|
Segmentation Fault posted:looks like them secfuck boys are at it again
|
# ¿ Jan 5, 2017 16:26 |
|
|
# ¿ May 2, 2024 09:49 |
|
best source is still curated twitter unfortunately
|
# ¿ Jan 5, 2017 18:40 |
|
neither of them are on my list tbh
|
# ¿ Jan 5, 2017 18:43 |
|
i change who's on my list frequently (usually if something big happens), and kick off people who are just noise but this has done me well so far: https://twitter.com/zylche/lists/security mostly i just look there for what's happening and if there's any big news my bigger follow list will have something to say/retweet someone of value
|
# ¿ Jan 5, 2017 19:26 |
|
whoever was complaining about signal's egypt approach earlier: https://twitter.com/whispersystems/status/817062093094604800
|
# ¿ Jan 5, 2017 19:55 |
|
https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequatequote:... complaint & exhibits: https://www.ftc.gov/system/files/documents/cases/170105_d-link_complaint_and_exhibits.pdf
|
# ¿ Jan 5, 2017 20:42 |
|
Ur Getting Fatter posted:what the gently caress, Citibank
|
# ¿ Jan 6, 2017 07:12 |
|
hey another document https://www.dni.gov/files/documents/ICA_2017_01.pdf
|
# ¿ Jan 6, 2017 21:50 |
|
Powaqoatse posted:tiny brontosaurus is cool
|
# ¿ Jan 10, 2017 20:07 |
|
imagine i crossposted everything i said in that thread here it's not outside the realm of possibility that a small hosting provider would ask their sysadmin to check their customers for known exploits on vbulletin or its variants the wording isn't clear, but we won't get a discussion out of it if fau bans the other party instead of letting the discussion continue
|
# ¿ Jan 10, 2017 22:03 |
|
OSI bean dip posted:i have proof
|
# ¿ Jan 10, 2017 23:03 |
|
moving the conversation from Bad With Money: cc data is sent to sa's store then ??? processing happens and a payment processor is involved in some manner yes yes old terrible implementation from years ago but it isn't doing any favours towards allegations of cc misused
|
# ¿ Jan 10, 2017 23:36 |
|
Tesseraction posted:Once on the SA servers it's saved to /tmp/Wiggly Wayne DDS.details until the folder is cleared out at midnight.
|
# ¿ Jan 10, 2017 23:42 |
|
the point is that we can only go on your word given the setup zdr, any allegation of misconduct can't be conclusively cleared given the fundamentally flawed system to begin with there's better ways to implement this in 2017 but whether that's in your hands is another matter
|
# ¿ Jan 10, 2017 23:47 |
|
zen death robot posted:I don't know enough about webdev to fix the lovely way the cookie info is handled. That's why lowtax got an actual webdev guy to recode things, but if anyone can point me to some resouces I'll do what I can to fix that poo poo too. this is why i mentioned the payment processor handling a pubkey to the client to handle in the other thread, keep as far away from passing over data you should never be looking at or modifying in the first place. that way no one can make up stories that are technically implausible
|
# ¿ Jan 10, 2017 23:50 |
|
oaky let's start again you know how oauth fundamentally works? imagine that but instead of user credentials it's credit card details really this should be your payment processor who has this all ready to go and you should be on a legacy system to be EoLed
|
# ¿ Jan 10, 2017 23:52 |
|
making you understand the issue isn't quite the same as pressing you to change a system you aren't comfortable with touching on that note turns out the payment provider sa uses does support sane methods of handling cc data http://developer.authorize.net/api/reference/features/acceptjs.html
|
# ¿ Jan 11, 2017 00:01 |
|
i don't have anything more to add other than "here's the problem that gives vague complaints a level of validity and what could be done to stop it", sure as hell don't expect you to resolve it as a first priority
|
# ¿ Jan 11, 2017 00:07 |
|
how many indefinitely valid 'test' certs are active, and may i borrow one
|
# ¿ Jan 11, 2017 00:13 |
|
much like the store going opensource i didn't hear no so will patiently check my inbox
|
# ¿ Jan 11, 2017 00:18 |
|
someone was dumb enough to use heartbleed
|
# ¿ Jan 11, 2017 00:37 |
|
anthonypants posted:well YOUR claim is also unsupported therefore YOU are also just as much the gullible idiot. check mate
|
# ¿ Jan 11, 2017 18:09 |
|
OSI bean dip posted:this is the security fuckup thread; not the journalism integrity one
|
# ¿ Jan 11, 2017 18:48 |
|
ate all the Oreos posted:i assume in this case you'd actually need to access the specific transmitter etc but i guarantee that some time in the near future there will be a life-critical device that will allow some 15 year old who just discovered what a metasploit is to kill someone and you bet your rear end they will do it https://twitter.com/matthew_d_green/status/818818410947682304 in other juniper news: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10753&actp=search
|
# ¿ Jan 11, 2017 21:18 |
|
in non-piss news cellebrite was hacked sometime last year and 900GB of data has been handed to at least motherboard https://motherboard.vice.com/read/cellebrite-sold-phone-hacking-tech-to-repressive-regimes-data-suggests
|
# ¿ Jan 12, 2017 18:40 |
|
google releases key transparency prototype: https://security.googleblog.com/2017/01/security-through-transparency.html good first step towards improving non-browser comms
|
# ¿ Jan 12, 2017 19:11 |
|
it is not an uncommon opinion among dumb people in security
|
# ¿ Jan 13, 2017 19:38 |
|
Ur Getting Fatter posted:i still think a setting that asks you to reverify a contact before resending messages when the key has changed, would pretty much fix this problem. it doesn't have to be on by default, like with signal
|
# ¿ Jan 13, 2017 20:36 |
|
it's not really the companies themselves you should be concerned with regarding telemetry, it's grouping telemetry data form multiple sources without privacy and data usage limitations without the company's consent or knowledge update systems are obviously usability/security trade-offs but the risk is still there
|
# ¿ Jan 14, 2017 02:30 |
|
yeah 10% seems on the low-scale, but long-term spearfishing across 18k targets? how many organisations were involved and what was the level of personalisation? where on the hierarchy were the targets mainly based, and were there obvious attempts at avoiding anyone who'd flag malware or inspect it? v interested in the tech details as kaspersky aren't exactly the most reliable on attribution
|
# ¿ Jan 16, 2017 23:23 |
|
hackbunny posted:sorry to disappoint with a relatively lame post and no eyepyramid update, but the opera 12 source code has just been leaked: shadowban all opera users, especially the ones changing user-agent
|
# ¿ Jan 17, 2017 18:10 |
|
germany ... really though you wouldn't show large-scale capabilities of that nature publicly unless you were effectively at war, like ukraine
|
# ¿ Jan 17, 2017 23:51 |
|
https://bugs.chromium.org/p/project-zero/issues/detail?id=1088quote:On January 12th, an automatic Adobe Acrobat update force installed a new chrome extension with ID efaidnbmnnnibpcajpcglclefindmkaj. You can view it on the Chrome Webstore here: https://chrome.google.com/webstore/detail/adobe-acrobat/efaidnbmnnnibpcajpcglclefindmkaj/
|
# ¿ Jan 18, 2017 20:14 |
|
earlier today 3 key recovery attacks on aes-gcm-siv were unveiled on cfrg (1st is important): https://mailarchive.ietf.org/arch/msg/cfrg/k2mpWgod4mbdOxsvN6EtXHb0BAg more eyepyramid info, it uses a lot more third-party software than previously thought: https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/ ongoing fun with manufacturer test accounts, awaiting part 2: https://research.trust.salesforce.com/Meraki-RCE-When-Red-Team-and-Vulnerability-Research-fell-in-love.-Part-1/
|
# ¿ Jan 18, 2017 23:24 |
|
hackbunny posted:eyepyramid trivia: there's some unused code related to captchas, functions to download/upload both images and text from <url>/captcha/<unique id>. the same module contains code to scrape forms from the page currently open in IE and upload them. no idea about the captcha stuff but it seems out of place. I wonder if eyepyramid is part of a larger family of malware
|
# ¿ Jan 19, 2017 02:04 |
|
banime
|
# ¿ Jan 19, 2017 22:28 |
|
BangersInMyKnickers posted:ios doesn't allow all of those application rights and you have the ability to block it from accessing specific things when it attempts
|
# ¿ Jan 20, 2017 00:18 |
|
eta to *.webex.com xss: https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
|
# ¿ Jan 23, 2017 22:24 |
|
Subjunctive posted:oh that's fine then
|
# ¿ Jan 23, 2017 23:29 |
|
|
# ¿ May 2, 2024 09:49 |
|
it fizzled out, no one's saying that yet
|
# ¿ Jan 24, 2017 00:38 |