negromancer posted: screenshot or didn't happen

You're taking that too literally, the fingerprints are hex, unless that's a really dumb winscp placeholder message. Bearing in mind that it could also be an ecdsa or ed25519 key and client side changes can alter the priority & thus get you a warning (without MITM), the following command gets you the fingerprint on the server:

$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

Maybe they were using an old DSA host key and the server no longer supports it.

edit: You may need to insert a "-E md5" (after ssh-keygen) to get old-style fingerprints - apparently OpenSSH changed from md5 to sha256 by default in v6.8 (March 2015) and I haven't had to do a careful fingerprint examination in that long.

James Baud fucked around with this message at 11:14 on Jan 9, 2017
# ¿ Jan 9, 2017 10:30
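What ssh-keygen -lf actually prints is a hash of the public key blob, in either the SHA256 style (OpenSSH 6.8 and later) or the older MD5 colon-hex style, and a client warning is only meaningful once you compare the same key type the client negotiated. The following is an added example, not code from the post above: it parses a one-line OpenSSH public key file, checks that the declared key type matches the type encoded inside the blob, and produces both fingerprint styles so a fingerprint shown by any client can be checked against the server's key. The ssh-ed25519 key bytes are constructed for the example and are not a real host key.

```python
"""Compute OpenSSH public-key fingerprints in both the SHA256 (OpenSSH >= 6.8
default) and legacy MD5 (ssh-keygen -E md5) styles, independent of which
style the connecting client happens to display."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a syntactically valid ssh-ed25519 public key line whose
# 32 key bytes are made up for this example (NOT a real host key).
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(SAMPLE_KEY_BYTES)
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " root@example-host"
)


def parse_pubkey_line(line: str):
    """Return (declared key type, decoded blob) from a one-line OpenSSH public
    key such as the contents of /etc/ssh/ssh_host_ed25519_key.pub.

    The blob's first SSH string is the key type; if it disagrees with the
    declared type, the file has been mis-copied or tampered with, so reject it."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short to contain a key type")
    (type_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + type_len].decode("ascii", errors="replace")
    if inner_type != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} declared, {inner_type!r} in blob")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Modern style: 'SHA256:' followed by unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy style (ssh-keygen -E md5): 'MD5:' + colon-separated hex of md5(blob).
    Clients older than OpenSSH 6.8 show the same hex without the 'MD5:' prefix."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(blob: bytes, shown: str) -> bool:
    """Compare a fingerprint displayed by any client (either style, with or
    without the 'MD5:' prefix, any letter case) against the server's key blob."""
    shown = shown.strip().lower()
    md5_fp = fingerprint_md5(blob).lower()
    candidates = {fingerprint_sha256(blob).lower(), md5_fp, md5_fp[len("md5:"):]}
    return shown in candidates


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print(key_type, fingerprint_sha256(blob))
    print(key_type, fingerprint_md5(blob))
```

On a real server the input line is the contents of the .pub file for the key type the client actually negotiated (ed25519, ecdsa or rsa), which is the point the post makes about client-side algorithm priority: comparing the RSA fingerprint against a warning raised for an ed25519 key will never match, MITM or not.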
Cybernetic Vermin posted:they also have no excuse in that their entire business proposition is to be a repository of people's data. not being able to keep people's data does put a bit of a dent in the plan This failure only took out the free tier, the enterprise 'on your premises' (40-200/user/year) / hosted customer instances (80-800/mo) survived. So doing a crappy job on the free tier surely just convinces people to give them money, right? (Likewise, the value of any user who walks away forever over outage / data loss is close to zero)
# ¿ Feb 1, 2017 08:00
I'm surprised the duress fingerprint which forces re-entry of the PIN (since that occasionally happens anyway, at least on Android) isn't already a thing. Bonus points if it flushes memory contents, but baby steps.
# ¿ Feb 12, 2017 17:31
a witch posted:can't you just turn the phone off? iOS requires a pin after boot before fingerprints start working Yes, but let's say you didn't do that and are being compelled to fingerprint unlock... Darn, it asked for the PIN anyway even though I complied.
# ¿ Feb 12, 2017 17:47
Subjunctive posted:is that going to be interpreted as destruction of evidence? My theory goes: "indistinguishable from regular behavior" (as you do get occasional PIN prompts despite fingerprint), but I'm basing that on how the Nexus 5x and Pixel work, dunno about other phones.
# ¿ Feb 12, 2017 18:24
Cloudflare just announced support for generic TOTP 2FA apps, beyond the sole option available previously (Authy), specifically naming Google Authenticator... Probably some sort of bypass issue related to that change.
# ¿ Feb 18, 2017 06:14
ratbert90 posted:Today in non-sec fuckups I made a tool that chunks through all of the packages in Buildroot and if it's hosted on GitHub or PyPI it checks to see if there's an update and if so auto-generates a patch to submit to the Buildroot team. I thought you'd been doing embedded stuff for a while? Who wants the web programmer-y moving target APIs that keeping all those packages current for "author bumped a version" reasons alone would introduce? My first thought is of that "Calibre" ebook software whose author obnoxiously (because it nags) does a release or two every week and has sustained that pace for a decade. A one-time catch-up, people can maybe handle, but oh man maintenance...
# ¿ Feb 19, 2017 20:51
Diva Cupcake posted:Here's the Google blog post... "Today, 10 years after of SHA-1 was first introduced" ........... Odd place to make a mistake like that, and I don't mean the extra word/typo.
# ¿ Feb 23, 2017 15:34
Truga posted:in real cia news, they're apparently the original creators of polarssl, now known as mbedssl and used in pretty much everything. I glanced around for this and didn't see it, please tell me there's more in support of it than people misunderstanding "Building PolarSSL on Solaris x86 and SPARC"..?
# ¿ Mar 7, 2017 18:02
OSI bean dip posted:so this came up in the sh/sc help thread 50/50 odds of enthusiast / budding child pornographer.
# ¿ Mar 7, 2017 20:05
infernal machines posted:3DO will also read burned discs without modification, although it's very selective about what type of burned discs it will reliably read. Yeah, years after I'd shelved my (unmodded Panasonic) 3DO I was able to play some games on it that I could never get my hands on, "in the day", by burning them myself. Didn't know it could be picky, may have just been lucky.
# ¿ Mar 14, 2017 18:36
Doom Mathematic posted:If you've got the vulnerability there, why not just port calc.exe to Mac and then inject and run it? Running a familiar harmless binary already on the target computer is totally different than injecting arbitrary code that "looks" like it's harmless. See every game crack ever.
# ¿ Mar 21, 2017 19:46
Look at the bright side, by next week every lastpass user is that much safer against world class attackers.
# ¿ Mar 22, 2017 09:58
Security thread posters wrong again, nonstandard port for something that doesn't need to be accessed by general public keeps your logs cleaner (a good thing) and also saves you from most low-effort untargeted attacks which, every once in a blue moon, do target 0-days. Sure, you're no more secure, but you outran the other guy so the bear ate him, etc. Poul-Henning Kamp has a few good bits about the "security through obscurity isn't" canard and its overly anal adherents. You're never 100% secure anyway, so why pretend?
# ¿ Apr 19, 2017 22:12
ate all the Oreos posted:note the key phrase of "improves security" If it dodges 99% of low-effort attacks, it is "improving" security. Re: the latter, administrative hassle is a biggy
# ¿ Apr 19, 2017 22:23
OSI bean dip posted:because he's probably a pissant IT worker who doesn't know anything Aw, look who's doing the cute "assume everyone is just like himself a couple years ago" thing.
# ¿ Apr 19, 2017 23:07
You know, you've actually met me at an industry thing, but the bar to get into those is pretty low.
# ¿ Apr 19, 2017 23:12
So I didn't read the full report / write-up, but how did they justify calling malicious javascript wormable?
# ¿ May 9, 2017 18:30
haveblue posted:it can be triggered by automated inbound data like email bodies, IMs, etc I was thinking that made it a bit of a reach on servers, but I guess Exchange does exist and has the option of automatic AV scanning. I think it was slightly oversold between wormable and default install... Because things like that have happened before to fully patched systems, granted not in ~15 years.
# ¿ May 9, 2017 18:55
Subjunctive posted:if you're on XP, you want Direfox because it indeed does still update Barely - some security fixes might get there but not many... although if you're just running XP in a VM, whatever. https://support.mozilla.org/en-US/kb/end-support-windows-xp-and-vista Last update March 28, 2017 unless there are newer ones missing release notes. https://www.mozilla.org/en-US/firefox/52.0.2/releasenotes/
# ¿ Jun 21, 2017 02:52