
The Fool posted: Maybe setup Algo for yourself as a learning experience. I was interested in that at my last place; if I move somewhere that I have hardwired, reliable internet again (hopefully in a few months) I might pull my Pi out of storage and give it a whirl.

Feb 5, 2020 21:51

you can cloud host it for the cost of a beer/month

Feb 5, 2020 23:05

But then I wouldn't have a beer. You make a good point, I've got an AWS account and should really be working on learning that poo poo. Maybe I'll start figuring out how to do that at work tonight rather than watching YouTube. Yes, I get the irony in sending all of my data to one of the biggest datascrapers in the world in order to transmit it privately.

Feb 5, 2020 23:15

22 Eargesplitten posted: Yes, I get the irony in sending all of my data to one of the biggest datascrapers in the world in order to transmit it privately.

Have we tested in the courts whether Google/Amazon actually honor our requests to control our data when it's paid, e.g. a paying customer deletes a file and it's actually been deleted and not in some high-level Amazon black hole that Bezos or the feds can get it from later?

Feb 6, 2020 05:20
|
"The court finds in favor of the megacorp, now if you'll excuse me I'm going to fly to the house I just bought on lake Como, completely unrelated to this case."
|
# ? Feb 6, 2020 05:22 |

Yeah I feel like it goes a bit like that.

Feb 6, 2020 16:47

What's a good resource to get some more info as to what malware C&C might be getting hosted on a particular IP?

Feb 6, 2020 17:03

22 Eargesplitten posted: I've heard people talking about how VPNs would help get around ISPs throttling traffic post net neutrality death, is there any truth to that? Seems like it would be a minor amount of effort for a company as big as Comcast to keep track of known VPN nodes and throttle them.

It is relatively trivial (and can be fairly automated) to get your own VPS with a public IP and run OpenVPN via a non-default port on it. Not sure it's worth the effort of blacklisting a few thousand? Hundred thousand? IPs on their part.

Feb 6, 2020 17:15

cr0y posted: What's a good resource to get some more info as to what malware C&C might be getting hosted on a particular IP?

Passivetotal is a pretty good starting point.

Feb 8, 2020 14:33

holy poo poo cisco

Feb 10, 2020 13:38

oh god what now

Feb 10, 2020 14:55

I don't think you need a special event to go "holy poo poo cisco". I go "holy poo poo cisco" when I get up in the morning just out of habit. This is not a euphemism.

Feb 10, 2020 15:08

Martytoof posted: oh god what now

Feb 10, 2020 15:17

evil_bunnY posted: CDPwn

I'm going back to bed

Feb 10, 2020 15:44

Feb 10, 2020 16:14

Lol

Feb 10, 2020 16:40

tbh that's a better use of most cisco desk phones

Feb 10, 2020 16:54

Cisco products having additional critical vulnerabilities/backdoors discovered is simply called a "regular day".

Feb 10, 2020 16:56

Good thing they're so cheap and easy to set up, otherwise people might be upset over this.

Feb 10, 2020 17:09

Now make the C2 spawn a Multiplayer server and force all the phones into it.

Feb 10, 2020 17:15

gently caress yes, bring back the office LAN party.

Feb 10, 2020 17:22

Amazing.

Feb 10, 2020 17:52

Feb 11, 2020 13:48

https://twitter.com/sawaba/status/1226951570279063553

"They" being Equifax. Read the whole thread and sob.

Feb 11, 2020 16:05

He doesn't touch on the ACTUAL most ridiculous part, which is that Equifax suffered zero meaningful consequences. Their stock price is at an all-time high. The executives who were "forced to resign" or whatever are all rich as gently caress and never had to work another day in their lives anyway. Nothing changed at all.

Feb 11, 2020 16:38

Now now, the CIO and some other manager-level guy got 4 months home confinement and had to relinquish their profits from insider trading.

Feb 11, 2020 17:20

Docjowles posted: He doesn't touch on the ACTUAL most ridiculous part, which is that Equifax suffered zero meaningful consequences. Their stock price is at an all-time high. The executives who were "forced to resign" or whatever are all rich as gently caress and never had to work another day in their lives anyway. Nothing changed at all.

Feb 11, 2020 18:37

Feb 11, 2020 18:43

I've been tasked with bringing a web application up to spec, security-wise. Starting point is a plaintext "password" column, and ASP.NET website code. (They have to improve security to be in line with GDPR rules, and I get the impression that's the only reason anyone cares.) Ended up here after some preliminary googling (also various questions/answers on Security StackExchange, but those tend to be 7-8 years old, which seems like it's bad in this area): https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html I have no idea whether this is up to date or accurate, with argon2 being described as the new hotness in 2015. Been looking at PBKDF2, since it has a native .NET implementation, but being stuck on .NET 4.0 leaves me with no hash algorithm beyond SHA1, which I get the impression is a bad idea to use. What's the preferred algorithm these days (preferably something that's fairly easy to integrate with a .NET environment)? Also, should I yell at someone that we need to upgrade from .NET 4.0?

Feb 11, 2020 18:46

Can't really go wrong with bcrypt. It's boring by now so it has good libraries and people know how it behaves. I wouldn't do SHA1. Salted SHA256 maybe, but it's not a good password hashing algo since it's made for speed. It would certainly bring you into compliance and the upper tier of security, password storage wise…

Feb 11, 2020 18:55

Nostalgamus posted: Also, should I yell at someone that we need to upgrade from .NET 4.0?

If at all possible, convince people to start moving to .NET Core

Feb 11, 2020 18:56

Docjowles posted: He doesn't touch on the ACTUAL most ridiculous part, which is that Equifax suffered zero meaningful consequences. Their stock price is at an all-time high. The executives who were "forced to resign" or whatever are all rich as gently caress and never had to work another day in their lives anyway. Nothing changed at all.

well yeah but they are totally gonna send me that $125 any day now!!

Feb 11, 2020 19:13

Nostalgamus posted: I've been tasked with bringing a web application up to spec, security-wise. Starting point is a plaintext "password" column, and ASP.NET website code. (They have to improve security to be in line with GDPR rules, and I get the impression that's the only reason anyone cares.)

I think getting off plaintext passwords is a Do It Now level thing, if these are passwords for customers outside your company. If the only hash system you can implement on your website Right Now is SHA1, then use SHA1. You could also hash with PBKDF2 or bcrypt or whatever, as an additional column in your database at the same time, with the hopes that your webapp will get updated with newer .NET and you can just delete the old SHA1 column. That is an unexploded bomb that needs to be disposed of, because if you're forced to disclose "we got hacked and they stole passwords in plaintext" it'll blow up the company.

Feb 11, 2020 20:09
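Klyith's plan above (hash with what you can ship now, keep a stronger hash alongside, drop the weak one later) is usually done with a versioned hash string and a rehash on successful login, so no user has to reset. The block below is an added Python example, not code from the thread or from any .NET or BCrypt.Net library; the `v<n>$...` layout, version numbers and iteration counts are constructed for illustration, and the version-2 slot is where a bcrypt or scrypt hash would go once the platform has a library for it.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed for this example: one string column holds "v<ver>$<iters>$<salt hex>$<hash hex>",
# so a weak-but-available KDF and a stronger one can coexist until every row is upgraded.
PARAMS = {
    1: ("sha1", 10_000),     # PBKDF2-HMAC-SHA1: all that .NET 4.0 offers natively
    2: ("sha256", 100_000),  # PBKDF2-HMAC-SHA256: the upgrade target (tune iterations upward)
}
CURRENT_VERSION = 2


def hash_password(password: str, version: int = CURRENT_VERSION,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 hash and encode it together with its version and parameters."""
    algo, iters = PARAMS[version]
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iters, dklen=32)
    return f"v{version}${iters}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a login attempt against the stored string.

    Returns (ok, new_hash): new_hash is set only when the password is correct and the
    row still uses an old version, so the caller overwrites the column while the
    plaintext is momentarily in hand. Wrong passwords never trigger a rehash.
    """
    tag, iters, salt_hex, digest_hex = stored.split("$")
    version = int(tag[1:])
    algo, _ = PARAMS[version]
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters), dklen=32)
    # Constant-time comparison; a plain == leaks timing information about the digest.
    if not hmac.compare_digest(candidate, bytes.fromhex(digest_hex)):
        return False, None
    if version < CURRENT_VERSION:
        return True, hash_password(password)  # transparent upgrade to the current KDF
    return True, None


def migrate_plaintext_column(rows: Dict[str, str]) -> Dict[str, str]:
    """One-off conversion of a plaintext password column (constructed sample rows).

    Because the plaintext is already at hand, every row goes straight to the current
    version; no password reset is needed. Run it once, then drop the plaintext column.
    """
    return {user: hash_password(pw) for user, pw in rows.items()}
```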

https://twitter.com/jsnover/status/1227048779439693824

Feb 11, 2020 20:17

scrypt has some interesting ideas including memory hardening (i.e. trying to make it so that not only compute but also sufficient memory is required to attempt to bruteforce). The last paragraph in the conclusion is also rather important:

scrypt paper posted: Finally, we recommend that cryptographic consumers make themselves aware of the strengths of the key derivation functions they are using, and choose passwords accordingly; we suspect that even generally security-conscious users are in many cases not aware how (in)secure their passwords are.

Feb 11, 2020 21:14

Sirotan posted: well yeah but they are totally gonna send me that $125 any day now!!

That poo poo right there pisses me off beyond words. That the loving feds piped up saying that we should accept Equifax's pathetic "monitoring" rather than extracting whatever part of a pound of flesh out of those greedy douchebags we could just chaps my rear end. It's not much, but it's something. gently caress you - you work for ME, not THEM, you assholes. Indeed.

Feb 12, 2020 00:54

Klyith posted: That is an unexploded bomb that needs to be disposed of, because if you're forced to disclose "we got hacked and they stole passwords in plaintext" it'll blow up the company.

Unless your company is named Equifax. In that case you're fine.

Feb 12, 2020 01:14

Darchangel posted: gently caress you - you work for ME, not THEM

Lol if you actually think this

Feb 12, 2020 01:25

Thanks for the advice. I've added the BCrypt.Net library from here: https://github.com/BcryptNet/bcrypt.net, and it seems to be working well so far. The project's not quite a time bomb yet - it's a former internal tool that's being opened for outside access, with a new/separate user database, so old data shouldn't be a concern. On the other hand, they've already started public testing before I had time to actually implement this.

Feb 12, 2020 19:04

I assume you've considered that that bcrypt implementation might not be as audited (or audited at all?) compared with the original?

Feb 12, 2020 20:21