|
Cocoa Crispies posted:continuing to pay for apps as they get used is important so that developers can afford to fix problems that show up later instead of just riding off into the sunset with a one-time lump sum we should just discourage connectivity and networking functions instead
|
#
?
Aug 27, 2018 06:49
|
|
|
|
| # ? Jun 9, 2024 03:54 |
|
|
I use like a 6 year old version of budgeting software because the devs got it in their heads to go ~~cloud based subscription app~~ for the next version and it more expensive and way worse now and also now demands all your bank account logins when it didn't before. I will keep using the old version I paid for until I die or the Adobe Air runetime finally stops working on windows.
|
|
#
?
Aug 27, 2018 12:44
|
|
|
I have no problem with app subscriptions. consumable in-app purchases are usually barely disguised gambling and everyone in the industry knows it.
|
|
#
?
Aug 27, 2018 12:55
|
|
|
So, our company is pushing Stealth as a solution for our end point security, but in an environment where we even struggle to patch, how useful would a encrypted tunnel/network segmentation like Stealth be? That and I'm really skeptical about a software tunnel solution for network segmentation...
|
|
#
?
Aug 27, 2018 16:40
|
|
|
Yesterday I Learned how to rekey kwikset smartkey without the original key, or the rekey tool or the locksmith reset tool. (You just take it all apart then reassemble it with the new key in)
|
|
#
?
Aug 27, 2018 17:07
|
|
|
CommieGIR posted:So, our company is pushing Stealth as a solution for our end point security, but in an environment where we even struggle to patch, how useful would a encrypted tunnel/network segmentation like Stealth be? its a replacement for host-based firewalls for micro segmentation but beyond that ehhhhhhhhhhhhh. Protected enclaves are great and all but you still need to assume something is going to bypass it and get inside those tunnels. You can pretty much do this for free today by utilizing IPsec in Windows for AD enrolled clients and kerberos auth
|
|
#
?
Aug 27, 2018 17:36
|
|
|
EMILY BLUNTS posted:Yesterday I Learned how to rekey kwikset smartkey without the original key, or the rekey tool or the locksmith reset tool. explain
|
|
#
?
Aug 27, 2018 17:53
|
|
|
Crime on a Dime posted:explain
|
|
#
?
Aug 27, 2018 19:10
|
|
|
Ulf posted:with physical access you can get root kwikset locks are garbage but yeah this is pretty much the situation. you can rekey pretty much any lock that you are able to disassemble.
|
|
#
?
Aug 27, 2018 19:45
|
|
|
one of my coworkers thinks putting credentials in query string parameters is "just as secure" as in POST body or auth headers and refuses to believe otherwise, help im dying
|
|
#
?
Aug 27, 2018 19:53
|
|
|
Shifty Pony posted:kwikset locks are garbage but yeah this is pretty much the situation. yeah, if you're taking the parts that make the lock lock you can change which keys it works with
|
|
#
?
Aug 27, 2018 19:56
|
|
|
My car was broken into and I got a new lock for it which was keyed differently. So I got the wafers from the old busted lock and put them in the new lock. Fiddly job but it worked out ok.
|
|
#
?
Aug 27, 2018 20:03
|
|
|
spankmeister posted:Fiddly job but it worked out ok. locks.txt
|
|
#
?
Aug 27, 2018 20:04
|
|
|
ate all the Oreos posted:one of my coworkers thinks putting credentials in query string parameters is "just as secure" as in POST body or auth headers and refuses to believe otherwise, help im dying Because the coworker is only thinking about the immediate execution, that would appear logical. It's intermediary HTTP proxies and HTTP servers logging all requests and thus being promoted into being a convenient credential feed for consumption.
|
|
#
?
Aug 27, 2018 20:11
|
|
|
MrMoo posted:Because the coworker is only thinking about the immediate execution, that would appear logical. It's intermediary HTTP proxies and HTTP servers logging all requests and thus being promoted into being a convenient credential feed for consumption. yeah i told him this and his answer was "but we control the server so we can control what it's logging, and besides i'm sure servers log headers too so it's the same"
|
|
#
?
Aug 27, 2018 20:14
|
|
|
The other important area: the credentials will end up in the browser history, not forgetting bookmarks, leading to accidental replay and an easy attack vector. It's also easy for third party JavaScript to pickup window.location and thus the credentials, e.g. advertising.ate all the Oreos posted:yeah i told him this and his answer was "but we control the server so we can control what it's logging, and besides i'm sure servers log headers too so it's the same" "Yes" but without the full URL the logging will be useless, and "no" unless you are only expecting a handful of users, for most setups it simply does not scale. MrMoo fucked around with this message at 20:25 on Aug 27, 2018 |
|
#
?
Aug 27, 2018 20:22
|
|
|
ate all the Oreos posted:one of my coworkers thinks putting credentials in query string parameters is "just as secure" as in POST body or auth headers and refuses to believe otherwise, help im dying this is true* * for a specific definition of security** ** this definition of security is dumb as heck
|
|
#
?
Aug 27, 2018 20:44
|
|
|
prisoner of waffles posted:this is true* great stuff here
|
|
#
?
Aug 27, 2018 20:47
|
|
|
ate all the Oreos posted:yeah i told him this and his answer was "but we control the server so we can control what it's logging, and besides i'm sure servers log headers too so it's the same" "Mistakes happen and you should develop defensively, being one missed url stripping call away from a password in the logs isn't acceptable"
|
|
#
?
Aug 27, 2018 20:53
|
|
|
ate all the Oreos posted:yeah i told him this and his answer was "but we control the server so we can control what it's logging, and besides i'm sure servers log headers too so it's the same" lol which server is this that logs headers asking for a friend, not to send 5tb of http headers in my request, promise 
|
|
#
?
Aug 27, 2018 21:04
|
|
|
many log Referer and UA at least
|
|
#
?
Aug 27, 2018 21:05
|
|
|
i'll be sure to not use referer and user agent to transmit authentication info then, thanks
|
|
#
?
Aug 27, 2018 21:09
|
|
|
Subjunctive posted:many log Referer and UA at least hmm you're right. my next worm is going to be just a browser addon that sets UA to 10MB, then watch the world burn
|
|
#
?
Aug 27, 2018 21:14
|
|
|
Truga posted:hmm you're right. my next worm is going to be just a browser addon that sets UA to 10MB, then watch the world burn in a couple years i think we'll get there. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.1
|
|
#
?
Aug 27, 2018 21:18
|
|
|
prisoner of waffles posted:i'll be sure to not use referer and user agent to transmit authentication info then, thanks yeah transmit authentication information in the tls handshake
|
|
#
?
Aug 27, 2018 21:24
|
|
|
ate all the Oreos posted:yeah i told him this and his answer was "but we control the server so we can control what it's logging, and besides i'm sure servers log headers too so it's the same" hes right in that if your security worry is server side logging, then headers and post content are just as easy to log as the url, however I don't think any servers do headers or content by default. client side url caching is way more of an issue Truga posted:hmm you're right. my next worm is going to be just a browser addon that sets UA to 10MB, then watch the world burn most servers have a header size limit of a few kb
|
|
#
?
Aug 27, 2018 22:04
|
|
|
Truga posted:hmm you're right. my next worm is going to be just a browser addon that sets UA to 10MB, then watch the world burn 413 entity too large.
|
|
#
?
Aug 27, 2018 22:07
|
|
|
Salt Fish posted:413 entity too large. that's what your mum said
|
|
#
?
Aug 27, 2018 22:18
|
|
|
Mr. Nice! posted:that's what your mum said their mom's a computer?!!?
|
|
#
?
Aug 27, 2018 22:28
|
|
|
Mr. Nice! posted:that's what your mum said was she looking in a mirror?
|
|
#
?
Aug 27, 2018 23:13
|
|
|
Mr. Nice! posted:that's what your mum said
|
|
#
?
Aug 28, 2018 02:43
|
|
|
Mr. Nice! posted:that's what your mum said kind of rude of her to turn you down like that, but you really could stand to lose a few pounds
|
|
#
?
Aug 28, 2018 02:47
|
|
|
Mr. Nice! posted:that's what your mum said My mom is 451, your mom is 402.
|
|
#
?
Aug 28, 2018 03:59
|
|
|
Salt Fish posted:My mom is 451, your mom is 402. Yo momma is 418 -- short and stout.
|
|
#
?
Aug 28, 2018 05:32
|
|
|
to my momma I'll always be 417
|
|
#
?
Aug 28, 2018 09:24
|
|
|
my mom is 404 
|
|
#
?
Aug 28, 2018 12:55
|
|
|
is this the new computer janitor thread?
|
|
#
?
Aug 28, 2018 13:00
|
|
|
No please don't poo poo it up
|
|
#
?
Aug 28, 2018 13:11
|
|
|
speaking of gossi https://twitter.com/gossithedog/status/1034334475101130753?s=21
|
|
#
?
Aug 28, 2018 21:51
|
|
|
|
| # ? Jun 9, 2024 03:54 |
|
|
You missed the most important part:someone making a tweet posted:Here is the alpc bug as 0day: https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar … I don't loving care about life anymore. Neither do I ever again want to submit to MSFT anyway. gently caress all of this poo poo. BlankSystemDaemon fucked around with this message at 22:49 on Aug 28, 2018 |
|
#
?
Aug 28, 2018 22:47
|
|
