|
ate all the Oreos posted:wife just linked me this:

i'm 100% implementing this at some point
|
# ¿ Jun 26, 2017 23:34 |
|
surebet posted:on being completely, utterly owned by a font choice:

How the Calibri font could take down Pakistan’s prime minister
Microsoft’s default font is at the centre of an ongoing corruption investigation

Microsoft’s Calibri is a fairly innocuous font, used by default on countless numbers of Word, Excel and Powerpoint documents. The inoffensive lettering could soon topple Pakistan’s prime minister, however, after being placed at the heart of a corruption investigation.

Pakistan’s supreme court is currently deliberating a case against Nawaz Sharif, the head of the country’s government. As Al Jazeera reports, a Joint Investigative Team (JIT) encompassing police, military officials and financial regulators has been gathering evidence about the prime minister’s family’s assets. This follows a judgment by investigators that there were "significant gap[s]" in Sharif's family's ability to explain their assets and means of income. The investigation stems from the 2016 Panama Paper leak, which named three of Sharif's children as beneficiaries of offshore companies. Sharif’s political opponents claim that his properties in London were obtained through corrupt means.

Okay, so where does Calibri come in? Well, to prove her father’s innocence, Sharif’s daughter Maryam Nawaz Sharif has produced a document – allegedly from 2006 – which claims to show certain declarations of income. The JIT report, however, notes that the documents are written in Calibri, which was not made commercially available by Microsoft until 2007. The investigators say this means that the declarations are therefore incorrectly dated, and were likely created at some later point in time.

https://twitter.com/frooq/status/884494782306889730

The investigation is ongoing, so it’s too soon to tell if a misused font is enough to undermine Sharif’s case, but it certainly isn’t going to do the precariously placed politician any favours. Still, at least it wasn’t Comic Sans.
|
# ¿ Jul 12, 2017 09:21 |
|
mrmcd posted:Microsoft should change the default font on Word every year just to gently caress with really dumb forgers.

too obvious; figure out what the 100 most statistically likely pairs of consecutive characters are and encode original document creation date w/ other metadata through very subtle fractional em spacing fuckery no one except for the most attentive designer is going to notice, and they're not going to be using word anyway
|
# ¿ Jul 12, 2017 15:45 |
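The kerning scheme sketched in the reply above, worked through as an added example (this is not code from the thread): the carriers are the k most frequent letter pairs, here derived from the sample text itself rather than from a large reference corpus; the payload is the creation date as a 16-bit count of days since 1970, emitted as HTML letter-spacing spans on the first letter of each carrier pair. The 0.02em kern, the 16-bit width and the sample text are my choices.

```python
import re
from collections import Counter
from datetime import date, timedelta

KERN_EM = "0.02"     # a 1-bit widens the gap after the pair's first letter by 0.02em
EPOCH = date(1970, 1, 1)
SPAN_RE = re.compile(r'<span style="letter-spacing:[0-9.]+em">(.)</span>')

# Constructed cover text; carriers are derived from it below.
TEXT = ("The declarations of income were typed in a font that was not released "
        "until the following year, so the dating of the document was questioned. "
        "A subtler tell is the spacing between common letter pairs, which most "
        "readers never notice and most word processors never touch.")


def common_bigrams(corpus, k=100):
    """The k most frequent letter pairs; encoder and decoder must derive the same set."""
    letters = re.sub(r"[^a-z]", "", corpus.lower())
    counts = Counter(letters[i:i + 2] for i in range(len(letters) - 1))
    return {bg for bg, _ in counts.most_common(k)}


def date_to_bits(iso, nbits=16):
    days = (date.fromisoformat(iso) - EPOCH).days
    return [(days >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def bits_to_date(bits):
    days = 0
    for b in bits:
        days = (days << 1) | b
    return (EPOCH + timedelta(days=days)).isoformat()


def embed(text, bits, carriers):
    """Emit HTML in which each occurrence of a carrier pair carries one payload bit."""
    todo, out = list(bits), []
    for i, ch in enumerate(text):
        if todo and text[i:i + 2].lower() in carriers:
            if todo.pop(0):
                out.append(f'<span style="letter-spacing:{KERN_EM}em">{ch}</span>')
                continue
        out.append(ch)
    if todo:
        raise ValueError("not enough carrier pairs for %d bits" % len(bits))
    return "".join(out)


def strip_spans(html):
    return SPAN_RE.sub(r"\1", html)


def extract(html, carriers, nbits=16):
    """Note which characters were kerned, strip the markup, re-scan for carriers."""
    kerned, pos = [], 0
    for m in SPAN_RE.finditer(html):
        kerned += [False] * (m.start() - pos)
        kerned.append(True)
        pos = m.end()
    kerned += [False] * (len(html) - pos)
    text = strip_spans(html)
    bits = [1 if kerned[i] else 0
            for i in range(len(text)) if text[i:i + 2].lower() in carriers]
    return bits[:nbits]


def roundtrip(text, iso):
    """Embed a date into `text` and read it back; returns the recovered ISO date."""
    carriers = common_bigrams(text)
    return bits_to_date(extract(embed(text, date_to_bits(iso), carriers), carriers))


if __name__ == "__main__":
    carriers = common_bigrams(TEXT)
    html = embed(TEXT, date_to_bits("2006-05-15"), carriers)
    print(html)
    print(bits_to_date(extract(html, carriers)))
```

The mark only survives as long as the layout does: converting to plain text, re-typing, or a renderer that ignores letter-spacing destroys it, which is the same fragility as the Calibri tell (evidence that exists only until someone re-creates the file).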
|
ate all the Oreos posted:did anyone ever get a reason why? i want to poo poo talk about lovely US politics but D&D seems to be full of awful people and "ironic" unironic

i'd be mega down for a new thread that follows the model of the first one, with alternating opsec fuckups & us polchat. i need a place to stare in disbelief at current events and while i do read a few pages of trumpchat in d&d, lol at the idea of keeping up with that thread

my bitter bi rival posted:Calibri more like Sans Sharif

ThePeavstenator posted:I shot the Sharif, but I did not shoot the Calibri.

ratbert90 posted:They say it was a Capital offense!

jfc nice!
|
# ¿ Jul 12, 2017 22:59 |
|
Jimmy Carter posted:my girlfriend just started as IT person #1 at an office of like 60 and they are apparently freaking out that they don't 'have a firewall' yet

late, but have her take a look at the log on the ap and do a quick audit of what's allowed to connect and what connected recently. if the number of recent unique clients is anything above a rounding error of authorized laptops + phones + whatever stupid iot poo poo's in the office, burn everything down and re-issue, then have management make it an actionable offence to share creds to visitors or whatever

if you have any significant amount of visitors that require connectivity, you're already well into outsourcing asap territory, especially if you're running a flat network. have management green light funds for contractors & gear yesterday
|
# ¿ Jul 13, 2017 03:53 |
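The quick audit described above, as an added example (not code from the thread): parse association events out of the AP's log, keep the clients seen inside a window, and diff them against the inventory. The log lines are constructed in hostapd's syslog format, the inventory is made up, and the year is passed in because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: hostapd association events as they appear in syslog.
SAMPLE_LOG = """\
Jul 10 08:02:11 ap01 hostapd: wlan0: STA 3c:22:fb:10:aa:01 IEEE 802.11: associated (aid 1)
Jul 10 08:05:40 ap01 hostapd: wlan0: STA 3c:22:fb:10:aa:02 IEEE 802.11: associated (aid 2)
Jul 10 12:15:02 ap01 hostapd: wlan0: STA 3c:22:fb:10:aa:01 IEEE 802.11: disassociated
Jul 11 09:00:13 ap01 hostapd: wlan0: STA f0:18:98:55:01:77 IEEE 802.11: associated (aid 3)
Jul 12 13:37:00 ap01 hostapd: wlan0: STA 8c:85:90:ab:cd:ef IEEE 802.11: associated (aid 4)
Jul 12 18:45:21 ap01 hostapd: wlan0: STA 3c:22:fb:10:aa:02 IEEE 802.11: associated (aid 2)
May 01 10:00:00 ap01 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated (aid 9)
"""

# Constructed inventory (MAC -> asset). Take this from the asset list or MDM,
# never from the AP's own client table, or you are auditing the AP against itself.
AUTHORIZED = {
    "3c:22:fb:10:aa:01": "laptop-alice",
    "3c:22:fb:10:aa:02": "laptop-bob",
    "f0:18:98:55:01:77": "phone-alice",
}
SAMPLE_NOW = datetime(2017, 7, 13)   # "now" for the sample run
SAMPLE_YEAR = 2017

ASSOC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ hostapd: \S+: "
    r"STA (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) IEEE 802\.11: associated"
)


def associations(log_text, year):
    """Yield (timestamp, mac) for every association event in the log."""
    for line in log_text.splitlines():
        m = ASSOC_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["mac"].lower()


def audit(log_text, authorized, now, year, window_days=30):
    """Unique clients seen within the window, split into inventoried and unknown."""
    cutoff = now - timedelta(days=window_days)
    last_seen = {}
    for ts, mac in associations(log_text, year):
        if ts >= cutoff and ts > last_seen.get(mac, datetime.min):
            last_seen[mac] = ts
    known = {m: authorized[m] for m in last_seen if m in authorized}
    unknown = {m: ts.isoformat(" ") for m, ts in last_seen.items()
               if m not in authorized}
    return {
        "recent_unique": len(last_seen),
        "known": known,
        "unknown": unknown,
        # anything not in inventory is the "above a rounding error" signal
        "reissue": bool(unknown),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, AUTHORIZED, SAMPLE_NOW, SAMPLE_YEAR)
    for mac, when in sorted(result["unknown"].items()):
        print(f"UNKNOWN {mac} last associated {when}")
    print("rotate PSK and re-issue:", result["reissue"])
```

Widen `window_days` until it covers at least one full lease/log rotation cycle, and expect the unknown list to be noisier on networks where phones randomise their MAC per SSID; those still need matching to a person before they count as authorised.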
|
re: unaltered windows, there's a bunch of stuff on my precision that's not handled natively and requires dell spec drivers. just off the top of my head my quadro outright rejects stock nvidia drivers & ddp stuff i'm not sure i can even talk with my biometrics

oems providing drivers installed is fine even if a reference copy of windows can make sense of the hardware imho, as long as the extra content is of actual use and not bullshit bloatware. in my ideal world, a new machine would submit a manifest of what's been hosed with by the oem, with clear this is a driver & this is ~bonus additional content~ that requires a user to opt into. i mean i do use a couple non-critical things from dell like their more granular (wrt hardware options) power manager & their precision optimizer thing, had i had the choice i would've opted in to at least check them out

running on an opt-in system wouldn't even be a financial hit for oems, since even if you lose 10-20% of the user yield they can still look advertisers right in the eye and say "this is the deal now, get hosed if you don't like it". they get paid for delivery, maybe with a bonus for conversion, but the same people that would opt out are already uninstalling anyway

re: users installing windows on arrival, at this point installing windows is literal child's play, but as a consumer i'd expect my thing to arrive at my door ready to run out of the box, even as a weirdo that'll still do a clean install and re-image regularly. i'm also 90% sure you have to ship systems with the os installed to qualify for the massive oem discount, ms stopped issuing actual serials for oem licences somewhere around win7 or 8
|
# ¿ Jul 13, 2017 04:19 |
|
FAT32 SHAMER posted:the main issue would be all the smaller Chinese and Korean companies that are super ok with only making $5-$15/unit to Americans who don't understand that buying a $200 piece of poo poo every two years is more expensive than buying a $600 computer every six years

there's a non trivial amount of people that'll buy $1000 cars (if even), $200 laptops and $50 prepaid phones; i can't say what the ratio of "straight up poverty" to "doesn't care/understand" is, but those $200 computers allow a whole bunch of people who would otherwise be priced out to have access to basic internet & computing. $600 is out of reach for a whole bunch of people, even if it's the superior choice per any other metric imaginable. the cheap, quickly replaced hardware market is also good money because of the volume & velocity, i don't see oems getting out of it any time soon because that would just be giving the market to china/used sales

agreed that anyone else able to spend a bit more should, i spent a fair amount of time in 2015-2016 successfully arguing with family members & friends for whom i run computer janitor services to double up on their expected spend for their next replacement, and as if by magic the number of calls i had to field in 2017 dropped by 80%, plus they get to actually run stuff released in the 2010s
|
# ¿ Jul 13, 2017 04:50 |
|
yosmas 2017 suggestion: http://enigmamuseum.com/replica/
|
# ¿ Jul 13, 2017 04:51 |
|
Jimmy Carter posted:The current wifi solution for the office has been discovered: they're using the combo router/AP that FiOS comes with

lemme guess, there's nothing between that and the server that stores all the proprietary, financial & hr stuff? lol

time to show up at the office and smash that ap with a fire extinguisher, it's the only way to make sure they put out that garbage fire. your gf needs to immediately with these responsibilities if management isn't game to throw money at this right now
|
# ¿ Jul 13, 2017 06:56 |
|
goddamnedtwisto posted:Any idea how much that would cost? i'm guessing "way too much for a toy" just because of the sheer amount of labour required, but man i'd love to have an enigma machine

i'm kinda curious too, there's an email at the bottom to inquire but i don't want to bother the dude just to do some tire kicking. i'd have to assume it's well into the four figgies and tbh five wouldn't surprise me
|
# ¿ Jul 13, 2017 10:15 |
|
you can get digital kits for a more reasonable price: http://www.stgeotronics.com/Enigma-Replica_c3.htm not the same as old school analog tech, but i'd still argue it's a neat demo of many principles
|
# ¿ Jul 13, 2017 10:40 |
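For the "demo of many principles" angle, here is a three-rotor Enigma I simulator added as an example (not code from the kit vendor or from the thread): historical rotor I-III and reflector B wirings, ring settings, plugboard and the double-stepping anomaly. The check value is the standard one, rotors I II III with every setting at A enciphering AAAAA to BDZGO.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Historical Enigma I wirings and turnover notches (rotors I-III, reflector B).
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Enigma:
    """Plugboard -> right, middle, left rotor -> reflector -> back out -> plugboard."""

    def __init__(self, order=("I", "II", "III"), positions="AAA",
                 rings="AAA", plugboard=""):
        self.wiring = [ROTORS[r][0] for r in order]            # left, middle, right
        self.notch = [ALPHA.index(ROTORS[r][1]) for r in order]
        self.pos = [ALPHA.index(c) for c in positions.upper()]  # letters in the windows
        self.ring = [ALPHA.index(c) for c in rings.upper()]     # Ringstellung
        self.plug = {c: c for c in ALPHA}
        for pair in plugboard.upper().split():                  # e.g. "AB CD EF"
            a, b = pair
            self.plug[a], self.plug[b] = b, a

    def window(self):
        return "".join(ALPHA[p] for p in self.pos)

    def _step(self):
        # Rotors step before the letter is enciphered. The middle rotor steps
        # when the right rotor sits at its notch, and steps again (dragging the
        # left rotor along) when it sits at its own notch: the double step.
        if self.pos[1] == self.notch[1]:
            self.pos[1] = (self.pos[1] + 1) % 26
            self.pos[0] = (self.pos[0] + 1) % 26
        elif self.pos[2] == self.notch[2]:
            self.pos[1] = (self.pos[1] + 1) % 26
        self.pos[2] = (self.pos[2] + 1) % 26

    def _rotor(self, i, c, forward):
        # The core is offset from the entry contacts by position minus ring setting.
        shift = (self.pos[i] - self.ring[i]) % 26
        x = (c + shift) % 26
        y = ALPHA.index(self.wiring[i][x]) if forward else self.wiring[i].index(ALPHA[x])
        return (y - shift) % 26

    def _encipher(self, ch):
        self._step()
        c = ALPHA.index(self.plug[ch])
        for i in (2, 1, 0):                    # right to left into the reflector
            c = self._rotor(i, c, True)
        c = ALPHA.index(REFLECTOR_B[c])
        for i in (0, 1, 2):                    # and back out, left to right
            c = self._rotor(i, c, False)
        return self.plug[ALPHA[c]]

    def process(self, text):
        """Encrypt or decrypt (the machine is its own inverse); non-letters are dropped."""
        return "".join(self._encipher(ch) for ch in text.upper() if ch in ALPHA)


if __name__ == "__main__":
    print(Enigma().process("AAAAA"))                           # BDZGO
    key = dict(order=("III", "I", "II"), positions="QEV", rings="BCD", plugboard="AB CD EF")
    ct = Enigma(**key).process("attack at dawn")
    print(ct, Enigma(**key).process(ct))
```

The reflector is what makes the machine reciprocal, and the same reflector guarantees that no letter ever enciphers to itself; that property is what let Bletchley slide a guessed plaintext along a ciphertext and discard every alignment with a collision.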
|
Carbon dioxide posted:Several weeks ago I got a letter from my housing company, informing me that they had made a new website (subdomain of their main site) with a secure environment where their customers, (tenants), could login to view their personal information and update it online. The letter assured me that the website was double checked by some security company and deemed safe.

the site has obviously been compromised and the email you sent was received by whoever is in control. alerted by your snooping, they just added a cert temporarily and in about a week once you'll never visit that site again they'll just revert the change and resume passive capture of the data & credentials

since anyway the scrub tier bottom-of-the-barrel ~web developer~ your housing company contracted the work to will eventually have to respond to the multiple daily, panic filled voice mails left by their client. he'll leap into action and reset the credentials of the account, stored in the web server he runs in his basement. it's an older machine, but it's still able to run that cracked copy of adobe cs6 he got off of thepiratebay. slightly concerned about the integrity of his client's data, he'll copy over the plain text file in which client info & financials are stored to the always plugged in thumb drive. "good, that's taken care of", he thinks, as he starts writing an excuse filled email to the client, explaining how he was super busy over the last couple weeks but how he also spent a ton of time doing advanced threat analysis and that his bill for this month will be a bit higher.

meanwhile, unaware that your info has already been sold over and over again, you decide to treat yourself and buy that thing you wanted off of ebay. you place the order, but strangely a couple days later you get an email mentioning the order was cancelled. "bah, no biggie, the seller must've run out, i'll shop for the thing again when i have a moment next weekend".

since you're a busy guy, you forget about the whole thing and a few weeks later the police show up at your door; they'd like to ask you a few questions about your recent suspicious activity, turns out the gift card was purchased with a stolen credit card.
|
# ¿ Jul 15, 2017 01:59 |
|
yoloer420 posted:It emulates a keyboard to pop your browser and enter a url. So it isn't a flash drive or whatever.

i've seen a usb-drive-in-a-pet-collar at my local store, i'm not 100% sure why you wouldn't just get an engraved medal with your phone number but whatever. you could get a bunch of the cutest kittens and puppies from your local shelters, strap them with malware drives and start dropping them in and around your target's building. i mean, what kind of monster wouldn't try to get a lost pet home?

please don't do this
|
# ¿ Jul 15, 2017 02:23 |
|
https://www.youtube.com/watch?v=DMNSvHswljM
|
# ¿ Jul 15, 2017 03:59 |
|
actual security research question: i'm getting curious about how those free flashlight apps & ad infested games on android work and i've started to pull a couple apart with apktool, sniffing traffic with wireshark & even had some limited success loving around with ida

one thing that i'm still struggling with is a bunch of files with an xml extension; androidmanifest.xml files get extracted correctly by apktool, but a bunch of other xml files (if they're even xml, but in the case of the app i'm having issues with nothing else seems obfuscated so v0v) are coming out as complete gibberish

i seem to be lacking the correct words to google my way through this issue as usual. pretty much anything i try to describe as "apktool * broken xml" refers back to axmlprinter, which apparently only works on manifest files. i gave dex2jar a go, but i'm not interested in the code of the app as much as those resource files

any ideas how i should hit this next?
|
# ¿ Jul 15, 2017 10:57 |
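Resource XML inside an APK is compiled into Android's chunked binary format (the same ResChunk layout resources.arsc uses), so a file that ends in .xml but opens as gibberish is usually that. The example below is added here (not the thread's or any tool's code): it classifies a file by its first chunk header and decodes every top-level string pool, which is where the namespace URIs, attribute names and literal values live. The chunk type constants come from Android's ResourceTypes.h; `build_axml` fabricates a minimal test file (header plus one string pool, where a real file continues with resource-map and element chunks) and the sample strings are made up.

```python
import struct

# Chunk types from Android's ResourceTypes.h.
RES_STRING_POOL_TYPE = 0x0001
RES_TABLE_TYPE = 0x0002        # resources.arsc
RES_XML_TYPE = 0x0003          # compiled manifest/layout XML ("AXML")
UTF8_FLAG = 0x100              # ResStringPool_header.flags

SAMPLE_STRINGS = ["android", "http://schemas.android.com/apk/res/android",
                  "versionCode", "com.example.flashlight"]   # constructed


def classify(data):
    """Say what a file that merely ends in .xml actually is."""
    if data.lstrip()[:1] == b"<":
        return "plain-text XML"
    if len(data) < 8:
        return "too short"
    ctype, _hsize, _size = struct.unpack_from("<HHI", data, 0)
    return {RES_XML_TYPE: "compiled XML (AXML)",
            RES_TABLE_TYPE: "resource table",
            RES_STRING_POOL_TYPE: "bare string pool"}.get(ctype, "unknown chunk type 0x%04x" % ctype)


def _u8_len(data, p):           # 7-bit length, high bit means a second byte follows
    n = data[p]; p += 1
    if n & 0x80:
        n = ((n & 0x7f) << 8) | data[p]; p += 1
    return n, p


def _u16_len(data, p):          # 15-bit length, high bit means a second u16 follows
    n = struct.unpack_from("<H", data, p)[0]; p += 2
    if n & 0x8000:
        n = ((n & 0x7fff) << 16) | struct.unpack_from("<H", data, p)[0]; p += 2
    return n, p


def read_string_pool(data, off):
    """Decode the ResStringPool chunk at `off` into a list of strings."""
    (ctype, hsize, _size, count, _styles, flags,
     strings_start, _styles_start) = struct.unpack_from("<HHIIIIII", data, off)
    if ctype != RES_STRING_POOL_TYPE:
        raise ValueError("not a string pool chunk")
    offsets = struct.unpack_from("<%dI" % count, data, off + hsize)
    out = []
    for o in offsets:
        p = off + strings_start + o
        if flags & UTF8_FLAG:
            _, p = _u8_len(data, p)          # length in UTF-16 units (not needed)
            n, p = _u8_len(data, p)          # length in bytes
            out.append(data[p:p + n].decode("utf-8"))
        else:
            n, p = _u16_len(data, p)         # length in UTF-16 units
            out.append(data[p:p + 2 * n].decode("utf-16-le"))
    return out


def string_pools(data):
    """Walk the top-level chunks of an AXML file or resource table; return each pool."""
    ctype, hsize, size = struct.unpack_from("<HHI", data, 0)
    if ctype not in (RES_XML_TYPE, RES_TABLE_TYPE):
        raise ValueError(classify(data))
    pools, pos = [], hsize
    while pos + 8 <= min(size, len(data)):
        ct, _, csize = struct.unpack_from("<HHI", data, pos)
        if csize < 8:
            break                            # corrupt chunk, don't loop forever
        if ct == RES_STRING_POOL_TYPE:
            pools.append(read_string_pool(data, pos))
        pos += csize
    return pools


def build_axml(strings, utf8=True):
    """Constructed test data: AXML header followed by one string pool."""
    offsets, body = [], bytearray()
    for s in strings:
        offsets.append(len(body))
        if utf8:
            enc = s.encode("utf-8")
            body += bytes([len(s), len(enc)]) + enc + b"\x00"
        else:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)       # chunks are 4-byte aligned
    hsize = 28
    strings_start = hsize + 4 * len(strings)
    pool = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, hsize, strings_start + len(body),
                       len(strings), 0, UTF8_FLAG if utf8 else 0, strings_start, 0)
    pool += b"".join(struct.pack("<I", o) for o in offsets) + bytes(body)
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(pool)) + pool


if __name__ == "__main__":
    blob = build_axml(SAMPLE_STRINGS)
    print(classify(blob))
    for pool in string_pools(blob):
        print(pool)
```

Run `classify` over every .xml in the unpacked APK first; anything reported as AXML is binary by design, not obfuscation, and the decoded pool gives you the hostnames and resource names to grep for before you bother with the code.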
|
FAT32 SHAMER posted:but yeah best success ive had is with classyshark

oh man, that hits the spot perfectly. thanks guys!
|
# ¿ Jul 15, 2017 19:16 |
|
cinci zoo sniper posted:here we just get hosed because from any of workstations in my dept you can access full records of every customer [of a company subject to strict regulatory compliance of bunch of countries including us of a]

ha, try working in small accounting shops; all of the regulatory burden, none of the money to hire people who know what the gently caress a computer is

we had an archival box that was setup by the friend of a friend of one of the kids of someone who left 5 years ago or something and no one had the admin credentials, and only one account's credential escaped the sands of time so pretty much everyone was using that. it was accessible remotely from inside and outside the network, so the second you checked the external ip there was nothing preventing you from remoting in from a starbucks and doing whatever

i did an internship there so i was gone after 12 weeks, but man, that whole thing scared the bejesus out of me
|
# ¿ Jul 19, 2017 13:35 |
|
cinci zoo sniper posted:we have like four different structural entities dealing with compliance and regulatory affairs

another, significantly larger place (~100 users) i worked at issued credentials with the same default password. i know for a fact that most of them kept the default password because most of them had it on a post-it on their monitor. "only" client addresses in this case (manufacturing & sales company), externally accessible, most often heard response to "what the poo poo, why?" was "i don't have anything to hide"
|
# ¿ Jul 19, 2017 21:13 |
|
any defcon streams expected this year? i'd love to watch a few talks, i hope i don't have to wait months for them to show up on youtube
|
# ¿ Jul 20, 2017 12:35 |
|
cinci zoo sniper posted:hackers can turn your segway into a bomb

man, hackers sure hate those hoverboards
|
# ¿ Jul 20, 2017 19:40 |
|
password chat: i'm sure i'm not the first one to think of this, but since i'm not able to convince some people to use unique, long & complex passwords w/ managers, how good/bad would it be to tell them to change their current creds to something like the password typed 5x times in a row?

i know they use super short creds (not hard to count types when they go at it 2 fingered) and i'm pretty sure they're the kind of people who'll use the same pass everywhere; they also use the same [first name].[last name]@ on their personal & corp accounts, so i have concerns about people doing paypal/ebay/amazon/linkedin corroboration being able to pop accounts

eventually i'd hope to get those people onboarded into password managers & generally better opsec, but for now i'm looking for an easy concession to get from people over whom i have no authority
|
# ¿ Jul 24, 2017 17:57 |
|
flakeloaf posted:i'd imagine it depends on the attack you're trying to mitigate

i guess at this stage just preventing password reuse, or rather encouraging users to double down on it, since i'm pretty sure their creds are floating out there. unfortunately, this client subcontracted their it stuff and the people i need to risk manage are the ones telling the third party dudes to gently caress off with complexity reqs, so beyond telling them they should get it together i can't do much

multiples of their current passwords would both make them harder to throw gpus at and also prevent an intrusion because their ashley madison creds are in the wild

baby steps...
|
# ¿ Jul 24, 2017 20:42 |
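What the "5x" concession buys against each attack in the exchange above, as an added example (not code from the thread): a rule-based cracker seeded with a leak recovers the repeated variant in one pass, because repetition is a standard mangling rule, while an uninformed brute force really does have to pay for the extra length. The leak list is constructed and SHA-256 stands in for whatever the target stores; a slow hash changes the cost per guess, not the number of guesses.

```python
import hashlib

# Constructed "leak": base passwords already sitting in a public dump.
LEAK = ["hunter2", "letmein", "sunshine", "monkey"]


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def mangle(word):
    """Candidates a rule-based cracker derives from one leaked word.
    Repetition is an off-the-shelf rule (hashcat's d / pN), so
    'letmeinletmeinletmeinletmeinletmein' is one rule away from 'letmein'."""
    yield word
    for n in range(2, 7):
        yield word * n
    yield word.capitalize()
    for d in range(10):
        yield f"{word}{d}"


def crack(target_hash, leak=LEAK, hashfn=sha256_hex):
    """Return (password, guesses) if a leaked base plus one rule hits the hash."""
    guesses = 0
    for base in leak:
        for cand in mangle(base):
            guesses += 1
            if hashfn(cand) == target_hash:
                return cand, guesses
    return None, guesses


def keyspace(length, alphabet_size=26):
    """Guesses an attacker with no leak has to budget for a password of this length."""
    return alphabet_size ** length


if __name__ == "__main__":
    stored = sha256_hex("letmein" * 5)        # the "5x" concession, with a leaked base
    print(crack(stored))                      # found in a couple of dozen guesses
    print(crack(sha256_hex("xq7!Lk"))[0])     # not derivable from the leak: None
    print(keyspace(35) // keyspace(7))        # what the extra length costs a blind brute force
```

The check is the same in both directions: if the base is in a dump (which the thread assumes it is), the repeated form adds a handful of guesses; only a password that is not derivable from anything leaked makes the keyspace number mean anything.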
|
maskenfreiheit posted:fun reverse of this story: Amex wouldn't let me create a username unless it had at least 2 #s.

my bank still forces people to use their debit card # as the userid and limits the password to 8 characters letters and numbers only. the mobile app doesn't support biometrics, 2fa isn't a thing on any personal accounts to my knowledge
|
# ¿ Aug 21, 2017 21:05 |
|
pretty sure the other major canadian banks' apps allow you to finger your way in
|
# ¿ Aug 21, 2017 21:33 |
|
well this sure is a novel take on the good ol' reply all issue

https://www.theverge.com/platform/amp/2017/8/30/16226028/essential-customer-email-drivers-license-phishing

quote:On Aug 29, 2017, at 9:23 PM, Customer Care customercare@essential.com wrote:

quote:Dozens of customers replied with their personal information, but those emails didn’t just go to Essential; they went out to everybody who had received the original email. That means that an unknown number of Essential customers are now in possession of each other’s drivers license, birth date, and address information.
|
# ¿ Aug 31, 2017 01:59 |
|
Schadenboner posted:E: We really need a red-hatted :MAGAsay:.
|
# ¿ Sep 1, 2017 00:13 |
|
goddamnedtwisto posted:hard drives are actually pretty loving sturdy, they dumped it through a concrete crusher too and it was still kinda recognisable

obligatory defcon talk: https://www.youtube.com/watch?v=-bpX8YvNg6Y

hard drives are weird; on the one hand i've had some brand new enterprise ones fail because gently caress you, that's why, but i've also dropped a couple by accident in a stairwell and the cases were a bit banged up but they were happy to run well past their MTBF
|
# ¿ Sep 1, 2017 00:20 |
|
Lain Iwakura posted:i plan to plastidip the magnets so i figured this was going to be fun. i'll probably keep the platters for something later. the rest can be trashed

if you're scrounging for components this is fine, but doing this kind of work at scale is going to be crazy labor intensive

i forget who i did business with in montreal (maybe shred-it or iron mountain, not sure), but they had a big ol' truck that would show up a couple times a year and destroy documents and media on site (because i didn't want to trust a third party chain of custody for client financial info and also chucking whole banker boxes in a gently caress off huge shredder is kinda fun) and they absolutely destroyed hard drives

might not make sense just to dispose of small assets like only hard drives, but i'm sure your buddies down in accounting have a bunch of stuff to destroy that they're probably just putting in their recycling bins. pretty much any medium sized office or above generates enough confidential crap to justify the $10/box or $100/bin they charge and it's a great talking point to open up a conversation about larger physical sec issues
|
# ¿ Sep 1, 2017 04:13 |
|
while we're on the subject, is ram disposal still a thing? we try to donate our old towers (which aren't overly powerful but are still miles ahead of the usual stuff they'd get from gov't surplus, i think we're surplussing gen 2/3 i5 boxes now) to local orgs and we're pulling drives and memory; drives i get but memory?
|
# ¿ Sep 1, 2017 05:36 |
|
counterpoint: our surplus stuff spends at least a few months in a locker somewhere, powered off. i'm like 90% sure there's a pretty short window in which data can be recovered via freezing, iirc you need to dunk the chips while the system is on or very recently powered off
|
# ¿ Sep 1, 2017 06:29 |
|
so what i'm hearing is "stop burdening local orgs getting computers with added costs of ram purchases", right?
|
# ¿ Sep 2, 2017 13:36 |
|
unfortunately drive removal is mandated by audit reqs but i think someone just started trashing ram sticks when they saw gov't surplus auctions with them removed i don't mind the cargo cult-y stuff when it's harmless but it's costing time on our end to pull sticks and money on the other to replace them, so i'll talk to people
|
# ¿ Sep 2, 2017 14:24 |
|
wolrah posted:This one's always struck me as a matter of what threats you're trying to secure against.

yeah but a pin will keep randos out just fine, without giving people a false sense of security in other contexts
|
# ¿ Sep 5, 2017 19:48 |
|
spankmeister posted:Biggest downside to fingerprint unlock imo is that it's able to be done without your consent

same for facial, and i guess rubber-hose cryptanalysis (or more realistically detention until compliance) renders the consent issue a bit moot for the average user w/ a pin
|
# ¿ Sep 5, 2017 22:47 |
|
maskenfreiheit posted:not sure i want to jam my hands in my pocket when getting pulled over by a police officer hostile enough that i don't trust them to physically force me to open my iphone

you indeed shouldn't be loving around with your pockets if you're being held at gunpoint, but at that point you're probably going to get tackled by cops #2 through #7 within the next moments, so focus on following the instructions given and get through the poo poo that's coming your way.

if you're in a tsa line and you see them doing random phone checks, hit that home button a bunch. if you're held but not arrested by a cop that asks you for your device, cooperate, state that you're reaching in your left/right pocket and give that home button the ol' 5 poke as you take it out. if you've been arrested, unless they have the presence of mind of swiping the phone against your finger while also immobilizing you, you'll have to touch the device to unlock it even if you're in handcuffs

also please don't pull this poo poo unless you have some real good reason, because if they figure out what you just did and you refuse to comply with providing them a pin, i'm sure there's a slew of obstruction of justice or evidence tampering charges they can slap you with. ianal of course
|
# ¿ Sep 6, 2017 04:14 |
|
https://twitter.com/_grendan/status/905844826771476480
|
# ¿ Sep 7, 2017 19:24 |
|
sell at average and buy the dip, easy 10-20% profit if you discount the possibility of getting reamed by the feds
|
# ¿ Sep 8, 2017 08:18 |
|
@taviso is also pretty solid
|
# ¿ Sep 8, 2017 16:28 |
|
my bitter bi rival posted:im dumb and not very familiar with large ransomware stories so: would some sort of insurance policy that equifax has cover a ransom like that?

i'm also dumb and not super familiar with insurance case law, but i'd guess this isn't a standard risk covered and even with an additional insurance rider that covers wizardsec stuff you still need to pass a due diligence audit prior to any kind of payout, which i'd have to assume they'd fail hard
|
# ¿ Sep 9, 2017 06:04 |
|
please tell me they'll send you a confirmation email around the time you ask for this lol
|
# ¿ Sep 9, 2017 13:58 |