|
Martytoof posted:Now I wish I had read this thread before the edits Judging from context it sounds like we definitely didn’t want to know
|
#
?
Oct 13, 2021 02:43
|
|
|
|
| # ? May 30, 2024 13:27 |
|
|
Buff Hardback posted:Judging from context it sounds like we definitely didn’t want to know oh I dunno seems prossibly in the public interest
|
|
#
?
Oct 13, 2021 03:40
|
|
Cat Army 
|
The Iron Rose posted:oh I dunno seems prossibly in the public interest "I think I found/saw a thing at work and I want to know how to exfiltrate data from a Citrix/thin client without setting off DLP alarms and getting my rear end turbo-fired." No more details are needed.
|
|
#
?
Oct 13, 2021 05:40
|
|
|
oh good i was hoping this thread would end up in discovery. wonderful
|
|
#
?
Oct 13, 2021 05:48
|
|
|
I am simultaneously curious af about the details of those posts and relieved the goon was smart enough to listen to the advice and blank them
|
|
#
?
Oct 13, 2021 07:57
|
|
|
Buff Hardback posted:Judging from context it sounds like we definitely didn’t want to know What? No! I absolutely want to know! Should I know? No! No? I’ve said <no/know/nough/noh> too much and now I’m unsure
|
|
#
?
Oct 13, 2021 08:30
|
|
|
DrDork posted:"I think I found/saw a thing at work and I want to know how to exfiltrate data from a Citrix/thin client without setting off DLP alarms and getting my rear end turbo-fired." And the proper advice here is: 1) Don't do it. 2) Don't post details anywhere, especially not on a public forum. 3) Talk to a lawyer. 4) If there is a trusted whistleblower contact option, maybe use that. 5) Lay low and don't draw attention to yourself. 6) Start looking for another job.
|
|
#
?
Oct 13, 2021 08:48
|
|
|
KozmoNaut posted:And the proper advice here is: 7) Fake your death and move to Belize.
|
|
#
?
Oct 13, 2021 08:50
|
|
|
If you mess up, you won't need to fake it.
|
|
#
?
Oct 13, 2021 08:52
|
|
|
Just write “I need this on a t-shirt” in the metadata of the file you want to exfiltrate and wait for it to show up on teespring.
|
|
#
?
Oct 13, 2021 12:32
|
|
|
Kazinsal posted:7) Fake your death and move to Belize. 8) gently caress a whale?
|
|
#
?
Oct 13, 2021 12:55
|
|
|
This is a pretty good article in general, regardless of its relevance to what goons up to: https://twitter.com/juliacarriew/status/1447694945729622024
|
|
#
?
Oct 13, 2021 12:56
|
|
|
Reading that link on a work laptop, just to make any possible future forensics investigation of my browsing history interesting.
|
|
#
?
Oct 13, 2021 12:59
|
|
|
Martytoof posted:Just write “I need this on a t-shirt” in the metadata of the file you want to exfiltrate and wait for it to show up on teespring. 
|
|
#
?
Oct 13, 2021 14:28
|
|
|
Yeah you might want more than a year worth of salary saved up. Most whistleblowers get hosed over in the industry depending what is revealed. I heard about a few beoing peeps still having trouble cause of that.
|
|
#
?
Oct 13, 2021 14:42
|
|
|
Axe-man posted:Yeah you might want more than a year worth of salary saved up. Most whistleblowers get hosed over in the industry depending what is revealed. I heard about a few beoing peeps still having trouble cause of that. The aviation industry is notoriously insular: there simply aren't that many companies involved in aircraft manufacturing, so if you get blackballed by one or two you're pretty hosed--especially if you're not cool with moving to another country. But yeah, it's not unreasonable to expect that unless you are in a very wide industry, you might be better off taking your skills to an entirely different industry where HR might not have your picture up on a wall of Do Not Hires. Not hard to do if your skills are generic programming, or office worker, or whatever. Real hard if your skills are like aviation engine design or whatever.
|
|
#
?
Oct 13, 2021 15:20
|
|
|
Kazinsal posted:7) Fake your death and move to Belize. https://www.youtube.com/watch?v=siFmJz7CZSM
|
|
#
?
Oct 14, 2021 01:50
|
|
|
Kazinsal posted:7) Fake your death and move to Belize. https://www.youtube.com/watch?v=oeYoUN-Mi1o&t=127s I hear Belize is great.
|
|
#
?
Oct 14, 2021 02:32
|
|
|
Missouri developed a very insecure webapp that exposed people's Social Security numbers. Their governor is vowing to hold those responsible who did it. https://twitter.com/thezedwards/status/1448670389148676106?s=20 The hack? Right clicking and viewing the source.
|
|
#
?
Oct 14, 2021 18:38
|
|
|
CommieGIR posted:The hack? Right clicking and viewing the source. These days, I honestly can't tell if this is a joke or you're being serious.
|
|
#
?
Oct 14, 2021 19:27
|
|
|
Martytoof posted:These days, I honestly can't tell if this is a joke or you're being serious. Criminally serious https://twitter.com/GovParsonMO/status/1448697768311132160
|
|
#
?
Oct 14, 2021 19:33
|
|
|
We had a guy getting sued for posting a proof of concept to a municipality doing something similar. Basically, they had a website where you could put in your SSN and get some sort of info back. This guy noticed that there was zero validation, spent 5 minutes writing a script to just spam numbers at the site and got a lot of information out. He immediately sent it to the municipality, who proceeded to successfully sue him for hacking their site. It was a few years ago though, at the details are super hazy.
|
|
#
?
Oct 14, 2021 19:34
|
|
|
There was the guy that incremented an id in a url parameter and got a bunch of att customer info And also Aaron Schwartz And I’m sure there are hundred of other examples
|
|
#
?
Oct 14, 2021 19:47
|
|
|
Martytoof posted:These days, I honestly can't tell if this is a joke or you're being serious. Dead serious. This moron of a Governor blames everyone else for his failure of data security. BonHair posted:We had a guy getting sued for posting a proof of concept to a municipality doing something similar. Basically, they had a website where you could put in your SSN and get some sort of info back. This guy noticed that there was zero validation, spent 5 minutes writing a script to just spam numbers at the site and got a lot of information out. He immediately sent it to the municipality, who proceeded to successfully sue him for hacking their site. It was a few years ago though, at the details are super hazy. Yeah this is why you lawyer up prior to doing a responsible disclosure. CommieGIR fucked around with this message at 19:51 on Oct 14, 2021 |
|
#
?
Oct 14, 2021 19:48
|
|
|
duz posted:Criminally serious *raises hand* Why...why do the highway cops have a digital forensics unit?
|
|
#
?
Oct 14, 2021 19:52
|
|
|
So they can look through your pictures after they confiscate your phone, duh
|
|
#
?
Oct 14, 2021 19:53
|
|
|
"Decoded the HTML source code"
|
|
#
?
Oct 14, 2021 20:47
|
|
|
Bonzo posted:"Decoded the HTML source code" They really think they are going to go after a reporter for doing so too, this is laughably pathetic.
|
|
#
?
Oct 14, 2021 20:52
|
|
|
Defenestrategy posted:*raises hand*
|
|
#
?
Oct 14, 2021 20:57
|
|
|
CommieGIR posted:They really think they are going to go after a reporter for doing so too, this is laughably pathetic. I agree it's pathetic, but you are relying on a bunch of ancient lawyers and judges to understand how a web browser works and how unbelievably irresponsible the state was with the PII. I can't even think of a non-computer analogue that would convey how stupid this is. "Stealing" paper records that the state was storing in piles on the sidewalk? Except that doesn't capture that the website was sending the information out unsolicited to anyone who visited it.
|
|
#
?
Oct 14, 2021 21:32
|
|
|
It's like they made an open records request, and the government failed to redact the PII. The PII was on the back of the page. The reporter pointed out that there was PII on the back of the page, and the governor said they weren't authorized to turn over the page.
|
|
#
?
Oct 14, 2021 21:43
|
|
|
They mailed out a packet and expect you to only look at your page.
|
|
#
?
Oct 14, 2021 21:45
|
|
|
Infosec Thread: Step 1 - Lawyer up
|
|
#
?
Oct 14, 2021 22:15
|
|
|
BrianRx posted:I agree it's pathetic, but you are relying on a bunch of ancient lawyers and judges to understand how a web browser works and how unbelievably irresponsible the state was with the PII. I can't even think of a non-computer analogue that would convey how stupid this is. "Stealing" paper records that the state was storing in piles on the sidewalk? Except that doesn't capture that the website was sending the information out unsolicited to anyone who visited it. A billboard displaying social security numbers has a small, unreadable sign taped to it saying "please don't read this billboard under penalty of law".
|
|
#
?
Oct 14, 2021 22:16
|
|
|
BrianRx posted:I agree it's pathetic, but you are relying on a bunch of ancient lawyers and judges to understand how a web browser works and how unbelievably irresponsible the state was with the PII. I can't even think of a non-computer analogue that would convey how stupid this is. "Stealing" paper records that the state was storing in piles on the sidewalk? Except that doesn't capture that the website was sending the information out unsolicited to anyone who visited it.
|
|
#
?
Oct 14, 2021 22:18
|
|
|
I feel the same way about this guy getting prosecuted as I felt about hypothetically getting hit by a bus in the couple years after I graduated college with like $140k student loan debt and couldn't find better paying work than bouncing. I wished it would happen to me. Not that I wanted to die, just that I knew there'd be no way of walking away from this without a huge payout.
|
|
#
?
Oct 14, 2021 22:49
|
|
|
BlankSystemDaemon posted:Isn't the non-computer analogue that someone came across a directory, opened it, and saw a whole bunch of social security numbers in between a bunch of lines and coloured in various shades? It's like submitting a records request, getting documents back that were redacted by placing electrical tape over what they wanted to hide, and then accusing you of breaking into the records office when you remove the tape later in your home.
|
|
#
?
Oct 15, 2021 00:02
|
|
|
ComWalk posted:It's like submitting a records request, getting documents back that were redacted by placing electrical tape over what they wanted to hide, and then accusing you of breaking into the records office when you remove the tape later in your home. Except it's scotch tape.
|
|
#
?
Oct 15, 2021 00:19
|
|
|
ComWalk posted:It's like submitting a records request, getting documents back that were redacted by placing electrical tape over what they wanted to hide, and then accusing you of breaking into the records office when you remove the tape later in your home. Except, yeah, as the poster above said, you cannot say that they were meaningfully hidden in any way. HTML code is not private, it is distributed to every user of your website in plaintext. I think the "printed on the back of the paper, which you are not supposed to turn over" analogy is most apt.
|
|
#
?
Oct 15, 2021 00:21
|
|
|
|
| # ? May 30, 2024 13:27 |
|
|
The moron doubled down. He really did it https://twitter.com/GovParsonMO/status/1448750830857904129?t=7XrYo2xPjClL5HyLLr4I7A&s=19
|
|
#
?
Oct 15, 2021 00:27
|
|