|
big black turnout posted:Unrelatedly, what's the current best practice for identity verification and encryption for email? I know things like this exist for pgp/gpg https://pgp.mit.edu/ but my takeaway from this thread is that those aren't terribly good anymore? Is that true? get a client cert from a CA, set all your emails to sign by default with it, if you need to encrypt the message then have the other end get their client cert and once you've exchanged signed emails the first time you have each others public keys and now you can encrypt poo poo to each other. if you're worried about your private key then password protect it in the keystore.
|
#
?
Sep 8, 2016 22:10
|
|
|
|
| # ? Apr 28, 2024 05:40 |
|
|
Is there anything wrong with Enigmail for Thunderbird?
|
|
#
?
Sep 8, 2016 22:12
|
|
|
Squeegy posted:Is there anything wrong with Enigmail for Thunderbird? Apart from that time it had a bug that silently failed to actually encrypt messages when you told it to? And then the dev said it wasn't an issue
|
|
#
?
Sep 8, 2016 22:26
|
|
|
Rufus Ping posted:Apart from that time it had a bug that silently failed to actually encrypt messages when you told it to? And then the dev said it wasn't an issue Do tell 
|
|
#
?
Sep 8, 2016 23:28
|
|
|
Regarding vansec, how long do these meetups last? I'm totally prepped to go but waiting on a thing. This is probably a dumb post since anyone concerned is already there.
|
|
#
?
Sep 9, 2016 02:12
|
|
|
FeloniousDrunk posted:Regarding vansec, how long do these meetups last? I'm totally prepped to go but waiting on a thing. This is probably a dumb post since anyone concerned is already there. Usually until 9
|
|
#
?
Sep 9, 2016 02:32
|
|
|
On my way
|
|
#
?
Sep 9, 2016 02:40
|
|
|
Squeegy posted:Do tell https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/ I'm wrong, it wasn't one of the devs who said people should cut them some slack over this, it was someone else
|
|
#
?
Sep 9, 2016 02:52
|
|
|
FeloniousDrunk posted:On my way I'm sitting in the corner next to the open window with some guy wearing a burgundy cap
|
|
#
?
Sep 9, 2016 03:00
|
|
|
the media will report it as a gas leak, but we'll know the real cause of the explosion was putting security and antisecurity in such close proximity realtalk good on you for taking the hits and deciding to learn more instead of hugboxing
|
|
#
?
Sep 9, 2016 03:07
|
|
|
Cheers Adix, found my guys. They are not currently trashing on me.
|
|
#
?
Sep 9, 2016 03:28
|
|
|
The latest SMBC is appropriate: The Infosec Thread: It's people! The security vulnerability is people!!
|
|
#
?
Sep 10, 2016 05:11
|
|
|
Absurd Alhazred posted:The latest SMBC is appropriate: https://www.youtube.com/watch?v=X4RuB3gT8t0
|
|
#
?
Sep 10, 2016 08:00
|
|
|
Can any of you thread readers recommend a good media contact who covers security and technology? Someone who writes about incidents well and hopefully understands at least some of the technical nuance of security/encryption? Mainly looking for good writing examples to show to other people.
|
|
#
?
Sep 18, 2016 17:04
|
|
|
Pryor on Fire posted:Can any of you thread readers recommend a good media contact who covers security and technology? Someone who writes about incidents well and hopefully understands at least some of the technical nuance of security/encryption? Mainly looking for good writing examples to show to other people. patrick gray of risky business (radio) matthew green bruce schneier joseph cox and lorenzo f-b of vice motherboard kevin poulsen of wired kashmir hill of fusion comedy option: violet blue
|
|
#
?
Sep 18, 2016 17:28
|
|
|
Sarah Jeong possibly? Her Twitter is mostly in-jokey stuff but her actual articles are good.
|
|
#
?
Sep 18, 2016 20:48
|
|
|
Brian Krebs usually does a good job with technical stuff: http://krebsonsecurity.com/
|
|
#
?
Sep 18, 2016 21:06
|
|
|
For less-serious coverage, @SwiftOnSecurity is pretty amusing and is generally self-deprecating about their actual expertise.
|
|
#
?
Sep 19, 2016 00:45
|
|
|
FeloniousDrunk posted:On the topic of password managers, I rolled my own crypto! Basically for people who don't trust LastPass etc. It runs entirely in the browser, no local storage, randomized per instance (unless choices have been made by the user). Is this just a coincidence? I made this in february. https://github.com/AnttiKurittu/pwx
|
|
#
?
Sep 19, 2016 11:32
|
|
|
computer toucher posted:Is this just a coincidence? I made this in february. I was going to say that this was the worst possible post to make, considering. But since no-one has ripped you apart in a couple of days, I gotta say that's a good choice of name. Just make sure your project doesn't get confused with mine
|
|
#
?
Sep 21, 2016 05:27
|
|
|
FeloniousDrunk posted:I was going to say that this was the worst possible post to make, considering. But since no-one has ripped you apart in a couple of days, I gotta say that's a good choice of name. Just make sure your project doesn't get confused with mine Lol if that's your attempt at humor
|
|
#
?
Sep 21, 2016 05:41
|
|
|
FeloniousDrunk posted:I was going to say that this was the worst possible post to make, considering. But since no-one has ripped you apart in a couple of days, I gotta say that's a good choice of name. Just make sure your project doesn't get confused with mine I think his thing is kinda dumb because it has the same big downside of a standard password manager*, extra restrictions that would be annoying in use**, and no upside that I can see. But it should be secure against anything but someone owning his machine. *must-have backups of a file or your passwords are 100% gone **no flexibility in password output if a site is retarded about requiring or rejecting characters, only way to change a password is to change your mnemonic "account name" or master password The other difference is that he put his thing on github with a disclaimer that people shouldn't use it and probably hasn't told anyone to use it. The thread should maybe be "don't roll your own crypto if anyone is gonna use it besides your dumb self" but that won't fit in a title.
|
|
#
?
Sep 21, 2016 11:01
|
|
|
Who's going to derbycon? If anyone is going to be there tomorrow morning by 8am, me and 10 others are going on a bourbon tour and there is a couple seats open from people not being able to attend. Stopping at 6 distilleries including buffalo trace hard hat tour which I keep hearing as being a really good tour.
|
|
#
?
Sep 21, 2016 13:11
|
|
|
FeloniousDrunk posted:I was going to say that this was the worst possible post to make, considering. But since no-one has ripped you apart in a couple of days, I gotta say that's a good choice of name. Just make sure your project doesn't get confused with mine Mine is clearly just a proof-of-concept level programming excercise for fun, though. I did make mine in february, and it's been public since, but you can have the name if you want. I don't really care at all.
|
|
#
?
Sep 22, 2016 20:54
|
|
|
computer toucher posted:Mine is clearly just a proof-of-concept level programming excercise for fun, though. I did make mine in february, and it's been public since, but you can have the name if you want. I don't really care at all. Yup. I can out myself further by saying I've made various prototypes for a couple of years, but a polished turd is still a turd and I accept that. No judgement on your project. I was just making a dad-style joke that hey we both chose the same name. I've denatured my effort to the point that I don't think anyone except me would use it. Also, trip report on vansec, it was good, I broke my wrist, I'll go again.
|
|
#
?
Sep 23, 2016 01:46
|
|
|
Mustache Ride posted:Brian Krebs usually does a good job with technical stuff: http://krebsonsecurity.com/ https://twitter.com/briankrebs/status/778404352285405188 https://twitter.com/briankrebs/status/779047286043185152
|
|
#
?
Sep 23, 2016 04:16
|
|
|
Cugel the Clever posted:Akamai's kicked him off their servers, because that's totally the appropriate response to incipient cyber-terrorism... They were offering him services pro bono.
|
|
#
?
Sep 23, 2016 07:23
|
|
|
And Cloudflare already volunteered to be stress tested next.
|
|
#
?
Sep 23, 2016 07:25
|
|
|
That's a pretty nice DDoS.
|
|
#
?
Sep 23, 2016 07:29
|
|
|
I'm the plasmatic scum
|
|
#
?
Sep 23, 2016 07:58
|
|
|
THIS is how I find out about Brangelina?!?!?
|
|
#
?
Sep 23, 2016 08:04
|
|
|
ming-the-mazdaless posted:They were offering him services pro bono. Ah. So much for my reading comprehension.
|
|
#
?
Sep 23, 2016 13:25
|
|
|
Yes, I see
|
|
#
?
Sep 23, 2016 16:21
|
|
|
Apparently he got banned for spamming that all over
|
|
#
?
Sep 23, 2016 18:06
|
|
|
Does any sort of open source two factor token exist? Or a project that can take advantage of readily available RSA tokens? I know using a cellphone is the most common 'token' but I am curious about fob that have a numerical display on them for TFA.
|
|
#
?
Sep 25, 2016 21:12
|
|
|
cr0y posted:Does any sort of open source two factor token exist? Or a project that can take advantage of readily available RSA tokens? I know using a cellphone is the most common 'token' but I am curious about fob that have a numerical display on them for TFA. the standard algorithms are TOTP and HOTP via phone apps like you said you can't reuse existing RSA fobs for your own application because each one has a shared secret burnt into it during manufacturing that you can't extract
|
|
#
?
Sep 25, 2016 21:43
|
|
|
For hardware tokens you have the Yubikey range as well
|
|
#
?
Sep 25, 2016 21:52
|
|
|
It's awesome/terrible/sad that these unprecedented DDoS attacks are coming from hordes of unsecured webcams and such (supposedly?) The Internet of Things is awesome
|
|
#
?
Sep 26, 2016 00:23
|
|
|
|
| # ? Apr 28, 2024 05:40 |
|
|
I deal mostly with bug bounty submissions. Am I allowed to drink with all you folks? (I need a drink.)
|
|
#
?
Sep 26, 2016 05:47
|
|
