|
ate all the Oreos posted:idk if you already know this but in case you don't: that's a standard default IIS error that you can get from pretty much anything because nobody ever bothers to make custom error pages Thanks. I don't use that stack, so I didn't know. All I knew was that it looked pretty boilerplate. I was just more alarmed that I wasn't getting better error handling with redirection or not found. Maybe I have high standards or something.
|
# ? Oct 2, 2018 22:14 |
|
|
leaving the default 500 page up is kinda janky though
|
# ? Oct 3, 2018 00:56 |
|
AstuteCat posted:Looked at an API for an application I use. API expects secrets to be stored in the query string parameters for calls. In particular, to get an API token, you send a GET request to https://xxxx.com/api/login?userid=john@doe.com&password=dohdoh oh yeah, reminds me of that time someone here wrote an endpoint that took in credit card numbers from the querystring i'm pretty sure it's still in production
|
# ? Oct 3, 2018 03:47 |
|
Munkeymon posted:leaving the default 500 page up is kinda janky though and it means their probably .NET code is running into an unhandled exception redleader posted:oh yeah, reminds me of that time someone here wrote an endpoint that took in credit card numbers from the querystring once had a CSO (whose main tactic was printing out 1000s of pages of "stuff" and stacking up giant piles of paper on his desk for reasons??), who wanted us to write some custom virus definitions to automatically have AV flag and quarantine any file that was found to have 16 consecutive numbers in it unencrypted since that might be a credit card number! Needless to say we didn't do that. Has anyone actually worked under a CSO who actually did anything besides writing press releases / get quoted in articles and occasionally attend conferences? Maybe I've just had bad luck but that seems to be their main job description.
|
# ? Oct 3, 2018 05:57 |
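Two defender-side checks for the problems the last few posts describe (a login that takes the password as a GET query parameter, and card numbers in the query string), as an added example that is not code from anyone in the thread: it scans constructed access-log lines in combined log format, flags known secret parameter names, and only calls a 16-digit run a card number when it passes the Luhn check, which is what the "16 consecutive numbers" idea above was missing. The parameter-name list and the log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never travel in a query string (assumed list;
# extend it to match your own APIs).
SECRET_PARAMS = {"password", "passwd", "pass", "pwd", "token", "api_key", "apikey", "secret"}

# Constructed sample lines in Apache/nginx combined log format, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2018:03:47:01 +0000] "GET /api/login?userid=john%40doe.com&password=dohdoh HTTP/1.1" 200 512 "-" "curl/7.61"
10.0.0.6 - - [03/Oct/2018:03:48:10 +0000] "GET /api/pay?amount=10&card=4111111111111111 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Oct/2018:03:49:00 +0000] "GET /api/orders?id=1234567890123456 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.8 - - [03/Oct/2018:03:50:00 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "curl/7.61"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def luhn_ok(digits):
    """Luhn check: 16 consecutive digits alone is not enough to call it a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_line(line):
    """Return a list of (finding, parameter name) tuples for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query      # only the part after '?'
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            findings.append(("secret_in_query", name))
        for run in re.findall(r"\d{16}", value):
            if luhn_ok(run):                       # 1234567890123456 fails Luhn, 4111... passes
                findings.append(("card_number_in_query", name))
    return findings

def scan_log(text):
    """Map each flagged line number (1-based) to its findings; clean lines are omitted."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = scan_line(line)
        if found:
            report[n] = found
    return report

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG).items():
        print(n, found)
```

Pointing this at real access logs also tells you how much of that data is already sitting in proxy, CDN and browser-history logs, which is the actual reason secrets belong in a POST body or an Authorization header rather than the URL.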
|
sadus posted:Has anyone actually worked under a CSO who actually did anything besides writing press releases / get quoted in articles and occasionally attend conferences? Maybe I've just had bad luck but that seems to be their main job description. no, n/a, n/a, n/a Had one that believed in whitelisting ip address ranges for incoming traffic when ACCEPT 0.0.0.0/0, ALLOW 0.0.0.0/0 is a core feature of the product. Strangely enough also seems to think running a WAF in log only mode and shipping the logs to a server that hadn't been online in probably 3+ years was GOOD SECURITY. Probably still makes 10x what I make. How are these people still trusted to breathe? Edit: Try suggesting we drop malformed request traffic say.. lacking a host header in an HTTP request (per RFC spec an invalid request) NO WE CAN'T DO THAT WE MIGHT BE LOSING LEGITIMATE TRAFFIC. SeaborneClink fucked around with this message at 06:23 on Oct 3, 2018 |
# ? Oct 3, 2018 06:18 |
|
a fun fact is that as a manager you’ll always be wrong. I liked being a cso but I always also suffered from imposter syndrome lol at examples given tho
|
# ? Oct 3, 2018 07:36 |
|
sadus posted:and it means their probably .NET code is running into an unhandled exception yeah, that's not a big deal just, again, kinda janky
|
# ? Oct 3, 2018 12:50 |
|
Munkeymon posted:yeah, that's not a big deal just, again, is kinda janky but you repeat yourself
|
# ? Oct 3, 2018 13:22 |
|
What's the regkey you can set to block psloggedon enumeration for windows hosts? Google is failing the hell out of me right now.
|
# ? Oct 3, 2018 14:34 |
|
sadus posted:whose main tactic was printing out 1000s of pages of "stuff" and stacking up giant piles of paper on his desk for reasons?? christ you just gave me flashbacks to my old job. for new potential customers, we'd have them send us all their powerpoints so we could see how much duplicated effort went into them (part of our software's big selling point was that we could manage that poo poo for you and make generating slideshows out of arbitrary documents and powerpoints much easier) and give them a report back of how many slides were direct copies of each other, how many were visually the same except with slightly different text, how many had inaccurate / incomplete information or were violating compliance laws etc. naturally instead of using some image similarity algorithm or software, or doing this on a computer at all even, the process was to print out every single document they sent us onto ream after ream of paper and then have professional services hand-sort them on a big table. this took two or three people loving days to complete.
|
# ? Oct 3, 2018 14:52 |
|
ate all the Oreos posted:christ you just gave me flashbacks to my old job. for new potential customers, we'd have them send us all their powerpoints so we could see how much duplicated effort went into them (part of our software's big selling point was that we could manage that poo poo for you and make generating slideshows out of arbitrary documents and powerpoints much easier) and give them a report back of how many slides were direct copies of each other, how many were visually the same except with slightly different text, how many had inaccurate / incomplete information or were violating compliance laws etc. Bet they were impressed and you got their business though.
|
# ? Oct 3, 2018 19:27 |
|
Volmarias posted:Bet they were impressed and you got their business though. eh sometimes yes, sometimes no. with most companies i'd assume that if they're willing to dump that much time and effort into doing it it must be giving measurable returns but that company was... incredibly dumb. the whole thing was pretty much a hobby for the born-rich owner so he could feel like a big boy who had a real life business, so the company did a lot of totally nonsensical things because he thought that's what customers wanted or just because he wanted it done that way. he even turned down all outside investment specifically so he didn't have to give up any control over anything. that place was loving ridiculous and working there for a few years pretty much got me set for life with all the crazy stories of weirdos and incompetence i'll ever need
|
# ? Oct 3, 2018 19:47 |
|
|
# ? Oct 3, 2018 20:28 |
|
lmbo symantec firewall module is adding 5-15ms of additional latency to even basic poo poo like icmp what a pile of garbage
|
# ? Oct 3, 2018 22:59 |
|
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies ron-paul-its-happening.gif
|
# ? Oct 4, 2018 12:02 |
|
Whoever wrote this sneaked in a little joke quote:Elemental servers sold for as much as $100,000 each, at profit margins of as high as 70 percent, according to a former adviser to the company. Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.
|
# ? Oct 4, 2018 12:29 |
|
when is the world going to abandon these cursed machines
|
# ? Oct 4, 2018 12:36 |
|
All the people I know who deal with supply chain security seem completely terrified and exhausted all the time. Tip of the iceberg and all that.
|
# ? Oct 4, 2018 12:44 |
|
mrmcd posted:https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies That is impressively scary. Bhodi posted:Whoever wrote this sneaked in a little joke Also impressive. But funny, not scary.
|
# ? Oct 4, 2018 12:47 |
|
mrmcd posted:All the people I know who deal with supply chain security seem completely terrified and exhausted all the time.
|
# ? Oct 4, 2018 12:51 |
|
mrmcd posted:https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies I'm guessing these targeted the high-end high-density boards, since those would be most likely to be doing something interesting vs. running Bob's Flower Shoppe employee database. Still, not surprising in the least seeing as how the Chinese government exerts influence on factories there. Guess I'll have to find another low-end net appliance supplier tho :\ edit: i suppose this story isn't completely accurate then https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/ ewiley fucked around with this message at 13:54 on Oct 4, 2018 |
# ? Oct 4, 2018 13:50 |
|
ewiley posted:edit: i suppose this story isn't completely accurate then https://arstechnica.com/information-technology/2017/02/apple-axed-supermicro-servers-from-datacenters-because-of-bad-firmware-update/ that story's called out in the hardware piece
|
# ? Oct 4, 2018 13:55 |
|
Cocoa Crispies posted:that story's called out in the hardware piece Ahh, didn't see that. Well I guess it makes sense that a firmware update would fail if there are extra chips on board!
|
# ? Oct 4, 2018 13:56 |
|
apple and amazon issued strong flat denials and all but said the story was made up wholesale so now i don't know who to believe
|
# ? Oct 4, 2018 14:15 |
|
Bhodi posted:apple and amazon issued strong flat denials and all but said the story was made up wholesale so now i don't know who to believe what does your heart tell you?
|
# ? Oct 4, 2018 14:17 |
|
On the one hand, exclusively anonymous sources, no physical evidence and a security apparatus that's interested in self-promotion for forever-expanding funding and FUD On the other, technical embarrassment plus capitalism and reduced consumer confidence leading to stock dips
|
# ? Oct 4, 2018 14:20 |
|
also, government gag orders
|
# ? Oct 4, 2018 14:33 |
|
good thing China wasn't intercepting shipments of Cisco routers and installing implants in them before they arrived
|
# ? Oct 4, 2018 14:44 |
|
redleader posted:when is the world going to abandon these cursed machines
|
# ? Oct 4, 2018 14:51 |
|
redleader posted:when is the world going to abandon these cursed machines
|
# ? Oct 4, 2018 15:03 |
when I used to live in dc I was friends with someone who worked at the Government Accountability Office and was part of a team investigating how fake chips were making their way into specialty hardware ordered by the government. the non-secret report he was able to share with me was pretty enlightening. in most cases it was what you would expect with lower quality devices being packaged as higher quality part numbers and failing at higher rates as a result, but in a few it was just crazy poo poo using embedded controllers to convert signals to and from dirt cheap commodity devices to the pinout and behavior of the specialty stuff. that setup was super optimized to pass test programs but failed spectacularly when put under sustained loads in actual use. I knew better than to ask what they found and put in the secret portions of the investigation but when I commented about how nuts that converting setup was he did say something like "that's what they are doing to skim off a few bucks per unit, just imagine what they are doing for espionage." so yeah I can totally believe this story.
|
|
# ? Oct 4, 2018 15:04 |
|
Ah, the good ol' "report myself as 32GB of storage when I'm actually 8MB and a lying microcontroller"
|
# ? Oct 4, 2018 15:10 |
exactly. but unlike the dodgy flash drives which you can crack open the shell and easily see the deception, these were chips packaged at the same facility as the real ones and required an x-ray inspection to spot. i want to say that a thermal camera while running was also an option but can't remember for sure if the thing they were in had enough room to let you do that.
|
|
# ? Oct 4, 2018 15:21 |
|
redleader posted:when is the world going to abandon these cursed machines butlerian jihad time, imo although sending someone a letter telling them to clean their looking glass will lack some of the piquancy of yospos i'm sure we'll all adjust.
|
# ? Oct 4, 2018 15:23 |
|
BangersInMyKnickers posted:lmbo symantec firewall module is adding 5-15ms of additional latency to even basic poo poo like icmp what a pile of garbage lol 15+ms of latency on links moving over 500mbit and full up drops once it hits the 700mbit range gently caress you symantec yo poo poo is trash
|
# ? Oct 4, 2018 15:25 |
|
skipped 4500 posts to say china hacked the planet, lol
|
# ? Oct 4, 2018 15:38 |
|
Captain Foo posted:skipped 4500 posts to say china hacked the planet, lol leave b 4 ur expunged lol j/k friend
|
# ? Oct 4, 2018 15:45 |
|
goddamnedtwisto posted:butlerian jihad time, imo never a better time to start exchanging postcards and letters with e-friends
|
# ? Oct 4, 2018 15:55 |
|
mrmcd posted:https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies this poo poo is why i'm so happy some govt officials took a ten euros bribe to close the state owned chip foundries in order to get all sensitive chips from the US and China, especially when that chip foundry was making money hand over fist with the requests and contracts from the rest of Europe and was actively expanding
|
# ? Oct 4, 2018 16:06 |
|
|
|
# ? Oct 4, 2018 16:36 |