posting on the first page cause thats important

# Apr 8, 2016 19:17

# May 22, 2024 07:15

cool imessage vuln found by a friend of mine https://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/

quote: Messages (iMessage) for OS X from Apple implements its user interface via an embedded version of WebKit. Additionally, Messages on OS X will render any URI as a clickable HTML `<a href="URI">` link. An attacker can create a simple JavaScript URI (e.g., javascript:) that when clicked, allows the attacker's code to gain initial execution (cross-site scripting) in the context of the application DOM.

particularly like this part:

quote: One of the most notable differences between an embedded version of WebKit and a web browser like Chrome or Safari is that WebKit does not implement any same-origin policy (SOP) because it is a desktop application

pr0zac fucked around with this message at 21:37 on Apr 8, 2016

# Apr 8, 2016 21:31
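As an added example (my code, not the post's or the Bishop Fox write-up's), the check a message client needs before it turns untrusted text into clickable links: allow a short list of schemes rather than trying to recognise every spelling of `javascript:`. The trimming and tab/newline stripping follow the WHATWG URL parser's rules; the sample message is constructed, and `renderMessage` is a hypothetical name for the linkify step.

```javascript
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// WHATWG URL parsing trims leading/trailing C0 controls and spaces and drops
// ASCII tab, LF and CR anywhere, so do the same before deciding anything;
// otherwise "\tjava\nscript:" would slip past a naive prefix check.
function normalizeUri(raw) {
  return raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns an absolute href only when the scheme is on the allowlist; anything
// else (javascript:, data:, file:, relative or unparseable text) yields null.
function safeHref(raw) {
  let parsed;
  try {
    parsed = new URL(normalizeUri(raw));
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render a message body: each whitespace-delimited token whose scheme passes
// safeHref() becomes an anchor, everything else is emitted as escaped text.
function renderMessage(body) {
  return body
    .split(/(\s+)/)
    .map((tok) => {
      if (/^\s*$/.test(tok)) return tok;
      const href = safeHref(tok);
      if (href === null) return escapeHtml(tok);
      return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(tok)}</a>`;
    })
    .join("");
}
```

The allowlist only closes the linkification hole; the missing same-origin policy the second quote describes still has to be addressed by sandboxing the embedded view.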
Ur Getting Fatter posted: assuming state actors aren't after my bitcoins is truecrypt still a decent choice for full disk encryption?
what os are you running that doesn't have built in full disk encryption already?

# Apr 8, 2016 22:14
Sharktopus posted: I like baud bitches thats my fuckin problem
oh hey someone else actually got the same tag as me im no longer alone

# Apr 9, 2016 20:23
cheese-cube posted: lol you're jelly af
pls tell me you didn't buy Subjunctive the avatar when hes currently also offering to buy it for people... the financial inefficiencies in this thread are making my autism go crazy rn

# Apr 10, 2016 01:16
jony ive aces posted: remember security fuckups
mods rename thread gang tag chat pls

# Apr 11, 2016 02:06
FopeDush posted: I was eagerly awaiting the first earth-shattering vuln that would render all of the remaining XP boxes well and truly dangerous
the XP sp3 pos edition extended support ends today so all XP boxes are now end of lifed for security updates RIP

# Apr 12, 2016 19:14
required joke about all versions of windows being pos edition
# Apr 12, 2016 19:16
ewiley posted: I keep wondering when we hit peak stupid security bullshit and this industry will finally decline and become the firewall and code janitors we REALLY should be rather than attention-whoring rockstar wannabes, but then i realize that it'll never happen because there's still just too much drat money in it
try running/working a bug bounty program for a while if you want to face the terrible future of the industry re: every single person thinking they and their vuln is gods gift to infosec

# Apr 14, 2016 14:50
ewiley posted: Oh god i couldn't imagine the stupid poo poo that must get flooded into a bug bounty inbox. Does every CEH that can run OpenVAS or nikto just constantly send bug reports hoping for some money? Do you at least have some barrier to entry like solving a riddle about HTML, or is it just an email address?
@facebook it was 90% arguing with people about dumb edge cases around blocking logic and why profile pictures aren't considered private
@uber we just started the program so its tons of script kiddies running scans and letting us know we have an urgent SQLi in our joomla (we don't run joomla) but we're using hackerone so we get reputation for reporters and can block and rate limit people which should improve the signal/noise
the 5% of reports that are high quality make the programs invaluable though and large public facing companies that have the resources to start one but don't are real dumb (Apple)

# Apr 14, 2016 18:03
Cocoa Crispies posted: i'm not even sorry re: You contacted Facebook: Report a Security Vulnerability - Inconsistent Username Case #238032086
im not sure what this means so instead im gonna reminisce about the porn guy that would use the bug bounty form to constantly report all his porn competitors that was good stuff

# Apr 14, 2016 18:14
Midjack posted: looks like a glory hole for your computer
probably about as likely to give you a virus too

# Apr 15, 2016 04:49
I think im missing something
e: oh god dammit there's the pass's barcode

# Apr 15, 2016 06:25
ErIog posted: It's more that if they're sniffed then whoever sniffed it needs no other authentication to be able to view the picture. I noticed it a while ago, and I bet most hangout users don't know it behaves like that. Any picture you send over Hangouts to another user is public information. So maybe find another way to send your dick picks.
so wait are we talking the exceedingly common unguessable but "public" CDN uris that are used by basically everyone or it literally slaps them publicly in your Google photos where anyone can easily find them cause im confused

# Apr 15, 2016 18:49
Parallel Paraplegic posted: so while thinking about how to correlate blocks recorded by my VPS and my home network I had a terrible idea for a thing and want you guys to poke holes in it. basically, a distributed system for recording and disseminating records of IP's that were caught by like fail2ban or something. everyone publishes theirs that they find and other people can choose to subscribe to one person or another and that person can then forward other people's blocks that they also trust, web-of-trust style. at its most basic it would just be sending "hey i saw ip x.x.x.x doing [thing]" and then each node decides what exactly to do with that information, rather than sending implicit "you should block these guys" lists. you could also build it on top of a DHT so you could efficiently look up IP's in it, maybe, who knows
facebook started something sorta similar with some other big orgs which of course means only big orgs can get in right now: https://developers.facebook.com/products/threat-exchange

# Apr 19, 2016 00:04
Shaggar posted: right. thats fine for me or you where we understand how DNS works.
that won't happen because of Internet Explorer's SmartScreen Filter which has existed since IE8. how do you not know about this?

# Apr 21, 2016 05:07
Malloc Voidstar posted: http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/
i was still at fb when this came in and his reporting "hey i found RCE also theres already some hacker in there doing all kinds of weird stuff might wanna check that out" made for a pretty hilarious friday

# Apr 21, 2016 19:06
Daman posted: so FB employees should post how fuckin owned they were by getting all their LDAP creds logged by hackforums level APTs itt
if you're thinking about that post as "facebook failed at security" and not "this is why bug bounty programs are huge wins" you're thinking about it wrong

# Apr 21, 2016 22:14
necrotic posted:prezto is better/faster and doesnt have a moronic install procedure
# Apr 21, 2016 22:59
Vlad the Retailer posted: CryptoCat rewritten from scratch, now a desktop app using the Signal protocol
it's probably sending all your messages to facebook

# Apr 24, 2016 02:39
Symbolic Butt posted: cjs: thinking about rolling my own crypto
it's dangerous to go alone! take this https://download.libsodium.org/doc/

# Apr 28, 2016 18:57
Dessert Rose posted: lol @ you loving idiots making fun of a military encryption device having clearly labeled interfaces and buttons
you should post more about military crypto opsec stuff it sounds real cool </seriouspost>

# Apr 28, 2016 20:33
Powercrazy posted: They use IRC for interfleet communications within carrier groups.
wait are we talking about eve online now?

# Apr 28, 2016 20:35
dan guido live tweeting the verizon data breach investigation report is pretty great https://twitter.com/dguido/status/725786943737442308
# Apr 28, 2016 23:14
Rufus Ping posted: i goatse'd patreon's slack engineering channel using their own api keys and all i got was a shoutout on risky.biz
this was high quality goatse use

# May 1, 2016 19:24
Parallel Paraplegic posted: i switched to GraphicsMagick years ago and am secure in the knowledge that less people use it so i probably will not find out about security vulnerabilities and feel safe
my only open source contribution of the last like 5 years was an RCE fix in graphicsmagick that i found because i was doing
OSI bean dip posted: brb running afl on graphicsmagick
that

# May 3, 2016 19:40
i mean base64 is basically a really lovely substitution cipher so i guess you could call it encryption sorta
# May 4, 2016 01:46
Wheany posted: hmm, the people who made software for people who don't want to pay for poo poo team up with a dude who made a website for people who don't want to pay for poo poo, are making software that makes people automatically pay for poo poo?
I know you're joke posting but lots of people, including me, don't really mind most ads but run adblock because it's a basic security necessity now (see previous AV is poo poo argument)

# May 4, 2016 13:22
Parallel Paraplegic posted:learn about cyber security from the pathological liar who actually wants the title of "owes taxes for capital gains on $500 million in bitcoin he doesn't really own"
# May 4, 2016 16:51
wyoak posted: I would like to know what the fitbit scale vuln was
https://twitter.com/taviso/status/726126119263424512 IoT folks

# May 5, 2016 22:51
cheese-cube posted: means that they are either storing using reversible encryption or just plain text. the latter is, unfortunately, more likely but both are equally terrible.
or they're being smart and storing the hashes of multiple permutations of common mistakes the way many web propert oh who am I kidding it's plain text

# May 8, 2016 16:02
anthonypants posted: but can you inject your own answers
legit try this pls

# May 10, 2016 03:47
relevant http://fortune.com/2016/05/10/pornhub-bug-bounty-program-hackerone/
# May 10, 2016 19:38
gonadic io posted: see how pizzas often get to you faster than an ambulance would
http://www.kctv5.com/story/31934056/dominos-pizza-employees-save-life-of-frequent-customer

# May 10, 2016 21:32
Subjunctive posted: aw yeah, vulns in an IDE that expose local file content to malicious remote web pages.
gonadic io posted: btw it wasn't opening the webpage in intellij but just visiting it with intellij running

# May 12, 2016 01:27
Lightbulb Out posted: watch out porn hubbers
quote: "The Pornhub team investigated the claim from the hacker named 1x0123. Our investigation proved that while those screenshots might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible. This incident was merely a hoax and no Pornhub systems were breached during those recent events."
explains why he didn't take the $25k bug bounty reward

# May 16, 2016 19:49
ultramiraculous posted: can someone walk me back from the feeling that this could be a really bad idea?
i see my recent movement towards mobile security was a good career choice

# May 19, 2016 01:38
DirtyFalcon posted: What do you think of defensive security
I listen to risky biz also but defensive security is the only podcast I listen to and don't feel I'm being sold something, also one of the few where the hosts don't drive me nuts or seem like complete idiots. It's also prob the most applicable if you're working a normal security job, ie: defending some company's network as they actually focus on that kind of discussion more than whatever currently hot stunt hacking

# May 19, 2016 13:42
CommunistPancake posted: can someone explain this to me
blue coat is a company that sells interception and hacking gear to such groups as the syrian government
they possess an intermediate signing certificate from Symantec which means they can ssl strip and mitm any traffic from a device that trusts Symantec as a ca which is pretty much all of them

# May 27, 2016 01:52
PCjr sidecar posted: whole lot of poop-touching advocacy itt
touching the poop yourself is never a good idea
convincing someone else to is often hilarious though
that said, surebet should probably continue to do nothing since I don't think they're looking for yospos superstardom

# May 30, 2016 16:27