SQRL is absolutely intended to be 'everything you need' to both create accounts and sign in. It'll never actually be released, though.

# Feb 28, 2017 20:46

OSI bean dip posted: SQRL is garbage:

You should also point out that its crypto usage strictly requires a funny property of a couple curves: that you can consistently generate the same private key from a couple pieces of source material AND that there are weaknesses in those keys or key material exposed by doing so. Both of these properties are unusual and the latter is likely to erode over time with no good recourse available to users.

# Feb 28, 2017 22:02

https://arstechnica.com/security/2017/02/high-severity-vulnerability-in-edgeie-is-third-unpatched-msft-bug-this-month/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0037
https://bugs.chromium.org/p/project-zero/issues/detail?id=1011

A fun IE/Edge RCE that Google disclosed after 90 days of nothing from MS.

# Feb 28, 2017 22:52

Cool, infosec thread was pretty activ-

# Mar 1, 2017 06:34

No news is quite literally good news in infosec.

# Mar 1, 2017 06:38

How do you guys deal with "black box" products going into your environments that are really just Linux based appliances? Enforcing hardening standards seems unfeasible since you typically have no visibility into the inner workings of the solution, but just trusting a vendor to harden the device seems like a foolish thing to do. I'm fairly sure if I go to a vendor and say "we need this hardened to CIS level 2" they'll just reply "nope", so all of a sudden I have to create exceptions for my own policies and hope to put enough compensating controls around the black box. I'm getting a headache trying to figure out what kinds of questions to even ask, short of just asking vendors to describe the security of their appliance to me, which will likely result in a boilerplate PDF with buzzwords. This isn't even considering antimalware agents or HIDS.

# Mar 5, 2017 14:13

Martytoof posted: How do you guys deal with "black box" products going into your environments that are really just Linux based appliances? Enforcing hardening standards seems unfeasible since you typically have no visibility into the inner workings of the solution, but just trusting a vendor to harden the device seems like a foolish thing to do. I'm fairly sure if I go to a vendor and say "we need this hardened to CIS level 2" they'll just reply "nope", so all of a sudden I have to create exceptions for my own policies and hope to put enough compensating controls around the black box. I'm getting a headache trying to figure out what kinds of questions to even ask, short of just asking vendors to describe the security of their appliance to me, which will likely result in a boilerplate PDF with buzzwords.

Just assume that it's a ticking time bomb that will never ever receive security updates.

# Mar 5, 2017 15:02

Martytoof posted: How do you guys deal with "black box" products going into your environments that are really just Linux based appliances? Enforcing hardening standards seems unfeasible since you typically have no visibility into the inner workings of the solution, but just trusting a vendor to harden the device seems like a foolish thing to do. I'm fairly sure if I go to a vendor and say "we need this hardened to CIS level 2" they'll just reply "nope", so all of a sudden I have to create exceptions for my own policies and hope to put enough compensating controls around the black box. I'm getting a headache trying to figure out what kinds of questions to even ask, short of just asking vendors to describe the security of their appliance to me, which will likely result in a boilerplate PDF with buzzwords.

Very carefully. But seriously, try and segregate its comms on Layer 2+3 (may not be possible depending on what you got). Throw it in a DMZ of some sort. Of course if you're dealing with an appliance like the Qualys vuln scanner then it needs access to your entire network, so you:

Volmarias posted: Just assume that it's a ticking time bomb that will never ever receive security updates.

and pray.

# Mar 5, 2017 15:06

Yeap, sounds about on par with my thinking. I'm working with a storage vendor right now to identify their hardening standards, but after learning it was just based on a Linux distro, my initial thought was to isolate that thing so hard that it'll be drawing faces on volleyballs.

# Mar 5, 2017 15:33

MD5 is deader than dead.
https://twitter.com/__spq__/status/838583044260904960

# Mar 8, 2017 00:46

Absurd Alhazred posted: MD5 is deader than dead.

Nice

# Mar 8, 2017 00:53

Why do so many devices/services/programs insist on masking passwords when I'm entering them, with no checkbox to display the password? I'm in my own home, setting up my printer to use my wifi network, with its lovely touch screen keyboard, and if I get it wrong I have to start all over. Now, printers are uniquely lovely, but even iOS does it. Let administrators force masking on managed devices, sure, but don't force it on everyone. Shoulder surfing is less of a threat than the short passwords that typing difficulty encourages. That's especially true because masking only foils in-person snooping. If there's a camera looking over my shoulder, it will record the password letter-by-letter.

# Mar 8, 2017 06:00

Platystemon posted: Why do so many devices/services/programs insist on masking passwords when I'm entering them, with no checkbox to display the password?

There's also streaming and OTA tech support. But that's why a lot of software lets you disable the masking, yeah.

# Mar 8, 2017 08:20

Unless there's some dumb compliance reason, it all just comes down to developer inclination/laziness as to whether or not they implement a form control to disable masking on the password text-box.

# Mar 8, 2017 08:56

Is there a really good, in-depth, properly produced InfoSec podcast anyone would recommend?

Platystemon posted: Why do so many devices/services/programs insist on masking passwords when I'm entering them, with no checkbox to display the password?

Probably the same reason why they prevent copy/pasting.

# Mar 8, 2017 10:51

On the plus side, we've started to see some sites/apps have a checkbox for "show my password". Mostly, it's because doing that checkbox requires additional development time, while just doing <input type="password"> gives them the bullets for characters for free and they can get on with writing new features.

# Mar 8, 2017 15:15

I know most people in this thread probably already know this, but it is one of my favorite things to show people to get them to understand security is important and non-trivial. If you open a debug console in your browser you can change the type of the input field from password to text and then be able to see / copy out the password if someone has already typed it in or saved it in the browser.

# Mar 8, 2017 15:39

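The "show my password" control the two posts above talk about is a few lines of work, and doing it on purpose lets the page handle the edges the devtools trick ignores. The following is an added example, not code from anyone in the thread: it assumes a password field, a checkbox and a form exposing `type`/`checked` and `addEventListener` (a real DOM, or the stub below so it runs under Node), and it re-masks the field when it loses focus and before submit, since a field submitted as type="text" may be remembered by browser form history.

```javascript
// Added example: a "show password" toggle that keeps masking as the default
// but lets the user reveal what they typed. Element names are assumptions;
// nothing here is from the thread. No DOM is required: anything with a
// `type`/`checked` property and `addEventListener` works, so the logic can
// be exercised outside a browser.

const MASKED = 'password';
const REVEALED = 'text';

// Flip the field between masked bullets and clear text. Returns the new state.
function setPasswordVisible(input, visible) {
  input.type = visible ? REVEALED : MASKED;
  return visible;
}

// Wire a checkbox to a password field. Two caveats are handled:
//  - the field is re-masked on blur, so a revealed password does not sit on
//    screen after the user moves on;
//  - the field is re-masked before the form submits, because some browsers
//    remember submitted values of type="text" inputs as form history.
function attachShowPassword(input, checkbox, form) {
  if (input.type !== MASKED) {
    throw new TypeError('attachShowPassword expects an input of type "password"');
  }
  const state = { visible: false };

  const apply = (visible) => {
    state.visible = setPasswordVisible(input, Boolean(visible));
    checkbox.checked = state.visible;   // keep the control in sync with the field
    return state.visible;
  };

  checkbox.addEventListener('change', () => apply(checkbox.checked));
  input.addEventListener('blur', () => apply(false));
  if (form) form.addEventListener('submit', () => apply(false));

  return {
    isVisible: () => state.visible,
    reveal: () => apply(true),
    hide: () => apply(false),
  };
}

// Minimal stand-in for an element (constructed for this example) so the code
// runs under Node; a real <input>/<form> exposes the same surface.
function fakeElement(props) {
  const listeners = {};
  return Object.assign({}, props, {
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    dispatch(type) {
      (listeners[type] || []).forEach((fn) => fn());
    },
  });
}

// Walk through the lifecycle and report the field type after each step.
function demo() {
  const input = fakeElement({ type: 'password', value: 'hunter2' });  // constructed sample
  const box = fakeElement({ checked: false });
  const form = fakeElement({});
  const ctl = attachShowPassword(input, box, form);

  const steps = [];
  box.checked = true;
  box.dispatch('change');          // user ticks "show my password"
  steps.push(input.type);          // 'text'
  input.dispatch('blur');          // user tabs away: re-masked
  steps.push(input.type);          // 'password'
  ctl.reveal();
  form.dispatch('submit');         // submit while revealed: re-masked first
  steps.push(input.type);          // 'password'
  steps.push(ctl.isVisible());     // false
  return steps;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a page this is `attachShowPassword(document.querySelector('#pw'), document.querySelector('#show-pw'), document.querySelector('form'))`; the stub exists only so the same logic can be checked without a browser.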
Absurd Alhazred posted: MD5 is deader than dead.

h- wh- how okay freggin how

# Mar 8, 2017 17:21

PostScript is Turing complete, so you can load the code to calculate the hash into memory, execute it, and have it parse its own file on the filesystem.

# Mar 8, 2017 18:01

Internet Explorer posted: I know most people in this thread probably already know this, but it is one of my favorite things to show people to get them to understand security is important and non-trivial. If you open a debug console in your browser you can change the type of the input field from password to text and then be able to see / copy out the password if someone has already typed it in or saved it in the browser.

I used to have this on a flash drive on my key chain: http://www.nirsoft.net/utils/web_browser_password.html

Nothing like running a 2 second utility to show a user their passwords for 20 different websites to scare them into thinking about security. Until about 2 minutes after I leave the room, then they forget everything.

# Mar 8, 2017 18:05

BangersInMyKnickers posted: PostScript is Turing complete, so you can load the code to calculate the hash into memory, execute it, and have it parse its own file on the filesystem.

I don't think a GIF can execute code, though.

# Mar 8, 2017 19:01

Double Punctuation posted: I don't think a GIF can execute code, though.

https://www.cvedetails.com/cve/cve-2008-2934

quote: Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file that triggers a free of an uninitialized pointer.

# Mar 8, 2017 19:11

Potato Salad posted: h- wh- how

Bit flipping until you get the hash. I am assuming that even though most of the colors are black and red, they aren't all exactly the same shade, and, the way GIF works, you can force a frame to update a part that doesn't need to change. Update a red pixel with red while, usually, normal GIF animation will automatically ignore that pixel update.

Edit: Also GIF has text metadata sections which can be messed with. http://forensicswiki.org/wiki/GIF

EVIL Gibson fucked around with this message at 20:49 on Mar 8, 2017

# Mar 8, 2017 20:47

Absurd Alhazred posted: MD5 is deader than dead.

GIF that owns itself

# Mar 8, 2017 20:50

What do you guys think about the CIA leaks?
https://www.theregister.co.uk/2017/03/08/cia_exploit_list_in_full/

# Mar 9, 2017 09:02

Boris Galerkin posted: What do you guys think about the CIA leaks?

Quite funny. Especially people going "the intelligence community aren't disclosing every zero day they find"

# Mar 9, 2017 09:05

Boris Galerkin posted: What do you guys think about the CIA leaks?

It's an old/mostly outdated list, but it owns and is pretty hilarious.

# Mar 9, 2017 09:10

personally i'm shocked that spies have been spying on people

# Mar 9, 2017 09:28

Dex posted: personally i'm shocked that spies have been spying on people

"First, though, a few general points: one, there's very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people."

e: quote: In some good news for privacy advocates it appears that the CIA has had no luck in cracking the popular encrypted chat protocol created by Whisper Systems, which is used in Signal and WhatsApp.

I'm proud of them, good job Whisper Systems

Cup Runneth Over fucked around with this message at 10:11 on Mar 9, 2017

# Mar 9, 2017 09:46

Cup Runneth Over posted: "First, though, a few general points: one, there's very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people."

yes, that's exactly the line i was posting about, good job

# Mar 9, 2017 12:00

I think the whole thing with the 'Vault 7' business is that it shows the CIA (and the NSA before it) can't seem to keep their tools under wraps. Not so much about the revelation that they are, in fact, spying (in the case of the CIA; people were shocked for different reasons with the NSA). It didn't seem to happen so much (or in such huge proportions) in the past. When you have so many people working on projects that will fit on a few micro SD cards you can easily hide (and god knows what other means the CIA has to exfiltrate data), it's bound to happen, I guess.

# Mar 9, 2017 12:06

Dex posted: yes, that's exactly the line i was posting about, good job

source your quotes

# Mar 9, 2017 12:16

Furism posted: I think the whole thing with the 'Vault 7' business is that it shows the CIA (and the NSA before it) can't seem to keep their tools under wraps. Not so much about the revelation that they are, in fact, spying (in the case of the CIA; people were shocked for different reasons with the NSA). It didn't seem to happen so much (or in such huge proportions) in the past. When you have so many people working on projects that will fit on a few micro SD cards you can easily hide (and god knows what other means the CIA has to exfiltrate data), it's bound to happen, I guess.

The CIA, at least in theory, is the HUMINT side of the US international spying apparatus, right? They focus more on identifying and working over individual flesh and blood actors; the NSA are the SIGINT guys whose job is to cast the huge data dragnets, at least as I understand it. Makes sense then that the CIA's digital toolbox focuses more on techniques designed to bug and track already targeted individuals rather than broad, sweeping searches of data haystacks.

# Mar 9, 2017 12:21

Boris Galerkin posted: What do you guys think about the CIA leaks?

Mild annoyance at the fact that the serial numbers disclosed in the leak are to software I already own. No taxpayer-funded IDA Pro key for me, I guess.

# Mar 9, 2017 12:43

Cup Runneth Over posted: source your quotes

you already did that for me, thanks

Martytoof posted: Mild annoyance at the fact that the serial numbers disclosed in the leak are to software I already own. No taxpayer-funded IDA Pro key for me, I guess.

i haven't actually checked but i saw somebody on twitter saying that the windows keys were pirated anyway, lol if true

# Mar 9, 2017 13:03

Dex posted: you already did that for me, thanks

you're welcome

# Mar 9, 2017 13:12

So this is basically a "water is wet" report? Nothing interesting or damaging like the Snowden leaks?

# Mar 9, 2017 14:47

There's interesting stuff, but nothing as damaging or revealing as the NSA leaks, from what I understand.

# Mar 9, 2017 14:54

Dex posted: you already did that for me, thanks

Seems like the obvious way to get a key that can't be traced to you.

# Mar 9, 2017 16:53

The most damaging thing to come out of the leaks is the people claiming Signal and WhatsApp aren't safe because if someone owns the device they're on they can read your messages.

# Mar 9, 2017 18:39