public address system or personal assistant?

# ? Apr 18, 2024 04:08

# ? Jun 8, 2024 12:14

palo alto?

# ? Apr 18, 2024 04:10

personal altoids

# ? Apr 18, 2024 04:21

pain in the rear end

# ? Apr 18, 2024 04:31

Poopy Assumptions

# ? Apr 18, 2024 05:21

prepare anus

# ? Apr 18, 2024 06:32

Plain Almonds

# ? Apr 18, 2024 06:53
was talking with our MSP. they have 750 palo altos and the majority of them have IoC log entries of some kind. they’re hoping that the entries are benign or researchers testing stuff and don’t actually indicate compromise.

# ? Apr 18, 2024 13:28

That's a nice thing to hope.

# ? Apr 18, 2024 13:30
Wiggly Wayne DDS posted:

holy lmao at the pen test reports. this is pretty much the entirety of the reports. page 1, cover page. page 2, blurb + these graphs. page 3, graph legend. there is no page 4. plus the whole "3 minutes" thing. are they being wilfully ignorant?

# ? Apr 18, 2024 13:38
some movement on this issue: 2024-04-10: Entrust: CPS typographical (text placement) error - as a tldr Entrust mis-issued 6008 certs and are not doing anything about them

Jeremy Rowley posted: Entrust isn't revoking these certificates because re-issuance would result in the exact same certificate? Do I have that correct?

Wayne posted: I'm looking for clarity here. Entrust states that there is no intention to revoke but cite no authority overriding their obligations.

# ? Apr 18, 2024 13:39
go get em wayne

# ? Apr 18, 2024 14:12

i am pointing strongly at the don’t touch the poop rule BUT i am waiving it as the bugzilla is open to the public, technically wayne is very clearly capable and acting in good faith as to the purpose of the bugzilla nothing is being exploited (which is what traditionally has gotten threads iced) i am running up a yellow flag for the rest of the thread and this is not an invitation or okay for everyone else to go hogge wilde

# ? Apr 18, 2024 14:16

hogge wilde: oscar wilde’s lesser known brother who’s into ye olde sec fucks
Raymond T. Racing fucked around with this message at 14:41 on Apr 18, 2024

# ? Apr 18, 2024 14:25
quote: there isn't a good way i'm aware of to mass check crt.sh links

crt.sh can be queried directly (it's a big postgres db) with any postgresql client (I'm partial to TablePlus).

crt.sh
port 5432
u: guest
no password
database: certwatch

# ? Apr 18, 2024 14:47

Kovacs posted: crt.sh can be queried directly (it's a big postgres db) with any postgresql client (I'm partial to TablePlus).

# ? Apr 18, 2024 14:49

Using a database client to interact with a database over the internet is one of those things that's probably fine, but it feels intuitively so, so wrong to me.

# ? Apr 18, 2024 15:08
Antigravitas posted: Using a database client to interact with a database over the internet is one of those things that's probably fine, but it feels intuitively so, so wrong to me.

super meat boy did this for its custom level database

it turns out your intuition would have been entirely correct in that case

# ? Apr 18, 2024 15:14

Antigravitas posted: Using a database client to interact with a database over the internet is one of those things that's probably fine, but it feels intuitively so, so wrong to me.

yeah i was gonna say, i can't immediately think of why this is bad but holy moly does it feel bad in my gut

# ? Apr 18, 2024 15:36

the exposed db is probably a readonly mirror of the real db, making it a non-issue

# ? Apr 18, 2024 15:55

Jabor posted: super meat boy did this for its custom level database

super meat boy also used hard-coded credentials with full access, which is somewhat worse than just exposing a db to the public

# ? Apr 18, 2024 16:01

Truga posted: the exposed db is probably a readonly mirror of the real db, making it a non-issue

I assume the issue isn't "whoops we can write something" but instead "whoops turns out DB servers aren't generally as battle hardened as web servers at this point, and exploits do get found that might allow a foothold and place to pivot via RCE"

# ? Apr 18, 2024 16:08

Shame Boy posted: yeah i was gonna say, i can't immediately think of why this is bad but holy moly does it feel bad in my gut

It's even more fun periodically justifying it to the security team when they whinge about port 5432 being open. It's a public-good service, dammit. It is read-only, too.

# ? Apr 18, 2024 16:36

Pendragon posted: was talking with our MSP. they have 750 palo altos and the majority of them have IoC log entries of some kind. they’re hoping that the entries are benign or researchers testing stuff and don’t actually indicate compromise.

hope is my favourite strategy

Captain Foo posted: i am pointing strongly at the don’t touch the poop rule BUT

screw you, you’re not my dad. I’ll yell in bugzilla if I want to

# ? Apr 18, 2024 16:37

Subjunctive posted: hope is my favourite strategy

you know what I’m talking about

# ? Apr 18, 2024 16:39
yeah as nice as the db is i can't use it to do what i really need, it's good for domain lookups but for extracting ocsp status and revocation time for a batch of 6k sha256 sums it's not any better despite storing all of that data in blobs per-cert. in theory i could reverse engineer the list with ca_id but it doesn't support issuer notbefore and notafter lookups

i've grabbed a crl and am looking to do some data analysis, but tying them back to certs is a headache (it's serial number, timestamp, reason). i can figure out their activity period and revocation capability but tying it back to a specific cert list is a nightmare
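Putting Kovacs' direct-to-postgres tip together with the issuer/notBefore/notAfter and batch-fingerprint lookup Wayne wanted: an added example, not code from the thread or from crt.sh itself. It assumes the certwatch schema's `certificate` and `ca` tables plus the `x509_*` helper functions crt.sh's own queries use; the issuer pattern, date window and SHA-256 values are placeholders.

```sql
-- Added example for the public crt.sh replica (host crt.sh, port 5432,
-- user guest, no password, database certwatch, as posted in the thread).
-- Assumes the certwatch schema: certificate(id, issuer_ca_id, certificate bytea),
-- ca(id, name) and the x509_* helper functions crt.sh's own queries use.
-- Everything in angle brackets is a placeholder to fill in.

-- 1. Issuer + notBefore window lookup, returning the fields needed to line
--    each cert up against a CRL entry (serial) or a fingerprint list (sha256).
SELECT ca.id                                            AS ca_id,
       ca.name                                          AS issuer,
       c.id                                             AS crtsh_id,
       encode(x509_serialNumber(c.certificate), 'hex')  AS serial_hex,
       encode(digest(c.certificate, 'sha256'), 'hex')   AS sha256,
       x509_notBefore(c.certificate)                    AS not_before,
       x509_notAfter(c.certificate)                     AS not_after
FROM   certificate c
JOIN   ca ON ca.id = c.issuer_ca_id
WHERE  ca.name ILIKE '%<issuer name fragment>%'
  AND  x509_notBefore(c.certificate) >= '<window start>'::timestamp
  AND  x509_notBefore(c.certificate) <  '<window end>'::timestamp
ORDER  BY not_before;

-- 2. Batch lookup by SHA-256 fingerprint: paste the sums into the array
--    (one decode() per sum) instead of opening 6k crt.sh links by hand.
SELECT encode(digest(c.certificate, 'sha256'), 'hex')   AS sha256,
       c.issuer_ca_id                                   AS ca_id,
       encode(x509_serialNumber(c.certificate), 'hex')  AS serial_hex,
       x509_notBefore(c.certificate)                    AS not_before,
       x509_notAfter(c.certificate)                     AS not_after
FROM   certificate c
WHERE  digest(c.certificate, 'sha256') = ANY (ARRAY[
         decode('<sha256 hex 1>', 'hex'),
         decode('<sha256 hex 2>', 'hex')
       ]);

-- Caveat for the CRL join: a serial number may show up with or without a
-- leading 00 byte depending on the tool (DER INTEGER sign padding), so
-- normalise both sides (strip leading zero bytes, or compare as numerics)
-- and scope the match to the issuer (ca_id) before trusting a hit.
```

The join key between a CRL row and a cert is (issuer, serial), never the serial alone; the second query's ca_id column is what you scope on.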
# ? Apr 18, 2024 16:42

waiting with bated breath for the part 2 on amir's substack

# ? Apr 18, 2024 17:40

I wonder if all of these security researchers made it to palo alto's hall of fame? It's very prestigious. As a member of it myself, I was honored that they put my name on it and gave me absolutely nothing else considering the exploit i found for them was terrifying. But they also didn't actually fix it and it showed up in the news months later. Oopsie doodle.

# ? Apr 18, 2024 17:45

Truga posted: the exposed db is probably a readonly mirror of the real db, making it a non-issue

still feels like an issue

# ? Apr 18, 2024 17:52

Shame Boy posted: still feels like an issue

# ? Apr 18, 2024 17:58

skill issue, maybe

# ? Apr 18, 2024 18:43

Wiggly Wayne DDS posted: eh not really

like i know that if properly configured it shouldn't be an issue it just feels like an issue, idk

# ? Apr 18, 2024 18:47

yeah, hard to get over the "don't expose the db to the internet" rhetoric that's been drilled into us for 20 years

# ? Apr 18, 2024 18:51

I dunno who’s fuzzing the Postgres protocol handler but I bet they aren’t using exactly the same config as you are

# ? Apr 18, 2024 19:03

also I don’t know how much Postgres likes having a ton of connection churn; proxysql is a hero to many for a reason

# ? Apr 18, 2024 19:05

Subjunctive posted: also I don’t know how much Postgres likes having a ton of connection churn; proxysql is a hero to many for a reason

pgbouncer is the only way we can keep Postgres usable

# ? Apr 18, 2024 19:08

idk how to do the fancy quote url stuff: https://bugzilla.mozilla.org/show_bug.cgi?id=1890898

quote: "Our CDN statistics show that between March 22, 2024, 15:02 UTC and March 26, 2024, 17:07 UTC our CPS versions 3.18 and 3.19 were downloaded 30 times by desktop or mobile browsers, excluding Entrust networks."

the argument is "well no one read the CPS that was wrong, so it's fine"??? this is a new low for me in the saga

good lord

# ? Apr 18, 2024 21:12

quote:
you got that right, bugzilla

# ? Apr 18, 2024 21:38

A few weeks ago I had no idea the CA/Browser Forum existed and today I won’t be satiated until we bathe in Entrust’s blood. This thread rules.

# ? Apr 18, 2024 22:07

# ? Jun 8, 2024 12:14

someone at work today asked if we should join CA/BF because we do a lot of stuff with certs and why not, and I eventually became relatively sure that they aren’t Wayne (no, we should not)

# ? Apr 18, 2024 22:21