Pile Of Garbage
May 28, 2007



yeah let's use the premise from a fictional movie as a loose analogy for insider trading instead of the countless irl examples. pop culture plays better with the proles


Pile Of Garbage
May 28, 2007



wow gently caress that's a bad snipe

Shame Boy
Mar 2, 2010

Optimus_Rhyme posted:

Are those internal domains?

.root seems especially suspect

maybe it was an ~advanced persistent threat~

duTrieux.
Oct 9, 2003

Optimus_Rhyme posted:

Are those internal domains?

Yes.

Wiggly Wayne DDS
Sep 11, 2010



Optimus_Rhyme posted:

Are those internal domains?
whatever domain was tied to the beacon calling c2. i doubt that's a complete list either since they were altering it over time. worthwhile reading talos' analysis as it has a lot of good data in there. someone handed over the c2 server's contents to them (presumably hacked it going by their initial scepticism)

in other breach news:
https://twitter.com/GossiTheDog/status/910870859245596673

bitdefender's latest security blog post is more concerned over How a data breach left two Equifax executives jobless and eroded public trust overnight


e: turns out these were just api keys that companies had exposed and were brought up during an internal audit

Wiggly Wayne DDS fucked around with this message at 18:22 on Sep 21, 2017

Workaday Wizard
Oct 23, 2009

by Pragmatica
hey thread: how does one get in contact with krebs?

e: in a non-invasive manner obviously. don't want his home number thx

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

I guess they know who to address to get funding for security fixed.....

...ahhh, who am I kidding, CIOs are a FYGM of IT decisions.

spankmeister
Jun 15, 2008






Shinku ABOOKEN posted:

hey thread: how does one get in contact with krebs?

e: in a non-invasive manner obviously. don't want his home number thx

krebsonsecurity@gmail.com

flakeloaf
Feb 26, 2003

Still better than android clock

Shinku ABOOKEN posted:

hey thread: how does one get in contact with krebs?

e: in a non-invasive manner obviously. don't want his home number thx

oxaloacetate and acetyl coa

Workaday Wizard
Oct 23, 2009

by Pragmatica

thx

Wiggly Wayne DDS
Sep 11, 2010



anyone want a new dom fuzzer? https://github.com/google/domato

https://googleprojectzero.blogspot.co.uk/2017/09/the-great-dom-fuzz-off-of-2017.html

Optimus_Rhyme
Apr 15, 2007

are you that mainframe hacker guy?

CommieGIR posted:

CIOs are a FYGM of IT decisions.

flakeloaf
Feb 26, 2003

Still better than android clock

CommieGIR posted:

I guess they know who to address to get funding for security fixed.....

...ahhh, who am I kidding, CIOs are a FYGM of IT decisions.

CTOs are the FCKGW

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

flakeloaf posted:

CTOs are the FCKGW

"Hey guys, we got hacked, let's sell our stock before making the announcement!"

I worked with a CTO for a Fortune 500 in Georgia, and the guy was immensely clueless on technology other than knowing how to use his phone to check Facebook.

AARP LARPer
Feb 19, 2005

THE DARK SIDE OF SCIENCE BREEDS A WEAPON OF WAR

Buglord
lol nothing matters

Bloomberg Law posted:

Equifax Inc. could get away with paying a mere $1 per person after failing to protect almost half of America's credit data.

While the 118-year-old credit-reporting firm has been hit with more than 100 consumer lawsuits over its massive security breach, legal experts say there's room for a deal because neither side has a slam-dunk case.

A global settlement of about $200 million is plausible, said Nathan Taylor, a cybersecurity lawyer with Morrison Foerster LLP in Washington. That's a projection based on the $115 million Anthem Inc. agreed to pay in June -- setting a U.S. record -- to resolve claims that it didn't protect a smaller number of people from a 2015 criminal hack that stole similarly sensitive information, Taylor said.

That's a good deal for the embattled credit reporting company as its exposure theoretically could amount to $143 billion under a federal law that carries damages of as much as $1,000 per violation, plus punitive damages.

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl
i mean if eric holder wouldn't prosecute banks for literally laundering money for drug cartels ("it might destabilize the economy if we sent important executives to jail :qq:") then yeah there's no fuckin' hope equifax sees any legal consequences for this poo poo

Shaggar
Apr 26, 2006
w/ the cartel stuff it was 'cause it's the CIA's money.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Shaggar posted:

w/ the cartel stuff it was 'cause it's the CIA's money.

Yeah, but Trump's DOJ isn't going to touch the banks, no way in hell.

Shaggar
Apr 26, 2006
nobody is gonna touch their money

unless they collapse and then maybe they'll consider touching it but more likely they'll just give them more.

Carbon dioxide
Oct 9, 2012

SAN FRANCISCO (Reuters) - An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

https://www.reuters.com/article/us-...t-idUSKCN1BW0GV

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Carbon dioxide posted:

SAN FRANCISCO (Reuters) - An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

https://www.reuters.com/article/us-...t-idUSKCN1BW0GV
good

Just-In-Timeberlake
Aug 18, 2003

WAR DOGS OF SOCHI posted:

lol nothing matters

lmao how is that not a slam dunk case

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Just-In-Timeberlake posted:

lmao how is that not a slam dunk case

It is a slam dunk case, but they are actively passing measures and laws to protect Equifax.

GenericOverusedName
Nov 24, 2009

KUVA TEAM EPIC

flakeloaf posted:

oxaloacetate and acetyl coa

booo

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

flakeloaf posted:

oxaloacetate and acetyl coa

Boo this man

E:f;b

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

Carbon dioxide posted:

SAN FRANCISCO (Reuters) - An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

https://www.reuters.com/article/us-...t-idUSKCN1BW0GV

the algorithms in question are block ciphers SIMON and SPECK. did we really need two new block ciphers, anyway?

spankmeister
Jun 15, 2008






hackbunny posted:

the algorithms in question are block ciphers SIMON and SPECK. did we really need two new block ciphers, anyway?

Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations.

So... Yes?

AARP LARPer
Feb 19, 2005

THE DARK SIDE OF SCIENCE BREEDS A WEAPON OF WAR

Buglord
Have I got the basics of this right?

We've got perfectly good encryption methods that are basically uncrackable (without the aid of quantum computing), but the encryption/decryption is too compute heavy to be used in real-time applications; therefore, we need more "light-weight" versions but this in turn makes cracking them possible with current tech.

That sound about right?

Trabisnikof
Dec 24, 2005

spankmeister posted:

Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations.

So... Yes?

And yet apparently the Information Assurance Directorate didn't develop those ciphers

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
a developer wants to plug a single pgp keypair that i made last year into some global automated process instead of making keypairs for each of our clients. let's see if i can talk him out of it

spankmeister
Jun 15, 2008






Trabisnikof posted:

And yet apparently the Information Assurance Directorate didn't develop those ciphers

Yeah I get why they don't trust the NSA.

spankmeister
Jun 15, 2008






I took a cursory glance at those ciphers and it's not immediately obvious to me where that backdoor could reside.

With DUAL_EC it was pretty clear where the funny business could take place and the algorithm was suspect even before the whole juniper deal.
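The Speck/Simon discussion above, and the "where could a backdoor even sit" question in particular, gets clearer once the cipher is in front of you. The following is an added example, not code from the thread or from the NSA's specification: a Python transcription of the Speck round function and key schedule as given in the public spec, parameterised for Speck32/64 and Speck128/128, and checked against the spec's published Speck32/64 test vector (key 1918 1110 0908 0100, plaintext 6574 694c, ciphertext a868 42f2). It makes the structure concrete: the only operations are rotate, modular add and xor, and the only fixed constants are the two rotation amounts and the round counter mixed into the key schedule. The class and function names (`Speck`, `speck32_known_answer`, `roundtrip`) are mine, and the block handles single blocks only; a mode of operation would sit on top of it.

```python
# Added example (not from the thread): Speck round function and key schedule
# transcribed from the public specification. Word size n, key words m,
# rounds T, and rotation amounts alpha/beta per variant.
SPECK_PARAMS = {
    # variant: (n, m, T, alpha, beta)
    "Speck32/64": (16, 4, 22, 7, 2),
    "Speck128/128": (64, 2, 32, 8, 3),
}


class Speck:
    def __init__(self, variant, key_words):
        self.n, self.m, self.T, self.alpha, self.beta = SPECK_PARAMS[variant]
        self.mask = (1 << self.n) - 1
        if len(key_words) != self.m:
            raise ValueError(f"{variant} needs {self.m} key words")
        self.round_keys = self._expand_key(key_words)

    def _ror(self, x, r):
        return ((x >> r) | (x << (self.n - r))) & self.mask

    def _rol(self, x, r):
        return ((x << r) | (x >> (self.n - r))) & self.mask

    def _round(self, x, y, k):
        # One Speck round (ARX): rotate, add mod 2^n, xor with the round key.
        x = ((self._ror(x, self.alpha) + y) & self.mask) ^ k
        y = self._rol(y, self.beta) ^ x
        return x, y

    def _round_inverse(self, x, y, k):
        # Undo _round: recover y first, then x.
        y = self._ror(y ^ x, self.beta)
        x = self._rol(((x ^ k) - y) & self.mask, self.alpha)
        return x, y

    def _expand_key(self, key_words):
        # key_words is in the spec's printed order, e.g. [0x1918, 0x1110,
        # 0x0908, 0x0100] for "1918 1110 0908 0100". The spec names the last
        # printed word k[0] and the others l[m-2] .. l[0].
        words = list(reversed(key_words))
        k = [words[0]]
        l = words[1:]
        # The round function is reused for the schedule; the only constant
        # fed in is the round counter i.
        for i in range(self.T - 1):
            l_new, k_new = self._round(l[i], k[i], i)
            l.append(l_new)
            k.append(k_new)
        return k

    def encrypt_block(self, x, y):
        for rk in self.round_keys:
            x, y = self._round(x, y, rk)
        return x, y

    def decrypt_block(self, x, y):
        for rk in reversed(self.round_keys):
            x, y = self._round_inverse(x, y, rk)
        return x, y


def speck32_known_answer():
    """Encrypt the spec's Speck32/64 test vector; returns the ciphertext words."""
    cipher = Speck("Speck32/64", [0x1918, 0x1110, 0x0908, 0x0100])
    return cipher.encrypt_block(0x6574, 0x694C)  # -> (0xa868, 0x42f2)


def roundtrip(variant, key_words, x, y):
    """Encrypt then decrypt one block; returns the recovered plaintext words."""
    cipher = Speck(variant, key_words)
    return cipher.decrypt_block(*cipher.encrypt_block(x, y))


if __name__ == "__main__":
    ct = speck32_known_answer()
    print(f"Speck32/64 test vector -> {ct[0]:04x} {ct[1]:04x}")
```

The known-answer check is the part worth keeping around: any transcription error in rotation direction, word order or round count shows up immediately as a mismatch against the published vector, which is the first thing to verify before trusting any hand-rolled cipher code.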

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

spankmeister posted:

Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations.

So... Yes?

and aes rounds are now cpu instructions. so?

Hed
Mar 31, 2004

Fun Shoe

Trabisnikof posted:

And yet apparently the Information Assurance Directorate didn't develop those ciphers

that’s not where the crypto people sit though

Trabisnikof
Dec 24, 2005

Hed posted:

that’s not where the crypto people sit though

but doesn't iad run the defense side crypto or is that td?

also lol at having to install new root certs to visit https://iad.gov

edit: maybe i just need to enable tls 1.3 but w/e

a few DRUNK BONERS
Mar 25, 2016

spankmeister posted:

I took a cursory glance at those ciphers and it's not immediately obvious to me where that backdoor could reside.

With DUAL_EC it was pretty clear where the funny business could take place and the algorithm was suspect even before the whole juniper deal.

thank god you're here to glance at ciphers for 30 seconds and declare them backdoor free

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

a few DRUNK BONERS posted:

thank god you're here to glance at ciphers for 30 seconds and declare them backdoor free

did you fail to decrypt his post? that's not what he said

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
SVR Tracking leaks thousands of account credentials for vehicle tracking service, via everyone's favourite, unprotected amazon s3 bucket

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

WAR DOGS OF SOCHI posted:

Have I got the basics of this right?

We've got perfectly good encryption methods that are basically uncrackable (without the aid of quantum computing), but the encryption/decryption is too compute heavy to be used in real-time applications; therefore, we need more "light-weight" versions but this in turn makes cracking them possible with current tech.

That sound about right?

there's always a need for new ciphers, and in this case there's a need for new symmetric key block ciphers because AES isn't getting any younger and attacks on AES aren't getting any worse

consider SHA-1: having SHA-2 out, well-reviewed, and well-established in most computing environments for like a decade gave most projects on it something to move to quickly


vOv
Feb 8, 2014

flakeloaf posted:

oxaloacetate and acetyl coa

had to look this one up, glad i did
