0day posting in a new thread that gives me an excuse to write off the thousands of unread posts in the old one

# Apr 8, 2016 19:31

caro is alive

# Apr 8, 2016 19:39

better charset support? lol if u don't remember dos programs being all [√]

relevant to thread: p sure norton for dos did that

# Apr 10, 2016 08:50

remember security fuckups

# Apr 11, 2016 01:44

> anthonypants posted: you're probably thinking of the old thread

# Apr 11, 2016 03:44

yeah i hate ipv6 because i liked the insignificant level of deniability provided by nat

if oses are configured to rotate that's p cool tho

> Kazinsal posted: btw what's the rule on gang-tagging yourself if you're going to be doing a title change anyways? kosher/not kosher

i only got around to paying after lf was deleted but still al aqsa posters brigade 4 lyf

maybe don't follow my advice tho, i'm a p bad poster

> Shaggar posted: If a government agency is storing user creds in reversible form for one of their applications, what is the best way to get them to fix it? I've emailed the responsible organization w/ details and suggestions. Should I do anything else?

# Apr 12, 2016 06:49

> Cocoa Crispies posted: granny natting, not double dmz natting like you should be

> anthonypants posted: loving asus routers!!!!

my parents used to have an adsl1 modem connected to a wifi router, then when they got adsl2+ dad bought a combined modem/router but with no wifi because he was adamant that the neighbours must've been hacking the wifi and using up all the download quota (this was when i still lived there and i even said "nah i'm p sure that's just me doing all the downloading" because i loving love consuming digital content, but w/e, we had everything cabled so i didn't care). then about two years ago mum got a tablet so needed wifi, so i just told dad to dig up the old wifi router from before and i went to set it up to work like an access point.

dad always bought the cheapest possible d-link poses so there was literally no way in either device's configuration to avoid the worst possible double natting, but w/e, it was just for tablet browsing so who cares

# Apr 12, 2016 07:23

> ratbert90 posted: Cause baby, now we've got bad block.

# Apr 12, 2016 18:42

> goddamnedtwisto posted: to be honest though, the fact that the vast majority of internet users these days are behind nat is probably the most effective defence against those sort of worms - early 2000s was of course the peak of the dsl "modem" years

# Apr 13, 2016 04:54

the coolest ones by definition get full public disclosure without any warning (even to the vendor)

# Apr 13, 2016 05:05

tbh it can be even cooler if you just exploit it without it ever getting disclosed

# Apr 13, 2016 06:55

ehh that's a usability issue not a secfuck

wikipedia lets (or used to, idk) people register without an email address. they have a warning that without one password losers are boned, but don't actually stop it

which is handy if signing up a burner account for vandalism

# Apr 13, 2016 18:43

> hackbunny posted: I use emoji in my code, like this: `{ return [NSString stringWithFormat:@"💩 %@", self]; }`

# Apr 14, 2016 07:39

> ewiley posted: e: sorry didn't mean to insult everyone

# Apr 14, 2016 12:52

lol if it's not on the company's domain that could be a good idea...

# Apr 14, 2016 17:46

> Shaggar posted: put them on your one drive and share them only with a specific user. anyone with the url will still have to log in and only the user you authorized will be able to access it.

e: like i assume that won't happen if you use onedrive properly but the wired article doesn't really make it clear so idk. tech journalism is trash

# Apr 15, 2016 16:35

this is probably old but i just saw it come up on twitter today: trip report from the hacking team own: https://ghostbin.com/paste/6kho7

i especially liked

> quote: The worst thing that could happen would be that my backdoor or post-exploit tools would make the system unstable, and force an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploit tools in the networks of other vulnerable businesses before entering Hacking Team network.

> quote: NoSQL, or rather NoAuthentication, has been a great gift to the hacker community

edit: well yeah this was the other one that jumped out at me

code:

jony ive aces fucked around with this message at 04:44 on Apr 18, 2016

# Apr 17, 2016 10:34

> Powerful Two-Hander posted: shall i compare thee to an md5?

# Apr 18, 2016 01:37

from my experience in the very early 00s (i was only in high school at the time but my dad lectured there so yeah...) my university appeared to (?) give public ips for everything (only a /16 tho) but was already firewalled to gently caress

idk i don't really understand networking

# Apr 18, 2016 08:30

> vOv posted: e: lol SA filters S J W into robocop

# Apr 18, 2016 08:32

> spankmeister posted: anroid sjw lol

# Apr 18, 2016 12:33

notavirus.scr wants to install updates, give it admin rights?

# Apr 18, 2016 19:20

my mum hasn't used her laptop in a while and is worried she'll get 0wned in the time it takes it to install updates

also wants me to go have a look at it because she's worried she'll click yes on an "update" that isn't

i told her she can handle it and will probably be fine. lol

# Apr 18, 2016 19:29

> OSI bean dip posted: this is the case everywhere. some security professionals publish their passwords on github

<---- look! the op!

# Apr 20, 2016 07:02

isn't that how op's service works as well

# Apr 20, 2016 12:03

what if you push a commit to a private repo and then some time later set it to public? obviously you can still search, but would it show up in a feed?

i accidentally did that with a student project a while back. someone else was in charge of our net stuff so idk, but it's possible he did it in a bad way that had enough in our source code to 0wn our free student azure (lol) account.

this was just after we'd finished our final presentation (it wasn't really a coding-focused subject but then at the end the lecturer asked to see our code anyway and we were like "sure, just make it public i guess") so it didn't matter what happened, but a few weeks later i was dicking around in our app and it had mysteriously stopped working. so i guess either we got owned or we were just really lovely programmers who make stuff that breaks easily

# Apr 20, 2016 14:44

> flakeloaf posted: what's wrong with keep rear end again?

at least the site their binaries are hosted on does https (tho that's only a recent addition) but your downloads will probably still be injected full of malware because that site is sourceforge

# Apr 20, 2016 19:28

> OSI bean dip posted: this is horrible because shaggar cannot see the forest from the trees here okay?

# Apr 21, 2016 06:59

ilu shaggar

# Apr 21, 2016 06:59

i'm glad i brought up lets encrypt but yeah, in case anyone was wondering, keep rear end is a p deece password manager if you can get past the insecure method of actually obtaining it.

tho keep in mind what other posters said about "every nerd has their favourite password manager who gives a poo poo" and how keep rear end being open sores means things can be a big mess of plugins

# Apr 21, 2016 07:12

maybe the mess of third party things for stuff like mobile apps is trapping some people into sticking with the 1.x file format or something

# Apr 21, 2016 10:17

> Thermopyle posted: even with the web auto fill plugin and the keepass mobile app thingy, lastpass is just so much easier to use for me (or maybe i'm just too used to the LP way).

i guess keepass autofill is theoretically prone to secfucks if you happen to hit the hotkey combo at the wrong time though. without a web plugin it only uses the window title to determine which password to type, which could be taken advantage of. and until recently my bank had their full page title as just "Login Page" lol

> OSI bean dip posted: the greys are overly paranoid about whatsapp

# Apr 22, 2016 16:05
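To make the window-title point above concrete, here is an added example (not code from the thread or from KeePass): a simplified, assumed model of title-keyed auto-type selection, with a constructed vault and constructed window titles, showing how a generic page title like "Login Page" makes an entry match an unrelated window, and how a per-entry target-window pattern plus a quick audit of generic titles narrows it.

```python
# Added example, not KeePass's code: a simplified model of how a
# title-keyed autotyper picks an entry, and how to harden the vault.
# The matching rules are assumptions; vault entries and window titles
# are constructed for the demo.
from fnmatch import fnmatchcase

# Constructed vault: entry title -> user plus an optional target-window
# wildcard. The bank entry carries the bank's real (generic) page title.
VAULT = {
    "Login Page": {"user": "alice@bank.example", "target": None},
    "Example Webmail": {"user": "alice", "target": None},
}

def loose_matches(window_title, vault=VAULT):
    """Entries whose title appears (case-insensitively) anywhere in the
    window title: the fallback used when no target pattern is set."""
    wt = window_title.lower()
    return sorted(title for title in vault if title.lower() in wt)

def strict_matches(window_title, vault=VAULT):
    """Entries whose explicit target pattern matches the whole window
    title; entries without a pattern never match here."""
    return sorted(
        title for title, entry in vault.items()
        if entry["target"] and fnmatchcase(window_title, entry["target"])
    )

def harden(vault, title, target):
    """Return a copy of the vault with a target pattern set on one entry."""
    copy = {t: dict(e) for t, e in vault.items()}
    copy[title]["target"] = target
    return copy

def audit_generic_titles(vault, observed_titles):
    """Entries with no target pattern whose title loosely matches more
    than one distinct observed window title: candidates for hardening."""
    return sorted(
        title for title, entry in vault.items()
        if not entry["target"]
        and sum(title.lower() in w.lower() for w in observed_titles) > 1
    )

BANK = "Login Page - Example Bank - Mozilla Firefox"      # constructed
OTHER = "Login Page - unrelated.example - Mozilla Firefox"  # constructed

if __name__ == "__main__":
    # Loose matching selects the bank entry for BOTH windows.
    print(loose_matches(BANK), loose_matches(OTHER))
    hardened = harden(VAULT, "Login Page", "*Example Bank*")
    # With a target pattern only the bank window qualifies.
    print(strict_matches(BANK, hardened), strict_matches(OTHER, hardened))
    print(audit_generic_titles(VAULT, [BANK, OTHER]))
```

The audit function is a defender's check you can run over the titles your own browser actually shows, to find entries that would be ambiguous before an autotyper ever fires.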

good point, i do have it removed from some individual passwords but not from the default one, gonna fix that now (i guess having a mix of different per-site ones and a global default could potentially become an issue as well but yolo)

e: my favourite is sites that somehow make tab not work

# Apr 22, 2016 16:16

> Trabisnikof posted: Switching from Drupal to Wordpress, I'm looking forward to future secfuckups

turns out even in 2016 they still have emails about this or that module tagged "critical - xss" at least once a month, with rce and csrf being fairly common too

php devs vv

# Apr 22, 2016 18:57

> OSI bean dip posted: goons in the games forum disable anti-virus to let their mods work

one time i was playing a clean game and noticed that my save game had been flagged. i googled it and found others had the same problem while running avast, which i was dumb enough to use at the time, and the advice (from other players) was to disable it while playing. it's stupid that the programs conflicted like that, but at least disabling av to specifically play an unmodded game is relatively less dumb than "pls turn off av to execute this file from some rando on the internet"

also a few third party mods that were found to be useful but not cheats were cryptographically signed by the game's devs so that people could use those ones without getting flagged. so for people who really did want to cheat, some genius came up with the idea of making any mod work if you just added a fake signature, by replicating whatever standard windows signing dll the game used but making it always return true. the file was distributed with a big warning to only drop it in the game directory and not system32, but it's still p lomarf that gamers were doing that

# Apr 23, 2016 19:16

> Dessert Rose posted: I read it with the kink meaning and it makes perfect sense that way

> LordSaturn posted: more like steve ballmurder

# Apr 24, 2016 06:28

> Malloc Voidstar posted: The SWIFT malware sample was uploaded to Virustotal possibly by the author himself, to find out if static antiviruses detect it or not.

like, i get why hacking team were all DO NOT UPLOAD TO VIRUSTOTAL IT WILL JEOPARDISE EVERYTHING because they do share files with researchers, but still

would be p lomarf if they end up arresting someone based on virustotal's ip address logs though

# Apr 25, 2016 12:06

virustotal say they share files with av vendors and whoever, but on what basis does anyone choose a file for closer inspection? people probably upload "true negatives" all the time. maybe if a file gets a lot of comments or downvotes they pass it around for everyone to have a look at, but if it's 0day that's not the case

i mean i guess in theory someone could have like a "meta-heuristic" that flags executables found to have certain internet/filesystem/crypto/etc related functions for manual analysis, but lol

> Cocoa Crispies posted: I can't say I wouldn't have done the same

# Apr 25, 2016 12:43

> Powerful Two-Hander posted: word to your moms, i came to drop cyberbombs

# Apr 26, 2016 03:27

inside everyone is a spooky skeleton trying to get out

# Apr 26, 2016 07:54