|
Optimus_Rhyme posted:I was gonna reply to a link to his awesome DEFCON talk but NOOOOOPE youtube took it down https://archive.org/details/youtube-PfbMZJsb1cQ
|
#
?
Dec 11, 2017 13:25
|
|
|
|
| # ? May 15, 2024 18:22 |
|
|
SeaborneClink posted:you forgot the part of enterprise-grade security where there's only two groups that have access, one of them is read-only with a symbol-for-char substituted password and the elevated credentials are admin:admin. sounds accurate
|
|
#
?
Dec 11, 2017 14:35
|
|
|
thanks 
|
|
#
?
Dec 11, 2017 14:43
|
|
|
Jewel posted:I still don't quite get it, it's hinting at RCE in battlenet but.. what is localbattle.net? Like, that's not a registered domain and I cant find anything in the battle.net client that hosts some kind of web interface access like some programs do. And googling that url only returns that taviso tweet. my guess is localbattle.net is a local proxy that does Something with the authenticator and they're putting a local cert trust to handle it maaaaaybe with an identical private key on every install or maybe it can be used to validate for domains it shouldn't be who knows at this point
|
|
#
?
Dec 11, 2017 14:45
|
|
|
my guess is it's just accessible from the network and you can send it something it'll execute
|
|
#
?
Dec 11, 2017 14:54
|
|
|
well that’s a given but what was the likely design goal?
|
|
#
?
Dec 11, 2017 14:56
|
|
|
My money is on Blackberry Stupid, like not bothering to do the work to support 2FA on the backend so its shimmed in through the local proxy
|
|
#
?
Dec 11, 2017 15:03
|
|
|
https://twitter.com/imnoah/status/936948776119537665
|
|
#
?
Dec 11, 2017 16:58
|
|
|
hahahahaha
|
|
#
?
Dec 11, 2017 17:00
|
|
|
Wait a minute. Waaaait a minute. Does archive.org have copies of all DMCA'd youtube videos? Because that would be quite a big deal.
|
|
#
?
Dec 11, 2017 17:20
|
|
|
That would own
|
|
#
?
Dec 11, 2017 17:26
|
|
|
Surely they don't have the storage needed to scrape all of youtube
|
|
#
?
Dec 11, 2017 17:27
|
|
|
spankmeister posted:Surely they don't have the storage needed to scrape all of youtube they probably only scrape certain channels that talk isn’t on def con’s media server fwiw
|
|
#
?
Dec 11, 2017 17:52
|
|
|
spankmeister posted:That would own
|
|
#
?
Dec 11, 2017 17:57
|
|
|
Carbon dioxide posted:Wait a minute. It's way more likely to have them if the link had been spread widely before the thing got taken down. Some random video a channel with 2 videos and 3 viewers ever puts up and gets taken down probably won't be grabbed.
|
|
#
?
Dec 11, 2017 18:03
|
|
|
https://twitter.com/magoo/status/939227346887884800 theft of 4700 bitcoins is $75,000,000 not bad for a couple hours work
|
|
#
?
Dec 11, 2017 18:47
|
|
|
i feel like there should be an asterisk whenever a news article says something like "$75,000,000 of bitcoins were stolen!" because there's no way in hell the thieves are converting all those bitcoins to hard currency in any reasonable time frame and without setting off regulatory scrutiny and/or a market crash.
|
|
#
?
Dec 11, 2017 20:25
|
|
|
what passes for regulatory scrutiny when it comes to butts
|
|
#
?
Dec 11, 2017 20:26
|
|
|
Kuvo posted:i feel like there should be an asterisk whenever a news article says something like "$75,000,000 of bitcoins were stolen!" because there's no way in hell the thieves are converting all those bitcoins to hard currency in any reasonable time frame and without setting off regulatory scrutiny and/or a market crash. well yeah they will HODL until it's at least $200,000,000 in butts
|
|
#
?
Dec 11, 2017 20:27
|
|
|
flakeloaf posted:what passes for regulatory scrutiny when it comes to butts
|
|
#
?
Dec 11, 2017 20:33
|
|
|
how soon we forget the crushing tyranny of THE BITLICENSE
|
|
#
?
Dec 11, 2017 21:10
|
|
|
infernal machines posted:guess who made it to ars The blog linked has a summary of the vulnerabilities, which are indeed... interesting quote:An attacker can remotely unlock any safe in this product line through specially formatted Bluetooth messages, even with no knowledge of the pin code. The phone application requires the valid pin to operate the safe, and there is a field to supply the pin code in an authorization request. However the safe does not verify the pin code, so an attacker can obtain authorization and unlock the safe using any arbitrary value as the pin code. In other news - HP left off another keylogger: https://www.scmagazineuk.com/hidden-hp-keylogger-found-preinstalled-on-models-dating-back-to-2012/article/713242/ canis minor fucked around with this message at 21:42 on Dec 11, 2017 |
|
#
?
Dec 11, 2017 21:39
|
|
|
The fact that WS2016 has SMBv1 turned on by default is so bad I can't even describe it.
|
|
#
?
Dec 11, 2017 22:22
|
|
|
So I'm having an argument at work with someone because a system grants all users admin access by default, however you can go in set the account to have read only access. They disagree that this is a problem. That's my head in the sand SecFuck story.
|
|
#
?
Dec 11, 2017 22:26
|
|
|
ratbert90 posted:The fact that WS2016 has SMBv1 turned on by default is so bad I can't even describe it. It's on out of box but turns itself off as some period of time when it determines it isn't in use. It's still not great, but better than it initially appears
|
|
#
?
Dec 11, 2017 22:34
|
|
|
ratbert90 posted:The fact that WS2016 has SMBv1 turned on by default is so bad I can't even describe it. at least they dropped 32bit finally, 6 years after osx did
|
|
#
?
Dec 11, 2017 22:34
|
|
|
Perplx posted:at least they dropped 32bit finally, 6 years after osx did
|
|
#
?
Dec 11, 2017 22:34
|
|
|
my current secfuck story: work laptops and computers don’t have encrypted drives, no bitlocker no nothing.
|
|
#
?
Dec 11, 2017 22:39
|
|
|
Boiled Water posted:my current secfuck story: work laptops and computers don’t have encrypted drives, no bitlocker no nothing. lol hope you have TPMs in them
|
|
#
?
Dec 11, 2017 22:41
|
|
|
Current secfuck status: looking at the CRC implementation in proxmark firmware.
|
|
#
?
Dec 11, 2017 22:43
|
|
|
BangersInMyKnickers posted:lol hope you have TPMs in them how would it help with bitlocker turned off?
|
|
#
?
Dec 11, 2017 22:49
|
|
|
because its trivial to rollout after the fact so long as you have tpm. if not, good luck getting people to remember their additional password/pin
|
|
#
?
Dec 11, 2017 22:50
|
|
|
there’s no plan to roll it out it’s  all the way down
|
|
#
?
Dec 11, 2017 22:57
|
|
|
Got local admin? Cause turn that poo poo on anyway
|
|
#
?
Dec 11, 2017 23:01
|
|
|
BangersInMyKnickers posted:lol hope you have TPMs in them do anything other than rinkydink best buy specials not come with bitlocker capable TPM these days?
|
|
#
?
Dec 11, 2017 23:20
|
|
|
I know the Lenovo yoga and I think yoga 2 shipped without one
|
|
#
?
Dec 11, 2017 23:26
|
|
|
those are rinkydink best buy specials. see also: mac book pros.
|
|
#
?
Dec 11, 2017 23:31
|
|
|
Boiled Water posted:there’s no plan to roll it out I have another layer on this. None of our work PCs have drive encryption because they're too busy bikeshedding the solution. Their workaround? Nobody is allowed to purchase >128GB laptop hard drives, to prevent "too much" data being lost. The upshot is that since the last Windows update I no longer have enough space to have VS2015 and 2017 installed simultaneously and I can't procure a larger HDD to do my loving job
|
|
#
?
Dec 11, 2017 23:34
|
|
|
theodop posted:I have another layer on this. lmao do some sh/sc posters work in your it department or something
|
|
#
?
Dec 11, 2017 23:46
|
|
|
|
| # ? May 15, 2024 18:22 |
|
|
Cocoa Crispies posted:lmao do some sh/sc posters work in your it department or something big businesses make terrible decisions
|
|
#
?
Dec 11, 2017 23:59
|
|