Zero day poo poo posting.

# Dec 27, 2018 03:29

# May 9, 2024 11:28

> Captain Foo posted: One of my coworkers thought that password salting was doing things like p4$$w0rD 5@L+inG

If I ever caught a coworker not using a salt and hash with bcrypt I would be so loving upset. Every modern language has a canned library to do that in usually one or two lines.

# Jan 13, 2019 07:24

> Captain Foo posted: He wasn't rolling his own or anything, just misinformed on technical details

That means he can't be arsed to Google for 10 seconds.

> Guillotine Cocoa Crispies posted: like, how would you even do that lmao

How would you even do what? Salt, hash and crypt a password in 2 lines?

# Jan 13, 2019 18:24

> Carbon dioxide posted: At least make it a haiku.

Haikus have to be about the seasons.

# Jan 13, 2019 18:25

> haveblue posted:

Beautiful!

# Jan 13, 2019 18:31

Apparently they don’t even hash/salt the PIN numbers.

# Jan 21, 2019 15:38

I ran SonarQube against our company's main product. There are 10 hardcoded usernames and passwords in our source code. Thanks, junior India developers! I had to drop everything I was doing to write a report and send it to the CFO. Luckily most of those were for demo purposes, but 4 of them were from production. But hey! We have TLS 1.3 support! It's like having a foot-thick steel door next to an open window!

# Feb 14, 2019 14:34

> Salt Fish posted: My friends want me to play Apex with them which requires an EA account. An EA account password cannot be longer than 16 characters. I found this thread:

But but but, if they are hashing and salting their passwords, then they should all be the same length in the database????
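An added example, not code from anyone in this thread: a two-function salt-and-hash plus verify in Python, using the standard library's hashlib.scrypt as a stand-in for bcrypt (bcrypt is not in the stdlib). The cost parameters and record format are this example's own choices. It shows the point made above: the stored record is the same length whether the password is 5 or 40 characters, so a 16-character cap is not something the hashing scheme needs.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters are this example's own choice, not values from the thread.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024   # scrypt needs 128 * N * r bytes = 16 MiB
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Salt and hash a password; the salt travels inside the stored record.

    The record 'scrypt$N$r$p$salt$key' has the same length for every input,
    so a 5-character and a 40-character password take identical DB space.
    """
    salt = os.urandom(SALT_BYTES)            # fresh random salt per call
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                         r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM,
                         dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant
    time; a malformed or foreign record verifies as False, never raises."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

Real bcrypt does silently truncate input at 72 bytes, so an application may cap length for that reason, but 16 characters is far below it.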

# Feb 17, 2019 14:03

My company issues a 1Password account to everybody.

# Feb 22, 2019 16:06

I really can't gage the correct spelling of gauge, or is it gage? Someone, please help me gauge this!

# Feb 23, 2019 18:27

UGGGGGHHHHH Amazon and its third-party security auditing service.

Them: "This device must have full disk encryption."

Us: "It's in a locked box, no root user, a signed bootloader, custom SELinux contexts, and a TPM for update keys; we don't have the manpower to ssh into every device and unlock the disk in the event of a power outage."

Them: "No, this won't pass without full disk encryption."

Us: "What if we auto-unlock the device on boot up?"

Them: "That will work."

Thanks checkbox checking guy for the security theater!

# Feb 26, 2019 19:00

> goddamnedtwisto posted: that's what tpm is for, surely?

No. If you can power on the device, and the device unlocks itself on boot, the TPM is useless.

# Feb 26, 2019 22:16

> Wiggly Wayne DDS posted: useless for a full physical compromise. it would allow partial compromises (e.g. stolen drive) to be mitigated

The threat model is "Somebody walking away with the box and putting malware on it."

# Feb 26, 2019 22:25

> BangersInMyKnickers posted: lol no

Ok, let me be more clear: If you can power on the device, and the device unlocks itself on boot, the key stored in the TPM for encryption is useless. The TPM also stores the update binary key, which is still useful.

# Feb 27, 2019 00:19

> ErIog posted: I have a secfuck question where I'm looking in the mirror and wondering if the secfuck is me.

Grab the source RPM and rebuild it with a newer libxml2.

# Mar 8, 2019 16:44

# May 9, 2024 11:28

> Midjack posted: motherfuckers act like they forgot about jre

# Mar 27, 2019 06:21