|
I made it to rule 35 but couldn't find a new 16 minute and 4 second long YouTube video without any numbers in the URL so that I could fit the time in my password without going over a sum of 25 for the digits in it before Paul starved. Whoever made it knew what they were doing and that I'd be poking around in the source, the fucker
|
#
?
Jun 30, 2023 08:13
|
|
|
|
| # ? May 17, 2024 07:28 |
|
|
https://ubuntu.com/tutorials/how-to-verify-ubuntu#4-retrieve-the-correct-signature-key Ok, please tell me I am crazy. Am I the only person in the world who understands that this does nothing? You look at the signature you got for your ISO, then you specifically download the exact public key that you already know was used to produce that signature, then you verify it. I don't want to know if my SHA256SUM file has a valid signature, I want to know that it was signed with the right private key. Looking at the signature to determine which key is right is the dumbest possible path you could take. There should be a big 'What is the current correct Ubuntu ISO signing key fingerprint?' FAQ. And multiple websites that maintain a list of the current signing key fingerprints for various distros, so someone could compare all those sources to make sure they all match, etc..etc.. EDIT: Manjaro does a good job, saying to pull from their gitlab or from ubuntu's keyserver but by name instead of by fingerprint. https://wiki.manjaro.org/index.php?title=How-to_verify_GPG_key_of_official_.ISO_images Arch does okay too, saying to use wkd or linking to the exact fingerprint from ubuntu's keyserver. https://archlinux.org/download/ Linux mint specifies which fingerprint exactly to get from the ubuntu keyserver: https://linuxmint-installation-guide.readthedocs.io/en/latest/verify.html Debian also specifies fingerprints: https://www.debian.org/CD/verify Qubes talks in great detail (unsurprising) about how to verify the fingerprints: https://www.qubes-os.org/security/verifying-signatures/ So maybe it's just ubuntu being horrible fuckups and encouraging terrible practices? Rescue Toaster fucked around with this message at 18:59 on Jul 6, 2023 |
|
#
?
Jul 6, 2023 18:48
|
|
|
Rescue Toaster posted:https://ubuntu.com/tutorials/how-to-verify-ubuntu#4-retrieve-the-correct-signature-key I would assume they are only serving valid Ubuntu signing keys from hkp://keyserver.ubuntu.com
|
|
#
?
Jul 6, 2023 19:53
|
|
|
Nukelear v.2 posted:I would assume they are only serving valid Ubuntu signing keys from hkp://keyserver.ubuntu.com Oh, anybody can submit their key to keyserver.ubuntu.com. Hopefully, if you put "Ubuntu CD Image Automatic Signing Key" as the name it would be rejected. But I bet you could come up with something that wouldn't be automatically rejected and would trick someone stupid enough to follow ubuntu's instructions to grab whatever fingerprint was used on their malicious SHA256SUM file. I doubt this is some serious attack vector where there's malicious images floating around signed with some fake signature hoping that people smart enough to bother checking it would be dumb enough to follow ubuntu's procedure. It is worth noting there is a key named "Ubuntu CD Image Automatic Signing Key" that is not the current key. Presumably it's still owned by ubuntu and they know what it is, but it's not obvious as a third party that that's the case. But, A) I could see someone working somewhere following a procedure without realizing what's wrong with it, or even worse, something being automated following ubuntu's instructions, which could actually be a problem. B) I don't think it's indicative of good security practices at canonical if this is the procedure they came up with to verify ISOs. All those other distros did a way better job and some have far less professional resources. Rescue Toaster fucked around with this message at 21:27 on Jul 6, 2023 |
|
#
?
Jul 6, 2023 21:23
|
|
|
Lol if you think anyone ever bothers even verifying the checksums, let alone the gpg signature
|
|
#
?
Jul 6, 2023 21:26
|
|
|
spankmeister posted:Lol if you think anyone ever bothers even verifying the checksums, let alone the gpg signature if you can't check the full key from either side to compare you should move on from 1993 rather than making another weak link in the chain for someone to rely on e: lol evil32 was nine years ago, almost to the day
|
|
#
?
Jul 6, 2023 21:46
|
|
|
All this password talk made me remember this tweet https://twitter.com/specopssoftware/status/1658857543131701248 https://specopssoft.com/wp-content/uploads/2023/05/Time-to-Crack-MD5-Hashed-Passwords_V.3.svg
|
|
#
?
Jul 7, 2023 00:27
|
|
|
md5 is insecure in 2023 oh my stars
|
|
#
?
Jul 7, 2023 06:25
|
|
|
Fozzy The Bear posted:All this password talk made me remember this tweet MD5 hasn't been deprecated because it's instantly guessable, it's been deprecated because the first collision was found in 1996, practical X.509 collisions were possible in 2005, and it was used to create a rogue CA in 2008. EDIT: Also, you never ever want just a hash function to be the only thing protecting stored passwords - for that you want a key derivation function with the number of iterations based on the time it takes to decrypt, with the minimum time being 2 seconds. Today, this means scrypt/argon if you're not in a memory-constrained environment, PBKDF2 if you're working with FDE in a bootloader or on an embedded system. Additionally, the cryptographic right answers are still as relevant today as they were in 2009 when Colin Percival came up with them - and SHA2 hasn't changed as the recommendation for hashing algorithms since then, either. BlankSystemDaemon fucked around with this message at 10:03 on Jul 7, 2023 |
|
#
?
Jul 7, 2023 09:53
|
|
|
That page reads like an ad and when I got to this part I just gave up
|
|
#
?
Jul 7, 2023 10:15
|
|
|
spankmeister posted:That page reads like an ad and when I got to this part I just gave up Yeah it does. They are not wrong, but its a smug way to put it. But this also assumes that the person running the cracking is aware its already compromised. Just because its compromised doesn't mean they know it already. It just raises the risk significantly that it could be found out.
|
|
#
?
Jul 7, 2023 14:30
|
|
|
CommieGIR posted:Yeah it does. They are not wrong, but its a smug way to put it. The very first thing you do is run through all the cracked passwords you already have, because it's by far the fastest. Then you start using rules, and only then do you start bruteforcing.
|
|
#
?
Jul 7, 2023 15:39
|
|
|
I thought md5 was just used these days to do quick file hash comparisons?
|
|
#
?
Jul 7, 2023 15:48
|
|
|
Defenestrategy posted:I thought md5 was just used these days to do quick file hash comparisons? It's questionable whether it's better to use CRC or MD5 for comparisons, it'll depend entirely on the implementation.
|
|
#
?
Jul 7, 2023 15:49
|
|
|
CommieGIR posted:But this also assumes that the person running the cracking is aware its already compromised. Just because its compromised doesn't mean they know it already. It just raises the risk significantly that it could be found out. e:f;b
|
|
#
?
Jul 7, 2023 15:58
|
|
|
BlankSystemDaemon posted:That's not really the same thing, because it's not cryptographically-relevant. Now I want to write a tool that modifies executables to do something nasty but MD5 to the same hash.
|
|
#
?
Jul 7, 2023 16:00
|
|
|
more falafel please posted:Now I want to write a tool that modifies executables to do something nasty but MD5 to the same hash. Keygen music plays and goatse lowers down from the top of the screen and starts spinning and morphing like an old 3D demo.
|
|
#
?
Jul 7, 2023 16:07
|
|
|
BlankSystemDaemon posted:That's not really the same thing, because it's not cryptographically-relevant. Yea, but I thought people where using sha or aes +salt to do password hashing. So being able to crack md5 hashes in a trivial amount of time is irrelevant past legacy systems?
|
|
#
?
Jul 7, 2023 16:18
|
|
|
Defenestrategy posted:Yea, but I thought people where using sha or aes +salt to do password hashing. So being able to crack md5 hashes in a trivial amount of time is irrelevant past legacy systems? If people are implementing password hashing using a simple hash or a cipher+salt, they're making at least two mistakes; implementing their own crypto, and not following advice from actual cryptographers.
|
|
#
?
Jul 7, 2023 16:29
|
|
|
BlankSystemDaemon posted:I think spending so much time thinking about a bad ad is a waste of time, OP.
|
|
#
?
Jul 7, 2023 18:43
|
|
|
spankmeister posted:The very first thing you do is run through all the cracked passwords you already have, because it's by far the fastest. Then you start using rules, and only then do you start bruteforcing. That's assuming their dictionary is up to date - Its often not.
|
|
#
?
Jul 7, 2023 19:16
|
|
|
CommieGIR posted:That's assuming their dictionary is up to date - Its often not. Do you even know how this "hacking" thing works?
|
|
#
?
Jul 7, 2023 19:44
|
|
|
spankmeister posted:Do you even know how this "hacking" thing works? Enough to be employed to do so, I suppose.
|
|
#
?
Jul 7, 2023 20:09
|
|
|
CommieGIR posted:Enough to be employed to do so, I suppose. same
|
|
#
?
Jul 7, 2023 20:18
|
|
|
that's a pretty low bar
|
|
#
?
Jul 8, 2023 03:32
|
|
|
ghostinmyshell posted:Keygen music plays and goatse lowers down from the top of the screen and starts spinning and morphing like an old 3D demo. The screen locks into 320x240 and a magic eye spinning goatse shows up.
|
|
#
?
Jul 8, 2023 04:17
|
|
|
Can yall give me some insight into how yall triage/remediate your pentest/scan tickets. Currently we're a small department responsible for both infrastructure and product security. When we run scans we're taking note of the who, what, when, where, why and how to fix whatever problem and kicking them over the wall to either side of the house. The product side is fine with this because they have a ton of devs so they generally fix stuff fairly quick, the IT side is very slow with this because theyre an equally small department with other priorities. Our manager wants to somehow lower their mean time to remediation, but I dont see how beyond either doing as much of the infra tickets as we can before kicking over stuff that we absolutely cant do with our permission set or getting the company to increase IT headcount.
|
|
#
?
Jul 19, 2023 17:10
|
|
|
Defenestrategy posted:Can yall give me some insight into how yall triage/remediate your pentest/scan tickets. There is no silver bullet answer for this. Someone will have to do the work. Every org is going to be different on their resources constraint. In one of my orgs the security team does a lot of ops in concern to things like this because there is simply no one else. Orgs that don't invest in ops people anymore often struggle with finding bodies to do non-dev security remediation. This is dysfunctional because your manager is probably judged on remediation time tables yet isn't directly in control of them. You also have the boring rear end people yelling SEPERATION OF DUTY  . God speed.
|
|
#
?
Jul 19, 2023 17:29
|
|
|
Defenestrategy posted:Can yall give me some insight into how yall triage/remediate your pentest/scan tickets. This is the issue with Vulnerability Management in general. When I was in charge of vuln management in my shop, the only way to really grab this traction was change from above. Leadership needed to change some expectations to make it very known that the remediation of these issues is both tracked and scrutinized in relation to the gauge of performance for any given team. Once that trickles down to team managers this will actually start to move forward. There's a good chance you'll need to help build a process with those teams to deal with your requests specifically, but once that's all done you should see a pretty significant turn around in efficacy. tl;dr - it's a long road mostly governed by people than by tech.
|
|
#
?
Jul 19, 2023 17:32
|
|
|
It seems like, when you do a pentest or similar, you should budget both the cost of the test, and some kind of time/money for actually fixing whatever the bastards find. Get management to sign off on the test plus the actual work required in advance, so it can go into planning, with maybe like 10% of infra time going to it, or whatever is needed. So yeah, lots of soft infosec/governance work, good luck!
|
|
#
?
Jul 19, 2023 20:16
|
|
|
Sickening posted:There You also have the boring rear end people yelling SEPERATION OF DUTY I'm sometimes one of those boring people, but I can't fathom somebody trying to claim that separation of duties matters when you are assigning individual tickets for remediating individual problems to parties, so long as they are at least empowered to do the work :/
|
|
#
?
Jul 19, 2023 20:38
|
|
|
Potato Salad posted:I'm sometimes one of those boring people, but I can't fathom somebody trying to claim that separation of duties matters when you are assigning individual tickets for remediating individual problems to parties, so long as they are at least empowered to do the work :/ Separation of duty feels like more of a luxury instead of being a blocker these days. I would also argue that in some of my orgs the people yelling "SEPERATION OF DUTY" was just creating situations where nothing can be done as there is nobody with that duty, defeating the point of separation of duty by creating more risk.
|
|
#
?
Jul 19, 2023 20:52
|
|
|
*directed at the product manager* Separate THIS doody 
|
|
#
?
Jul 19, 2023 21:06
|
|
|
Kevin Mitnick died of pancreatic cancer.
|
|
#
?
Jul 20, 2023 02:15
|
|
|
Ah that’s a shame. His books were a good read.
|
|
#
?
Jul 20, 2023 02:34
|
|
|
RIP. lovely way to go.
|
|
#
?
Jul 20, 2023 02:58
|
|
|
Defenestrategy posted:Can yall give me some insight into how yall triage/remediate your pentest/scan tickets. In cases like this its really important to look into systemic themes behind individual vulnerabilities found in a scan. Is there a regular patching cycle or not? If not, push for that rather than individual vulnerability remediation, and move to using aggregated metrics over time to measure the efficacy of the program. Are you finding vulns in containers? Is there a system that ensures folks are following latest major lts versions? If not, that's a good place to spend time and human capital. Are folks using a myriad of OSes and images? Probably worth looking into building a blessed image factory for a few supported OSes and try and get people onto the same standard. Bulging out an image factory will also allow certain kinds of workloads to be run ephemerally, which can address a whole swathe of patching issues. Basically, if they can't improve mean time to remediation under the current system, evaluate if the current system is any good and then make changes to it (with their partnership). Everyone's MTTR looks great if everytime they deploy they get the latest system patches 
|
|
#
?
Jul 20, 2023 14:04
|
|
|
Claeaus posted:Regarding secure passwords, wouldn't a passphrase made with half made-up words that makes sense to you but no one else be a good idea to reduce the risk of the words being in a wordlist? Listen very carefully: the first rule of passwords that you do not reuse the same password for multiple services. Not complexity, not resistance to dictionary attacks. Because maybe one of the places you use your password is stupid and compromised, and when you type your long ultra-secure password in the bad guys don't even need to crack it. They see it in plain text and say "lol floops badroops". So, if you can remember 10 or 20 different nonsense phrases then yes your idea is fine. Since you can't do that, you should instead get a password manager and use a passphrase for that. It can even be a shorter and simpler passphrase! Password managers are strongly resistant to GPU cracking and much more secure than the average website. (Apologies to the rest of the thread that is tired of passwords.)
|
|
#
?
Jul 20, 2023 14:22
|
|
|
gently caress that sucks. I need to go back and finally finish Art of Deception. We need better IDS / endpoint monitoring for the pancreas; poo poo is scary. Klyith posted:(Apologies to the rest of the thread that is tired of passwords.) Shumagorath fucked around with this message at 14:35 on Jul 20, 2023 |
|
#
?
Jul 20, 2023 14:32
|
|
|
|
| # ? May 17, 2024 07:28 |
|
|
Klyith posted:Listen very carefully: the first rule of passwords that you do not reuse the same password for multiple services. We have a solution for this issue. We must learn from that recent password game and all services must implement obnoxious and random password requirements. When a service requires that your password is at least 13 characters long, must contain at least two numbers, three capitals and one small letter, the 4th character must be Y, 7th number 2, and 11th character must be # you are unlikely to be able no reuse it.
|
|
#
?
Jul 20, 2023 22:28
|
|
