|
Tobermory posted:Thanks, everyone. I'll steer them in the direction of Securedrop.
|
# ? Apr 21, 2020 01:16 |
|
"I am a javascript master watch me disable your right click on this page "
|
# ? Apr 21, 2020 03:20 |
|
Axe-man posted:"I am a javascript master watch me disable your right click on this page "

(C) 2020 Axe-man Do not steal source code
|
# ? Apr 21, 2020 09:28 |
|
Axe-man posted:"I am a javascript master watch me disable your right click on this page "

That & sites that disable the marking of text (or even worse, add some stupid disclaimer when you copy & paste like used to be popular with newspapers some years back) are the worst.
|
# ? Apr 21, 2020 10:14 |
|
I like the ones that shuffled the letters, and then had a corresponding font to unshuffle the letters. Copying would just give you nonsense, even viewing the source. It must have killed seo, but maybe they were cheating that. Also gently caress sites that block paste in form fields. I have the don't gently caress with paste extension installed pretty much everywhere.
|
# ? Apr 21, 2020 13:01 |
|
Tobermory posted:Question for the goons in this thread:

This kind of stuff terrifies me. I put myself in those shoes and the only reaction I see myself having when being told this is my responsibility is "People who REALLY know what they are doing should be in charge of this.". If people really are going to be potentially murdered over data you are trying to protect, asking for a referral on the SA forums seems like a step too far somehow. I hope it works out though.
|
# ? Apr 21, 2020 14:14 |
|
Sickening posted:This kind of stuff terrifies me. I put myself in those shoes and the only reaction I see myself having when being told this is my responsibility is "People who REALLY know what they are doing should be in charge of this.". If people really are going to be potentially murdered over data you are trying to protect, asking for a referral on the SA forums seems like a step too far somehow. I hope it works out though.

Oh, we're putting people who know what they're doing in charge of things. I'm supposed to help them out in finding some of those people. It's the standard issue where an organization needs technical expertise, but doesn't have enough technical expertise to know what to ask for. Getting pointed in the right direction is incredibly helpful.
|
# ? Apr 21, 2020 20:33 |
|
It's actually very encouraging when an organization's leaders are wise enough to say, "Actually we can't just wing this."
|
# ? Apr 22, 2020 01:37 |
|
Tobermory posted:Oh, we're putting people who know what they're doing in charge of things. I'm supposed to help them out in finding some of those people. It's the standard issue where an organization needs technical expertise, but doesn't have enough technical expertise to know what to ask for. Getting pointed in the right direction is incredibly helpful.

Pissing off organized crime, human traffickers, and repressive governments is the kind of thing that might get productive attention from big names in the infosec/crypto worlds, especially if your organization or people in it have a solid track record in that space.

Also, you're talking about entering an adversarial space, with some of the most determined and well-funded adversaries on the planet. You're not going to be able to out-hire them on the open market. Your best shot is to take advantage of highly talented people who are more driven by ideals than money.

I'd drop an email to Bruce Schneier with the same basic ask you have here: what you're trying to do, what kind of help you need (probably just recommended tools and introductions to anyone who can help), and why it's important. He might or might not be able to give you a meaningful response, but it's at least worth the ask.
|
# ? Apr 22, 2020 02:03 |
|
Reach out to Runa Sandvik on Twitter (or I can intro you if you PM me). She has worked on this stuff for newspapers and advises NGOs on this stuff post-NYT. When I was working on state-adversary stuff she was very helpful.
|
# ? Apr 22, 2020 03:40 |
|
Thanks for the suggestions, everyone. It looks like the current plan is that we're going to reach out to the Freedom of the Press Foundation directly, and work with them to set up securedrop.
|
# ? Apr 22, 2020 06:01 |
|
Subjunctive posted:Reach out to Runa Sandvik on Twitter (or I can intro you if you PM me)
|
# ? Apr 22, 2020 10:32 |
|
Lambert posted:That & sites that disable the marking of text (or even worse, add some stupid disclaimer when you copy & paste like used to be popular with newspapers some years back) are the worst.

My bank's disabled ctrl+a on the password field of its login page for some reason. So when you fat-finger your password and instinctively press ctrl+a and start typing again, it doesn't select the text so instead of overwriting the password you append to it. I mailed them about it and it got escalated and the response from some dummy is that it's been disabled for "security reasons".
|
# ? Apr 23, 2020 15:48 |
|
Do they think you can copy the password out of the password field? Is it even a real password field?
|
# ? Apr 23, 2020 20:44 |
|
It's not a bug if it's a security feature!
|
# ? Apr 23, 2020 21:17 |
|
klosterdev posted:It's not a bug if it's a security feature!

New thread title.
|
# ? Apr 23, 2020 21:34 |
|
If it's a real password field, you can just edit the html inline to copy the password out. Not that that's any defense of that nonsense.
|
# ? Apr 23, 2020 21:44 |
|
azurite posted:Do they think you can copy the password out of the password field?

When I first sent them a query about it, I got this:

quote:Kindly be advised that for security reasons the Ctrl + A option is disabled.

So I asked what security benefit was gained by disabling ctrl+a, and I got this:

quote:This is not a normal text field. It hides text and allows users to view their input by clicking the eye icon.

I suspect whatever they're doing to make the magical eye icon work broke ctrl+a somehow and when the dev couldn't fix it they said it was intentional because it's a security feature and nobody bothered to question it so now it's wont-fix by-design instead.
|
# ? Apr 23, 2020 21:55 |
|
Internet Explorer posted:If it's a real password field, you can just edit the html inline to copy the password out. Not that that's any defense of that nonsense.

Uh-oh! Better disable right click then! That will stop them. I am very smart.

Guy Axlerod posted:I like the ones that shuffled the letters, and then had a corresponding font to unshuffle the letters. Copying would just give you nonsense, even viewing the source. It must have killed seo, but maybe they were cheating that.

Because people with vision impairments can’t use computers. Oh, what’s that? Screen readers? You’re talking nonsense. Their man-servant Enrique can read the screen for them.
|
# ? Apr 24, 2020 05:55 |
|
beuges posted:When I first sent them a query about it, I got this:

Isn't chromium introducing the native password revealer thanks to edgium putting it into upstream?
|
# ? Apr 24, 2020 06:02 |
|
beuges posted:When I first sent them a query about it, I got this:

did they also disable shift+end and double clicking in the password field?
|
# ? Apr 24, 2020 07:21 |
|
Mr Chips posted:did they also disable shift+end and double clicking in the password field?

shift+arrow, shift-home and shift-end don't select anything, but double-clicking does select the whole field. you can also select anything using the mouse as usual.

also, if you position the cursor anywhere in the middle of the password and then press the right-arrow, instead of moving the cursor one character to the right, it jumps straight to the end.
|
# ? Apr 29, 2020 07:46 |
|
oops I wrote my own crypto https://github.com/BanditCat/jdubi
|
# ? Apr 29, 2020 10:37 |
|
BanditCat posted:oops I wrote my own crypto

*Angrily taps thread title
|
# ? Apr 29, 2020 17:57 |
|
Is there a browser that does support Wireguard internally and can run as portable install? Looking for this for my new workplace.
|
# ? Apr 30, 2020 01:34 |
|
Combat Pretzel posted:Is there a browser that does support Wireguard internally and can run as portable install? Looking for this for my new workplace.

The browser add-on version of Firefox's VPN service works that way, but is limited to 12 hours a month and locked onto mullvad's servers https://fpn.firefox.com/browser

A little surprised nobody has forked it to work with e.g. cloudflare's (unmetered) VPN servers instead
|
# ? Apr 30, 2020 03:08 |
|
Hmm thanks, I'll look into it. I'm mostly interested in such a thing, because the new workplace uses thin clients to RDP sessions on virtual Windows Servers. During pauses, I'd like to route my poo poo over my home, or I guess Mullvad.
|
# ? Apr 30, 2020 15:57 |
|
Might be easier to use SSH as a socks proxy than wireguard
|
# ? Apr 30, 2020 17:23 |
|
Rufus Ping posted:Might be easier to use SSH as a socks proxy than wireguard

Agreed, that's my standard setup for
|
# ? Apr 30, 2020 17:42 |
|
odd request....that I'm hoping is eye-rollingly easy for the smart lot of you...

I'm looking for protocols from the early 00's. Stuff like WEP, TCP/IP, SSL/TLS, SKEME, IKE as they existed at a particular time back then. I don't know enough about this stuff to know where to look for these. There are a lot of "Histories of the development of the protocols" type stuff, but where do I go for the actual standards?

Thanks everyone, it's obvious I don't know what I'm doing so I appreciate it.
|
# ? May 1, 2020 20:00 |
|
On display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’.
|
# ? May 1, 2020 20:05 |
|
You could try wearing a towel, it works against more fearsome beasts than the leopard.
|
# ? May 1, 2020 20:10 |
|
klosterdev posted:On display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’.

yeah, I get it, but I've been asked to go get this stuff, so...
|
# ? May 1, 2020 20:11 |
|
AARP LARPer posted:odd request....that I'm hoping is eye-rollingly easy for the smart lot of you...

All the old RFCs like 1122 and 1123 and even 780 (760? IP) should be still on the IETF’s site, no? When they’re obsoleted they aren’t removed, just amended to reference the subsequent RFC. Once you know what version you want, you can usually chase the “Obsoletes” links backwards in time until you find it.

E: these are the de jure standards; to see any variations needed to interoperate or otherwise succeed practically, you might have to consult contemporaneous source code from browsers and kernels and such
|
# ? May 1, 2020 20:22 |
|
Subjunctive posted:All the old RFCs like 1122 and 1123 and even 780 (760? IP) should be still on the IETF’s site, no? When they’re obsoleted they aren’t removed, just amended to reference the subsequent RFC. Once you know what version you want, you can usually chase the “Obsoletes” links backwards in time until you find it.

Thank you! This is exactly the type of starting point I was hoping for. As for wearing a towel, that's happening on May 25th, you amateur.

Take care, everyone!
|
# ? May 1, 2020 20:41 |
|
https://twitter.com/campuscodi/status/1257284701770911746
|
# ? May 4, 2020 13:25 |
|
Seems like the most likely thread for people to have experiences with yubikeys, my computer choked trying to read mine today and couldn't enumerate the USB, after plugging it in and out it saw it fine...

Y'all have experience with yubikeys going bad or anything? This thing is years old at this point and I've never seen a USB die unless I accidentally jammed it in the slot the wrong way or there is a real electrical short.

Mostly trying to gauge if I should get a replacement or chalk it up as a fluke. For the record it pretty much never leaves the USB hub it's plugged into (home desktop), which is why I'm giving it any thought.
|
# ? May 5, 2020 18:24 |
|
Mr. Crow posted:Seems like the most likely thread for people to have experiences with yubikeys, my computer choked trying to read mine today and couldn't enumerate the USB, after plugging it in and out it saw it fine... Y'all have experience with yubikeys going bad or anything? This thing is years old at this point and I've never seen a USB die unless I accidentally jammed it in the slot the wrong way or there is a real electrical short.

Probably just a random usb glitch. I've never had issues with them.
|
# ? May 5, 2020 18:28 |
|
AARP LARPer posted:odd request....that I'm hoping is eye-rollingly easy for the smart lot of you...

usually just googling "[thing] RFC" will get you where you need to be
|
# ? May 5, 2020 21:18 |
|
from a month ago RE china's firewall and VPNs:

They use deep packet inspection and recognize the setup handshake of most common VPN protocols. There are patches to OpenVPN that apply xor with a 32-bit key to the entire packet specifically to make it more difficult to detect. The idea is you set up your own server & client with a random shared xor key and the DPI boxes can't detect it as an illegal VPN app.

It's nearly impossible to do anything useful over there given how locked down everything is and how rampant hacked-up versions of things are because they're either pirated or working around the firewall or the god-awful disaster that are native Chinese android forks.
|
# ? May 10, 2020 01:36 |