|
ratbert90 posted:Random question: if you control all the devices that will connect to that embedded device: * you can have a company root and add that root to everything's trusted CAs and then have the production embedded device ship with key/cert that chain to that root if you don't control every device that will connect to that production embedded device and it's being set up by people with competent it departments with private CA infrastructure your best bet is to either: * provide a mechanism to set the box's CN, generate a key that stays on the device, generate a csr for the it department to download and sign with their internal root, and a way for them to upload a corresponding cert once issued * provide a way to upload both a valid key and cert if you don't control every device that will connect to that production embedded device and it's being NOT set up by people with competent it departments: * lomarf why even care
|
#
¿
Jan 6, 2017 19:40
|
|
|
|
| # ¿ May 2, 2024 05:20 |
|
|
Trabisnikof posted:Browsers have all the information required to determine if fields are visible, even if implementing a solution ends in heuristic whack-a-mole did any effort come of kaminsky's DC23 talk yet? https://www.youtube.com/watch?v=9wx2TnaRSGs i see that https://www.w3.org/TR/UISecurity/ exists but not anything actually built into a browser yet
|
|
#
¿
Jan 9, 2017 06:45
|
|
|
uncurable mlady posted:im pretty sure you can convert the fingerprint to the hash or w/e, it's the same thing that's in authorized_keys authorized_keys stores client keys for authentication. you're thinking of the known_hosts file, which stores server keys you've connected to, and is implemented as a flat file (that you need to use ssh-keygen to interact with on modern openssh installs because they hash hostnames to make the files less useful for folks who hack a box and pivot) putty/winscp apparently don't use that mechanism and figuring out an existing stored hash is difficult I say "apparently" here because I am trusting you people at your word that there isn't some known_hosts file lurking about
|
|
#
¿
Jan 9, 2017 14:45
|
|
|
Aquarium of Lies posted:lol a company I'm interviewing at had an unsecured mongo instance get ransomewared very recently well that's two reasons not to work there then unless youre heading up a "get us off of mongo" project
|
|
#
¿
Jan 11, 2017 05:23
|
|
|
so what's going to be the next security punching bag nosql database I would bet redis except it would have to actually keep useful data in it long enough for a hacker to connect
|
|
#
¿
Jan 11, 2017 06:49
|
|
|
darkforce898 posted:How would you go about issuing valid certificates on hundreds of devices that change their public IP address daily? this is the kind of thing letsencrypt is designed to make feasible: hundreds of uniquely keyed certs valid for short enough time scales that you can fire and forget them, when before it'd be an expensive UCC with a poo poo ton of names or a wildcard that was somehow even more expensive if they're externally accessible devices like you say they are, run the letsencrypt client on them, as configured by the configuration management you surely must have with hundreds of things that change their public IPs daily if they can't be externally accessible split-horizon your dns, map the external *.thingyouwouldgetawildcardfor.fleetofsquirrels.edu view to point at a machine running letsencrypt, and write scripts to automatically generate the certs and then put the certs into the right places using the configuration management you surely must have with hundreds of things that change their IPs daily also, in terms of CAs/registrars with decent prices and decent humans, gandi is up there.
|
|
#
¿
Jan 12, 2017 00:07
|
|
|
rumor was that phineas fisher was arrested in a raid in catalan but lol maybe not
|
|
#
¿
Jan 31, 2017 23:50
|
|
|
ate all the Oreos posted:good to see gitlab has worse backup practices than my dumbass personal website why does your dumbass personal website have a half terabyte of postgres database
|
|
#
¿
Feb 1, 2017 06:36
|
|
|
anthonypants posted:since when did a receipt printer need to be pci compliant if a receipt printer has a way to talk to it over the public internet do you really believe the pos terminal itself does not
|
|
#
¿
Feb 5, 2017 05:43
|
|
|
Rufus Ping posted:gocardless, direct debit charging -as-a-service company, got burglarised password protected is not encrypted whoops
|
|
#
¿
Feb 7, 2017 19:35
|
|
|
in the off chance anyone here is on the other side of the embargo, what's the verdict on the new xen vuln (xsa-212)? how hosed are my clouds?
|
|
#
¿
Mar 24, 2017 02:16
|
|
|
lol Cisco how do you use 32 bit signed timestamps ityool 2017 http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64291.html
|
|
#
¿
Apr 1, 2017 23:21
|
|
|
a literal sec gently caress up also I cannot stop reading that brand name as "slime eye" which is a really crass name for a cervix
|
|
#
¿
Apr 3, 2017 20:28
|
|
|
before any of you waste time trying i have been unable to get ms comic chat running under wine
|
|
#
¿
Apr 4, 2017 05:51
|
|
|
interesting tool: https://github.com/huntergregal/mimipenguin mimikatz-style memory dumping and searching for linux passwords. requires root, seems focused on linux desktop users, so all three of us should be careful.
|
|
#
¿
Apr 6, 2017 16:26
|
|
|
crosspost from the grey thread because this thing from last year is hilarious to me https://arstechnica.com/security/2016/04/nation-wide-radio-station-hack-airs-hours-of-vulgar-furry-sex-ramblings/ mass radio box hacking leads to more people learning about furries the box maker has published a statement: quote:Barix would like to emphasize that its devices are secure for Broadcast use when set up correctly and protected with a strong password. With several hundreds of thousands of Barix devices in operation worldwide, these unfortunate security breaches are an extreme rarity. or to summarize, "why the gently caress are you setting six character passwords on the boxes that control your radio feed and putting them on the public internet" Storysmith fucked around with this message at 06:05 on Apr 10, 2017 |
|
#
¿
Apr 10, 2017 06:00
|
|
|
flakeloaf posted:https://twitter.com/xor/status/854833469880283136 no highs, no lows, customer data flows
|
|
#
¿
Apr 20, 2017 07:11
|
|
|
I can never remember which sdr nerd is into decoding tpms sensors but I think it's Jared Boone? anyway it's a simple enough protocol that you can leave a hackrf with a portapack plugged in and decode a bunch from passing cars and log them to an sd card with time of day this has been diy surveillance state corner
|
|
#
¿
Apr 21, 2017 05:31
|
|
|
Cocoa Crispies posted:as a shorty playing in group policy settings secfuck thread bringing the hits 
|
|
#
¿
May 6, 2017 06:33
|
|
|
|
| # ¿ May 2, 2024 05:20 |
|
|
im password Pepsico!
|
|
#
¿
May 21, 2017 20:08
|
|