Make sure you wrap your connection with SSL to stay safe.

# Nov 22, 2017 21:24

# May 22, 2024 08:12

Chalks posted: You'd have expected these guys to have done at least a bit of penetration testing.

Their bug bounty didn't pay enough to catch anything.

# Nov 22, 2017 21:27

rafikki posted: Nothing we didn't all know or suspect but an interesting write up: https://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/

"Clandestine Tracking" seems rather dishonest since half the article is discussing effectively cookies and backend correlation.

# Nov 25, 2017 16:12

Grassy Knowles posted: not me, couldn't be

Then who?

# Nov 25, 2017 18:59

The tweet linked is gone, please tell me it's real, I need it to be real.

# Nov 28, 2017 23:42

minato posted: makes sense, Santa is an anagram of @nsa

It took me too long to get this.

# Nov 29, 2017 04:51

All your favorite software has security bugs.

# Nov 29, 2017 07:43

karoshi posted: That page contains the word (trigger warning) "vendor" 12 times. There will be multiple vendor/ODM partitions that survive a system upgrade. Those are a juicy target. "SHIP IT!" vendor implementations will make those juicy targets easy to hit.

It's an abstraction layer for vendor code, of course it loving includes the word vendor. It also separates out vendor code and allows us to better isolate it; it's an all around good thing.

# Nov 29, 2017 19:43

karoshi posted: Sir, this is the SecLOL thread, not the sensible software architecture thread.

No, the vendor code cannot inject a tracking dll into apps.

# Nov 29, 2017 19:45

wolrah posted: There's an important distinction between physical access and physical control.

Destructive vs. non-destructive is also an important distinction for stuff like evil maid.

# Nov 29, 2017 23:28

Lain Iwakura posted: oh. i am much, much happier now than say a year ago and even a decade ago. i have my own challenges to deal with but i am not losing my mind all the time anymore <3

# Nov 30, 2017 17:06

Lain Iwakura posted: there's a defcon 604 meet once a month that may or may not be good. i have been interested in attending but because i haven't been before i am unsure how much fun i'll have considering other events' gender imbalances. it's really annoying because there are good people but i've always gotten on better with women than men and i feel like that this may be a challenge for me

I've completely given up on in-person security groups and it's done a lot for my sanity and faith in humanity.

# Dec 1, 2017 03:43

Grassy Knowles posted: So you're not going to the 2600 meeting tomorrow

Never been to one. I've had a lot of bad experiences with people who really don't know what they're talking about and people who manage to be super creepy (and I'm honestly not as perceptive as I could wish) to want to go to security meetups.

# Dec 1, 2017 04:36

Subjunctive posted: I believe that it means that if you open a visio file it can grab a payload and execute it, hidden with visio's benign-looking process

I too am scared of interpreters.

# Dec 4, 2017 20:16

Wiggly Wayne DDS posted: https://twitter.com/HaifeiLi/status/938842714342174720

Lol av

# Dec 7, 2017 22:43

anthonypants posted: it points to localhost. if you have the blizzard app open https://localbattle.net:22885 in a web browser

That cert should get revoked so hard. I'm sure Ryan will have fun https://twitter.com/sleevi_/status/939574006759424006

# Dec 9, 2017 20:35

pseudorandom name posted: chrome feeds your entire browsing history into google adsense

No, they don't.

# Dec 15, 2017 20:45

Suspicious Dish posted: linus thinks bugs are bugs, and that includes security bugs, and would rather fix the bugs through careful engineering than add protection layers.

Spender is far worse than Linus, which says a lot. If he weren't such a toxic jerk in his interactions with others and actually worked to get his changes upstream instead of screaming about how right he is, we might actually have those hardening changes in devices instead of angry Twitter posts about how right he is.

# Dec 21, 2017 21:05

cheese-cube posted: unrelated but what's the go with HPKP? i seem to recall some recent discussion about it being abandoned due to lacklustre uptake? is it worth configuring still?

It's a big foot gun and you should be really careful.

# Dec 23, 2017 07:28

So... A spyware app?

# Dec 23, 2017 23:53

Bulgogi Hoagie posted: spyware for the people

NSA Wizard?

# Dec 23, 2017 23:59

Partycat posted: Would it be worse to put the Snowden app on your phone, knowing it would open you up to FSB backdoors, if it also locked out CIA backdoors?

But it doesn't lock out anything...

# Dec 24, 2017 06:45

I'm not going to defend Uber but the first one is pretty dumb (and dumb of Uber to make not having pinning a security bug).

# Dec 24, 2017 20:54

canis minor posted: This is fun - gain access to Lastpass without logging in

This article is bullshit, HTH.

# Dec 28, 2017 02:10

Lutha Mahtin posted: so did ccc fix their rape problem yet, or

Are they still hosting/supporting Appelbaum? I don't know why that guy still gets the amount of support he gets.

# Dec 30, 2017 08:35

graph posted: hello posting pals

The industry is the biggest sec gently caress of all

# Dec 31, 2017 02:12

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

# Jan 3, 2018 23:35

Failed speculative executions need to be indistinguishable from them not happening at all. Else sadness.

# Jan 4, 2018 01:05

Number19 posted: maybe it's harder to exploit on VMware for some reason. it seems weird to not have them marked critical

Do they reserve critical for host OS execution as opposed to info leak?

# Jan 4, 2018 01:36

James Baud posted: This is the single biggest case of "fix worse than the disease" I can remember for everyone who isn't a hosting platform/shared system.

This is the single biggest misunderstanding of worst case performance impact I can remember.

# Jan 4, 2018 04:18

Notorious b.s.d. posted: figuring out where the interesting bytes are is typically why i want to leak a bunch of kernel memory, no?

ASLR-defeating info leaks are extremely common and the early version of this work was against KASLR; putting a lot of reliance on ASLR this day and age is pretty risky. This is less about getting a kernel address so you can set up your rop gadgets and more "gently caress it give me those crypto keys without bothering to get exec".

# Jan 4, 2018 19:03

akadajet posted: this poo poo again?

Lol Apple

# Jan 10, 2018 21:59

Proteus Jones posted: LOL. FBI still trying to wage a "woe is me" PR war against encryption.

First they said we helped pedophiles with encryption and now they just call us jerks.

# Jan 11, 2018 20:15

mrmcd posted: If u think about it, I bet Lowtax has access to all my shitposts and PMs.

But not your good posts

# Jan 12, 2018 02:47

mrmcd posted: I'm the poster that thinks "national intelligence and leo agencies are WATCHING ME" but also thinks they go "hmmm this encrypted traffic is all going to an IP at HostingShack LLC. Whelp I guess I've finally been bested. Guess another one got away, those foxes!"

Nation state actors are both incredibly powerful and incredibly incompetent adversaries at the same time. Also no one ever MiTMs anything beyond the first hop, and VPN services definitely don't mine your data like mad.

# Jan 12, 2018 05:19

mrmcd posted: Personally though, I have a VPN box in France because my two kinks are EU cookie warnings and making my nsa case officer deal with French bureaucrats all day.

Dirty

# Jan 12, 2018 06:30

Wiggly Wayne DDS posted:
Criminals are in it for not for exploiting hot new vulns, which the security bug hype doesn't really match up with.

# Jan 19, 2018 19:04

Wiggly Wayne DDS posted: i'm this entire thread

The cyberpunk future we deserve

# Jan 28, 2018 01:00