|
quote:To which I'd like to add: I have never in my adult life wished violence on any human being. I have witnessed too much of it and its barbaric effects, stood by the graves of too many people cut down too young. I do not hate you and I do not wish any harm to befall you. 
|
#
?
Jun 29, 2019 20:43
|
|
|
|
| # ? May 31, 2024 22:32 |
|
|
I thought hard about including that quote but it was already long enough. That's absolutely the right response to someone exploting a *checks notes* 3750-day attack.
|
|
#
?
Jun 29, 2019 20:51
|
|
|
Well, if somebody signed a key 150,000 times, why can’t you verify it 150,000 times? Seems reasonable to me. 
|
|
#
?
Jun 29, 2019 22:05
|
|
|
It gets quote:I don't even know what to call this attacker. There are no polite words. There is only "this sonufabitch." quote:We ignored them, which was the right thing to do. You don't let people who don't understand problems dictate which problems will be solved. What do you mean that it falls afoul of laws? Censorship  quote:Special criticism goes to the Electronic Frontier Foundation, which paid Micah Lee to publish premade attack tools to exploit these design misfeatures in the keyserver network. Oh, sure, "academic freedom" and "it was about research". quote:Let me make it clear, I'm not accusing that guy of being the responsible party. I don't have evidence to support that, or any other attribution. That jerk's raw sense of entitlement, and his callous talk about how he's vandalized certificates in the past, is not unusual to see among GnuPG's users. It's a long list.  quote:But I tremble with fear for how people I know in hostile regimes are currently at risk of having their tools broken — and then I look at the preening self-righteousness of those louts who feel entitled to burn things down just to make a point. Harik fucked around with this message at 22:34 on Jun 29, 2019 |
|
#
?
Jun 29, 2019 22:29
|
|
|
quote:We ignored them, which was the right thing to do. You don't let people who don't understand problems dictate which problems will be solved.  quote:All it took to strike down a keyserver in the EU was a couple of pages of privacy directive Or, as we call it in English, a law. e: See Rakshazi's comment, which is a thing of glory. quote:Hello, @rjh Arsenic Lupin fucked around with this message at 22:47 on Jun 29, 2019 |
|
#
?
Jun 29, 2019 22:41
|
|
|
Not since the gamers have I seen a man so angry that we live in a society
|
|
#
?
Jun 29, 2019 22:47
|
|
|
Oh, and if you're curious, here's the post he's ranting about. (Apparently my Google-fu is good enough. So proud.) This is a reply to rjh, who is saying some really dumb things.quote:
I don't read this as a direct threat so much as a "this situation is screwed up, consider this hypothetical as it pertains to you".
|
|
#
?
Jun 29, 2019 22:56
|
|
|
im the academic freedom doesn't actually mean academic freedom argument.
|
|
#
?
Jun 29, 2019 23:41
|
|
|
im the recommending a known-broken security tool with trivial tracking capabilities to dissidents in hostile regimes
|
|
#
?
Jun 30, 2019 01:13
|
|
|
Saying "This is critical for democracy in authoritarian nations" is just their way of trying to feel like what they do is anything more than letting nerds poorly cosplay as spies.
|
|
#
?
Jun 30, 2019 15:52
|
|
|
Volmarias posted:Saying "This is critical for democracy in authoritarian nations" is just their way of trying to feel like what they do is anything more than letting nerds poorly cosplay as spies. I wish that's all it was. They've deluded themselves into thinking hiding the body of the message is enough, and built a system that anyone at all can use to map the contacts of dissidents and any authoritarian regime can trivially snoop to ping alerts when someone gets in contact with any of the well-known NGOs or journalists covering their country. All that on top of the impressive array of footguns the overly complex techno-nerd system leaves loaded with a hair trigger.
|
|
#
?
Jun 30, 2019 18:23
|
|
|
Yes, but are they blockchain footguns?
|
|
#
?
Jun 30, 2019 18:25
|
|
|
https://twitter.com/campuscodi/status/1145367923407458304 I heard killing the messenger solves the problem every time.
|
|
#
?
Jun 30, 2019 19:21
|
|
|
Absurd Alhazred posted:https://twitter.com/campuscodi/status/1145367923407458304 I feel like downloading all the records was a bit excessive.
|
|
#
?
Jul 1, 2019 05:23
|
|
|
PBS posted:I feel like downloading all the records was a bit excessive. Hard to downplay how bad the breech was when the proof of concept was "every record".
|
|
#
?
Jul 1, 2019 09:07
|
|
|
Absurd Alhazred posted:https://twitter.com/campuscodi/status/1145367923407458304 This was a really irresponsible way to disclose, I understand why he's facing legal consequences.
|
|
#
?
Jul 1, 2019 14:57
|
|
|
Found a cool tool for your Pen Testing lab: Generates usernames/passwords for AD: https://stealingthe.network/rapidly-creating-fake-users-in-your-lab-ad-using-youzer/
|
|
#
?
Jul 1, 2019 16:07
|
|
|
CommieGIR posted:Found a cool tool for your Pen Testing lab: Generates usernames/passwords for AD: I was all "why wouldn't you just write this yourself in PowerShell" until I realized it pulled from real world password lists which is admittedly pretty cool.
|
|
#
?
Jul 1, 2019 16:29
|
|
Cat Army
|
The Iron Rose posted:I was all "why wouldn't you just write this yourself in PowerShell" until I realized it pulled from real world password lists which is admittedly pretty cool. Why would you need a script to just put in "password1" for 40% of your hypothetical users?
|
|
#
?
Jul 1, 2019 22:26
|
|
|
BUG JUG posted:Why would you need a script to just put in "password1" for 40% of your hypothetical users? "Password123!" on the other hand...
|
|
#
?
Jul 2, 2019 17:46
|
|
|
https://twitter.com/gossithedog/status/1146885884928843776?s=21
|
|
#
?
Jul 6, 2019 00:12
|
|
|
You all should do some basic apk decompile testing on new apps because it is not uncommon to find really easy attacks. a "built to be vulnerable" practice lab like Hackazon (great lab for both android and webserver practice- it has a great randomization feature where the same attack will not always work) has harder to find vulns compared to an new app that forgot to turn off the login for the bug monitoring service inside their build which has the default creds preloaded.
|
|
#
?
Jul 6, 2019 14:51
|
|
|
Google Push 2FA seems like a flaky service. I tried initiating from my work G Suite and my personal Gmail just now, not popping up on my just-rebooted android. This has happened once before last month, it just started working on its own again 30mins later. edit: it just started working again. Flaky as gently caress. Bald Stalin fucked around with this message at 22:26 on Jul 7, 2019 |
|
#
?
Jul 7, 2019 22:16
|
|
|
In what amounts to less fuckup, more impressive work - it seems someone has managed to reverse engineer a local privilege escalation based on the description provided by Peter Holm (the FreeBSD developer who initially informed the security officer):K³ at Secfault Security posted:In February 2019 the FreeBSD project issued an advisory about a possible vulnerability in the handling of file descriptors. Maybe it'll help with the PS4 homebrew scene? OrbisOS is FreeBSD 9.x and they've been struggling with escaping jails for years and years, without much success.
|
|
#
?
Jul 8, 2019 21:05
|
|
|
D. Ebdrup posted:In what amounts to less fuckup, more impressive work - it seems someone has managed to reverse engineer a local privilege escalation based on the description provided by Peter Holm (the FreeBSD developer who initially informed the security officer): based on my work in hosting, only thing most systems use zfs for is filers
|
|
#
?
Jul 8, 2019 23:37
|
|
|
The Zoom video conferencing app for Mac is a giant clusterfuck, apparently: * silently props up an HTTP server that isn't cleared out by uninstalling the app and loads at startup * automatically reinstalls the app and joins a meeting when a Zoom link is activated in the user's browser (requires no user interaction beyond visiting a page) * automatically connects the user to a call with video and audio enabled These are all "features", of course. https://twitter.com/RayRedacted/status/1148377787516030978
|
|
#
?
Jul 9, 2019 04:21
|
|
|
I know people in here were talking about hashivault. Is that the kind of thing that could be deployed via bash and/or python? I'm doing it on AWS, trying to knock out a few birds with one stone by working on an AWS cert, doing a hashivault implementation in a free tier instance as a proof of concept, and learning bash or python for a personal project and so I know WTF I'm doing if I go to a Linux shop.
|
|
#
?
Jul 9, 2019 04:30
|
|
|
https://twitter.com/mathowie/status/1148391109824921600
|
|
#
?
Jul 9, 2019 04:39
|
|
|
“Deployed via bash/python” doesn’t make a ton of sense. New clusters will generally be spun up manually(-ish) so that root tokens, unseal keys, etc can be secured and distributed. New servers in a cluster will be spun up using whatever: docker container, AMI, maybe puppet or ansible, maybe terraform will he involved for infrastructure spinup. Any of those could automate things in bash or python or anything else, but programming languages are not themselves deployment pipelines.
|
|
#
?
Jul 9, 2019 05:29
|
|
|
I can't believe that Zoom issue. Saw it earlier. That's so egregious, a reasonable response is up there with "banning all Zoom software from our network for a long time. "
|
|
#
?
Jul 9, 2019 06:48
|
|
|
22 Eargesplitten posted:I know people in here were talking about hashivault. Is that the kind of thing that could be deployed via bash and/or python? I'm doing it on AWS, trying to knock out a few birds with one stone by working on an AWS cert, doing a hashivault implementation in a free tier instance as a proof of concept, and learning bash or python for a personal project and so I know WTF I'm doing if I go to a Linux shop. Here, codified terraform vault cluster in aws using AMIs: https://github.com/hashicorp/terraform-aws-vault Bash script to install vault: https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/install-vault Bash script to run vault: https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/run-vault Also Ansible if you want Python instead: https://github.com/TerryHowe/ansible-modules-hashivault
|
|
#
?
Jul 9, 2019 07:14
|
|
|
RFC2324 posted:based on my work in hosting, only thing most systems use zfs for is filers Welp, I hope they've got their fleets up-to-date, then.
|
|
#
?
Jul 9, 2019 09:48
|
|
|
D. Ebdrup posted:Really? Because the hosts I know all use ZFS for provisioning and easy rollback. I wish, we use what the customer wants, and neither our sales or our customers know what zfs is
|
|
#
?
Jul 9, 2019 10:32
|
|
|
RFC2324 posted:I wish, we use what the customer wants, and neither our sales or our customers know what zfs is In other news, this is pretty impressive: Mor Levi, Assaf Dahan, and Amit Serper at CyberReason posted:Earlier this year, Cybereason identified an advanced, persistent attack targeting telecommunications providers that has been underway for years, soon after deploying into the environment.
|
|
#
?
Jul 9, 2019 16:56
|
|
|
what's impressive?
|
|
#
?
Jul 9, 2019 17:03
|
|
|
Achmed Jones posted:“Deployed via bash/python” doesn’t make a ton of sense. New clusters will generally be spun up manually(-ish) so that root tokens, unseal keys, etc can be secured and distributed. New servers in a cluster will be spun up using whatever: docker container, AMI, maybe puppet or ansible, maybe terraform will he involved for infrastructure spinup. Any of those could automate things in bash or python or anything else, but programming languages are not themselves deployment pipelines. Sorry, I meant would it be feasible to do the whole thing through a CLI as a fairly fresh CLI user (mostly Windows cmd and PowerShell) or would that just be masochistic? Not so much automating as avoiding the GUI. Because everyone knows real gurus have dusty mice.
|
|
#
?
Jul 9, 2019 18:58
|
|
|
Haha, CLIs https://github.com/webpack/webpack-cli/issues/962
|
|
#
?
Jul 9, 2019 19:03
|
|
|
Anyone here ever used Zoom on a Mac or support Mac users? https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/
|
|
#
?
Jul 9, 2019 20:11
|
|
|
Ranter posted:Anyone here ever used Zoom on a Mac or support Mac users? A HTTP server for every application! A dream has come to life!
|
|
#
?
Jul 9, 2019 20:25
|
|
|
|
| # ? May 31, 2024 22:32 |
|
|
A HTTP server? In MY vpn??
|
|
#
?
Jul 9, 2019 20:36
|
|