EVIL Gibson posted:I have views of VPNs but I will come off as a paranoid schizo referencing post-WW2 treaties...

Aug 30, 2019 19:44

The Iron Rose posted:Only if you keep the same VM or use an elastic IP, but yes they can certainly tie traffic from that IP address to a new set of browsing data. They can't get your real world identity from just an EC2 IP address though, which is all I'm trying to say. It depends who “they” is here, right? If you are using your VPN to connect to mycrimes.ru and AWS gets a subpoena asking who had 4.2.0.0 on June 9, they should be able to easily make that connection (depending on Amazon’s log retention policies etc). But yeah some rando advertiser won’t have the data to make that connection unless you build up a browsing history from that same IP over time. Which you can mitigate by deleting and rebuilding your VM to force a new public IP.
|
Aug 30, 2019 19:45
|
Docjowles posted:It depends who “they” is here, right? If you are using your VPN to connect to mycrimes.ru and AWS gets a subpoena asking who had 4.2.0.0 on June 9, they should be able to easily make that connection (depending on Amazon’s log retention policies etc). But yeah some rando advertiser won’t have the data to make that connection unless you build up a browsing history from that same IP over time. Which you can mitigate by deleting and rebuilding your VM to force a new public IP. Well, I doubt .ru addresses respond to subpoenas often...
|
Aug 30, 2019 20:03
|
EVIL Gibson posted:I have views of VPNs but I will come off as a paranoid schizo referencing post-WW2 treaties... Hey, I never let that stop me. And let your tinfoil freak flag fly.
|
Aug 30, 2019 20:52
|
I know nothing about STUN/TURN technology, except that they somehow, magically, allow two computers behind a NAT to talk to one another. It works, it's awesome. It doesn't seem to work when I'm connected via VPN though. Is that a problem of the VPN provider I'm using (nordvpn)? Is that a technology limitation? Background, albeit irrelevant, but I gotta brag: I made a webapp to showcase my company's latest object recognition technology, where we show crap we identified from the user's webcam stream in realtime. Essentially, you point your browser to the URL we give you, allow webcam access and we paint on the video stuff we identified. You dance in front of the camera and the app follows you (for example). This requires the WebRTC technology found in newer browsers, since it works over UDP and is a lot faster than just plain websockets (a lot faster). This WebRTC technology is using STUN/TURN servers to connect via UDP two clients (it's originally made for peer to peer video streaming) that are behind a NAT. I am using for this little demo the Google public STUN servers. If it gets remotely serious I'll host my own, but for now Google will do. And I tested it today from home: On my plain connection, it works fine. I connected via VPN, just to see what the latency would be and what's the impact: no dice. The connection doesn't get made. Why? What's the deal?
|
Aug 30, 2019 23:09
|
IIRC webrtc/stun/turn is considered a glaring vulnerability in the VPN world
|
Aug 31, 2019 00:01
|
Raenir Salazar posted:Clearly the only reliable method of security is carrier pigeons. Adding chaos to UDP is not a terrible idea.
|
Aug 31, 2019 00:10
|
Nah it's already figured out: https://tools.ietf.org/html/rfc1149
|
Aug 31, 2019 00:45
|
lmao @jack was hacked https://twitter.com/TwitterComms/status/1167591003143847936
|
Aug 31, 2019 03:05
|
SIM hijack?
|
Aug 31, 2019 03:52
|
xtal posted:SIM hijack? The "security oversight" was probably the CSR following the contradictory orders of "don't do anything to the account if the customer doesn't remember their password" and "you must help the customer reset the password if they are too dumb to remember their password". All I needed to reset my own account password was the super secret information of my SSN and DOB so I don't think this is far fetched.
|
Aug 31, 2019 05:00
|
Volguus posted:I know nothing about STUN/TURN technology, except that they somehow, magically, allow two computers behind a NAT to talk to one another. It works, it's awesome. It doesn't seem to work when I'm connected via VPN though. Is that a problem of the VPN provider I'm using (nordvpn)? Is that a technology limitation? It depends on how aggressive the NAT is, it'll work behind some VPNs but not others. Nord claims that you can still use WebRTC over their VPN, so I don't know why it's failing for you.
|
Aug 31, 2019 06:26

Mustache Ride posted:Nah it's already figured out: https://tools.ietf.org/html/rfc1149 Dylan16807 posted:It depends on how aggressive the NAT is, it'll work behind some VPNs but not others. Nord claims that you can still use WebRTC over their VPN, so I don't know why it's failing for you. ..although adding NAT to a network doesn't make it better either, so. The trick to getting WebRTC and other traffic inside the tunnel is to use the OS to redirect all traffic through the tunnel, which at least can be done on every OS I know of with IPSec, and I believe can be done with OpenVPN too if it's configured properly. Or set up your gateway device with the VPN connection, that works too.

Aug 31, 2019 11:03
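Two posts above make the same point from different angles: STUN is "a glaring vulnerability in the VPN world" because the STUN server reports whatever address your UDP packets actually left from, tunnel or not, and the fix is to force all traffic (UDP included) through the tunnel at the OS or gateway level. The following is an added Python example, not code from the thread or from any VPN vendor: it builds an RFC 5389 Binding Request, parses the XOR-MAPPED-ADDRESS out of the reply (a sample reply is constructed inline so the parser can be exercised offline), and compares the reflexive address against the VPN exit address you expect. All function names, the sample addresses and the `udp_bypasses_tunnel` check are my own; the default `stun.l.google.com:19302` is a public Google STUN server, which is an assumption on my part since the thread only says "Google public STUN servers".

```python
import ipaddress
import os
import socket
import struct

# RFC 5389 constants
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txn_id=None):
    """Binding Request: type, zero body length, magic cookie, 96-bit transaction id."""
    txn_id = os.urandom(12) if txn_id is None else txn_id
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txn_id


def build_binding_success(txn_id, ip, port):
    """Encode a Binding Success carrying XOR-MAPPED-ADDRESS, as a STUN server would.
    Used here only to construct a sample response for offline testing."""
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ STUN_MAGIC_COOKIE
    # reserved byte, family 0x01 = IPv4, X-Port, X-Address
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + txn_id + attr


def parse_reflexive_address(response, expected_txn_id):
    """Return the (ip, port) the server saw us arrive from: the server-reflexive address."""
    if len(response) < HEADER_LEN:
        raise ValueError("truncated STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", response[:8])
    if cookie != STUN_MAGIC_COOKIE or response[8:HEADER_LEN] != expected_txn_id:
        raise ValueError("not a STUN response to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    body = response[HEADER_LEN:HEADER_LEN + msg_len]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
            continue
        if len(value) < 8 or value[1] != 0x01:  # only IPv4 handled in this example
            continue
        _, _, port, addr = struct.unpack("!BBHI", value[:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= STUN_MAGIC_COOKIE >> 16
            addr ^= STUN_MAGIC_COOKIE
        return str(ipaddress.IPv4Address(addr)), port
    raise ValueError("no mapped address attribute in response")


def udp_bypasses_tunnel(reflexive_ip, vpn_exit_ip):
    """True when the address the STUN server saw is not the VPN egress address,
    i.e. UDP is leaving the host outside the tunnel (the WebRTC "leak")."""
    return ipaddress.ip_address(reflexive_ip) != ipaddress.ip_address(vpn_exit_ip)


def query_stun(host="stun.l.google.com", port=19302, timeout=3.0):
    """Live check: one Binding Request over UDP, returns the reflexive (ip, port).
    Assumed default: a public Google STUN server."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txn_id), (host, port))
        data, _ = sock.recvfrom(2048)
    return parse_reflexive_address(data, txn_id)


if __name__ == "__main__":
    import sys
    ip, port = query_stun()
    print(f"reflexive address: {ip}:{port}")
    if len(sys.argv) > 1:  # optional: the VPN exit address to compare against
        leaking = udp_bypasses_tunnel(ip, sys.argv[1])
        print("UDP leaves outside the tunnel" if leaking else "UDP goes through the tunnel")
```

Run it once on the plain connection and once with the VPN up, passing the VPN's exit address as the argument. If the reflexive address the STUN server reports is still your ISP address while the tunnel is connected, UDP is not being routed through the VPN, which is the case the OS-level "send everything through the tunnel" route (or a gateway that terminates the VPN) is meant to fix; if it reports the VPN exit address but the WebRTC session still fails, the problem is the provider's NAT rather than a leak.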
|
D. Ebdrup posted:It's been figured out better. It worked just fine in that RFC.
|
Aug 31, 2019 18:06

astral posted:It worked just fine in that RFC.

Aug 31, 2019 21:14
|
I'm building a small website as a way of giving access to clueless users to the functionality of a script I wrote. Part of this requires me to request user credentials from them. The API I am using does not allow for me to redirect them to a login page to get a token. Are there any steps beyond setting up SSL encryption and properly configuring the username/password inputs that I need to take to protect my users' security? No user login data is stored on my servers, it is forwarded directly to the API to receive a token upon form submission. I don't store anything in a database.
|
Sep 1, 2019 05:25
|
Volmarias posted:The "security oversight" was probably the CSR following the contradictory orders of "don't do anything to the account if the customer doesn't remember their password" and "you must help the customer reset the password if they are too dumb to remember their password". All I needed to reset my own account password was the super secret information of my SSN and DOB so I don't think this is far fetched. yea it's something that happens a lot, and it's funny that it happened to the CEO of twitter
|
Sep 1, 2019 06:13
|
Cup Runneth Over posted:I'm building a small website as a way of giving access to clueless users to the functionality of a script I wrote. Part of this requires me to request user credentials from them. The API I am using does not allow for me to redirect them to a login page to get a token. Are there any steps beyond setting up SSL encryption and properly configuring the username/password inputs that I need to take to protect my users' security? No user login data is stored on my servers, it is forwarded directly to the API to receive a token upon form submission. I don't store anything in a database. Seems like a simple scenario. The only thing that pops into mind immediately is that, as with any web form, you should apply CSRF protections to ensure that the browsers of users tricked into visiting malicious sites cannot be tricked into unintentionally interacting with your script (especially important if you have any persistent state in your website, such as the user remaining logged in).
|
Sep 1, 2019 11:51
|
I would recommend doing SAML authentication/SSO if your infrastructure supports it and you think you might have the skills.
|
Sep 1, 2019 19:03
|
If you do password auth over a proxy, one thing is that you'll need to worry about it ending up in log files. Make sure it won't end up in the URL, especially.
|
Sep 1, 2019 19:07
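The two pieces of advice given to Cup Runneth Over above (CSRF protection on the credential form, and making sure the password never lands in a URL or a log file) fit together in one small handler. The following is an added Python example, not code from the thread or from the poster's site: it issues an HMAC-bound CSRF token that needs no server-side storage, verifies it in constant time, refuses any request that carries credentials in the query string, and writes a log line that names the form fields but never their values. The function names, the `session` cookie, the `csrf_token` field and the `forward_credentials` callable (which stands in for the real API call) are my assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Assumption: a single server process. A multi-process deployment would load a
# shared secret from configuration instead of generating one at start-up.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a CSRF token stays valid
SENSITIVE_FIELDS = {"password", "passwd", "pass", "token", "api_token"}


def issue_csrf_token(session_id, now=None):
    """Token bound to the session id with an HMAC; nothing is stored server-side."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}:{ts}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{mac}"


def verify_csrf_token(token, session_id, now=None, ttl=TOKEN_TTL):
    """Recompute the MAC for this session, compare in constant time, reject expired tokens."""
    try:
        nonce, ts_text, mac = token.split(".")
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= ttl:
        return False
    msg = f"{session_id}:{nonce}:{ts}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def log_line_for(method, url, form):
    """Access-log entry: path without query string, field names only, never values."""
    path = urlsplit(url).path
    fields = ",".join(sorted(k for k in form if k not in SENSITIVE_FIELDS))
    return f"{method} {path} fields={fields}"


def handle_login(method, url, form, cookies, forward_credentials, now=None):
    """Proxy the credential form to the upstream API. Returns (status, body, log_line).

    forward_credentials(username, password) -> API token; stands in for the real call.
    """
    if method != "POST":
        return 405, "POST only", log_line_for(method, url, {})
    # Credentials in the query string end up in server, proxy and browser logs: refuse.
    if SENSITIVE_FIELDS & set(parse_qs(urlsplit(url).query)):
        return 400, "credentials must be sent in the POST body, not the URL", log_line_for(method, url, {})
    session_id = cookies.get("session")
    if not session_id or not verify_csrf_token(form.get("csrf_token", ""), session_id, now):
        return 403, "missing or invalid CSRF token", log_line_for(method, url, form)
    username, password = form.get("username", ""), form.get("password", "")
    if not username or not password:
        return 400, "username and password required", log_line_for(method, url, form)
    api_token = forward_credentials(username, password)
    # Hand the token back to the client; the server keeps neither password nor token.
    return 200, api_token, log_line_for(method, url, form)
```

The `session` cookie here only needs to be a random value set on the user's first visit; the token is bound to it by the HMAC, so the server still stores nothing. Setting that cookie with `SameSite=Lax` or `Strict` and `Secure` is cheap defence in depth on top of the token, and the 400 on query-string credentials is deliberately a hard refusal rather than a redaction, because by the time the request reaches the handler the URL has usually already been written to a log somewhere.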
|
Visual simulation of Enigma machine in operation. Made me feel a pang that I can't share it with my father.
|
Sep 1, 2019 19:22
|
The Fool posted:I would recommend doing SAML authentication/SSO if your infrastructure supports it and you think you might have the skills. xtal posted:If you do password auth over a proxy, one thing is that you'll need to worry about it ending up in log files. Make sure it won't end up in the URL, especially. The API requires POST requests.
|
Sep 1, 2019 22:58
|
https://twitter.com/dnsprincess/status/1168274528650301441
|
Sep 2, 2019 01:52
|
Open the door I'm the wifi inspector
|
Sep 2, 2019 04:41
|
Sir are you aware your router is broadcasting an ssid? This is highly irregular. I’ll need to see your licence.
|
Sep 2, 2019 23:09
|
Soricidus posted:Sir are you aware your router is broadcasting an ssid? This is highly irregular. I’ll need to see your licence. Surly Community Security: Boy, that's sure a strange way to find those SSIDs. I remember when I had one of those SSIDs after that trip to Thailand in 1980. Burned my peter for weeks. edit: it's actually funny because you could probably wardrive so much better if you had the gear of those Big Brother TV license inspectors. I heard not only can they tell if you are receiving a signal but be able to point out which apartment has the pirate* TV. *I know, not really pirate but you need to pay your taxes for the BBC which I would gladly do since a lot of their programming, like the nature documentaries and various Whos, are awesome EVIL Gibson fucked around with this message at 23:06 on Sep 3, 2019

Sep 3, 2019 23:00
|
EVIL Gibson posted:Surly Community Security: Boy, thats sure a strange way to find those SSIDs. I remember when I had one of those SSIDs after that trip to Thailand in 1980. Burned my peter for weeks. TV license inspector? You gotta be loving kidding, right?
|
Sep 4, 2019 03:08
|
Wow that’s a blast from the past. I remember that story being a thing back in the CRT days; I thought the plausibility finally got too thin even for urban legends once everybody went LCD/LED/plasma/etc
|
Sep 4, 2019 03:21
|
RFC2324 posted:TV license inspector? You gotta be loving kidding, right? https://en.wikipedia.org/wiki/Television_licence A lot of countries do weird (to North Americans) things with their public tv funding. It makes me wonder if telethons are ever a thing there.
|
Sep 4, 2019 03:40
|
EVIL Gibson posted:Surly Community Security: Boy, thats sure a strange way to find those SSIDs. I remember when I had one of those SSIDs after that trip to Thailand in 1980. Burned my peter for weeks. The secret to how they detect unlicensed viewers is that they have a list of every address that doesn't have a license.
|
Sep 4, 2019 03:48
|
Achmed Jones posted:Wow that’s a blast from the past. I remember that story being a thing back in the CRT days; I thought the plausibility finally got too thin even for urban legends once everybody went LCD/LED/plasma/etc There is also a much simpler non-technical method that would have been very effective in the era of appointment television, and that's just to drive down the street at night watching the flickering glow coming through the curtains. If it matches what's on TV, they're probably watching TV. Maybe have a bumper with a distinct brightness and/or color profile that makes it easy to recognize playing at specific intervals. Obviously this would be less effective in the modern world of DVRs and only really works when it's properly dark out, but could still be used during late night news, sporting events, etc. Of course some of the claims that have been made about the capabilities of these vans get into Van Eck phreaking, like being able to identify someone watching licensed programming from a recording of any kind (videotape, DVR, computer). While still technically plausible I find it a lot harder to believe that they were doing it from vans for purposes of enforcing TV licensing.
|
Sep 4, 2019 16:06
|
They are also weird creepy assholes about it: Also consider that this is a YEARLY COST of $195 levied on every colo(u)r TV. That's a substantial portion of the cost of an average decent sized LCD. It's absolutely insane. AlternateAccount fucked around with this message at 16:54 on Sep 4, 2019

Sep 4, 2019 16:51
|
They couldn't update that motherboard photo?
|
Sep 4, 2019 18:06
|
Moey posted:They couldn't update that motherboard photo? Don't need to update your photos if your servers never change
|
Sep 4, 2019 19:33
|
AlternateAccount posted:They are also weird creepy assholes about it: Isn't it per-household? And $16 a month for everything BBC isn't outrageous.
|
Sep 4, 2019 20:53
|
Dylan16807 posted:Isn't it per-household? Wikipedia posted:As of April 2019, the licence fee is £154.50 for a colour and £52.00 for a black and white TV Licence. edit: you are correct. I fail at reading comprehension.
|
Sep 4, 2019 22:03
|
We're implementing a HRIS including payroll, all in one. I'm the only IT person on the project. HR are refusing to give me full admin access during development/testing, instead insisting that we do this incremental 'restrict all your access as much as possible until you hit a wall and then we'll take a day or two figuring out how to give you the additional access you need to get this ready by go-live date, but also go-live date will NOT be pushed out even if the IT aspects of this aren't ready' because they're worried I'm going to look up people's SSN and salary. I'm domain admin, admin of everything in our environment. I can do all sorts of poo poo to get to this data anyway. But this isn't the funny part to me. Now they've decided because it's also payroll that there's SOX implications and so HR/Payroll shouldn't be assigning their own elevated permissions in the HRIS, instead IT will receive a ticket/approval and then grant the access in HRIS to the HR/Payroll worker. So now my deliberately restricted custom role in HRIS can assign permissions. Including full admin permissions. To myself...
|
Sep 4, 2019 22:17
|
Ranter posted:But this isn't the funny part to me. Sounds like you're getting a raise!
|
Sep 4, 2019 23:21

What is the entry point for these scam popups? Is it a bad ad or actual malware on a machine? Windows Defender isn't showing any problems and windows updates are actually up to date. According to my mom, she had just done a yahoo search for weather and clicked on some of the results. Looking around in the browser history doesn't show anything objectionable.

Sep 5, 2019 04:46
|
rafikki posted:What is the entry point for these scam popups? Is it a bad ad or actual malware on a machine? Windows Defender isn't showing any problems and windows updates are actually up to date. According to my mom, she had just done a yahoo search for weather and clicked on some of the results. Looking around in the browser history doesn't show anything objectionable. Usually bad ads or something she clicked on.
|
Sep 5, 2019 05:06