|
I'm tired of seeing the phrase "don't roll your own crypto". Yeah it's good advice if I'm trying to make web 2.0 mobile next big apps or whatever, but it's really loving annoying when you're learning about cryptography and some pile of meat stuck to a mouse replies with, "don't you know better than to ask ". It makes me think that the person who states it actually knows nothing about cryptography and is trying to cover up their personal insecurity with some cultist utterance. It's about ethics in cryptography.
|
# ¿ Nov 20, 2015 22:29 |
|
|
# ¿ Apr 28, 2024 17:03 |
|
Right, perhaps not if you are producing a product, but it is good to have an understanding of its use. It's a matter of trust in that regard. I understand how RSA and AES and SHA work, but not when it comes to using ECDH or different padding or something. I trust those (and their implementations) by virtue of my understanding of them, and by knowing the situations of where they do start to unravel. But I've only ever had to implement ElGamal, and it was not fun and it would had been easier to use a proper one. I dunno, I had an argument with some developers of some open source crypto application over not using the NIST curves or EC at all as the default scheme simply because none of us were actually well versed in how they work. They're faster, sure, but that's not the point ... dougdrums fucked around with this message at 22:54 on Nov 20, 2015 |
# ¿ Nov 20, 2015 22:52 |
|
For serious things I use a nonsense sentence, or a dumb joke I haven't told anyone, and remember it and the steps I use to manipulate it. Sometimes this involves Cyrillic or Chinese characters if allowed. I'm pretty sure that's the best any human can do.
|
# ¿ Nov 20, 2015 23:00 |
|
OSI bean dip posted:Any basic understanding of prime numbers would be enough to not let you wonder about why these are the largest pairs. I am not going to explain what is wrong in this code because if you're asking this then you shouldn't dare think about writing such. How can nerds be so smug.
|
# ¿ Nov 22, 2015 07:59 |
|
via posted:Wrong thread, I'm sure. But this has been bothering me for at least 15 years. Why were dictionary/brute force attacks ever possible? What is the use in letting a client attempt 1,000,000 passwords? Why would it even let you try five? People still brute force ssh servers, I guess people still use guessable ones.
|
# ¿ Nov 24, 2015 03:45 |
|
Mr Chips posted:Can you explain the mathematics for the first bit for everyone else who's interested in understanding why? This is Euclid's theorem. (In this case, Wikipedia probably has a simpler explanation, next to scanning a textbook.) Also, small primes can be easily guessed, which is supposed to be the hard part about RSA. M_Gargantua posted:I was wondering something about the practical side of security for disk encryption. If I don't have FDE equipped drives is it more secure to use software based encryption on the whole drive and have encrypted containers on it or to have multiple logical volumes encrypted with different passwords. I don't think there's any reason not to just encrypt everything. I'm not sure what the windows equivalent is, but I've used the single group LVM/LUKS approach sarehu mentioned without any issues, and without doubting it. You only need one key, too. I also wouldn't trust the OS to not write something telling with multiple volumes mounted. Also it's easy to make sure that my swap partition/file is encrypted. This is what I'm talking about : LVM on LUKS. You just leave the boot partition unencrypted. I think there's a way to finagle GRUB into using an encrypted kernel image and initramfs too, but I never tried. dougdrums fucked around with this message at 16:15 on Nov 28, 2015 |
# ¿ Nov 28, 2015 16:11 |
|
I wonder if the prevalence of online patient info sites increases or decreases breaches from misdelivery re healthcare. Also never allow employees to use email.
|
# ¿ May 9, 2017 03:26 |
|
You used to have to get those from a public site that used the same root ...
|
# ¿ May 23, 2017 03:37 |
|
Yeah, a good part of commercial infosec is auditing and regulatory compliance, which is a field that you might not run into otherwise doing IT/dev. Check out PCI standards, and get familiar with the requirements of HIPAA, FERPA, etc. Oh whoops you just mentioned this ... thought I'd just make note of it while I'm about. I learned about PCI from just reading the standards documents online, they're very helpfully written. Vvv Oh yeah, http://csrc.nist.gov/publications/PubsSPs.html and specifically 800-30: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf dougdrums fucked around with this message at 20:22 on Aug 31, 2017 |
# ¿ Aug 31, 2017 20:14 |
|
Yeah it's all incredibly dull. If I were to do this as my career forever I think I'd go into LE instead. I'm sure LE have their share of boring poo poo, but it still seems like a much more useful and interesting gig.
|
# ¿ Aug 31, 2017 20:29 |
|
Cowboy Mark posted:Contracted out some work to a developer. I'm not sure they entirely understand how to use SSH, and then they were complaining they couldn't connect to our server to transfer some files. A long while ago, I set up a dev environment on digital ocean for some subcontractors to work with. They had no sort of pki in place, and no real idea how to do it, so I cut them a working key under a new root, delivered it by hand, and showed them how to use it with putty. 3AM, I get a message from DO saying that the server is racking up abuse complaints. The only thought I had was that the subcontractor must be breached. Lo, that's how those dudes found out that they had been hosed for awhile. I was glad we didn't give them direct access to our poo poo.
|
# ¿ Sep 2, 2017 12:20 |
|
Subjunctive posted:Equifax laying off anyone related to security would be a really bad look. I mean firing your CISO and poo poo is the standard course of action. That's pretty much their role from what I understand -- to be hired in order to be fired.
|
# ¿ Sep 20, 2017 19:40 |
|
I check my mail like every other week, and there's never anything important. I literally use all of it as grill or fireplace kindling, unless it's completely covered in ink. In that case, I just shove it back into my post box. Eventually the postman will get frustrated and remove it all, except for the one time my voter registration card had "please empty mailbox" written on it. He's the one stuffing it with junk ...
|
# ¿ Oct 1, 2017 22:09 |
|
If you want full encryption, keep another one in a safe with otp codes. E: There's a small chance that they've cooked up some scheme to obscure memory, and that's what's getting flagged. Perhaps its been modified by something else, too. Are you comfortable sharing the name of it? dougdrums fucked around with this message at 22:44 on Feb 12, 2019 |
# ¿ Feb 12, 2019 22:12 |
|
Methylethylaldehyde posted:It's really hard to rm -rf your tapes when they're stored in a file cabinet across town. I would thank jesus that they didn't do the needful instead: https://twitter.com/VFEmail/status/1095021927972909056?s=20
|
# ¿ Feb 14, 2019 11:40 |
|
Yeah I had way to much time yesterday to read about it, and it seems the motive was to destroy some info after it was retrieved, without giving away what the target was. He said something to the effect of, "I don't know how they had the password to every vm." Of course they probably did not have the password/keys to every vm so whatever it was had to really be worth it.
|
# ¿ Feb 14, 2019 12:31 |
|
That still qualifies as reachable from the internet though. I keep the backups for my business in a deposit box. I remeber one place where they just had a zip file on the dc and were like, "yeah of course we keep backups!" I think some places have some confusion between backups in case you gently caress up some configuration and backups in case your poo poo gets wiped by an attacker/fire/mother nature. dougdrums fucked around with this message at 12:42 on Feb 14, 2019 |
# ¿ Feb 14, 2019 12:38 |
|
Have two of them (that is, configure a system for backups, and keep another version offline). Drop off a copy on my way home. Maybe use a third party too.
dougdrums fucked around with this message at 12:49 on Feb 14, 2019 |
# ¿ Feb 14, 2019 12:44 |
|
Subjunctive posted:Drop off a server? (I like the “on my way home” backup rotation strategy for a mail provider’s data, though.) Yeah no poo poo, I was clearly just giving an example for my case. You store a copy on media somewhere safe, regardless of scale. It's not exactly a novel concept.
|
# ¿ Feb 14, 2019 13:01 |
|
Subjunctive posted:Sure, there are lots of ways to rotate media to distant storage. That’s not the same as the backup server that generates those media being unreachable from the internet transitively. (It also puts constraints on your restore options.) You still have the previous version if your backup server gets hosed. It's a redundancy. You have to assume (like in this case) that if it's hooked up, it's at risk. You can keep a backup server live and restrict traffic, there's nothing wrong with that. You shouldn't stake your whole business on it being hosed though. The maersk/petya case is a good example. dougdrums fucked around with this message at 13:14 on Feb 14, 2019 |
# ¿ Feb 14, 2019 13:03 |
|
I agree it's not necessary to take it offline transitively. If transporting physical media is impractical, you should at least back it up with a third party. Most places aren't google.
|
# ¿ Feb 14, 2019 13:18 |
|
Fair enough, most of the people I used to work with were likely to gently caress something up, or they didn't have the resources to maintain it otherwise. Either way it reduces the risk of your business being burned to the ground in a few hours time. You can't eliminate it totally. If you've got the resources to maintain it, no reason not to. Hence why I [meant to say] "maybe". Having offline media is still useful even if you don't make copies frequently. dougdrums fucked around with this message at 13:35 on Feb 14, 2019 |
# ¿ Feb 14, 2019 13:31 |
|
Yeah I think I've might of misread you in my morning state, The way I have mine set up personally is to make outbound ssh connections to the stuff I need backed up, and restrict it to those specific hosts. All inbound is dropped. I might gently caress it up, or there's some other hereto unknown vulnerability, so I keep copies offline. I have no idea how many users they had. dougdrums fucked around with this message at 13:53 on Feb 14, 2019 |
# ¿ Feb 14, 2019 13:49 |
|
Are we talking about someone manually making a copy and then walking it over to an airgapped machine? Yeah that's dumb I'd agree. I think the confusion was when I said it shouldn't be connected to the internet, I meant there should be backups on physical media somewhere. In vfemail's case (which boasted the extra security as a feature), I don't think they had enough users to make it impractical, or they could do incremental backups or something. Just seems like they were playing with fire.
|
# ¿ Feb 14, 2019 14:13 |
|
Oh yeah, like I would consider my backup server scheme above to be connected to the internet, regardless of how it's configured. I mean like physically connected, there's a non-zero chance of it communicating to and from the outside world, Bulgaria, 300 lb guy in new jersey, whatever. Fwiw I did red team stuff and had plenty of people argue that I could not possibly had access to a host without internal help/abusing the scope because it was "not connected to the internet". It didn't matter because I did it from the parking lot anyways. The point I was making with that tweet was that rm just unlinks files. I assumed that they already had total control of their stuff through some unknown exploit beforehand. dougdrums fucked around with this message at 14:39 on Feb 14, 2019 |
# ¿ Feb 14, 2019 14:30 |
|
I'm not sure what you're responding to, but 194.108.44.53:8161 is what's in the host header. ASCII numbers are themselves plus 0x30.
|
# ¿ Mar 1, 2019 17:10 |
|
They blurred out the hex in the actual report. I like that it checks netstat for other specific ip's though, to kill the process. It's like they got a personal grudge w/ other rear end in a top hat miners. Also no worries, I'm certainly brain damaged from writing dsl compilers by now
dougdrums fucked around with this message at 22:57 on Mar 1, 2019 |
# ¿ Mar 1, 2019 22:54 |
|
That quote reminds me of when the local uni caught some people using a usb keylogger, and the FBI found out about it through a message broadcast on the uni's alert system. I'm almost certain most orgs are required to report breaches anyways, so why not get the help right away? Should pull himself up by his own bootstrap.js imo
|
# ¿ Mar 13, 2019 21:25 |
|
Every once in a while I'll do the ol:code:
|
# ¿ Mar 14, 2019 19:13 |
|
If only bash did it too
|
# ¿ Mar 15, 2019 02:31 |
|
S-box had a backdoor
|
# ¿ Mar 19, 2019 16:03 |
|
Virigoth posted:This looks invasive as gently caress to run on a laptop (yes it is provided by my work) and when we get it installed I should halt doing anything but work on it. Virigoth posted:I'm glad it looks like a standard tool, and I don't do any weird illegal poo poo on my laptop anyway because I'm not a complete fuckup, but I always like to try to check / learn as much as I can about these things.
|
# ¿ May 2, 2019 18:04 |
|
Internet Explorer posted:Showing my ignorance here, does no one use Elastic Stack or does that not have specific enough tools for what InfoSec folks need? dougdrums fucked around with this message at 05:19 on May 16, 2019 |
# ¿ May 16, 2019 05:16 |
|
Yeah that's what I'm slowly finding out ELK is cool if I log stuff from an API that's already sorted out, and honestly it's pretty swanky for $0 (well, $0 plus the machinery). I'm just always chasing what I need to map out for this product it seems.
|
# ¿ May 16, 2019 06:05 |
|
Sickening posted:bounty program is such poo poo.
|
# ¿ May 24, 2019 01:18 |
|
Ya as unfortunate that it may be, I'll take it over the risk of being held up at the border where I'm a born citizen for christ sake.
|
# ¿ Nov 15, 2019 00:29 |
|
.
|
# ¿ Oct 14, 2020 03:15 |
|
|
# ¿ Apr 28, 2024 17:03 |
|
Nalin posted:In reality you'll just get a pin number in a text message.
|
# ¿ Oct 30, 2020 03:30 |