infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
the only downside is modern drives have tiny magnets compared to the old ide drives. real old school mfm drives had magnets that could break fingers.


surebet
Jan 10, 2013


Lain Iwakura posted:

i plan to plastidip the magnets so i figured this was going to be fun. i'll probably keep the platters for something later. the rest can be trashed

if you're scrounging for components this is fine, but doing this kind of work at scale is going to be crazy labor intensive

i forget who i did business with in montreal (maybe shred-it or iron mountain, not sure), but they had a big ol' truck that would show up a couple times a year and destroy documents and media on site (because i didn't want to trust a third party chain of custody for client financial info and also chucking whole banker boxes in a gently caress off huge shredder is kinda fun) and they absolutely destroyed hard drives

might not make sense just to dispose of small assets like only hard drives, but i'm sure your buddies down in accounting have a bunch of stuff to destroy that they're probably just putting in their recycling bins

pretty much any medium sized office or above generates enough confidential crap to justify the $10/box or $100/bin they charge and it's a great talking point to open up a conversation about larger physical sec issues

maskenfreiheit
Dec 30, 2004
comedy option: download some dank leaks and gchq will do it for you

https://www.theguardian.com/uk-news/2014/jan/31/footage-released-guardian-editors-snowden-hard-drives-gchq?CMP=Share_iOSApp_Other

Jimmy Carter
Nov 3, 2005

THIS MOTHERDUCKER
FLIES IN STYLE

maskenfreiheit posted:

would this even count as insider trading? does a vuln count as publicly available information if anyone can find it? 🤔

There was a guy who thought "hmmm Lumber Liquidators is probably so cheap they're buying their product from China where they cut corners", bought a bunch, had it tested, found it was way over the legal limit for formaldehyde, shorted it, and then made an article about it on Motley Fool. Completely legal.

Phone
Jul 30, 2005

I want oyakodon.
the first thing i had to do working helldesk was find a vendor to dispose of hard drives

i think my boss was expecting a shredder, but whichever company came had a little electronic press that would just bend the platter in one spot. works for me. vOv

Shame Boy
Mar 2, 2010

Phone posted:

the first thing i had to do working helldesk was find a vendor to dispose of hard drives

i think my boss was expecting a shredder, but whichever company came had a little electronic press that would just bend the platter in one spot. works for me. vOv

just use this famous youtube machine

https://www.youtube.com/watch?v=ibEdgQJEdTA

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

but what if the auditors or whatever your threat is have one of these?

https://www.youtube.com/watch?v=OHyygU1cU0k

Shame Boy
Mar 2, 2010

also re: hard drive magnets, the ones i got out of some old hard drives had convenient holes in the mounting brackets on either side of them so i used some screws to attach them to the side of my workbench and i can hang small to medium size tools from them now, it's real handy

surebet
Jan 10, 2013


while we're on the subject, is ram disposal still a thing? we try to donate our old towers (which aren't overly powerful but are still miles ahead of the usual stuff they'd get from gov't surplus, i think we're surplussing gen 2/3 i5 boxes now) to local orgs and we're pulling drives and memory; drives i get but memory?

maskenfreiheit
Dec 30, 2004

Jimmy Carter posted:

There was a guy who thought "hmmm Lumber Liquidators is probably so cheap they're buying their product from China where they cut corners", bought a bunch, had it tested, found it was way over the legal limit for formaldehyde, shorted it, and then made an article about it on Motley Fool. Completely legal.

now that's a hack 👍

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

surebet posted:

while we're on the subject, is ram disposal still a thing? we try to donate our old towers (which aren't overly powerful but are still miles ahead of the usual stuff they'd get from gov't surplus, i think we're surplussing gen 2/3 i5 boxes now) to local orgs and we're pulling drives and memory; drives i get but memory?

isn't the whole freezing ram thing related to a ram behavior that allows what it holds most of the time to influence the state it defaults to?

surebet
Jan 10, 2013


counterpoint: our surplus stuff spends at least a few months in a locker somewhere, powered off

i'm like 90% sure there's a pretty short window in which data can be recovered via freezing, iirc you need to dunk the chips while the system is on or very recently powered off

vOv
Feb 8, 2014

i seem to remember hearing about some company or government agency requiring that even ethernet cables be destroyed

SeaborneClink
Aug 27, 2010

MAWP... MAWP!
https://www.nomotion.net/blog/sharknatto/

Who wants to play secfuck bingo?

ssh open to 0.0.0.0/0 & hardcoded super user creds
more hard coded, empty, admin creds
GET requests for information chained to cgi exploits

Raluek
Nov 3, 2006

WUT.

vOv posted:

i seem to remember hearing about some company or government agency requiring that even ethernet cables be destroyed

i believe this is true if they have ever passed classified data. anything that touches classified stuff gets destroyed

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Raluek posted:

i believe this is true if they have ever passed classified data. anything that touches classified stuff gets destroyed

yeah and in that case it's just because destroying all of it is an easy policy even if it seems wasteful

maskenfreiheit
Dec 30, 2004
https://twitter.com/bcrypt/status/903477987214950401

:captainpop:

geonetix
Mar 6, 2011


These online coding interview or playground things are great. I got poked by someone today how Skype's new "interview" feature runs any and all code you throw in. including Python's os.system..

is there a way at all to protect yourself from abuse there? or whats the idea

cinci zoo sniper
Mar 15, 2013




geonetix posted:

These online coding interview or playground things are great. I got poked by someone today how Skype's new "interview" feature runs any and all code you throw in. including Python's os.system..

is there a way at all to protect yourself from abuse there? or whats the idea

:stonklol:

geonetix
Mar 6, 2011


the urge to touch poop is high, but I suggest you don't

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock

why are phones even allowed inside the viewing stations

pr0zac
Jan 18, 2004

~*lukecagefan69*~


geonetix posted:

These online coding interview or playground things are great. I got poked by someone today how Skype's new "interview" feature runs any and all code you throw in. including Python's os.system..

is there a way at all to protect yourself from abuse there? or whats the idea

Every one I've looked into has run on spun up then destroyed vm instances with locked down settings in dmzed network areas. You'd need a hypervisor escape to exploit and would still basically be outside the network after that.

geonetix
Mar 6, 2011


pr0zac posted:

Every one I've looked into has run on spun up then destroyed vm instances with locked down settings in dmzed network areas. You'd need a hypervisor escape to exploit and would still basically be outside the network after that.

i have a feeling these are running in containers rather than vms though, and those are probably (still) easier to escape from if you can do syscalls on the hosting kernel... but again I'm not going to try and prove any of that
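The thread stops at "don't go poking at it", so as an added example (not Skype's or any vendor's code, and not a claim about how their executor works) here is the minimum process hygiene a playground executor should have before the VM or container boundary pr0zac describes: the submission runs in a fresh interpreter with no inherited environment, a scratch working directory, CPU and file-size rlimits and a wall-clock timeout. The budgets (`CPU_SECONDS`, `WALL_SECONDS`, `MAX_FILE_BYTES`) are assumed values. The caveat is the one geonetix raises: the child still makes syscalls on the host kernel, so rlimits contain accidents, not a determined attacker, and a VM or hardened container is still required.

```python
"""Execute an untrusted playground submission in a separate, resource-limited process.

Added example (not Skype's code or any vendor's). Linux/POSIX only: it uses the
resource module. The limits below contain runaway or careless submissions; the
child shares the host kernel, so they are not a substitute for VM isolation.
"""
import resource
import subprocess
import sys
import tempfile

CPU_SECONDS = 1            # assumed per-submission CPU budget
WALL_SECONDS = 20          # backstop for code that sleeps instead of spinning
MAX_FILE_BYTES = 1 << 20   # 1 MiB: a submission cannot fill the scratch directory
MAX_OUTPUT_BYTES = 64 * 1024   # how much stdout/stderr we hand back to the caller


def _limit(res, soft, hard):
    """setrlimit, but never above the hard limit we inherited (raising it would fail)."""
    _, cur_hard = resource.getrlimit(res)
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)
        soft = min(soft, hard)
    resource.setrlimit(res, (soft, hard))


def _apply_limits():
    """Runs in the child between fork and exec (subprocess preexec_fn)."""
    _limit(resource.RLIMIT_CPU, CPU_SECONDS, CPU_SECONDS + 1)   # SIGXCPU at soft, SIGKILL at hard
    _limit(resource.RLIMIT_FSIZE, MAX_FILE_BYTES, MAX_FILE_BYTES)
    _limit(resource.RLIMIT_CORE, 0, 0)                          # no core dumps in the scratch dir


def run_submission(code: str) -> dict:
    """Run `code` in a fresh interpreter; return a status and truncated output."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-"],   # -I: isolated mode; program read from stdin
                input=code.encode(),
                capture_output=True,
                cwd=scratch,                     # nothing of the host tree is the working dir
                env={},                          # no host secrets via the environment
                preexec_fn=_apply_limits,
                start_new_session=True,          # own session, so a kill hits the group leader
                timeout=WALL_SECONDS,            # subprocess.run kills the child on expiry
            )
        except subprocess.TimeoutExpired:
            return {"status": "timeout", "returncode": None, "stdout": "", "stderr": ""}
    if proc.returncode < 0:                      # terminated by a signal, e.g. SIGXCPU
        status = "killed"
    elif proc.returncode == 0:
        status = "ok"
    else:
        status = "error"
    return {
        "status": status,
        "returncode": proc.returncode,
        "stdout": proc.stdout[:MAX_OUTPUT_BYTES].decode(errors="replace"),
        "stderr": proc.stderr[:MAX_OUTPUT_BYTES].decode(errors="replace"),
    }


if __name__ == "__main__":
    # Constructed submissions: a benign one, one that probes the host, one that spins.
    for label, src in [
        ("benign", "print(2 + 2)"),
        ("env probe", "import os; print(sorted(os.environ))"),   # prints [] : nothing inherited
        ("cpu burn", "while True: pass"),                         # ends as "killed" (or "timeout")
    ]:
        print(label, run_submission(src)["status"])
```

The `os.system` case from the original post still works inside this wrapper; what changes is what it can reach: an empty environment, a throwaway directory, and a CPU budget. Anything beyond that (network, filesystem, kernel attack surface) is the job of the VM or container around the whole executor.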

Jewel
May 2, 2009

geonetix posted:

i have a feeling these are running in containers rather than vms though, and those are probably (still) easier to escape from if you can do syscalls on the hosting kernel... but again I'm not going to try and prove any of that

I was going to say "why not, it's not like they're going to crack down on you for testing against yourself, and they have a bug bounty program", but while the former is true, weirdly skype isn't on their bug bounty software list so leave them to wallow I guess.

duTrieux.
Oct 9, 2003

Jimmy Carter posted:

There was a guy who thought "hmmm Lumber Liquidators is probably so cheap they're buying their product from China where they cut corners", bought a bunch, had it tested, found it was way over the legal limit for formaldehyde, shorted it, and then made an article about it on Motley Fool. Completely legal.

fuckin nice

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Jimmy Carter posted:

There was a guy who thought "hmmm Lumber Liquidators is probably so cheap they're buying their product from China where they cut corners", bought a bunch, had it tested, found it was way over the legal limit for formaldehyde, shorted it, and then made an article about it on Motley Fool. Completely legal.

https://www.fool.com/investing/general/2013/06/25/why-im-selling-my-lumber-liquidators-shares.aspx

Article for anyone that cares

burning swine
May 26, 2004



yet another wide open s3 bucket fuckup

http://gizmodo.com/millions-of-time-warner-customer-records-exposed-in-thi-1798701579

quote:

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month.

The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC.

[...]

The leaked data included usernames, email addresses, MAC addresses, device serial numbers, and financial transaction information—though it does not appear that any Social Security numbers or credit card information was exposed.


lol
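The BroadSoft buckets were "without a password" because of their own configuration, and that configuration is something an owner can audit offline. As an added example (not Kromtech's tool, not anything from the article, and not a scanner for other people's buckets) the script below evaluates the three documents the S3 API returns for a bucket you own (`GetBucketPolicy`, `GetBucketAcl`, `GetPublicAccessBlock`) and reports grants to anonymous or all-authenticated callers. The sample policy, ACL and account ID are constructed; the Public Access Block handling is a simplification of the real evaluation (a statement with a `Condition` is reported for manual review rather than evaluated).

```python
"""Audit an S3 bucket's policy, ACL and Public Access Block for anonymous access.

Added example, not AWS's or any vendor's tool. Inputs are the JSON documents the
S3 API returns for your own buckets; the samples at the bottom are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _principal_is_everyone(principal) -> bool:
    """'*' or {"AWS": "*"} (possibly inside a list) means unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy: dict):
    """Yield the Allow statements whose principal is everyone."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        yield {
            "sid": st.get("Sid", "<no Sid>"),
            "actions": _as_list(st.get("Action")),
            "conditional": "Condition" in st,   # e.g. aws:SourceVpce; needs manual review
        }


def public_acl_grants(acl: dict):
    """Yield ACL grants to the AllUsers / AuthenticatedUsers groups."""
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            yield {"group": grantee["URI"].rsplit("/", 1)[-1], "permission": g.get("Permission")}


def audit_bucket(name, policy, acl, public_access_block):
    """Return human-readable findings; an empty list means nothing public was found."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    pab = public_access_block or {}
    findings = []
    # RestrictPublicBuckets confines a public policy to the account's own principals.
    if not pab.get("RestrictPublicBuckets"):
        for st in public_policy_statements(policy or {}):
            kind = "conditional" if st["conditional"] else "unconditional"
            findings.append(f"{name}: policy '{st['sid']}' grants "
                            f"{', '.join(st['actions'])} to everyone ({kind})")
    # IgnorePublicAcls makes S3 disregard public ACL grants entirely.
    if not pab.get("IgnorePublicAcls"):
        for gr in public_acl_grants(acl or {}):
            findings.append(f"{name}: ACL grants {gr['permission']} to {gr['group']}")
    return findings


# Constructed samples (example bucket name and AWS's documentation account ID).
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"]}]}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER_GRANT,
                        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PartnerRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/partner-ingest"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for line in audit_bucket("example-exports", LEAKY_POLICY, LEAKY_ACL, None):
        print(line)
    print("after PAB:", audit_bucket("example-exports", LEAKY_POLICY, LEAKY_ACL, HARDENED_PAB))
```

Run against your own account (feed it the output of `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`), the leaky sample produces two findings, the same bucket behind a fully enabled Public Access Block produces none, and the partner-only policy produces none. It deliberately does not enumerate or probe bucket names, which sidesteps the liability question raised below.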

There Will Be Penalty
May 18, 2002

Makes a great pet!
s3 bucket? more like, s3 fuckit! :newlol:

maskenfreiheit
Dec 30, 2004
has someone made some sort of tool to look for that sort of thing? i smell a defcon talk!

Wiggly Wayne DDS
Sep 11, 2010



as fun as randomly poking at s3 buckets is i want to say you don't want to incur liability by providing tools to make processing them in bulk easier

doesn't make the target painted on multiple researchers backs any smaller when they publicly disclose them mind you

maskenfreiheit
Dec 30, 2004

Wiggly Wayne DDS posted:

as fun as randomly poking at s3 buckets is i want to say you don't want to incur liability by providing tools to make processing them in bulk easier

doesn't make the target painted on multiple researchers backs any smaller when they publicly disclose them mind you

uh there's zero liability for creating a tool

if someone uses hydra to brute force a pw that's on them. similar logic

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Wiggly Wayne DDS posted:

as fun as randomly poking at s3 buckets is i want to say you don't want to incur liability by providing tools to make processing them in bulk easier

doesn't make the target painted on multiple researchers backs any smaller when they publicly disclose them mind you

partly the reason why i have never really released canario's tools out to the public

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

maskenfreiheit posted:

uh there's zero liability for creating a tool

Didn't malware_researcher or whatever his handle is get arrested by the FBI for ostensibly that very reason?

Wiggly Wayne DDS
Sep 11, 2010



the jury's still out

i will note that liability is also on the ability of clientele of s3 buckets for large data storage to swamp you in legal docs

maskenfreiheit
Dec 30, 2004

Wiggly Wayne DDS posted:

the jury's still out

i will note that liability is also on the ability of clientele of s3 buckets for large data storage to swamp you in legal docs

that's why god invented tor

Wiggly Wayne DDS
Sep 11, 2010



and yet look at all those s3 bucket disclosures with the named researcher behind a company that is v unlikely to be able to handle such a reaction

BattleMaster
Aug 14, 2000

Cocoa Crispies posted:

isn't the whole freezing ram thing related to a ram behavior that allows what it holds most of the time to influence the state it defaults to?

DRAM stores data as charges in tiny capacitors, representing a 1 as a charge and a 0 as no charge or vice-versa; this charge is used to hold a field-effect transistor open or closed to represent the data. in a perfect world the capacitors will hold their charge forever (theoretically the FETs don't draw any current) but in real life they leak over time due to various imperfections in real materials and lose their charge. DRAM periodically "refreshes" the capacitors by writing the stored data back to itself to prevent this loss of charge and thus a loss of data

the leakage is great enough that without refresh the data will be lost in a fraction of a second, so the refreshing normally happens many times per second to prevent lost data

cooling the DRAM ICs reduces the leakage enough that it will last several seconds without refresh so you can quickly swap the RAM stick into another computer without losing data, so when the second computer begins refreshing the data it will maintain whatever was in it

however regardless of cooling the capacitors will still leak enough that after more than several seconds the data will be lost forever because at that point the charge in capacitors representing a 1 will be indistinguishable from the charge representing a 0

there's no point to shredding RAM

edit: no point unless there's a policy that just shreds everything to be safe, but definitely no point to pulling out the ram specifically to shred it alongside the drives and nothing else

BattleMaster fucked around with this message at 00:15 on Sep 2, 2017

syscall girl
Nov 7, 2009


maskenfreiheit posted:

that's why god invented tor

strange idea of god there

(torpedo is still the best name for a sting though)

Wiggly Wayne DDS
Sep 11, 2010



i prefer 10m as my rule of thumb for lab-prepped recovery of ram data in an ideal scenario

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

syscall girl posted:



(torpedo is still the best name for a sting though)
