|
The Demon's Souls server protocol is a garbage fire.
It uses HTTP
The client sends data as encrypted URL format parameters, the server responds with base64 encoded binary data
It uses AES for one side of the network connection, with the very advanced key "11111111222222223333333344444444"
In some places it uses their own version of base64 with spaces instead of "+"
The client always puts garbage at the end of their base64 stuff, probably because they forgot to null terminate a string
Then again, my emulated server code is a garbage fire coded in a few days, so it's a good match.
|
# ? Mar 4, 2018 14:49 |
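An added example, not part of the original post or of the emulated server's code: a tolerant decoder for the two base64 quirks the post above describes (spaces in place of "+", and junk after the payload). The function names, the sample payload and the rule that junk starts at the first character outside the base64 alphabet are assumptions made for illustration.

```python
import base64
import binascii
import re

# Leading run of standard base64 alphabet characters; anything after it is treated as junk.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]*")


def strict_decode_fails(field: str) -> bool:
    """True if a standards-only decoder rejects the field outright."""
    try:
        base64.b64decode(field, validate=True)
        return False
    except binascii.Error:
        return True


def decode_client_base64(field: str) -> bytes:
    """Decode the space-for-plus variant and ignore junk after the payload.

    Assumption: the junk starts at the first character outside the base64
    alphabet (e.g. stray memory bytes after an unterminated string).
    """
    normalized = field.replace(" ", "+")      # undo the '+' -> ' ' substitution
    data = _B64_RUN.match(normalized).group(0)
    if len(data) % 4 == 1:                    # one leftover char cannot encode a byte
        data = data[:-1]
    data += "=" * (-len(data) % 4)            # restore padding lost with the junk
    return base64.b64decode(data, validate=True)


def make_sample(payload: bytes) -> str:
    """Constructed wire sample: variant encoding plus two junk bytes."""
    return base64.b64encode(payload).decode().replace("+", " ") + "\x7f\x02"


if __name__ == "__main__":
    payload = b"\xfb\xef\xbeDeS!"             # constructed; encodes with '+' characters
    wire = make_sample(payload)
    print(repr(wire), strict_decode_fails(wire), decode_client_base64(wire) == payload)
```

Junk that happens to fall inside the base64 alphabet cannot be told apart from payload this way, so a length field or other framing from the decoded message is still needed to validate the result.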
|
|
where does it get the key for the URL parameters?
|
# ? Mar 4, 2018 14:51 |
|
Can someone recommend a CTF practice, or especially one that will refamiliarize me with BackTrack / Kali? I’m going to take an interview that sounds like it will have a similar challenge and I’d like to freshen up with the toolset.
|
# ? Mar 4, 2018 14:54 |
|
Subjunctive posted: where does it get the key for the URL parameters?
The key is stored in the binary, so in practice a harder key wouldn't help that much. But you know, TLS/SSL was a thing already back in the old days of 2009.
|
# ? Mar 4, 2018 14:56 |
|
Today, we get to learn about measures multiplayer games sometimes take to ensure only retail servers are used And measures the monster hunter devs clearly didn't care to take.
|
# ? Mar 4, 2018 15:02 |
Potato Salad posted: Today, we get to learn about measures multiplayer games sometimes take to ensure only retail servers are used
any links?
|
|
# ? Mar 4, 2018 15:06 |
|
game security is a dumpster fire anyway check out this very good podcast about the subject: https://darknetdiaries.com/episode/7/ https://darknetdiaries.com/episode/8/
|
# ? Mar 4, 2018 17:34 |
|
Wait, does the private server require that I send all of my dns traffic to a 3rd party?
|
# ? Mar 4, 2018 17:38 |
|
Salt Fish posted: Wait, does the private server require that I send all of my dns traffic to a 3rd party?
from your playstation, yes
|
# ? Mar 4, 2018 17:41 |
|
I've never used a playstation but it probably has a store function right? And it probably has other media functions and friends lists? If this private server gets popular what are you going to do with all of that dns traffic? I mean, I don't need to guess, I should just be able to ask ymgve for a breakdown of what people are requesting. Like my nintendo switch for sure transmits data related to authenticating to my paypal account and other sensitive data.
|
# ? Mar 4, 2018 17:46 |
|
it only requires a few domains to be redirected, but if you ask people to set up their own personal dns proxy to play then the server will have a total population of just yourself
|
# ? Mar 4, 2018 17:50 |
|
spankmeister posted: game security is a dumpster fire anyway
i still love the story about how the meat boy dev was talking directly to a sql database with credentials stored in plaintext in the executable and when someone pointed out that this is very bad and offered some tips on designing a more secure system his response was "NO IT'S FINE I KNOW WHAT I AM DOING I AM A SMARTY MAN GAME DEVELOPER AFTER ALL!"
of course the predictable thing happened, because if something on the internet is wreckable there is some anti-social weirdo out there who will wreck it just for fun
"I KNOW WHAT I AM DOING" seems to be the battle cry of the arrogant right before they literally or figuratively cut off a finger
|
# ? Mar 4, 2018 17:52 |
|
“shut up haters I loving wrote the wiki on the thermal properties of wax” - icarus
|
# ? Mar 4, 2018 18:52 |
|
Carbon dioxide posted: xlsx is open source though. It's literally a .zip file containing a bunch of .xml files.
i did not know this
|
# ? Mar 4, 2018 19:58 |
|
flakeloaf posted: i did not know this
it’s ok, nobody knows what all the parts mean so it doesn’t really matter that you can reuse a parser
|
# ? Mar 4, 2018 20:06 |
|
Dunno if this counts, but ordering a takeout in the UK, I just accidentally put in the wrong security/CVV number for my debit card saved on just-eat, and it... just went through totally fine? Isn't verification basically what this number is for?
|
# ? Mar 4, 2018 20:58 |
|
Surprise T Rex posted:Dunno if this counts, but ordering a takeout in the UK, I just accidentally put in the wrong security/CVV number for my debit card saved on just-eat, and it... just went through totally fine?
|
# ? Mar 4, 2018 21:08 |
|
Subjunctive posted: it’s ok, nobody knows what all the parts mean so it doesn’t really matter that you can reuse a parser
does the spec still define some functionality as "render this the way microsoft office 97 did" or did they eventually clean all that out?
|
# ? Mar 4, 2018 21:17 |
|
For online people delivery apps (lyft, uber, etc) they must have some weird poo poo going on, that or banks are super loose with $5-$25 purchases through them cause we had a card get popped, had to get it replaced. Replaced where it mattered (pornhub, crunchyroll, brazzers, etc) and then promptly forgot. Take a lyft to the city, everything works fine. Same with uber. It was cool for a while until both apps popped up a warning saying the card didn't work anymore, took about a month. Not that I was scamming the system or anything just pure apathy until my wife, looking over our expenses asked what card I was using for lyft/ubers that month.
|
# ? Mar 4, 2018 21:46 |
Surprise T Rex posted: Dunno if this counts, but ordering a takeout in the UK, I just accidentally put in the wrong security/CVV number for my debit card saved on just-eat, and it... just went through totally fine?
iirc the short story there is "level of confidence" a merchant can afford. the transaction itself is p much processed based on the number alone, maybe number + cardholder name - we had a chat on this itt a few versions ago, someone will probably chime in too. so, basically, if you are an amazon you can skip asking customers their birth certificate or whatever because refunding a scam or two will be pennies on the dollar of your lean mean make run with barely any profits machine now when you are a small time vendor you might be really picky about everything matching perfect, to avoid x or y or z + on top of that there are technical specs for each card type which limit how useful the error codes are for them (e.g. if your store will get "oops" or "wrong cvv") something like that
|
|
# ? Mar 4, 2018 21:49 |
|
The_Franz posted: i still love the story about how the meat boy dev was talking directly to a sql database with credentials stored in plaintext in the executable and when someone pointed out that this is very bad and offered some tips on designing a more secure system his response was "NO IT'S FINE I KNOW WHAT I AM DOING I AM A SMARTY MAN GAME DEVELOPER AFTER ALL!"
his reaction made a huge impression on me about nerd insecurity heh insecurity get it
|
# ? Mar 4, 2018 21:56 |
|
Optimus_Rhyme posted: Replaced where it mattered (pornhub, crunchyroll, brazzers, etc)
lol
|
# ? Mar 4, 2018 22:21 |
|
infernal machines posted:smashthestate This wouldn't be the worst password tbqh "Smash the State NSF" would be a perfectly secure password. Yet another way that Deus Ex was way ahead of its time.
|
# ? Mar 4, 2018 22:54 |
|
cinci zoo sniper posted: something like that
I thought there were like 5 different pieces of information that you could collect and submit to have a credit card processed, but you only needed 3. IIRC you can submit the number, zip code, CVV, or you could do the number, the cardholder's name, CVV, or you could do number, expiration date, zip code, etc etc. And then you have the merchant collecting n+1 in their form, but their software only sends some set of those to the actual MSP?
# ? Mar 4, 2018 23:35 |
|
duz posted: does the spec still define some functionality as "render this the way microsoft office 97 did" or did they eventually clean all that out?
idk what the "spec" says but that's definitely how the actual office renders stuff. protip: office renders office documents completely differently from the "spec" and the only way to get pixel-perfect recreations of the documents people send you is to open them in office itself, while making sure your printer settings are the same as the person who sent it (yes really)
|
# ? Mar 4, 2018 23:50 |
|
all the many rendering libraries, even the ones microsoft supposedly supports, do not render the way office renders and so are totally useless if you have clients such as banks who will freak out and mash the alarm button whenever a border is one pixel too wide
|
# ? Mar 4, 2018 23:52 |
|
Optimus_Rhyme posted: For online people delivery apps (lyft, uber, etc) they must have some weird poo poo going on, that or banks are super loose with $5-$25 purchases through them cause we had a card get popped, had to get it replaced. Replaced where it mattered (pornhub, crunchyroll, brazzers, etc) and then promptly forgot. Take a lyft to the city, everything works fine. Same with uber. It was cool for a while until both apps popped up a warning saying the card didn't work anymore, took about a month.
either lyft & Uber might be delaying and batching the transactions to save on fees but they’re definitely tokenizing the card number (which is the right thing to do) which usually comes with a grace period after the root PAN gets invalidated like iTunes just last month let me know the card that got revoked just about three years ago quit working
|
# ? Mar 5, 2018 05:53 |
|
The_Franz posted: i still love the story about how the meat boy dev was talking directly to a sql database with credentials stored in plaintext in the executable and when someone pointed out that this is very bad and offered some tips on designing a more secure system his response was "NO IT'S FINE I KNOW WHAT I AM DOING I AM A SMARTY MAN GAME DEVELOPER AFTER ALL!"
the barrier to entry was so low on that issue, i'll bet it was some normal social person.
|
# ? Mar 5, 2018 05:53 |
|
crazysim posted: the barrier to entry was so low on that issue, i'll bet it was some normal social person.
an anti-social but not asocial person
|
# ? Mar 5, 2018 08:44 |
|
Soricidus posted:“shut up haters I loving wrote the wiki on the thermal properties of wax” - icarus
|
# ? Mar 5, 2018 10:34 |
|
cinci zoo sniper posted:https://blog.elcomsoft.com/2017/08/one-password-to-rule-them-all-breaking-into-1password-keepass-lastpass-and-dashlane/ lol They really should have done more to explain the weak work factor defaults. They didn't really break anything and it's just a brute force tool so whatever, but the fact that Office doc encryption work factor is like 10x+ the default for many of these things is shameful.
|
# ? Mar 5, 2018 15:37 |
|
BangersInMyKnickers posted: They really should have done more to explain the weak work factor defaults. They didn't really break anything and its just a brute force tool so whatever, but the fact that Office doc encryption work factor is like 10x+ the default for many of these things is shameful.
i legitimately thought it was a joke after reading the sentence "Granted, these are still nearly an order of magnitude less secure than, say, Microsoft Office 2016 documents" and was like "oh this must be a joke and i got fooled i better make a funny joke about it to save face" hence that april fools post i made
|
# ? Mar 5, 2018 15:47 |
|
Surprise T Rex posted: Dunno if this counts, but ordering a takeout in the UK, I just accidentally put in the wrong security/CVV number for my debit card saved on just-eat, and it... just went through totally fine?
I've written software to interface with credit card processors in the past. all processors can verify a user's address (just the number part technically), zip code, and CVV. however, even if those are wrong, processors don't automatically decline the transaction. some processors let you change some setting to decline if they're wrong, but even then it's just the processor forcing a decline rather than the credit card company actively saying, "this card is bad." (the only things that cause that are a bad credit card number or the person is over the limit, sometimes the expiration date but that's iffy, oh and being over the limit isn't a guarantee either some processors will just charge up to the limit and leave it up to you to handle the partial charge)
so why does the takeout place accept CVV and do gently caress-all with it? well, if the CVV is right, they get a lower transaction fee. if it's wrong, the takeout place probably decided that it's not worth the customer service hassle to have someone input the right one (not to mention that many people would just give up and go elsewhere with their money), so they just accept it anyway. I had companies turn on just basic zip code checking in our software and then turn it off a week later after a giant customer service backlash (hell hath no fury like a customer who believes they told you the correct zip code and the processor says otherwise).
# ? Mar 5, 2018 15:56 |
|
The_Franz posted: i still love the story about how the meat boy dev was talking directly to a sql database with credentials stored in plaintext in the executable and when someone pointed out that this is very bad and offered some tips on designing a more secure system his response was "NO IT'S FINE I KNOW WHAT I AM DOING I AM A SMARTY MAN GAME DEVELOPER AFTER ALL!"
hmm this was a link to the screenshot of the aforementioned but that has some credentials and addresses in it that may or may not constitute poop touching, even if it is 6 years temporally displaced. whoops
# ? Mar 5, 2018 16:25 |
|
ate all the Oreos posted: all the many rendering libraries, even the ones microsoft supposedly supports, do not render the way office renders and so are totally useless if you have clients such as banks who will freak out and mash the alarm button whenever a border is one pixel too wide
no two versions of office render the same document the same way
|
# ? Mar 5, 2018 16:36 |
|
ate all the Oreos posted: idk what the "spec" says but that's definitely how the actual office renders stuff. protip: office renders office documents completely differently from the "spec" and the only way to get pixel-perfect recreations of the documents people send you is to open them in office itself, while making sure your printer settings are the same as the person who sent it (yes really)
parsing ooxml is practically impossible however the "open" spec is still useful because it makes it easy to predictably generate office documents. using the reverse engineered stuff with the old formats was always a bit of a crapshoot. now you can be pretty drat sure that your 3rd party application can produce a high quality xlsx. (at least as high quality and as predictably as office itself can, which, you know, isn't all that great)
|
# ? Mar 5, 2018 16:40 |
|
Notorious b.s.d. posted:no two versions office render the same document the same way
|
# ? Mar 5, 2018 18:25 |
|
some sort of.. portable document format?
|
# ? Mar 5, 2018 18:27 |
|
infernal machines posted:some sort of.. portable document format?
|
# ? Mar 5, 2018 18:33 |
|
|
my last big LaTeX project I neglected to set up a docker or vagrant that pulled the right versions of all the tools it used and I survived
|
# ? Mar 5, 2018 18:34 |