BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Flying Leatherman posted:

Maybe I'm late on cipher discussions, but https://cipherli.st is a nice resource that I've used before

that config is going to have some compatibility issues. it's not "bad" in any way, but test it for your particular use case and don't roll it out blindly or you're going to piss off people with legacy but still supported clients. also, AES256 has questionable security merits over AES128 but definable overhead. Probably won't mean much if you're not passing a lot of traffic, but AES128 is still more than secure and might be preferable for high-volume applications. Hopefully AES offload in hardware has made that largely moot but the differential is still there.


BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

lol, no 1.0 but 1.1. specs written by idiots.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

this number is not high enough! I require the slightly higher number! pay me six figures!

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

please turn on ssl 2 and 3 as they are much larger than these puny 1.x protocols

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

if you're worried about cbc attacks then you go 1.2-only. 1.1 is pre-gcm. and if you're worried about cbc then you give a cipher list, 1.2 supports plenty of bad ciphers as well.
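Added example, not part of the thread: a Python `ssl` audit illustrating the post above, comparing a server context that only sets a TLS 1.2 floor with one that also pins an explicit AEAD-only cipher list. The cipher string `AEAD_ONLY`, the helper names and the `SAMPLE` records are this example's own assumptions.

```python
import ssl

# Assumed allow-list for this example: ECDHE key exchange with AEAD bulk ciphers.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"

# Constructed sample records in the shape returned by SSLContext.get_ciphers().
SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "aead": True},
    {"name": "ECDHE-RSA-AES128-SHA256", "protocol": "TLSv1.2", "aead": False},
    {"name": "AES128-SHA", "protocol": "SSLv3", "aead": False},
]


def tls12_context(cipher_string=None):
    """Server context that refuses anything older than TLS 1.2.

    With cipher_string=None the library's default suite list stays in place,
    which is the "1.2-only but no cipher list" configuration.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cipher_string is not None:
        # Governs TLS 1.2 suites; TLS 1.3 suites are always AEAD.
        ctx.set_ciphers(cipher_string)
    return ctx


def non_aead_suites(ciphers):
    """Names of suites that are not AEAD (CBC and other MAC-then-encrypt modes).

    A record without an 'aead' flag is treated as suspect and reported.
    """
    return sorted(c["name"] for c in ciphers if not c.get("aead", False))


def audit(ctx):
    """Summarise the protocol floor and the non-AEAD suites a context enables."""
    ciphers = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "enabled": len(ciphers),
        "non_aead": non_aead_suites(ciphers),
    }


if __name__ == "__main__":
    for label, ctx in (
        ("version floor only", tls12_context()),
        ("floor + AEAD list", tls12_context(AEAD_ONLY)),
    ):
        report = audit(ctx)
        print(f"{label}: min={report['min_version']} "
              f"enabled={report['enabled']} non_aead={len(report['non_aead'])}")
        for name in report["non_aead"]:
            print("   ", name)
```

What the floor-only context reports depends on the local OpenSSL build and its default cipher string; the pinned context reports no non-AEAD suites.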

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

fishmech posted:

counterpoint: trump is mama's little pissboy and loves to drinkos the peepee

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Number19 posted:

yossec: who's a good ssl cert vendor in 2017? let's encrypt won't work for this. I've had a recommendation for alphassl but i want to see who else is decent these days. i need a wildcard cert for part of the project.

everybody seems to be moving away from wildcard certs and the CAs are trying to push everything over to multi-domain and just swapping out with a new one with more SANs jammed on it. Any particular reason for using a wildcard over multi-domain?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

darkforce898 posted:

How would you go about issuing valid certificates on hundreds of devices that change their public IP address daily?

We create a domain name that we update to the correct IP when it changes.

Not accusing, just wondering.

without knowing more about the details of the hardware in question I might throw up a dnssec server in the dmz, get client certs deployed on the end devices when they go out in the field, and then use the cert based auth against dns server to handle automagically getting the IPs updated. alternatively, some kind of agent on the endpoint that does a similar job and can handle applying new certs if they ever need to be replaced. either way, the key to this is getting certs deployed on to all the endpoints to use as an auth mechanism.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

there's not a terribly compelling reason to use PKI-trusted certs for that application if you're just phoning back to your own stuff. stand up your ca, load your certs on them and in to the root trusts, do what you need to from there. PKI certs are only going to be good for 3 years max out of box, with your own certs you can do something arbitrary to match the expected service life of the equipment + a year or two to give yourself wiggle room. device gets a new cert when it's replaced or hits the end of the service life.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Deep Dish Fuckfest posted:

set it to something like "february 31" and no one will ever be able to guess it. it's genius

4/20/69, the combination for my luggage

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

OSI bean dip posted:

I have had my Samsung washer leak from having a sock in the gasket. I cannot wait to have it gush all over the floor when it gets owned or gets a faulty update.

those don't usually support a full IP stack, just an interface for a zigbee thing. and it basically relays a signal to the appliance telling it either if electric rates are on off-peak so your appliance can schedule cycles during that time or if there is brown-out risk it has the option to obey a command to defer the cycle until the event is over. people blow that poo poo out of proportion

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Chalks posted:

Also somehow notifying them without utilising power...

small battery pack in the zigbee modem, relays to the smart meter which has a cell modem and small backup battery. the engineers designing this stuff did actually think the use cases through

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

the meter knows if the house has lost power, not the appliance, dumbass. look up peak load and stop being stupid.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ate all the Oreos posted:

anyway target was selling smart bulbs for a reasonable price so i got a two pack to gently caress around with, good thing too cuz i accidentally fried one of them trying to get some debug output on a serial port i found :downs:

so far they look pretty boring, it uses BTLE instead of wifi so it probably won't be running any lightbulb botnets any time soon, oh well

you should buy bulbs off aliexpress they are gr8 and go for around $4/ea shipped. Look for the "edison" style LED and make sure they support 110/120VAC and they're spitting out around 100lum per watt. Some of the shittier ones only do around 60~ which is crap.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Chalks posted:

The whole thing about delaying the spin cycle that fishmech posted does sound pretty clever.

On the other hand, given the choice between "letting the power company interfere with my daily life" and "not plugging the smart cable in"...

this is going to happen in conjunction with peak/off-peak rates and smart meter tech is going to help your appliances know to run their heavy energy cycles (driers, spins, car charging, freezer defrost, dishwasher drying, whatever) once the grid hits off peak which will save you money. You'll probably have the option to opt out of a smart meter and peak rate billing but then they'll just assess your rates at the peak utility charge plus a bit more because they have to send someone out to your house to read the meter

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ate all the Oreos posted:

that's why it needs always-on internet connectivity to run, you're not thinking like a proper IoT designer

anyway i hope the power company publishes data on which houses they mark for smart-endarkening or whatever so someone can make a lovely heat map that suspiciously shows rich peoples houses never being affected

I don't think I've seen a single system that fully shuts off systems. In extreme situations things like AC setpoints will get dialed up to 80 or whatever and defrost cycles won't run. Maybe an electric drier won't run, depends on the appliance. Keep in mind that this is just a broadcast to the device telling it that something is going on. It's up to the device to decide how it responds, if at all

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Ur Getting Fatter posted:

can't wait for the state-sponsored malware that infects the smartgrid and marks the hottest day of the year as "off-peak". nationwide panic as millions of washers and dryers start their spin cycles simultaneously and bring down the whole grid

no device will turn on from a smart grid anything

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ate all the Oreos posted:

are we talking about the same smart meters they're already installing, because afaik nobody's allowed to opt out of poo poo here and there were a bunch of right-wingers protesting the durned gubmint spying meters being forced on them

going to depend on your utility and state but most are making legislation that allows opting out or disabling the "smart" functionality at a minimum, with obvious billing penalties

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Chalks posted:

Presumably you could have a smart meter but not plug any of your appliances into it and get the convenience of online meter readings without your appliances sometimes deciding not to run when you tell them to. I'm not too sure when off peak times are for electricity - presumably industrial and residential electricity use is all coming from the same source so during working hours won't necessarily be off peak. This makes me think that off peak will probably be during the night and I sure as hell don't want my washing machine scheduling itself to start when I'm trying to sleep.

It just all rather feels like things I'd like to keep control of. A couple of hours delay in some of these things could be really inconvenient and I'm struggling to think of an appliance that I wouldn't want control over when it runs.

that's fine and you'll have these options if you are a neurotic weirdo

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Chalks posted:

Really though, what appliances are you happy to decide by themselves when they should run? If I turn an appliance on it's usually 'cause I need it to do its thing.

I envision a world where nobody plugs their poo poo in to their smart meter and is happier for it. Then you'll get the one guy who's got all his stuff connected to it and has everything he does constantly delayed to make room for all the assholes like me who don't have time for that poo poo.

I mean it's fine, but I'm just not sure it'll survive contact with reality.

I don't care if my fridge and freezer times its defrost cycle for off-peak. I don't care if my electric car default only charges off-peak and I have to manually override if I am in a rush. I don't care if my AC has a different setpoint for on and off-peak, and a third higher one for grid emergencies. I don't care if my washer, dryer, or washing machine delay cycles to off-peak to save me money or help load shed, and I will still have a manual override. You're tilting at windmills, man

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Chalks posted:

You could make a fridge or freezer defrost over night with a clock.

I just think the main benefits of having a "smart" system scheduling appliances are all things people will be irritated by. I don't see it ever being widely adopted.

that's not what a defrost cycle is and you are still an idiot

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Trabisnikof posted:

But yeah smartgrid stuff is also going to be filled with secfucks

oh yeah it's going to be a clusterfuck based on the scale of deployment alone though there are some pretty clear signs that they have learned some good lessons from all the mistakes in the scada sector and severely limiting the protocol from full control to more basic signalling should hopefully mitigate a lot of the impact.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ate all the Oreos posted:

all the people who learned from their mistakes have been replaced by cheaper people or had their jobs contracted out to whoever can deliver x, y, and z features in the fastest amount of time

the protocol straight up doesn't support the kinds of things that make scada super scary. its cheap poo poo by design but with the short range of the wireless signalling network and a plethora of manufacturers and models being rolled out all over the place the likelihood of a single wide-spread impact isn't that high. the intelligence lives in the device itself and I would liken it to the appliance hearing a tornado siren and then deciding what to do, if anything, in response. this is not traditional command and control

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ate all the Oreos posted:

the protocol undoubtably supports buffer overflows once implemented which means it supports basically everything

did you even think through this attack scenario or just mash your rear end on the keyboard until words came out?

you have two realistic attack scenarios: either you send valid signaling to manipulate the response to signalling of devices or you attack them to modify the hardware to do something new. either way, you first need to compromise the meter network. Not impossible, sometimes relatively easy depending on how lovely the utility did their deployment, but you're going to leave a lot of evidence sitting around so cover your tracks real good on that. you're not going to blast malicious zigbee traffic directly to the devices for more than a few blocks without erecting a massive, easy to find mast. Okay, now you're on the zigbee network. Great. Good Job! So now you lie to devices and tell them that either the peak/off-peak rates are inverted to generate extra load on peak so the utility has to fire up more peaking plants or buy off adjacent regions which costs them money and pisses them off, or maybe you put everyone's house in rolling brownout mode so all their AC dials back and the drier stops or something and you... minorly inconvenience people? Or perhaps you are the ultra l33t hacker and find a vuln in their zigbee code that allows for arbitrary execution or firmware re-write in which case how many devices do you really think you have a chance of affecting at once? are you going to be able to actually do anything with the device or just brick it? every manufacturer, model, and model year of device presents another fragmentation point that makes widespread compromise not very realistic. and then you have to consider exactly how they integrate the zigbee radio and internal controls that can limit its ability to interact with the control logic of the device which would often make that type of attack impossible

hobbesmaster posted:

which protocols are they actually using? zigbee? Lora? something else?

a smartgrid variant of the zigbee spec for everything past the meter from what I have seen on everything. utility to the meter is either some kind of signaling over the mains, embedded cell, or some kind of wireless scada signaling (bad bad bad).

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Chalks posted:

Alright angry about fridges guy, relax. I don't see what a smart network could tell my fridge about off peak hours that a clock telling it when it's 1 am couldn't.

the precursor to smart grid appliances were ones that use RCC signaling to clock sync but that's utc so you have to set the time zone and people barely tolerate programming their microwave and stove so who the hell is going to do it on their fridge. and that does absolutely nothing for providing signalling for on/off peak rates to save you money or responding to brown out scenarios. are you actually interested in learning anything or are you just going to continue down this road?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Trabisnikof posted:

Do CANBUS next!

CANBUS I am more concerned about because there's a much more real potential impact for health and safety, there are fewer manufacturers/models/designs carried year to year so you're likely to be able to affect more things with higher impact at once, and once you break through the head unit and on to the canbus its pretty much open season for throwing the throttle wide open/locking up the brakes/whatever. but even that I don't think is super likely beyond isolated incidents. with that said, I'm grateful for researchers looking in to potential weaknesses in all of this stuff and forcing them to constantly update existing equipment and modify designs since it creates a moving target (har har) that makes it more difficult to cause widespread destruction

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

coordinated scada attacks on power generation/transmission infrastructure is the holy grail for crippling a country and I am surprised we haven't seen more of it beyond that incident in ukraine a year or two back

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Lutha Mahtin posted:

do you really think it is likely that all those devices will use different chips and totally unique custom software stacks? even across different manufacturers i would (again) bet money that we are going to see the exact same poo poo we've been seeing for years now in consumer routers and iot crap: they will all use cheapo misconfigured software stacks full of old non-updated FOSS stuff written in unsafe languages like C. "oh but the protocol is pretty limited"! sure that's great but even if it's very locked down, it will mean jack if these devices have any alternate communication modes, or if other devices (like laptops or iot crap) have the ability to talk to the appliances via that protocol, because then all it will take is someone to discover a flaw in the 7-year-old version of linux that all these things are running, or a misconfiguration that exists across the software stacks of the 3 most popular smart-grid middleware providers. and on that point, i have a hard time believing that appliance makers can resist the temptation to add in features like "manage your kenmore appliances from ANYWHERE IN THE WORLD with the kenmore app!" and bolting on some kind of wi-fi interface which is of course then managed by the same main CPU/SoC that also does the locked-down smart-grid protocol stuff

I think the likely outcome is that for the sake of security the zigbee/whatever radio module will be kept as its own discrete component from the main control/firmware of the device with extreme limits on what can be passed between the two effectively neutering any ability to compromise it in a way beyond blasting garbage on the wireless link

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ErIog posted:

I know this thread is for insufferable assholes who think they know better (me included), but please everybody just listen to Fishmech and Shaggar for once. One's good cop, one's bad cop.. they both agree!

I am not shaggar but I will accept the comparison in this case

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

hey windows comes with the best and easiest to configure crypto stack baked in to the os but lets gently caress that all up with some linux garbage

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

The drums on Samsung washers will fail after 3-5 years because the spider flanges that support it and connect to the motor assembly are made out of raw cast aluminum instead of stainless like everything else in the machine and detergent destroys it. Because what the gently caress do morons at samsung know about making washing machines? they're still shipping units like this to this day, it's a known problem and they are not correcting the design.

https://www.youtube.com/watch?v=BAsFb-_k0Hk

good news is if you know what you are doing you can pick up a broken one for cheap/nothing, order the part, get it powder coated, and its a p.good washing machine after that fix

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Captain Foo posted:

it does the same poo poo on ios, zdziarski was going through it on twitter earlier

ios doesn't allow all of those application rights and you have the ability to block it from accessing specific things when it attempts

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

android.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Shaggar posted:

stuxnet was so cool.

the best part was how absolutely none of the other vendors took it seriously for years because "we're not siemens why should we care"

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Shaggar posted:

my bro was telling me about some of the PLCs at a plant he was managing and he was telling me they have a separate internet connection (DSL, lol) for letting the vendor on to do work. It didn't occur to him that leaving this open all the time was a bad idea cause he didn't realize that theres effectively no security on the PLCs.

the best control I've seen on them that's basically idiot-proof is a turn key on each to put them in program, off, or run mode and it will refuse to accept modifications unless in program mode where it can't execute. I wish more vendors did that, but it's seen as an undesirable feature for large-scale deployments where people don't want to walk across the floor to unlock a plc to make changes

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

OSI bean dip posted:

Isn't there a limit to the number AD users and groups?

not really. you don't want any one object enrolled in too many groups because you can have problems with the tokens becoming too large but at the end of the day its just a database and you can scale that thing like crazy just throw more hardware at it

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

spankmeister posted:

Also while Azure AD would be a decent choice, price concerns notwithstanding, Australian citizens might object to hosting their PII in the US or on systems possibly controlled by a US company under the Patriot Act.

Although Australia being a FVEY member that might be less of an issue.

e: I know the average EU citizen would probably flip their poo poo about hosting their government PII in the US. (Even though most of them share everything anyway through social media.)

MS has gotten pretty good about being able to make guarantees that your tenant will only be hosted out of the geographic area you specify and considering the relatively small amount of bandwidth going in and out of that country I would have to imagine there's already a substantial datacenter presence in the country. higher ed does similar things with guarantees that their tenant will only be hosted inside the continental US

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Chalks posted:

I wonder if the small hard disk check is born of an outdated idea of how people use virtual machines. If you're using an older VM system and don't have much hard disk space yourself, you may well have very small hard disks on the VMs (especially XP ones) but with technology like differencing disks and dynamically expanding disks coupled with how cheap storage is I very much doubt anyone uses a fixed 50GB hard disk on a VM these days.

This seems to support the idea that the developer is an experienced malware developer who's been out of the game for a while.

I am yet to see a way to shrink a virtual disk and actually reclaim the space without spending a huge amount of ops doing it. Growing is no problem and can happen on the fly, you're much better setting smaller disks and dealing with people bumping in to the limits and cleaning up at that point before expanding allocations than letting idiocy or a malfunctioning application brim a drive with garbage which then cascades in to your storage replication and backup sets.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Probably just a random guess. VMware/Hyper-V defaults the OS disk to 40-50gb and encourages you to split that in to other disks for data vols so they can be tiered differently, apply ssd caching, whatever. It's a pretty good giveaway for a VM and potentially an analysis sandbox, especially if you are checking for the disk size and not the volume size since I don't think you can get anything smaller than 60gb ssd's in a normal desktop these days.

As for overhead for thin provisioning, you get a little bit of a write penalty as the virtual disk inflates and writes to new blocks (typically allocated in chunks of a couple MB) but there's not a lot of scenarios where this will have quantifiable impact in most use cases


BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Dylan16807 posted:

in virtualbox at least it's easy to set it so guest OS TRIM commands cause the disk file to shrink.

that works on babby's first vm running on a single ssd. do that against a real storage array and you're back to disk ops city
