|
98% of security people fall into one of two camps: 1. people without the slightest understanding of what is and isn't a security vulnerability 2. people who don't get that making something more secure is pointless if you make the thing you're securing useless in the process
|
#
?
Dec 21, 2017 17:34
|
|
|
|
| # ? May 22, 2024 07:04 |
|
|
hobbesmaster posted:linus probably saw one too many “root access allows you to run arbitrary commands” vulns and blew up at them whats painful is that hes too pigheaded to hire spender so instead gets people to reimplement his work, poorly
|
|
#
?
Dec 21, 2017 17:48
|
|
|
Boiled Water posted:maybe it’s linux people in general hating things, people, themselves yeah linux torvalds is kind of a derisive gently caress and so many security people are arrogant as poo poo too linux's organizing principle is "linux gets what linux wants" and when he decides he'd rather stick his fingers in his ear and screech about how security people are bad that's what we get
|
|
#
?
Dec 21, 2017 18:51
|
|
|
maskenfreiheit posted:Did anyone post this yet?
|
|
#
?
Dec 21, 2017 19:33
|
|
|
https://twitter.com/motherboard/status/943876599325384704 
|
|
#
?
Dec 21, 2017 20:12
|
|
|
https://twitter.com/hdmoore/status/943913699630346240 2017 and Math.random is still being used
|
|
#
?
Dec 21, 2017 20:30
|
|
|
Cocoa Crispies posted:yeah linux torvalds is kind of a derisive gently caress and so many security people are arrogant as poo poo too his problem is that a lot of security patches will set new rules, make the penalty for stepping over the line instant death for a process and then ask for it to be merged after barely testing it and adding last minute "oops, forgot about case x" fixes, which means that other forgotten things will almost certainly break and make life miserable for people.
|
|
#
?
Dec 21, 2017 20:38
|
|
|
linus thinks bugs are bugs, and that includes security bugs, and would rather fix the bugs through careful engineering than add protection layers. spender believes strongly that the right way forward is adding protection layers that make bugs in the kernel inert, and if it breaks things, he sees that as the actual bug. both linus and spender are hotheads who will never agree on anything. linus is right when he says security people are insane, and spender is right when he says linux security is a shitshow. your operating system is a piece of poo poo, bicth
|
|
#
?
Dec 21, 2017 20:45
|
|
|
Suspicious Dish posted:linus thinks bugs are bugs, and that includes security bugs, and would rather fix the bugs through careful engineering than add protection layers. Spender is far worse than Linus, which says a lot, if he weren't such a toxic jerk in his interactions with others and actually worked to get his changes upstream instead of screaming about how right he is we might actually have those hardening changes in devices instead of angry Twitter posts about how right he is.
|
|
#
?
Dec 21, 2017 21:05
|
|
|
an update appears: https://twitter.com/chort0/status/943933566596952065
|
|
#
?
Dec 21, 2017 21:18
|
|
|
Wiggly Wayne DDS posted:an update appears: slightly related: is there tooling that allows for an audit of local CAs being used? macos compatible preferred
|
|
#
?
Dec 21, 2017 21:40
|
|
|
Wiggly Wayne DDS posted:2017 and Math.random is still being used genuine asking-from-ignorance question - what should they be doing?
|
|
#
?
Dec 21, 2017 22:30
|
|
|
salted hash browns posted:slightly related: is there tooling that allows for an audit of local CAs being used? macos compatible preferred on windows you would just use gpos or wmi to enforce or audit cert stores but idk how it works for Linuxes.
|
|
#
?
Dec 21, 2017 22:35
|
|
|
Inexplicable Humblebrag posted:genuine asking-from-ignorance question - what should they be doing? they should be using a cryptographically secure random number generator. By using math.random someone could theoretically predict a password that would be generated.
|
|
#
?
Dec 21, 2017 22:37
|
|
|
Inexplicable Humblebrag posted:genuine asking-from-ignorance question - what should they be doing? cloud flare has a wall of lava lamps which seems to work
|
|
#
?
Dec 21, 2017 22:37
|
|
|
Shaggar posted:they should be using a cryptographically secure random number generator. By using math.random someone could theoretically predict a password that would be generated. yes, but instead of "could theoretically" you can assume "will definitely".
|
|
#
?
Dec 21, 2017 22:41
|
|
|
Shaggar posted:they should be using a cryptographically secure random number generator. By using math.random someone could theoretically predict a password that would be generated. yeah an example of this is that bitcoin wallet code generator that used Math.random() and someone popped by just literally running the generateCode() function for every millisecond between the time that the site started and now. Then it's just a matter of testing each code generated, which is a far smaller space than otherwise required.
|
|
#
?
Dec 21, 2017 22:44
|
|
|
Inexplicable Humblebrag posted:genuine asking-from-ignorance question - what should they be doing? there's no generally cross-browser-compatible way what they should probably be doing is anything other than crypto in js
|
|
#
?
Dec 21, 2017 22:47
|
|
|
Cocoa Crispies posted:there's no generally cross-browser-compatible way it's a good thing that's not js then
|
|
#
?
Dec 21, 2017 22:53
|
|
|
strange that the cto isn't talking through legal: https://twitter.com/CraigLurey/status/943948894743834624
|
|
#
?
Dec 21, 2017 22:57
|
|
|
Inexplicable Humblebrag posted:genuine asking-from-ignorance question - what should they be doing? Cocoa Crispies posted:there's no generally cross-browser-compatible way https://caniuse.com/#feat=getrandomvalues
|
|
#
?
Dec 21, 2017 23:25
|
|
|
Wiggly Wayne DDS posted:an update appears:
|
|
#
?
Dec 21, 2017 23:26
|
|
|
anthonypants posted:is that bad not if you trust blizzard to 1) generate the key material for it correctly 2) not abuse it
|
|
#
?
Dec 21, 2017 23:28
|
|
|
scam email going around "from" paypal@paypal.com https://twitter.com/HungrySuccubus/status/943956940727525376
|
|
#
?
Dec 22, 2017 00:49
|
|
|
Jewel posted:scam email going around "from" paypal@paypal.com I don't understand what the scam here is, and why that thread is full of furrys.
|
|
#
?
Dec 22, 2017 00:54
|
|
|
it's like stuxnet only it targets mains-driven bad dragon devices
|
|
#
?
Dec 22, 2017 00:58
|
|
|
that looks legit but i guess they inadvertently sent it to normal customers not sellers who use their API
|
|
#
?
Dec 22, 2017 01:13
|
|
|
you're not supposed to use GET on SOAP? how do you do GET things then
|
|
#
?
Dec 22, 2017 01:15
|
|
|
mrmcd posted:I don't understand what the scam here is, and why that thread is full of furrys. i assume the full e-mail has a link to paypal.com.totallynotascam.com or something, but it is possible paypal hosed it up
|
|
#
?
Dec 22, 2017 01:23
|
|
|
I want to subscribe to a paid infosec magazine/journal for CISSP CPEs. Any recommendations? Preferably something without cyber in the title so I know it's not trash.
|
|
#
?
Dec 22, 2017 02:53
|
|
|
vOv posted:i assume the full e-mail has a link to paypal.com.totallynotascam.com or something, but it is possible paypal hosed it up yes. there's a link down below that takes you to shady website. they spoofed the sender address
|
|
#
?
Dec 22, 2017 03:03
|
|
|
Raere posted:I want to subscribe to a paid infosec magazine/journal for CISSP CPEs. Any recommendations? Preferably something without cyber in the title so I know it's not trash.
|
|
#
?
Dec 22, 2017 03:06
|
|
|
2600
|
|
#
?
Dec 22, 2017 03:29
|
|
|
when will people stop using the "from:" field as an indicator whether a mail is supposedly good or bad
|
|
#
?
Dec 22, 2017 03:32
|
|
|
mrmcd posted:I don't understand what the scam here is, and why that thread is full of furrys. it may surprise you to learn this, but furries are regular people just like you and I who use twitter and get spoofed scam emails
|
|
#
?
Dec 22, 2017 03:35
|
|
|
Jewel posted:scam email going around "from" paypal@paypal.com code:Ulf fucked around with this message at 03:58 on Dec 22, 2017 |
|
#
?
Dec 22, 2017 03:56
|
|
|
anthonypants posted:is that bad tavis says what they're doing looks fine to him so i'm going to assume that the people melting down over it don't know what they're talking about
|
|
#
?
Dec 22, 2017 04:27
|
|
|
Some of you guys would be surprised at just how large a percentage of all incoming security vulnerability reports are convoluted versions of "if I have root and do [thing], I get root!"
|
|
#
?
Dec 22, 2017 04:42
|
|
|
James Baud posted:Some of you guys would be surprised at just how large a percentage of all incoming security vulnerability reports are convoluted versions of "if I have root and do [thing], I get root!" 99%?
|
|
#
?
Dec 22, 2017 04:52
|
|
|
|
| # ? May 22, 2024 07:04 |
|
|
hobbesmaster posted:99%?
|
|
#
?
Dec 22, 2017 05:37
|
|