|
Pile Of Garbage posted:i'm the one dingus still using password safe how does it rate? it was dogshit 10 years ago when work forced me to use it and I am amazed the thing isn't dead
|
#
?
Feb 20, 2019 17:38
|
|
|
|
| # ? Jun 11, 2024 01:11 |
|
|
Shame Boy posted:is it normal for CTO's to be morons, because ours thinks SHA-256 is the "most secure encryption" and we should use it to hash passwords because "it's what bitcoin uses" tell him about sha384 and blow his loving mind
|
|
#
?
Feb 20, 2019 17:57
|
|
|
Shame Boy posted:is it normal for CTO's to be morons, because ours thinks SHA-256 is the "most secure encryption" and we should use it to hash passwords because "it's what bitcoin uses" at a big enough place it's normal sure if you need to compromise you can go with pbkdf-2 using sha-256 and like 100,000 iterations, it's NIST-approved and it is using sha-256
|
|
#
?
Feb 20, 2019 18:12
|
|
|
nadim is back https://twitter.com/isislovecruft/status/1098270385148022784
|
|
#
?
Feb 20, 2019 18:46
|
|
|
holy poo poo, I haven’t heard that name in so long And he’s a sex criminal? 
|
|
#
?
Feb 20, 2019 18:50
|
|
|
whouldathunkit?
|
|
#
?
Feb 20, 2019 18:55
|
|
|
drat, both mIRC and WinRAR vuln disclosures on the same day
|
|
#
?
Feb 20, 2019 18:58
|
|
|
is WinRAR more people find flaws in the encrypted archive implementation or something that could actually result in code execution?
|
|
#
?
Feb 20, 2019 19:00
|
|
|
BangersInMyKnickers posted:is WinRAR more people find flaws in the encrypted archive implementation or something that could actually result in code execution? https://twitter.com/NadavGrossman/status/1098223116734685184 there's a lucrative market in auditing programs that security researchers would never use in a thousand years, the problem is finding them
|
|
#
?
Feb 20, 2019 19:02
|
|
|
I think the latest one is code execution and has apparently been there for over 15 years or something. e: fb ^^^ and yep.
|
|
#
?
Feb 20, 2019 19:04
|
|
|
i do wonder what word 'lucrative' is an autocorrrect of in that sentence
|
|
#
?
Feb 20, 2019 19:05
|
|
|
in other news, https://arstechnica.com/gadgets/2019/02/googles-nest-security-system-shipped-with-a-secret-microphone/quote:Google gave a statement to Business Insider yesterday, saying, “The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part.” According to the company, "the microphone has never been on and is only activated when users specifically enable the option.”
|
|
#
?
Feb 20, 2019 19:06
|
|
|
Cocoa Crispies posted:at a big enough place it's normal sure this originally came up because i caught this in a design meeting and mentioned that passwords should be hashed over thousands of iterations using an algorithm specifically designed to handle it and he was like "but why, bitcoin only does it two times to make it extra secure and it's, like, unhackable! why would you need more than that?"
|
|
#
?
Feb 20, 2019 19:08
|
|
|
"Getting caught was an error on our part.”
|
|
#
?
Feb 20, 2019 19:08
|
|
|
Wiggly Wayne DDS posted:code execution lol oh joy this is going to cascade in to dozen of AV engines just like every time this happens
|
|
#
?
Feb 20, 2019 19:09
|
|
|
So after reading through the writeup, I'm going to reiterate what I've said a few times to anyone doing security risk assessments: run all their libraries and binaries through get-pesecurity https://github.com/NetSPI/PESecurity and raise holy hell if any component of their product is at minimum not opting in to dep, aslr, sehop, and code signing. The first three are typically sufficient the stop these types of vulns with the application just crashing instead of executing arbitrary code (signing is nice to detect tampering), or at least delay a determined attacker. If its a newer product I would also be requiring code guard opt-ins as well. You can mitigate against poo poo products by either installing EMET or using the new security center stuff in the later win10 builds to explicitly mitigate known poo poo code but that's playing wack-a-mole and I would only recommend it for your most critical systems because maintenance of it can be painful
|
|
#
?
Feb 20, 2019 19:27
|
|
|
Proteus Jones posted:"Getting caught was an error on our part.”
|
|
#
?
Feb 20, 2019 19:37
|
|
|
Cybernetic Vermin posted:i do wonder what word 'lucrative' is an autocorrrect of in that sentence
|
|
#
?
Feb 20, 2019 19:48
|
|
|
BangersInMyKnickers posted:So after reading through the writeup, I'm going to reiterate what I've said a few times to anyone doing security risk assessments: run all their libraries and binaries through get-pesecurity https://github.com/NetSPI/PESecurity and raise holy hell if any component of their product is at minimum not opting in to dep, aslr, sehop, and code signing. The first three are typically sufficient the stop these types of vulns with the application just crashing instead of executing arbitrary code (signing is nice to detect tampering), or at least delay a determined attacker. If its a newer product I would also be requiring code guard opt-ins as well. You can mitigate against poo poo products by either installing EMET or using the new security center stuff in the later win10 builds to explicitly mitigate known poo poo code but that's playing wack-a-mole and I would only recommend it for your most critical systems because maintenance of it can be painful CFG should be mandatory for that list too, there's no practical reason other than DRM obfuscation bullshit to disable it. Also EMET and more is just a cmdlet now, easy to use. Set-ProcessMitigation
|
|
#
?
Feb 20, 2019 21:00
|
|
|
Daman posted:Also EMET and more is just a cmdlet now, easy to use. Set-ProcessMitigation Yeah, and you have GPO options for it too but we're going to be stuck with server2012 systems for a while and the earliest win10/2016 builds still needed emet unless you wanted to be manually setting reg keys and other nonsense.
|
|
#
?
Feb 20, 2019 21:02
|
|
|
Schadenboner posted:
desktops can sleep/hibernate too 
|
|
#
?
Feb 20, 2019 21:09
|
|
if you let your laptop "sleep" or "hibernate". Pull the battery, hold down the power button to discharge the capacitors, turn 360 degrees and walk the gently caress away.
|
you can't pull the battery on modern laptops anymore because gently caress you
|
|
#
?
Feb 20, 2019 21:14
|
|
|
lol just lol if your suspend and hibernate processes don't encrypt all of your memory
|
|
#
?
Feb 20, 2019 21:18
|
|
|
Security Fuckup Megathtead - v17.0 - Getting caught was an error on our part. Mods, please
|
|
#
?
Feb 20, 2019 21:34
|
|
|
pseudorandom name posted:lol just lol if your suspend and hibernate processes don't encrypt all of your memory
|
|
#
?
Feb 20, 2019 21:43
|
|
|
there was a talk that i believe was posted in this thread (or its progenitors) a while back about hacking airline booking backends (and i think through exposed portals for travel agents??) including being able to get any persons boarding passes and stuff like that anyone remember this?
|
|
#
?
Feb 20, 2019 21:59
|
|
|
BIGFOOT EROTICA posted:there was a talk that i believe was posted in this thread (or its progenitors) a while back about hacking airline booking backends (and i think through exposed portals for travel agents??) including being able to get any persons boarding passes and stuff like that karsten nohl from 33c, maybe? https://www.youtube.com/watch?v=vjRkpQever4
|
|
#
?
Feb 20, 2019 22:00
|
|
|
flakeloaf posted:if you want to take an apple's password from scratch ram, you must first create the universal system-level process https://www.youtube.com/watch?v=zSgiXGELjbc
|
|
#
?
Feb 20, 2019 22:10
|
|
|
Midjack posted:karsten nohl from 33c, maybe? https://www.youtube.com/watch?v=vjRkpQever4 this seems right
|
|
#
?
Feb 20, 2019 22:10
|
|
|
actionjackson posted:hey is this video accurate because I can't understand all this techno-moon language someone call anderson cooper and get him on the case. Shame Boy posted:is it normal for CTO's to be morons
|
|
#
?
Feb 20, 2019 23:43
|
|
|
that vid is entirely plausible imo, its essentially the same complaint as with the creepy animated childrens videos from 2017 if you leave the recommender/autoplay thing to its own devices then it will quickly steer you towards certain local minima in the 'space of videos' depending on where you start, which you wouldn't stumble on otherwise. forget to close youtube after watching one instructional breast exam video and you will wake up the following day surrounded by dangerously horny teenage boys from india
|
|
#
?
Feb 21, 2019 00:54
|
|
|
Rufus Ping posted:forget to close youtube after watching one instructional breast exam video and you will wake up the following day surrounded by dangerously horny teenage boys from india That sounds like a shortcut at least a few people would enjoy though.
|
|
#
?
Feb 21, 2019 01:05
|
|
|
HEY PETER MAN IT'S THE BREAST EXAMS ON YOUTUBE
|
|
#
?
Feb 21, 2019 01:36
|
|
|
One of the really cool things about twitter and every other social media site is that everyone outsources their human moderation judgement to the philippines which is a country that elected duterte. I unironically think thats one of the causes of the rise of the alt right.
|
|
#
?
Feb 21, 2019 01:52
|
|
|
https://thehardtimes.net/harddrive/hey-wanna-see-some-nazi-poo poo/
|
|
#
?
Feb 21, 2019 02:40
|
|
|
can any android touchers riddle me this one please https://twitter.com/hilare_belloc/status/1098382700841500672
|
|
#
?
Feb 21, 2019 02:46
|
|
|
Rufus Ping posted:can any android touchers riddle me this one please
|
|
#
?
Feb 21, 2019 02:58
|
|
|
Dunno. Could be
|
|
#
?
Feb 21, 2019 03:06
|
|
|
mystes posted:The second one isn't just a list of all the permissions that the app asks for based on its manifest file? yeah, is it this? one other wrinkle is the android API level. prior to android API 23 (i.e. Android 6.0) the user is given an all-or-nothing permission list upon installing an app. you either accept all the permissions the app says it might want to access, or you don't install the app. if you have a device that is API 23 or higher, and the app is also compiled with API 23 or higher, you aren't given this list upon app installation, and are instead asked (similar to iOS) when an app wants to use a "sensitive" permission
|
|
#
?
Feb 21, 2019 03:09
|
|
|
|
| # ? Jun 11, 2024 01:11 |
|
|
Methanar posted:One of the really cool things about twitter and every other social media site is that everyone outsources their human moderation judgement to the philippines which is a country that elected duterte. Cheap onshore alternative is the American South
|
|
#
?
Feb 21, 2019 05:04
|
|
