|
Maybe I'm late on cipher discussions, but https://cipherli.st is a nice resource that I've used before
|
# ? Jan 6, 2017 18:59 |
|
ratbert90 posted: Random question:

uhh... sign it yourself? all my dumb embedded poo poo, routers, switches, whatever are signed by a little CA I made that my devices all have installed. or do you mean you need to have it signed by a valid globally-known CA?
|
# ? Jan 6, 2017 18:59 |
|
ratbert90 posted: Random question:

afaik, no. since you'd have to provide a host name and i'm assuming you won't know that in advance.
|
# ? Jan 6, 2017 19:13 |
|
reminder that you can download a variety of preconfigured HyperV machines with various versions of windows directly from microsoft for free at modern.ie,
|
# ? Jan 6, 2017 19:37 |
|
ratbert90 posted: Random question:

if you control all the devices that will connect to that embedded device:
* you can have a company root and add that root to everything's trusted CAs and then have the production embedded device ship with key/cert that chain to that root

if you don't control every device that will connect to that production embedded device and it's being set up by people with competent it departments with private CA infrastructure your best bet is to either:
* provide a mechanism to set the box's CN, generate a key that stays on the device, generate a csr for the it department to download and sign with their internal root, and a way for them to upload a corresponding cert once issued
* provide a way to upload both a valid key and cert

if you don't control every device that will connect to that production embedded device and it's being NOT set up by people with competent it departments:
* lomarf why even care
|
# ? Jan 6, 2017 19:40 |
|
ratbert90 posted: Random question:

on our appliance, we use a built-in hardcoded wildcard certificate. of course it's not secure, it's not hard at all to dump the private key shared by all appliances, but it's just for bootstrapping, the admin interface (with a hardcoded default password that must be changed at the first login btw) has a function to generate a unique private key and a csr, and load a new certificate. you need something like that

our appliance requires adding a line to the hosts file with the initial hostname and ip of the device, but you could skip that step by using a hardcoded hostname like device.domain.tld that resolves to the hardcoded initial ip
|
# ? Jan 6, 2017 19:43 |
|
Winkle-Daddy posted: afaik, no. since you'd have to provide a host name and i'm assuming you won't know that in advance.

depends on what the cert is being used for, if it's just to identify the device as valid its common name could be a serial number or something instead of a domain name

e: this assumes you're not using it for HTTPS if that's not clear
|
# ? Jan 6, 2017 19:44 |
|
hackbunny posted: I wonder if 1password could use a custom keyboard instead of the clipboard, as an interface between password database and applications

apps can also opt in to password manager integration, which 1password supports
|
# ? Jan 6, 2017 19:57 |
|
duTrieux. posted: reminder that you can download a variety of preconfigured HyperV machines with various versions of windows directly from microsoft for free at modern.ie,

and they only have to be re-armed every 90 days! pretty convenient!!
|
# ? Jan 6, 2017 20:05 |
|
run a crack on them or just save state and refresh every now and again
|
# ? Jan 6, 2017 20:10 |
|
http://www.bbc.com/news/technology-38521973 Folks scanned for non-password protected mongoDB databases exposed to the open internet and if there was any useful data in them, encrypted them with ransomware. Nice.
|
# ? Jan 6, 2017 20:32 |
|
Last Chance posted: i remember i tried this with a key i got through some MS win 7 upgrade promotion and it would only let me download a french or korean windows 7 iso lol

the windows 10 download page can be coerced into showing download options for windows 7 and 8 as well with a little js
|
# ? Jan 6, 2017 21:05 |
|
OSI bean dip posted: r/netsec proves to be the best place to see painful discussions on password managers

doesn't apple already have some kind of secure clipboard feature for safely holding sensitive data anyways? i could swear I saw something like that in a wwdc video once
|
# ? Jan 6, 2017 21:07 |
|
COACHS SPORT BAR posted: the windows 10 download page can be coerced into showing download options for windows 7 and 8 as well with a little js

windows 8 you say? i'm intrigued
|
# ? Jan 6, 2017 21:08 |
|
BobHoward posted: doesn't apple already have some kind of secure clipboard feature for safely holding sensitive data anyways? i could swear I saw something like that in a wwdc video once

yes. apps can't get data out of the clipboard unless they are the app that put it there (or the user long presses and brings up the copy/paste menu and presses paste)
|
# ? Jan 6, 2017 21:15 |
|
ate all the Oreos posted: depends on what the cert is being used for, if it's just to identify the device as valid its common name could be a serial number or something instead of a domain name

yeah, i was assuming https was the purpose of that... Is there a way in OSX to see what extension it's complaining about?

e: I'm reading OSX just doesn't support name constraints, so nevermind. GG Apple.

Winkle-Daddy fucked around with this message at 21:30 on Jan 6, 2017 |
# ? Jan 6, 2017 21:19 |
|
hey another document https://www.dni.gov/files/documents/ICA_2017_01.pdf
|
# ? Jan 6, 2017 21:50 |
|
BiohazrD posted: yes. apps can't get data out of the clipboard unless they are the app that put it there (or the user long presses and brings up the copy/paste menu and presses paste)

doesn't facebook encourage you to post URLs from your clipboard on your timeline, or was that shut down due to being incredibly creepy?
|
# ? Jan 6, 2017 22:06 |
|
My PIN is 4826 posted: doesn't facebook encourage you to post URLs from your clipboard on your timeline, or was that shut down due to being incredibly creepy?

yeah they can't do this anymore, who knows if it was the reason why the clipboard was locked down but maybe
|
# ? Jan 6, 2017 22:08 |
|
wikileaks has announced a plan to basically dox verified twitter users en masse https://twitter.com/WLTaskForce/status/817431533183238144 so far their method for doing this seems to consist of not being able to spell people's names correctly https://twitter.com/markpopham/status/817465179881480193
|
# ? Jan 6, 2017 22:32 |
|
does the fact that wikileaks will be frequently doxxing the wrong people make us feel more or less comfortable about the project
|
# ? Jan 6, 2017 22:38 |
|
Flying Leatherman posted: Maybe I'm late on cipher discussions, but https://cipherli.st is a nice resource that I've used before

that config is going to have some compatibility issues. it's not "bad" in any way, but test it for your particular use case and don't roll it out blindly or you're going to piss off people with legacy but still supported clients.

also, AES256 has questionable security merits over AES128 but definable overhead. Probably won't mean much if you're not passing a lot of traffic, but AES128 is still more than secure and might be preferable for high-volume applications. Hopefully AES offload in hardware has made that largely moot but the differential is still there.
|
# ? Jan 6, 2017 22:44 |
|
qntm posted: does the fact that wikileaks will be frequently doxxing the wrong people make us feel more or less comfortable about the project

to be fair, wikileaks has a pretty good track record for releasing information with only the highest possible regard for the personal safety of innocent civilians [said with the least straight face possible]
|
# ? Jan 6, 2017 22:45 |
|
Hey sec boys how would SWIM go about haxx0ring all the un1337 n00bzz?
|
# ? Jan 6, 2017 22:58 |
|
SpaceClown posted: Hey sec boys how would SWIM go about haxx0ring all the un1337 n00bzz?

don't sign your posts
|
# ? Jan 6, 2017 23:11 |
|
SpaceClown posted: Hey sec boys how would SWIM go about haxx0ring all the un1337 n00bzz?

very carefully
|
# ? Jan 6, 2017 23:18 |
|
Flying Leatherman posted: Maybe I'm late on cipher discussions, but https://cipherli.st is a nice resource that I've used before

on a government project we weren't even allowed to use tls 1.0. 1.1 and 1.2 only. i was ok with it, of course.
|
# ? Jan 6, 2017 23:18 |
|
lol, no 1.0 but 1.1. specs written by idiots.
|
# ? Jan 6, 2017 23:20 |
|
this number is not high enough! I require the slightly higher number! pay me six figures!
|
# ? Jan 6, 2017 23:20 |
|
please turn on ssl 2 and 3 as they are much larger than these puny 1.x protocols
|
# ? Jan 6, 2017 23:21 |
|
I guess they're worried about CBC attacks?
|
# ? Jan 6, 2017 23:30 |
|
if you're worried about cbc attacks then you go 1.2-only. 1.1 is pre-gcm. and if you're worried about cbc then you give a cipher list, 1.2 supports plenty of bad ciphers as well.
|
# ? Jan 6, 2017 23:40 |
|
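Added example, not part of any post in the thread: the point above that a TLS 1.2 floor by itself still leaves CBC suites enabled, checked with Python's standard `ssl` module. The two cipher strings are assumptions chosen for illustration (`HIGH` stands in for a config that only pins the protocol version), and the result depends on the local OpenSSL build.

```python
import ssl


def server_context(cipher_string):
    """Server-side TLS context with a TLS 1.2 floor and the given OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(cipher_string)  # controls TLS 1.2 suites; TLS 1.3 suites are separate
    return ctx


def non_aead_suites(ctx):
    """Names of enabled suites that use a separate MAC (in practice CBC mode).

    OpenSSL's suite description carries "Mac=AEAD" for GCM, CCM and
    ChaCha20-Poly1305; anything else is MAC-then-encrypt.
    """
    return sorted(
        c["name"] for c in ctx.get_ciphers() if "Mac=AEAD" not in c["description"]
    )


# Assumption: a deployment that sets the version floor but keeps a broad cipher string.
VERSION_ONLY = server_context("HIGH:!aNULL:!eNULL")

# Assumption: an explicit AEAD-only list with forward-secret key exchange.
AEAD_ONLY = server_context("ECDHE+AESGCM:ECDHE+CHACHA20")


if __name__ == "__main__":
    for label, ctx in (("version floor only", VERSION_ONLY), ("explicit list", AEAD_ONLY)):
        leftover = non_aead_suites(ctx)
        print(f"{label}: {len(ctx.get_ciphers())} suites enabled, "
              f"{len(leftover)} without AEAD")
        for name in leftover[:5]:
            print("   ", name)
```

Suites that OpenSSL labels SSLv3 or TLSv1.0 in this listing are still negotiable inside a TLS 1.2 session, which is why the version floor does not remove them.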
ratbert90 posted: Random question:

Get a 50 year certificate

But no, I don't think you can. What you can do is allow the customer to add their own certificate, and they can either suck or get one from their own internal CA

E: welp i can't scroll
|
# ? Jan 6, 2017 23:53 |
|
Meat Beat Agent posted: so far their method for doing this seems to consist of not being able to spell people's names correctly

ahahahahahhaha
|
# ? Jan 7, 2017 00:11 |
|
duTrieux. posted: run a crack on them

COACHS SPORT BAR posted: the windows 10 download page can be coerced into showing download options for windows 7 and 8 as well with a little js

unacceptable
|
# ? Jan 7, 2017 00:23 |
|
ate all the Oreos posted: wanna talk about how to not broadcast traceable signals if you know about it?

I might drunk effort post it later but it depends on the scale and skill of your attacker. If you're trying to hide from the spooky level country/worldwide stuff I don't have a good tip except "don't".
|
# ? Jan 7, 2017 00:44 |
|
COACHS SPORT BAR posted: the windows 10 download page can be coerced into showing download options for windows 7 and 8 as well with a little js

i used this to download and archive 32 and 64 bit win 7 isos as a 'just in case'

windows 10, too. gently caress windows 8.
|
# ? Jan 7, 2017 00:50 |
|
apseudonym posted: I might drunk effort post it later but it depends on the scale and skill of your attacker. If you're trying to hide from the spooky level country/worldwide stuff I don't have a good tip except "don't".

"mossad gonna mossad"
|
# ? Jan 7, 2017 03:07 |
|
https://twitter.com/xkeepah/status/817597393449271296
|
# ? Jan 7, 2017 06:49 |
|
why is it a laptop version
|
# ? Jan 7, 2017 07:56 |