Yeah, i figured. Be dope tho for someone there to be like "i'm that guy" and go through the trouble of obliterating his reputation. Bonus if equifax is contractually protecting him in court.

# ? Oct 4, 2017 03:01
|
Shaggar posted:
background checks are required for doing business with any government entities.

so you are saying professional bureaucrats would get hosed? seems like win/win to me.

# ? Oct 4, 2017 03:12
|
yeah I wouldn't entirely be upset about totally eliminating the federal government.

# ? Oct 4, 2017 03:13
|
Shaggar posted:
yeah I wouldn't entirely be upset about totally eliminating the federal government.

the federal government can do great things, but much like cops, the people attracted to that life are the people you don't want in those positions.

# ? Oct 4, 2017 03:23
|
i just had an idea and i dont know how bad/dumb it is

lets say you have a website with a TLS certificate which only supports modern protocols and ciphers (like TLS 1.2, ECDHE ciphers), and you have some clients connecting to some API endpoints over plain HTTP, and having those clients update their poo poo to use HTTPS is unfeasible for various reasons (their ancient environments may not support TLS 1.2 or modern ciphers, etc. etc.) but you want to use HTTPS as much as possible for everyone else, including people who view the site in a normal web browser

how bad an idea is it to send HSTS headers in HTTPS replies, without redirecting all HTTP traffic to HTTPS? those API endpoints will still work over HTTP, but if you connect over HTTPS, then you get HTTPS from then on (and also going to http://thesite.com redirects to HTTPS, so a lot of users might get a HSTS enablement reply pretty quickly)

# ? Oct 4, 2017 13:31
|
https://www.youtube.com/watch?v=4pgg2LCY8iE&feature=youtu.be&t=2h5m20s

in which the ceo of equifax explains to congress that while they had a fancy ssl cert and ran https on their forward facing stuff, nothing was encrypted at rest because

not exactly sure how something so massive could be the fault of one guy and a missed patch

# ? Oct 4, 2017 14:49
|
Lysidas posted:
i just had a idea and i dont know how bad/dumb it is

This is not really my wheelhouse, but what are you worried about here? That the clients too old and lazy to do HTTPS somehow see the HSTS headers by accident and actually obey it? AIUI HSTS just tells the browser or whatever "don't ever use http for this domain, even if 'me' tells you not to, ya dingus". It doesn't make your ciphers stronger and I have a hard time thinking of how it could impact a client who thinks HTTPS is "too hard" in tyool 2017.

# ? Oct 4, 2017 14:53
surebet posted:
https://www.youtube.com/watch?v=4pgg2LCY8iE&feature=youtu.be&t=2h5m20s

man you just got to shift to blame to one maintenance tech not manually patching apache struts b/c your automatic verification failed

# ? Oct 4, 2017 14:56
|
it seems fine the more I think about it, HSTS headers are only supposed to be sent or recognized over HTTPS, so if you can successfully connect over HTTPS then it becomes mandatory from then on, if you cant, then fine, you can keep using HTTP

# ? Oct 4, 2017 14:58
|
its me, the one it guy responsible for carrying apache struts + ibm into the second decade of the 21st millennium

I'm definitely the guy at fault, pay no attention to the managers and executives who probably never approved budget requests or took security posture seriously in the headwind of user complaints

# ? Oct 4, 2017 15:03
|
Potato Salad posted:
its me, the one it guy responsible for carryig apache struts + ibm into the second decade of the 21st millennium

How much you wanna bet the "lone engineer" is the guy who whined about terrible poo poo being broken and unpatched forever, was ignored, and finally quit in disgust? See we have this paper trail about him mentioning all this broken poo poo he never fixed, and he's not here to defend himself, so...

# ? Oct 4, 2017 15:18
|
Lysidas posted:
lets say you have a website with a TLS certificate which only supports modern protocols and ciphers (like TLS 1.2, ECDHE ciphers), and you have some clients connecting to some API endpoints over plain HTTP, and having those clients update their poo poo to use HTTPS is unfeasible for various reasons (their ancient environments may not support TLS 1.2 or modern ciphers, etc. etc.)

get a signed contract (like, lawyers) from those responsible for the non-modern-tls clients that specifies a private endpoint (probably a different url) for them and shifts liability for damages caused by their use of and your support of plaintext to them, and make their private plaintext endpoint restricted to those particular clients

# ? Oct 4, 2017 15:41
|
Lysidas posted:
it seems fine the more I think about it, HSTS headers are only supposed to be sent or recognized over HTTPS, so if you can successfully connect over HTTPS then it becomes mandatory from then on, if you cant, then fine, you can keep using HTTP

if your clients have "http://whatever" bookmarked and hit the HSTS page at all then their bookmark will show up as that big angry SOMETHING IS HORRIBLY WRONG page

or does HSTS cause the browser to internally automatically redirect? I know it didn't when i was first playing around with it a long time ago but i haven't actually had to check in a while...

# ? Oct 4, 2017 16:38
|
ate all the Oreos posted:
or does HSTS cause the browser to internally automatically redirect?

yeah that

e:

Cocoa Crispies posted:
get a signed contract (like, lawyers) from those responsible for the non-modern-tls clients that specifies a private endpoint (probably a different url) for them and shifts liability for damages caused by their use of and your support of plaintext to them, and make their private plaintext endpoint restricted to those particular clients

that sounds like probably a lot more effort than getting these clients to update their poo poo, and that HTTP API isnt broken, just suboptimal (messages are still cryptographically authenticated, but anyone can see what you are doing, which isnt catastrophic here)

Lysidas fucked around with this message at 16:48 on Oct 4, 2017

# ? Oct 4, 2017 16:46
|
Cocoa Crispies posted:
get a signed contract (like, lawyers) from those responsible for the non-modern-tls clients that specifies a private endpoint (probably a different url) for them and shifts liability for damages caused by their use of and your support of plaintext to them, and make their private plaintext endpoint restricted to those particular clients

No gat dangit we needed this yesterday, as in pronto, I am meeting with shareholders in fifteen minutes and I don't have time to deal with you obstructive guys trying to hold my company hostage with your ridiculous requests, seriously you're making me consider dropping you as a client!

# ? Oct 4, 2017 16:50
|
saying "no" and communicating risks of bad security to management is an important part of security

Lysidas posted:
that sounds like probably a lot more effort than getting these clients to update their poo poo, and that HTTP API isnt broken, just suboptimal (messages are still cryptographically authenticated, but anyone can see what you are doing, which isnt catastrophic here)

working as intended, won't fix

Potato Salad posted:
No gat dangit we needed this yesterday, as in pronto, I am meeting with shareholders in fifteen minutes and I don't have time to deal with you obstructive guys trying to hold my company hostage with your ridiculous requests, seriously you're making me consider dropping you as a client!

working as intended, won't fix

# ? Oct 4, 2017 16:53
|
Cocoa Crispies posted:
working as intended, won't fix

yeah literally this, my intention is "how can i push HTTPS and HSTS as much as possible for people viewing the website, while not having to contact our API clients in any way, let alone breaking their implementations which are probably cobbled together in vbscript or classic ASP running on windows server 2003"

# ? Oct 4, 2017 17:09
|
deprecate their endpoint and create a new https one that will be updated for everyone else

# ? Oct 4, 2017 18:30
|
Powaqoatse posted:
deprecate their endpoint and create a new https one that will be updated for everyone else

Or do an extreme deprecate like those web hosts did in the late 90s after the bubble and consolidated all cheap tier sites to one box and choke them out.

# ? Oct 4, 2017 21:04
|
ate all the Oreos posted:
if your clients have "http://whatever" bookmarked and hit the HSTS page at all then their bookmark will show up as that big angry SOMETHING IS HORRIBLY WRONG page

# ? Oct 4, 2017 21:15
|
Lysidas posted:
i just had a idea and i dont know how bad/dumb it is

you should run https only and tell them to get hosed

they should run a vm with a reverse proxy to dumb down https to http on their end, or you know not suck

# ? Oct 4, 2017 22:02
|
anthonypants posted:
we put HSTS on one of our IIS servers to test, and it doesn't have an HTTPS redirect set up, and if you go to http://that website, it doesn't work, but if you go to https://that website, it does work, and every subsequent connection to http://that website will automatically redirect to https://that website, and i'm assuming that'll remain true until the max age is expired or the browser is told to forget about that header on that domain

ah ok, all my stuff is setup to auto-redirect on the server anyway and has been for... years, so i couldn't ever really tell the difference i guess

# ? Oct 5, 2017 00:49
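The client-side behaviour the posts above are describing (header ignored over plain HTTP, remembered after one HTTPS response, http:// URLs upgraded internally until max-age runs out or a max-age=0 header clears it) as an added example that is not from any poster; it is a minimal model of the RFC 6797 rules, with an in-memory policy store and a `clock` parameter so expiry can be simulated, and it drops ports for simplicity:

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the thread: a minimal browser-side HSTS model
# (RFC 6797). Policies are kept in memory; real browsers persist them.
class HstsStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def process_response(self, url, headers):
        """Record a Strict-Transport-Security header; True if a policy changed."""
        parts = urlsplit(url)
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if parts.scheme != "https" or value is None:
            return False  # RFC 6797 s8.1: the header is ignored on non-TLS responses
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name, val = name.strip().lower(), val.strip().strip('"')
            if name == "max-age":
                if not val.isdigit():
                    return False  # malformed max-age: the whole header is ignored
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is mandatory
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self._policies[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        # Known if the host itself, or a parent with includeSubDomains, is unexpired.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy and self._clock() < policy[0] and (i == 0 or policy[1]):
                return True
        return False

    def rewrite(self, url):
        # The "internal redirect" asked about above: upgrade before any request is sent.
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname):
            return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
        return url
```

Feeding it an HTTPS response carrying the header and then an http:// bookmark for the same host shows the upgrade happening client-side, which is why the HTTP-only API clients that never complete a TLS handshake are unaffected.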
|
https://twitter.com/malpedia/status/915261404919287809

# ? Oct 5, 2017 16:17
|
LOL

# ? Oct 5, 2017 16:30
|
YOSPOS > Security Fuckup Megathread - v14.0 - DO NOT OPEN THE FUCKIN RANSOMWARE

# ? Oct 5, 2017 17:13
|
https://twitter.com/NatashaBertrand/status/915984644746735616

quote:
WASHINGTON—Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

# ? Oct 5, 2017 18:07
|
i'm the nsa contractor taking home classified material and having their av set to upload unknown samples for analysis

# ? Oct 5, 2017 18:11
|
McGlockenshire posted:
https://twitter.com/NatashaBertrand/status/915984644746735616

of course MS won't have the same problem, they're american and the NSA are here to make sure software is secure! why else would they review and test things??

# ? Oct 5, 2017 18:12
|
on a more serious note i'm not sure to attribute that to kaspersky being strongarmed to work with russian intel, or just a lucky find when their sigint arm trawls all av unknown sample uploads for interesting phrases/targets

# ? Oct 5, 2017 18:13
|
did that happen post Snowden? because it seems insane that people can still exfiltrate data that easily

# ? Oct 5, 2017 19:32
|
was this posted? because goddamn

https://arstechnica.com/information-technology/2017/10/yahoo-says-all-3-billion-accounts-were-compromised-in-2013-hack/

quote:

# ? Oct 5, 2017 20:49
|
Just-In-Timeberlake posted:
was this posted? because goddamn

WAR DOGS OF SOCHI posted:
lol oops

# ? Oct 5, 2017 20:53
|
anthonypants posted:
yeah, kinda, but the wsj article is paywalled

dump the url in outline.com

https://outline.com/AY7c9G

# ? Oct 5, 2017 20:56
|
Jenny Agutter posted:
did that happen post Snowden? because it seems insane that people can still exfiltrate data that easily

reality winner was post snowden as well

# ? Oct 5, 2017 20:59
|
McGlockenshire posted:
https://twitter.com/NatashaBertrand/status/915984644746735616

beautiful

the guy took NSA viruses home and put them on his home computer, where his antivirus detected them as potentially malicious files and sent them to the antivirus company. and since the company was Russian, the NSA couldn't just demand that the company delete it and forget it ever happened

# ? Oct 5, 2017 21:53
|
McGlockenshire posted:
https://twitter.com/NatashaBertrand/status/915984644746735616

remember that early yospos thing where cozpop malware took a screenshot of kaspersky not doing its job on a computer downloading a ton of german porn? lol

# ? Oct 5, 2017 22:05
|
the biggest risk in infosec is your self-important fuckhead users who won't report when something is wrong until months later

http://www.politico.com/story/2017/10/05/john-kelly-cell-phone-compromised-243514

# ? Oct 5, 2017 22:42
|
akadajet posted:
remember that early yospos thing where cozpop malware took a screenshot of kaspersky not doing it's job on a computer downloading a ton of german porn? lol

No but now I'd like to know more

# ? Oct 5, 2017 22:56
|
Volmarias posted:
No but now I'd like to know more

# ? Oct 5, 2017 23:19
|
Of course there are multiple "cleaning" and "tune-up" desktop icons.

# ? Oct 5, 2017 23:22