|
lotta deep state shills itt
|
#
?
Oct 14, 2018 09:31
|
|
|
|
| # ? Jun 8, 2024 22:55 |
|
|
There are checks and balances for dealing with anonymous sources. These Bloomberg hacks have not done their journalistic duties.
|
|
#
?
Oct 14, 2018 10:48
|
|
|
If it actually exists, I have zero doubt we'll see a presentation done at the next DEFCON.
|
|
#
?
Oct 14, 2018 19:21
|
|
|
BobHoward posted:it's like your purposefully misunderstanding the objections to help feed your paranoia look I agree with all that. process improvements will trickle down, so there will be more and more space on chips and nothing to put there. that space is going to get filled with something, even if for a particular chip that something is not (ever?) powered up. no one’s going to reverse-engineer and audit all of that for every chip but that’s not the narrative used to try to counter the Bloomberg article: “don’t worry, everything’s fine because what the article said didn’t happen as everyone knows it would be cheaper and easier to use malicious firmware” what bothers me about this line of reasoning is not just that what it proposes doesn’t work against those who write their own firmware, but that it’s redundant. Bloomberg’s narrative already said “don’t worry, there was this thing but they caught it, so everything’s fine” if someone wants to believe that everything is fine then he/she can just take the Bloomberg article as describing a novel trick that won’t work now that it was revealed and be on his/her merry way
|
|
#
?
Oct 14, 2018 19:34
|
|
|
Max Facetime posted:look I agree with all that. process improvements will trickle down, so there will be more and more space on chips and nothing to put there. that space is going to get filled with something, even if for a particular chip that something is not (ever?) powered up. no one’s going to reverse-engineer and audit all of that for every chip
|
|
#
?
Oct 14, 2018 19:37
|
|
|
okay is there any evidence beyond anonymous sources and paranoid ravings? the line of reasoning can bother you all it wants, it's not changing the end story
|
|
#
?
Oct 14, 2018 19:38
|
|
|
anthonypants posted:no one is saying that everything is fine, but if you can't tell that transparent, overblown bullshit like badbios or the bloomberg pieces are incredibly bad for infosec, i don't know what to tell you
|
|
#
?
Oct 14, 2018 19:38
|
|
|
anthonypants posted:no one is saying that everything is fine, but if you can't tell that transparent, overblown bullshit like badbios or the bloomberg pieces are incredibly bad for infosec, i don't know what to tell you it’s incredibly bad for infosec only because Bloomberg and badbios reveal, respectively, that the best answer infosec can give you is “someone reasonably paranoid would find the implants”, and what happens when someone reasonably paranoid tries to find implants
|
|
#
?
Oct 14, 2018 20:38
|
|
|
redleader posted:lotta deep state shills itt buddy, if the deep state is anything like deep dish pizza, I am ALL IN Chris Knight fucked around with this message at 21:23 on Oct 14, 2018 |
|
#
?
Oct 14, 2018 21:20
|
|
|
Max Facetime posted:it’s incredibly bad for infosec only because Bloomberg and badbios reveal, respectively, that the best answer infosec can give you is “someone reasonably paranoid would find the implants”, and what happens when someone reasonably paranoid tries to find implants
|
|
#
?
Oct 14, 2018 21:43
|
|
|
Wiggly Wayne DDS posted:okay is there any evidence beyond anonymous sources and paranoid ravings? the line of reasoning can bother you all it wants, it's not changing the end story weve got plenty of hearsay and conjecture those are kinds of evidence
|
|
#
?
Oct 14, 2018 21:53
|
|
|
anthonypants posted:start seeing everything soldered onto a pcb as dangerous are they that wrong though
|
|
#
?
Oct 14, 2018 23:43
|
|
|
bring back wire wrap
|
|
#
?
Oct 15, 2018 00:25
|
|
|
A colleague showed me this today. Apparently huge numbers of database passwords are available in plaintext via google, particularly for users of certain ~PHP FRAMEWORKS~. https://www.google.com/search?q=production+db_password+filetype%3Aenv+inurl%3Acom
|
|
#
?
Oct 15, 2018 03:43
|
|
|
Stabby McDamage posted:A colleague showed me this today. Apparently huge numbers of database passwords are available in plaintext via google, particularly for users of certain ~PHP FRAMEWORKS~.  good poo poo
|
|
#
?
Oct 15, 2018 05:34
|
|
|
Stabby McDamage posted:A colleague showed me this today. Apparently huge numbers of database passwords are available in plaintext via google, particularly for users of certain ~PHP FRAMEWORKS~. Looks like Django as well. Still don’t see how google is indexing a .env file. Don’t touch the poop.
|
|
#
?
Oct 15, 2018 06:00
|
|
|
JumpinJackFlash posted:Still don’t see how google is indexing a .env file. This was my jam in the 2000's before I actually knew anything about sec. So many loving webservers are misconfigured out of the box. "Can I just download X?" is still my go-to first step auditing a web server, and it's deeply depressing how often that kindergarten-grade "exploit" works.
|
|
#
?
Oct 15, 2018 12:32
|
|
|
Stabby McDamage posted:A colleague showed me this today. Apparently huge numbers of database passwords are available in plaintext via google, particularly for users of certain ~PHP FRAMEWORKS~. lol, some funny passwords in there. not touching the pooping, just watching it.
|
|
#
?
Oct 15, 2018 14:39
|
|
|
fins posted:lol, some funny passwords in there. not touching the pooping, just watching it. code:
|
|
#
?
Oct 15, 2018 14:42
|
|
|
huh so some people do actually use "secret" as a password. search engines indexing misconfigured directories has been a thing for a while yet it is still amusing. I bet there is a huge cache of similar in the major archive sites too.
|
|
#
?
Oct 15, 2018 14:44
|
|
|
Shifty Pony posted:huh so some people do actually use "secret" as a password. a lot of things use it as the example password to demonstrate how to set your password, and people just enter it as their actual password because they're stupid or they don't care or they think they're being cute
|
|
#
?
Oct 15, 2018 15:10
|
|
|
Shame Boy posted:a lot of things use it as the example password to demonstrate how to set your password, and people just enter it as their actual password because they're stupid or they don't care or they think they're being cute everyone knows security thru obscurity isn't but perfect security thru obscurity by being too obvious to ever guess... it's invincible checkmate hackerailures
|
|
#
?
Oct 15, 2018 15:17
|
|
|
you know how the fix of this is going to be "add .env to robots.txt" and it'll be glorious
|
|
#
?
Oct 15, 2018 15:24
|
|
|
anyone know of a guide for turning a cheapo mikrotik into a VPN appliance I could just throw on a home network and forget about? my dad was complaining he can't stream his local sports on his ipad when he travels because of region/provider locking so I was thinking it'd be a nice xmas gift to plug a box in, install a VPN app on his ipad and just walk him through the magic steps so he can stream the cubs game from wherever just like when he's home
|
|
#
?
Oct 15, 2018 15:33
|
|
|
no but you could get one of these for p cheap and have it as a dedicated vpn appliance. it just runs openvpn
|
|
#
?
Oct 15, 2018 15:43
|
|
|
BIGFOOT EROTICA posted:no but you could get one of these for p cheap and have it as a dedicated vpn appliance. it just runs openvpn $170+ for a used one is not "pretty cheap", especially when the mikrotiks sell for like $40 new idk of any guide but setting it up yourself shouldn't be too hard if you've done anything with mikrotik devices before, it's got support for most common VPN setups and I'm sure there's a guide for "make all the traffic go over the VPN"
|
|
#
?
Oct 15, 2018 15:54
|
|
|
get a sling subscription with the cloud dvr add-on and be done with it
|
|
#
?
Oct 15, 2018 15:55
|
|
|
Shame Boy posted:$170+ for a used one is not "pretty cheap", especially when the mikrotiks sell for like $40 new youre gonna spend 20+ hours janitoring the mikrotik just to get it set up and then its gonna stop working properly because its both your router and your VPN terminator and the cpu is overloaded because youre streaming video over it at 8-10mbps with 8mb of ram and a lovely mips cpu that cant handle realtime encryption of that much traffic but sure you'll save like $100
|
|
#
?
Oct 15, 2018 17:22
|
|
|
BIGFOOT EROTICA posted:youre gonna spend 20+ hours janitoring the mikrotik just to get it set up and then its gonna stop working properly because its both your router and your VPN terminator and the cpu is overloaded because youre streaming video over it at 8-10mbps with 8mb of ram and a lovely mips cpu that cant handle realtime encryption of that much traffic have you used one made in the last like, 10 years... like for simplicity i agree this is probably the best option, especially since it's not your network but your dad's: BangersInMyKnickers posted:get a sling subscription with the cloud dvr add-on and be done with it but if you still want to go the hardware route a modern mikrotik is perfectly adequate for this 
|
|
#
?
Oct 15, 2018 17:39
|
|
|
I like sophoses for the most part but they also require a subscription for features which is why used ones are cheap. you can run their vm version for personal use for free if you want to tho.
|
|
#
?
Oct 15, 2018 18:15
|
|
|
huh, I didn't know Sling was doing that sort of thing nowdays. interesting but I don't want to pay for it and I bet he'll balk at paying for that on top of cable (old man yells at cloud has nothing on him complaining about the cable bill) guess I'll get a cheap mikrotik off amazon and see if I can make it dance. I'm not too worried about speed because I'm not planning on making it the gateway router since they have a comcast modem/router for that and I don't want to janitor their network remotely. hell I'm not super worried about security either since it's just a way around dumbass region locks - I'm just asking here because it seems like the kinda thing regular posters here would have done already
|
|
#
?
Oct 15, 2018 18:20
|
|
|
don't go too cheap on it. i use an old rear end rb333 for a 5.8ghz access point, but it used to be my router, and it falls the gently caress over just passing like 70 mbit of traffic. VPN has tons of crypto so it needs even more beef - make sure to buy enough machine that it can handle all that for whatever video streams or online poker or whatever you're trying to cheese
|
|
#
?
Oct 15, 2018 18:21
|
|
|
these days stream piracy is incredibly easy so most people I think just use those sites for blackout games
|
|
#
?
Oct 15, 2018 18:22
|
|
|
if microtik publishes what processor they use, look for something supporting aes-ni or whatever arm calls their aes optimization instructions
|
|
#
?
Oct 15, 2018 18:24
|
|
|
how does google even find a .env doesnt it need to be linked to it
|
|
#
?
Oct 15, 2018 18:25
|
|
|
its linked in the directory listing
|
|
#
?
Oct 15, 2018 18:26
|
|
|
JumpinJackFlash posted:Looks like Django as well. Still don’t see how google is indexing a .env file. Don’t touch the poop. im sure this is easy to do in php since the default/simplest option is "paths in urls for your site directly map to a directory on disk containing .php files", but you have to try pretty hard to gently caress up this bad in django
|
|
#
?
Oct 15, 2018 18:32
|
|
|
BangersInMyKnickers posted:if microtik publishes what processor they use, look for something supporting aes-ni or whatever arm calls their aes optimization instructions
|
|
#
?
Oct 15, 2018 18:34
|
|
|
i understand the appeal of buying a box but i would recommend just paying $5/month for a cloud vps like from digital ocean or wherever, setting up algo, generating keys for everyone and sending the .mobileconfig profiles to any ios devices works great for services out of the country, though it would not be hard for things to start noticing "this ip is in the digital ocean/aws/azure/whatever" block, not a residential connection, so it could easily stop working at any time my mom got a ton of use out of it for history channel and pandora on her ipad when on vacation
|
|
#
?
Oct 15, 2018 18:38
|
|
|
|
| # ? Jun 8, 2024 22:55 |
|
|
a droplet that I'm going to guess is just resold time from us-bfe-1 or whatever underutilized AZ isn't going to help get on the Illinois local fox sports site
|
|
#
?
Oct 15, 2018 18:44
|
|