  • Locked thread
jre
Sep 2, 2011

To the cloud ?



http://www.bbc.co.uk/news/technology-38415067

quote:

Security firms have launched routers at CES that can stop smart household gadgets being hijacked by hackers.
Symantec, BitDefender and Intel unveiled devices that scrutinise data as it flows across home networks.
The companies say routers with built-in defences will be essential as homes are filled with net-connected gadgets.
The routers also come with parental control features that help manage how much time children spend online and what they see.
Home invasion
"You will have to buy a security solution for your internet-of-things," said Alex Balan, chief security researcher at BitDefender.

quote:

"You will have to buy a security solution for your internet-of-things," said Alex Balan, chief security researcher at BitDefender.

quote:

"You will have to buy a security solution for your internet-of-things,"

quote:

"You will have to buy a security solution for your internet-of-things,"

quote:

"You will have to buy a security solution for your internet-of-things,"


jre
Sep 2, 2011

To the cloud ?



https://www.theguardian.com/world/2017/jan/06/russian-hacker-putin-election-alisa-shevchenko

quote:

Young Russian denies she aided election hackers: ‘I never work with douchebags’
White House claims Alisa Shevchenko was involved in hacking the US election but in an interview she says authorities misinterpreted facts or were fooled

She said she dropped out of three different universities, as she was passionate about learning but did not enjoy the structure of a university course. Around 2004, she joined Kaspersky Lab, a high-profile Russian cybersecurity firm.

She left to set up her own company, initially called Esage Lab (“I was thinking of something ‘sage’, as in a wizard or a magician,” she said). Later, she changed its name to ZOR.

im_zor.gif

jre
Sep 2, 2011

To the cloud ?



ohgodwhat posted:

Relatively tame but this guy's not off to a good start:
http://security.stackexchange.com/questions/147216/hacker-used-picture-upload-to-get-php-code-into-my-site

Roughly, "I don't know how this hacker is getting PHP files past my client side validation!"

quote:


I can tell that the picture upload box was definitely the problem based on the file name of the PHP code that was uploaded. Example: I ended up with logo1234567.php (tells me it's coming from the File Upload box that handles logo pics). When I store data from edit boxes, I use all three of PHP's functions to clean it:
code:
$cleanedName = strip_tags($_POST['name']); // Remove HTML tags
$cleanedName = htmlspecialchars($cleanedName); // Allow special chars, but store them safely.
$cleanedName = mysqli_real_escape_string($connectionName, $cleanedName);

:discourse:
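What the quoted poster actually needs is validation that runs on the server and never trusts anything the client sent: not the original filename, not the declared content type, and not the client-side check that the uploaded PHP file walked straight past. The block below is an added example, not code from the thread or from the Stack Exchange question; the function name, the MIME allowlist and the upload directory path are this example's own assumptions (PHP 7.4 or later assumed).

```php
<?php
// Added example (not from the thread or the Stack Exchange post): server-side
// checks for an image upload. validateImageUpload, the allowlist and the
// upload directory below are this example's own assumptions.

const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
const MAX_BYTES  = 2 * 1024 * 1024;
const UPLOAD_DIR = '/var/www/uploads-not-served'; // assumed path, outside the document root

/**
 * Validate one $_FILES entry and move it into UPLOAD_DIR under a server-chosen name.
 * Returns the stored filename; throws on any failed check.
 */
function validateImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . ($file['error'] ?? 'none'));
    }
    // Only accept a file that PHP itself received through this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the content. finfo reads the magic bytes of the temp file and
    // ignores both $file['type'] and the extension the client chose.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }

    // It must also decode as an image; a script merely renamed to .png fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Random name chosen by the server, extension derived from the sniffed
    // type. The client's filename ("logo1234567.php") is never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Usage inside the upload handler (the field name 'logo' is assumed):
// try {
//     $stored = validateImageUpload($_FILES['logo']);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('upload rejected');
// }
```

finfo and getimagesize() only establish that the bytes decode as an image; a polyglot that is both a valid image and PHP source passes both, so the controls that actually matter are the server-chosen filename with a non-script extension and a storage directory the web server never executes from. The strip_tags/htmlspecialchars/escape chain in the quote is about form fields and has no bearing on what gets written to disk from a file upload.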

jre
Sep 2, 2011

To the cloud ?



negromancer posted:

that's why you use mobaxterm on windows and stop using putty and winscp like it's 2004.

gently caress, that looks good. How long has that existed ?

jre
Sep 2, 2011

To the cloud ?



Wheany posted:

that does look good, but i don't feel like paying over $50 per year(?) to replace putty (and to a lesser extent, winscp)

If you are using this professionally why would you even blink at $50 for something that will improve your productivity

jre
Sep 2, 2011

To the cloud ?




:eyepop: well that escalated quickly

zen death robot posted:

Here's the rub. While I might be able to do it, I do not feel comfortable in doing so because that's not my area of expertise.

Absolutely the correct answer.

jre
Sep 2, 2011

To the cloud ?



Number19 posted:

yossec: who's a good ssl cert vendor in 2017? let's encrypt won't work for this. I've had a recommendation for alphassl but i want to see who else is decent these days. i need a wildcard cert for part of the project.

Go to name cheap and pick the vendor of your choice


edit: They only do comodo now, arse.

jre fucked around with this message at 20:22 on Jan 11, 2017

jre
Sep 2, 2011

To the cloud ?



mod saas posted:

test korea best korea

jre
Sep 2, 2011

To the cloud ?



pixaal posted:

Ticket phone call email all came in at the same time.

Someone is quitting in style:
All printed items now show the company name as WE SUCK DICKS 8====D

The "all users" permissions in our ERP software for some reason includes the ability to edit the company name. My favorite part is logging is disabled since everything already logs a username next to it so it just doubles up on everything (but a few functions that don't). Last time it was enabled it crippled the old server. Maybe my request to test logging on the new hardware will be approved.

We have hundreds of custom permission groups with tons of overlap and most people are members of 50+. I'm going to have to audit every one of these next week now. Which is also something I said should be done and have never been given time to do!

jre
Sep 2, 2011

To the cloud ?



Fuzzy Mammal posted:

it may be happening

What was the background to this again, Symantec issuing certs for google domains ?

jre
Sep 2, 2011

To the cloud ?



Bonfire Lit posted:

misissued certs for test.com and example.com (and some other certs/precerts that contain obviously bogus data)

again

Oh, test korea best korea. Cool :suspense:

jre
Sep 2, 2011

To the cloud ?



apseudonym posted:

I dont understand how that thread is so good at bringing out weird views on security.

Honeypot

jre
Sep 2, 2011

To the cloud ?



OSI bean dip posted:

dipshit greys do not last long in here hth


uncurable mlady posted:

i see this is your first eripsa encounter then

jre
Sep 2, 2011

To the cloud ?



flosofl posted:

Jesus, shut the gently caress up. You're gonna get the thread closed. Go to D&D and masturbate about laws and civil resistance there.

Oh no! off topic posts, in yospos ? aaaaaaaah !

jre
Sep 2, 2011

To the cloud ?




Jesus christ this guy is a menace :stare:

jre
Sep 2, 2011

To the cloud ?



ratbert90 posted:

Today in non-sec fuckups I made a tool that chunks through all of the packages in Buildroot and if it's hosted on GitHub or PyPI it checks to see if there's an update and if so auto-generates a patch to submit to the Buildroot team.

Almost 60% of the python libraries were out of date.
40% of those were out of date by more than 2 major revision numbers.

Lol that's obnoxious and they will kill you if you actually run it

jre
Sep 2, 2011

To the cloud ?



ratbert90 posted:

Oh I talked to the maintainers and they were all for it. 58 patches submitted!

This is totally retarded and will almost certainly break stuff. How did you check that bumping libraries major versions hasn't broken functionality ?
There are already tools (e.g. https://snyk.io , https://pypi.python.org/pypi/dependency-check/ ) which scan your dependencies for known vulnerabilities so you can limit the updates to things that actually matter.

jre fucked around with this message at 22:20 on Feb 19, 2017

jre
Sep 2, 2011

To the cloud ?



ratbert90 posted:

I actually scanned the dependencies if there was a dependencies.txt, I tried to import the module as well, and then if there was example code I tried to run that.

Out of the 58 patches, 3 were broken as far as I could tell.


I am embedded, this is just a side project for fun. :)


quote:

As far as I could tell ...

Hey I've just changed 58 dependencies without reading the change logs for those dependencies. I've done no meaningful tests so gently caress knows if this breaks the app, I've also not profiled what the effect of new versions on mem / cpu / io is. Nor did I actually check for advisories so the new versions are just as likely as the old to have horrible vulnerabilities in them.

What do you mean you're taking away my push privs ?

jre
Sep 2, 2011

To the cloud ?




I was staring at that for ages going, what's wrong with a minimum of 8 chars, mix of caps, small and numbers?


:psyduck: wtf ?

jre
Sep 2, 2011

To the cloud ?



OSI bean dip posted:

It doesn't matter to me if you're "rich", you're as white as many other posters in this thread and unlike many people who are not white, you've had the ability to get a degree that enabled you to teach at two post-secondary institutions. Like many other white males such as yourself, you've also attempted to go into business in a white male-dominated field--we're talking about your failed cryptocurrency nonsense.

Now as a white male, you're trying to impose a social order that again will make white males such as yourself have a privileged position. How can someone who makes minimum wage who is just as likely to not be a white male like yourself be able to afford an 8x8 grid of "EMV chips" (again something you have failed to explain) when they cost an exorbitant amount of money that they're unlikely to be able to put aside?

quote:

Sorry for bursting your tender white male bubble, Eripsa, but no matter what you say you're as white as they come. I'm Irish and by that definition I am not technically "white" but guess what? I am and so are you. Where you were raised, what level of education your parents have, or where you were born are completely irrelevant to me. You have the privilege of being white and just like most people with attitudes like yours, you don't understand it.

You're white.


I enjoyed the posts where you told the Hispanic guy that he wasn't dark enough to be an ethnic minority, that was good. I'm surprised you didn't quote these brutal owns yourself.

jre
Sep 2, 2011

To the cloud ?



Wiggly Wayne DDS posted:

we've been trying to get osi to stop posting for years to no effect

jre
Sep 2, 2011

To the cloud ?



OSI bean dip posted:

I regret that post and I acknowledged in the thread it was wrong of me

Cool, can we go back to laughing at sec fucks and not have to wade through you quoting your own dick waving posts from elsewhere in the forums ?

jre
Sep 2, 2011

To the cloud ?




owns owns owns

jre
Sep 2, 2011

To the cloud ?



Wiggly Wayne DDS posted:

cloudflare reverse proxies are dumping uninitialized memory: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

loving hell :stare:

quote:

We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

jre
Sep 2, 2011

To the cloud ?



anthonypants posted:

Needless to say, this did not convey to me that they take the program seriously.


Savage

jre
Sep 2, 2011

To the cloud ?




While claiming a 3 month average is taking the piss a bit, they are correct that the speed with which they fixed this and deployed to massive infra is impressive.

jre
Sep 2, 2011

To the cloud ?




gently caress, outdone :magical:

jre
Sep 2, 2011

To the cloud ?




I think you're being trolled.

jre
Sep 2, 2011

To the cloud ?



OSI bean dip posted:

it's hard to tell really

:smith:

jre
Sep 2, 2011

To the cloud ?



sarehu posted:

It's very easy to test my hypothesis. Take my 8 characters-and-less passwords on websites I use (they go down to 6), count how many times my accounts have been lost from the password being hacked, and compare the results with your however-long passwords that make you feel secure.

I've never lost any account to somebody brute forcing my password over the wire. Or from anybody getting the password database and cracking it offline. That would be doable, but there's minimal harm that could be done on any service for which that could be accomplished.
:suicide:

jre
Sep 2, 2011

To the cloud ?



ate poo poo on live tv posted:

*millions of dollars in lost revenue for customers*


If you are only in 1 region and being down for 10 hours costs you significant money you're the fuckup

jre
Sep 2, 2011

To the cloud ?



Truga posted:

the s in iot stands for security

jre
Sep 2, 2011

To the cloud ?



Zero One posted:

I have a login for a top-5 global bank that allows me to process international funds transfers (on behalf of my clients) worth millions of dollars.

It has 2FA which is in the form of a little authenticator with a keypad they mailed to me. I log into their website and then it prompts me to enter an 8 number challenge code into the device. It then gives me an alpha-numeric response to type into the website. Then I have a personal password.

Over the past few months I've discovered the website re-uses challenge codes. And not just like the same one after 60 days... I will often get the same code several times a week. There appear to be a max of 10 codes or so. Then the authenticator will give the same response to the same challenge code. It isn't salted based on the time or date or anything.

This has resulted in me memorizing the codes (I log in and out multiple times a day) so I don't need to use the authenticator anymore.

Depressing but not surprising
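To make the post's observation concrete, the added simulation below (not the bank's system, and not anything posted in the thread) models a keypad token whose response is a truncated HMAC over the challenge with a per-device secret, which is an assumption about how such a device works, and compares a server that draws challenges from a fixed pool of ten with one that issues a fresh 64-bit single-use challenge tied to the session (PHP 7.4 or later assumed). The pool values and device secret are constructed for the run.

```php
<?php
// Added simulation, not the bank's system or anything posted in the thread.
// Assumption: the token answers a challenge with the first 8 hex chars of
// HMAC-SHA256(device secret, challenge). Real devices differ; the point is
// that the response is a fixed function of the challenge alone.

function deviceResponse(string $deviceKey, string $challenge): string
{
    return strtoupper(substr(hash_hmac('sha256', $challenge, $deviceKey), 0, 8));
}

// Run $logins logins against a server whose challenge policy is $issue().
// An observer (or the user's own memory, as in the post) keeps every
// (challenge, response) pair it has seen and answers from that table when it can.
function simulate(callable $issue, string $deviceKey, int $logins): array
{
    $seen = [];
    $withoutDevice = 0;
    for ($i = 0; $i < $logins; $i++) {
        $challenge = $issue();
        if (isset($seen[$challenge])) {
            $withoutDevice++;                       // token never consulted
        } else {
            $seen[$challenge] = deviceResponse($deviceKey, $challenge);
        }
    }
    return ['distinct_challenges' => count($seen), 'logins_without_device' => $withoutDevice];
}

// Hardened server side: a challenge is 64 fresh random bits, bound to the
// session that asked for it, and consumed on its first use, pass or fail.
final class ChallengeServer
{
    private array $outstanding = [];   // challenge => session id
    private array $used = [];          // challenges that may never be accepted again

    public function issue(string $sessionId): string
    {
        $c = bin2hex(random_bytes(8));
        $this->outstanding[$c] = $sessionId;
        return $c;
    }

    public function verify(string $sessionId, string $challenge, string $response, string $deviceKey): bool
    {
        if (isset($this->used[$challenge]) || ($this->outstanding[$challenge] ?? null) !== $sessionId) {
            return false;              // replayed, unknown, or another session's challenge
        }
        unset($this->outstanding[$challenge]);
        $this->used[$challenge] = true;
        return hash_equals(deviceResponse($deviceKey, $challenge), $response);
    }
}

// Constructed data for the run.
$deviceKey = 'constructed-per-device-secret';
$pool = ['48213907', '10938472', '77120034', '26504918', '91837265',
         '30481726', '58279103', '64015927', '12793480', '85620371'];
mt_srand(7); // deterministic pool selection so the run is reproducible

$weak  = simulate(fn() => $pool[mt_rand(0, count($pool) - 1)], $deviceKey, 200);
$fresh = simulate(fn() => bin2hex(random_bytes(8)), $deviceKey, 200);
printf("fixed pool of %d: %d distinct challenges, %d of 200 logins needed no device\n",
    count($pool), $weak['distinct_challenges'], $weak['logins_without_device']);
printf("fresh 64-bit:    %d distinct challenges, %d of 200 logins needed no device\n",
    $fresh['distinct_challenges'], $fresh['logins_without_device']);

// With the hardened server a recorded pair is worthless once it has been consumed.
$server = new ChallengeServer();
$c = $server->issue('session-A');
$r = deviceResponse($deviceKey, $c);
var_dump($server->verify('session-A', $c, $r, $deviceKey)); // fresh challenge, matching response
var_dump($server->verify('session-A', $c, $r, $deviceKey)); // same pair again: rejected as a replay
```

The simulation shows why the second factor in the post stops being one: with ten reusable challenges nearly every login after the first handful is answerable from a table, while 64 random bits per challenge make a recorded pair effectively never recur. The ChallengeServer part is the mitigation on the site's side; time-based or counter-based tokens avoid the issue by construction, since the response then depends on something the server never repeats.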

jre
Sep 2, 2011

To the cloud ?



OSI bean dip posted:

browse the site from tor:



:allears: legit amazing

What ya gonna do, when the Austrian police come for you ?

jre
Sep 2, 2011

To the cloud ?




jesus gently caress :stare:

jre
Sep 2, 2011

To the cloud ?



They made an ssh -> tcp -> cache noise protocol
:vince:


quote:

Even in the presence of extraordinarily high system activity, we can maintain a transmission rate between 34.27 KBps and 45.09 KBps with an error rate of 0% on Amazon EC2 virtual machines, which is three orders of magnitude higher than previous covert channels on Amazon EC2. Based on this error-free covert channel, we built the first implementation of TCP through a cache covert channel. We verified the practical applicability of our error-free TCP connection by tunneling SSH and telnet connections reliably between two colocated Amazon EC2 virtual machine

jre fucked around with this message at 22:48 on Mar 30, 2017

jre
Sep 2, 2011

To the cloud ?



and I just can't hide it

jre
Sep 2, 2011

To the cloud ?



CRIP EATIN BREAD posted:

oh jesus the IP to that thing is in one of the videos.

:suspense:

jre
Sep 2, 2011

To the cloud ?



apseudonym posted:

Its not janky :colbert:

It's non existent


jre
Sep 2, 2011

To the cloud ?




Oh have they finally fixed the problem of 99.9% of android devices never getting an update, security or otherwise, once they leave the factory ?
I must have missed that.
