https://twitter.com/taviso/status/843280970430078977 don't drink the pee
# ? Mar 21, 2017 16:41
flakeloaf posted: https://twitter.com/taviso/status/843280970430078977
I love Tavis.

# ? Mar 21, 2017 16:47
Sure don't use lastpass if you want. But since you should use a password manager, just don't use auto-fill, or auto-sync on any of them.

# ? Mar 21, 2017 17:33
or you could use a pwm that isn't broken, but what do i know

# ? Mar 21, 2017 17:35
Truga posted: or you could use a pwm that isn't broken, but what do i know
Oh Word? You know that %piece of software% isn't broken? drat make sure to link your Computer Science Thesis itt, thanks.

# ? Mar 21, 2017 17:41
ate poo poo on live tv posted: auto-sync
wait what's wrong with auto-sync now, that's my whole reason for wanting 1password so i can just change my passwords once and have all four or five or whatever the hell i'm up to machines go 'yup ok'
if dropbox gets owned i'm hosed anyway so hail eris or satan or whatever

# ? Mar 21, 2017 17:43
flakeloaf posted: wait what's wrong with auto-sync now, that's my whole reason for wanting 1password so i can just change my passwords once and have all four or five or whatever the hell i'm up to machines go 'yup ok'
Eh, that's just my opinion about limiting risk. If your password vault exists in only one place and you just c+p from it, then all the web-hook vulnerabilities don't matter. If dropbox gets owned, then yea I agree it's basically the same as a sync-service getting owned. Either way, I still think it's prudent not to enable web-site integration with any password manager.

# ? Mar 21, 2017 17:53
I have some general custodial poo poo to do that I have been putting off, but my coworker was asking about services to manage identity theft because somebody started using his identity from a breach two years ago. So I hoped y'all can answer some questions that go all over the place while I go down my list here:

1. Are there any services this guy can get to help mitigate the damage of this identity theft? It's apparently using some stale information that should be easy to notice. He particularly wants to know a good service that goes beyond credit monitoring and into checking the dark web for him to see if his poo poo's for sale.
2. I have diversified my passwords but now have a text file with a poo poo ton of passwords. I want to vault it somehow. I pretty much only ever use my passwords on my home PC and my work laptop. I was thinking of just using a USB thumb key, encrypting a password file on there, and maybe having an application to work with that file. For my little world, would this generally suffice? I understand walking that key back and forth may be a risk, but I generally intend to keep the files on both machines and just synchronize them. Heck, maybe I don't even need the USB key and could just do that over the network. I generally don't even try to log into poo poo from my phone if I can help it.
3. Is there anything I should worry about when using cookies for a client-side web application? I am trying to save the user's session using a cookie, and I want to be a big boy and not make it a place that stashes their user credentials in an easy-to-read way externally.

# ? Mar 21, 2017 18:13
this owns https://twitter.com/heroku/status/844213289097859072

# ? Mar 21, 2017 18:19
keepass solves #2
you can set up a vault file/key file combination if you're worried about dropping your thumbstick and having your passwords stolen or w/e

# ? Mar 21, 2017 18:24
aww yiss they finally shipped it

# ? Mar 21, 2017 18:29
just use icloud keychain

# ? Mar 21, 2017 18:48
https://twitter.com/kyletorpey/status/844243876231680001 /r/mycrimes

# ? Mar 21, 2017 19:04
lastpass vuln is up: https://bugs.chromium.org/p/project-zero/issues/detail?id=1209#c5
quote: win = window.open("https://1min-ui-prod.service.lastpass.com/");
quote: LastPass responded and said they have NXDOMAIN'd 1min-ui-prod.service.lastpass.com while they investigate.
quote: I've uploaded the exploit here:

# ? Mar 21, 2017 19:19
lmbo

# ? Mar 21, 2017 19:23
quote: They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac.
this to me seems scarier than the secfuck tbh

# ? Mar 21, 2017 19:24
Wiggly Wayne DDS posted: lastpass vuln is up: https://bugs.chromium.org/p/project-zero/issues/detail?id=1209#c5
lol at whoever was checking the vuln not even looking at it to see what it did before blindly running it on a mac
lastpissssssssssss

# ? Mar 21, 2017 19:25
Wiggly Wayne DDS posted: lastpass vuln is up: https://bugs.chromium.org/p/project-zero/issues/detail?id=1209#c5

# ? Mar 21, 2017 19:26
quote: They also said they couldn't get my exploit to work, but I checked my apache access logs and they were using a Mac. Naturally, calc.exe will not appear on a Mac.
lol

# ? Mar 21, 2017 19:35
some darknet dealer just got caught with a mycrimes.xlsx

# ? Mar 21, 2017 19:41
If you've got the vulnerability there, why not just port calc.exe to Mac and then inject and run it?

# ? Mar 21, 2017 19:41
Doom Mathematic posted: If you've got the vulnerability there, why not just port calc.exe to Mac and then inject and run it?
What

# ? Mar 21, 2017 19:43
Doom Mathematic posted: If you've got the vulnerability there, why not just port calc.exe to Mac and then inject and run it?
if userag == mac do this else that

# ? Mar 21, 2017 19:44
Doom Mathematic posted: If you've got the vulnerability there, why not just port calc.exe to Mac and then inject and run it?
lol at their blistering incompetence on not even matching operating systems when checking if the vulnerability existed, furthermore https://twitter.com/joernchen/status/844255882707910656

# ? Mar 21, 2017 19:46
Doom Mathematic posted: If you've got the vulnerability there, why not just port calc.exe to Mac and then inject and run it?
Running a familiar harmless binary already on the target computer is totally different than injecting arbitrary code that "looks" like it's harmless. See every game crack ever.

# ? Mar 21, 2017 19:46
Wiggly Wayne DDS posted: it's a proof of concept, a rushed example to show that it works and not a universal perfect exploit designed to send os-specific payloads
what's wrong in cert tho, unless they are not owned by logmein

# ? Mar 21, 2017 19:46
cinci zoo sniper posted: what's wrong in cert tho, unless they are not owned by logmein

# ? Mar 21, 2017 19:48
Wiggly Wayne DDS posted: it's not a wildcard cert so doesn't cover the subdomain

# ? Mar 21, 2017 19:50
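The "not a wildcard cert, so it doesn't cover the subdomain" point above, as an added example that is not from the thread: the dNSName matching rule a browser applies (exact match, or a wildcard that is the whole leftmost label and matches exactly one label) written out as a check you can run against a certificate's SAN list. The SAN lists in the block are constructed for illustration and are not the contents of any real LastPass certificate; `dnsNameMatches` and `certCoversHost` are names chosen here.

```javascript
// Added example, not from the thread: does a certificate's dNSName SAN list
// cover a hostname? Follows the rule browsers use (RFC 6125 / RFC 2818 style):
// case-insensitive exact match, or a wildcard that is the entire leftmost
// label and matches exactly one label. So "*.lastpass.com" covers
// "www.lastpass.com" but not "1min-ui-prod.service.lastpass.com".
function dnsNameMatches(pattern, hostname) {
  const p = pattern.toLowerCase().replace(/\.$/, "");
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (!p.includes("*")) return p === h;
  const pLabels = p.split(".");
  const hLabels = h.split(".");
  // Wildcard must be the whole leftmost label ("*.example.com", never
  // "w*.example.com" or "foo.*.com"), and there must be at least two labels
  // after it so "*.com" cannot match every .com host.
  if (pLabels[0] !== "*" || pLabels.length < 3) return false;
  if (pLabels.slice(1).some((label) => label.includes("*"))) return false;
  // One wildcard label matches exactly one hostname label, never a dot.
  if (hLabels.length !== pLabels.length) return false;
  return pLabels.slice(1).join(".") === hLabels.slice(1).join(".");
}

// True if any SAN dNSName entry covers the host the client connected to.
function certCoversHost(sanDnsNames, hostname) {
  return sanDnsNames.some((name) => dnsNameMatches(name, hostname));
}

// Constructed SAN lists for illustration only; not any real certificate.
const SAN_NO_WILDCARD = ["lastpass.com", "www.lastpass.com"];
const SAN_WILDCARD = ["lastpass.com", "*.lastpass.com"];
const SAN_DEEP_WILDCARD = ["*.service.lastpass.com"];
```

In Node the built-in equivalent is `tls.checkServerIdentity(hostname, cert)`, which returns an Error when the name does not match; the point of spelling the rule out is that a single-level wildcard such as `*.lastpass.com` still leaves a two-label-deep host like `1min-ui-prod.service.lastpass.com` uncovered.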
Cripes, folks, I was being facetious. I just think it would be funny if an exploit launched Windows calc.exe on a Mac.

# ? Mar 21, 2017 20:33
Doom Mathematic posted: Cripes, folks, I was being facetious. I just think it would be funny if an exploit launched Windows calc.exe on a Mac.

# ? Mar 21, 2017 20:51
https://twitter.com/kyletorpey/status/844243876231680001 /r/mycrimes

# ? Mar 21, 2017 20:59
.

# ? Mar 21, 2017 21:08
I don't understand why password managers are so bad. Shouldn't they be relatively straightforward to make with some competent security people on your team? I understand that antivirus software is pretty complex so there are secfucks abound, but password managers shouldn't be that complex.

# ? Mar 21, 2017 21:13
Raere posted: I don't understand why password managers are so bad. Shouldn't they be relatively straightforward to make with some competent security people on your team? I understand that antivirus software is pretty complex so there are secfucks abound, but password managers shouldn't be that complex.
the problems are almost always related to browser integration. keepass doesn't have browser integration, and as far as I'm aware, their only fuckup thus far was checking for updates over http (which was fixed after some whining by the author)

e: 1pass has a pretty clean record so far as well, right? lastpass is the only one getting flagged for stupid poo poo like this on a weekly basis

burning swine fucked around with this message at 21:21 on Mar 21, 2017

# ? Mar 21, 2017 21:18
https://www.reddit.com/r/programming/comments/60jc69/company_with_an_httpserved_login_form_filed_a/df7vnzp/
quote: So. Believe it or not, his number is on the website. I just called him. He was quick to answer too.

# ? Mar 21, 2017 21:24
Doom Mathematic posted: If you've got the vulnerability there, why not just port calc.exe to Mac and then inject and run it?
why not just call /Applications/Calculator.app

# ? Mar 21, 2017 21:25
COACHS SPORT BAR posted: the problems are almost always related to browser integration.
keepass has browser integration if you use a plugin and i use the plugin and it seems to not be terrible about it. like you can disable autofill and it will only, specifically fill username/password and you can direct it to only fill one or the other and not both automatically and it tells you what it's doing and idk it seems fine and i don't want tavis telling me how bad it's actually implemented

# ? Mar 21, 2017 21:31
COACHS SPORT BAR posted: the problems are almost always related to browser integration.

# ? Mar 21, 2017 21:33