hackbunny posted:"the worst that could happen", when you're a pedophile and you get caught, handily beats that, I'd say point of order: they claim he's a pedophile, they haven't proven that, or even charged him with being one. i can't think of too many other reasons he'd spend a year and a half in jail rather than co-operate either, but still.
# ¿ Feb 13, 2017 05:42
bep bep secfuck car question: other than that jeep thing from a couple years back, have there been any reports of internet connected vehicles being hacked? teslas are basically just a bunch of networked ubuntu vms, and i'd be curious to know if gm onstar systems are meaningfully firewalled from the ecu in any way
# ¿ Feb 13, 2017 07:36
i've worked with a company that supplies pos solutions to grocery chains. their standard builds for both POS and admin terminals disable UAC and store the system admin password in the registry. all the first run batch scripts they use to prep the image also ship on the PCs and are not removed, passwords for the system and the POS apps are hardcoded and appear to be the same for each client. once they sent me the IPs and VPN keys for an unrelated client while trying to figure out how to configure a secure VPN tunnel. a tunnel to an otherwise open network in a retail store, with apparently no firewall rules to block connections on their end to other clients. they claim PCI compliance
# ¿ Feb 13, 2017 09:15
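Added example, not code from the thread or from the vendor it describes: a read-only PowerShell audit that checks a Windows POS or admin image for the build weaknesses the post above lists (UAC switched off, a clear-text logon password left in the registry, and provisioning scripts with hard-coded credentials still on disk). It assumes it is run elevated on the image itself; `$ScriptRoot`, the default scan path and the credential regex are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): read-only audit of a POS/admin image.
# Assumptions: run elevated on the image; $ScriptRoot is a hypothetical path
# where the vendor's first-run batch scripts were left behind.

function Test-UacDisabled {
    # EnableLUA = 0 turns User Account Control off for the whole machine.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.EnableLUA -eq 0)
}

function Test-ClearTextAutoLogon {
    # Winlogon autologon keeps DefaultPassword in the registry in clear text.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $item -and -not [string]::IsNullOrEmpty($item.DefaultPassword))
}

function Find-LeftoverCredentialScripts {
    param(
        [string]$ScriptRoot = 'C:\',                               # assumption: scan root
        [string[]]$Include  = @('*.bat', '*.cmd', '*.ps1', '*.vbs')
    )
    # Lines that set or pass a password: "net user <name> <secret>", "password=",
    # "pwd=", "passwd=", or installer switches like "/p:", "/pass:", "/password:".
    $pattern = '(?i)(net\s+user\s+\S+\s+\S+|password\s*=|pwd\s*=|passwd\s*=|/p(ass(word)?)?:)'
    Get-ChildItem -Path $ScriptRoot -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        Select-Object -Property Path, LineNumber, Line
}

function Invoke-PosImageAudit {
    # One object per image so results can be collected with Export-Csv across a fleet.
    param([string]$ScriptRoot = 'C:\')
    [pscustomobject]@{
        UacDisabled          = Test-UacDisabled
        ClearTextAutoLogon   = Test-ClearTextAutoLogon
        CredentialScriptHits = @(Find-LeftoverCredentialScripts -ScriptRoot $ScriptRoot).Count
    }
}

Invoke-PosImageAudit | Format-List
```

Any `True` in the first two fields, or a non-zero hit count, is a finding to raise with the vendor; the regex is deliberately broad and will produce some false positives on comments, so review the `Line` column of `Find-LeftoverCredentialScripts` before filing.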
i get that this isn't the place for it, but is there a thread we can use to talk about the ongoing comically terrifying opsec fuckups of the american administration? cause boy howdy there's a humdinger today.
# ¿ Feb 13, 2017 20:23
i also did a thing: https://forums.somethingawful.com/showthread.php?threadid=3809850 race to see who gets gassed first
# ¿ Feb 13, 2017 21:13
*NSA, and random aides, while surrounded by mar-a-lago guests having dinner join us in the opsec thread for more
# ¿ Feb 14, 2017 02:27
stoopidmunkey posted:Finance uses it at work for talking to our bank. The program sucks and the brightcloud protections in it time out causing connection issues. We had to turn off the web filtering to get it to work for the nice ladies that cut my check. it's been pushed for years up here by a few of the banks. i'm constantly having to pull it from systems because it breaks https sessions in new and exciting ways. breaks in the sense of connections just plain ol fail at random if it's running. it also occasionally manages to peg an entire cpu core, doing something
# ¿ Feb 14, 2017 19:07
local secfuck: went to a local rogers reseller today to swap my cable modem, all their demo androids are signed in using the store's gmail account. google drive shows all the store's files, presumably backed up to the cloud, including store security, accounting, employee, and customer information. somehow no one seems to have noticed this. gg guys.
# ¿ Feb 17, 2017 00:36
lol, an iot safe? loving amazing
# ¿ Feb 21, 2017 04:40
apple ditched supermicro over servers with compromised firmware
# ¿ Feb 24, 2017 18:20
rjmccall posted:i mean, that too information security is job security
# ¿ Feb 24, 2017 19:08
so the ex-kaspersky guy got fingered for treason by a well connected business man who is also allegedly involved in cyber crime
# ¿ Feb 27, 2017 23:08
burglary as a service also, just a low rent clone of the unfortunately named fobcouver.ca
# ¿ Feb 27, 2017 23:33
or slip a receipt under the door. but yeah, why did you carry a can of compressed air?
# ¿ Feb 28, 2017 06:16
that's very sneakers of you
# ¿ Feb 28, 2017 06:51
too early to tell if it's a secfuck, but amazon broke the internet
# ¿ Feb 28, 2017 20:51
is there anything particularly wrong with microsoft's sstp vpn?
# ¿ Feb 28, 2017 23:38
I lose the rights
# ¿ Mar 4, 2017 05:49
ultramiraculous posted:hacking a very specific model of samsung tv to be used as a listening device... i haven't seen that part of the dump yet, but samsung tvs share an in house linux distro, unless the specific exploit has been patched, pretty much every smart tv using that stack will be vulnerable, and that can span several model years and series
# ¿ Mar 8, 2017 07:08
apache struts vuln getting savaged in the wild bonus: tons of implementations remain unpatched because it has to be updated on an application by application basis
# ¿ Mar 9, 2017 19:36
3DO will also read burned discs without modification, although it's very selective about what type of burned discs it will reliably read.
# ¿ Mar 14, 2017 17:00
FTC: IoT will just have to self-regulate. i'm sure it'll be fine
# ¿ Mar 14, 2017 17:18
Subjunctive posted:what would the scope of IoT regulation be, if there were some? "thing with network connection"? seems more FCC at that point roughly, something mandating ongoing manufacturer support and minimum levels of security for internet connected devices. e.g. your fridge/stove/babymonitor/drone/doorbell connects to the internet in any fashion then you have to provide security updates for x number of years for any discovered vulnerabilities and it has to have some basic level of authenticated access, no hard coded root passwords, etc. have really basic pen testing certification requirement, like a CE mark
# ¿ Mar 14, 2017 17:53
yes, but that's the whole point of having something like the FTC, to pass regulation to protect consumers because businesses will not do it voluntarily.
# ¿ Mar 14, 2017 17:58
anthonypants posted:afaik the CE mark is a lot like UL certification, and neither of those are the american government but the FTC requires those certifications for certain types of products to be sold in the us.
# ¿ Mar 14, 2017 18:10
ate all the Oreos posted:seems more like they're saying the FTC should require certification of some kind that's aimed at security rather than physical safety it's this, i was responding to subjunctive about how this could hypothetically fall under the FTC's mandate, shaggar also presented a solution
# ¿ Mar 14, 2017 18:40
fishmech posted:the pickiness reputation for the 3do comes from the fact that a lot of 90s/early 2000s cd burners and media were just plain lovely, and would produce discs on the edges of tolerance. it's far less of a problem with any disc you'd buy in recent years. from experience, no. i experimented with a half dozen different brands of cdr to get my FZ-1 to read burned discs, only five years ago. the pickup will read pressed discs 100% of the time, depending on the cdr, it will either not see it as a valid disc at all or fail/reset while loading constantly.
# ¿ Mar 14, 2017 18:44
anthonypants posted:did anyone post this one yesterday http://www.zdnet.com/article/leaked-us-military-files-exposed/ holy poo poo. this seems like it should be bigger news
# ¿ Mar 15, 2017 00:15
Volmarias posted:I'm sure that the company that operates entirely from China is going to actually provide those updates after pinky swearing to do it. Are you going to mandate that the retailer does it instead? how do we deal with any other product that is found to be defective after sale? computers are not magical unicorns, we can use the same legislation we already have.
# ¿ Mar 15, 2017 03:44
i'm not drafting policy here. broadly, you have minimum security standards and a certification mark showing you meet the standard. you have minimum ongoing support requirements for anything that's found to breach the standard, for x years your company, or your representative in the us is financially responsible for costs associated with any lapse or recall. i don't know exactly how enforcement works, to my knowledge there are some basic requirements for electrical devices sold in the united states, things like requiring UL and CE marks, so in theory something similar to that
# ¿ Mar 15, 2017 05:22
well i suppose it depends on how you qualify a safety hazard. if your device has a known vulnerability, you don't patch it, and it participates in a DDoS that knocks the eastern seaboard offline, i think there's an argument to be made for culpability there.
# ¿ Mar 15, 2017 05:37
somewhat, so either i'm very wrong (likely), or this is another case where computers are magic because reasons and no one has gotten anyone to bite on those grounds (probably not) i think you would have a clearer case if some critical infrastructure went offline due to an IoT DDoS and there were a directly attributable loss of life. although even then, it would probably be easier to focus on the direct cause of death.
infernal machines fucked around with this message at 05:45 on Mar 15, 2017
# ¿ Mar 15, 2017 05:43
bandwidth costs? hardship due to the police shaking you down over participating in cybercrime (lol)
# ¿ Mar 15, 2017 05:48
Subjunctive posted:if a life-critical piece of infrastructure fails because of unwelcome network traffic, lawyers are going to be pretty busy without figuring out the makes and models of the light switches generating the traffic, yeah do i need to go find the screenshot of the aws support posting where the guy was crying about their home care monitoring infrastructure being down because aws made an api change or something?
# ¿ Mar 15, 2017 05:52
okay, but if your iot doorbell is participating in a botnet and so your glucose monitor fails to upload your stats and trigger an alarm, and you go into a diabetic coma, have we come up with a sufficiently obtuse example where iot device security becomes a consumer safety issue?
# ¿ Mar 15, 2017 05:58
Subjunctive posted:no more so than an ISP error, power outage, or misplaced backhoe, IMO, so probably not. I'm not likely to be called as an expert witness though and i'm not likely to be writing consumer safety policy for the FTC, so i think we're both in the clear
# ¿ Mar 15, 2017 06:07
that's how the conversation started, the ftc made a statement washing their hands of responsibility for iot cyber security issues, saying they needed to see what threats would emerge before they could say if they had any standing on the issue
infernal machines fucked around with this message at 06:32 on Mar 15, 2017
# ¿ Mar 15, 2017 06:11
to be more succinct, i think iot security is a consumer safety issue as long as things like smoke/co alarms, stoves, and fridges are being connected to the internet. webcams in a botnet are a bit of a red herring, it's just a convenient example since it's been in the news
# ¿ Mar 15, 2017 07:07
anthonypants posted:who's culpable? the manufacturer, who can claim ignorance? the consumer, who was """""""notified""""""" about the vulnerability but neglected to patch the device or take it offline? the consumer's isp, who allowed their customers to participate in a botnet? the botnet doesn't matter, it's a convenient example of compromised devices. who's liable if your smoke alarm doesn't go off while your house burns down because someone hacked it for lulz? being part of a botnet can prevent devices from functioning, but the same access methods can be used to modify their behaviour in other ways, the fact that they're vulnerable to remote intrusion is the problem specifically the manufacturer's problem
infernal machines fucked around with this message at 08:23 on Mar 15, 2017
# ¿ Mar 15, 2017 08:18
man, i can't wait until they make .local a public tld
# ¿ Mar 15, 2017 16:11