ohgodwhat posted: Relatively tame but this guy's not off to a good start:
# ? Jan 9, 2017 03:22
So close to understanding and yet
# ? Jan 9, 2017 03:36
Volmarias posted: You're just training the user to hit the enter key after doing an autofill without reading what it says.

Yeah, agreed, that's what I was trying to say with the last bit.
# ? Jan 9, 2017 03:58
ohgodwhat posted: Relatively tame but this guy's not off to a good start:

My favorite part is that the line he uses to get a random filename for uploads doesn't seem to check if the number/name is already in use, presumably resulting in overwriting an existing file if the random numbers happen to come out the same. So even if the rest of the stuff wasn't insecure garbage, his upload facility would be unreliable.
# ? Jan 9, 2017 04:21
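Worked example, added here by the editor and not taken from the upload script ohgodwhat is reviewing (which isn't reproduced on this page): the collision-blind "pick a random name and write" pattern next to a version that lets the kernel refuse an existing path with O_CREAT|O_EXCL and retries with a fresh name, so a repeated random name can never clobber another user's upload. The upload directory, file names and contents are constructed for the demonstration, and ALLOWED_EXTENSIONS is a hypothetical server-side policy (the extension should never be taken verbatim from the client).

```python
import os
import secrets
import tempfile
from typing import Callable

# Added example, not code from the script under discussion. Directory, names
# and file contents below are constructed for the demonstration.

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".bin"}   # hypothetical server-side policy


def random_name(length: int = 16) -> str:
    """CSPRNG-backed file name. random.random()/rand() output is predictable; secrets is not."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def naive_save(upload_dir: str, name: str, data: bytes) -> str:
    """The pattern the post complains about: pick a name, open for writing, never check.
    If the name is already taken, "wb" truncates and the earlier upload is silently lost."""
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def create_upload_file(upload_dir: str, data: bytes, ext: str = ".bin",
                       name_fn: Callable[[], str] = random_name, attempts: int = 8) -> str:
    """Write an upload under a fresh random name without ever overwriting an existing file.

    O_CREAT|O_EXCL makes os.open fail with FileExistsError if the path already
    exists, so the collision is detected atomically (no check-then-create race
    between two concurrent uploads) and we simply retry with another name.
    """
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    for _ in range(attempts):
        path = os.path.join(upload_dir, name_fn() + ext)
        try:
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue                      # name in use: keep the old file, pick another name
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return path
    raise RuntimeError("no unused name after %d attempts" % attempts)


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Force a name collision and record how each variant behaves."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    existing = os.path.join(upload_dir, "aaaa.bin")
    with open(existing, "wb") as fh:
        fh.write(b"first user's file")

    # A rigged "random" generator: the taken name twice, then a free one.
    names = iter(["aaaa", "aaaa", "bbbb"])

    naive_save(upload_dir, "aaaa.bin", b"second user's file")
    naive_overwrote = _read(existing) == b"second user's file"

    with open(existing, "wb") as fh:                    # restore for the safe variant
        fh.write(b"first user's file")
    safe_path = create_upload_file(upload_dir, b"second user's file", ".bin",
                                   name_fn=lambda: next(names))
    return {
        "naive_overwrote": naive_overwrote,
        "safe_name": os.path.basename(safe_path),
        "safe_preserved_original": _read(existing) == b"first user's file",
        "safe_wrote_new": _read(safe_path) == b"second user's file",
    }


if __name__ == "__main__":
    print(demo())
```

The retry loop also bounds the damage if the name space is ever exhausted or the generator is broken: you get an exception, not a silent overwrite. In a real handler you would additionally keep the upload directory outside the web root and serve files by id, but that is beyond what the post is about.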
Volmarias posted: You're just training the user to hit the enter key after doing an autofill without reading what it says.

Uncheck them by default, I guess? Though that won't stop users from just blindly clicking everything.
# ? Jan 9, 2017 05:01
Browsers have all the information required to determine if fields are visible, even if implementing a solution ends in heuristic whack-a-mole.
# ? Jan 9, 2017 05:03
COACHS SPORT BAR posted: As has been said many times before, security often comes at the expense of convenience. Solution: patch autofill out of all of these browsers.

I'm saying I think autofill can still be pretty secure if you make it work on individual inputs instead of the whole form at once.
# ? Jan 9, 2017 05:26
Trabisnikof posted: Browsers have all the information required to determine if fields are visible, even if implementing a solution ends in heuristic whack-a-mole.

Did any effort come of Kaminsky's DC23 talk yet? https://www.youtube.com/watch?v=9wx2TnaRSGs

I see that https://www.w3.org/TR/UISecurity/ exists, but not anything actually built into a browser yet.
# ? Jan 9, 2017 06:45
vOv posted: Uncheck them by default, I guess? Though that won't stop users from just blindly clicking everything.

Just let the user click on the fields they want filled.
# ? Jan 9, 2017 07:24
Our tester was trying to connect to a server with WinSCP. It gave a warning about a changed fingerprint, and he posted a screenshot: "the new fingerprint is wh:at:ev:er:th:ef:uc:k".

I tried whether my connection still worked. It did. So I tried to find the fingerprint. Maybe I'm just dumb, but I just can't find it anywhere in either the WinSCP or the PuTTY UI. PuTTY stores some super loving long hex string in the registry that looks nothing like the one shown in the dialog.

I finally found out the fingerprint by enabling logging in WinSCP and looking at the log file. It didn't match.
# ? Jan 9, 2017 10:16
Wheany posted: Our tester was trying to connect to a server with WinSCP. It gave a warning about a changed fingerprint, and he posted a screenshot: "the new fingerprint is wh:at:ev:er:th:ef:uc:k".

Screenshot or didn't happen. I believe you, I just want to see it.
# ? Jan 9, 2017 10:22
negromancer posted: Screenshot or didn't happen.

You're taking that too literally; the fingerprints are hex, unless that's a really dumb WinSCP placeholder message.

Bearing in mind that it could also be an ECDSA or Ed25519 key, and client-side changes can alter the priority and thus get you a warning (without a MITM), the following command gets you the fingerprint on the server:

$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

Maybe they were using an old DSA host key and the server no longer supports it.

edit: You may need to insert "-E md5" (after ssh-keygen) to get old-style fingerprints; apparently OpenSSH changed from MD5 to SHA256 by default in v6.8 (March 2015) and I haven't had to do a careful fingerprint examination in that long.

James Baud fucked around with this message at 11:14 on Jan 9, 2017
# ? Jan 9, 2017 10:30
Phone posted: You actually just quarantined the bad discussion, so like the malposts are technically still infecting your system. With this new form of shitposting, you can't take an anti-virus approach to these sorts of things, and flattening and reinstalling doesn't work.

BadPOST
# ? Jan 9, 2017 10:46
James Baud posted: You're taking that too literally; the fingerprints are hex, unless that's a really dumb WinSCP placeholder message.

Yes, the fingerprint wasn't literally whateverthefuck; I'm not going to transcribe some screenshot for a yospost.

The point was that, as far as I can tell, there is no way of finding out the saved fingerprint for a given server so that I can compare them. Well, with PuTTY you can get some really long hex string from the registry, but it's way too long and it's not in the same format as the one in the dialog (two hex digits, colon, two hex digits, colon, etc.).

So the warning is "YOUR poo poo MIGHT HAVE BEEN HACKED, check this fingerprint:" and there is no way to get a known-good value from another instance of WinSCP or PuTTY to compare them.
# ? Jan 9, 2017 11:16
Wheany posted: Yes, the fingerprint wasn't literally whateverthefuck; I'm not going to transcribe some screenshot for a yospost.

Why have I thought this whole time that the fingerprint was stored on your end after the first connect, and you could just compare that to whatever was in some Linux file? (It's 5am and I'm high.)
# ? Jan 9, 2017 11:43
Wheany posted: Yes, the fingerprint wasn't literally whateverthefuck; I'm not going to transcribe some screenshot for a yospost.

I'm pretty sure you can convert the fingerprint to the hash or w/e; it's the same thing that's in authorized_keys.
# ? Jan 9, 2017 11:59
Wait, I'm high, isn't that literally just the pubkey? And the thing that's displayed is the MD5 hash?
# ? Jan 9, 2017 12:01
uncurable mlady posted: Wait, I'm high, isn't that literally just the pubkey? And the thing that's displayed is the MD5 hash?

YES! It's stored in ~/.ssh/authorized_keys, I thought?

See, that's why I only run scripts at night, and write them in the daytime. The strength of weed I get from my friend ranges from "nice realizing high" to "I might be in a coma so I'm gonna watch Ocean's Eleven on repeat".
# ? Jan 9, 2017 12:27
uncurable mlady posted: I'm pretty sure you can convert the fingerprint to the hash or w/e; it's the same thing that's in authorized_keys.

authorized_keys stores client keys for authentication. You're thinking of the known_hosts file, which stores server keys you've connected to, and is implemented as a flat file (that you need to use ssh-keygen to interact with on modern OpenSSH installs, because they hash hostnames to make the files less useful for folks who hack a box and pivot).

PuTTY/WinSCP apparently don't use that mechanism, and figuring out an existing stored hash is difficult. I say "apparently" here because I am trusting you people at your word that there isn't some known_hosts file lurking about.
# ? Jan 9, 2017 14:05
Storing that in the Windows registry sounds like something PuTTY would do.
# ? Jan 9, 2017 14:57
Storysmith posted: authorized_keys stores client keys for authentication. You're thinking of the known_hosts file, which stores server keys you've connected to, and is implemented as a flat file (that you need to use ssh-keygen to interact with on modern OpenSSH installs, because they hash hostnames to make the files less useful for folks who hack a box and pivot).

That's why you use MobaXterm on Windows and stop using PuTTY and WinSCP like it's 2004.
# ? Jan 9, 2017 14:59
minivanmegafun posted: Storing that in the Windows registry sounds like something PuTTY would do.

Yes, PuTTY definitely stores the known_hosts equivalent in the registry. On Linux, I know that I can run "ssh-keygen -l -f ~/.ssh/known_hosts" to get the colon-delimited fingerprint, but I have no idea how to get PuTTY to give me that information.
# ? Jan 9, 2017 15:18
negromancer posted: That's why you use MobaXterm on Windows and stop using PuTTY and WinSCP like it's 2004.

Dota 2 sucks though.
# ? Jan 9, 2017 15:18
Apparently you do that by writing a bad PowerShell script to dump it out of the registry. Welcome to Windows.
# ? Jan 9, 2017 15:20
negromancer posted: That's why you use MobaXterm on Windows and stop using PuTTY and WinSCP like it's 2004.

I use ExtraPuTTY with awful Lua scripts right now. There's even a portable version of this. Thank you for pointing out this program and ending my nightmare.
# ? Jan 9, 2017 15:28
negromancer posted: YES! It's stored in ~/.ssh/authorized_keys, I thought?

You can use ssh-keygen -lf ~/.ssh/authorized_keys or known_hosts to dump the hashes. Use the -E md5 switch if you need MD5.

bring back lf
# ? Jan 9, 2017 15:30
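Worked example added by the editor, covering the points James Baud, Storysmith and Wheany make above about what a fingerprint actually is and where the stored copy lives; it is not code from any of the posts or from OpenSSH/PuTTY. It rebuilds the RFC 4253 ssh-rsa public-key blob (the bytes that base64 encodes in a known_hosts or authorized_keys line), hashes it the two ways ssh-keygen -l does (-E md5 colon hex, and the post-6.8 default SHA256 base64 without padding), checks a hashed |1|salt|hmac known_hosts entry against a hostname the way ssh-keygen -F does, and converts a PuTTY-style registry value to the same fingerprint so the two can be compared. The key material is constructed, not a real server key, and the PuTTY registry layout assumed here (HKCU\Software\SimonTatham\PuTTY\SshHostKeys, value name like rsa2@22:host, data "0x<exponent>,0x<modulus>") is from memory and should be checked against your own registry before you rely on it.

```python
import base64
import hashlib
import hmac
import os
import struct

# Added example. Key material below is constructed for the demonstration. The
# ssh-rsa blob layout follows RFC 4253; the known_hosts hashed-host scheme is
# OpenSSH's; the PuTTY registry value layout ("0x<e>,0x<n>" for rsa2 keys) is
# an assumption to verify against a real HKCU\Software\SimonTatham\PuTTY\SshHostKeys.


def _string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint': two's complement, so a 0x00 byte is prepended when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The bytes behind 'ssh-rsa AAAA...' in known_hosts/authorized_keys; this is what gets hashed."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprints(blob: bytes) -> dict:
    """Both ssh-keygen -l styles: '-E md5' (colon-separated hex) and the default SHA256 (base64, no '=')."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = hashlib.sha256(blob).digest()
    return {
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "SHA256": "SHA256:" + base64.b64encode(sha).decode().rstrip("="),
    }


def blob_from_openssh_line(line: str) -> bytes:
    """Accept a known_hosts line ('host type b64 ...') or an authorized_keys line ('type b64 ...')."""
    parts = line.split()
    for i in range(len(parts) - 1):
        try:
            candidate = base64.b64decode(parts[i + 1], validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        # A key blob starts with its own type name as an SSH string; that ties token and blob together.
        if candidate.startswith(_string(parts[i].encode())):
            return candidate
    raise ValueError("no key found in line")


def blob_from_putty_rsa2(registry_value: str) -> bytes:
    """Assumed PuTTY/WinSCP SshHostKeys value for rsa2@<port>:<host>: '0x<exponent>,0x<modulus>'."""
    e_hex, n_hex = registry_value.split(",")
    return rsa_public_blob(int(e_hex, 16), int(n_hex, 16))


def hash_known_host(hostname: str, salt: bytes = b"") -> str:
    """OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def known_host_matches(host_field: str, hostname: str) -> bool:
    """What ssh-keygen -F does: recompute the HMAC with the stored salt and compare."""
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")   # plain entries may list several names
    _, _, salt_b64, mac_b64 = host_field.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))


def demo() -> dict:
    e, n = 65537, (1 << 2047) | 0x1234567          # constructed, not a real modulus
    blob = rsa_public_blob(e, n)
    b64 = base64.b64encode(blob).decode()
    known_hosts_line = "%s ssh-rsa %s" % (hash_known_host("example.com"), b64)
    putty_value = "0x%x,0x%x" % (e, n)
    fp_openssh = fingerprints(blob_from_openssh_line(known_hosts_line))
    fp_putty = fingerprints(blob_from_putty_rsa2(putty_value))
    host_field = known_hosts_line.split()[0]
    return {
        "fingerprints": fp_openssh,
        "putty_and_openssh_agree": fp_openssh == fp_putty,
        "roundtrip_known_hosts": blob_from_openssh_line(known_hosts_line) == blob,
        "roundtrip_authorized_keys": blob_from_openssh_line("ssh-rsa %s constructed@example" % b64) == blob,
        "host_matches": known_host_matches(host_field, "example.com"),
        "other_host_matches": known_host_matches(host_field, "example.org"),
    }


if __name__ == "__main__":
    print(demo())
```

With the registry value in hand you can compute the fingerprint PuTTY/WinSCP trusted and compare it to the server-side `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` output over a channel you trust; if the server shows several host key types, compare the one for the algorithm the client actually negotiated, since a different algorithm will legitimately produce a different fingerprint.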
negromancer posted: That's why you use MobaXterm on Windows and stop using PuTTY and WinSCP like it's 2004.

gently caress, that looks good. How long has that existed?
# ? Jan 9, 2017 15:32
Fergus Mac Roich posted: I use ExtraPuTTY with awful Lua scripts right now. There's even a portable version of this. Thank you for pointing out this program and ending my nightmare.

It was pointed out to me in 2013 and a coworker was like "yeah, I know about it, but I'm gonna stick to PuTTY, it's reliable, and I've been in sysadmin 14 years, so trust me". He's still a junior sysadmin at a poo poo tier hosting company, so no, don't trust him. Use MobaXterm.

jre posted: gently caress, that looks good. How long has that existed?

At least 2012. It's basically having actual Linux on Windows. You can run a scary amount of Linux commands on there and sometimes I forget I'm on a Windows box.
# ? Jan 9, 2017 15:32
negromancer posted: That's why you use MobaXterm on Windows and stop using PuTTY and WinSCP like it's 2004.
# ? Jan 9, 2017 15:32
negromancer posted: That's why you use MobaXterm on Windows and stop using PuTTY and WinSCP like it's 2004.

Why do all of these sites about tools to connect securely to your server via SSL refuse to implement HTTPS on their loving Geocities website? I love giving out my private keys to .exes I got off some unauthenticated FTP server.
# ? Jan 9, 2017 15:33
Ur Getting Fatter posted: Why do all of these sites about tools to connect securely to your server via SSL refuse to implement HTTPS on their loving Geocities website?

Not sure what you're referring to.
# ? Jan 9, 2017 15:35
negromancer posted: Not sure what you're referring to.

The MobaXterm site is HTTP and their download is HTTP.
# ? Jan 9, 2017 15:37
jre posted: gently caress, that looks good. How long has that existed?

That does look good, but I don't feel like paying over $50 per year(?) to replace PuTTY (and, to a lesser extent, WinSCP).
# ? Jan 9, 2017 15:45
Yeah, sorry, I worded that weirdly, but basically what Heresiarch said: you're trying to sell me a tool that relies on SSL, which I use to connect to servers whose only real line of defense is my private key; the fact that you don't use HTTPS on your website is unsettling.
# ? Jan 9, 2017 15:46
Heresiarch posted: The MobaXterm site is HTTP and their download is HTTP.

Oh yeah. I don't know when that happened. At one point, as far as I can remember, it was HTTPS, and then when I went back in summer 2016 it was HTTP and I was 🤔, but I had a portable version from like December 2015 that's fine, so I use that.
# ? Jan 9, 2017 15:49
Heresiarch posted: The MobaXterm site is HTTP and their download is HTTP.

It's HTTPS for me?
# ? Jan 9, 2017 15:51
Oh, it's because I force HTTPS everywhere; looks like the site defaults to HTTP for some dumb reason. You can switch it manually though!
# ? Jan 9, 2017 15:52
Wheany posted: That does look good, but I don't feel like paying over $50 per year(?) to replace PuTTY (and, to a lesser extent, WinSCP).

If you are using this professionally, why would you even blink at $50 for something that will improve your productivity?
# ? Jan 9, 2017 15:54
anthonypants posted: I'm still trying to get my coworkers to stop using FileZilla.

FileZilla is pretty good, so IDK why you'd do this.
# ? Jan 9, 2017 16:04