join us on irc: irc.synirc.net #yossec
useful news resource for information security professionals: http://reddit.com/r/netsec/
risky business podcast is worth listening to and yospos has been mentioned in it before
here are some old threads that haven't been archived:
Security Fuckup Megathread - v15.1 - Stop!!! I Kill You Researcher (jan-apr 2018)
Security Fuckup Megathread - v14.1 - Hello, is this a delivery order? (jun 2017-jan 2018)
Security Fuckup Megathread - v13.69 - plugins may violate privacy (jan-jun 2017)
Security Fuckup Megathread - v12.2 - you have slammed your dick in the car door (apr 2016-jan 2017)
Security Fuckup Megathread - v11.4 - who u gonna snitch to pussy bitch gently caress u (apr 2015-apr 2016)
Security Fuckup Megathread - v10.1 (Hackers can turn your gas station into a bomb) (nov 2014-apr 2015)
Security Fuckup Megathread - v7.69 (stay safe security ghost) (aug-nov 2014)
Security Fuckup Megathread - v7.2 "BoringSFM" (jun-aug 2014)
Alereon posted:seriously though people dont post anything that would allow a lurker from gbs to gently caress with anything
Lain Iwakawa posted:HERE IS A FORUM FOR YOU D&D WANNABES THAT WELCOMES CHAT ABOUT AMERICAN FOREIGN POLICY AND ITS UTTER FAILURE
just a reminder: this is for sec gently caress ups. if you want to talk about telecoms or politics (including wikileaks), make a new thread
# ? May 2, 2018 18:59 |
|
|
Lain has spoken. edit for content: I don't get the Tavis shower joke
|
# ? May 2, 2018 19:01 |
|
ChubbyThePhat posted:Lain has spoken. I think it's re: LastPass. He had a flash of inspiration while taking a shower and discovered a major exploit. EDIT: YEP https://twitter.com/taviso/status/845717082717114368?s=20
|
# ? May 2, 2018 19:03 |
|
glad i finally got around to switching to 1password
|
# ? May 2, 2018 19:04 |
|
in the interest of disclosure, i should point out that i didn't remember the exact context of it either and so now i have "tavis ormandy shower" in my google search history
|
# ? May 2, 2018 19:05 |
|
ground floor, ecuador i like the advisories we get that start with four pages of fluff before vaguely alluding to some threat i read about on twitter two days ago
|
# ? May 2, 2018 19:08 |
|
github was apparently doing plaintext logging of some passwords https://twitter.com/SwitHak/status/991416974252167169
|
# ? May 2, 2018 19:09 |
|
Someone in the previous thread asked if you can use dns challenges with let's encrypt. The answer is yes. I've done it a bunch of times and it works great. I think the original question was something about getting certs for a not-internet-exposed host. Let's encrypt with dns challenges should work fine.
|
# ? May 2, 2018 19:14 |
|
security is hilarious i am here for this thank god i have no actual duties or accountability in my job, all i gotta do is point + laugh
|
# ? May 2, 2018 19:18 |
|
How do you automate LE with DNS challenges, though? What sets the DNS record in response to the challenge?
|
# ? May 2, 2018 19:20 |
|
Ground floor postin'
|
# ? May 2, 2018 19:22 |
oh-floor posting
|
# ? May 2, 2018 19:27 |
|
we did it, we solved security
|
# ? May 2, 2018 19:28 |
|
EssOEss posted:How do you automate LE with DNS challenges, though? What sets the DNS record in response to the challenge? Yeah you'll have to write the automation yourself. I'm only dealing with one domain so I just do it manually every few months.
|
# ? May 2, 2018 19:29 |
|
ground
|
# ? May 2, 2018 19:46 |
|
# ? May 2, 2018 19:51 |
|
Ciaphas posted:glad i finally got around to switching to 1password keychain is the only good password manager because it signals to the world you dont have to touch the bad operating systems in any capacity
|
# ? May 2, 2018 19:58 |
|
speaking of signals, I dont recall this being posted - amazon and google are both dictator lovers and threatened to drop signal unless they stop censorship circumvention https://twitter.com/josephmenn/status/991408871955513344?s=21
|
# ? May 2, 2018 20:02 |
|
AWS told them to stop domain fronting using domains they don't own through cloudfront. not really a surprise if its adding risk to other AWS customers.
|
# ? May 2, 2018 20:10 |
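The post above describes the rule a CDN operator enforces when it refuses domain fronting: the TLS SNI and the HTTP Host header must resolve to the same customer's distribution. The block below is an added illustration, not code from the thread or from any CDN; it runs a defender's version of that check over a few constructed edge-log lines. The log format (`client=... sni=... host=...`), the `TENANT_HOSTS` ownership map and all hostnames are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed edge log lines: SNI taken from the TLS ClientHello, Host from the HTTP request.
SAMPLE_LOG = [
    "client=203.0.113.5 sni=cdn.example-shop.com host=cdn.example-shop.com path=/",
    "client=198.51.100.7 sni=static.example-shop.com host=www.example-shop.com:443 path=/img",
    "client=192.0.2.9 sni=cdn.example-shop.com host=api.other-tenant.example path=/v1",
]

# Constructed ownership map: which hostnames each distribution (keyed by SNI) is allowed to serve.
# A CDN would derive this from the customer's own configuration; here it is hard-coded.
EXAMPLE_SHOP_HOSTS = {"cdn.example-shop.com", "www.example-shop.com", "static.example-shop.com"}
TENANT_HOSTS = {
    "cdn.example-shop.com": EXAMPLE_SHOP_HOSTS,
    "static.example-shop.com": EXAMPLE_SHOP_HOSTS,
}


@dataclass
class EdgeRequest:
    client: str
    sni: str
    host: str


def parse_edge_log(line: str) -> EdgeRequest:
    """Parse one key=value log line; Host is lower-cased and stripped of any :port suffix."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    host = fields["host"].lower().split(":")[0]
    return EdgeRequest(fields["client"], fields["sni"].lower(), host)


def classify(req: EdgeRequest, tenant_hosts: dict = TENANT_HOSTS) -> str:
    """'match' when SNI == Host, 'same-tenant' when Host belongs to the SNI's owner,
    otherwise 'cross-tenant-front': a Host the SNI's customer does not own."""
    if req.sni == req.host:
        return "match"
    if req.host in tenant_hosts.get(req.sni, set()):
        return "same-tenant"
    return "cross-tenant-front"


def find_cross_tenant_fronting(lines, tenant_hosts: dict = TENANT_HOSTS) -> list:
    """Return the requests a strict edge policy would reject (or an analyst would alert on)."""
    return [r for r in map(parse_edge_log, lines) if classify(r, tenant_hosts) == "cross-tenant-front"]


if __name__ == "__main__":
    for req in map(parse_edge_log, SAMPLE_LOG):
        print(f"{req.client:15} sni={req.sni:28} host={req.host:28} -> {classify(req)}")
```

The middle category matters in practice: a single customer legitimately serves several names behind one certificate, so a naive `sni != host` rule would flag its own traffic. Only a Host the SNI's owner has not registered is the case the post is talking about.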
|
Bulgogi Hoagie posted:keychain is the only good password manager because it signals to the world you dont have to touch the bad operating systems in any capacity No, they still make me poop-touch through parallels
|
# ? May 2, 2018 20:13 |
|
EssOEss posted:How do you automate LE with DNS challenges, though? What sets the DNS record in response to the challenge? you need an internet connection to request a cert from LE so presumably from that same host?
|
# ? May 2, 2018 20:13 |
|
necrotic posted:AWS told them to stop domain fronting using domains they don't own through cloudfront. not really a surprise if its adding risk to other AWS customers.
|
# ? May 2, 2018 20:15 |
|
Bulgogi Hoagie posted:speaking of signals, I dont recall this being posted - amazon and google are both dictator lovers and threatened to drop signal unless they stop censorship circumvention amazon and google are in the right here, despite this being useful and convenient for signal
|
# ? May 2, 2018 20:15 |
|
necrotic posted:AWS told them to stop domain fronting using domains they don't own through cloudfront. not really a surprise if its adding risk to other AWS customers. I wonder if there are any discussions going on about evolving the TLS/SNI standard to be censor proof
|
# ? May 2, 2018 20:16 |
|
obligatory "0 day, 1 floor, 2 towers" comment also keep rear end suits my password management needs
|
# ? May 2, 2018 20:47 |
|
i hope vacation tavis means more good tweets from him
|
# ? May 2, 2018 20:59 |
|
AggressivelyStupid posted:i hope vacation tavis means more good tweets from him i hope it means nothing for a month and then some bomb rear end tweets shortly afterwards
|
# ? May 2, 2018 21:06 |
|
EssOEss posted:How do you automate LE with DNS challenges, though? What sets the DNS record in response to the challenge? Supports the APIs of many popular DNS providers as well as screen scraping solutions for others, and can automatically install certs in to many popular servers. Also sets up a cron job to automate renewals.
|
# ? May 2, 2018 21:12 |
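For the earlier question about what actually sets the DNS record: the client derives the TXT value from the challenge token and its account key, publishes it under `_acme-challenge.<name>`, and the CA recomputes the same value and looks it up. The block below is an added example, not code from the thread or from any ACME client; it implements that derivation as RFC 8555 (dns-01) and RFC 7638 (key thumbprint) describe it, with an in-memory dict standing in for the DNS provider API call. `EXAMPLE_JWK` is a sample EC public key, not a real account key, and `publish_txt` / `ca_validates` are illustrative names.

```python
import base64
import hashlib
import json

# Sample EC public JWK (test values, not a real ACME account key).
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (required members only, sorted, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple:
    """Return (TXT name, TXT value) for a dns-01 challenge.

    Key authorization is '<token>.<thumbprint>'; the TXT value is base64url(SHA-256(key authorization)).
    A wildcard identifier is validated at its base name, so '*.' is dropped from the record name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{thumbprint}"
    value = _b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def publish_txt(zone: dict, name: str, value: str) -> None:
    """Stand-in for the DNS provider API call your automation would make (hypothetical)."""
    zone.setdefault(name, set()).add(value)


def ca_validates(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """The CA's side: recompute the expected value and check it is among the TXT records."""
    name, expected = dns01_record(identifier, token, thumbprint)
    return expected in zone.get(name, set())


if __name__ == "__main__":
    zone = {}  # constructed zone; a real client would call the provider's API instead
    thumb = jwk_thumbprint(EXAMPLE_JWK)
    name, value = dns01_record("*.example.com", "constructed-token", thumb)
    publish_txt(zone, name, value)
    print(name, value, ca_validates(zone, "*.example.com", "constructed-token", thumb))
```

The automation question therefore reduces to one provider-specific step (the `publish_txt` call) plus waiting for propagation before telling the CA to validate; nothing about the host needing the cert has to be reachable from the internet, only the DNS zone.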
|
Jonny 290 posted:amazon and google are in the right here, despite this being useful and convenient for signal thats the essence of whats wrong with modern tech corps tho https://twitter.com/filosottile/status/991775401340035072?s=21 https://twitter.com/filosottile/status/991776382719025153?s=21
|
# ? May 2, 2018 21:30 |
|
Bulgogi Hoagie posted:thats the essence of whats wrong with modern tech corps tho I mean: yes. But on the other hand, if your security model requires that your providers don't enforce RFCs then that's probably not a great long-run strategy? E: Obviously, gently caress AWS and GCloud for ing for goddamn Russia (" Schadenboner fucked around with this message at 21:38 on May 2, 2018 |
# ? May 2, 2018 21:34 |
|
Bulgogi Hoagie posted:thats the essence of whats wrong with modern tech corps tho lmao @ its gonna get people killed. amazon is correct and signal should never have relied on a hack to make their system work.
|
# ? May 2, 2018 21:51 |
|
you do not gently caress with the rozkomador
|
# ? May 2, 2018 21:54 |
|
Jonny 290 posted:you do not gently caress with the rozkomador giving out the orders for fun
|
# ? May 2, 2018 21:58 |
|
Don't be frontin
|
# ? May 2, 2018 22:01 |
|
Jonny 290 posted:you do not gently caress with the rozkomador rozkomador me amadaeus
|
# ? May 2, 2018 22:06 |
|
picking up a thing from the closed thread ErIog posted:I got passed some code for security audit, and now the dev is arguing he doesn't need to validate this user input at all (for what should be an all-caps alphanumeric string) because the framework is making sure it's safe. It doesn't matter that this is being passed to things outside the dependency which don't check input at all. I should just sign off on it because, you see, this web framework said it was good input and that means you can drop it to the shell or just put it in a SQL query or do whatever with it. that's 9 more lines than you should need but this dude is still completely in the right. you do not need to re-validate things the framework has validated for you. this is half the value of a web framework. if you insist on doing things that the framework has already done for you, why even bother using it
|
# ? May 2, 2018 22:08 |
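The disagreement above is about what a framework-level allow-list buys you once the value leaves the framework. The block below is an added illustration, not code from either poster or from any web framework: it shows the allow-list check an all-caps alphanumeric field would get, and then the two downstream consumers mentioned (a SQL query and a shell-adjacent call) written so that the value is carried as data regardless of how it was validated. The `products` table, `validate_code`, `lookup_product` and `run_report` are constructed for the example.

```python
import re
import sqlite3
import subprocess
import sys

# The allow-list a framework would apply to this field: upper-case alphanumerics, bounded length.
CODE_RE = re.compile(r"\A[A-Z0-9]{1,32}\Z")


def is_valid_code(raw) -> bool:
    return isinstance(raw, str) and CODE_RE.fullmatch(raw) is not None


def validate_code(raw) -> str:
    """Framework-style validation: reject anything outside the allow-list, return the value unchanged."""
    if not is_valid_code(raw):
        raise ValueError("invalid code")
    return raw


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("ABC123", "widget"), ("XYZ9", "gadget")])
    return conn


def lookup_product(conn: sqlite3.Connection, code: str):
    """SQL consumer: the value is bound as a parameter, never concatenated into the statement,
    so the query is safe whether or not the validator ran first."""
    code = validate_code(code)
    row = conn.execute("SELECT name FROM products WHERE code = ?", (code,)).fetchone()
    return row[0] if row else None


def run_report(code: str) -> str:
    """Shell-adjacent consumer: argv list and no shell=True, so the value is exactly one argument.
    (The child is a tiny Python one-liner, used only so the example does not depend on coreutils.)"""
    code = validate_code(code)
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", code],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    db = open_sample_db()
    for candidate in ["ABC123", "XYZ9", "abc123", "ABC' OR '1'='1"]:
        try:
            print(candidate, "->", lookup_product(db, candidate), "/", run_report(candidate).strip())
        except ValueError as exc:
            print(candidate, "->", exc)
```

Read together, the two positions in the thread are compatible: the allow-list is the framework's job and need not be duplicated, while parameter binding and argv-style process invocation are properties of the consuming layer that an audit can check independently of what the framework promised.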
|
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/ cool
|
# ? May 2, 2018 22:08 |
|
necrotic posted:AWS told them to stop domain fronting using domains they don't own through cloudfront. not really a surprise if its adding risk to other AWS customers. what risk is it adding to other aws customers exactly
|
# ? May 2, 2018 22:09 |
|
Rufus Ping posted:what risk is it adding to other aws customers exactly losing 150 million potential browsers and their accompanying revenue?
|
# ? May 2, 2018 22:10 |
|
|
Rufus Ping posted:what risk is it adding to other aws customers exactly i assume it's that the agencies in question are perfectly willing to block all of aws or google or whoever if they don't comply, and their other customers who don't give a poo poo about signal don't want to get blocked
|
# ? May 2, 2018 22:12 |