|
Sup, SELinux still good and cool.
|
#
¿
Apr 8, 2016 19:19
|
|
|
|
| # ¿ May 22, 2024 10:28 |
|
|
Is there a SHA256 sum of this thread? I could only find a md5sum.
|
|
#
¿
Apr 8, 2016 19:23
|
|
|
Cause baby, now we've got bad block.
|
|
#
¿
Apr 12, 2016 18:03
|
|
|
Why the gently caress does CPIO not support extended attributes yet? gently caress you CPIO! And double gently caress you kernel for only supporting CPIO for initramfs. 
|
|
#
¿
Apr 12, 2016 21:21
|
|
|
Adix posted:I've never used dd before, but that's input and output, isn't it Yep. And DD is a exact byte for byte duplicate of whatever you are copying.
|
|
#
¿
Apr 13, 2016 15:03
|
|
|
Chris Knight posted:time to pay. pal.
|
|
#
¿
Apr 14, 2016 16:28
|
|
|
deep impact on vhs posted:hear me out on this: im gonna make a viral marketing campaign, and the end goal will be to have tens of thousands of people calling me a retard Well that would be easy, the 2nd part is ready done.
|
|
#
¿
Apr 17, 2016 01:12
|
|
|
The sql password on the project I inherited was motocross, stored in plaintext, on a product that had the same simple root password for every single one we sold. 
|
|
#
¿
Apr 17, 2016 18:32
|
|
|
Powerful Two-Hander posted:shall i compare thee to an md5? Thou art more salted and hashed.
|
|
#
¿
Apr 18, 2016 03:09
|
|
|
Parallel Paraplegic posted:first and most obvious question: why are you rolling your own protocol Don't roll your own protocol. Hitler rolled his own protocol and look what happened to him!
|
|
#
¿
Apr 27, 2016 15:17
|
|
|
Shaggar posted:reminds me of the RIAA/MPAA PIRACY IS NOT A VICTIMLESS CRIME.
|
|
#
¿
Apr 27, 2016 16:08
|
|
|
Loving Africa Chaps posted:I've pointed this out on the departmental email including links to hscic guidance but looks like it's still going ahead! You do realize that if you continue to do this you can also be found culpable in this illegal activity right?
|
|
#
¿
Apr 28, 2016 13:27
|
|
|
Volmarias posted:Enjoy your newfound moral dilemma of doing the right thing and getting fired for "unsatisfactory performance" in a year and black balled, or dealing with the vague threat of criminal culpability from a law that has never resulted in a prosecution. And that's the dilemma. If know it's poo poo, and I'm not trying to act morally superior. Just giving him the heads up is all.
|
|
#
¿
Apr 28, 2016 13:32
|
|
|
Parallel Paraplegic posted:"That guy knew it was wrong and didn't try to physically stop us it's his fault!!!" More like: That guy knew it was wrong and still continued to send texts out.
|
|
#
¿
Apr 28, 2016 14:41
|
|
|
ewiley posted:Meh, doing thing with explicit approval from management is 99% of the time an employee's get out of jail free card. Unless you're murdering someone in a Nazi death camp, 'just following orders' is actually a valid defense. You're not personally responsible for securing your employers process, just following it consistently and correctly. They may have compensating controls on the back-end that he's unaware of. If it was me I would CYA with at least a email from management, if not a printed and signed document explicitly saying it's ok for me to do this. Edit* I have done this twice in my career, and both times management backed off and told me to forget about doing it. Making somebody else culpable is the easiest way to get illegal activities to stop pretty quick.
|
|
#
¿
Apr 28, 2016 14:49
|
|
|
Shaggar posted:nah if he brought it up with his hospitals lawyers they'll drop a bag of poo poo on the docs so fast because they know its a terrible and pointless risk when there are easy ways to do it correctly. I forgot that hospitals have lawyers on retainer specifically for this. This is probably the correct answer, as it seems like Shaggar knows his poo poo when it comes to infosec in hospitals. Also, this is what I imagine all hospital lawyers to be like: https://www.youtube.com/watch?v=u1ZtaaFZDcI&hd=1
|
|
#
¿
Apr 28, 2016 14:54
|
|
|
Nissan also used lovely plastic around their time for their guides as well on the VQ engines. They failed spectacularly at 150k miles on the dot.
|
|
#
¿
Apr 28, 2016 15:38
|
|
|
Trying "<script>test</script>" breaks SA Needful lmbo.
|
|
#
¿
Apr 28, 2016 17:32
|
|
|
Symbolic Butt posted:cjs: thinking about rolling my own crypto When you roll your own crypto, your roll with Hitler.
|
|
#
¿
Apr 28, 2016 20:16
|
|
|
Don't post my password of SEVLOWREBMIT. Thanks!
|
|
#
¿
May 4, 2016 14:30
|
|
|
online friend posted:ok so that was loving stupid He's saying remote code execution aint no big, some people might just get a bit of spam, what's the big deal???
|
|
#
¿
May 5, 2016 18:38
|
|
|
The chip is stupid and is subject to MitM attacks. https://www.youtube.com/watch?v=JABJlvrZWbY
|
|
#
¿
May 11, 2016 15:06
|
|
|
Parallel Paraplegic posted:thanks! I am a embedded Linux systems engineer and the sheer lack of security I find in like, 99% of all embedded Linux devices is horrifying. Plain-text passwords thrown on the FS? Debug scripts in production? root enabled? easily guessed passwords? production code written in python left un-compiled on the device? Seen it all and then some.
|
|
#
¿
May 12, 2016 16:13
|
|
|
Parallel Paraplegic posted:at least it's using SSL when it wgets a kernel module and insmod's it without checking anything about what it is If we had a Embedded Linux security thread the op would just be a gigantic "LOL" and nothing more. Jesus christ that's bad.
|
|
#
¿
May 12, 2016 18:13
|
|
|
Parallel Paraplegic posted:yeah I saw a few neato strings. I have yet to see a foreign programmed module not puke horribly at the first sign you try to use it in any way shape or form it wasn't meant to be used. 10$ says that module comes from India.
|
|
#
¿
May 12, 2016 20:10
|
|
|
Just for some quick fun I logged into my Edgemax router to see if they had SELinux enabled. NOPE. How hard is it to integrate SELinux into your projects? I did it in less than a week, and that's with a custom policy on top of it. God drat embedded Linux security is a joke.
|
|
#
¿
May 13, 2016 16:29
|
|
|
Parallel Paraplegic posted:This one time I tried to set it up when I was like 15 years old and it was hard and I gave up Oh god what is a policy how to I edit it? WHY CAN'T I RUN AUDIT2ALLOW ON MY EMBEDDED DEVICE???
|
|
#
¿
May 13, 2016 16:32
|
|
|
It's a unicorn. Much like the unicorn, it's a myth that this product isn't a scam.
|
|
#
¿
May 14, 2016 13:07
|
|
|
spankmeister posted:I usually google the hash first, works way better than it should. I am starting to think I am the only embedded Linux systems engineer that uses sha256 and disables root. 
|
|
#
¿
May 15, 2016 03:36
|
|
|
jetz0r posted:we found the unicorn Our current product is a RTOS that's user/pass is admin/admin, runs a open telnet server that can't be termed off and let's you delete the bootloader that can be learned from the help menu. The front end web interface is just as bad with a log out feature that just brings you to a log out page and doesn't actually log you out. We are switching to a embedded Linux platform (the reason I was hired) and I am focusing 100% on security. Disabling root, sha256, SELinux, removing any programs, ssh (with a ssh chroot jail), initramfs on a secure partition, encrypted emmc, a one time programmable sha256 key in the processor die for program authentication, and a bunch of other poo poo I can't think of at the moment. I am pretty excited about it!
|
|
#
¿
May 15, 2016 16:38
|
|
|
Heresiarch posted:i know that this is an autocorrect glitch but i laughed YeOldeButchere posted:what the hell, do you have any idea how much time you're losing on all that useless bullshit when you should be pushing to the market asap??? I told the higher ups October and sales/marketing tried to push July. I shut them the gently caress down real quick. 
|
|
#
¿
May 15, 2016 22:26
|
|
|
Parallel Paraplegic posted:When I tried to do that at my last job someone literally showed me how security didn't matter because we lose $x money for every day we're not launching and a security breach is only estimated to lose us $y money so it's fine! I told them it will prevent corporate espionage and they instantly gave me the go-ahead. We have had our products stolen before, so it was a easy sell. The fact that it protects customers is just second to them.
|
|
#
¿
May 16, 2016 14:46
|
|
|
Midjack posted:if it's a legitimate rc.script the server has ways to just try to shut that whole thing down
|
|
#
¿
May 17, 2016 04:52
|
|
|
The new engineer is trying to convince me that a self signed certificate on a internal git server is bad and that we should fork over the money for a signed certificate on all of our internal servers.  He is upset that the build server (that's internal only) has git ssl verification turned off and that it's not a safe security practice. Well yeah, if that build server, or git server could be connected to from the outside.
|
|
#
¿
May 18, 2016 14:22
|
|
|
Jabor posted:the new engineer is right. Sure, and that's how it is on corporate. On the engineering network on a different domain without any outward facing servers, is it possible to have "Companyname.com" issue certs for "*.eng.local" ? Edit* I am retarded and am now looking into a internal CA. Thanks fellow infosec anklebiters! I am not good with the internet oh god. FlapYoJacks fucked around with this message at 14:40 on May 18, 2016 |
|
#
¿
May 18, 2016 14:37
|
|
|
Jabor posted:yes? Yeah, I am almost done setting this up. Why the gently caress didn't I do this to begin with? I have failed you infosec thread.  At least all the servers I setup on the network have firealld turned on, selinux enabled, yum-cron, and ssl enabled. FlapYoJacks fucked around with this message at 14:53 on May 18, 2016 |
|
#
¿
May 18, 2016 14:48
|
|
|
Shaggar posted:u can setup a 2 tier internal CA infrastructure in windows pretty easily. Create an offline root and then online intermediates for doing the actual signing. If you have 2 internal networks you can create 2 intermediates signed by the shared root and then deploy them all thru ad. ez pz. I did it with the domain Cent7 server in like, 5 minutes.
|
|
#
¿
May 18, 2016 15:31
|
|
|
Shaggar posted:yuck Cent7 is cool and good. It also has SELinux set to enforcing.
|
|
#
¿
May 18, 2016 15:37
|
|
|
Dex posted:how long did you spend arguing with the new guy before this Like, a minute or so? I was too busy working on the embedded Linux project to really pull my concentration for long.
|
|
#
¿
May 18, 2016 15:41
|
|
|
|
| # ¿ May 22, 2024 10:28 |
|
|
Phone posted:there's a nadim bot I use IRC and Slack. 
|
|
#
¿
May 18, 2016 20:29
|
|