 
  • Locked thread
pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug
posting on the first page and all that

and good lord we need to get some better resource links for newbies than r/netsec, like its good for a reddit but its still reddit

pr0zac fucked around with this message at 18:24 on Jan 5, 2017


pr0zac

cheese-cube posted:

thankyou for doing the needful afreak.

for content my ops mgr has asked me if i want to move to the secops team. talk about a secfuck. not the first time he's asked me either, i turned him down in february 2015 becos lol

What are you up to currently and why wouldn't you wanna move? secops can be fun, get to play with a bunch of cool security tools

cheese-cube posted:

we're better than reddit by virtue of not being reddit

https://www.youtube.com/watch?v=DOqb_UzJSUQ

meant it more for the industry as a whole as opposed to this thread, its kind of nuts that the best source for infosec news (wtf did i write newbies?) is a god drat subreddit

wasnt meant as reddit hate either, though i did send that video to my brother over the holidays after he kept sending me stupid dumb reddit links

pr0zac

Heresiarch posted:

you still can't download a windows 7 ISO from MS afaict, but they even have a tool for downloading windows 10

no one should be running windows 7 when win10 is a free upgrade

pr0zac

Heresiarch posted:

the mobaxterm site is http and their download is http

its https for me? :confused:


pr0zac
oh its cause i force https everywhere, looks like site defaults to http for some dumb reason

you can switch it manually though!

pr0zac
The mongodb ransomwares aren't working because the dbs are still open to the world after the data is dropped so copycats are rolling in, blowing away the original ransom note and putting in their own, and repeat nine times so there's no way to pay the attacker that actually has your data

In other news, back a while I referenced fears that Russia had access to Telegram, but didn't have much more than speculation to back it up, one thing hidden in the trumppissgate docs is confirmation that yes, Russia has access to Telegram

pr0zac
In other Telegram sucks news, nadim going to grad school has done good things

https://twitter.com/kaepora/status/819181464369577984

pr0zac

A Pinball Wizard posted:

what is trumppissgate?

Fake edit: my phone autocorrected trumppissgate to trumpageddon

Look man, if you're gonna do the joose and forget the last three days don't look at us to fill in the details

(Trump likes watching hookers pee on each other, Russia has docs/video on this and other blackmail material, it is the only thing anyone on twitter, TV news, etc has been talking about the last couple days)

pr0zac

spankmeister posted:

Care to elaborate?

Sorry, I'm on phone waiting for my wife's car to be fixed thus lack of details.

http://www.theverge.com/2017/1/11/14237136/trump-leak-telegram-security-cracked-russia-encryption

quote:

An FSB [Russian secret service] cyber operative flagged up the ‘Telegram’ enciphered commercial system as having been of especial concern and therefore heavily targeted by the FSB, not least because it was used frequently by Russian internal political activists and oppositionists. His/her understanding was that the FSB now successfully had cracked this communications software and therefore it was no longer secure to use.

pr0zac

anthonypants posted:

everything in those highlighted printouts is bullshit

This claim is just as unsupported and rejecting everything completely outright makes you just as much of a gullible idiot as anyone taking them as gospel.

pr0zac
gonna just quote myself on twitter here then go rock climbing instead of arguing cause the people who want to assume facebook is mustache twirlingly evil will never be convinced otherwise

https://twitter.com/pr0zac/status/819917881899155456

pr0zac

ate all the Oreos posted:

last night i had a dream that i clicked a random link in this thread and it zero-day'd my browser and changed my user avatar to pepe the frog and started automatically making a bunch of bad posts and i couldn't close the browser

quoting this so once i quit my job and have freetime again i can go ahead and implement it

pr0zac

apseudonym posted:

The security community is dumb and people running around shouting "WhatsApp can't read your messages even if they want to" was dumb and primed this freakout. People thinking it's a backdoor and not an obvious feature (omg I switched phones and didn't get your messages :() are just silly.

End to end doesn't mean you don't have to trust the people building your messaging app, but it seems like a lot of people missed that.

yeah basically only very few sec people get that the only way to make encryption and privacy protections universal is to make them useable by regular people, sometimes this means trading off perfect security to a degree in favor of usability in order to make adoption possible and advance the norm

this isn't a backdoor, its automating key exchange and verification because normal people don't understand what that is and wouldn't use it as a result, doing this means one billion people now have access to 90% of the benefit of e2e encryption, calling it a malicious backdoor is counter-productive to improving security for everyone

the even more ridiculous paranoia version of this is people who refuse to use Signal because it integrates Google Play services to send notifications (not the messages)

so much for my not talking about this more!

pr0zac

ate all the Oreos posted:

are you talking about my dumb friend that i brought up in this thread before or do you also know someone who's that dumb

go read the hn comments for the guardian whatsapp article, its filled with these idiots

pr0zac

Munkeymon posted:

makes a big difference to her

she's got ~30 years of "sorry but your federally mandated background check came back and says you did some uh 'ultra crimes'? new one on me but we just can't have that associated with us here at Billy Bob's bargain basement grease trap cleaning. sorry. *beep*" to look forward to

i think for better or worse chelsea manning will have a pretty large number of job offers at non-profits and other orgs wanting to exploit her visibility when she gets out

the major concern i have is that she gets the mental help she needs addressing the very real PTSD and other issues she's going to have after dealing with the last seven years

pr0zac

fisting by many posted:

krebs released his big expose on the mirai author

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

it's minecraft and anime all the way down

lol anime child so hosed, don't be a wizard if you're over 18 in the usa

pr0zac

Shaggar posted:

enterprise agreements that anyone can get are like 30% off for a 1 year sub so I would bet Microsoft would be willing to give them something even better to be able to brag about hosting the identity management for the worlds largest prison.

i dont think the refugees trapped in australias island death camps are going to be included in this AD install

pr0zac

Wiggly Wayne DDS posted:

they were always unusually insistent on saying they never analysed russian gov malware, even after the us dropped the iocs mentioning samples they had analysed prior

I mean its prob hard to know youre analyzing gov malware until you actually start analyzing

pr0zac

this is my new favorite tweet

pr0zac

Shaggar posted:

openssh has had plenty of vulnerabilities in the past and the idea you're presenting that because its linux its immune to attacks is absolutely retarded

openssh isn't a linux toolset, pls don't disparage a good software as such, that its often installed on linux machines doesn't make it linux any more than it being often installed on windows makes it windows

it also hasn't had a vulnerability that would allow an arbitrary attacker to get shell since definitely 2002 and MAYBE 2003

you might be getting it mixed up with openssl which is a completely different project and is actually a linux and very bad vulnerability wise

pr0zac

Subjunctive posted:

what are the regulatory constraints? windows update has the ability to execute commands given server instruction, as do all browsers with a decent update model

same, don't doubt there's some crazy regulatory thing around lawyer stuff I don't know, am interested in what it is tho

pr0zac

this is really smart for pretty much the same reason bug bounties are smart for regular companies

surprised it didn't happen sooner

pr0zac

dangling pointer posted:

is there a general best practices guide for bug bounties? like how to write good, informative reports so I don't waste the reviewers time?

also a list of things you should never do like the guy on the recent risky business podcast who got banned from yahoo for exfiltrating data via a screenshot

the guides on hackerone and similar sites are pretty brief.

thanks whoever mentioned I should try bug bounties when I asked for advice earlier in the thread, I'm having fun with it

some posts from a good friend of mine:
https://medium.com/@collingreene/bug-bounty-5-years-in-c95cda604365#.qk9ip49db
https://medium.com/@collingreene/to-the-bounty-hunters-9259b1544325#.91bslvtvp

the one thing thats not mentioned in there, don't be an rear end in a top hat and don't do the bullshit where you argue non-stop that some reflected XSS in IE8 on an unauthed microsite is a SEVERE RCE

there are actual people triaging your report, we remember the good reporters and the bad reporters and make very little claim towards being unbiased when deciding on payouts

basically go try to be fin1te, he is probably the best bug bountier in the world right now and just generally a joy to work with, last time i talked to him he was making significantly more a year from bug bounties than his salary at facebook: https://twitter.com/fin1te https://whitton.io/

pr0zac

how does this thread have 90 pages of discussion i am so loving confused

pr0zac

OSI bean dip posted:

so we have a "hacking" scandal going on in the local provincial government

basically the dumbass party in power posted a document out in the open and the opposition is being accused of "hacking"

gotta link w/ context on this?

pr0zac

Sapozhnik posted:

Right but I mean what difference is it going to make.

If somebody's going to go to the trouble of taking apart my computer in a lab and applying specific Samsung exploits to the SSD firmware or whatever then they can also cold-boot attack my FDE laptop, which is probably asleep so it already has the encryption keys in DRAM.

Tbf though Macs have some sort of special firmware lock screen that lets them purge keys out of RAM when they go to sleep.

Define an adversary for your security measures, or you're just jerking off.

i'm kinda confused what exactly the point you're trying to make is?

like sure, for 99% of attack scenarios for 99% of people a SATA password is probably perfectly secure, this has nothing to do with it requiring NSA level ability to circumvent, simply that its usually just not worth the trouble for most people's data

its definitely not as secure as FDE though, even if that fact is only being demonstrated theoretically, and using FDE isn't any more of a hassle so I don't really understand what you're making a stand about?

pr0zac

ate all the Oreos posted:

2000 indian guys running metasploit or w/e and auto-generating reports on literally everything their tools spit out and then probably 100 actually competent people

lol the ratios aren't even that good signal/noise and the bad reporters aren't skilled enough to use metasploit, also india isn't actually the worst country reporter wise

quote:

i'd be lost in the sea of piss that is the first group since i don't think i'm cool hacker guy enough to be in the second group :sigh:

maybe you're not good enough to be in the second group (then again neither am I), but theres a lot of stuff you can do to not be in the first group either, for instance: don't be an rear end in a top hat and give reasonable risk assessments instead of insisting your IE8 only reflected XSS in an unauthenticated marketing microsite is a severe vulnerability

pr0zac
https://twitter.com/dchest/status/834808975556239360

owns

pr0zac


we did it guys!
https://github.com/pirate/sites-using-cloudflare

pr0zac

ate all the Oreos posted:

christ you have a lot of plugins why you got so many plugins plugin man

you should see my firefox instances

pr0zac

Phone posted:

also laziness has paid off once more! I still don't have a password manager.

I guess 1password is out of the mix now :v

their website using cloudflare does not in any way affect security of their password manager

pr0zac

Truga posted:

some password manager did send their passwords in the clear through cloudflare tho.

was it lastpass again? those guys just keep loving up

lastpass doesn't use cloudflare and even if it did it wouldn't have affected security of their product either

1password is what you're referring to but they weren't sending passwords through cloudflare, they just used it for their website

are there seriously people in this thread that think a prominent password manager company would have an implementation that would involve sending plaintext passwords over http to cloudflare?

pr0zac

Phone posted:

yeah tavis' post mortem explicitly says 1password alongside okcupid, uber, and fitbit had data and passwords exposed

you idiots don't understand how password managers work

Truga posted:

no, over https. just not, you know, like normal people do password managers - in an encrypted container that only you know the secret to unlock

https termination through cloudflare means a nontls http connection to cloudflare (see these forums for instance)

pr0zac

spankmeister posted:

u can still do tls between buttflare and the servers, i think it's what they recommend

still requires cloudflare to end up with plaintext forms of the html to do their magic which would be unacceptable for password manager data


zen death robot posted:

actually we use the strict https implementation so it's using tls the whole way through

i unconsciously clicked the NICE! button under your post, am liking having you around

pr0zac

hifi posted:

is that really surprising though? i read about how MS gives you access to everything once you join their brotherhood. and they had enough snoopware installed that they can figure it all out in the end

Truga posted:

just goes to show these places might actually be a nice place to work at tbh.

agreed with both of these

don't work anywhere that doesn't trust you enough to let you know whats going on across the company

also don't work anywhere that trusts you enough to not keep an eye on what you do with that access

pr0zac
teen vogue droppin that legit security knowledge

http://www.teenvogue.com/story/how-to-keep-messages-secure

pr0zac

Munkeymon posted:

is the reward a shirt that confirms that your uncle does indeed work for Nintendo?

pr0zac

spankmeister posted:

Mine still does.

its an option in settings you can turn off on android

pr0zac

Lutha Mahtin posted:

a lot of yosposters are fans of the NaCl crypto library, so i was reading up on it. the papers describing their thought processes in designing it are pretty cool, and i think the papers are readable by even novice programmers. but then i went and poked around the NaCl website and found the installation instructions...


:thumbsup:

NaCl is the academic implementation, you want libsodium which has wrappers for multiple languages


pr0zac

The most annoying thing about these articles is having to go remind myself which is zcoin and which is zcash and what the differences are each time
