|
geonetix posted:in other news i just bought some domain names that make sense to me, any ideas how to get internet rich out of this?

you can make an install pushing fake video codec updaters on your visitors
|
# ¿ Jun 27, 2017 03:34 |
|
|
# ¿ May 5, 2024 00:45 |
|
if you can pretend to be a female popstar and not melt down on twitter about once a month there's a vacancy going
|
# ¿ Jun 27, 2017 03:39 |
|
Avenging_Mikon posted:I wanna come back to this because I would like to know, what's the best way to handle something like this (user generated urls that you don't get to know in advance)? I get wildcard certs are bad and evil, but is the only other option really "URL gets submitted to you, and you manually update relevant certs"?

doesn't have to be manual. you can automate the process of getting a cert from LE and pushing it to whatever handles your tls termination in under a minute
|
# ¿ Jul 6, 2017 20:38 |
|
Lain Iwakura posted:
What's "0 day" about this, it looks like some run of the mill macro poo poo
|
# ¿ Jul 7, 2017 04:13 |
|
nought-day
|
# ¿ Jul 8, 2017 00:11 |
|
someone probably tried to turn on strict origin cert CN validation in cloudflare https://crt.sh/?id=168610427
|
# ¿ Jul 8, 2017 04:11 |
|
fair enough. richard won't get very far with that one though
|
# ¿ Jul 8, 2017 04:39 |
|
yeah fb can't do normal totp without a phone any more, i got caught out by this recently, it's lame
|
# ¿ Jul 8, 2017 22:58 |
|
yeah it disables itself when you remove your phone number
|
# ¿ Jul 8, 2017 23:59 |
|
Thanks Ants posted:you can disable facebook sms huh

mine has the disable button but when i click it:
|
# ¿ Jul 9, 2017 16:25 |
|
public transport apps are pretty lovely in my experience. last year i reverse engineered the one used by a ton of different companies here and someone less honest than me could theoretically have been using a fake app ever since without anyone realising

https://twitter.com/hilare_belloc/status/715585400933392384
https://twitter.com/hilare_belloc/status/715586306986917888
|
# ¿ Jul 21, 2017 19:01 |
|
maskenfreiheit posted:so I'm at Defcon. Well i'm bored in vegas, got no plans till an early dinner meetup tonight and already got my defcon badge so i will answer questions till my mifi is nearly out of batteries

to be clear, jello, you insipid loving backwoods redneck moron, i banned business catte because i had people at work being tracked down to be asked questions about me by the yospos irc sewing circle and frankly i didn't need that much internet in my real life. i still don't, so i'll ban this account too when my batteries get low and you can go back to being constantly wrong for another year. you kids proved that you aren't capable of being even vaguely grownup about people being honest in here about who they are or what they do, so i can't leave the two connected

btw i'm not answering anything about work that is either obvious trolling or over the line with poo poo i shouldn't/can't talk about, or poo poo i just don't feel like answering, but other than that let 'er rip
|
# ¿ Jul 30, 2017 03:58 |
|
ShadowHawk posted:Hey everyone, turns out I'm the main culprit of my very own CVE!

are you kidding me with this poo poo
|
# ¿ Jul 30, 2017 04:26 |
|
spankmeister posted:A straight religious clothing ban would be discrimination, can't have that of course

tell it to french workers in public-serving roles
|
# ¿ Aug 2, 2017 22:57 |
|
algo is pretty nice but

- the strongswan network-manager applet for linux doesn't support split tunnelling so it breaks connectivity to your lan
- if you use pppoe or something then you might have to gently caress with your mtu to get it to work properly

openvpn otoh works fine and is pretty easy to set up
|
# ¿ Aug 4, 2017 04:01 |
|
grsecurity are suing bruce perens for writing this https://perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/

filing here https://regmedia.co.uk/2017/08/03/grc_lawsuit.pdf
|
# ¿ Aug 4, 2017 04:08 |
|
certified kali linux child
|
# ¿ Aug 29, 2017 17:23 |
|
Lain Iwakura posted:if you want to attack tor, just start memory dumping the tor daemon while you're acting as an hsdir

you're conflating attacks on end users with attacks on onion services. with the way hidden service descriptors currently work you can, at best, knock them offline (this is fixed in prop 224)
|
# ¿ Sep 6, 2017 17:40 |
|
yoloer420 posted:Did anyone here implement the malicious hsdir thing for tor hidden service discovery? I'd appreciate any info you might have, does it still work etc?

read this https://donncha.is/2013/05/trawling-tor-hidden-services/

it still works in the current stable version of tor. prop224 fixes the problem and initial support for this is included in 0.3.2.1-alpha, released earlier this week
|
# ¿ Sep 22, 2017 19:12 |
|
Subjunctive posted:you encrypt, not sign.

same difference
|
# ¿ Sep 22, 2017 23:38 |
|
Volmarias posted:No

but now I'd like to know more
|
# ¿ Oct 5, 2017 23:19 |
|
infernal machines posted:so how long ago did she open it?

rack em
|
# ¿ Oct 8, 2017 18:36 |
|
cant believe glenn greenwald replaced morgan m-b with 2 brazilian orphans
|
# ¿ Oct 13, 2017 21:04 |
|
there's a similar thing in the UK, but it's even worse because it's used for payments

the four uk mobile phone operators have conspired with the 12 companies listed here http://www.payforit.org/api/ to provide a one-click "charge it to my phone" service

this has two parts:

- "header enrichment", in which the telco intercepts traffic destined for the partner payment processors, and injects the visitor's mobile phone number into the http headers. that's the theory anyway. they also sometimes gently caress up and inject it into every request to every website https://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/

- a private api which the payment processors can use to put a charge on a phone bill, given a phone number and amount. they are supposed to only issue charges through this api when the phone owner has given them explicit permission to do so. however at least one of the companies (txtnation) has/had a bug in their code that lets retailers circumvent the "are you sure" payment confirmation. as recently as last year, this was being exploited in the wild via rogue ads to hit people with charges without any confirmation

when a payment goes through, your mobile phone operator sends an sms receipt. there are two problems with this:

- it looks scammy as gently caress and people will likely not understand the message and ignore it

- if you can't receive smses - e.g. if you're using a mobile internet dongle on a laptop - you never see the sms so you don't even know you've been hit. (because the header enrichment occurs on the upstream network, this scam can be triggered through normal desktop browsing too, you don't have to be using a mobile phone just the mobile phone network)

in summary mobile phone operators are loving scum
|
# ¿ Oct 15, 2017 18:55 |
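if you run a site and want to know whether your visitors' carriers are leaking numbers at you the way the post above describes, the check is cheap: look at the raw request headers for a known enrichment header or for any header whose value is a bare phone number. the snippet below is an added example, not code from the thread or from any carrier or payment processor; the sample request is constructed (the 07700 900xxx range is reserved by ofcom for fiction), x-msisdn and x-up-calling-line-id are header names that have been reported in the wild, and the other names in the set are assumptions about the pattern

```python
"""Added example: detect carrier 'header enrichment' in raw HTTP requests.
Header-name list and sample request are constructed for illustration."""
import re

# Names reported (x-msisdn, x-up-calling-line-id) or assumed (the rest) to carry
# the subscriber's number.  Assumption: treat the whole list as illustrative.
KNOWN_ENRICHMENT_HEADERS = {
    "x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn", "x-wap-msisdn",
}
# Headers whose values are legitimately long digit strings; never flag these.
NUMERIC_HEADERS = {"content-length", "x-request-id", "age"}
# E.164 allows up to 15 digits; require at least 10 to avoid flagging ports/sizes.
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def parse_headers(raw: bytes):
    """Header block of a raw HTTP/1.x request -> list of (lowercased name, value)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def find_enrichment(raw: bytes):
    """Return [(name, value, reason)] for headers that look like an injected MSISDN."""
    hits = []
    for name, value in parse_headers(raw):
        if name in KNOWN_ENRICHMENT_HEADERS:
            hits.append((name, value, "known enrichment header"))
        elif name not in NUMERIC_HEADERS and MSISDN_RE.match(value.replace(" ", "")):
            hits.append((name, value, "value looks like a phone number"))
    return hits


# Constructed sample: a carrier has added X-MSISDN to an ordinary page request.
SAMPLE_ENRICHED = (
    b"GET /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"X-MSISDN: 447700900123\r\n"
    b"X-Forwarded-For: 10.0.0.5\r\n"
    b"Content-Length: 1234567890\r\n"
    b"\r\n"
)

SAMPLE_CLEAN = (
    b"GET / HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for name, value, reason in find_enrichment(SAMPLE_ENRICHED):
        print(f"{name}: {value}  ({reason})")
```

worth remembering when reading the results: a carrier can only inject into plaintext http, so an all-https site will never see these headers, and the only way to trigger the charge api described above is for a partner site to receive that number, which is exactly what serving the checkout over tls prevents the carrier from doing on the way through.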
|
exactly, he's being sarcastic
|
# ¿ Oct 19, 2017 18:16 |
|
halifax is part of lloyds banking group, they all use the same website with different branding (as do bank of scotland)
|
# ¿ Oct 29, 2017 23:37 |
|
Powaqoatse posted:im saying maybe "fighting words" dont have to be in person

you wanna take this outside buddy
|
# ¿ Nov 4, 2017 05:17 |
|
the long tweets are just links that didn't get an <a href> put round them when displayed for whatever reason. hidden somewhere in the middle of one was ".cc/"
|
# ¿ Nov 5, 2017 00:39 |
|
minato posted:I don't know if this counts as a security fuckup, but I was talking to an Uber engineer today who told me a couple of interesting scams they encountered the past couple of years.

razor and blade spotted
|
# ¿ Nov 5, 2017 07:15 |
|
imagine i photoshopped the uber app onto that screen
|
# ¿ Nov 5, 2017 07:16 |
|
Main Paineframe posted:and every site that did that kind of thing got banned from the Twitter API

they went further, and looked up all the api keys created by the same person as the offending one, then looked at the accounts using those keys to tweet. i had a couple of private accounts with 0 followers keeping tabs on people's deleted tweets and they got shut down at the same time as a big public one i ran
|
# ¿ Nov 5, 2017 23:10 |
|
nothing, but the streaming api gives you notifications about deleted tweets (their ID only, not the text itself) in real time, which is very appealing
|
# ¿ Nov 6, 2017 01:48 |
|
yeah level3 leaked more specific versions of prefixes belonging to comcast and got overwhelmed
|
# ¿ Nov 7, 2017 01:47 |
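the mechanism in the post above is the classic one: a more-specific prefix wins over the legitimate aggregate everywhere, so traffic for the whole block follows the leak. the check an operator wants is the same one RPKI route-origin validation does, compare each announcement against a table of who may originate what and how specific they may go. below is an added example of that check, not code from the thread or from any router or rpki validator; the expected-origin table, the ASNs (from the private range) and the announcements are all constructed

```python
"""Added example: flag announcements that are more specific than, or
originated by someone other than, the expected origin for covering prefix.
The table and announcements are constructed with private ASNs and RFC 1918
space; they do not describe any real network."""
import ipaddress

# Constructed ROA-like table: covering prefix -> (expected origin ASN, max prefix length)
EXPECTED = {
    "10.0.0.0/8": (64500, 16),       # "AS64500 may announce 10/8 and anything down to /16"
    "172.16.0.0/12": (64501, 12),    # "AS64501 may announce exactly 172.16/12"
}


def classify(prefix: str, origin_asn: int, expected=EXPECTED) -> str:
    """'valid', 'too-specific', 'origin-mismatch', or 'unknown' (no covering entry)."""
    net = ipaddress.ip_network(prefix, strict=True)
    for covering, (asn, maxlen) in expected.items():
        cov = ipaddress.ip_network(covering)
        if net.version != cov.version or not net.subnet_of(cov):
            continue
        if origin_asn != asn:
            return "origin-mismatch"   # someone else is (re)originating this space
        if net.prefixlen > maxlen:
            return "too-specific"      # right origin, but a leaked deaggregate
        return "valid"
    return "unknown"


def find_leaks(announcements, expected=EXPECTED):
    """Return the announcements that should not be accepted, with the reason.
    announcements: iterable of (prefix, origin_asn, learned_from_asn)."""
    bad = []
    for prefix, origin, learned_from in announcements:
        verdict = classify(prefix, origin, expected)
        if verdict in ("too-specific", "origin-mismatch"):
            bad.append((prefix, origin, learned_from, verdict))
    return bad


# Constructed feed: the legitimate aggregate, then a neighbour (AS64502)
# re-announcing carved-up /24s of it, which would attract all of the traffic.
CONSTRUCTED_FEED = [
    ("10.0.0.0/8", 64500, 64500),
    ("10.1.2.0/24", 64500, 64502),    # right origin, but more specific than allowed
    ("10.3.0.0/16", 64502, 64502),    # wrong origin
    ("172.16.0.0/12", 64501, 64501),
    ("192.0.2.0/24", 64503, 64503),   # not covered by the table at all
]

if __name__ == "__main__":
    for row in find_leaks(CONSTRUCTED_FEED):
        print(*row)
```

the 'unknown' case is deliberately not treated as a leak: a table that only covers your own and your customers' space has nothing to say about the rest of the internet, and rejecting unknowns would blackhole everything you hold no record for.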
|
flakeloaf posted:and facebook can't let people hash teh photos themselves and just send them the hashes becaaaaaaaaaause

Midjack posted:someone in the bubble thread had the idea to scrape reddit and 4chan for memes and upload them to get hashed and added to the banlist
|
# ¿ Nov 8, 2017 06:04 |
|
the russians? they used a pencil.
|
# ¿ Nov 13, 2017 00:51 |
|
classic Mr Hands
|
# ¿ Nov 21, 2017 00:32 |
|
Subjunctive posted:the document on this phenomenon is likely even findable from Edge

you got a link to this doc please?
|
# ¿ Dec 17, 2017 21:00 |
|
cheese-cube posted:wtf?

good to know that Keeper made the same mistake as that guy in sh/sc who wrote his own password manager that runs its js in the context of the page you're trying to log into
|
# ¿ Dec 21, 2017 00:34 |
|
hobbesmaster posted:linus probably saw one too many root access allows you to run arbitrary commands vulns and blew up at them

what's painful is that he's too pigheaded to hire spender so instead gets people to reimplement his work, poorly
|
# ¿ Dec 21, 2017 17:48 |
|
|
# ¿ May 5, 2024 00:45 |
|
Inexplicable Humblebrag posted:genuine asking-from-ignorance question - what should they be doing?

Cocoa Crispies posted:there's no generally cross-browser-compatible way

https://caniuse.com/#feat=getrandomvalues
|
# ¿ Dec 21, 2017 23:25 |