|
ymgve posted:also this puts the burden of restricting on the browser, so if you have a non-sane browser, like IE5 for some reason, you might still be vulnerable IIRC IE5's proto-XHR didn't allow any xdomain requests, other than through their trust zone bullshit. oh, and the still-to-this-day ignoring of port number in the origin
|
# ? Jan 12, 2018 15:48 |
|
|
# ? May 28, 2024 15:10 |
|
ymgve posted:also this puts the burden of restricting on the browser, so if you have a non-sane browser, like IE5 for some reason, you might still be vulnerable old versions of flash didn't have any cross-origin stuff and also let you set headers iirc the way we fixed riak http mapred was to make it check both referer and origin, because xhr had consistent behavior, and vulnerable versions of flash were old-ish, and i think the long term fix was
|
# ? Jan 12, 2018 15:57 |
|
Proteus Jones posted:I'm not seeing where you can come to that conclusion from the link you gave. No I mean like I just saw a colleague do it on his phone and get 10 vouchers for free poo poo for clicking on the radio button in the app. From looking at the link it's not meant to work like that, dunno if there's anyone else who's actually noticed it but it made me lol.
|
# ? Jan 12, 2018 16:22 |
|
wew https://twitter.com/FSecure/status/951738561535119360
|
# ? Jan 12, 2018 17:02 |
|
In Intel news, there's also this:https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/ posted:We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center. We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue. So, they botched the microcode update that resolves one of the Spectre variants... but how badly are we talking here?
|
# ? Jan 12, 2018 17:08 |
|
i mean thats what happens when you have to rush a patch out because some amd moron discloses all your poo poo a week early
|
# ? Jan 12, 2018 17:09 |
|
actually that brave engineer was defending his company being unfairly characterised as affected by an embargoed vulnerability
|
# ? Jan 12, 2018 17:13 |
|
Seriously gently caress Intel for throwing AMD under the bus for Meltdown and trying to drag them down as well
|
# ? Jan 12, 2018 17:16 |
|
BangersInMyKnickers posted:Seriously gently caress Intel for throwing AMD under the bus for Meltdown and trying to drag them down as well They did get hit by Spectre, but yeah, it was hilarious to see Intel try to frame it as fully affecting AMD too.
|
# ? Jan 12, 2018 17:46 |
|
https://twitter.com/hanno/status/951840524754923521quote:Hi,
|
# ? Jan 12, 2018 17:53 |
|
James Baud posted:In Intel news, there's also this: i'd assume they will likely get this fixed, they are however operating on fantastically short timelines compared to where their usual hardware validation operates, and it is likely a minefield of small, never before seen, bugs to navigate as they do this microcode work overall things are looking better than many feared (and/or hoped)
|
# ? Jan 12, 2018 17:54 |
|
Cybernetic Vermin posted:i'd assume they will likely get this fixed, they are however operating on fantastically short timelines compared to where their usual hardware validation operates, and it is likely a minefield of small, never before seen, bugs to navigate as they do this microcode work Oh for sure, just calling attention to "you really want to watch for the next microcode update" with possibility that giving this one a pass altogether may be a good idea depending on situation.
|
# ? Jan 12, 2018 18:22 |
|
Progressive JPEG posted:google refuses to enable u2f against firefox
|
# ? Jan 12, 2018 18:40 |
|
I dont get this. Is this something firefox needs to implement on their end or is da g00g basically just not allowing this functionality to work on gapps? can you use u2f on other sites on firefox?
|
# ? Jan 12, 2018 18:51 |
|
You need to enable a setting in about:config but once you do that it works fine. I've enabled/used U2F on Github, Fastmail, Dropbox, and Gandi with Firefox ...check version... 57 without any problems. Github (and possibly others, didnt check) will apparently even give a different UI depending on whether that about:config setting is actually enabled, so I assume there's some sort of API available that can be used by sites to check for U2F support by the browser. Google are just blindly assuming useragent Firefox == no support
|
# ? Jan 12, 2018 18:59 |
|
pay-with-bitcoin fuckup results in coinbase and overstock.com giving out bitcoins basically for free: https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/ e: whoops, this is a couple days old, so it might have been posted already. still hilarious
|
# ? Jan 12, 2018 19:10 |
|
Sapozhnik posted:
i told off our devs the other day because they were embedding an antiforgery token in . Net mvc pages but didn't know what it was actually for so weren't ever validating it in the controllers, nice security theatre there everyone! Powerful Two-Hander fucked around with this message at 19:21 on Jan 12, 2018 |
# ? Jan 12, 2018 19:19 |
|
Progressive JPEG posted:Google are just blindly assuming useragent Firefox == no support Google does naive user-agent poo poo all the time
|
# ? Jan 12, 2018 19:30 |
|
and, i genuinely believe, entirely on purpose
|
# ? Jan 12, 2018 20:15 |
|
Progressive JPEG posted:You need to enable a setting in about :config but once you do that it works fine. I've enabled/used U2F on Github, Fastmail, Dropbox, and Gandi with Firefox ...check version... 57 without any problems. Apparently they're actually blindly assuming you can just overwrite the window.u2f property because they're bad at coding and didn't read their own spec.
|
# ? Jan 12, 2018 20:18 |
|
i've been idly wondering what the absolute worst-case scenario would be for a security flaw. one thought that comes to mind would be some kind of unpatchable hardware bug in a bunch of routers where large swathes of the internet would just be hard down until new routers could be manufactured and deployed.
|
# ? Jan 12, 2018 21:09 |
|
Powerful Two-Hander posted:i told off our devs the other day because they were embedding an antiforgery token in . Net mvc pages but didn't know what it was actually for so weren't ever validating it in the controllers, nice security theatre there everyone! the security theater is that .net mvc doesn't validate the csrf token automatically like the much better framework it's a knockoff does
|
# ? Jan 12, 2018 21:12 |
|
Farmer Crack-rear end posted:i've been idly wondering what the absolute worst-case scenario would be for a security flaw. one thought that comes to mind would be some kind of unpatchable hardware bug in a bunch of routers where large swathes of the internet would just be hard down until new routers could be manufactured and deployed. it will undoubtedly be an unpatachable flaw in consumer ISP modem/router combos that would require the ISP to replace them all at their cost. i'm pretty sure these already exist and no one talks about it because there's nothing anyone can do about it anyways
|
# ? Jan 12, 2018 21:13 |
|
Number19 posted:it will undoubtedly be an unpatachable flaw in consumer ISP modem/router combos that would require the ISP to replace them all at their cost. i'm pretty sure these already exist and no one talks about it because there's nothing anyone can do about it anyways bizarro pangloss calling out this (as in this is already reality) as the worst of all possible worlds right here
|
# ? Jan 12, 2018 21:16 |
|
Cocoa Crispies posted:the security theater is that .net mvc doesn't validate the csrf token automatically like the much better framework it's a knockoff does which framework would that be?
|
# ? Jan 12, 2018 22:01 |
|
Farmer Crack-rear end posted:i've been idly wondering what the absolute worst-case scenario would be for a security flaw. one thought that comes to mind would be some kind of unpatchable hardware bug in a bunch of routers where large swathes of the internet would just be hard down until new routers could be manufactured and deployed. general-use solutions to factorization and elliptic curves in the same day
|
# ? Jan 12, 2018 22:36 |
|
MALE SHOEGAZE posted:wait so if I have a database or webapp running on localhost, some random javascript from the web can access that and download data and then send it back to wherever? Subjunctive posted:no, unless you configure the local service to permit it, via CORS headers this specific vulnerability wasn't from setting cors header, it was from not verifying the host name, leaving the service vulnerable to a DNS rebinding attack i don't know any servers that set cors headers by default, but it's not unusual to serve for any hostname for easy development etc so the attacker serves a page from evil.com, and then switches the DNS for evil.com to 127.0.0.1 after you load the page that doesn't let you steal cookies, sessions etc since you're still serving from evil.com as far as the browser is concerned, but if you were assuming you could skip authentication because hey, you only bind to localhost, no one else can call this then you get wrecked
|
# ? Jan 12, 2018 22:40 |
|
pseudorandom name posted:Apparently they're actually blindly assuming you can just overwrite the window.u2f property because they're bad at coding and didn't read their own spec. chome is the new internet explorer
|
# ? Jan 12, 2018 22:41 |
|
Progressive JPEG posted:general-use solutions to factorization and elliptic curves in the same day aes has an easily exploited backdoor and everything everywhere using it can be read as plaintext would actually probably be the worst
|
# ? Jan 12, 2018 22:41 |
|
a P=NP proof with an even modestly practical algorithm would be a glorious day in general computation, but a horrific one in security it seems unlikely, but it is a deep philosophical question to expand on that "seems", and we have nothing other than that philosophizing currently
|
# ? Jan 12, 2018 22:42 |
|
Shinku ABOOKEN posted:which framework would that be? rails obv. http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf quote:To protect against all other forged requests, we introduce a required security token that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller, and is the default for newly created Rails applications:
|
# ? Jan 12, 2018 22:50 |
|
Farmer Crack-rear end posted:i've been idly wondering what the absolute worst-case scenario would be for a security flaw. one thought that comes to mind would be some kind of unpatchable hardware bug in a bunch of routers where large swathes of the internet would just be hard down until new routers could be manufactured and deployed. russian hackers guess the password of dprk's twitter account (k1mjong)
|
# ? Jan 12, 2018 22:51 |
|
Subjunctive posted:no, unless you configure the local service to permit it, via CORS headers sometimes just sending the request can be enough even if you don't get to read the response Condiv posted:I really don’t get why they don’t make a bytecode for webpages that all weblangs can compile to? that's what wasm is supposed to be
|
# ? Jan 13, 2018 00:29 |
|
Cybernetic Vermin posted:a P=NP proof with an even modestly practical algorithm would be a glorious day in general computation, but a horrific one in security yeah but "modestly practical algorithm" is a big deal on top of "P=NP" if it turns out to be true but the best version is O(n^20) or something, that'll be pretty entertaining at pissing everyone off
|
# ? Jan 13, 2018 01:04 |
|
Dylan16807 posted:yeah but "modestly practical algorithm" is a big deal on top of "P=NP" true, but it is hard to pin what is likely and not without dipping into some philosophical matters. for hash functions the O(n^20) will be an immediate issue, and even larger exponents will open a lot of doors to e.g. the nsa, or any state actor really if one wants to picture a security armageddon which is quite possible it should be seriously kept in mind e: update to ^20 to keep in sync with your updated number
|
# ? Jan 13, 2018 01:10 |
|
The Matrix reality escape exploit was a pretty big deal.
|
# ? Jan 13, 2018 01:59 |
|
ate poo poo on live tv posted:The Matrix reality escape exploit was a pretty big deal. i just couldn't believe it was on the
|
# ? Jan 13, 2018 02:52 |
|
Cocoa Crispies posted:rails obv. http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf that would actually be pretty nice, though idk if it would actually work with "manual" ajax requests but then again you'd lock those down as much as is possible anyway (or just leave it because 'nobodies gonna hack an internal app'). i think you could implement the same thing in .net by extending the base helpers/controllers but ehhh
|
# ? Jan 13, 2018 02:56 |
|
Farmer Crack-rear end posted:i've been idly wondering what the absolute worst-case scenario would be for a security flaw. one thought that comes to mind would be some kind of unpatchable hardware bug in a bunch of routers where large swathes of the internet would just be hard down until new routers could be manufactured and deployed. The broadcast system for Fox News is quietly subverted, and an official looking announcement that China has launched nuclear weapons at the US is played nationally. Trump's Twitter account credentials are pre-stolen, and it now tweets that we are retaliating. Non zero chance of a nuclear standoff that accidentally turns hot.
|
# ? Jan 13, 2018 03:32 |
|
|
# ? May 28, 2024 15:10 |
|
Farmer Crack-rear end posted:i've been idly wondering what the absolute worst-case scenario would be for a security flaw. one thought that comes to mind would be some kind of unpatchable hardware bug in a bunch of routers where large swathes of the internet would just be hard down until new routers could be manufactured and deployed. i mean like worst (best) case is obvs the end of the world. but to be realistically & subtly widespread, maybe it'd be something small but ubiquitous, like when someone noticed that a bunch of quicksort implementations were suboptimal because they were all copied from the same buggy sample code. e: maybe in K&R?
|
# ? Jan 13, 2018 04:03 |