Kassad posted:
My rental agency provides WiFi to all tenants in the building. I didn't trust them not to gently caress it up, so I kept my own subscription. When I picked up the keys, they gave me the password anyway. It's "11111".

the ssid password strength has zero bearing on network security though. the password is just for authorization, i.e. are you “allowed” to be on the network.

Aug 21, 2018 16:19

May 5, 2024 14:20

ate poo poo on live tv posted:
the ssid password strength has zero bearing on network security though. the password is just for authorization, i.e. are you “allowed” to be on the network.

Yeah, but you know that password is not a good sign of things to come.

Aug 21, 2018 16:32

wpa pretty much requires 8 characters so that's wep right?

Aug 21, 2018 16:38

ate all the Oreos posted:
im the supercomputer that's heavily constrained on cpu resources

hopefully one is ssh/scp'ing into the login nodes and not the compute nodes

Aug 21, 2018 17:09

ate poo poo on live tv posted:
the ssid password strength has zero bearing on network security though. the password is just for authorization, i.e. are you “allowed” to be on the network.

i would suggest that being able to properly control who is and isn't allowed on the network has more than "zero bearing" on the security of said network. someone figuring out the psk (then inducing and observing a 4 way handshake) is the equivalent of them plugging themselves into a network hub

Aug 21, 2018 17:11

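The two posts above (8-character minimum, and the PSK being the whole access control) can be checked against the standard itself. The following is an added example, not code from the thread or any poster: it implements the WPA/WPA2-Personal passphrase rules and the PSK-to-PMK derivation defined in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 256-bit output), so you can see that a 5-character key cannot be a WPA passphrase at all, and that every station that knows the passphrase and SSID derives the identical PMK. The `classify_network_secret` helper and its WEP key-length rule of thumb are this example's own additions.

```python
# Added example (not from the thread or any poster): WPA/WPA2-Personal
# passphrase rules and the PSK-to-PMK derivation from IEEE 802.11i.
import hashlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_valid_wpa_passphrase(secret: str) -> bool:
    """IEEE 802.11i allows an ASCII passphrase of 8 to 63 printable characters,
    or a 64-hex-digit string that is the 256-bit PSK itself."""
    if len(secret) == 64:
        return all(c in HEX_DIGITS for c in secret)
    return 8 <= len(secret) <= 63 and all(32 <= ord(c) <= 126 for c in secret)


def derive_pmk(secret: str, ssid: str) -> bytes:
    """PSK -> PMK as the standard defines it:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256-bit output).
    Every station that knows the passphrase and SSID derives the same PMK; the
    4-way handshake only proves possession of it, so sharing the passphrase is
    the same as sharing the PMK."""
    if not is_valid_wpa_passphrase(secret):
        raise ValueError("not a valid WPA passphrase or PSK")
    if len(secret) == 64:
        return bytes.fromhex(secret)
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def classify_network_secret(secret: str) -> str:
    """Helper defined for this example. WPA is checked first (8-63 chars);
    anything shorter can only be a WEP key: 5/13 ASCII chars (40-/104-bit)
    or 10/26 hex digits."""
    if is_valid_wpa_passphrase(secret):
        return "wpa-passphrase"
    if len(secret) in (5, 13):
        return "wep-key"
    if len(secret) in (10, 26) and all(c in HEX_DIGITS for c in secret):
        return "wep-key"
    return "invalid"


if __name__ == "__main__":
    print(classify_network_secret("11111"))       # wep-key
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
```

The `"password"` / `"IEEE"` pair is the published test vector from the standard's annex, which is how you confirm the derivation is the real one rather than something approximate.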
Cocoa Crispies posted:
NONE cipher with left-pad

hachi machi

Aug 21, 2018 17:29

Cocoa Crispies posted:
NONE cipher with left-pad

Aug 21, 2018 17:38

quote:
At PayPal, your security is a top priority. As part of our routine monitoring, we discovered a list of email addresses and passwords on the web. While the list is not related to PayPal, we know that it is common practice to use the same email and password across various websites. It is possible that your email and password may have been on the list.

you couldn't, like, check...

Aug 21, 2018 19:23

Cocoa Crispies posted:
NONE cipher with left-pad

Aug 21, 2018 20:01

ate all the Oreos posted:
you couldn't, like, check...

Please reply with your email and password so that we may eliminate you from said list.

Aug 22, 2018 02:23

root@paypal.com:12345, probably

Aug 22, 2018 02:40

similarly, github just asked me to change my pw as it had been found online (email+hash i guess?). it was from back when i used 3-4 "standard" passwords, before i had a pw manager. i've gradually been changing them over as i renew them. can i still check which dump i'm in somewhere?

Carthag Tuek fucked around with this message at 07:31 on Aug 22, 2018

Aug 22, 2018 07:29

Krankenstyle posted:
similarly, github just asked me to change my pw as it had been found online (email+hash i guess?). it was from back when i used 3-4 "standard" passwords, before i had a pw manager. i've gradually been changing them over as i renew them

check haveibeenpwned

Aug 22, 2018 07:37

Wiggly Wayne DDS posted:
but my ham radio needs tls 1.3 with a null cipher, respect the fcc regs and put this into the standard already

Oh man I thought you were joking but that's a real argument someone is making.

Aug 22, 2018 08:10

spankmeister posted:
check haveibeenpwned

thx 5 breaches, nothing important tho (lol i haven't used linkedin in years)

Aug 22, 2018 08:34

mrmcd posted:
I'm so confused by this post. Is it a pop culture reference I don't get or a new kind of steganography or what?

evil_bunnY fucked around with this message at 08:41 on Aug 22, 2018

Aug 22, 2018 08:38

pairofdimes posted:
Oh man I thought you were joking but that's a real argument someone is making.

I mean for troubleshooting/validation purposes allowing NULL for the encryption of a TLS connection is fine and should be supported in the standard, imho. Obviously it shouldn't be allowed by default.

Aug 22, 2018 16:10

ate poo poo on live tv posted:
I mean for troubleshooting/validation purposes allowing NULL for the encryption of a TLS connection is fine and should be supported in the standard, imho.

Nah

Aug 22, 2018 16:29

ate poo poo on live tv posted:
I mean for troubleshooting/validation purposes allowing NULL for the encryption of a TLS connection is fine and should be supported in the standard, imho. Obviously it shouldn't be allowed by default.

Either debug in the application before it enters the tunnel or configure it to export its session key so Wireshark can read the pcap. Leaving old/insecure poo poo in has caused the world a huge amount of issues and TLS 1.3 is explicitly designed to minimize that by removing potentially bad configs as an option. You aren't going to change that.

Aug 22, 2018 16:36

pretty much all of history has shown that if you give people a gun labeled "for troubleshooting only" they will inevitably shoot themselves in the foot with it, no matter how complicated it is to load the bullets or how many hoops they have to jump through to pull the trigger

Aug 22, 2018 17:25

ate all the Oreos posted:
pretty much all of history has shown that if you give people a gun labeled "for troubleshooting only" they will inevitably shoot themselves in the foot with it, no matter how complicated it is to load the bullets or how many hoops they have to jump through to pull the trigger

hahaha, I wish I was this jaded. I'm still hopefully optimistic that people can read those warning signs

Aug 22, 2018 17:34

Just today I had to remediate a web server that was passing payment info over RC4 because the vendor neglected to provide an SSL config to tomcat and for whatever loving reason when you do that it defaults to RC4 over TLS 1.0 despite supporting 1.2 and a whole mess of AES ciphers

Aug 22, 2018 17:36

Janitor Prime posted:
hahaha, I wish I was this jaded. I'm still hopefully optimistic that people can read those warning signs

oh yeah to be fair i'm sure 99% of people can, but then there's always gonna be that guy with no training or experience, who somehow is working for a giant corporation either directly or through a few layers of contractors, and who just needs to get this ssl thing working with our [thing] already dammit

the guy in charge of this kinda stuff at my last job (before me and a few other people were brought in and slowly turned all the poo poo around) was literally a bartender before he got that job and only got hired because he was the bartender at the CEO's old bar. there was so much unbelievably incompetent poo poo, though my favorite was the accessible to the internet Tomcat server that was a decade out of date and had been running with the default admin credentials for that entire time. it had so many obvious, completely-un-hidden backdoors installed on it by the time i got there i had trouble finding the actual software we were supposedly running

Aug 22, 2018 17:50

Janitor Prime posted:
hahaha, I wish I was this jaded. I'm still hopefully optimistic that people can read those warning signs

Stackoverflow exists

I've MiTMd a lot of things over the last five years, probably 80% were a result of copying debug code to disable critical checks.

Aug 22, 2018 18:17

there's too many reasons even having an insecure cipher, even for testing, can result in secfuckups:

designers: well this edge-case exists claiming they need it so we should give a tiny bit of leeway in the design spec to allow it <spec doesn't say MUST NOT use, but SHOULD rely be only allowed for testing purposes>

implementers: okay the rfc says that null is allowed to exist only for these test codepaths, so let's add it as a cipher. recompiling to test sounds bad in practice though, so let's just not include it in the default ciphersuite <decade goes by and that segment of code is considered too fragile to modify>

sysadmin: cool there's CFG_NULL_CIPHER_NO_SERIOSLY_DONT_USE, stackoverflow guide says its great for troubleshooting and i'm always needing to see why my code is not working <its always kept on in production now>

application: ciphersuite? well i need to support all environments and not confuse users with technical settings... let's just put null at the bottom so it works for the devs. we should always have a more secure cipher negotiated before then

attacker: nah let's just keep downgrading them until they use the cipher we want

user: finally i got onto somethingawful, the padlock's even green i'm safe

tl;dr never give an insecure option the chance to ever exist

Aug 22, 2018 18:30

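The "export the session key so Wireshark can read the pcap" suggestion a few posts up, the Tomcat-defaulting-to-RC4 story, and the "null at the bottom of the list" chain above all come down to the same two controls: give operators a way to decrypt their own captures, and make sure the cipher list a context will negotiate never contains anything unencrypted or broken. The following is an added example, not code from the thread or any poster, using only the standard-library `ssl` module (Python 3.8+ on OpenSSL 1.1.1+). The key log location and the `WEAK_MARKERS` list are this example's own choices; the key log format is the NSS format that Wireshark reads.

```python
# Added example (not from the thread or any poster): a TLS client context that
# exports session secrets for Wireshark instead of enabling a NULL cipher, and
# a check that no NULL/RC4/export-grade suite is negotiable.
import os
import ssl
import tempfile

# Substrings of OpenSSL cipher names that mark suites a production context must
# never offer: unencrypted, RC4, export-grade, single DES, MD5 MAC, anonymous DH.
WEAK_MARKERS = ("NULL", "RC4", "EXP", "DES", "MD5", "ADH", "AECDH")


def default_keylog_path() -> str:
    """Where this example writes its key log (a constructed temp location)."""
    return os.path.join(tempfile.gettempdir(), "added-example-tls-keylog.txt")


def make_debuggable_client_context(keylog_path: str) -> ssl.SSLContext:
    """Hardened client context that still supports troubleshooting.

    Session secrets are appended to keylog_path in NSS key log format (one
    'CLIENT_RANDOM <hex> <hex>' line per handshake). Point Wireshark at that
    file (TLS protocol preference '(Pre)-Master-Secret log filename') and it
    decrypts the capture; the wire stays encrypted and no peer has to accept a
    NULL suite. This is the same mechanism the SSLKEYLOGFILE variable triggers
    in browsers and curl.
    """
    ctx = ssl.create_default_context()             # cert + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no fallback to 1.0/1.1
    ctx.keylog_filename = keylog_path               # export secrets for Wireshark
    return ctx


def minimum_tls_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the protocol floor, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that carry a weak marker; empty means clean.
    Run this against any context you build, since an innocent-looking cipher
    string can quietly re-enable what the default excludes."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def would_accept_null(ctx: ssl.SSLContext) -> bool:
    """True if the context currently lists any NULL-encryption suite."""
    return any("NULL" in name for name in weak_ciphers(ctx))


if __name__ == "__main__":
    ctx = make_debuggable_client_context(default_keylog_path())
    print("protocol floor:", minimum_tls_version_name(ctx))   # TLSv1_2
    print("weak suites:", weak_ciphers(ctx))                   # []
    print("accepts NULL:", would_accept_null(ctx))             # False
```

The key log file holds everything needed to decrypt those sessions, so treat it like a credential: write it only on the box you are debugging and delete it when you are done. That is still a far smaller blast radius than a cipher option that, per the chain of events above, ends up switched on in production.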
Counterpoint: All secure options will eventually be insecure.

Aug 22, 2018 18:53

Janitor Prime posted:
hahaha, I wish I was this jaded. I'm still hopefully optimistic that people can read those warning signs

lol reading

Aug 22, 2018 18:55

D. Ebdrup posted:
Counterpoint: All secure options will eventually be insecure.

how is that in any way a counterpoint?

Aug 22, 2018 18:56

Wiggly Wayne DDS posted:
there's too many reasons even having an insecure cipher, even for testing, can result in secfuckups:

Aug 22, 2018 19:01

Subjunctive posted:
how is that in any way a counterpoint?

eventually we'll all be dead and the universe will diffuse into a forever-dark expanse of nothingness

Aug 22, 2018 19:02

ate all the Oreos posted:
eventually we'll all be dead and the universe will diffuse into a forever-dark expanse of nothingness

oh ok, back to hosts.equiv then

Aug 22, 2018 19:04

Subjunctive posted:
oh ok, back to hosts.equiv then

Aug 22, 2018 19:06

Cool security fuckup. https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/

quote:
A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999.

Aug 22, 2018 19:06

it’s not a security fuckup (yet) but being asked about how to rebuild a bunch of docker containers to enable the FIPS module for OpenSSL seems like it’s a start in the right direction.

Aug 22, 2018 19:09

also had a question from the sysadmin on the other side ask us if we can enable LUKS inside our containers. all this runs on AWS btw

Aug 22, 2018 19:10

ate poo poo on live tv posted:
Cool security fuckup.

quote:
If this isn't an option and the OpenSSH client is the only way to connect to devices, sysadmins can disable OpenSSH's "public key authentication" method, which is where the vulnerable code resides.

great advice thanks

Aug 22, 2018 19:13

turn off password auth and force everyone to use keys so even if they can use the exploit to know the user names they can't be used to brute force or dictionary attack? nah just turn off keys for everyone, way better

Aug 22, 2018 19:17

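The posture the post above is arguing for (keys on, passwords off, so a leaked username list buys an attacker nothing to guess against) is a handful of sshd_config directives, and the easy mistake is relying on one that is commented out or overridden. The following is an added example, not code from the thread or any poster: a small audit that parses sshd_config the way sshd does (first occurrence of a directive wins, `#` lines ignored, `Match` blocks not evaluated) and reports which of those directives are off-policy, treating an absent directive as sshd's documented default. The sample config is constructed for the example; the directive names are the ones from sshd_config(5).

```python
# Added example (not from the thread or any poster): audit an sshd_config for
# key-only authentication. Sample config text is constructed for the example.
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
"""

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(.+?)\s*$")


def parse_sshd_config(text: str) -> dict:
    """Effective global directive values, keyed in lower case.

    Mirrors sshd's rules: comments and blank lines are ignored, the FIRST
    occurrence of a directive wins, and everything from the first 'Match'
    block onward is conditional, so parsing stops there."""
    effective = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":
            break
        effective.setdefault(key, m.group(2))
    return effective


# directive -> (sshd default when absent, values that satisfy the policy)
CHECKS = {
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    "permitrootlogin": ("prohibit-password",
                        {"no", "prohibit-password", "without-password"}),
}


def audit_sshd_config(text: str) -> list:
    """Return one finding string per off-policy directive; empty list is clean."""
    cfg = parse_sshd_config(text)
    # ChallengeResponseAuthentication is the legacy alias of KbdInteractiveAuthentication.
    if ("challengeresponseauthentication" in cfg
            and "kbdinteractiveauthentication" not in cfg):
        cfg["kbdinteractiveauthentication"] = cfg["challengeresponseauthentication"]
    findings = []
    for key, (default, allowed) in CHECKS.items():
        value = cfg.get(key, default).lower()
        if value not in allowed:
            findings.append(f"{key} is {value!r}; expected one of {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE_SSHD_CONFIG))          # []
    print(audit_sshd_config("PubkeyAuthentication no\n"))  # three findings
```

Run it against the live file (`audit_sshd_config(open("/etc/ssh/sshd_config").read())`) and confirm with `sshd -T`, which prints the effective configuration after defaults and includes are applied; the audit above is a quick check, `sshd -T` is the authoritative one.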
ate all the Oreos posted:
eventually we'll all be dead and the universe will diffuse into a forever-dark expanse of nothingness

#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#define MBEDTLS_TEST_NULL_ENTROPY

one weird trick to eliminate entropy! chemists hate it!

Aug 22, 2018 19:18

the good news is that on all the embedded poo poo that’s really hard to update there will tend to be fixed and known usernames, so not much is lost there

Aug 22, 2018 19:19

D. Ebdrup posted:Counterpoint: All secure options will eventually be insecure. thats a horseshit argument and you know it
|
# ? Aug 22, 2018 19:22 |