|
quote:Researchers have identified a critical "hard-coded credentials" vulnerability (CVE-2018-7800) affecting Schneider Electric floor-standing EVLink Parking units (version 3.2.0-12_v1 and earlier) that could allow attackers to compromise the EVLink Parking device, according to reports. While researchers say it is unclear what additional access can be obtained by compromising the EVLink Parking device, they point out that the device is part of the EVLink Parking network that is remotely managed by a cloud-based central system. According to Schneider, the flaw can be addressed by applying the provided patch or mitigated using a firewall configured to block unauthorized access from remote or external users. this is good
|
#
?
Jan 7, 2019 19:31
|
|
|
|
| # ? May 20, 2024 00:36 |
|
|
Farmer Crack-rear end posted:speaking of meltdowns what's the status of the big spectre/meltdown hullabaloo from last year? how many systems out there are thought to still be vulnerable? variant 4 came out and ms made a new mitigation for it. melt/spectre mitigations are still disabled by default for their server os's but win10 has them on by default and windows now has the microcode update bundled to mitigate spectre for most intel platforms you'll see in the wild. new cpu's are shipping with the microcode "fixes" built in but it will be years before we have silicon that is actually engineered around this issue. we'll likely see continued optimizations around syscall performance hurting disk calls from NVMe's that work around the performance impact of the mitigations before we see a true fix.
|
|
#
?
Jan 7, 2019 19:40
|
|
|
Lain Iwakura posted:this is good ahh yes the advanced hacking technique of "hard-coded credentials"
|
|
#
?
Jan 7, 2019 19:57
|
|
|
Github, on behalf of Microsoft, will be allowing unlimited free private repos for free accounts. I don't know if this is ol' drown out competition with free services thing or just let's try to accumulate all the data thing.
|
|
#
?
Jan 7, 2019 20:57
|
|
|
CmdrRiker posted:Github, on behalf of Microsoft, will be allowing unlimited free private repos for free accounts. I don't know if this is ol' drown out competition with free services thing or just let's try to accumulate all the data thing. 
|
|
#
?
Jan 7, 2019 21:02
|
|
|
That girl looks like one of my cousins’s kids and every time I see it I go all  .
|
|
#
?
Jan 7, 2019 21:11
|
|
|
CmdrRiker posted:Github, on behalf of Microsoft, will be allowing unlimited free private repos for free accounts. I don't know if this is ol' drown out competition with free services thing or just let's try to accumulate all the data thing. free private repos can only have three collaborators, so it is pretty drat limited anyway besides there is a bunch of enterprise features they still charge for, just microsofts modern realization that you want to rope in hobbyists with free tools to the extent possible, the real money is with cost-insensitive companies
|
|
#
?
Jan 7, 2019 21:11
|
|
|
Cybernetic Vermin posted:free private repos can only have three collaborators, so it is pretty drat limited anyway I mean, tbf hasn’t this been their strategy with universities as well?
|
|
#
?
Jan 7, 2019 21:15
|
|
|
Cybernetic Vermin posted:free private repos can only have three collaborators, so it is pretty drat limited anyway I might be too  when it comes to my data, but it is really strange to me when competitors use each other's tech services. I worked for a backup company that used project management software that was owned by a competitor's parent company and a major retailer that uses AWS services. I can't imagine most companies have their poo poo together enough to actually do anything nefarious with the data, but it still leaves me side eyeing stuff like FREE GITHUB FOR EVERYONE!
|
|
#
?
Jan 7, 2019 21:19
|
|
|
Schadenboner posted:I mean, tbf hasn’t this been their strategy with universities as well? Yeah, make the kids in college learn your tools and then the companies that will hire them are forced to pay the service contracts. It works pretty well, I'm fine with it.
|
|
#
?
Jan 7, 2019 21:20
|
|
|
https://twitter.com/KateLibc/status/1082687485887471616
|
|
#
?
Jan 8, 2019 18:19
|
|
|
You can download it and cut out the pieces. It's not sold as a box game: https://pen-testing.sans.org/blog/2018/10/02/sans-pen-test-poster-pivots-payloads-boardgame
|
|
#
?
Jan 8, 2019 19:21
|
|
|
Midjack posted:You can download it and cut out the pieces. It's not sold as a box game: This is something I am going to print and never tell anyone about because I will feel like a giant loser.
|
|
#
?
Jan 8, 2019 20:06
|
|
|
Midjack posted:You can download it and cut out the pieces. It's not sold as a box game: yeah. i should have linked to the pdf. i get lots of stuff from sans but i only do a course every few years. the only one i've really liked was the ics one i did years back
|
|
#
?
Jan 8, 2019 20:57
|
|
|
always a pleasure to see the classics still going strong https://twitter.com/taber/status/1082716704730431488
|
|
#
?
Jan 8, 2019 21:29
|
|
|
NoneMoreNegative posted:always a pleasure to see the classics still going strong was coming to share this, thread with a few more of the uncovered redactions: https://twitter.com/pwnallthethings/status/1082714380800798720
|
|
#
?
Jan 8, 2019 21:57
|
|
|
Did chrome stop trusting disa.mil government CA? https://www.disa.mil/cybersecurity/network-defense/antivirus
|
|
#
?
Jan 8, 2019 22:41
|
|
|
ill field it this time: military signs their own certs
|
|
#
?
Jan 8, 2019 22:46
|
|
|
Bhodi posted:Did chrome stop trusting disa.mil government CA? https://www.disa.mil/cybersecurity/network-defense/antivirus https://twitter.com/KateLibc/status/1082756012396797952
|
|
#
?
Jan 8, 2019 22:49
|
|
|
trust chain on that is completely hosed. you're not allowed to have an upstream trust intermediate have an expiration before the expiration of the downstream trust.
|
|
#
?
Jan 8, 2019 22:50
|
|
|
BangersInMyKnickers posted:trust chain on that is completely hosed. you're not allowed to have an upstream trust intermediate have an expiration before the expiration of the downstream trust. how do you even achieve that
|
|
#
?
Jan 8, 2019 22:51
|
|
|
okay welcome to the loving dumbest pki implementation I have ever seen: wwww.disa.mil exp 11/18/19 DOD ID SW CA-38 exp 9/23/21 DoD Root CA 3 exp 2/17/19 <-- lol DoD Interop Root CA 2 exp 8/15/19 <-- lolè Federal Bridge CA 2016 exp 5/15/20 TSCO SHA256 Bridge CA exp 2/19/19 <-- who the gently caress is this? Alexion Pharmaceuticals Issue 2 CA exp 8/2/27 <-- WHO THE gently caress IS THIS?? Why the gently caress doesn't this stop at DoD Root CA 3 is beyond me but even that they hosed up your root should always have the last expiration date
|
|
#
?
Jan 8, 2019 22:55
|
|
|
I 100% assure you the actual mil systems are pushing all their hosed up root and intermediate certs through GPOs to override the numerous PKI validation errors hahahaha Alexion is a Symantec-issued cert mischief managed
|
|
#
?
Jan 8, 2019 22:56
|
|
|
BangersInMyKnickers posted:okay welcome to the loving dumbest pki implementation I have ever seen: holy heck
|
|
#
?
Jan 8, 2019 22:58
|
|
|
You forgot Diginotar Root CA X3
|
|
#
?
Jan 8, 2019 22:58
|
|
|
BangersInMyKnickers posted:okay welcome to the loving dumbest pki implementation I have ever seen: what the actual gently caress 
|
|
#
?
Jan 8, 2019 22:59
|
|
|
BangersInMyKnickers posted:okay welcome to the loving dumbest pki implementation I have ever seen: what in fuckin tarnation
|
|
#
?
Jan 8, 2019 22:59
|
|
|
I wonder if they attempted to somehow shim in the Symantec trust chain behind the DoD Root CA after the fact when all the contractors and whoever on non-mil systems didn't have it in their trust store and complained about the validation errors. That sounds like something dumb enough for Symantec to try for a buck. There shouldn't be any trust chain to civ computers on this at all. fyi there's like 4 or more different trust chains on this mess depending on your browser/os/phase of the moon https://www.ssllabs.com/ssltest/analyze.html?d=www.disa.mil&s=156.112.108.76&hideResults=on BangersInMyKnickers fucked around with this message at 23:05 on Jan 8, 2019 |
|
#
?
Jan 8, 2019 23:02
|
|
|
Kazinsal posted:what the actual gently caress Ah the Pine Gap CA
|
|
#
?
Jan 8, 2019 23:03
|
|
|
BangersInMyKnickers posted:I wonder if they attempted to somehow shim in the Symantec trust chain behind the DoD Root CA after the fact when all the contractors and whoever on non-mil systems didn't have it in their trust store and complained about the validation errors. That sounds like something dumb enough for Symantec to try for a buck. There shouldn't be any trust chain to civ computers on this at all. This might be an example of someone having more responsibility than they have experience or training.
|
|
#
?
Jan 8, 2019 23:17
|
|
|
The amount of fuckery I see in those various attempts at trust chains would take a team of the finest idiots you could find years to achieve
|
|
#
?
Jan 8, 2019 23:24
|
|
|
BangersInMyKnickers posted:The amount of fuckery I see in those various attempts at trust chains would take a team of the finest idiots you could find years to achieve truly military grade encryption
|
|
#
?
Jan 8, 2019 23:57
|
|
|
Babies Getting Rabies posted:in my experience, upnp is usually the result of having had too much beer
|
|
#
?
Jan 9, 2019 00:07
|
|
|
BangersInMyKnickers posted:okay welcome to the loving dumbest pki implementation I have ever seen: Most likely answer: They've cross signed the CA (as everyone does) but due to wacky devices and whatever old CAs they trusted had to cross sign it to something dumb. Do that for each CA and you see something like that.
|
|
#
?
Jan 9, 2019 01:46
|
|
|
apseudonym posted:Most likely answer: They've cross signed the CA (as everyone does) but due to wacky devices and whatever old CAs they trusted had to cross sign it to something dumb. Does that mean that this list is unordered once past the first few levels (DoD Root CA 3 exp 2/17/19) and since the CAs are cross signed the "wwww.disa.mil exp 11/18/19 < Alexion Pharmaceuticals Issue 2 CA exp 8/2/27 && wwww.disa.mil exp 11/18/19 > DoD Root CA 3 exp 2/17/19" dates can still be valid?
|
|
#
?
Jan 9, 2019 04:09
|
|
|
PCjr sidecar posted:truly military grade encryption
|
|
#
?
Jan 9, 2019 04:21
|
|
|
CmdrRiker posted:Does that mean that this list is unordered once past the first few levels (DoD Root CA 3 exp 2/17/19) and since the CAs are cross signed the "wwww.disa.mil exp 11/18/19 < Alexion Pharmaceuticals Issue 2 CA exp 8/2/27 && wwww.disa.mil exp 11/18/19 > DoD Root CA 3 exp 2/17/19" dates can still be valid? The bag of certs in a TLS connection is unordered (except that the first one is the server cert), so if you have something like: Server -> Intermediate -> Root where Root is also Cross signed by Old the bag of certs might be Server, Intermediate, Root_crosssigned For devices that have Root in their trust store they will build Server -> Intermediate -> Root (Root_crosssigned is ignored) and on old devices you'd build Server -> Intermediate -> Root_crossigned -> Old, you might do this for multiple levels if you have a CA that is itself cross signed by something newish, correct clients prefer trust anchors in path building so it works nicely. However, the server is just returning the leaf and not any other certificates and that's the actual issue. The certificate paths you're seeing in SSLlabs are just possible paths given their set of known certificates so yeah with cross signing you can see a bunch of weird ones but that doesnt mean that's what is actually used and its just SSLLabs trying to find valid paths by following every possible bridge it knows about.
|
|
#
?
Jan 9, 2019 04:32
|
|
|
Kazinsal posted:what the actual gently caress it's the interoperability certificate so we need to have it signed by everyone we interoperate with, duh
|
|
#
?
Jan 9, 2019 16:10
|
|
|
well this is a tome of a bug report: https://hackerone.com/reports/409850
|
|
#
?
Jan 9, 2019 18:44
|
|
|
|
| # ? May 20, 2024 00:36 |
|
|
RWC going well so far https://twitter.com/durumcrustulum/status/1083059647211323392 https://twitter.com/durumcrustulum/status/1083060483031269377 https://eprint.iacr.org/2019/016.pdf
|
|
#
?
Jan 9, 2019 19:14
|
|