|
CRIP EATIN BREAD posted:the other big problem with FIPS 140-2 (besides it being bad) is that vendors need to pay an exorbitant
|
# ? Jun 14, 2018 17:17 |
|
Chris Knight posted:ah this is great
this just put the biggest smile on my face and it doesn't seem to be going away help
|
# ? Jun 14, 2018 17:50 |
|
virtual public network
|
# ? Jun 14, 2018 18:12 |
|
Deep Dish Fuckfest posted:this just put the biggest smile on my face and it doesn't seem to be going away help
if this condition lasts more than four hours, consult a doctor. i'll be right there with you.
|
# ? Jun 14, 2018 19:10 |
|
Cocoa Crispies posted:hosed up but true: I know all those acronyms
it’s been several days after this reply and I was sitting at a bar and realized all the acronyms I know are ridiculous.
|
# ? Jun 15, 2018 02:43 |
|
Plorkyeran posted:virtual public network
|
# ? Jun 15, 2018 09:06 |
|
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Side channel attack against ECDSA and DSA in openssl and other libs.
|
# ? Jun 15, 2018 09:37 |
|
timick posted:https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Using side channels to own the crypto libs.
|
# ? Jun 15, 2018 13:35 |
|
lol who the hell is using DSA
|
# ? Jun 15, 2018 14:03 |
|
Plorkyeran posted:virtual public network
i am going to use this when people ask me about which vpn service to use
|
# ? Jun 15, 2018 14:24 |
|
Lain Iwakura posted:i am going to use this when people ask me about which vpn service to use
Here U Go https://www.zerotier.com
|
# ? Jun 15, 2018 14:28 |
|
mrmcd posted:Using side channels to own the crypto libs.
|
# ? Jun 15, 2018 15:27 |
|
https://twitter.com/TinkerSec/status/1007605774422544389
|
# ? Jun 15, 2018 16:29 |
|
mrmcd posted:Using side channels to own the crypto libs.
quote:Side-channel attacks are explicitly excluded from Cryptlib's threat model.
|
# ? Jun 15, 2018 16:31 |
|
physical secfuck https://twitter.com/lockpickinglwyr/status/1007613178249965569
|
# ? Jun 15, 2018 21:21 |
|
Are spammers able to spoof US short code numbers to send SMS? I just got a text from number "43386" that I suspect is spam. I very very rarely ever do promotional SMS stuff, so I doubt it's that. And anyway, the particulars smell funny to me.
I tried finding who owns the number and I couldn't find that number with a few minutes of casual searching. Nothing turned up in Google search results, and a couple of random "short code directory" sites didn't turn anything up either. These sites differed on whether this number was even registered or not.
The text of the message is suspicious to me, too. It presents itself as a promo/coupon for a product at a store, but the store's web site says their promo text code is a different number. It would be a super lazy way to target the spam, since this area code has a number of these stores and the company is actively expanding and advertising here.
The text also includes a link to what looks like a URL shortener, but when I go to the domain in my browser (just the "name.tld" address, not the full one from the message) it just has a short generic-looking 404 message, white background, text in default font. I did a whois at the TLD's nic site and it didn't turn up much, just contact info for GoDaddy and a creation date of a month ago (i'm not super hip with whois so maybe more can be found elsewhere)
should i bother contacting anyone about this? godaddy? the store? my carrier? if it's helpful i'll do it
Lutha Mahtin fucked around with this message at 22:56 on Jun 15, 2018
|
# ? Jun 15, 2018 22:52 |
|
Lutha Mahtin posted:Are spammers able to spoof US short code numbers to send SMS? I just got a text from number "43386" that I suspect is spam. I very very rarely ever do promotional SMS stuff, so I doubt it's that. And anyway, the particulars smell funny to me.
Telcos don't give a poo poo so don't bother them. The others, maybe.
|
# ? Jun 15, 2018 23:15 |
|
I think you can put whatever as a sender of an SMS, it's easy to spoof.
|
# ? Jun 15, 2018 23:15 |
|
Chris Knight posted:physical secfuck
i can't wait to see more great and security products
|
# ? Jun 16, 2018 01:05 |
|
Chris Knight posted:physical secfuck
"yeah well what if someone doesn't have a screwdriver, idiot? betcha didn't think of that one"
|
# ? Jun 16, 2018 02:43 |
|
|
# ? Jun 16, 2018 07:12 |
|
quote:We methodically test our extracted database of AT commands against eight Android devices from four different vendors through their USB interface
Doesn't mention whether they're able to bypass lock controls via emergency dialer, the only realistic route if USB debugging wasn't enabled
|
# ? Jun 16, 2018 12:52 |
|
yes i'm sure anroid running on those devices is up to date and locked up tight
|
# ? Jun 16, 2018 15:20 |
|
Last Chance posted:yes i'm sure anroid running on those devices is up to date and locked up tight
I'm not sure what that has to do with this particular thing.
|
# ? Jun 16, 2018 16:20 |
|
+++at+cgact=0,1
|
# ? Jun 16, 2018 16:49 |
|
Last Chance posted:yes i'm sure anroid running on 99% of devices is up to date and locked up tight
|
# ? Jun 16, 2018 19:28 |
|
Volmarias posted:I'm not sure what that has to do with this particular thing.
most Android device manufacturers don't ship many updates after they launch a device. this is bad for the security of those devices
|
# ? Jun 16, 2018 19:46 |
|
Last Chance posted:yes i'm sure anroid is up to date and locked up tight
|
# ? Jun 16, 2018 21:23 |
|
Just don't let the keyboard update
|
# ? Jun 16, 2018 22:10 |
|
Lutha Mahtin posted:most Android device manufacturers don't ship many updates after they launch a device. this is bad for the security of those devices
Ok, already understood. This isn't news. When is the last time that a retail device from a known manufacturer shipped with USB debugging enabled by default?
I know everyone loves circle jerking "lol anroid" but this is like one of those "you can gain access to a user's files with this exploit! Step 1: be root" exploits.
If I'm misunderstanding this and it's actually a viable exploit against a phone shipped sometime in the last 5 years, please correct me. Is this basically "dialer codes work from emergency dialer and aren't stripped by the baseband" because if not I'm in the dark on how this could be a legitimate concern
|
# ? Jun 16, 2018 23:06 |
|
Volmarias posted:Ok, already understood. This isn't news. When is the last time that a retail device from a known manufacturer shipped with USB debugging enabled by default?
it looks like this is an upcoming talk at blackhat 2018 so details about it may be unknown. i would hope that it isn't one of those dumb "start with X, gain access to Y which you already have because you started with X" exploits. i have never heard of AT commands before this but a little searching turned up a paper (PDF) with a similar idea. skimming it a bit, it looks like they found flaws in some device manufacturers' android implementations and customizations, where bugs in the AT command system(s) allow an attacker to gain root by someone plugging their phone's USB into a malicious device
coincidentally this is a real-world example of why people were cringing the other day itt about that journalist plugging his android into some random USB keyboard at the USA/NK summit
edit: also, this 2013 article wowwwwww
quote:Our evaluation results are worrisome: vendor customizations are significant on stock Android devices and on the whole responsible for the bulk of the security problems we detected in each device. Specifically, our results show that on average 85.78% of all pre-loaded apps in examined stock images are overprivileged with a majority of them directly from vendor customizations. In addition, 64.71% to 85.00% of vulnerabilities we detected in examined images from every vendor (except for Sony) arose from vendor customizations. In general, this pattern held over time -- newer smartphones, we found, are not necessarily more secure than older ones.
Lutha Mahtin fucked around with this message at 00:00 on Jun 17, 2018
|
# ? Jun 16, 2018 23:51 |
|
Lutha Mahtin posted:it looks like this is an upcoming talk at blackhat 2018 so details about it may be unknown. i would hope that it isn't one of those dumb "start with X, gain access to Y which you already have because you started with X" exploits. i have never heard of AT commands before this but a little searching turned up a paper (PDF) with a similar idea. skimming it a bit, it looks like they found flaws in some device manufacturers' android implementations and customizations, where bugs in the AT command system(s) allow an attacker to gain root by someone plugging their phone's USB into a malicious device
Both those papers are super old and outdated though, if you get your information about the state of Android devices from papers written in 2013 and lovely tech press articles you're gonna be pretty far from reality
|
# ? Jun 17, 2018 00:06 |
|
apseudonym posted:Both those papers are super old and outdated though, if you get your information about the state of Android devices from papers written in 2013 and lovely tech press articles you're gonna be pretty far from reality
|
# ? Jun 17, 2018 00:12 |
|
I hate security related tech press so much, it's mostly just blatant marketing and yet lots of people in the community believe it.
|
# ? Jun 17, 2018 00:18 |
|
apseudonym posted:I hate security related tech press so much, it's mostly just blatant marketing and yet lots of people in the community believe it.
|
# ? Jun 17, 2018 01:01 |
|
anthonypants posted:it's a good thing that android device manufacturers push updates to their customers' devices then, isn't it
More than you think do, but even if they didn't the majority of devices are still newer than 2014. Your unpatched phone from 2014 is still more trustworthy than your laptop
|
# ? Jun 17, 2018 01:15 |
|
is the theory that if these devices were running something other than Android then they would be more likely to update? is that what history tells us?
|
# ? Jun 17, 2018 01:16 |
|
apseudonym posted:Both those papers are super old and outdated though, if you get your information about the state of Android devices from papers written in 2013 and lovely tech press articles you're gonna be pretty far from reality
|
# ? Jun 17, 2018 02:27 |
|
apseudonym posted:Both those papers are super old and outdated though, if you get your information about the state of Android devices from papers written in 2013 and lovely tech press articles you're gonna be pretty far from reality
if you get your information about relational databases from papers written in 1970 and lovely tech press articles you're gonna be pretty far from reality
if you get your information about the halting problem from papers written in 1936 and lovely tech press articles you're gonna be pretty far from reality
if you get your information about algorithms from books written in the 9th century and lovely caliph town criers you're gonna be pretty far from reality
|
# ? Jun 17, 2018 02:42 |
|
apseudonym posted:Your unpatched phone from 2014 is still more trustworthy than your laptop
|
# ? Jun 17, 2018 02:50 |