Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Kazinsal posted:

Related to not rolling your own crypto, V8's Math.random() has some gnarly collision issues. Includes a graphical representation of noise generated by Safari's Math.random() vs. noise generated by V8's Math.random(). Patterns are immediately visible in the V8 one, while the Safari one is much more random.

Firefox's is good too, but I bet it's slower by a few microseconds, so the V8 team will be nuh-uh.


Subjunctive
Sep 12, 2006

✨sparkle and shine✨

They're doing the same thing as Lenovo and saying it's not a security problem, too.

Burn it. Burn it all.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Nobody should feel good about their posts in this thread, FYI.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

elite_garbage_man posted:

I know this was posted a while ago, but I hope it helps.

OK, you can be proud of your posting.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

unknown posted:

The Perception Point Research team has identified a 0-day local privilege escalation vulnerability in the Linux kernel. While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team

Hmm.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Ozu posted:

"generally known"

:allears:

That's delightful.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

If you force the user to change their password after every login, does simple u+o auth become 2-factor? I certainly wouldn't say so.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Dex posted:

you can manage that - trying to log in twice with the same code, or using the incorrect code twice in a row, locks me out of vpn and site logins until an admin resets my account

Yeah, if online brute force attacks are even a little bit of a risk for you, fix that before worrying about the number of factors.
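The lockout Dex describes (a replayed one-time code, or two wrong codes in a row, locks the account until an admin resets it) as an added Python example; this is not code from the post or from any vendor, and the `expected_code_fn` hook and `OtpGuard` class are hypothetical names:

```python
import hmac

# Constructed policy mirroring the post: a second login with an already-used
# code, or two wrong codes in a row, locks the account until an admin resets it.
MAX_CONSECUTIVE_FAILURES = 2


class OtpGuard:
    """Per-account state for one-time-code logins (hypothetical helper)."""

    def __init__(self, expected_code_fn):
        # expected_code_fn(account) -> code the server currently expects;
        # injected so the example runs offline without a real OTP secret.
        self._expected = expected_code_fn
        self._used = {}        # account -> set of codes already accepted
        self._failures = {}    # account -> consecutive failure count
        self._locked = set()

    def attempt(self, account, code):
        if account in self._locked:
            return "locked"
        if code in self._used.setdefault(account, set()):
            # Replay of an accepted code: treat the token stream as exposed.
            self._locked.add(account)
            return "locked"
        # Constant-time compare so timing does not leak how many digits match.
        if hmac.compare_digest(code, self._expected(account)):
            self._used[account].add(code)
            self._failures[account] = 0
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= MAX_CONSECUTIVE_FAILURES:
            self._locked.add(account)
            return "locked"
        return "denied"

    def admin_reset(self, account):
        # Clears the lock and failure count; accepted codes stay recorded
        # (in a real deployment they would age out with the OTP window).
        self._locked.discard(account)
        self._failures[account] = 0

    def is_locked(self, account):
        return account in self._locked
```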

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

The Reddit poster needs to read the whole letter. The phone is unlocked by the PIN, and the requested OS version a) allows PINs to be tested via software, much faster; and b) disables the auto-wipe after 10 failed entries.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

EVIR Gibson posted:

private github account on the same ip

If you do not understand this, sorry!

I do not understand this.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Rufus Ping posted:

I think he's suggesting someone might have an exposed e.g. GitLab installation running on their production servers and if it were vulnerable in some way then an attacker could pivot once inside

Yeah, I didn't understand how you'd get a private github account on different hosts, but if by "GitHub" he meant "GitLab" and by "account" he meant "installation", I can see it.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

No.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

https://letsencrypt.org/

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

mrbass21 posted:

Been trying to set up good security settings with Apache. Found Mozilla's configuration recommendation page and wondered how reliable it was: https://mozilla.github.io/server-side-tls/ssl-config-generator/

It's good, but it's just SSL config. If you want mod_security or information on directory permissions or fcgi users or whatever, you'll need to look elsewhere.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

pr0zac posted:

You guys know it takes all of 5 minutes to decompile an iOS app and/or mitm the traffic to check claims of backdooring or logging, right? Objective-C doesn't even obfuscate symbols, any idiot can do it.

Like, this isn't something that you have to decide based on your personal biases against a company, you can just go check it for yourself. There's a reason you don't hear any real security professionals saying dumb poo poo like this.

I hear Facebook bribed Moxie to install a broken ratchet.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

feedmegin posted:

Whatsapp isn't peer to peer afaik. The underlying protocol is basically jabber. Given that it goes through servers run by Facebook, inspecting the source locally is unlikely to tell you much useful about any logging.

Except that the encryption happens locally, and is (auditably) end-to-end.

E: metadata about message and voice traffic is visible, if that's what you mean.

Subjunctive fucked around with this message at 14:45 on Apr 22, 2016

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Facebook already says no to law enforcement requests every day. My team has a "come back with a warrant" doormat in our area. We've gone to court to limit what LE can subpoena.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

The NYT had documents (which they didn't publish wholesale) supporting the claim that the NSA had messed with at least one of the curves, as part of Bullrun.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Also related to NSA subversion of cryptosystems: http://www.cryptomuseum.com/crypto/philips/px1000/nsa.htm

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

How do I get in on the coat tails thing? Sounds p sweet.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

"remote ring0 vulns" is my John McAfee cover band.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

doctorfrog posted:

Is that the sort of thing where you're vulnerable because you're running a Symantec product? You'd be safer with nothing?

Yes. Vastly so.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

apseudonym posted:

Symantec.txt

AV.gif (it loops)

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

co199 posted:

Traditional AV is on life support, but as a last line of defense (e.g. if AV detects something you're already hosed but maybe it might save you a little bit) it's worth having.

No.

quote:

people are literally taking the saying "AV is dead" at face value and running with nothing, in the real world, in 2016

Hi.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

co199 posted:

I was simply using it as an example where actually having an AV product deployed would have helped with one aspect of the issue

It's also possible that wearing a seatbelt can kill you by trapping you in a car, but the seatbelt soapbox is still exactly the right one to stand on. You can have a fatal reaction to a vaccine, but you should still get them. The most likely outcome of having AV installed is worse than the most likely outcome of skipping it.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

co199 posted:

I'm not trying to be an rear end in a top hat here, but can you give me a real-world example of securing an environment of say, 10,000 endpoints (we'll softball it with a mix of XP, 7 and 10, Server2k3,2k8r2 and 2k12) without using AV and without getting laughed out of a boardroom for presenting a cost of $texas?

My company has > 10K end-user machines and we don't run AV.

But I'm curious: what would you do that would replace AV but be really expensive?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

co199 posted:

I wouldn't replace AV, that's the point - I'd use it in conjunction with other tools. You didn't answer the question, you just asked another one.

I don't have the complete inventory of tools that we use, though I know some of them. I don't think we share the list publicly, but I think we've given some public talks about how we manage the corporate user fleet. I'm not sure how I would slice out the cost of the investment in "protect against someone sticking in a USB key that contains malware which happens to have been submitted to virustotal" from the general defense against malware. I know that if I suggested to our corporate IT security team that they look at AV as something to put on our systems, they would give me a near-fatal wedgie and ban me from their part of the building. I believe that our software inventory system actually alarms if it detects AV software installed on a corporate machine. AV would make ensuring the integrity of the corp-side networks *more* difficult, in addition to creating a billion points of additional friction for everyone who works here.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

co199 posted:

Ok, I'm not saying AV makes it cheaper, my question was specifically around securing a large enterprise, without AV, for a "reasonable" price. That's probably too broad of a specification, realistically, but for the sake of conversation we'll let it stand.

If you're not saying it makes it cheaper, then why the "reasonable" price element? Why would securing a large enterprise without AV cost more than doing it with AV?

(Please include the operational cost of having AV bullshit get in your users' way all the time.)

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Gonna risk a triple-post and quote myself from another thread:

Subjunctive posted:

My company has a vast number of the most mainstream users possible. When we detect that they have malware on their computers (through how they interact with the service), we direct them to a tool that removes malware, but does not stay installed or set up shop as AV. Even in cases where we know the user has been compromised, the security risks of modern AV software are too high to recommend for ongoing use.

These aren't Tor-using nerds protecting their Bitcoin wallets, they are literally the most average computer users that exist. Our security team is one of the absolute best in the world. All available evidence indicates that AV is a cure worse than the disease.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Absurd Alhazred posted:

If it's the company I think it is then it does in fact stay installed, constantly "suggests" that you buy the full anti-virus, and finds problems like "this web browser you never use has some kind of edge-case vulnerability if you are dumb enough to use it, but if you want us to automatically fix it you'll need to buy our full suite."

PM me the details of which was installed? That shouldn't happen.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Antillie posted:

Must be nice to work in an industry that isn't subject to PCI, HIPAA, GLBA, US Government Contracting, or UK Data Protection Act regulation. It must also be nice to not have any clients that are subject to any of those things either.

The HIPAA Security Rule has malicious software protection as Addressable rather than Required, and certainly doesn't mandate lovely consumer AV. There are definitely HIPAA compliant shops that don't install AV on end user PCs.

Consumer AV (or even ESET) doesn't meet the PCI DSS requirement, nor is it a necessary component of meeting the requirement -- if you somehow magically have a system that meets the requirement, and you remove AV, it will still meet the (ridiculous, impossible) requirement.

I've been a US Gov't contractor for DOE labs working on clusters for nuclear simulation, without AV, and had no issue.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Yeah, I wrote software that handled all the data on some classified clusters as a foreign national without a background check. The parameters of gov't contracting are broad and varied.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

E: double

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

invision posted:

Were you like sub-sub-sub-sub-contracted?

No, our invoices were sent to the labs, and I worked directly with their systems staff.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

apseudonym posted:

What vulnerabilities in any platform does AV close off? None.

You're again conflating malware with vulnerabilities, and that's not correct, most malware does not exploit any vulnerability.

This is very important. Please read this text. Vulnerabilities are how malware get installed, not how malware does its dirty work. And the network-facing software like browsers are increasingly pointless for scale attackers (vs directed) to use, because they get patched too quickly. Except Java, but plugins are dying soon too, and Java is basically unnecessary for the web today anyway. (We have some vendor finance apps at work that need browser Java, so the people who need them get VMs to run them on. The VMs are wiped and recreated after every session, even though they're network-constrained to not leave the corporate network. Java: eternally vigilant.)

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Daman posted:

taviso's AV bugs are cool but the "RCE" is rarely actually practical or part of the actual AV itself.

The worst thing that Tavis has found is not a set of specific vulnerabilities. Rather, it's the iron-clad evidence of industry-wide, structural disregard for the security impact of these products on the end user.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

apseudonym posted:

I'm not sure I'd go so far as to say that vulns are how malware gets installed/executed. Oftentimes it's us, the user, that executes the malware.

Sorry, I mean that to the extent vulnerabilities are relevant, they're an installation vector and not really part of how malware goes about operating (excepting some escalation vulns that make persistence and hiding easier).

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

And that lock can burn your door down, or move your jewelry to the front step.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Red Mike posted:

As opposed to having everything open at all times? I'd say it's an improvement. It's like everyone in here is aiming for 100.0% effectiveness, whereas the sane people are looking for covering the 20.0% of cases they can cover with minimal effort. I mean, you can't honestly be claiming that you can cover 20.0% of cases by not doing anything.

I don't know where the 20% number comes from, but most AV has side-effects that are pretty undesirable in terms of security, performance, and user experience. Nobody is aiming for 100% effectiveness. The position of the "insane", some of whom are accomplished security professionals, is that AV is a net negative. The positive elements (ability to catch lazily-deployed virus payloads) are decreasing and the negative elements (aggressive upsells, interference with system operation, security vulnerabilities that transcend mere self-parody) are increasing.


Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Codecs (video, audio, image) are legendarily fertile territory for bugs. Stagefright, for example.
