, 2017 21:40 |
|
maskenfreiheit posted: is there some sort of compendium of dumb cve tricks? (not like OWASP top 10, but a step more detailed).

I don't really have a secret, other than my team has automation that scans various feeds for new CVE related patches and then notifies a human intelligence to decide if it's a "meh patch normally" or "gently caress gently caress gently caress gently caress gently caress" situation. If it's my week to look at the robo secfuck vomit I sometimes come across a funny one. Usually though it's just Mozilla's weekly 40 CVE related urgent patches.
|
# ? Aug 18, 2017 21:43 |
|
the newsbeuter's came through debian's security mailing list earlier but given it required bookmarking meh go find somewhere vaguely upstream and if they have a decent signal:noise security feed to trawl
|
# ? Aug 18, 2017 21:49 |
|
nice, https://sso.godaddy.com expired 14th August 2017 and still not renewed

e: and they fixed it between me posting and re-checking, or it's one of the servers in rotation
|
# ? Aug 18, 2017 22:30 |
|
anthonypants posted: i promise you that they do not care

obviously until someone gets a list of people's usernames and password hashes, no one will care
|
# ? Aug 18, 2017 23:50 |
|
Migishu posted: obviously
|
# ? Aug 19, 2017 00:03 |
|
speaking of secfucks, someone hacked a nazi merch webstore and handed over their customer db to Swedish antifa. they've sent out letters saying "if you can explain why you bought nazi memorabilia, please write back so we can remove your name from the list that will be published in one week" https://twitter.com/NiclasWestlake/status/898195585802620928 closet nazis are freaking the hell out
|
# ? Aug 19, 2017 02:09 |
|
Powaqoatse posted: speaking of secfucks, someone hacked a nazi merch webstore and handed over their customer db to Swedish antifa

ahhahahahaaaaa ehheh hee
|
# ? Aug 19, 2017 02:14 |
|
https://twitter.com/afaskane/status/897165104483119105 antifa has data on 8600 orders over 7 years the nazi site has been cleaned up a bit since, but archive.org shows the type of poo poo they sell/sold: https://web.archive.org/web/20160223051112/http://midgaardshop.com:80/kategori/vrigt/klistermarken
|
# ? Aug 19, 2017 02:18 |
|
Powaqoatse posted: speaking of secfucks, someone hacked a nazi merch webstore and handed over their customer db to Swedish antifa

💯
|
# ? Aug 19, 2017 02:39 |
|
https://twitter.com/Geraintmogs/status/898302675057491968
|
# ? Aug 19, 2017 03:03 |
|
jfc this is better than the bitcoin wallet inspector
|
# ? Aug 19, 2017 03:12 |
|
ahahaha this guy got owned
|
# ? Aug 19, 2017 04:27 |
|
infernal machines posted: jfc

You don't put your actual password in those, you use something of the same length and characteristics.
|
# ? Aug 19, 2017 04:29 |