|
Woops, sorry, tripped over a network cable. Should be back soon.
|
# ? Jun 17, 2023 17:16 |
|
|
# ? May 23, 2024 17:23 |
|
cr0y posted:Did something big break? Did you know they run fiber under I-95?
|
# ? Jun 17, 2023 17:18 |
|
cr0y posted:Did something big break? Comcast in Florida.
|
# ? Jun 17, 2023 17:33 |
|
Oh, in that case carry on.
|
# ? Jun 17, 2023 17:40 |
|
This page is taking several minutes to load... so probably!
|
# ? Jun 17, 2023 17:50 |
|
mllaneza posted:Comcast in Florida. Bugs hit a backbone
|
# ? Jun 17, 2023 18:25 |
|
that's what you get for not dialing 811
|
# ? Jun 18, 2023 22:01 |
|
Is anybody else getting way more porn spam/scam/phish into their network lately? I like seeing naked ladies in my queue as much as the next guy, but where it used to be a sometimes treat, now I’ve got users forwarding porn all day.
|
# ? Jun 19, 2023 22:59 |
|
navyjack posted:Is anybody else getting way more porn spam/scam/phish into their network lately? I like seeing naked ladies in my queue as much as the next guy, but where it used to be a sometimes treat, now I’ve got users forwarding porn all day. We told you to stop going to those websites
|
# ? Jun 23, 2023 03:24 |
|
jaegerx posted:We told you to stop going to those websites ITS FOR MY JOB, MOM!
|
# ? Jun 23, 2023 16:14 |
|
I started getting flooded a few weeks back and found my anti-spam appliance had stopped working because an unpatched cert expiration removed its ability to validate its license. gently caress Cisco. If you're using IronPorts, check that.
|
# ? Jun 24, 2023 13:18 |
|
KS posted:gently caress Cisco.
|
# ? Jun 24, 2023 13:32 |
|
Trying to throw together some appsec security training for developers. Besides Mutillidae (I got this running and accessible from the network, but as soon as someone makes an XSS request or something similar the connection gets dropped by my machine :/ ) and DVWA. Also did WebGoat (this seems to only be available on the local machine). Does anyone have a docker-based vuln application I can host for this? Or suggestions on how you go about doing hands-on 'hack the box' type stuff? I'm thinking recap of OWASP, show the app off to the group with a couple of intro problems. Followed by some individual or small teams goofing around.
|
# ? Jun 27, 2023 17:36 |
|
Juice Shop? https://hub.docker.com/r/bkimminich/juice-shop I think there's even a pre-rolled CTFd w/ Juice Shop combo to run a points-based CTF.
|
# ? Jun 27, 2023 17:59 |
|
sterster posted:
This is pretty much what I do for my college security interns when I have to teach "intro to hacking for complete idiots." I do a live demo of this rick and morty themed CTF from tryhackme, then I load juice shop onto some vm's on an isolated network and say "have at it nerds! wake me up if you got questions!"
|
# ? Jun 27, 2023 18:36 |
|
sterster posted:Trying to throw together some appsec security training for developers. Besides Mutillidae (I got this running and accessible from the network, but as soon as someone makes an XSS request or something similar the connection gets dropped by my machine :/ ) and DVWA. Also did WebGoat (this seems to only be available on the local machine). Does anyone have a docker-based vuln application I can host for this? Or suggestions on how you go about doing hands-on 'hack the box' type stuff? It's not as clean and nice as Juice Shop, but if you want docker-specific vulnerability exercises I've used VulHub. https://github.com/vulhub
|
# ? Jun 27, 2023 23:20 |
|
Thanks for the suggestions, I did get Juice up and running and although I initially didn't 'get' it, it's pretty slick. Looks much better than most of the other vuln apps too. Thanks again. Famethrowa posted:It's not as clean and nice as Juice... How ya doing old buddy. Long time no talk.
|
# ? Jun 28, 2023 15:58 |
|
Regarding secure passwords, wouldn't a passphrase made with half made-up words that makes sense to you but no one else be a good idea to reduce the risk of the words being in a wordlist? Something like "Mr.KaschmorkenFloopsHisBadroops". Or the strategy one of my friends used to use, just a long sentence like "hellomynameisvincentandthisismygoogleloginandiliketoeatpizzasometimes"
|
# ? Jun 29, 2023 14:39 |
|
Claeaus posted:Regarding secure passwords, wouldn't a passphrase made with half made-up words that makes sense to you but no one else be a good idea to reduce the risk of the words being in a wordlist? (Editing for clarity) Really long sentences and passphrases of gibberish you choose lack entropy (random text chosen by people tends to follow patterns iirc), but if you used truly random made-up English-sounding gibberish (as in not made up by a person - truly random) I guess that might work. Something like using this: https://randomwordgenerator.com/fake-word.php (I'm not endorsing actually using this to generate a passphrase though). But regardless, the entire point is that the words being in a word list doesn't really matter in terms of entropy as long as you have enough words and they are truly randomly chosen. I don't think the idea of using gibberish word lists really caught on because if you're the type of person to memorize gibberish phrases you're probably the type of person that can just memorize a strong password. I personally only use passphrases for passwords I have to memorize and/or enter frequently by hand, like the password to my 1Password vault. Cold on a Cob fucked around with this message at 14:57 on Jun 29, 2023 |
# ? Jun 29, 2023 14:44 |
|
All the words from A Clockwork Orange are probably in every word list as well
|
# ? Jun 29, 2023 14:51 |
|
Cold on a Cob posted:(Editing for clarity) So I guess the hardcore password cracking tools also try patterns like this, so it wouldn't have to brute-force a password like "kaschmorken" since that kind of reads like a word?
|
# ? Jun 29, 2023 15:09 |
|
Learn hashcat and that will teach you all you need to know about enthusiast-grade cracking. Suffice to say, the more you know about a potential password (length, possible characters, etc.) the easier it is to crack.
|
# ? Jun 29, 2023 15:13 |
|
Claeaus posted:Regarding secure passwords, wouldn't a passphrase made with half made-up words that makes sense to you but no one else be a good idea to reduce the risk of the words being in a wordlist? The reason for using words in a passphrase is to make them easier to remember, compared to other passwords of similar entropy. So it would have to be a word that you know well. I suppose creating a fully random passphrase and replacing a word with a word not on the common lists is the equivalent of using a random alphanumeric password and replacing a letter with a symbol. Making a custom wordlist for passphrases containing passphrase lists from all the languages you speak and some custom words might make sense if you generate and memorize passphrases regularly. But I was too lazy to do so last time, and I expect that to continue. Grammatically correct sentences have much, much less entropy per letter than random passphrases.
|
# ? Jun 29, 2023 16:15 |
|
VictualSquid posted:The reason for using words in a passphrase is to make them easier to remember, compared to other passwords of similar entropy. So it would have to be a word that you know well. Yeah, but misspell a word or two, replace a "to" with a 2 or a "for" with a 4, place some symbol somewhere (start, middle, end) and that should be plenty, shouldn't it?
|
# ? Jun 29, 2023 16:23 |
|
Win this game and use the resulting password, guaranteed to be uncrackable: https://neal.fun/password-game/
|
# ? Jun 29, 2023 16:28 |
|
I also enjoy the time and effort put into the topic of loving password complexity and basically anything doing with passwords in the year of our lord.
|
# ? Jun 29, 2023 16:45 |
|
so, like, yes there are ways to crack english-like passwords that are easier than truly random ones, and normal ol' sentences are easier still. unless you are worried about someone spending six+ figures of compute time cracking your password, specifically, this is not at all relevant. even if you are worried about that, if the strength of your password is really the right place for them to spend that money, something has gone terribly wrong. min-maxing password strength is a good exercise for new security engineers because it helps them understand the importance of selecting a good hashing algorithm, how brute force techniques work, parlays nicely into parity and timing sidechannels, and so on. and, perhaps more importantly, it shows the fundamental limitations of passwords as such. for end users, policy definition, etc, "password must be long" is enough. this is to say that: Sickening posted:I also enjoy the time and effort put into the topic of loving password complexity and basically anything doing with passwords in the year of our lord.
|
# ? Jun 29, 2023 17:00 |
|
Sickening posted:I also enjoy the time and effort put into the topic of loving password complexity and basically anything doing with passwords in the year of our lord.
|
# ? Jun 29, 2023 17:02 |
|
It's less to complain about you guys in the thread, but jfc am I completely loving bored with talking about passwords on a professional level. Every time it's the focus of discussion, it's often just because we are trying to ignore greater issues.
|
# ? Jun 29, 2023 17:45 |
|
Sickening posted:It's less to complain about you guys in the thread, but jfc am I completely loving bored with talking about passwords on a professional level. Every time it's the focus of discussion, it's often just because we are trying to ignore greater issues. Well, we can't bring peace or solve world hunger in here. So we talk about passwords.
|
# ? Jun 29, 2023 18:27 |
|
No you see to be compliant with what this third party says we have to give up our passwordless identity platform and return to enforced password complexity with 30 day expiration.
|
# ? Jun 29, 2023 18:28 |
|
Volguus posted:Well, we can't bring peace or solve world hunger in here. So we talk about passwords. Password complexity can't save us.
|
# ? Jun 29, 2023 18:39 |
|
I had a fun password convo today at work. I'm in the process of setting up MFA to be a requirement for any local IAM user with console access in an AWS account, that is not someone using SSO/IaC and assuming a role. We somehow only have a smattering of these accounts, to my shock. I reach out to a guy who has one. Tell him to either delete the account as it hasn't been used in 8 months, or enable MFA if he still needs it. Not only am I told that he does need it, but he can't remember the password and he can't access it anymore. He also refuses to use SSO to sign in for.....reasons. Also no, I don't have any power to actually do any of this. I just politely nag people then either get thanked for bringing it up or ignored. Oh well, paychecks keep coming in I guess.
|
# ? Jun 29, 2023 18:41 |
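The inventory step in the post above (which console-enabled IAM users lack MFA or have been idle for months) can be pulled from the IAM credential report rather than by asking around. This is an added example, not the poster's tooling: it parses a constructed report in the layout of `aws iam get-credential-report` (decoded CSV; only the columns it uses are included, and the account id is a placeholder) and flags the users that need a delete-or-enable-MFA conversation.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `aws iam get-credential-report` (the real
# report has more columns; only the ones used here are included). The account
# id 123456789012 is a placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T12:00:00+00:00,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-20T09:15:00+00:00,2024-01-02T00:00:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-06-07T00:00:00+00:00,true,2023-10-01T08:00:00+00:00,2023-09-01T00:00:00+00:00,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-07T00:00:00+00:00,false,N/A,N/A,false,true
carol,arn:aws:iam::123456789012:user/carol,2023-01-01T00:00:00+00:00,true,no_information,2023-01-01T00:00:00+00:00,false,false
"""
SAMPLE_NOW = datetime(2024, 5, 23, tzinfo=timezone.utc)   # fixed "now" so results are reproducible

def parse_ts(value):
    """Credential-report timestamps are ISO 8601, or one of a few sentinel strings."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)

def console_users_needing_action(report_csv, now, inactive_days=180):
    """Return {user: finding} for console-enabled IAM users that lack MFA or have
    not signed in within `inactive_days`. Root and access-key-only users are skipped;
    SSO/assumed-role principals never appear in this report at all."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        last_used = parse_ts(row["password_last_used"])
        idle = last_used is None or (now - last_used) > timedelta(days=inactive_days)
        has_mfa = row["mfa_active"] == "true"
        if not has_mfa or idle:
            findings[row["user"]] = {"mfa": has_mfa, "idle": idle, "last_used": last_used,
                                     "action": "delete" if idle else "enable-mfa"}
    return findings

if __name__ == "__main__":
    for user, f in console_users_needing_action(SAMPLE_REPORT, SAMPLE_NOW).items():
        print(f"{user}: mfa={f['mfa']} idle={f['idle']} -> {f['action']}")
```

Against a real account, run `aws iam generate-credential-report`, then `aws iam get-credential-report`, base64-decode the Content field and feed that CSV to the function with `datetime.now(timezone.utc)`.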
|
Thanks Ants posted:No you see to be compliant with what this third party says we have to give up our passwordless identity platform and return to enforced password complexity with 30 day expiration. I was in an appsec meeting last week; an internal app with extremely sensitive data had a PowerPoint with 7 pages of "security". Those 7 slides could have been deleted and replaced with "we plan to protect this with the groundbreaking technology of password complexity". My mental health has been in a steady state of decline this summer. BaseballPCHiker posted:I had a fun password convo today at work. I would place a ticket in my access request method of choice and say "removing inactive account of x" and then plan to ask for forgiveness if it comes up later.
|
# ? Jun 29, 2023 18:43 |
|
Thanks Ants posted:No you see to be compliant with what this third party says we have to give up our passwordless identity platform and return to enforced password complexity with 30 day expiration. This hits close to home and is, in fact, the topic of a meeting I currently am suffering through.
|
# ? Jun 29, 2023 20:27 |
|
Thanks Ants posted:No you see to be compliant with what this third party says we have to give up our passwordless identity platform and return to enforced password complexity with 30 day expiration. Yeet the third party out a window.
|
# ? Jun 29, 2023 23:05 |
|
Is there a reverse engineering/hardware hacking thread so I don't disrupt passwordchat or is here appropriate? I fell down a rabbit hole of trying to peer into the firmware for my lovely aliexpress CarPlay LCD for my motorcycle and it kind of surfaced how little I remember about this side of the house. To the extent that binwalk automates a lot of the simple extraction I've gotten a fairly good look at the innards, but I'm trying to dd the kernel out of the firmware bundle and not sure I'm doing it right. Binwalk shows me: code:
It could be that I've been sitting in front of this computer since 6am and I just need a break, but the resulting dd output doesn't identify as a linux kernel if I run it against the "file" command. I guess that could just be expected but I doubt it would have some unknown magic number so I'm fairly certain I did something wrong. All the typical "here's how I hacked my router's firmware in 30 seconds" blogs seem to find devices that have lzma compressed kernels and are super easily picked out of binwalk so iunno. I'll get back to this tomorrow. At this point I don't actually care about getting the kernel, I'm just trying to understand whether I'm doing something wrong as a matter of principle.
|
# ? Jun 30, 2023 02:49 |
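One way to tell whether a dd carve is right is to check it against the metadata the bundle itself carries, rather than only running `file` on the output. This is an added example, not the poster's code, and it assumes the bundle wraps the kernel in a legacy U-Boot uImage header (one common case; the poster's binwalk output is not on the page): it parses the 64-byte header, carves exactly the length it declares, verifies the data CRC, and only then sniffs the payload's compression magic, on a constructed sample image.

```python
import gzip
import struct
import zlib

UIMAGE_MAGIC = 0x27051956                 # legacy U-Boot image header magic
UIMAGE_HDR = struct.Struct(">7I4B32s")    # 64-byte big-endian header layout

# Payload magics worth recognising after a carve (roughly what `file` keys on).
PAYLOAD_MAGICS = {b"\x1f\x8b": "gzip", b"\x5d\x00\x00": "lzma",
                  b"\xfd7zXZ\x00": "xz", b"hsqs": "squashfs"}

def parse_uimage(blob, offset):
    """Return header fields of a uImage at `offset`, or None if magic/header CRC fail."""
    raw = blob[offset:offset + UIMAGE_HDR.size]
    if len(raw) < UIMAGE_HDR.size:
        return None
    f = UIMAGE_HDR.unpack(raw)
    if f[0] != UIMAGE_MAGIC:
        return None
    # ih_hcrc covers the whole header with the hcrc field itself zeroed
    if zlib.crc32(raw[:4] + b"\0\0\0\0" + raw[8:]) != f[1]:
        return None
    return {"size": f[3], "dcrc": f[6], "comp": f[10],
            "name": f[11].rstrip(b"\0").decode(errors="replace")}

def carve_uimage_payload(blob, offset):
    """Carve the payload the header describes and check its data CRC.
    Returns (payload, kind) or None; a wrong offset or length fails the CRC."""
    hdr = parse_uimage(blob, offset)
    if hdr is None:
        return None
    start = offset + UIMAGE_HDR.size
    payload = blob[start:start + hdr["size"]]
    if len(payload) != hdr["size"] or zlib.crc32(payload) != hdr["dcrc"]:
        return None
    kind = next((k for m, k in PAYLOAD_MAGICS.items() if payload.startswith(m)), "unknown")
    return payload, kind

def build_sample_image(kernel_bytes, pad=0x100):
    """Constructed test input: junk padding, then a uImage wrapping a gzip'd fake kernel."""
    payload = gzip.compress(kernel_bytes)
    # time, size, load, entry, dcrc, os(5=Linux), arch(2=ARM), type(2=kernel), comp(1=gzip), name
    body = (0, len(payload), 0x80008000, 0x80008000, zlib.crc32(payload),
            5, 2, 2, 1, b"constructed kernel")
    hcrc = zlib.crc32(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, *body))
    hdr = UIMAGE_HDR.pack(UIMAGE_MAGIC, hcrc, *body)
    return b"\xff" * pad + hdr + payload + b"\xff" * 32, pad
```

On a real dump, pass the file contents and the header offset binwalk reports; if the CRC check fails, the offset or the byte count given to dd is off, and if it passes but the payload magic is "unknown", the kernel is simply stored in a format `file` does not recognise.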
|
BaseballPCHiker posted:I had a fun password convo today at work. Get Guard Duty to bitch about these accounts in order to give you official looking ammo needed to set up automated revocation of certs followed by subsequent deletion of idle accounts.
|
# ? Jun 30, 2023 03:10 |
|
Sirotan posted:Win this game and use the resulting password, guaranteed to be uncrackable: https://neal.fun/password-game/ This does probably produce good passwords but nothing pisses me off more than trying to reset something for work and running into a series of complexity requirements. Needs a number. Needs uppercase. Too many repeating characters. Too similar to a previous password gently caress YOU THIS IS A TEST VM
|
# ? Jun 30, 2023 03:13 |
|
Takes No Damage posted:This does probably produce good passwords but nothing pisses me off more than trying to reset something for work and running into a series of complexity requirements. Needs a number. Needs uppercase. Too many repeating characters. Too similar to a previous password gently caress YOU THIS IS A TEST VM Did you overfeed Paul too? Classic mistake (For real though this game is those frustrations amplified. I think I made it to rule 22 before closing it in disgust lol)
|
# ? Jun 30, 2023 04:33 |