cinci zoo sniper
Mar 15, 2013




y i k e s


Stick Insect
Oct 24, 2010

My enemies are many.

My equals are none.
That's quite the horror story :gonk:

jre
Sep 2, 2011

To the cloud ?



But it uses technology, it must be much more secure

fisting by many
Dec 25, 2009




smart locks are awful but dumb keycode locks are great

pull up, technology, you almost had it

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug
my brothers and I got our parents a smart lock for Christmas, I should see if I can get one and gently caress with it too

flakeloaf
Feb 26, 2003

Still better than android clock

"not being sufficiently stumpfuck stupid to allow your home to be open to anyone who can work iot garbage" isn't a protected class so let's evict you for this reason

FlapYoJacks
Feb 12, 2009
Apparently they don’t even hash/salt the PIN numbers.
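Added example (not code from the thread or from any lock vendor) showing what storing a PIN as a salted, slow hash looks like, and why a salt alone is not enough for a four-digit secret. All names (store_pin, verify_pin, PinVerifier) and the iteration count are invented for the illustration:

```python
import hashlib
import hmac
import os

# Constructed parameters for the example; a real backend tunes these to its hardware.
KDF_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_digest(pin: str) -> str:
    """What an unsalted store looks like: every user with the same PIN gets the
    same digest, so one cracked entry reveals all of them."""
    return hashlib.sha256(pin.encode()).hexdigest()


def store_pin(pin: str) -> dict:
    """Record a backend would persist instead of the raw PIN: random salt plus a
    PBKDF2 digest. Two users with the same PIN get different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": KDF_ITERATIONS}


def verify_pin(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(digest, record["digest"])


class PinVerifier:
    """A PIN space of 10**4 to 10**6 guesses is small enough that salting and a
    slow KDF only slow an offline attacker down; the online side also needs an
    attempt limit, which this class models with a simple lockout counter."""

    def __init__(self, record: dict, max_failures: int = 5):
        self.record = record
        self.max_failures = max_failures
        self.failures = 0

    def attempt(self, candidate: str) -> str:
        if self.failures >= self.max_failures:
            return "locked"
        if verify_pin(self.record, candidate):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "wrong"


def salted_records_differ(pin: str) -> bool:
    """True when two stored records for the same PIN carry different digests."""
    return store_pin(pin)["digest"] != store_pin(pin)["digest"]


if __name__ == "__main__":
    rec = store_pin("4821")  # constructed sample PIN
    print("correct PIN accepted:", verify_pin(rec, "4821"))
    print("wrong PIN rejected:", not verify_pin(rec, "0000"))
    print("same PIN, different records:", salted_records_differ("4821"))
```

The lockout counter is the part people forget: a salted hash protects a leaked database, it does nothing against someone standing at the keypad trying codes.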

bob dobbs is dead
Oct 8, 2017

I love peeps
Nap Ghost
Pin and tumbler locks are basically keycode locks where you don't need to remember the keycode and you don't need electricity. Anyone with the key pin lengths and knowhow can file a key. So that's why you're not supposed to take photos of keys, or at least keep photos of keys completely secure

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

bob dobbs is dead posted:

Pin and tumbler locks are basically keycode locks where you don't need to remember the keycode and you don't need electricity. Anyone with the key pin lengths and knowhow can file a key. So that's why you're not supposed to take photos of keys, or at least keep photos of keys completely secure

I love how most of the master keys for major cities/regions public safety departments are openly called by some series of numbers which happens to be the pin sequence. Good opsec everybody

Media Bloodbath
Mar 1, 2018

PIVOT TO ETERNAL SUFFERING
:hb:
https://www.youtube.com/watch?v=7R4CRQpz0Dc

I guess this works in combination with

https://www.youtube.com/watch?v=ye-C-OOFsX8

Shaggar
Apr 26, 2006
tbf if ur gonna do common biting like that it doesn't matter how well you protect your key documentation since the folks who would use it can just decode the key from a lock. it's really just there to prevent tampering by kids and other casual assholes

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

bob dobbs is dead posted:

Pin and tumbler locks are basically keycode locks where you don't need to remember the keycode and you don't need electricity. Anyone with the key pin lengths and knowhow can file a key. So that's why you're not supposed to take photos of keys, or at least keep photos of keys completely secure


BangersInMyKnickers posted:

I love how most of the master keys for major cities/regions public safety departments are openly called by some series of numbers which happens to be the pin sequence. Good opsec everybody

yeah

https://www.youtube.com/watch?v=AayXf5aRFTI

https://www.youtube.com/watch?v=aVPSaKLKHd4

locks are important as a definite signal that access is forbidden in some cases, and that picking a lock is almost always something very explicit you're doing to access a space without authorization, which is a good thing to build legal frameworks on

Shaggar
Apr 26, 2006

they make keys with active elements to make them even harder to copy, but I would be surprised if the manufacturer actually claimed the key was uncopyable.

Shame Boy
Mar 2, 2010

Shaggar posted:

they make keys with active elements to make them even harder to copy, but I would be surprised if the manufacturer actually claimed the key was uncopyable.

look what thread you're in, are you sure you'd be surprised?

Midjack
Dec 24, 2007



Cocoa Crispies posted:

my brothers and I got our parents a smart lock for Christmas

reported for elder abuse

Phone
Jul 30, 2005

I want oyakodon.
my best swing at that protest wise would be to reinstall the lock on like a bathroom door or some poo poo and maybe send all of the network traffic to a chinese vpn or something.

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl

jesus gently caress :gonk:

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

the most amazing part of that story is the expectation that the iot hub thingy will be plugged into the tenant's own personal network equipment

also @hacks4pancakes is a good infosec person to follow on twitter. she posts lots of cool and interesting news

Hed
Mar 31, 2004

Fun Shoe
wow that’s really lovely but also bad that I have to click on that and read 30 microposts to understand what’s going on.

I’m sure I would move as well. Which will work, for now.

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug

Hed posted:

wow that’s really lovely but also bad that I have to click on that and read 30 microposts to understand what’s going on.

I’m sure I would move as well. Which will work, for now.
somewhere in that thread she says the management company is installing them in 40,000 units, and if it's considered a success (saves them money somehow) you better believe everyone else will adopt it as well

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Bhodi posted:

somewhere in that thread she says the management company is installing them in 40,000 units, and if it's considered a success (saves them money somehow) you better believe everyone else will adopt it as well

WarDriver 40,000

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I can't wait until they're forced to replace them all in 5 years because the company folded and the app no longer works

suffix
Jul 27, 2013

Wheeee!
the defunct gutted smart locks + mismatched add-on deadbolts will provide good cyberpunk aesthetics for our future slums

Wiggly Wayne DDS
Sep 11, 2010



Bhodi posted:

somewhere in that thread she says the management company is installing them in 40,000 units, and if it's considered a success (saves them money somehow) you better believe everyone else will adopt it as well
pretty sure the private sector will try and use the money-saving angle, but there's literally no way this will save money. even small scale attempts to use localised moisture sensors to try and see how effective new damp-proofing installations are have resulted in overt privacy issues when put against a timescale (e.g. why is the bedroom getting high readings on a saturday night for 5 minutes?)

now the right way to tackle this is by tackling energy usage and teaching people how to use their heating device correctly for them.

can't wait to see the first housing association to be stupid enough to roll any of these out, because somewhere a vendor is attempting to grift

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl

Bhodi posted:

somewhere in that thread she says the management company is installing them in 40,000 units, and if it's considered a success (saves them money somehow) you better believe everyone else will adopt it as well

i'm certain the mgmt company will come back later and say "heh well now that we've increased the value of these units with our smart IoT app-enabled locks :smugbird: of course we have to jump your rent another hundo a month" (on top of the couple hundo they were already going to jump the rent)

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

lol ok symantec here we go again

they have this thing called a shared insight cache, which at its core is just a big memory lookup table of process hashes, the definition rev, and the number of clients that voted it clean. so when things are doing disk scans, they can call back to this server and get a verdict on the file without doing the full scanning poo poo locally and expending those cycles. they sell it as a vdi optimization thing, but really you could use it for any system so long as they have a low latency connection to the server and .5mbit network overhead to spare.

the documentation is garbo with some kind of cert-less TLS implementation that you can intercept and then creds being passed inside that tunnel, but I guess you can increase the vote threshold before a hash is marked clean to minimize the risk of cache tampering. there's not any scaling guidelines to speak of so I'm profiling this thing to figure out what I have to throw at it and I see the client start spamming hundreds of new sockets against the cache instance. at one point in the scanning process, the client opens 100+ sockets to the cache listener, and it seems to happen at around the same point at the beginning of every scan, which means I can have 650 clients doing this at once before this stupid thing starts running off the rails for a failure mode I'm sure they didn't validate for.

for a company that claims to be an enterprise security vendor they sure do loving suck at it
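Added example, written for this thread and not taken from Symantec's product or documentation, of the vote-threshold idea described above: a verdict cache keyed on (file hash, definition revision) that only returns "clean" once enough distinct clients have said so. Class and function names (InsightCache, client_scan, etc.) are invented; the real product's protocol is not modelled.

```python
import hashlib
from collections import defaultdict


class InsightCache:
    """Toy shared verdict cache: (sha256, definition rev) -> set of clients that voted clean."""

    def __init__(self, clean_vote_threshold: int):
        self.threshold = clean_vote_threshold
        self.votes = defaultdict(set)

    def report_clean(self, file_hash: str, def_rev: int, client_id: str) -> None:
        # A set de-duplicates votes: one client re-reporting the same file under
        # the same definitions never counts more than once toward the threshold.
        self.votes[(file_hash, def_rev)].add(client_id)

    def lookup(self, file_hash: str, def_rev: int) -> str:
        # Keying on the definition revision means verdicts reached under old
        # definitions are not reused after the definitions change.
        n = len(self.votes.get((file_hash, def_rev), ()))
        return "clean" if n >= self.threshold else "scan_locally"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def client_scan(cache: InsightCache, client_id: str, data: bytes,
                def_rev: int, local_scan) -> str:
    """One client's flow for one file: ask the cache first, scan locally only on
    a miss, and vote clean when the local scan came back clean."""
    h = sha256_hex(data)
    if cache.lookup(h, def_rev) == "clean":
        return "clean (from cache)"
    result = local_scan(data)
    if result == "clean":
        cache.report_clean(h, def_rev, client_id)
    return f"{result} (local scan)"


SAMPLE = b"constructed sample file contents"  # constructed, not a real binary


def repeat_votes_effect(threshold: int, repeats: int) -> str:
    """Verdict others get after a single client reports the same file clean
    `repeats` times: raising the threshold above 1 blunts one bad voter."""
    cache = InsightCache(threshold)
    for _ in range(repeats):
        cache.report_clean(sha256_hex(SAMPLE), 1001, "client-A")
    return cache.lookup(sha256_hex(SAMPLE), 1001)


def quorum_effect(threshold: int, voters: int) -> str:
    """Verdict after `voters` distinct clients vote clean."""
    cache = InsightCache(threshold)
    for i in range(voters):
        cache.report_clean(sha256_hex(SAMPLE), 1001, f"client-{i}")
    return cache.lookup(sha256_hex(SAMPLE), 1001)


def definition_bump_effect(threshold: int) -> str:
    """Votes reached under definition rev 1001 do not carry over to rev 1002."""
    cache = InsightCache(threshold)
    for i in range(threshold):
        cache.report_clean(sha256_hex(SAMPLE), 1001, f"client-{i}")
    return cache.lookup(sha256_hex(SAMPLE), 1002)


if __name__ == "__main__":
    cache = InsightCache(clean_vote_threshold=2)
    always_clean = lambda data: "clean"
    for cid in ("vdi-01", "vdi-02", "vdi-03"):
        print(cid, client_scan(cache, cid, SAMPLE, 1001, always_clean))
```

The threshold only helps against a small number of misbehaving voters; it does nothing about the transport problem in the post, where a tunnel without server certificate validation lets the verdicts themselves be altered in flight.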

Wiggly Wayne DDS
Sep 11, 2010



well you wanted enterprise security

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Cocoa Crispies posted:

WarDriver 40,000

the new warhammer 40k faction looking good.

vodkat
Jun 30, 2012



cannot legally be sold as vodka

Wiggly Wayne DDS posted:

pretty sure the private sector will try and use the money-saving angle, but there's literally no way this will save money. even small scale attempts to use localised moisture sensors to try and see how effective new damp-proofing installations are have resulted in overt privacy issues when put against a timescale (e.g. why is the bedroom getting high readings on a saturday night for 5 minutes?)

now the right way to tackle this is by tackling energy usage and teaching people how to use their heating device correctly for them.

can't wait to see the first housing association to be stupid enough to roll any of these out, because somewhere a vendor is attempting to grift

same but smartmeters can already rat you out for having an undeclared guest in the house etc

Schadenboner
Aug 15, 2011

by Shine

BangersInMyKnickers posted:

lol ok symantec here we go again

they have this thing called a shared insight cache, which at its core is just a big memory lookup table of process hashes, the definition rev, and the number of clients that voted it clean. so when things are doing disk scans, they can call back to this server and get a verdict on the file without doing the full scanning poo poo locally and expending those cycles. they sell it as a vdi optimization thing, but really you could use it for any system so long as they have a low latency connection to the server and .5mbit network overhead to spare.

the documentation is garbo with some kind of cert-less TLS implementation that you can intercept and then creds being passed inside that tunnel, but I guess you can increase the vote threshold before a hash is marked clean to minimize the risk of cache tampering. there's not any scaling guidelines to speak of so I'm profiling this thing to figure out what I have to throw at it and I see the client start spamming hundreds of new sockets against the cache instance. at one point in the scanning process, the client opens 100+ sockets to the cache listener, and it seems to happen at around the same point at the beginning of every scan, which means I can have 650 clients doing this at once before this stupid thing starts running off the rails for a failure mode I'm sure they didn't validate for.

for a company that claims to be an enterprise security vendor they sure do loving suck at it

This seems like a poor implementation of a good idea though? Does anything do this well/correctly/less-potato?

BONGHITZ
Jan 1, 1970

So, I'm closing this ticket, after all the drama.

Several remarks when closing:

macOS (from OP) is using the Sparkle framework, and not the code in src/, so it's totally OT,
the code in src/ checks the new PGP key based on the previous one, contrary to what Rodger Combs claims (comment 5); see Reddit for analysis,
the new update system is still in the works.
Serving the status over HTTPS (not the binary files) could only solve one issue, "upgrade to non-last version", in case we have 3.0.4 (not-vuln), 3.0.5 (vuln) and 3.0.6 (not-vuln) and the attacker does a replay attack, with a MITM, and serves 3.0.5 to the 3.0.4 version.
This is extremely rare in VLC-land where the very large majority of issues come from old code from VLC and libavcodec.

As VLC does not warn when it cannot contact the updates server, HTTPS will not solve the freeze version.

As for DSA, it is weak indeed, because you can brute-force decrypting, but to create a valid fake message is a different task. And the code supports RSA for the new system, as you can see in the source code file.

The system is not perfect, but is far from being broken as some people would like to pin.

Finally, this topic is covered in several other tickets.

If you have a precise point to make or security issue to report, use the security channel, not the bugtracker.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

It's a plenty good idea and why I'm trying to enable it, I'm just worried that it will poo poo itself when I have 20k clients all jabbering at it at once. If they were less-poo poo this would have a secure out of box config with some kind of cert validation of the server instead of blind-tls and some kind of rpc endpoint mapper to handle the socket limits that are loving obvious for any large-scale deployment. I have to assume that most products have something similar for optimization, though probably doing some kind of cloud lookup to the vendor's servers by deferring the actual scan of the file until it can get a verdict back on the file from the cloud or it times out and fails back to a local scan.

Shame Boy
Mar 2, 2010

BONGHITZ posted:

As for DSA, it is weak indeed, because you can brute-force decrypting, but to create a valid fake message is a different task.

... unless i'm mistaken, no it literally is not

Wiggly Wayne DDS
Sep 11, 2010



vodkat posted:

same but smartmeters can already rat you out for having an undeclared guest in the house etc
well ya but your smartmeter data shouldn't go to your landlord

i'm taking a viewpoint from a heavy social housing area where choice of energy supplier is delegated, but advice is available on cutting costs and thtc meters are encouraged. the only parties to see the energy use would be the tenant and energy company

to bring this back to secfuckup smart meters were pushed well before the tech was ready to hit milestones on carbon neutral targets. enjoy having smets1 devices in houses for decades as waiting a year wasn't politically viable

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Wiggly Wayne DDS posted:



to bring this back to secfuckup smart meters were pushed well before the tech was ready to hit milestones on carbon neutral targets. enjoy having smets1 devices in houses for decades as waiting a year wasn't politically viable

and this is bad because?

Wiggly Wayne DDS
Sep 11, 2010



a more thorough analysis: http://watt-logic.com/2018/06/13/smets2/

take note of gb-specific zigbee

Raere
Dec 13, 2007

BangersInMyKnickers posted:

It's a plenty good idea and why I'm trying to enable it, I'm just worried that it will poo poo itself when I have 20k clients all jabbering at it at once. If they were less-poo poo this would have a secure out of box config with some kind of cert validation of the server instead of blind-tls and some kind of rpc endpoint mapper to handle the socket limits that are loving obvious for any large-scale deployment. I have to assume that most products have something similar for optimization, though probably doing some kind of cloud lookup to the vendor's servers by deferring the actual scan of the file until it can get a verdict back on the file from the cloud or it times out and fails back to a local scan.

wouldn't randomizing scan times alleviate this problem? is that even possible in SEP?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Raere posted:

wouldn't randomizing scan times alleviate this problem? is that even possible in SEP?

yes, and no. it is a poo poo product.

Wiggly Wayne DDS
Sep 11, 2010



have you considered some sort of distributed ledger to handle this


Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS
http://blog.pear.php.net

quote:

A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it's back online.

If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If different, you may have the infected file.

There is no ETA for when the server will be back up.

lmao 6 months jfc
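Added example (not from the PEAR advisory or the pear/pearweb_phars repository) of the check the announcement asks for: hash the copy you downloaded and compare it against a known-good copy or a published hash. The file contents below are constructed stand-ins, not the real go-pear.phar, and the function names are invented:

```python
import hashlib
import hmac
import os
import tempfile


def file_sha256(path: str) -> str:
    """SHA-256 of a file, read in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_reference_file(local_path: str, reference_path: str) -> bool:
    """Compare the downloaded file against a clean copy of the same release."""
    return hmac.compare_digest(file_sha256(local_path), file_sha256(reference_path))


def matches_published_hash(local_path: str, published_hex: str) -> bool:
    """Compare against a hash string someone published; tolerate case and whitespace."""
    return hmac.compare_digest(file_sha256(local_path), published_hex.strip().lower())


def demo() -> tuple:
    """Write three constructed files and run both checks: an identical copy
    passes, a copy with extra bytes fails, and a known digest matches."""
    reference = b"<?php /* constructed clean installer stand-in */ echo 'ok';"
    tampered = reference + b" /* constructed appended bytes */"
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "go-pear.phar.reference")
        good = os.path.join(d, "go-pear.phar.downloaded-good")
        bad = os.path.join(d, "go-pear.phar.downloaded-bad")
        abc = os.path.join(d, "abc.bin")
        for path, data in ((ref, reference), (good, reference), (bad, tampered), (abc, b"abc")):
            with open(path, "wb") as f:
                f.write(data)
        # sha256("abc") is a standard test vector; given here in uppercase with
        # padding to show the normalisation in matches_published_hash
        published = "  BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n"
        return (
            matches_reference_file(good, ref),
            matches_reference_file(bad, ref),
            matches_published_hash(abc, published),
        )


if __name__ == "__main__":
    good_ok, bad_ok, vector_ok = demo()
    print("identical copy matches:", good_ok)
    print("tampered copy matches:", bad_ok)
    print("published test vector matches:", vector_ok)
```

A hash match only proves the two copies are identical, so the reference copy has to come from a source you trust independently of the compromised server, which is why the advisory points at the GitHub repository rather than the website.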
