Security Fuckup Megathread - v7.2 "BoringSFM"

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > YOSPOS > Security Fuckup Megathread - v7.2 "BoringSFM"

«‹›47 »

Dessert Rose: May 17, 2004; awoken in control of a lucid deep dream...

OSI bean dip posted:

minilock is getting a per user salt!

https://github.com/kaepora/miniLock/pull/45

(Thanks for not updating the README, I'd much rather this be left to me)

# ? Jul 24, 2014 05:21

Adbot: ADBOT LOVES YOU

# ? May 14, 2024 12:21

Dessert Rose: May 17, 2004; awoken in control of a lucid deep dream...

Wonderful. I think we all clearly agree that using emails as salt is the right way to proceed. Leave it to me, I'll work on this pull request and wrap it all in some UI magic! Watch the salt branch.

# ? Jul 24, 2014 05:28

Dessert Rose: May 17, 2004; awoken in control of a lucid deep dream...

what a pretentious gently caress

# ? Jul 24, 2014 05:28

ultramiraculous: Nov 12, 2003; "No..."; Grimey Drawer

i'm incredibly confused by the whole approach they're taking. why is the salt attached to the actual encryption key and not tacked onto the encrypted file like an iv or something?

# ? Jul 24, 2014 05:42

Lain Iwakura: Aug 5, 2004; The body exists only to verify one's own existence.; Taco Defender

Dessert Rose posted:

what a pretentious gently caress

# ? Jul 24, 2014 05:42

Captain Foo: May 11, 2004; we vibin'
we slidin'
we breathin'
we dyin'

ultramiraculous posted:

i'm incredibly confused by the whole approach they're taking.

It is good to see your brain is properly functioning

# ? Jul 24, 2014 05:45

ultramiraculous: Nov 12, 2003; "No..."; Grimey Drawer

yeah i made the mistake of reading more about it. it's a train wreck top to bottom.

# ? Jul 24, 2014 06:16

ultramiraculous: Nov 12, 2003; "No..."; Grimey Drawer

it just hurts to try to piece everything together. it's roll-your-own-key-management that somehow manages to be both lazy and overwrought.

# ? Jul 24, 2014 06:21

Workaday Wizard: Oct 23, 2009; by Pragmatica

what amazes me about the new wave of roll your own crypto is that no one bothers to write the math on paper/latex

they just plug algos into each other as if they were legos

they could be writing f^-1(f(x)) and they have no idea

# ? Jul 24, 2014 09:09

Miley Virus: Apr 9, 2010

Dessert Rose posted:

what a pretentious gently caress

You're telling me? I really think we're onto something great here.

# ? Jul 24, 2014 10:20

bobbilljim: May 29, 2013; this christmas feels like the very first christmas to me

I read too far down that page. Are they all complete idiots. Could they not just randomly generate the salt evry time and not even show the user????
im so mad about this thing i will never use

# ? Jul 24, 2014 13:42

bobbilljim: May 29, 2013; this christmas feels like the very first christmas to me

When u get that many idiots agreeing with each other it really makes me question my sanity

# ? Jul 24, 2014 13:43

Pile Of Garbage: May 28, 2007

ChickenOfTomorrow posted:

definitely sounds like an infosec worker to me

cynicism and substance abuse are our core competencies

this but all of it

# ? Jul 24, 2014 13:47

Toad King: Apr 23, 2008; Yeah, I'm the best

Shinku ABOOKEN posted:

what amazes me about the new wave of roll your own crypto is that no one bothers to write the math on paper/latex

they just plug algos into each other as if they were legos

they could be writing f^-1(f(x)) and they have no idea

tbf im pretty sure they wouldn't understand what f^-1(f(x)) means anyway

# ? Jul 24, 2014 13:49

flakeloaf: Feb 26, 2003; Still better than android clock

Shinku ABOOKEN posted:

what amazes me about the new wave of roll your own crypto is that no one bothers to write the math on paper/latex

they just plug algos into each other as if they were legos

they could be writing f^-1(f(x)) and they have no idea

encryption legorithm

# ? Jul 24, 2014 14:06

Cyanide Sandwich: Oct 24, 2010

pr0zac posted:

off chance there are any non-olds in this thread the security team at facebook is doing a scholarship thing for defcon this year

so if you're a student or can convincingly pretend to be a student and want to get a thousand dollars to go to defcon and drink on facebook's dime pm me

i'd love to get in on that but i'm in america's ugly cousin canada

# ? Jul 24, 2014 14:08

anthonypants: May 6, 2007; by Nyc_Tattoo; Dinosaur Gum

flakeloaf posted:

encryption legorithm

# ? Jul 24, 2014 14:09

VAGENDA OF MANOCIDE: Aug 1, 2004; whoa, what just happened here?; College Slice

pr0zac posted:

i have no power at facebook and simply want that sweet sweet referral moneys

one of the application questions is "Provide an example of an information security project that you're particularly proud of and that relates to your future goals" which "goatseing the twitter wall" would be a quality answer for so api call girl you should probably just apply and figure out how to falsify student documentation later

score

# ? Jul 24, 2014 14:17

Volmarias: Dec 31, 2002; EMAIL... THE INTERNET... SEARCH ENGINES...

flakeloaf posted:

encryption legorithm

♬

Everything is awesome!
Everything is cool when you don't have a clue!
Everything is awesome... when you make crypto scream!
♬

Volmarias fucked around with this message at 15:05 on Jul 24, 2014

# ? Jul 24, 2014 15:02

Rooney McNibnug: Sep 2, 2008; "Life always hopes. When a definite object cannot be outlined, the indomitable spirit of hope still impels the living mass to move toward something--something that shall somehow be better."

flakeloaf posted:

encryption legorithm

# ? Jul 24, 2014 15:04

Captain Foo: May 11, 2004; we vibin'
we slidin'
we breathin'
we dyin'

flakeloaf posted:

encryption legorithm

Mods

Rooney McNibnug posted:

Wait

# ? Jul 24, 2014 15:17

zonar: Jan 4, 2012; That was a BAD business decision!

Rooney McNibnug posted:

# ? Jul 24, 2014 15:29

kitten emergency: Jan 13, 2008; get meow this wack-ass crystal prison

pr0zac posted:

i have no power at facebook and simply want that sweet sweet referral moneys

one of the application questions is "Provide an example of an information security project that you're particularly proud of and that relates to your future goals" which "goatseing the twitter wall" would be a quality answer for so api call girl you should probably just apply and figure out how to falsify student documentation later

I wish I could have put something that cool on mine, maybe I should have said I know the person who goatse'd the Twitter wall at RSA

# ? Jul 24, 2014 15:39

ultramiraculous: Nov 12, 2003; "No..."; Grimey Drawer

flakeloaf posted:

encryption legorithm

# ? Jul 24, 2014 15:39

goddamnedtwisto: Dec 31, 2004; If you ask me about the mole people in the London Underground, I WILL be forced to kill you; Fun Shoe

bobbilljim posted:

When u get that many idiots agreeing with each other it really makes me question my sanity

this but everything pop-culture-related since like 1999

i'm old

# ? Jul 24, 2014 16:16

Suspicious Dish: Sep 24, 2011; 2020 is the year of linux on the desktop, bro; Fun Shoe

quote:

I think the fundamental problem is that we're trusting the user to handle key management period. Copying and pasting or transcribing 44+ character psuedorandom strings is the underlying shortcoming of the architecture, IMO.

Doing it once per recipient is annoying. Doing it once per recipient per use is broken.

It's almost like practical identity management and practical key management is the big security user experience problem we've been trying to solve for the last 30 years!

# ? Jul 24, 2014 16:26

flakeloaf: Feb 26, 2003; Still better than android clock

Rooney McNibnug posted:

mom won't buy me the useful bricks library so i have to make my own

# ? Jul 24, 2014 16:48

Lain Iwakura: Aug 5, 2004; The body exists only to verify one's own existence.; Taco Defender

i posted this on FD a while ago but here's an interesting search

https://canary.pw/search/?q=GrenXParta

you can see when viewing 'related' that there are a lot of copycat 'dumps'

# ? Jul 24, 2014 17:20

Lain Iwakura: Aug 5, 2004; The body exists only to verify one's own existence.; Taco Defender

# ? Jul 24, 2014 17:23

Cocoa Crispies: Jul 20, 2001; Vehicular Manslaughter!; Pillbug

OSI bean dip posted:

cool, you should now kill yourself, and please don't attempt to make any more cryptography software

# ? Jul 24, 2014 18:14

Lain Iwakura: Aug 5, 2004; The body exists only to verify one's own existence.; Taco Defender

this was shared on #yossec

https://github.com/kaepora/miniLock/commit/9185536eebd1120a8889d86968b3ff3afc8df997

# ? Jul 24, 2014 18:48

spankmeister: Jun 15, 2008

L

O

fuckin

L

# ? Jul 24, 2014 18:51

neutral milf hotel: Oct 9, 2001; by Fluffdaddy

ugh this encryption LEGO piece only comes in a 4x4 square and doesn't fit my bitchin' cat spaceship. I know, I'll just use a few 1x4 home brew pieces, put em here... and here and it'll work just fine :smuggo:

# ? Jul 24, 2014 19:00

flakeloaf: Feb 26, 2003; Still better than android clock

BeOSPOS posted:

ugh this encryption LEGO piece only comes in a 4x4 square and doesn't fit my bitchin' cat spaceship. I know, I'll just use a few 1x3 home brew pieces, put em here... and here and it'll work just fine

# ? Jul 24, 2014 19:02

Captain Foo: May 11, 2004; we vibin'
we slidin'
we breathin'
we dyin'

OSI bean dip posted:

this was shared on #yossec

https://github.com/kaepora/miniLock/commit/9185536eebd1120a8889d86968b3ff3afc8df997

Glorious

# ? Jul 24, 2014 19:30

atomicthumbs: Dec 26, 2010; We're in the business of extending man's senses.

ugh just make a trusted platform module that communicates via nfc and can be implanted in the user's forehead

duh

# ? Jul 24, 2014 20:07

Pile Of Garbage: May 28, 2007

not so muchh a fuckup, just really kind of dumb, mlmp. the following is the mechanism which SamoaNIC use to obfuscate the contact email address on their website:

from index.dhtml:

code:

<script src="/decrypt.js" type="text/JavaScript" language="JavaScript"></script>

<script language="JavaScript"> 
<!--
document.write('<A HREF="mailto:'+ decrypt('ozcvyzuw@usmbs.au','wolqtnzfcvgumyhxibarspkjde') + '">' + decrypt('ozcvyzuw@usmbs.au','wolqtnzfcvgumyhxibarspkjde') +  '</A>');
-->
</script>

and here's decrypt.js:

code:

function decrypt(str, crypto) {

	//return str.length;
	var newstr = '';
	
	for (i = 0; i < str.length; i++) {
		if ((str.charAt(i) >= 'a') && (str.charAt(i) <= 'z')) {
			newstr = newstr + crypto.charAt(str.charCodeAt(i) - 0x61);
		}
		else {
			if ((str.charAt(i) >= 'A') && (str.charAt(i) <= 'Z')) {
				newstr = newstr + crypto.charAt(str.charCodeAt(i) - 0x41).toUpperCase();
			}
			else {
				newstr = newstr + str.charAt(i);
			}
		}
	}

	return newstr;
}

those samoans must really hate spam. it would probably help if that same email addy that they are going so far to obfuscate wasn't listed as the abuse contact on their whois records..

# ? Jul 24, 2014 20:15

Wayne Knight: May 11, 2006

cheese-cube posted:

not so muchh a fuckup, just really kind of dumb, mlmp. the following is the mechanism which SamoaNIC use to obfuscate the contact email address on their website:

eh, seems like an effective way to stop an automated tool.

heh, automated tool

# ? Jul 24, 2014 20:31