|
Migishu posted:Security Fuckup Megathread - v13.0.1 - looks like them secfuck boys are at it again
|
# ¿ Jan 5, 2017 16:48 |
|
|
ratbert90 posted:Gonna leave this here: This is great, I hope it happens.
|
# ¿ Jan 5, 2017 17:38 |
|
center for strategic and int'l studies wizard policy task force. has the wizard glasses to prove it 2017 is going to be a very good year for wizard security, i can tell already
|
# ¿ Jan 5, 2017 19:35 |
|
Segmentation Fault posted: you can still get a free upgrade if you jump through some sort of user accessibility hoop, I don't know anything about that specifically

You have to pinky swear you'll use accessibility features (like, say, hotkeys) when using windows, and you can still install it from here: https://www.microsoft.com/en-us/accessibility/windows10upgrade That's it. Also, lol that microsoft themselves don't offer a torrent of their iso, it's a much better protocol for downloading large files than http if your internet isn't very fast (so, majority of the world that doesn't have win10 yet). Are there even any browsers out there that can resume http downloads today?

Winkle-Daddy posted: Hey sec fuckup thread! I know I've seen some awesome posts about what cipher suites should be enabled...does anyone have a config or can link to an ideal nginx SSL config? Specifically for ssl_protocols and ssl_ciphers?

My personal procedure is to use https://www.ssllabs.com/ssltest/analyze.html until it shows A or A+. It says what the problematic ciphers are if you have them enabled.
|
# ¿ Jan 6, 2017 17:46 |
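A local lint for the two directives Winkle-Daddy asks about, as an added example that is not from the thread: it pulls `ssl_protocols` and `ssl_ciphers` out of an nginx config and flags the entries SSL Labs would mark down. The weak-marker list and both sample configs are my own constructed summary, not nginx's or SSL Labs' grading rules.

```python
import re

# Protocol versions that SSL Labs penalises (assumption: summarised from common guidance).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string fragments that should not be enabled (3DES matches "DES" on purpose).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "PSK", "SRP",
                       "DSS", "ADH", "AECDH", "LOW", "MEDIUM")

# Constructed sample: a pre-2017 style config with legacy protocols and ciphers left on.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # legacy versions still enabled
    ssl_ciphers 'HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL';
}
"""
# Constructed sample: the same block with only modern protocols and AEAD ciphers.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL:!MD5';
    ssl_prefer_server_ciphers off;
}
"""


def _strip_comments(text):
    # nginx comments run from '#' to end of line; drop them before matching directives.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_tls_directives(config):
    """Return (protocol list, cipher token list) found in an nginx config string."""
    clean = _strip_comments(config)
    protocols = []
    for m in re.finditer(r"\bssl_protocols\s+([^;]+);", clean):
        protocols.extend(m.group(1).split())
    ciphers = []
    for m in re.finditer(r"\bssl_ciphers\s+['\"]?([^;'\"]+)['\"]?\s*;", clean):
        ciphers.extend(t for t in m.group(1).split(":") if t)
    return protocols, ciphers


def find_weak_tls_settings(config):
    """List human-readable findings; an empty list means nothing was flagged."""
    protocols, ciphers = parse_tls_directives(config)
    findings = [f"protocol {p} enabled" for p in protocols if p in WEAK_PROTOCOLS]
    for tok in ciphers:
        if tok.startswith(("!", "-")):
            continue  # an exclusion such as !MD5 is exactly what we want to see
        hit = next((mk for mk in WEAK_CIPHER_MARKERS if mk in tok.upper()), None)
        if hit:
            findings.append(f"cipher token {tok} matches weak marker {hit}")
    return findings
```

Run it over your own `nginx -T` output before paying for a scan; it catches the obvious offenders offline, while SSL Labs still checks the certificate chain and negotiated suites on the live server.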
|
pr0zac posted: no one should be running windows 7 when win10 is a free upgrade

however, if you have to, windows 10 installer will take a windows 7 product key even on a fresh install in my experience, even after the period ended.
|
# ¿ Jan 6, 2017 17:58 |
|
ratbert90 posted:Random question: Get a 50 year certificate But no, I don't think you can. What you can do is allow the customer to add their own certificate, and they can either suck or get one from their own internal CA E: welp i can't scroll
|
# ¿ Jan 6, 2017 23:53 |
|
And enjoy your house fire when the fridge decides it's time to set its temperature to 2 billion degrees because it couldn't resolve dumbfridge.samsung.co.kr. No, the way of going about this is to buy dumb appliances. They're probably still cheaper at this point, even.
|
# ¿ Jan 10, 2017 12:29 |
|
honestly, this is great brb dumping all blu ray encryption keys LastInLine posted:for now thats an option but just like tvs what will happen is that "premium" sizes or featuresets will eventually be smart only then ones with relatively mundane features like everything with an ice maker or a timer on the oven and then it will just be the lovely rental unit ones that arent smart and everything else will be smart i'll be the idiot paying idiot hipster tax for dumb fridges in 2030, if (lomarf) iot is still a shitshow. Truga fucked around with this message at 13:57 on Jan 10, 2017 |
# ¿ Jan 10, 2017 13:54 |
|
and thus begins the fall of ransomware
|
# ¿ Jan 11, 2017 13:01 |
|
security pissup megathread - much hacking, hacking is bad, shouldn't be done
|
# ¿ Jan 11, 2017 17:33 |
|
trump's obercybergrandpa
|
# ¿ Jan 13, 2017 03:03 |
|
Powaqoatse posted:goddamn youre amazing
|
# ¿ Jan 17, 2017 09:52 |
|
Ur Getting Fatter posted:waSSHing machine
|
# ¿ Jan 17, 2017 14:42 |
|
OSI bean dip posted:Isn't there a limit to the number AD users and groups? depends, which samba version is it running on?
|
# ¿ Jan 23, 2017 15:50 |
|
guess i'm safe, all my paths contain anime
|
# ¿ Jan 26, 2017 15:45 |
|
snowden died in vain https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united

quote: Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

if you're not a us citizen get your poo poo out of us services. probably if you're us citizen too
|
# ¿ Jan 26, 2017 16:22 |
|
Subjunctive posted:How so? Legal residents and visitors to the US enjoy the full protection of law. Well, yeah, but now it's also legal. Until now there was that safe harbour replacement thing: http://fortune.com/2016/02/02/looks-like-data-will-keep-flowing-from-the-eu-to-the-u-s-after-all/
|
# ¿ Jan 26, 2017 16:34 |
|
Subjunctive posted: So how is this the same as it's been then?

it's the same since i'm pretty sure they'd do it if they wanted to do it in other words:

flakeloaf posted: to the extent that the law can be flexed, for compelling reasons like "because we can" and "gently caress you"

also, this fuels my paranoia nicely, and it feels good. my antivirus anecdote is that windows defender runs in the background automatically and users don't know it's av since it's windows and thus don't complain about av slowing their pc. probably might as well not exist, but it satisfies the antivirus requirement some people give so i'll take it e: oh, i also run clamav on mail gateways for the same reason and get a few mails every year about it catching this or that 10 year old infected .doc or trojan
|
# ¿ Jan 26, 2017 17:36 |
|
oh, that's even worse then
|
# ¿ Jan 26, 2017 17:41 |
|
nah, you're right hijacking a browser or the iot poo poo is great and all, but there's a lot of things they can't do. obviously you don't bother attacking av when making your kickass anime botnet because the potential amount of targets is an order of magnitude smaller but if you're going to do espionage, sabotage, that sort of poo poo, figuring out what av your target office uses (often just telneting to their mail server and sending to a bogus address will send you a reply with SCANNED BY OUR SUPERSCANNER 9000) and attacking that is probably one of the better courses of action, because 2 posts up
|
# ¿ Jan 27, 2017 21:39 |
|
your operating system is printing owned sheets.
|
# ¿ Feb 4, 2017 20:09 |
|
Subjunctive posted:I also somewhat doubt that we have clean backups. nice av/post combo there
|
# ¿ Feb 6, 2017 13:39 |
|
denuvo isn't always online, but it does stop working if it can't get online for more than 5 days, presumably to get new keys.
|
# ¿ Feb 6, 2017 17:14 |
|
The_Franz posted:so it's likely that the cracking group just has it figured out at this point either that or it has something to do with https://twitter.com/alt_kia/status/818609521928998912?ref_src=twsrc%5Etfw if you have full debug access to your cpu, hahahaha drm? lol nope.
|
# ¿ Feb 6, 2017 17:46 |
|
LeftistMuslimObama posted:the grey forum sure is mad that firefox is getting rid of the older more insecure extension framework. how will they get a "sane" tabs-under-url ui without classic theme restorer? the old firefox extension framework is also real loving good though, and allows for a lot of things the lovely js one can't do i don't give a poo poo where the url bar is, because my url bar doesn't exist, but if the only extensions that are keeping firefox users on firefox break, most will just use chome instead. i'm sure google would love that, but i'm not sure mozilla will.
|
# ¿ Feb 7, 2017 15:12 |
|
cheese-cube posted:NPAPI support : firefox :: register_globals : PHP nobody is bothered by NPAPI being gone, it's never worked in 64bit firefox anyway people are bothered with the webextensions framework being a shitshow, though at least they seem to be working hard on extending it finally hopefully they'll have most of the functionality down by the time they force xul off for everyone e;fb and no, it's nothing like npapi at all.
|
# ¿ Feb 7, 2017 15:39 |
|
yeah, I'm not going to defend xul in any way because it's a gigantic mess, and i purposefully avoided writing poo poo in it even though i've used firefox since the first beta releases. writing applications with xml ughhhh but webextensions right now can't replace quite a bit of things xul extensions do for firefox. webextensions is very good though and mozilla has been working hard on extending it to the point where it'll hopefully do most of the things xul does now. there's some things that won't ever be possible I'm sure, but I don't know any extensions that would need more than webextensions is theoretically capable of providing plus, it's more secure, since it runs inside the browser sandbox afaik. if you install a malicious firefox extension it probably can do some real damage right now
|
# ¿ Feb 7, 2017 16:03 |
|
gonna be a lot of bits when that condom ruptures
|
# ¿ Feb 7, 2017 16:38 |
|
Meat Beat Agent posted:universal serial butt
|
# ¿ Feb 7, 2017 16:44 |
|
https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/ owns quote:Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher.
|
# ¿ Feb 9, 2017 12:07 |
|
https://www.vusec.net/projects/anc/ aslr
|
# ¿ Feb 15, 2017 11:37 |
|
just download some lovely windows 7 pro iso and upgrade to windows 10, jeez
|
# ¿ Feb 19, 2017 12:00 |
|
https://wycd.net/posts/2017-02-21-ibm-whole-cluster-privilege-escalation-disclosure.html

quote: This is a disclosure of a privilege escalation vulnerability I found in the IBM Data Science Experience product, which was patched on Feb 15th, 2017. It was a misconfiguration vulnerability with very severe consequences. In short, they left all the Docker TLS keys in the container

ayyyy lmao
|
# ¿ Feb 22, 2017 10:00 |
|
i'm currently in the process of deploying openshift through our infrastructure and butts and it's going to own and be the best thing ever, but yes, i agree
|
# ¿ Feb 22, 2017 14:26 |
|
the main problem of docker is the ease of access i bet. you click or paste a few things and are developing the app in a production like environment! another few clicks and it's running on production in a ha cluster! it's like magic you're supposed to have a sysadmin and/or devops guys handling all the configuration poo poo, but lol if a manager will hire a dude he doesn't explicitly need to push his project into production, when he could raise his own salary by pushing out more project faster, cheaper if a secfuck happens, the dev will be the one getting hosed anyway
|
# ¿ Feb 22, 2017 15:47 |
|
OSI bean dip posted:a year now will be a month in few years case in point, from the amd thread: maybe amd will finally be good again and the rate of progress will increase, as intel/nvidia get off their collective butts tangentially related, there's bound to be good bugs in early zen, a completely new arch waiting to be exploited. especially seeing how they're basically soc now, there's barely anything off the package. can't wait
|
# ¿ Feb 23, 2017 20:13 |
|
ate all the Oreos posted:christ you have a lot of plugins why you got so many plugins plugin man that's what my chome looked like when i had chomeos
|
# ¿ Feb 24, 2017 15:30 |
|
some password manager did send their passwords in the clear through cloudflare tho. was it lastpass again? those guys just keep loving up
|
# ¿ Feb 24, 2017 15:55 |
|
no, over https. just not, you know, like normal people do password managers - in an encrypted container that only you know the secret to unlock
|
# ¿ Feb 24, 2017 16:13 |
|
|
in other news: https://www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/ first disk clicking, then fan speeds, now blinken lights, lmao
|
# ¿ Feb 24, 2017 16:26 |