|
Sickening posted:I don’t see the benefit to be this emotionally invested. Facebook intentionally works to be part of people’s emotional landscape, so it’s not uncommon whether it’s valuable or not.
|
# ? Feb 23, 2019 16:38 |
|
Subjunctive posted:I think Facebook has enough documented bullshit by this point to be condemned pretty soundly on several fronts. (Boris seems to not want to raise any of those, though, which is an odd strategy.) I wanted (want) to know if clipboard upload has changed to be one of those cases, and I know apseudonym can cut through folklore to evidence (if I’m interpreting his post correctly in the first place), that’s all. I still periodically have chastising conversations with FB C-suite and VPs about their bullshit. I know they are hosed up. I just want to know if they hosed this specific thing up, because I have a direct historical relationship to it.
|
# ? Feb 23, 2019 17:37 |
|
If you want to talk infosec or make any remote claim that you work in this field, loving post proof/evidence for your wild rear end claims or shut the gently caress up. This field doesn't operate on your hyperbolic assumptions and biases.
|
# ? Feb 23, 2019 17:39 |
|
CLAM DOWN posted:If you want to talk infosec or make any remote claim that you work in this field, loving post proof/evidence for your wild rear end claims or shut the gently caress up. This field doesn't operate on your hyperbolic assumptions and biases. It's 'cool' if you really want to defend implementations that send your password to any application on the device that wants to listen for it, but you continue to miss the point.
|
# ? Feb 23, 2019 17:45 |
|
apseudonym posted:
Can you show me where I stated a stance on either side of this topic? "Present evidence for your claims" isn't defending anything wtf
|
# ? Feb 23, 2019 17:46 |
|
CLAM DOWN posted:Can you show me where I stated a stance on either side of this topic? "Present evidence for your claims" isn't defending anything wtf You seemed to take a pretty hostile stance to my rant that using the clipboard for a password manager is straight up insane, which I assumed was a defense of that implementation -- because I've had this argument elsewhere recently. If it was a hostile stance at my poo poo posting then let's move along to the next thing.
|
# ? Feb 23, 2019 17:48 |
|
ya all of your recent posts are getting overly defensive at clipboards and the autofill api
not as defensive as boris though
|
# ? Feb 23, 2019 17:50 |
|
Wiggly Wayne DDS posted:ya all of your recent posts are getting overly defensive at clipboards and the autofill api It makes me angry that a password manager would do that not gonna lie.
|
# ? Feb 23, 2019 17:52 |
|
apseudonym posted:You seemed to take a pretty hostile stance to my rant that using the clipboard for a password manager is straight up insane, which I assumed was a defense of that implementation -- because I've had this argument elsewhere recently I'm not defending poo poo. I'm hostile to your worthless shitposting, correct.
|
# ? Feb 23, 2019 17:52 |
|
CLAM DOWN posted:I'm not defending poo poo. I'm hostile to your worthless shitposting, correct. Then in non rant form: There is no valid reason, except , to use the clipboard for a password manager on Android, there are multiple alternative approaches that span all versions, and to do so is a reckless way to handle user passwords. Happy?
|
# ? Feb 23, 2019 17:59 |
|
apseudonym posted:Then in non rant form: And that's exactly why I mentioned that autofill that they introduced I think in Oreo addresses the clipboard weakness? And I think iOS has an autofill thing too? What even is your point?
|
# ? Feb 23, 2019 18:14 |
|
CLAM DOWN posted:And that's exactly why I mentioned that autofill that they introduced I think in Oreo addresses the clipboard weakness? And I think iOS has an autofill thing too? What even is your point? The point is "there is no reason to use the clipboard for this on any version of Android". Autofill in O is the right way to do this, but the standard response to sending people there is "but that's not on enough devices yet", which is a fair point for an app developer to make. Even with that though on older devices they should be using things like a custom ime or accessibility services (you see good password managers implementing these or similar), not the clipboard.
On O+ Autofill is great (and someday I'll effort post in yospos how it works) and is designed with properly handling passwords inside the Android security model in mind, so yes that's the thing they should obviously use if they can. I was specifically ranting about clipboard being dumb even if you didn't have that.
apseudonym fucked around with this message at 18:33 on Feb 23, 2019 |
# ? Feb 23, 2019 18:29 |
|
CLAM DOWN posted:This field doesn't operate on your hyperbolic assumptions and biases. Lmao that's crazy of course it does.
|
# ? Feb 23, 2019 18:36 |
|
Blinkz0rz posted:Lmao that's crazy of course it does. Given how much I rant about how lovely the security industry is for the straight up off the mark crazy (e.g. the current poorly written freakout about analytics going around) it's a fair enough call-out.
|
# ? Feb 23, 2019 18:38 |
|
Subjunctive posted:I’m asking because a) I know it wasn’t transmitted when that was first added, and b) because I want to yell at people there if it is now. (Similarly with Chrome, whose parent also had a network-interposing research app using enterprise certificates app until FB got in trouble. I have better people to yell at for FB though.)
|
# ? Feb 23, 2019 19:25 |
|
evil_bunnY posted:Did you yell at your FB peeps about the vpn app? I yelled about Onavo when I was there and killed a crazy plan to bundle it with the main app on Android, and several times since I’ve left. Most people I know there think that team are dangerous and not very bright (their HTTP proxy engine — the whole point of the thing really — was historically very fragile and repeatedly kept us from rolling out networking improvements in the apps). And yet they keep getting to do stuff. E: FWIW the internal threads about the cert being revoked were 95% “well we loving deserve it” and 4% “but google has one too!”, I’m told. Subjunctive fucked around with this message at 19:43 on Feb 23, 2019 |
# ? Feb 23, 2019 19:40 |
|
apseudonym posted:I don't know if FB uploads the URLs without interaction, I was being somewhat hyperbolic trying to emphasize that clipboard listeners make clipboard based password managers insane. You gotta tell me when to not take you literally, friend. Maybe we can agree on an emoji signal. I’m gonna try to get a friend to take over the source watch I had on clipboard calls anyway, though.
|
# ? Feb 23, 2019 19:42 |
|
CLAM DOWN posted:If you want to talk infosec or make any remote claim that you work in this field, loving post proof/evidence for your wild rear end claims or shut the gently caress up. This field doesn't operate on your hyperbolic assumptions and biases. What does proof of working in the field entail? (Historically some pieces of the field actually have bent to my biases, probably mostly to our mutual detriment. I wouldn’t be surprised if the same were true of apseudonym, minus the detriment.)
|
# ? Feb 23, 2019 19:46 |
|
Subjunctive posted:You gotta tell me when to not take you literally, friend. Maybe we can agree on an emoji signal. Sorry about that, off my shitposting game, how about ? Subjunctive posted:What does proof of working in the field entail? , TLS usage is way up, insecure TLS usage is way way down, work stress levels more or less unchanged. As for the VPN thing, the pure research version is a lot less interesting to me than what it used to be which IMO didn't make it clear to users they were being spied on. I at least now have good ammunition against the endless claim that VPNs are the solution. apseudonym fucked around with this message at 19:59 on Feb 23, 2019 |
# ? Feb 23, 2019 19:57 |
|
Blinkz0rz posted:Lmao that's crazy of course it does. You're right, I should have used the word "shouldn't".
|
# ? Feb 23, 2019 22:23 |
|
Subjunctive posted:killed a crazy plan to bundle it with the main app on Android
|
# ? Feb 26, 2019 13:27 |
|
OK, so if you had to speculate, what does the following represent?code:
|
# ? Feb 26, 2019 17:35 |
|
Bitcoin wallet
|
# ? Feb 26, 2019 18:18 |
|
AlternateAccount posted:OK, so if you had to speculate, what does the following represent? How'd you get my wifi password?
|
# ? Feb 26, 2019 18:27 |
|
AlternateAccount posted:OK, so if you had to speculate, what does the following represent? That's my SA password?!
|
# ? Feb 26, 2019 18:31 |
|
AlternateAccount posted:OK, so if you had to speculate, what does the following represent? Don't doxx me (base64 encoded string?)
|
# ? Feb 26, 2019 18:33 |
|
AlternateAccount posted:OK, so if you had to speculate, what does the following represent? A miserable pile of secrets
|
# ? Feb 26, 2019 18:40 |
|
It's a public key block, right?
|
# ? Feb 26, 2019 19:06 |
|
Jeoh posted:Don't doxx me Looks to me like an SSL cert encoded into base64 for a Cisco ASA. I wish to God I didn't know that.
|
# ? Feb 26, 2019 19:13 |
|
Thanks for the guessing, I really don't know what it is, I hadn't gotten any further than some kind of base64 string that didn't decode into anything readable. It uhhh... turned up in an AD attribute, so I was trying to figure out wtf it was.
Jedi425 posted:Looks to me like an SSL cert encoded into base64 for a Cisco ASA. How do you know it's specifically a Cisco ASA thing?
|
# ? Feb 26, 2019 19:24 |
|
It's the continue code for the last level of Battle Toads NES. e: does the trailing == mean anything? I feel like I've seen it before but that's probably my pattern matching in overdrive.
|
# ? Feb 26, 2019 19:26 |
|
AlternateAccount posted:Thanks for the guessing, I really don't know what it is, I hadn't gotten any further than some kind of base64 string that didn't decode into anything readable. It uhhh... turned up in an AD attribute, so I was trying to figure out wtf it was. I don't, but every time in my life I have seen one of those it's been for setting up a trustpoint on an ASA. As far as I know, the ASA is the only device that requires you to install certs via the CLI in base64 format. (I think ASDM can do regular people certificates but gently caress the ASDM.) I hate them.
|
# ? Feb 26, 2019 19:31 |
|
base64 strings are padded to a certain length with trailing equals signs if necessary. It's just part of the format.
|
# ? Feb 26, 2019 19:33 |
|
Jedi425 posted:I don't, but every time in my life I have seen one of those it's been for setting up a trustpoint on an ASA. As far as I know, the ASA is the only device that requires you to install certs via the CLI in base64 format. (I think ASDM can do regular people certificates but gently caress the ASDM.) I hate them. Yeah but you wouldn't... stick it in an AD attribute for that....
|
# ? Feb 26, 2019 19:38 |
|
AlternateAccount posted:Yeah but you wouldn't... stick it in an AD attribute for that.... What's the attribute called? (When I guessed, I didn't know you'd found it in AD. )
|
# ? Feb 26, 2019 19:47 |
|
Jedi425 posted:What's the attribute called? (When I guessed, I didn't know you'd found it in AD. ) Additionally, is it on a computer or a user?
|
# ? Feb 26, 2019 19:52 |
|
Jedi425 posted:What's the attribute called? (When I guessed, I didn't know you'd found it in AD. ) I hope it's userCertificate.
|
# ? Feb 26, 2019 19:57 |
|
So in an effort to get back into doing fun coding things again, I'm going to probably demonstrate how I worked with breach data via Twitch streams. Still trying to come up with an angle I like but I feel like it's time to let people know that I am a terrible software developer and have bad ideas on how I approached the entire mess. I'm not going to release the Canario source code but I'll probably rewrite it for funsies and dump that on Github as I go along.
|
# ? Feb 27, 2019 00:02 |
|
Cup Runneth Over posted:It's a public key block, right? Public key blocks usually start with "MI". This is an unknown encrypted/compressed block that has been encoded to base64. Utils I'm using is not seeing this as any normal compression so going with encrypted now since the de-base64 output entropy is very high.
|
# ? Feb 27, 2019 00:45 |
|
Lain Iwakura posted:So in an effort to get back into doing fun coding things again, I'm going to probably demonstrate how I worked with breach data via Twitch streams. Still trying to come up with an angle I like but I feel like it's time to let people know that I am a terrible software developer and have bad ideas on how I approached the entire mess.
I doubt you're worse than me. My whole approach:
hack at the keyboard until it works
does it work every time (trap exceptions)
repeat last step until it runs all the way
am I getting results that look like they might be correct
Done.
Solicit input from team members? NO BECAUSE I SAID IT WAS DONE
|
# ? Feb 27, 2019 01:33 |