|
Boris Galerkin posted:In totally unrelated news, thanks Bitcoin! Can we go back to hackers goatseing people? Cryptojacking doesn't have the same ring to it.
|
# ? Feb 21, 2018 06:18 |
|
Will anybody be at the Mobile World Congress next week by any chance? My company has a booth there and trade shows are soul-crushing when you attend them this way. Meeting a Goon would alleviate a bit of that.
|
# ? Feb 21, 2018 09:48 |
|
Boris Galerkin posted:it was picked up on Ars, Motherboard/Vice, and Guru3D. I’m not sure about Guru3D but the other two have tons of readers. Do people still use Guru3D for GPU reviews? But obtaining the PII of alleged pirates is not what they did. They hacked exactly one person. I was ready to see the company get ripped apart for their actions, but now that they clarified I don't see the point. Hacking one person, with no direct damage? Is a fine of $10000 per instance plus reparations for any harm caused not good enough?
|
# ? Feb 21, 2018 11:25 |
|
Did Stand Your Cyberground actually pass?
|
# ? Feb 21, 2018 13:08 |
|
Dylan16807 posted:But obtaining the PII of alleged pirates is not what they did. They hacked exactly one person. Are you one of those people who thinks businesses actually give a poo poo about fines? They knowingly broke the law. They should go to criminal trial.
|
# ? Feb 21, 2018 13:47 |
|
https://twitter.com/jedisct1/status/966276829748383744
|
# ? Feb 21, 2018 13:59 |
|
Dylan16807 posted: But obtaining the PII of alleged pirates is not what they did. They hacked exactly one person. They intentionally placed malware on the computers of every customer who downloaded that update. That's corporate death penalty worthy, it doesn't matter if they only actually activated it for one person.
|
# ? Feb 21, 2018 14:37 |
|
Theris posted:They intentionally placed malware on the computers of every customer who downloaded that update. That's corporate death penalty worthy, it doesn't matter if they only actually activated it for one person. I don't understand how this is even a debate. The company hosed up and got caught doing something illegal in most countries.
|
# ? Feb 21, 2018 14:43 |
|
Dylan16807 posted:But obtaining the PII of alleged pirates is not what they did. They hacked exactly one person. So you'd be OK with them putting test.exe on your computer as long as they promised to never use it?
|
# ? Feb 21, 2018 16:16 |
|
Dylan16807 posted:But obtaining the PII of alleged pirates is not what they did. They hacked exactly one person. Give me your bank account details. I promise I won’t use it unless your name is “John Smith.”
|
# ? Feb 21, 2018 17:39 |
|
Crossposting from the AWS thread: Has anyone messed around with AWS Lambda functions for penetration testing? My boss asked me to come up with a function to do some penetration testing on our instances, essentially, check to see whether a certain port on a certain instance is open (or maybe ping all ports and return which ones are open?). I'm thinking about using the API gateway and maybe a simple webpage front end that will run the lambda function but I'm open to ideas. I kind of suck with coding in python but this should be a pretty simple. Anyone have any suggestions?
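One way to answer the question above, as an added example that is not from the thread: a Python Lambda handler that checks a list of TCP ports on a host you own and reports which are open, plus which open ports were not expected (the useful part of the audit). The event keys `host`, `ports`, `expected_open` and `timeout` are my assumptions, as is `make_local_listener`, a small helper used only so the example can run offline against loopback.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def check_ports(host, ports, timeout=1.0, workers=20):
    """Probe each port concurrently; return the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports)
    return sorted(p for p, is_open in results if is_open)


def audit(host, expected_open, ports, timeout=1.0):
    """Compare what is actually reachable against what the owner expects."""
    observed = set(check_ports(host, ports, timeout))
    expected = set(expected_open)
    return {
        "host": host,
        "open": sorted(observed),
        "unexpected_open": sorted(observed - expected),   # exposure to fix
        "expected_but_closed": sorted(expected - observed),  # service down?
    }


def lambda_handler(event, context):
    """Lambda entry point (event shape is an assumption, not an AWS contract)."""
    host = event["host"]
    ports = event.get("ports", [22, 80, 443, 3389])
    expected = event.get("expected_open", [])
    timeout = float(event.get("timeout", 1.0))
    return audit(host, expected, ports, timeout)


def make_local_listener():
    """Constructed test fixture: a loopback listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = make_local_listener()
    print(lambda_handler({"host": "127.0.0.1", "ports": [port], "expected_open": []}, None))
    srv.close()
```

To reach private instances the function has to be attached to the VPC with a security group that allows the outbound probes; the audit is only meaningful for hosts you are authorised to test.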
|
# ? Feb 21, 2018 17:42 |
|
I'm going to install this bomb in your house, but don't worry. I won't detonate it on purpose.
|
# ? Feb 21, 2018 17:43 |
|
Dylan16807 posted:But obtaining the PII of alleged pirates is not what they did. They hacked exactly one person. lol at giving the benefit of the doubt to a company that they are being honest that they only used it once on someone who was definitely guilty (according to them). Due process is unnecessary regulation you see.
|
# ? Feb 21, 2018 17:52 |
|
Dylan16807 posted: But obtaining the PII of alleged pirates is not what they did. They hacked exactly one person. So, you really believe all those companies that claim they have never been breached? You really believe they are going to mention all the PII they've "accidentally" received? Also, notice, they go on and on about how they want to nail just one person, but, if they could identify the person that easily to target the password stealer, they wouldn't need it. This was an epically idiotic idea, likely planned by one of those people who look up to and believe the STDH crowd.
|
# ? Feb 21, 2018 18:00 |
|
Looks like Ormandy turned his attention to uTorrent
|
# ? Feb 21, 2018 19:40 |
|
Pretty tame by our standards. The uTorrent Classic breach only even allows an attacker to see what kind of weird porn you've been torrenting, not compromise your machine.
|
# ? Feb 21, 2018 19:43 |
|
Thermopyle posted: So you'd be OK with them putting test.exe on your computer as long as they promised to never use it? Every program with auto-update is just as dangerous when it comes to the company deciding to do a targeted hack. So while I don't like the current state of computer security, I don't think it actually matters if the malware is bundled in the installer or not.

Inept posted: lol at giving the benefit of the doubt to a company that they are being honest that they only used it once on someone who was definitely guilty (according to them). Due process is unnecessary regulation you see. Well that's why I said $10k per instance. Let the police investigate and punish them the appropriate amount. No need to trust them.

Cup Runneth Over posted: Are you one of those people who thinks businesses actually give a poo poo about fines? They knowingly broke the law. They should go to criminal trial. Sure, I guess, but the comparable sentence for something like low-value identity theft is probably a misdemeanor and actually less than what I was suggesting.
|
# ? Feb 21, 2018 20:34 |
|
Dylan16807 posted:Sure, I guess, but the comparable sentence for something like low-value identity theft is probably a misdemeanor and actually less than what I was suggesting. UK seems to have 10 years per count for their equivalent of felony identity theft, which this would probably count as. EU regulations are likely tougher, but I can't find specifics. So one count for each person who had this installed on their system.
|
# ? Feb 21, 2018 21:05 |
|
Dylan16807 posted:Every program with auto-update is just as dangerous when it comes to the company deciding to do a targeted hack. So while I don't like the current state of computer security, I don't think it actually matters if the malware is bundled in the installer or not. They violated multiple sections of CFAA in the US. That’s definitely multiple felonies if they pierce the veil. If not, that can accumulate to hugely significant fines for a small company like this.
|
# ? Feb 21, 2018 21:10 |
|
Dylan16807 posted:Every program with auto-update is just as dangerous when it comes to the company deciding to do a targeted hack. So while I don't like the current state of computer security, I don't think it actually matters if the malware is bundled in the installer or not. By any chance, are you a criminal? Because you're advocating criminal behavior for no good reason.
|
# ? Feb 21, 2018 21:26 |
|
Dylan16807 posted:Every program with auto-update is just as dangerous when it comes to the company deciding to do a targeted hack. So while I don't like the current state of computer security, I don't think it actually matters if the malware is bundled in the installer or not. You know there's a big gulf in badness between having the capability to do a bad thing and actually doing it?
|
# ? Feb 21, 2018 21:26 |
|
Avenging_Mikon posted: UK seems to have 10 years per count for their equivalent of felony identity theft, which this would probably count as. EU regulations are likely tougher, but I can't find specifics. So one count for each person who had this installed on their system. One count for each person where it ran, I hope you mean. Copying it to all the other machines was stupid but not very meaningful. And wow, that's pretty harsh. I wish data breaches got even 1% that much punishment.
|
# ? Feb 21, 2018 21:29 |
|
apseudonym posted:You know there's a big gulf in badness between having the capability to do a bad thing and actually doing it? I agree entirely. And I file "putting test.exe on computers but not running it, then deleting it" as capability, not wrongdoing.
|
# ? Feb 21, 2018 21:30 |
|
Dylan16807 posted:Copying it to all the other machines was stupid but not very meaningful. That's the very point that makes it meaningful. I mean, you trust someone who would be so idiotic to actually have access to all your passwords?
|
# ? Feb 21, 2018 21:30 |
|
Thermopyle posted: That's the very point that makes it meaningful. It proves they're stupid, but most companies are stupid. Maybe I just have a much lower opinion of the average software developer than you do. I think most developers are one bad employee decision away from getting my passwords stolen. Whether that's triggering their anti-one-guy malware incorrectly, or falling to a phishing attack and letting hackers control their download server, or a hundred other ways. My trust level is low, but this incident doesn't push it much lower. I think the actual hacking is the only important thing that happened here. Anyway I'll shut up now, I think. (I do hope they get punished. I just think the suitable punishment got a lot smaller when the story changed from "collected all suspected pirate passwords" to "one guy's passwords". Unless they lied in which case hit them even harder.)
|
# ? Feb 21, 2018 21:36 |
|
Dylan16807 posted:One count for each person where it ran, I hope you mean. Copying it to all the other machines was stupid but not very meaningful. Pro-tip: installing surveillance bugs is illegal, even if you don't turn them on.
|
# ? Feb 21, 2018 21:36 |
|
Dylan16807 posted:It proves they're stupid, but most companies are stupid. Maybe I just have a much lower opinion of the average software developer than you do. I think most developers are one bad employee decision away from getting my passwords stolen. No, I think you're mostly right. However, I think that most companies should be more harshly punished, not that this company should be punished less.
|
# ? Feb 21, 2018 21:50 |
|
so they claim they had the guy's IP hitting their server, right. but then they restricted their malware to only run if a pirate serial is inserted. obviously, the cracker wasn't the only one using the keygenned serial if he was giving it out on a forum. they probably stole more credentials than just that guy. whether they used them, who knows, they only admitted to that crime once. I'm pretty sure they're admitting to stealing creds from multiple people.
|
# ? Feb 21, 2018 21:58 |
|
Avenging_Mikon posted: Pro-tip: installing surveillance bugs is illegal, even if you don't turn them on. Depends on the state, the location, and the capacities. An audio recording bug in a 1-Party state in a location with no expectation of privacy and permission of the property owner is legal for example.
|
# ? Feb 21, 2018 21:59 |
|
Dylan16807 posted:I agree entirely. And I file "putting test.exe on computers but not running it, then deleting it" as capability, not wrongdoing. Except they did run it
|
# ? Feb 21, 2018 22:08 |
|
Trabisnikof posted: Depends on the state, the location, and the capacities. It's an EU company. The EU is putting into action a law that requires users to accept each individual cookie a website wishes to use, each time you visit that site. I would be very surprised if 1-Party recordings were legal by companies.
|
# ? Feb 21, 2018 22:15 |
|
The fact remains that a keylogger was installed on systems and it was absolutely intended to be used. By the book, that's a sentencing and severe fine.
|
# ? Feb 21, 2018 22:15 |
|
Dylan16807 posted:I agree entirely. And I file "putting test.exe on computers but not running it, then deleting it" as capability, not wrongdoing. Nah it's wrongdoing and illegal. This is a dumb argument.
|
# ? Feb 21, 2018 22:22 |
|
Avenging_Mikon posted: It's an EU company. The EU is putting into action a law that requires users to accept each individual cookie a website wishes to use, each time you visit that site. I would be very surprised if 1-Party recordings were legal by companies. the EU continues in their quest to have the most useless and onerous regulatory environment possible. Also no, companies intentionally installing malware on your system is not okay whether it's used or not.
|
# ? Feb 21, 2018 22:47 |
|
Authenticode code signing certificate providers these days all want to sell me dongles that require me to mash a button or provide a password every 24 hours for code signing. I want to sign code in my build servers in a data center, with no human presence. Where should I turn for such capabilities? Do the certificate providers offer it? All I see in web searches are dongles. I would be totally happy with, for example, TPM-locked certificates that are equally secure against theft as physical tokens. I just do not want to have a human sitting in my server rack.
|
# ? Feb 22, 2018 09:04 |
|
Avenging_Mikon posted: It's an EU company. The EU is putting into action a law that requires users to accept each individual cookie a website wishes to use, each time you visit that site. I would be very surprised if 1-Party recordings were legal by companies. Don't you get it just the once per site, for all the cookies? Or is that a new law because the previous one wasn't annoying enough?
|
# ? Feb 22, 2018 09:51 |
|
Welcome to General Data Protection Regulation, enforced from 25 May 2018. It takes data protection up to eleven across the EU. GDPR is far more wide-reaching than cookies but here is a decent overview of what it means for cookies:

quote: Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.

I do not think it affects individual cookies but it does mean that users need to be explicitly informed about what (exactly!) their data is used for. Just "we use cookies to improve our service" does not cut it anymore.
|
# ? Feb 22, 2018 12:13 |
|
EssOEss posted: Authenticode code signing certificate providers these days all want to sell me dongles that require me to mash a button or provide a password every 24 hours for code signing. I want to sign code in my build servers in a data center, with no human presence. Yeah, any of the CAs can do this with a standard signing cert. The reason that you're seeing these weird, elaborate things is that devs on the whole are absolute dumbfucks that do not understand how to handle key material and will either leave it sitting around with the private key completely unencrypted or have it set to something trivial that's written in a text file in the directory of the thing itself. When stuff needs signing (which shouldn't be that often) either train one person on how to do it properly and make it their job or script up some kind of mechanism that allows the devs to drop stuff off in an inject directory and have it get signed for them after some approval workflow. Otherwise you're going to have a million copies of the thing floating around, stored incorrectly. We get ours from Comodo and it's been Fine.
|
# ? Feb 22, 2018 13:10 |
|
I'm in love with GDPR, it's already generating tears and it's not even in effect yet.
|
# ? Feb 22, 2018 13:14 |
|
|
EssOEss posted:Welcome to General Data Protection Regulation, enforced from 25 May 2018. It takes data protection up to eleven across the EU. Peep the penalties for non-compliance too. 4% of global turnover (or 20 million euros, if that's a bigger number) if you don't get free and informed consent before doing something.
|
# ? Feb 22, 2018 13:32 |