what the gently caress, Citibank edit: greenpos bestpos
# ¿ Jan 6, 2017 05:08
|
|
negromancer posted:that's why you use mobaxterm on windows and stop using putty and winscp like it's 2004. why do all of these sites about tools to connect securely to your server via SSL refuse to implement https on their loving geocities website? i love giving out my private keys to .exes i got off some unauthenticated ftp server
|
# ¿ Jan 9, 2017 15:33 |
|
yeah, sorry, i worded that weirdly, but basically what Heresiarch said: you're trying to sell me a tool that relies on SSL, which i use to connect to servers whose only real line of defense is my private key. the fact that you don't use https on your website is unsettling
|
# ¿ Jan 9, 2017 15:46 |
|
Volmarias posted:You know full well that it's never getting a firmware update. i've asked this before but i can't remember the answer, do these devices come with ipv6 disabled? if these things have telnet running on port 23 or whatever, is that getting broadcast to the internet without NAT?
|
# ¿ Jan 10, 2017 17:04 |
|
https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages

quote:WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

quote:Boelter said: “[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”

Here's the 2016 blog post which this article is based on.

if I'm understanding correctly, the problem boils down to whatsapp automatically resending undelivered messages without first asking for user input if the recipient's key has changed (like Signal does). further, whatsapp doesn't warn you of a changed key by default, you have to enable the warning (probably to prevent confused users from freaking out whenever someone changes their phone or reinstalls the app).

the only thing that I think the article gets wrong, or at least misrepresents, is that whatsapp is supposedly re-encoding messages that have already been delivered to the server. those messages are encrypted, you can't decrypt them without the recipient's key, which Whatsapp supposedly doesn't have. ie: if my phone is offline, or if I've cleared my chat history, whatsapp would theoretically be unable to re-encrypt the message and re-send it. in theory, the only way would be for the sender's app to re-send the messages with the new encryption key, right?

so on whatsapp's side this would be easily solvable by adding a second switch that says "ask before resending messages if recipient's key has changed?", to which Whatsapp has responded:

quote:"[...] We were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing.[...]"

ofc there's also the question of if you can actually trust an unaudited closed-source app but that's moot, really

edit: for what it's worth, there's precedent of Facebook literally going "we really can't decrypt these messages, even if we wanted", while a Brazilian judge was threatening to throw its Latin America CEO in jail for contempt in a murder case.

dpkg chopra fucked around with this message at 15:32 on Jan 13, 2017
# ¿ Jan 13, 2017 15:27 |
|
pr0zac posted:yeah basically only very few sec people get that the only way to make encryption and privacy protections universal is to make them useable by regular people, sometimes this means trading off perfect security to a degree in favor of usability in order to make adoption possible and advance the norm i posted an example in my op but fwiw pretty much everyone i've talked to in law enforcement has told me that they are basically hosed w/r/t reading whatsapp messages unless they have access to the phone itself (ie: access to the app), and i've read quite a few articles touting it as the messaging app of choice when it comes to encryption, right below Signal, so you're definitely above most everything else when it comes to public perception. i still think a setting that asks you to reverify a contact before resending messages when the key has changed, would pretty much fix this problem. it doesn't have to be on by default, like with signal
|
# ¿ Jan 13, 2017 20:07 |
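The resend behaviour argued over in the two posts above (the Guardian write-up and the "ask before resending" switch) as an added, runnable toy model. This is example code written for this page, not code from the thread, WhatsApp or Signal. Assumptions: the relay's ability to put a key pair it controls on record for an offline user is modelled as Server.force_new_key, the two resend policies are a single flag on the sender, and the "encryption" is a hashed Diffie-Hellman box over a Mersenne prime that merely stands in for the real ratchet. The users alice and bob are made up for the scenario.

```python
"""Toy model of the resend behaviour described above. Added example, not code from
the thread, WhatsApp or Signal; the cipher is a hashed Diffie-Hellman box standing
in for the real ratchet. The point is the resend policy, not the cryptography."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy group modulus: prime, but far too small for real use
G = 3


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _kdf(shared, nonce, n):
    """Expand a DH shared secret into n keystream bytes followed by a 32-byte MAC key."""
    out, ctr = b"", 0
    while len(out) < n + 32:
        out += hashlib.sha256(shared.to_bytes(16, "big") + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out


def encrypt(pub, msg):
    eph_priv, eph_pub = keygen()
    nonce = secrets.token_bytes(16)
    ks = _kdf(pow(pub, eph_priv, P), nonce, len(msg))
    body = bytes(a ^ b for a, b in zip(msg, ks))
    tag = hmac.new(ks[len(msg):len(msg) + 32], body, hashlib.sha256).digest()
    return {"eph": eph_pub, "nonce": nonce, "body": body, "tag": tag}


def decrypt(priv, ct):
    """Plaintext, or None when priv is not the key the box was sealed to."""
    n = len(ct["body"])
    ks = _kdf(pow(ct["eph"], priv, P), ct["nonce"], n)
    tag = hmac.new(ks[n:n + 32], ct["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, ct["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(ct["body"], ks))


class Server:
    """The relay. force_new_key models the capability the article describes."""
    def __init__(self):
        self.keys, self.mailbox, self.injected = {}, {}, {}

    def register(self, user, pub):
        self.keys[user] = pub
        self.mailbox.setdefault(user, [])

    def deliver(self, to, ct):
        self.mailbox[to].append(ct)
        return "pending"  # every recipient is offline in this scenario

    def force_new_key(self, user):
        self.injected[user], self.keys[user] = keygen()  # a key pair the server holds

    def snoop(self, user):
        """What the server can read: only boxes sealed to the key it injected."""
        priv = self.injected.get(user)
        if priv is None:
            return []
        return [m for m in (decrypt(priv, ct) for ct in self.mailbox[user]) if m is not None]


class Client:
    def __init__(self, name, server, ask_before_resend):
        self.server, self.ask_before_resend = server, ask_before_resend
        self.priv, self.pub = keygen()
        server.register(name, self.pub)
        self.pinned = {}       # contact -> key last seen (or verified) for that contact
        self.undelivered = []  # (contact, plaintext) not yet acknowledged by the server
        self.held = []         # messages parked until the user re-verifies the contact

    def send(self, to, msg):
        pub = self.server.keys[to]
        self.pinned.setdefault(to, pub)
        if self.server.deliver(to, encrypt(pub, msg)) == "pending":
            self.undelivered.append((to, msg))

    def retransmit(self):
        """Resend unacknowledged messages, re-encrypting if the contact's key changed."""
        pending, self.undelivered = self.undelivered, []
        for to, msg in pending:
            pub = self.server.keys[to]
            if pub != self.pinned[to] and self.ask_before_resend:
                self.held.append((to, msg))  # Signal-style: stop and ask the user first
                continue
            self.pinned[to] = pub  # WhatsApp-default-style: accept the new key silently
            if self.server.deliver(to, encrypt(pub, msg)) == "pending":
                self.undelivered.append((to, msg))


def run_scenario(ask_before_resend):
    """Returns (plaintexts the server could read, messages the sender held back)."""
    server = Server()
    alice = Client("alice", server, ask_before_resend)
    Client("bob", server, ask_before_resend)  # registers Bob's real key; Bob then stays offline
    alice.send("bob", b"meet at 9")
    server.force_new_key("bob")  # the server swaps Bob's key for one it controls
    alice.retransmit()
    return server.snoop("bob"), alice.held
```

run_scenario(False) comes back with the message readable by the server, run_scenario(True) with nothing readable and the message parked in alice.held. Note that the original ciphertext sitting in the mailbox stays unreadable in both runs, which is the point dpkg chopra makes about already-submitted messages: the only copy the server can open is the one the sender re-encrypted to the swapped key.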
|
Wiggly Wayne DDS posted:it already exists ??
|
# ¿ Jan 13, 2017 20:45 |
|
has anyone done a wireshark of a Windows 10 installation? that poo poo must light up like a Christmas tree even before you get to the opt out section
|
# ¿ Jan 14, 2017 05:39 |
|
this seems like the recipe for a sec fuckup. like i fully expect that in 6 months we'll be seeing a news article about this thing actually routing all your dns requests through their server or the app stripping all ssl certificates so that they can analyze your traffic like comodo did. also, apple already tracks data usage per app in settings, is that info not available to apps?
|
# ¿ Jan 14, 2017 16:23 |
|
that youtube video of the guy that found the bit diagrams of tsa locks posted on a government website and just made his own
|
# ¿ Jan 14, 2017 17:37 |
|
waSSHing machine
|
# ¿ Jan 17, 2017 14:40 |
|
the idea of the government controlling your washing machine so that it doesn't use too much electricity is such a perfect combination of computers, government surveillance and communism that I want these things to be active now just to watch Republicans' heads explode. we live in the most mundane cyberpunk dystopia ever
|
# ¿ Jan 17, 2017 18:09 |
|
can't wait for the state-sponsored malware that infects the smartgrid and marks the hottest day of the year as "off-peak". nationwide panic as millions of washers and dryers start their spin cycles simultaneously and bring down the whole grid
|
# ¿ Jan 17, 2017 20:32 |
|
Boiled Water posted:
Would you like to know more? Servers currently unavailable, please try again later.
|
# ¿ Jan 19, 2017 16:42 |
|
cloudy with a chance of occasional broadcast storms
|
# ¿ Jan 20, 2017 03:12 |
|
http://edition.cnn.com/2017/01/22/travel/united-grounds-domestic-flights-because-of-it-issue/index.html?adkey=bn

quote:United Airlines grounds domestic flights because of IT issue

not copying the article because there's literally no other useful info. bets on it being a) cryptolockered servers b) someone hosed around with that exploit of the booking system that let you change reservations c) ddos d) Russian hacking e) node.js comedy option
|
# ¿ Jan 23, 2017 02:49 |
|
that's the same system that had issues in October. sysadmins gonna get fired
|
# ¿ Jan 23, 2017 03:05 |
|
mod saas posted:test korea best korea
|
# ¿ Jan 23, 2017 23:07 |
|
Security Fuckup Megathread - If path contains ".anime" kill
|
# ¿ Jan 26, 2017 14:57 |
|
(sorry, OSI)
|
# ¿ Jan 26, 2017 18:38 |
|
the asterisks correlate to the missing letters so it can't be presssecretary e:fb
|
# ¿ Jan 26, 2017 18:59 |
|
Shaggar posted:pretty sure the asterisks are the same count for all addresses to prevent disclosing length so presssec or presssecretary would both work

they're not, they correlate exactly
|
# ¿ Jan 26, 2017 18:59 |
|
pressy.spice@gmail.com
|
# ¿ Jan 26, 2017 19:02 |
|
cinci zoo sniper posted:just slightly amusing to see a "darknet hacker enterprise" doing something mundane "i'm sorry boris, we're gonna have to let you go because our HR department has detected that you've been etching swastikas into your ecstasy shipments and, well, there's just no room for that type of behavior in our organization."
|
# ¿ Feb 6, 2017 21:08 |
|
https://twitter.com/cra0kalo/status/828947326425133057
|
# ¿ Feb 7, 2017 15:32 |
|
flakeloaf posted:brownsomeware AC/DC-256 encryption
|
# ¿ Feb 9, 2017 20:25 |
|
cheese-cube posted:work secfuck: we've just discovered that one of our EPCs is "sharing" data with us from an SMB share that's exposed to the internet. it appears they've at least configured fw policies to only allow connections from our main static NAT IP but loving lmao

is IP spoofing a thing? I've never looked into it. (yes I know there's a million reasons why having poo poo exposed directly to the internet even with IP restrictions is a bad idea, I'm just curious if it's an actual avenue of attack)
|
# ¿ Feb 13, 2017 14:15 |
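The avenue asked about in the post above, as an added simulation written for this page (not code from the thread, and nothing from the EPC setup it describes). The question is whether a blind attacker can reach a TCP service such as SMB that is allowlisted to one source address. The model below is a single host's TCP stack with a source allowlist on port 445 and an unrestricted port 80; the attacker forges the trusted address in a SYN but never sees the SYN-ACK, so the handshake only completes if the server's initial sequence number can be guessed. The two ISN schemes (a predictable +64000 counter, and a random 32-bit value), the ports, and the documentation-range addresses are assumptions of the example.

```python
"""Toy TCP handshake against a source-IP allowlist. Added example, not code from the
thread. A blind spoofer never receives packets addressed to the trusted address; it
can only complete the handshake if it guesses the server's ISN."""
import secrets

ATTACKER_IP, TRUSTED_IP = "198.51.100.7", "203.0.113.10"  # documentation-range addresses
MASK32 = 0xFFFFFFFF


class Host:
    """One TCP stack: a shared ISN generator plus per-port source allowlists."""

    def __init__(self, random_isn):
        self.random_isn = random_isn
        self._counter = 100_000  # predictable scheme: +64000 per connection (old BSD style)
        self.allow = {}          # port -> set of allowed source IPs, or None for anyone
        self.half_open = {}      # (src_ip, src_port, dst_port) -> our ISN
        self.established = set()

    def listen(self, port, allow=None):
        self.allow[port] = allow

    def _isn(self):
        if self.random_isn:
            return secrets.randbits(32)
        self._counter = (self._counter + 64_000) & MASK32
        return self._counter

    def syn(self, src_ip, src_port, dst_port):
        """Handle a SYN; return the SYN-ACK (addressed to src_ip) or None if filtered."""
        if dst_port not in self.allow:
            return None
        allow = self.allow[dst_port]
        if allow is not None and src_ip not in allow:
            return None  # firewall policy drops it: the attacker's own address gets nothing
        isn = self._isn()
        self.half_open[(src_ip, src_port, dst_port)] = isn
        return {"to": src_ip, "seq": isn}

    def ack(self, src_ip, src_port, dst_port, ack_num):
        """Third handshake packet; the session opens only if ack_num == ISN + 1."""
        key = (src_ip, src_port, dst_port)
        isn = self.half_open.get(key)
        if isn is not None and ack_num == (isn + 1) & MASK32:
            self.established.add(key)
            return True
        return False


def make_host(random_isn):
    host = Host(random_isn)
    host.listen(80)                 # a port anyone may reach
    host.listen(445, {TRUSTED_IP})  # SMB restricted to the partner's static NAT address
    return host


def blind_spoof(host, guesses=2000):
    """Try to open port 445 while claiming to be TRUSTED_IP, never seeing the SYN-ACK."""
    # 1. Learn the ISN pattern from a port the attacker may talk to directly.
    probe = host.syn(ATTACKER_IP, 40000, 80)
    seen = probe["seq"] if probe and probe["to"] == ATTACKER_IP else None
    # 2. Spoofed SYN. The SYN-ACK is addressed to TRUSTED_IP, so its contents are not used.
    host.syn(TRUSTED_IP, 40001, 445)
    # 3. Guess the server's ISN: the predictable-generator guess first, then random ones.
    candidates = [] if seen is None else [(seen + 64_000 + 1) & MASK32]
    candidates += [secrets.randbits(32) for _ in range(guesses)]
    return any(host.ack(TRUSTED_IP, 40001, 445, c) for c in candidates)
```

Against the predictable generator the forged session opens on the first guess; against a random 32-bit ISN two thousand blind guesses go nowhere, which is why modern stacks randomize ISNs (RFC 6528) and why blind TCP spoofing through an IP allowlist is impractical today. Two caveats the toy leaves out: a live trusted host that receives the unsolicited SYN-ACK answers with a RST and kills the half-open connection (the classic attack had to flood it into silence first), and none of this helps with UDP services or with an attacker who is already on a host behind that NAT address, who needs no spoofing at all.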
|
Wiggly Wayne DDS posted:if the security experts are the ones installing nsa backdoors, then who are the ones detecting them? who pentests the pentesters?
|
# ¿ Feb 23, 2017 04:08 |
|
what does 110gpu/year processing mean in real world dollars? i imagine it varies because legit actors will pay for cloud processing which is probably more expensive but more efficient, while criminals/APTs will use botnet computing which is cheaper but less efficient?
|
# ¿ Feb 23, 2017 16:40 |
|
Volmarias posted:Well, that's easy to solve, just have one of them click on a phishing email and all of their emails will be encrypted. ransomware: still more secure than symantec products
|
# ¿ Mar 3, 2017 20:51 |
|
same tbh
|
# ¿ Mar 9, 2017 02:05 |
|
loving lol i hope that's on purpose
|
# ¿ Mar 9, 2017 16:53 |
|
Loving Africa Chaps posted:Don't know if it was a rapid patch but my dot replied "no! I work for Amazon" honestly the fact that the answer isn't "no! I work for you!" is still concerning
|
# ¿ Mar 9, 2017 21:10 |
|
from pretty much everything i've read so far and from what smart people in this thread keep saying, the main reason IoT botnets are so powerful is because pretty much every manufacturer contracts their poo poo out to the lowest possible tier developer who shits out the cheapest, most outdated hardware, running unaudited, outdated code, with either hardcoded credentials (or no credentials), and undocumented root shells exposed straight to the internet. this makes the cost-per-unit-hacked extremely low for the people that are creating the botnets and allows them to grow to gigantic sizes, and also to be distributed all around the world. so maybe before looking at extreme solutions like killswitches, maybe we can incentivize the industry to step up the bare minimum quality of their products? at the very least you make it substantially more expensive for these botnets to be created and run.

dpkg chopra fucked around with this message at 15:31 on Mar 15, 2017
# ¿ Mar 15, 2017 15:28 |
|
flakeloaf posted:that just creates space for an unethical person in a less-regulated place to step up and occupy the niche. like when you shoot all the skunks in your garden and raccoons move in and you say "man do i wish i had the skunks back"

it's already been mentioned but the us is the main tech market, and people usually buy their poo poo at big brands. if those stores stop buying those products, you can bet your rear end D-link, TP-Link, Netgear and all those low-cost, china-based manufacturers are going to step up their game. both approaches involve "regulations" but by going against sellers in the US you basically use market forces against itself and you can still use a more direct approach of auditing and testing devices like the FDA does. the isp as a gatekeeper means that you're going to get a lot of false-positives, getting into a discussion about how much should ISPs be looking into private traffic, and eventually botnets will adapt by encrypting their traffic
|
# ¿ Mar 15, 2017 15:50 |
|
there's no silver bullet, I think. a coordinated, multipronged approach by the leading world economies could work to a point but lol at that happening under the current climate. I honestly think shifting civil liability to everyone in the supply chain has the highest ROI
|
# ¿ Mar 15, 2017 15:51 |
|
zillowned
|
# ¿ Mar 15, 2017 16:07 |
|
ate poo poo on live tv posted:Civil Forfeiture is hosed up and shouldn't be applauded in any way.

i hope he has a speedy but fair trial that results in conviction and that he is forced to return all moneys and goods obtained via his illicit activities, and they parade it in front of him as they confiscate it
|
# ¿ Mar 15, 2017 18:31 |
|
flakeloaf posted:and nothing of value was lost
|
# ¿ Mar 15, 2017 19:16 |
|
|
spotted at my local supermarket: scalable network infrastructure
|
# ¿ Mar 16, 2017 19:51 |