Wiggly Wayne DDS posted:
> First Sednit UEFI Rootkit Unveiled by Frédéric Vachon (40:53)

UEFI: turns out the only way to tell windows malware from windows commercial security software is reading the package lmao

taming the chaos: the code flow integrity part of this talk is apparently fascinating! looking forward to watching this at work in a couple weeks

Dec 28, 2018 01:17
|
Wiggly Wayne DDS posted:
> day 1 continued (i even skipped some talks!):

I played the junior CTF and went to whisk[e]yleaks, a good day 2. also got doom running on an LED display

Dec 29, 2018 02:32
|
Shame Boy posted:
> lmao that you think they do code review

also we hired you to write the code, it's not unreasonable to expect you get it right the first time and don't make mistakes

Jan 2, 2019 10:37
|
Cybernetic Vermin posted:
> at least a reasonably battle-tested compiler and no doubt proper typing, there are worse outcomes possible

yeah some ML from a grognard that's not around is way less scary than actively-maintained C

Jan 2, 2019 13:33
|
Mr. Nice! posted:
> i remember back in 2013 when i was still in the navy that you'd have to install a bunch of root certs to make most dod/navy websites functional. it was just a downloadable installer available on a .mil page, iirc. but yeah, without it most mil pages throw up errors and aren't really functional.

and even worse, if you install it, most .mil pages don't throw up errors but aren't really functional anyways

Jan 10, 2019 17:12
|
jit bull transpile posted:
> crocodile chop!

https://www.youtube.com/watch?v=kR0gOEyK6Tg

Jan 11, 2019 19:06
|
why is this in the secfuck thread tho
|
Jan 12, 2019 22:45
|
ratbert90 posted:
> If I ever caught a coworker not using a salt and hash with bcrypt I would be so loving upset. Every modern language has a canned library to do that in usually one or two lines.

like, how would you even do that lmao

Jan 13, 2019 13:02
|
ratbert90 posted:
> How would you even do what? Salt, hash and crypt a password in 2 lines?

I can't be arsed to google for 10 seconds, but none of the bcrypt libraries I've used have documented functions to do anything beyond "turn password into digest" or "tell if password matches digest"

Jan 13, 2019 23:51
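The two-call shape described above (make a digest, check a password against a digest), as an added example that is not code from the thread: it substitutes the standard library's PBKDF2-HMAC-SHA256 for bcrypt so it runs without a third-party package, and shows why the caller never handles a salt, because the salt and the cost parameter are generated inside `hash_password` and travel in the digest string that `check_password` parses back out. `needs_rehash` is an added helper for upgrading old digests, not part of any bcrypt API.

```python
import base64
import hashlib
import hmac
import os

# Added example (not code from the thread). Standard-library PBKDF2-HMAC-SHA256
# stands in for bcrypt so the block runs without a third-party package; the
# two-function shape is the same one bcrypt libraries expose.
ALGO = "pbkdf2_sha256"
DEFAULT_ROUNDS = 100_000


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return a self-describing digest 'algo$rounds$salt$hash'.

    The caller never sees or stores a salt: a fresh 16-byte random salt is
    drawn here and embedded in the returned string alongside the cost.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join([ALGO, str(rounds),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def check_password(password: str, stored: str) -> bool:
    """Recompute with the salt and rounds carried in `stored`, then compare
    in constant time. Malformed digests fail closed instead of raising."""
    try:
        algo, rounds_s, salt_b64, hash_b64 = stored.split("$")
        rounds = int(rounds_s)
        if algo != ALGO or rounds < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when a stored digest uses a lower cost than current policy, so it
    can be upgraded transparently on the next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < rounds
```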
|
florida lan posted:
> RSA is still a security conference?

RSA is a product marketing conference.

Jan 15, 2019 14:32
|
florida lan posted:
> all i learned from this is that great clips salon managers view industry conferences as an excuse to get drunk even more than tech people do

a lot of tech people are really spoiled and in many workplaces "it's 2pm and I'm at the office" is an excuse to drink

Jan 16, 2019 13:26
|
CRIP EATIN BREAD posted:
> unfettered write access to a publicly available display seems like an infosec fuckup imho

idk I wore one at both def con 2018 and 35c3 and there were a shitload of static ones at 35c3 and it was fine, most people just want to amuse themselves without hurting others. the only obnoxious behavior is people trying to "win" instead of just doing weird poo poo

Jan 16, 2019 20:26
|
jit bull transpile posted:
> i mean, the phrase sjw was literally created as an insult. it's stupid but that's where it came from.

can be both wizard and warrior, you need the warrior so your party doesn't get overrun by kobolds

Jan 17, 2019 22:02
|
I really wanna know how many lovely Wordpress plugins there are that have exactly this same problem

Jan 17, 2019 23:18
|
anyone going to shmoocon in d/c this weekend? I think I can get a ticket, and if not, I’ll be around for hallwaycon lol
|
Jan 18, 2019 05:21
|
my brothers and I got our parents a smart lock for Christmas, I should see if I can get one and gently caress with it too
|
Jan 21, 2019 15:09
|
bob dobbs is dead posted:
> Pin and tumbler locks are basically keycode locks where you don't need to remember the keycode and you don't need electricity. Anyone with the key pin lengths and knowhow can file a key. So that's why you're not supposed to take photos of keys, or at least keep photos of keys completely secure

BangersInMyKnickers posted:
> I love how most of the master keys for major cities/regions public safety departments are openly called by some series of numbers which happens to be the pin sequence. Good opsec everybody

yeah

https://www.youtube.com/watch?v=AayXf5aRFTI
https://www.youtube.com/watch?v=aVPSaKLKHd4

locks are important as a definite signal that access is forbidden in some cases, and that picking a lock is almost always something very explicit you're doing to access a space without authorization, which is a good thing to build legal frameworks on

Jan 21, 2019 15:56
|
Bhodi posted:
> somewhere in that thread she says the management company is installing them in 40,000 units, and if it's considered a success (saves them money somehow) you better believe everyone else will adopt it as well

WarDriver 40,000

Jan 21, 2019 21:18
|
Shame Boy posted:
> it's the big one yes, though generally the package repository for php is…

…the comment section of snack overflow

Jan 22, 2019 04:19
|
spankmeister posted:
> It's also nice that they used their sponsor spot to just tell a story about a cool CTF challenge, instead of actively trying to push some product.

trail of bits is a contractor doing fairly intensive research; what they're pushing is that it's cool to let them reap the difference between the fruits of your labor and your paycheck (by all reports they're a nice place to work)

Jan 22, 2019 15:03
|
Proteus Jones posted:
> It's a bit of a stretch to call DEFCON a "professional" industry conference, but yeah. Still a bit much.

yeah I'm a bit surprised that DEF CON furs is organized enough to have a budget and tax classification but it's far from the first or last organization I'd expect to see at DEF CON

less weird and off-putting than the "stripper con" types

Jan 25, 2019 13:13
|
cinci zoo sniper posted:
> the what now

flyover dipshits that think Vegas is an adult playground instead of an overstimulating capitalist hell

Proteus Jones posted:
> The cost of DEFCON is not out of reach for most people. I paid my own way for years. Then when I worked at $BIG_BANK, they sent me to Black Hat every year and I just stayed the extra days to go to DEFCON and expensed it.

get work to pay for ccc events imo, they're more fun than black hat

Jan 25, 2019 19:16
|
cut g chat in to pieces this is my last hang out
|
Jan 29, 2019 23:43
|
Shifty Pony posted:
> product idea: key holder (shelf, hooks, or mat) which operates on the same principle as these secure badge holders:

how are you supposed to use the contact part of the smart card with that poo poo on it lol

Jan 30, 2019 00:20
|
Phone posted:
> I fail to recognise the "bad practice" here. Researchers clearly asked for consent, in case of teens they have required parental consent as well, they have had clearly worded policy, they have generously paid for participation.

ok subjunctive but have you considered that maybe companies shouldn't make monitoring the user experience of teenagers their business

Jan 30, 2019 18:00
|
Shifty Pony posted:
> I think the question was more did Apple suspend the certificates for Instagram Inc and WhatsApp Inc as well or was Facebook only using Facebook Inc's enterprise certificate for all of their internal apps?

if you're at fbook and making a lovely little app to track when the company bus picks you up from the gentrification district to ferry you to Menlo Park you're probably just gonna get it deployed with the normal enterprise cert flow instead of figuring out how to use some acquisition's long-expired dev account to get a new enterprise cert

Jan 30, 2019 18:02
|
Shifty Pony posted:
> sure, but that article says that internal Instagram and WhatsApp betas were affected.

I'd guess that they do internal betas with the fbook enterprise cert and only have dev certs for instagram and whatsapp

e: that way they don't have to juggle multiple enterprise certs for fbook employees that want to beta-test all these different apps

Jan 30, 2019 18:12
|
pseudorandom name posted:
> they'd want to use the same dev cert for all their apps so the apps can access shared storage where they store the user tracking data

why would you store tracking data on the phone instead of in the datacenter? the only thing you'd want to share on-device is a login token

Jan 30, 2019 18:43
|
¯\_(ツ)_/¯ I don't use facebook and have never made an iOS app that stores data
|
Jan 30, 2019 18:50
|
does stamos work at the Menlo Park water district now 'cause he's carrying a lot of water for facebook
|
Feb 1, 2019 20:54
|
Salt Fish posted:
> DNA has 4 amino acids as it's alphabet, how do you encode an escape sequence? Like what the heck kind of processing is that lovely?

"its"

and also that's twice as many as computers got

Feb 3, 2019 18:01
|
yeah it's from 2017
|
Feb 3, 2019 20:07
|
we already knew malware could be encoded in DNA or RNA because viruses exist and kill people
|
Feb 3, 2019 20:08
|
Notorious b.s.d. posted:
> when was the last time you saw a fat client for an lob app

with the huuuuge caveat that despite everything about it electron doesn't count as "fat"

Feb 3, 2019 20:32
|
Notorious b.s.d. posted:
> when was the last time you saw a fat client for an lob app

also turn off your monitor

Feb 3, 2019 20:32
|
CRIP EATIN BREAD posted:
> reading other people's sexting is always awkward and cringe inducing.

https://twitter.com/dril/status/638936294937227264

Feb 8, 2019 16:27
|
Shame Boy posted:
> i want to get a job in "cyber engineering" or work at the "cyber range"

yeah the entire dod and presumably other countries' cheaper yet no less stupid versions of dod just love to call computer-touching "cyber"

Feb 8, 2019 17:42
|
haveblue posted:
> I'm the offensive cyber

please don't post jeff bezos's sexts here

Feb 8, 2019 17:49
|
*felix voice* the best part of waking up… is Khashoggi got cut up

Feb 8, 2019 23:00
|
Good Sphere posted:
> i don't know if it warrants a class action lawsuit, but maybe this is the only motivating factor now that will make it change. also security questions - get rid of them

a civil suit isn't necessarily punishment, it can be a customer support escalation that companies can't ignore

Feb 12, 2019 20:50