|
Migishu posted:Security Fuckup Megathread - v13.0.1 - looks like them secfuck boys are at it again
|
#
¿
Jan 5, 2017 16:38
|
|
|
|
| # ¿ May 2, 2024 10:30 |
|
|
Wiggly Wayne DDS posted:whoever was complaining about signal's egypt approach earlier: That was me, and I'm gonna stand by that with skill its not impossible to catch using things like timing and sizes and such signals, I worked with people who built tools for this kind of stuff (and sold them to lovely human being  ) and I hosed a lot of lovely tor stealth projects that tried to mask as other things.Thankfully Egypt blows and hasn't blown the money on people who can 
|
|
#
¿
Jan 6, 2017 03:12
|
|
|
spankmeister posted:Yeah but can you do all that on a national scale? Sure, why wouldn't you? The information you get at a national scale makes it easier to spot outliers. But y'know,  and 
|
|
#
¿
Jan 6, 2017 09:10
|
|
|
ate all the Oreos posted:wanna talk about how to not broadcast traceable signals if you know about it? I might drunk effort post it later but it depends the scale and skill of your attacker. If you're trying to hide from the spooky level country/worldwide stuff I don't have a good tip except "don't".
|
|
#
¿
Jan 7, 2017 00:44
|
|
|
pr0zac posted:gonna just quote myself on twitter here then go rock climbing instead of arguing cause the people who want to assume facebook is mustache twirlingly evil will never be convinced otherwise The security community is dumb and people running around shouting "WhatsApp can't read your messages even if they want to" was dumb and primed this freakout. People thinking it's a backdoor and not an obvious feature (omg I switched phones and didn't get your messages  ) are just silly.End to end doesn't mean you don't have to trust the people building your messaging app, but it seems like a lot of people missed that.
|
|
#
¿
Jan 13, 2017 19:11
|
|
|
Ah yes, the good ol' "I don't trust my OS but somehow don't think Im completely hosed"
|
|
#
¿
Jan 13, 2017 20:08
|
|
|
I knew we were missing someone in this security bingo.
|
|
#
¿
Jan 14, 2017 00:30
|
|
|
I got another recruiter email from Uber, at least this one got closer to what I actually do.
|
|
#
¿
Jan 18, 2017 20:32
|
|
|
Rooney McNibnug posted:
Play stupid games win stupid prizes
|
|
#
¿
Jan 19, 2017 01:55
|
|
|
Jabor posted:Pretty sure no-one thinks this is a good fix for the issue, but if the developer thinks they've addressed it sufficiently then it makes sense to release the details so everyone else can make up their mind about it. This is correct.
|
|
#
¿
Jan 24, 2017 00:53
|
|
|
redleader posted:have there been any reports of malware taking advantage of av vulnerabilities? I've heard rumblings. AV and security products make great targets because they're highly privileged low quality code. They're absolutely perfect targets if you're doing something targeted and want to be sneaky. If I wanted to get on your network all sneaky like I'd go for security boxes you've got (firewalls, AV boxes, MitM boxes, etc) first.
|
|
#
¿
Jan 27, 2017 21:23
|
|
|
BangersInMyKnickers posted:I doubt AV RCEs are going to be a serious risk for home/personal computers. There's enough fragmentation in the market that you're not going to get consistent payload deployment like going after the OS/browser/plugin trifecta and releasing an exploit through spam or ad channels is going to get it picked up on by the vendors quickly and a hotfix is going to get thrown in to their update channel and distributed to virtually all the endpoints inside a day or two. That's a whole lot of effort developing the payload for an RCE only to immediately bring yourself under heavy scrutiny and have your ingress cut off and your payload wiped in the next definition push. Government and corps should definitely be concerned since it will be worth the attacker's effort and the limiting targeting means you're more likely to go completely unnoticed and keep a permanent presence on their network. Fragmentation makes it less effective but OSes are improving greatly and AV is not, it's only going to get worse. The cost of a chrome exploit is less than an exploit in some lovely AV that injects stuff into chrome. Then again if you're going for maximum machine count you just ignore personal devices all together and make a botnet of lovely iot devices.
|
|
#
¿
Jan 27, 2017 22:26
|
|
|
Fuzzy Mammal posted:https://assets.documentcloud.org/documents/3424611/Read-the-Trump-administration-s-draft-of-the.pdf This doesn't look retarded enough to be real
|
|
#
¿
Jan 31, 2017 04:30
|
|
|
Subjunctive posted:don't say retarded 
|
|
#
¿
Jan 31, 2017 04:34
|
|
|
OSI bean dip posted:i have a grey that doesn't get why teamviewer is idiotic I dont understand how that thread is so good at bringing out weird views on security.
|
|
#
¿
Feb 3, 2017 07:26
|
|
|
Winkle-Daddy posted:E: ^^^ I was like you once before. Then I learned I was being stupid. :/ Because MiTMing stops someone from exfiltrating all your secrets off your network MiTMs remain a bad idea.
|
|
#
¿
Feb 8, 2017 06:14
|
|
|
Winkle-Daddy posted:can you give some examples? our research team had fun with some endpoints protection stuff recently and I'd love to throw them some suggestions of things to look at next The security appliances are in an even worse state than endpoint security, I've never gotten my hands on one that wasn't laughably bad.
|
|
#
¿
Feb 8, 2017 18:52
|
|
|
What did I just read?
|
|
#
¿
Feb 9, 2017 20:29
|
|
|
pr0zac posted:how does this thread have 90 pages of discussion i am so loving confused D&D
|
|
#
¿
Feb 9, 2017 20:37
|
|
|
James Baud posted:My theory goes: "indistinguishable from regular behavior" (as you do get occasional PIN prompts despite fingerprint), but I'm basing that on how the Nexus 5x and Pixel work, dunno about other phones. Generally I'm not convinced there are many situations where they'll just go "darn, foiled by this clever nerd" and not just make your life rather unpleasant.
|
|
#
¿
Feb 12, 2017 21:31
|
|
|
hackbunny posted:why would they do that? Why would they not, they can assume that you were using duress mode if they dont like you and treat you accordingly. I don't think duress modes actually work in practice, the claim that they'd help you against a repressive government sounds like a good way to get a dissident murdered. infernal machines posted:also in the news: you don't have to provide us with your decrytion key, but we will hold you in jail indefinitely until you give us your unencrypted data so we can build a case against you. I mean, yeah? That's been the legal precedent and its not like they're going to say "darn, foiled by this clever nerd" when you refuse to provide them access.
|
|
#
¿
Feb 13, 2017 00:23
|
|
|
hackbunny posted:but he did foil them? they can't write anywhere that he's a pedophile. it's not a small victory for a pedophile that was caught quote:why do people have to turn instantly dumb and resort to absolutes when certain topics are discussed. no consideration of risk, reward, precedent, just straight to the scenario where they beat you for the password (which is trivial to solve btw: just don't know the password). why the hell would they do that?! (answer: because the solution is too much work and you'd just throw your hands up and pretend it's unsolvable) There's always been countries where this kind of poo poo was possible and this has been on the minds of people for a while(and CBP has been lovely for a loving while) its not a new thing. We're being 'dumb' because when you're building security features you have to make sure that they actually provide the properties you are promising your users. Promising security you cant deliver, especially against a repressive regime is unethical as gently caress. I don't think any of these duress features have been properly thought through in any of the considerations you listed. Your adversary doesn't care if you don't know your password or if you wont share it, this isn't some sovereign citizen poo poo where you say some magic gotcha and they shrug and give up, they want the access and dont give a gently caress about excuses and if they think you're lying they can be pretty lovely to you.
|
|
#
¿
Feb 13, 2017 05:08
|
|
|
Meat Beat Agent posted:car go bep bep quote this if you agree Sorry I'm in a lovely argumentative mood
|
|
#
¿
Feb 13, 2017 07:30
|
|
|
This made me very sad, thanks thread!
|
|
#
¿
Feb 22, 2017 02:30
|
|
|
I would have accepted "most Security Experts suck rear end at building real things" as a response instead of "OMG NSA".
|
|
#
¿
Feb 23, 2017 02:20
|
|
|
"Terminating TLS is smart and wont blow up in our face!"
|
|
#
¿
Feb 24, 2017 03:25
|
|
|
Lol
|
|
#
¿
Feb 27, 2017 21:37
|
|
|
cinci zoo sniper posted:To my dear nephew. I would break TZ for this shirt
|
|
#
¿
Mar 3, 2017 18:19
|
|
|
Loving Africa Chaps posted:It's probably because the NSA won't give the FBI any more exploits if they get burned all the time. At the moment they are prosecuting more cases they are having to drop with this exploit so it seems to be a sensible move if they feel it means more paedophiles end up in jail overall Judging by the Android section this is pretty old stuff
|
|
#
¿
Mar 7, 2017 16:24
|
|
|
OSI bean dip posted:how old? i imagine that there is a lot of android 2.x use out there https://developer.android.com/about/dashboards/index.html not really. Given that they don't even mention anything newer than KK in any way maybe 2-3 years at best, all the devices they reference are also at least that old.
|
|
#
¿
Mar 7, 2017 16:36
|
|
|
Volmarias posted:To play devil's advocate, this is only the numbers for devices that still contact the play store (iirc). All the garbage Chinese spin-offs that don't come with Google preloaded, or where the user isn't signed into a Google account (I ran into someone with a G1 a couple years back who never signed into a Google account on the device, and didn't realize that there was an app ecosystem) won't be counted in these numbers. If you're a TLA it depends on your targets, you're still going to be needing to attack flagships.
|
|
#
¿
Mar 7, 2017 17:00
|
|
|
Pryor on Fire posted:holy loving poo poo Finally posting quality will improve.
|
|
#
¿
Mar 7, 2017 17:59
|
|
|
Volmarias posted:Sure, but the point was that the graph isn't necessarily representative of the actual demographics of Android in the world. Given the number of devices that go into it it's still pretty representative overall outside of China.
|
|
#
¿
Mar 7, 2017 19:37
|
|
|
Volmarias posted:So, having not actually read the source material, and not wanting to read the possibly hyperbolic wikileaks writeup, is there anything in the recent CIA leak which is particularly unexpected? It seems like "no" since normally I'd be reading all about it here with No
|
|
#
¿
Mar 8, 2017 01:06
|
|
smilies etc if there was.
|
This is a better answer than mine
|
|
#
¿
Mar 8, 2017 01:13
|
|
|
Plorkyeran posted:there's iOS 9 exploits in the dump so it can't all be that old The dates don't seem consistent at all, the Android section is definitely mostly written before L shipped (it mentions some upcoming stuff in L in future tense)
|
|
#
¿
Mar 8, 2017 01:20
|
|
|
Wiggly Wayne DDS posted:ya abusing captive portals is in the cia's docs where they outline that the https cert for captive.apple.com is a big pain in the rear end and they'd never be able to source it Captive portals are garbage so you have to test http if you plan to send anything plaintext, since they may let HTTPS through unmolested but then gently caress up HTTP. Pretty much everyone does this but usually only when you move networks or if something looks particularly off. Captive portals are a fuckup.
|
|
#
¿
Mar 8, 2017 16:58
|
|
|
 oh hey its the snapchap poo poo again
|
|
#
¿
Mar 12, 2017 20:25
|
|
|
pseudorandom name posted:why would android even allow this at all? Because that's not what FLAG_SECURE is protecting against (because apps reading other apps windows is stupid Windows level poo poo)
|
|
#
¿
Mar 12, 2017 22:39
|
|
|
|
| # ¿ May 2, 2024 10:30 |
|
|
Subjunctive posted:didn't it used to be possible to overlay a transparent window over the active one and read back the composited result of your "own" window? I remember us stumbling across something like that when building the messenger chat heads, but I could be misremembering. maybe it was the opposite direction (main window could read chat heads). Not content AFAIK, but you can abuse SYSTEM_ALERT_WINDOW to snag taps or mask UI but pass through taps.
|
|
#
¿
Mar 12, 2017 22:56
|
|