|
Not double posting
https://www.techrepublic.com/article/50-gb-of-data-left-exposed-on-amazon-s3-bucket-by-analytics-firm-birst/

quote:
Configuration data was placed in an unsecured Amazon S3 bucket by the business analytics software firm Birst, according to security researchers at UpGuard. On January 15th, UpGuard detected the unsecured bucket—which contained IP addresses, administrative credentials, passwords, and private keys.
|
# ? Mar 1, 2018 22:59 |
|
What's UpGuard?
|
# ? Mar 1, 2018 23:22 |
|
ozymandOS posted:
What's UpGuard?

http://lmgtfy.com/?q=upguard
|
# ? Mar 1, 2018 23:24 |
|
Sickening with the sick anti-joke punchline
|
# ? Mar 1, 2018 23:26 |
|
ChubbyThePhat posted:
Sickening with the sick anti-joke punchline

I couldn't help it, the joke was terrible.
|
# ? Mar 1, 2018 23:27 |
|
ozymandOS posted:
What's UpGuard?

Not much, you?
|
# ? Mar 1, 2018 23:31 |
|
Sickening posted:
I couldn't help it, the joke was terrible.

It arguably made it more funny.
|
# ? Mar 1, 2018 23:32 |
|
Stanley Pain posted:
It's only freakin March.

Surely you're mistaken. It's still September
|
# ? Mar 2, 2018 03:02 |
|
When September eeeeeends
|
# ? Mar 2, 2018 04:03 |
|
Volmarias posted:
Wasn't there some user testing showing that users gave exactly zero fucks about EV and mostly didn't even know that it existed?

And they are correct. All you have to do is set up a corporation in some state (so you can provide the legal papers), with a synonym name to a (not too) well-known company and register for some TLD nobody will find weird. And there you go, you own a swipe.cx EV cert or whatever.
|
# ? Mar 2, 2018 10:10 |
Do you remember, ∞th night of September? Not changing the mind of infosecs While chasing the butts away Our hearts were crying In the key that our souls were sighing As we wasted in the night
|
|
# ? Mar 3, 2018 09:43 |
|
https://twitter.com/oculus/status/971556153946669056 Keep your certs up to date, folks!
|
# ? Mar 8, 2018 02:23 |
|
So ridiculous.
|
# ? Mar 8, 2018 02:29 |
|
Absurd Alhazred posted:
https://twitter.com/oculus/status/971556153946669056

*snerk* I really should ask my ex-friend about his oculus.
|
# ? Mar 8, 2018 02:48 |
|
Absurd Alhazred posted:
https://twitter.com/oculus/status/971556153946669056

I'm not very familiar with modern VR stuff, so this is a genuine question: Is there any legitimate reason that a hardware peripheral like a Rift needs to authenticate with a remote server just to function? To get updates, sure, it only makes sense to verify the cert. But to display local content like a game? What on Earth is the sense in that?
|
# ? Mar 8, 2018 03:01 |
|
Powered Descent posted:
I'm not very familiar with modern VR stuff, so this is a genuine question: Is there any legitimate reason that a hardware peripheral like a Rift needs to authenticate with a remote server just to function? To get updates, sure, it only makes sense to verify the cert. But to display local content like a game? What on Earth is the sense in that?

Because Oculus decided to. The old SDK didn't have this stupid always-online runtime, but they decided to make it required for reasons. I'm glad I wasn't working on the Rift today.
|
# ? Mar 8, 2018 03:09 |
|
Powered Descent posted:
I'm not very familiar with modern VR stuff, so this is a genuine question: Is there any legitimate reason that a hardware peripheral like a Rift needs to authenticate with a remote server just to function? To get updates, sure, it only makes sense to verify the cert. But to display local content like a game? What on Earth is the sense in that?

It's not (at least not for this.) The issue is simply that a code signing cert expired and they didn't timestamp the signature (which would have allowed it to continue to function) so it couldn't load a critical DLL. So, essentially, they hosed up the signing process for a single DLL that caused Windows to reject loading a now unsigned DLL which broke the local platform. Problem now is, it's broken enough that it can't even update itself, so they are going to have to have some sort of offline patching.
bull3964 fucked around with this message at 03:14 on Mar 8, 2018 |
# ? Mar 8, 2018 03:11 |
|
Powered Descent posted:
I'm not very familiar with modern VR stuff, so this is a genuine question: Is there any legitimate reason that a hardware peripheral like a Rift needs to authenticate with a remote server just to function? To get updates, sure, it only makes sense to verify the cert. But to display local content like a game? What on Earth is the sense in that?

Rift has an app store and they want it to be a device like a cell phone rather than a computer peripheral.
|
# ? Mar 8, 2018 03:13 |
|
Powered Descent posted:
I'm not very familiar with modern VR stuff, so this is a genuine question: Is there any legitimate reason that a hardware peripheral like a Rift needs to authenticate with a remote server just to function? To get updates, sure, it only makes sense to verify the cert. But to display local content like a game? What on Earth is the sense in that?

They're concerned that someone might download a headset, so having it always online makes it harder for pirates to do that.
|
# ? Mar 8, 2018 03:14 |
|
Yeah, like I said though, this doesn't really have anything to do with being online or always connected. They accidentally put a timebomb in a DLL by not timestamping the signature, causing the library to spontaneously become unsigned as far as Windows was concerned this afternoon when the cert expired.
|
# ? Mar 8, 2018 03:20 |
|
bull3964 posted:
Yeah, like I said though, this doesn't really have anything to do with being online or always connected. They accidentally put a timebomb in a DLL by not timestamping the signature, causing the library to spontaneously become unsigned as far as Windows was concerned this afternoon when the cert expired.

But that’s not a funny way to show that you’re smarter and aloof. Please try again.
|
# ? Mar 8, 2018 03:28 |
|
bull3964 posted:
It's not (at least not for this.)

Thanks for the explanation. That makes a lot more sense than what I've been seeing in the news articles, which makes it sound like the Rift contains these lines of code:

    if (IsExpired(OculusWebsite.Certificate))
    {
        BrickDevice();
    }
|
# ? Mar 8, 2018 03:42 |
|
Powered Descent posted:
I'm not very familiar with modern VR stuff, so this is a genuine question: Is there any legitimate reason that a hardware peripheral like a Rift needs to authenticate with a remote server just to function? To get updates, sure, it only makes sense to verify the cert. But to display local content like a game? What on Earth is the sense in that?

Because they are owned by Facebook, and FB wants to know EVERYTHING you are using your Rift for. I would hazard to guess so they can add in advertising at some point.
|
# ? Mar 8, 2018 04:00 |
|
bull3964 posted:
Yeah, like I said though, this doesn't really have anything to do with being online or always connected. They accidentally put a timebomb in a DLL by not timestamping the signature, causing the library to spontaneously become unsigned as far as Windows was concerned this afternoon when the cert expired.

Well now I feel stupid!
|
# ? Mar 8, 2018 04:19 |
|
Samizdata posted:
Because they are owned by Facebook, and FB wants to know EVERYTHING you are using your Rift for. I would hazard to guess so they can add in advertising at some point.

Just read the thread.
|
# ? Mar 8, 2018 04:39 |
|
I just wonder how long that DLL hasn't been countersigned. Did the build process in the most recent release gently caress it up or had it not been countersigned from the beginning?

What Oculus REALLY hosed up is the communication. This is something that can happen to literally any signed application on Windows. They should have gotten out in front of this with a very clear statement to spoon-feed the tech blogs, giving the fundamentals of the code signing process. Now everyone is running around saying that this failed due to an SSL cert on some phone home functionality when this was really just a breakdown of process when they signed that library.

The issue isn't even about the cert renewal. It's common for code signing certs to be expired on deployed code, that's why you countersign them. It's sufficient to show that the cert was valid when the code was signed, not at runtime.
|
# ? Mar 8, 2018 04:55 |
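
The failure mode discussed in the posts above (a signature that verifies only until the signing certificate expires, because it was never timestamped) can be caught before release. The following is an added example, not part of any post in this thread and not Oculus's tooling; the `$BuildOutput` parameter and its default path are hypothetical.

```powershell
# Added example: release gate for signed binaries that lack a timestamp.
# $BuildOutput and its default are hypothetical; point it at your own build directory.
param(
    [string]$BuildOutput = '.\out'
)

$findings = Get-ChildItem -Path $BuildOutput -Recurse -File -Include *.dll, *.exe, *.sys |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $problem = $null

        if ($sig.Status -ne 'Valid') {
            # Covers NotSigned, HashMismatch, NotTrusted and the other non-Valid states.
            $problem = "signature status is $($sig.Status)"
        }
        elseif ($null -eq $sig.TimeStamperCertificate) {
            # Verifies today only because the signing certificate has not expired yet.
            $expiry = $sig.SignerCertificate.NotAfter.ToString('yyyy-MM-dd')
            $problem = "no timestamp; will stop verifying after $expiry"
        }

        if ($problem) {
            [pscustomobject]@{ File = $_.FullName; Problem = $problem }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Error "$(@($findings).Count) file(s) are not validly signed or are signed without a timestamp."
    exit 1
}

Write-Output 'All binaries are validly signed and timestamped.'
```

Run as a pipeline step after signing, this fails the build on the first binary that would turn into the "timebomb" described above.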
|
Hearing rumours that this happened because they signed releases by hand rather than integrating signing into their CD pipeline and one of their machines didn't get the new signing cert when they renewed it
Rufus Ping fucked around with this message at 05:12 on Mar 8, 2018 |
# ? Mar 8, 2018 05:09 |
|
They should have just made sure everything coming out of their books servers was signed
|
# ? Mar 8, 2018 05:54 |
|
https://twitter.com/filip_kafka/status/972168475945963523
|
# ? Mar 10, 2018 19:19 |
Hold on to your butts.
|
|
# ? Mar 12, 2018 15:09 |
|
Dumpster Fire added to dictionary
|
# ? Mar 13, 2018 06:54 |
|
Well done everybody
|
# ? Mar 13, 2018 08:40 |
|
https://lists.samba.org/archive/samba-announce/2018/000435.html

quote:
CVE-2018-1057:
|
# ? Mar 13, 2018 10:58 |
|
|
# ? Mar 13, 2018 11:54 |
|
Potato Salad fucked around with this message at 12:39 on Mar 13, 2018 |
# ? Mar 13, 2018 12:27 |
|
I was ing that awesome Samba news, not
|
# ? Mar 13, 2018 12:37 |
|
Thanks Ants posted:
I was ing that awesome Samba news, not

You have to be careful with and in these treacherous times.
|
# ? Mar 13, 2018 13:58 |
|
|
# ? Mar 13, 2018 14:22 |
|
On the subject of dumpster fires... https://twitter.com/KateLibc/status/973551222023057408
|
# ? Mar 13, 2018 14:29 |
|
|
# ? Mar 13, 2018 16:17 |