ErIog posted:The misguided notion that you're going to do a better job checking certs than the cert system itself. It does make retarded kind of sense, but it also always ends up with them doing a far weaker implementation. They're not 100% wrong. If they were to do a good job and provide an extra layer in the cert chain then on a long enough timeline they could provide value. They're never going to do that, though. The impulse is understandable. The execution is unconscionable. i of course mention this as my friend is complaining that ESET has installed such a cert; weirdly enough it avoids overpowering the EV certs but it's still disconcerting to see "ESET SSL Scan" instead of say, "Let's Encrypt X3" e: horrible snype
|
# ? Mar 6, 2017 13:28 |
|
|
ErIog posted:The misguided notion that you're going to do a better job checking certs than the cert system itself. It does make retarded kind of sense, but it also always ends up with them doing a far weaker implementation. They're not 100% wrong. If they were to do a good job and provide an extra layer in the cert chain then on a long enough timeline they could provide value. They're never going to do that, though. The impulse is understandable. The execution is unconscionable. They don't care so much about checking certs, they just want to inspect the content, and it's easier to just sit on the stream than have to integrate with a billion different browsers and apps that embed web views that all present the page in a different way (if at all).
|
# ? Mar 6, 2017 13:47 |
|
wolrah posted:I'm pretty sure I've seen a full IP-over-DNS solution implemented a while back as a way to bypass certain captive portals. iodine is what I use. Have yet to find a captive portal that blocks it.
|
# ? Mar 6, 2017 14:52 |
|
BillWh0re posted:They don't care so much about checking certs, they just want to inspect the content, and it's easier to just sit on the stream than have to integrate with a billion different browsers and apps that embed web views that all present the page in a different way (if at all). Feels pretty unnecessary/overreaching for them to do that even for this reason.
|
# ? Mar 6, 2017 15:02 |
|
Chalks posted:Feels pretty unnecessary/overreaching for them to do that even for this reason. no poo poo
|
# ? Mar 6, 2017 15:08 |
|
Malware isn't going to be giving you SNI data to inspect and doing a full MITM allows you to inspect/flag/block traffic to known malware c&c domain names in addition to IPs regardless of it matching a signature. It's a helpful control if executed correctly.
|
# ? Mar 6, 2017 15:08 |
|
BangersInMyKnickers posted:Malware isn't going to be giving you SNI data to inspect and doing a full MITM allows you to inspect/flag/block traffic to known malware c&c domain names in addition to IPs regardless of it matching a signature. It's a helpful control if executed correctly. maybe at the gateway level but on individual machines it seems like it would be pretty easy for the malware to just bypass it
|
# ? Mar 6, 2017 15:15 |
|
ate all the Oreos posted:maybe at the gateway level but on individual machines it seems like it would be pretty easy for the malware to just bypass it Depends on how you're doing it. The driver sits on the network stack and pulls all 443 traffic and does some additional sniffing to find connections on alternative ports. If you're doing alternate ports then you're going to have a harder time not getting noticed rather than mixing your traffic in with all the other HTTPS connections.
|
# ? Mar 6, 2017 15:21 |
|
That seems like something the OS could provide access to in a way that won't break security quite so bad
|
# ? Mar 6, 2017 15:25 |
|
ErIog posted:The misguided notion that you're going to do a better job checking certs than the cert system itself. It does make retarded kind of sense, but it also always ends up with them doing a far weaker implementation. They're not 100% wrong. If they were to do a good job and provide an extra layer in the cert chain then on a long enough timeline they could provide value. They're never going to do that, though. The impulse is understandable. The execution is unconscionable. No, they don't think this at all. They just want to look into all the traffic so they can use their signatures on the unencrypted data. e: whoops new page
|
# ? Mar 6, 2017 15:28 |
|
Shaggar posted:That seems like something the OS could provide access to in a way that wont break security quite so bad That'll work for things using schannel but anything doing an embedded garbage pile openssl library is going to dance right around it. You could probably lock it down by blocking/prompting on anything attempting to do outbound TLS with their own libraries but that would just be one more dialog for a home user to click through blindly and you would still need to do MITM there or just let it go without inspection.
|
# ? Mar 6, 2017 15:39 |
|
I know your response is that everything should use schannel and that is Correct because it is The Best, but unfortunately there are people with bad brains who create garbage software on Windows
|
# ? Mar 6, 2017 15:40 |
|
yes everything should use schannel and anything that doesn't should be prevented from connecting with no bypass mechanism
|
# ? Mar 6, 2017 15:44 |
|
http://www.csoonline.com/article/3176433/security/spammers-expose-their-entire-operation-through-bad-backups.html lmao
|
# ? Mar 6, 2017 18:14 |
|
pwnt and all but tbh i don't remember the last piece of spam i got.
|
# ? Mar 6, 2017 18:22 |
|
BillWh0re posted:They don't care so much about checking certs, they just want to inspect the content, and it's easier to just sit on the stream than have to integrate with a billion different browsers and apps that embed web views that all present the page in a different way (if at all). long time no see
|
# ? Mar 6, 2017 18:47 |
|
BillWh0re posted:They don't care so much about checking certs, they just want to inspect the content, and it's easier to just sit on the stream than have to integrate with a billion different browsers and apps that embed web views that all present the page in a different way (if at all). sup buddy. you've been missed
|
# ? Mar 6, 2017 18:53 |
|
BangersInMyKnickers posted:Depends on how you're doing it. The driver sits on the network stack and pulls all 443 traffic and does some additional sniffing to find connections on alternative ports. If you're doing alternate ports then you're going to have a harder time not going noticed rather than mixing your traffic in with all the other HTTPS connections. i guess i was assuming most malware would get root and then be able to just undo whatever thing the AV/filter was doing if it were running on the same machine but that's not necessarily a given so e: root/system context/whatever windows does
|
# ? Mar 6, 2017 19:23 |
|
Maybe. It's a lot harder to get root on Windows these days compared to XP when it was completely trivial. Heuristics on any AV platform are sensitive to modification of system settings and that is a good way to get your package noticed. Self-defense mechanisms may also alert the user to system level tampering of its analysis engine. Most of the value of a compromised endpoint can be realized inside a restricted user context; you can pull whatever personal data you're trying to harvest and still run whatever arbitrary code you want. Rooting can be good for extra persistence but when most systems have a single user who is always logged in you might not be gaining much from it and increasing your risk of detection.
|
# ? Mar 6, 2017 19:34 |
|
Thinking about learning about security with regards to computer
|
# ? Mar 6, 2017 19:47 |
|
tumor looking batty posted:Thinking about learning about security with regards to computer Dehumanize yourself and face towards malware
|
# ? Mar 6, 2017 19:53 |
|
BangersInMyKnickers posted:Malware isn't going to be giving you SNI data to inspect and doing a full MITM allows you to inspect/flag/block traffic to known malware c&c domain names in addition to IPs regardless of it matching a signature. It's a helpful control if executed correctly. Ah, I didn't really consider them blocking c&c ips due to their domain names. Presumably considerably easier than blocking the IPs if you've got a copy of the malware and can get a complete list of the ones it uses.
|
# ? Mar 6, 2017 20:26 |
|
Chalks posted:Ah, I didn't really consider them blocking c&c ips due to their domain names. Presumably considerably easier than blocking the IPs if you've got a copy of the malware and can get a complete list of the ones it uses. most malware uses infected computers for distributed c&c so ip-based blocking would be fairly pointless and time-consuming to keep updated - blocking a relatively small amount of domains is much easier i'm genuinely surprised more off-the-shelf security products don't use things like spamhaus for blocking, or at least flagging, outbound connections. seems a no-brainer, but there's always been this weird disconnect between anti-spam and the rest of the security community.
|
# ? Mar 6, 2017 20:40 |
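The gateway-side control the last two posts describe (domain-based blocking of C&C traffic off the TLS SNI, and the gap left by connections that send no SNI at all), as an added Python example that is not code from the thread. The blocklist names are constructed placeholders, not real indicators, and the ClientHello builder only exists to produce offline test input.

```python
import struct

BLOCKLIST = {"c2.example-bad.test", "beacon.example-bad.test"}  # constructed placeholders

def build_client_hello(sni=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_ext = struct.pack("!H", len(sn_list)) + sn_list
        exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"    # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record):
    """Return the SNI host name of a ClientHello, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 39 or hs[0] != 0x01:
        return None
    pos = 39 + hs[38]                              # past header, version, random, session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(hs) or pos + 1 + hs[pos] + 2 > len(hs):
        return None                                # truncated, or no extensions block
    pos += 1 + hs[pos]                             # compression_methods
    end = min(pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], len(hs))
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii", "replace")
    return None

def classify(record, blocklist=BLOCKLIST):
    """'block' on a listed SNI, 'allow' otherwise, 'no-sni' when the ClientHello
    carries no server name (the traffic that only full MITM could classify)."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "block" if sni.lower() in blocklist else "allow"
```

A "no-sni" result is the case the thread is arguing about: a SNI-only filter can flag it, but cannot tell a C&C beacon from a legitimate client that simply omits the extension.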
|
DoJ drops Playpen case because they don't want to reveal what their "network investigative techniques" were. http://www.bbc.com/news/technology-39180204 quote:To get round this the FBI used what it called "network investigative techniques" and revealed people's identities. Actual filing: https://www.documentcloud.org/documents/3482329-Michaud-motion-to-dismiss.html#document/p2/a341591
|
# ? Mar 6, 2017 22:39 |
|
Volmarias posted:DoJ drops Playpen case because they don't want to reveal what their "network investigative techniques" were. I assume this means nobody has published the exploit yet?
|
# ? Mar 6, 2017 22:42 |
|
Edit: Nevermind, dumb idea.
|
# ? Mar 6, 2017 22:44 |
|
hobbesmaster posted:I assume this means nobody has published the exploit yet? that's entirely possible but its also possible the feds did something even worse and they don't want it to go public.
|
# ? Mar 6, 2017 23:05 |
|
Volmarias posted:DoJ drops Playpen case because they don't want to reveal what their "network investigative techniques" were. They're not dropping the whole of playpen, just against this guy. They're also keeping the option to prosecute in the future when they declassify the method.
|
# ? Mar 7, 2017 00:16 |
|
Volmarias posted:DoJ drops Playpen case because they don't want to reveal what their "network investigative techniques" were. It's probably because the NSA won't give the FBI any more exploits if they get burned all the time. At the moment they are prosecuting more cases than they are having to drop with this exploit so it seems to be a sensible move if they feel it means more paedophiles end up in jail overall. In other news wikileaks have dumped a bunch of CIA docs and tools https://wikileaks.org/ciav7p1/ quote:The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server. The internet of poo poo is not just for botnets and injecting ads!
|
# ? Mar 7, 2017 14:24 |
|
I'm guessing they used a different NIT for that one particular pedophile otherwise they're going to be dropping a LOT of cases. They can continue using the NIT for now and then once they burn it they can grab the guy again within the statute of limitations so I'm guessing that's their plan here. Also holy poo poo re: wikileaks
|
# ? Mar 7, 2017 14:30 |
|
why does a television need a microphone jesus christ MCDONALD'S!
|
# ? Mar 7, 2017 14:30 |
|
it was behind the picture. remain exactly where you are.
|
# ? Mar 7, 2017 14:41 |
|
Found a taviso shoutout on the "Articles on exploiting psp's", found the discussion of the equation group stuff interesting
|
# ? Mar 7, 2017 14:56 |
|
flakeloaf posted:MCDONALD'S! have it your way- citizen
|
# ? Mar 7, 2017 15:16 |
|
https://twitter.com/info_dox/status/839115278437003271
|
# ? Mar 7, 2017 15:21 |
|
flakeloaf posted:why does a television need a microphone jesus christ because it adds like 1 penny to the build cost but you can probably use it to charge $100 extra for some dumb feature no one will ever use.
|
# ? Mar 7, 2017 15:21 |
|
i don't think the cia is actually going to cut you a check though
|
# ? Mar 7, 2017 15:26 |
|
Don't use Tor, don't use Signal. https://twitter.com/HackingDave/status/839126978863239168
|
# ? Mar 7, 2017 15:55 |
|
"techniques" also known as keyloggers.
|
# ? Mar 7, 2017 16:05 |
|
|
cloacaman
|
# ? Mar 7, 2017 16:07 |