Pile Of Garbage
May 28, 2007



apropos man posted:

Would it be possible to have two versions of the kernel: one for Vee-Emming and one for plain desktop/laptop use? I don't wanna lose up to 30% performance.

This is probably a bad idea, but fuckit: hit post.

You'd need two separate computers, one with the patch (Whatever it is) installed and the other without the patch installed. Of course I'd refrain from running out and buying poo poo or whatever until the embargo is lifted and we actually find out how big a deal the issue really is.


Pile Of Garbage
May 28, 2007



D. Ebdrup posted:

Aren't we used to this by now?

I know I am. Nothing gets me excited anymore and I'm already at the upper limit of drinking.

Pile Of Garbage
May 28, 2007



B-Nasty posted:

To be fair, it's a little better than just a text file. The master p/w in the batch file is encrypted using Windows' DPAPI, which is locked to a user account. The DPAPI key, though stored on disk, is encrypted with the login credentials, so an active user session would be necessary.

Basically to steal the passwords in the vault, you'd have to be able to run a process (decrypt the enc password in the batch file using DPAPI) under the logged in user's account. Access to the file system isn't going to cut it.

It's still not a particularly great idea, though.

Just want to clarify something here: the key derivation mechanism you're describing is PBKDF2; however, DPAPI can be utilised with a normal plain-text key, so it's worth verifying the implementation.

Pile Of Garbage
May 28, 2007



Whoever is behind the SwiftOnSecurity account is just a scrub-tier Windows computer janitor who thinks spamming furry stuff is hi-lar-ious. Oh and they get butthurt easily if you call them out.

Pile Of Garbage
May 28, 2007



If your joke is "CELEBRITY doing THING" then that's going to become stale 1k tweets later.

Pile Of Garbage
May 28, 2007



Weekly Infosec Podcast by Gilbert Gottfried

Pile Of Garbage
May 28, 2007



It makes things easier when you realise that every single CVE submission is just an Aristocrats joke.

Pile Of Garbage
May 28, 2007



CLAM DOWN posted:

Sorry, thought you were the other guy who threw out Sourceforge as a negative of qbittorrent.

SF's track record is inexcusable. Just use Deluge.

Pile Of Garbage
May 28, 2007



Furism posted:

Is anybody here starting to implement/deploy TLS 1.3? If so, I'd like to hear about your use cases.

Disclosure: my job consists of selling fuzzing/load testing, and one area is HTTPS/TLS, so this is also in that context (no, I'm not trying to sell to Goons, I'm using goon experience to try to sell to other people).

This article discusses a lot of the sticking points regarding TLS 1.3 adoption: https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/. The key takeaway IMO is that a large amount of devices that do HTTPS intercept simply crap the bed when they encounter TLS 1.3. It will probably be quite some time before the various vendors start officially supporting it on their products (Or at least release software that doesn't break when it sees TLS 1.3).

Pile Of Garbage
May 28, 2007



Boris Galerkin posted:

Isn’t he like an actual murderer?

He's wanted for questioning in Belize concerning the death of his former neighbours. Based on his Bluelight posts from the time it sounds pretty drat plausible that he did go and get his murder on (His username was stuffmonger): http://www.bluelight.org/vb/threads/541627-Hello-and-an-MDPV-Question

Edit: VVV yeah that's mentioned in the Bluelight thread. VVV

Pile Of Garbage fucked around with this message at 14:23 on Feb 9, 2018

Pile Of Garbage
May 28, 2007



Gotta source mats from an independent galaxy. Ofc if you're looking to mitigate against high-level localised relativity deconstruction attacks (?) then we'll need an independent universe.

Pile Of Garbage
May 28, 2007



ufarn posted:

Anyone played with Quad9 for DNS? Sounds neat, but I don't know how much they actually block.

If you're in Australia I'd avoid it, IBM are having issues there which break stuff that uses geo-DNS (e.g. Office 365).

Pile Of Garbage
May 28, 2007



ElCondemn posted:

I don’t understand the issue people have with LastPass, sure they were hacked but my understanding is that they encrypt using your “master key”. So all you’d have to do to remain secure is not share your private key. Certainly it would be good to keep your vault secret too but it’s as safe as your keepass database would be if say your Dropbox was hacked...

It's not just that they were breached and that serious exploits were found in their software, it's that they responded to it in an extremely poor manner. These days it's more of a "when" than an "if" for companies being breached and/or their software being exploited. This means that they need to plan for these scenarios and know how to respond. The folks behind LastPass clearly did not plan for such a situation either through lack of understanding or not giving a gently caress. Either way, their lacklustre response to the incidents and their attempts to downplay them have shown that they don't give two fucks about security.

Also what Truga said.

Edit: and Wiggly Wayne.

Pile Of Garbage
May 28, 2007



:lol: ElCondemn works for Amazon and is a shill

Pile Of Garbage
May 28, 2007




Your focus should be less on prevention and more on mitigation. Phishing attacks exploit humans which are imperfect and certainly not infallible systems. No matter how careful you are falling victim to phishing is really an inevitability given sufficient time. So, what you want to focus on is mitigating the impact of your credentials being compromised.

From the sound of it you're already taking the right steps, specifically using different credentials for each website and enabling 2FA wherever possible. Beyond that I guess you could deliberately change the passwords for all your accounts on a schedule however that would be a PITA.

Honestly you're already doing more than can be expected so maybe chill out a bit?

AlternateAccount posted:

So we get "analysts" from our security team sending us giant exports of "SUSPICIOUS LOGIN ACTIVITY ON EXECUTIVE ACCOUNTS." Most of the time it's just page after page of BAD PASSWORD. They expect me to somehow grill our C-levels about whether or not it was them. No. I am not doing that.
If our crack security team can't somehow suss out where these logins are coming from and do some investigation without dealing with the spotty memory of the end user, wtf are they going to do if I come back and say yep, they say they were sleeping at this time. OK? NOW WHAT?

loving clowns.

Sounds like they're just running garbage-tier reports against your environment that identify things like "X account failed auth Y number of times in period Z". You wouldn't perchance be relying on a BPO for security operations stuff? Either way tell them to stop running rubbish Nessus reports and get a proper SIEM appliance that's configured to do correlation and analysis to actually identify real risks.

Pile Of Garbage
May 28, 2007



Password Safe is still fine right? I use it at home with the safe file stored on a BitLockered iSCSI LUN because I don't really care about browser integration or cloud syncing or whatever. Works for me and pretty sure it's safe.

Pile Of Garbage fucked around with this message at 13:31 on Feb 25, 2018

Pile Of Garbage
May 28, 2007



Lastpass is garbage. Therefore anything which isn't Lastpass is significantly less garbage.

Pile Of Garbage
May 28, 2007



Stop using lastass or fuckoff?

Pile Of Garbage
May 28, 2007



Wiggly Wayne DDS posted:

i did mention them being repeatedly breached and ignoring that the attackers had far more access and capabilities than pr said right

Please respond to this ElCondemn

Pile Of Garbage
May 28, 2007



Unless you're being paid by Lastass things will surely get to a point where you have to take a step back and think "Wow, OK I'm sure stretching definitions and garbage to meet those pre-described sales points, is that even my responsibility anymore?"

Pile Of Garbage
May 28, 2007



I might not be remembering this properly but I'm pretty sure those are screenshots anthonypants took around the time of the Sony Pictures breach when private keys for code-signing certs were found amongst the data released and anthonypants used them to sign an executable. The issue here is that the cert is issued by a trusted root CA so clients would have no issues with accepting it.

Pile Of Garbage
May 28, 2007



NPR merged with WorldStar.

Pile Of Garbage
May 28, 2007



Avenging_Mikon posted:

I'm really bad with time zones, okay? I figured I'd missed you.

It's live now https://www.youtube.com/watch?v=DRnDBPQIEmo

Pile Of Garbage
May 28, 2007



I occasionally work offshore and on this one rig the company provided a wired network but there wasn't any WiFi. So to get around this the crew brought these little TP-Link Ethernet-to-WiFi bridges on-board and hooked them up in their cabins (There wasn't any 802.1x configured because the company didn't deploy an ACS appliance on-board and the latency over the VSAT link to onshore was too high). It was really bad but we had no way of stopping them.

One time when I was out there I was troubleshooting an intermittent connectivity issue with the CSR's personal laptop and I discovered another DHCP server on the network (Snooping was never configured on the switch). After further digging I found the source: one of the TP-Link bridge dongles. Turns out one of the more savvy crew members (The logistics supervisor iirc) realised that everyone using these dongles never changed the login creds for their web interface. So before he boarded the helicopter to go home at the end of his swing he logged onto the CSR's bridge dongle and hosed with the settings, including enabling the device's DHCP server and changing the SSID to "I EAT DICKS".

When I pointed this out to the CSR all he said was "Oh so that's why I can't connect to the wireless in my cabin." That's my WiFi story.

Pile Of Garbage
May 28, 2007



Darchangel posted:

I spotted this at work once, years ago:


And? What's the password?

Pile Of Garbage
May 28, 2007



22 Eargesplitten posted:

Why would someone who got the FBI Surveillance Van joke care enough to track you down?

Yeah I was also confused by that comment. Like it's normal to track down and assault the operators of wireless networks that you don't agree with? I'm imagining one of those YT prank videos where some scrawny dude is about to be pulverised and he's screaming "IT'S A PRANK IT'S A PRANK" whilst frantically pointing at a WAP.

Pile Of Garbage
May 28, 2007



Wow that's a pretty funny story about you lying to people and breaking their personal property. Good job mate you sure policed that network.

Pile Of Garbage
May 28, 2007



Cup Runneth Over posted:

It seems pretty harmless to me?

Really?

wolrah posted:

If they were nice I'd help them get it set up properly, if they were lovely about it I'd play on their ignorance and tell them I was with IT (technically true) to threaten them with consequences. I couldn't actually enforce those things and didn't even work in the right department, but it usually worked. Repeat offenders may have had their device reflashed to OpenWRT.

Whether or not what they did was illegal or violated some magical campus rule is really beside the point, dude's a dingus.

Pile Of Garbage
May 28, 2007



The Fool posted:

When I worked university support, the network department would confiscate home routers if found.

It was in the residence handbook, and the network policy that you had to sign in order to get internet access.

This was also in 1999-2003, so it was a relatively rare occurrence.

With wired networks these days it's far easier for campuses to either deploy 802.1x everywhere and/or deploy a transparent proxy with captive portal. Deploying campus-wide managed wireless is also easier thanks to centralised AP management.

For open wired networks it's also possible to do things in a safe manner by enabling 802.1x with MAB (Students register their device MACs with campus IT for access) and/or just lock things down enough to allow devices in a safe manner (BPDU guard and DHCP snooping plus something I'm probably missing).
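One way to put those controls together on an access switch (802.1x with MAB fallback, DHCP snooping, BPDU guard), written here as an added Cisco IOS-style example rather than anything from the thread; the VLAN, interface names, RADIUS address and shared secret are placeholders, and the MAB lookup assumes campus IT loads the registered student MACs into the RADIUS server.

```cisco
! Added example, not from the thread. VLAN, interface names, RADIUS
! address and shared secret are assumed placeholders.

! DHCP snooping: only ports marked "trust" may send DHCP server replies.
! A student's TP-Link bridge answering DHCP on an access port is dropped
! and logged, which is the rogue-DHCP case described elsewhere on this page.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option

! Uplink to the distribution layer: the real DHCP server's replies arrive here.
interface GigabitEthernet1/0/48
 description UPLINK
 switchport mode trunk
 ip dhcp snooping trust

! 802.1X with MAC Authentication Bypass against the campus RADIUS server.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server CAMPUS-NAC
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
dot1x system-auth-control

! Student-facing access ports.
interface range GigabitEthernet1/0/1 - 47
 description DORM-PORT
 switchport mode access
 switchport access vlan 10
 ! BPDU guard: a consumer router or switch that starts talking spanning
 ! tree gets the port err-disabled instead of reshaping the topology.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Rate-limit DHCP requests so one misbehaving client cannot starve the pool.
 ip dhcp snooping limit rate 10
 ! Try 802.1X first, fall back to MAB (registered MAC), one host per port.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 mab
 dot1x pae authenticator
```

Unregistered devices hitting the MAB fallback are simply never authorised onto VLAN 10, so the "confiscation" policy becomes unnecessary for the common case.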

Pile Of Garbage
May 28, 2007



The Fool posted:

I almost forgot, all devices on the network had publicly routable addresses. As in, if you requested port 80 opened and they granted it, you could host a website on your computer and just give out your computer's actual IP address. Or register a domain and point it at your computer in your dorm room.

Ahaha yeah I've read about this, campuses being given a /8 of public address space and then not bothering with NAT. I'd lose my mind trying to deal with that kind of poo poo, glad you made it out alive (Or did you?)

Pile Of Garbage
May 28, 2007



wolrah posted:

They were affecting network access for the entire building because their DHCP was faster to respond than the official one, and in previous times this had happened the official IT department took multiple days to resolve the problem. I bent the truth a bit to resolve the problem faster for myself and the rest of the people in the building.

Like The Fool, official policy was confiscation and most of the people I dealt with in this way were nice so I helped them out instead. They got a properly configured WiFi network and the rest of us got our internet back. The shittier people got told the actual policy and got a meaningless warning while the rest of us got our internet back. Where's the actual harm in those cases? Everyone came out better than the official way.

As far as the reflashing, I'll agree that it wasn't the best thing to have done but when the same person's broken your internet access for the fifth time that weekend and knows enough to work the reset button you start to consider more permanent measures. The device still worked and would even operate as a wireless access point and switch, I just disabled the DHCP server in the default config so their factory resets would stop breaking everything.

Nah, those are shite excuses. It's called DHCP snooping and has been around for ages, that would have handled your rogue DHCP server issue. Sounds like you ignored using technical solutions in favour of throwing your weight around to be the big network boy. Unacceptable behaviour and the fact that you don't seem to realise this makes me fear for your current employer, assuming you're still in the industry.

The Fool posted:

As a student in the early 00's it was pretty awesome. Host TFC and CS servers on university internet? Run a MUD on a linux box? Start a web business in your dorm room? :getin:


I'm sure it was a nightmare to manage, in hindsight, there were so many things that were just hacked together and barely worked day to day.

That rules. Exceptionally hosed from a network standpoint but to be there :allears:

Pile Of Garbage
May 28, 2007



Same except for ICSS on an off-shore rig (No one bothered to configure NTP, god drat telecoms idiots!!!)

Pile Of Garbage
May 28, 2007



Thanks Ants posted:

Do people have a preferred ACME client for IIS?

Good question. I've been meaning to look into exactly that as I'd like to use a Let's Encrypt certificate with NPS.

Pile Of Garbage
May 28, 2007



Turns out Strava wasn't the only opsec disaster app out there: https://www.bellingcat.com/resources/articles/2018/07/08/strava-polar-revealing-homes-soldiers-spies/

Pile Of Garbage
May 28, 2007



evil_bunnY posted:

This was painfully obvious to everyone with 2 brain cells when the strava thing hit. It was an opsec issue, not a strava one.

Yeah well why didn't you take your two brain cells and write a detailed research piece about it instead of posting in retrospect like a lovely Nostradamus. Also I never said it wasn't an opsec issue?


Pile Of Garbage
May 28, 2007



I was just posting a thing that I thought people might enjoy reading. Also posted the same thing in the secfuck thread in case you want to throw your weight around there.
