I don't know if this counts as a security fuckup, but I was talking to an Uber engineer today who told me a couple of interesting scams they encountered the past couple of years. Apparently Uber got heavily scammed in China by people exploiting the subsidies used to incentivize drivers to cruise around waiting for fares. The first scam involved phone emulators and fake GPS units to organize fake trips. When scammers tried to parallelize the system with multiple fake driver accounts, Uber caught on when they saw "snakes" of cars moving around the map. The second scam involved the drivers deliberately putting up scary profile pictures, making the driver look like a vampire or a ghost. The hope was that the customer would be so put off that they'd cancel the ride before pickup, which would give the driver a few yuan as compensation for the cancelled ride. Uber had to implement a facial recognition system that ensured profile pictures closely matched their owner.

edit: minato fucked around with this message at 03:48 on Nov 5, 2017

Nov 5, 2017 03:45

minato posted: I don't know if this counts as a security fuckup, but I was talking to an Uber engineer today who told me a couple of interesting scams they encountered the past couple of years.

I'd be more likely to go on a trip if my drivers looked cool like that

Nov 5, 2017 04:52

Bulgogi Hoagie posted: thinking about FIDO tokens but instead of a FIDO key it’s touchid like for u2f?

i think https://github.com/github/SoftU2F lets you do this

Nov 5, 2017 05:25

minato posted: I don't know if this counts as a security fuckup, but I was talking to an Uber engineer today who told me a couple of interesting scams they encountered the past couple of years.

ahhh... the entrepreneur spirit

Nov 5, 2017 06:27

Raere posted: I'd be more likely to go on a trip if my drivers looked cool like that

Nov 5, 2017 07:06

minato posted: I don't know if this counts as a security fuckup, but I was talking to an Uber engineer today who told me a couple of interesting scams they encountered the past couple of years.

razor and blade spotted

Nov 5, 2017 07:15

imagine i photoshopped the uber app onto that screen

Nov 5, 2017 07:16

Rufus Ping posted: razor and blade spotted

razor and blade? they're flakes!

Nov 5, 2017 07:27

infernal machines posted: razor and blade? they're flakes!

Nov 5, 2017 08:31

minato posted: I don't know if this counts as a security fuckup, but I was talking to an Uber engineer today who told me a couple of interesting scams they encountered the past couple of years.

Ride sharing with Chinese characteristics.

Nov 5, 2017 08:42

anthonypants posted: wasn't there an account that screencapped tweets from politicians and would repost them when they got deleted? and then that account got shut down

yeah. a couple years ago, Twitter changed their API terms to ban saving deleted tweets in any way. and every site that did that kind of thing got banned from the Twitter API. they reversed course and let those sites back on a few months later after various transparency orgs kicked up a fuss and sent angry letters

Nov 5, 2017 22:35

Main Paineframe posted: and every site that did that kind of thing got banned from the Twitter API

they went further, and looked up all the api keys created by the same person as the offending one, then looked at the accounts using those keys to tweet. i had a couple of private accounts with 0 followers keeping tabs on people's deleted tweets and they got shut down at the same time as a big public one i ran

Nov 5, 2017 23:10

well yeah. i mean in this day and age lol if you think you're more than a few joins away from a twitter ban/gitmo/death camps

Nov 5, 2017 23:15

what prevents watchdogs from using a non-api scraper to save deleted tweets

Nov 6, 2017 01:37

haveblue posted: what prevents watchdogs from using a non-api scraper to save deleted tweets

Probably nothing, but they would scrape a poo poo ton more tweets and be a lot more efficient in general using the API

Nov 6, 2017 01:47

nothing but the streaming api gives you notifications about deleted tweets (their ID only, not the text itself) in real time which is very appealing

Nov 6, 2017 01:48

haveblue posted: what prevents watchdogs from using a non-api scraper to save deleted tweets

Or just not publishing that you've seen a deleted tweet using an account tied in any way to the API keys collecting the data

Nov 6, 2017 01:49

this was probably posted months ago but i found this post by troy hunt about EV certs interesting https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/ https://twitter.com/troyhunt/status...lets-encrypt%2F

Nov 6, 2017 14:47

Bulgogi Hoagie posted: this was probably posted months ago but i found this post by troy hunt about EV certs interesting

tbf most of the people i know would at least know what "https" is if you didn't call it "a cert." like my mom knows what HTTPS is and has a basic grasp of what it does but if i asked her if she looked for "EV certs" she'd be all "what like the mints?"

Nov 6, 2017 15:36

like if you phrase it as "what do you think about when the URL bar turns green and has the company name next to it" instead i think it would be more applicable

Nov 6, 2017 15:38

in https vs ssl vs tls vs certs I think https is the most clear in my experience. everything is advertised as SSL even though it's all actually TLS which most people aren't gonna understand, and then certificates and trust are just way beyond most people. it's always http or https tho and telling them they want the one with the s is easy

Nov 6, 2017 15:43

ate all the Oreos posted: like if you phrase it as "what do you think about when the URL bar turns green and has the company name next to it" instead i think it would be more applicable

anthonypants fucked around with this message at 17:37 on Nov 6, 2017

Nov 6, 2017 17:32

Just found out my company has SMBv1 turned on. This is after WannaCry, and after upgrading to server 2016.

Nov 6, 2017 18:23

ratbert90 posted: Just found out my company has SMBv1 turned on.

I wanna bet the domain functional level is 2003 or 2008 at the most

Nov 6, 2017 18:26

spankmeister posted: I wanna bet the domain functional level is 2003 or 2008 at the most

All the corporate servers were updated to 2016. There isn't a corporate server that's lower than that.

Nov 6, 2017 18:27

ratbert90 posted: All the corporate servers were updated to 2016. There isn't a corporate server that's lower than that.

i think what he is saying is that your modern servers are configured like it was fashionable a decade ago

Nov 6, 2017 18:30

cinci zoo sniper posted: i think what he is saying is that your modern servers are configured like it was fashionable a decade ago

Oh, well yeah probably, as the guy the CEO hired to do it was a blithering idiot who refused to accept that poo poo changes over time.

Nov 6, 2017 18:31

ad domain function level doesn't change unless you manually change it

Nov 6, 2017 18:32

You can have an all-server 2016 domain but still have a DFL of 2008 or 2012 or w/e https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

Nov 6, 2017 18:32

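A defender-side check for the two separate things this subthread is circling, written as an added example (not code from any poster): whether the SMB1 server protocol is actually enabled on a Server 2016 box, and what the domain and forest functional levels are, since upgrading every DC to 2016 leaves those exactly where they were. It assumes it is run elevated on a domain-joined server with the RSAT ActiveDirectory module installed; the `-Remediate` switch and its behaviour are this example's own design.

```powershell
# Added example, not from the thread. Assumes: elevated PowerShell on a domain-joined
# Windows Server 2016 host with the ActiveDirectory (RSAT) module. Read-only by default.
param([switch]$Remediate)

# 1. SMB1 state. The FS-SMB1 feature being installed and the protocol being enabled
#    are independent knobs; WannaCry-era advice is to turn both off.
$smb  = Get-SmbServerConfiguration
$feat = Get-WindowsFeature -Name FS-SMB1
[pscustomobject]@{
    SMB1ProtocolEnabled  = $smb.EnableSMB1Protocol
    SMB1FeatureInstalled = $feat.Installed
    SMB2Enabled          = $smb.EnableSMB2Protocol
    SMB1AuditingOn       = $smb.AuditSmb1Access
} | Format-List

# 2. Functional levels. These reflect the oldest DC version the domain/forest still
#    tolerates, not the OS on the boxes; they only move when someone raises them.
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    DomainFunctionalLevel = $domain.DomainMode
    ForestFunctionalLevel = $forest.ForestMode
    DomainControllers     = ($domain.ReplicaDirectoryServers -join ', ')
} | Format-List

# 3. Before pulling SMB1, see who still speaks it. With AuditSmb1Access on, each SMB1
#    connection logs event 3000 in the SMBServer/Audit log with the client address,
#    which is how you find that one old printer before it becomes a helpdesk ticket.
if ($smb.AuditSmb1Access) {
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 |
        Select-Object TimeCreated, Message |
        Format-Table -Wrap
} else {
    Write-Warning 'SMB1 auditing is off; enable it for a week before disabling SMB1:'
    Write-Warning '  Set-SmbServerConfiguration -AuditSmb1Access $true -Force'
}

# 4. Optional remediation for SMB1 only. Raising the functional level
#    (Set-ADDomainMode / Set-ADForestMode) is a one-way change and is left to a human.
if ($Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Uninstall-WindowsFeature -Name FS-SMB1      # takes effect after a reboot
}
```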
spankmeister posted: You can have an all-server 2016 domain but still have a DFL of 2008 or 2012 or w/e

Nov 6, 2017 19:35

You have now, or had at some point and no one changed the documentation, a printer that required it.

Nov 6, 2017 19:54

anthonypants posted: domain/forest functional level also doesn't impact smb but using smbv1 in tyool 2017 is a good indicator that your it department is dumb

That would indicate we have an IT department. Corporate has its own network that has a single Trunk going to the engineering network. Corporate runs WS2k16, engineering runs CentOS7. Engineering is 100% in charge of the engineering network. I set it up where every server runs yum-cron, SELinux is set to enforcing, and firewalld is setup as well. Corporate I have no loving clue, but they updated a few months ago from WS2003 to WS2016. Apparently, they don't give nearly as much of a poo poo about infosec as I do.

Nov 6, 2017 19:57

why the gently caress are you running firewalld put an ASA or something in there instead

Nov 6, 2017 20:27

some more android vulnerabilities: https://pleasestopnamingvulnerabilities.com

Nov 6, 2017 20:34

Wiggly Wayne DDS posted: some more android vulnerabilities: https://pleasestopnamingvulnerabilities.com

so this will be named PSNV?

Nov 6, 2017 20:38

Wiggly Wayne DDS posted: some more android vulnerabilities: https://pleasestopnamingvulnerabilities.com

Scotty is a super cool dude, I'm glad he didn't totally burn out.

hobbesmaster posted: so this will be named PSNV?

Doubt it, they don't get traction these days without dedicated PR people being involved and he isn't trying to sell you anything. It's too complicated and doesn't have a clever name and so won't be noticed compared to a lot of the far less interesting bugs that have lit up the press this year.

Nov 6, 2017 20:46

Wiggly Wayne DDS posted: some more android vulnerabilities: https://pleasestopnamingvulnerabilities.com

Pls

Nov 6, 2017 20:48

RISCy Business posted: why the gently caress are you running firewalld

Nov 6, 2017 20:51

Bulgogi Hoagie posted: https://twitter.com/lukasstefanko/status/926084558273044481

Wiggly Wayne DDS posted: some more android vulnerabilities: https://pleasestopnamingvulnerabilities.com

Nov 6, 2017 20:52

the real joke is that's just a normal month of android vulns but on a webpage people will read rather than the security bulletin

Nov 6, 2017 20:54