|
CRIP EATIN BREAD posted:it’s not a security fuckup (yet) but being asked about how to rebuild a bunch of docker containers to enable the FIPS module for OpenSSL seems like it’s a start in the right direction. yeah fips is crusty as hell. I'm glad they're thinking about it but you can do a lot better with a little effort
|
#
?
Aug 22, 2018 19:25
|
|
|
|
| # ? Apr 26, 2024 11:25 |
|
|
CRIP EATIN BREAD posted:also had a question from the sysadmin on the other side ask us if we can enable LUKS inside our containers.
|
|
#
?
Aug 22, 2018 19:26
|
|
|
CRIP EATIN BREAD posted:it’s not a security fuckup (yet) but being asked about how to rebuild a bunch of docker containers to enable the FIPS module for OpenSSL seems like it’s a start in the right direction. BangersInMyKnickers posted:yeah fips is crusty as hell. I'm glad they're thinking about it but you can do a lot better with a little effort itym fipsmode is the greatest
|
|
#
?
Aug 22, 2018 19:29
|
|
|
Cocoa Crispies posted:itym fipsmode is the greatest 
|
|
#
?
Aug 22, 2018 19:40
|
|
|
its hilarious because not only do they want fips enabled SSL, they want it on a postgres server, but also don't want to be bothered to maintain a CA or anything like that. they also do not know how x509 works, or how the certificates are used.
|
|
#
?
Aug 22, 2018 19:42
|
|
|
some interesting malware: https://twitter.com/matthieu_faou/status/1032256075821666304 https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf posted:Turla developers like to use less common or modified encryption algorithms in their backdoors:
|
|
#
?
Aug 22, 2018 19:57
|
|
|
I really hope more places start rolling app locker. Unsigned/arbitrary code is a nightmare
|
|
#
?
Aug 22, 2018 20:05
|
|
|
Subjunctive posted:the good news is that on all the embedded poo poo that’s really hard to update there will tend to be fixed and known usernames, so not much is lost there marketing at a recent presentation to sales: "top issues for iot buyers: 1. lack of a business model 2. lack of funding 3. lack of standards security was not a top issue"
|
|
#
?
Aug 22, 2018 20:13
|
|
|
BangersInMyKnickers posted:I really hope more places start rolling crypto locker. Unencrypted/arbitrary files are a nightmare
|
|
#
?
Aug 22, 2018 20:16
|
|
|
ate poo poo on live tv posted:Cool security fuckup. lol forever @ open sores "security"
|
|
#
?
Aug 22, 2018 20:33
|
|
|
they should also include an accuracy bar so you know when you're getting closer to guessing the username or password
|
|
#
?
Aug 22, 2018 20:36
|
|
|
BangersInMyKnickers posted:yeah fips is crusty as hell. I'm glad they're thinking about it but you can do a lot better with a little effort the only people i know* who still insist on fips are banks/financial companies whose csos still love using the words "military grade encryption". like you say, it's not actually a bad baseline but afaik still allows quite a lot of old broken poo poo through while disallowing newer, better stuff (does it still say "yeah 3des is fine"?) * admittedly i don't deal with us.gov, who i assume still at least pretend to use it?
|
|
#
?
Aug 22, 2018 20:45
|
|
|
BangersInMyKnickers posted:I really hope more places start rolling app locker. Unsigned/arbitrary code is a nightmare the implementation of applocker is terrible though. luv 2 linearly scan huge directories on every single process start without any form of caching or optimisation. I sure hope the security-related parts of it were designed with more thoughtful attention to detail
|
|
#
?
Aug 22, 2018 20:50
|
|
|
BangersInMyKnickers posted:they should also include an accuracy bar so you know when you're getting closer to guessing the username or password Perhaps the protocol could implement a mastermind like password retrieval system to help people that forget their passwords?
|
|
#
?
Aug 22, 2018 20:55
|
|
|
Soricidus posted:the implementation of applocker is terrible though. luv 2 linearly scan huge directories on every single process start without any form of caching or optimisation. I sure hope the security-related parts of it were designed with more thoughtful attention to detail do it by validating code signatures and its trivial. make your vendors sign their poo poo
|
|
#
?
Aug 22, 2018 20:57
|
|
|
Unrelated but since I'm going to australia I'm going to change all my passwords to this: ƐᄅƖpɹoʍssɐd According to esteemed security checking site https://howsecureismypassword.net it would take 8 quadrillion years to brute force.
|
|
#
?
Aug 22, 2018 20:58
|
|
|
goddamnedtwisto posted:the only people i know* who still insist on fips are banks/financial companies whose csos still love using the words "military grade encryption". like you say, it's not actually a bad baseline but afaik still allows quite a lot of old broken poo poo through while disallowing newer, better stuff (does it still say "yeah 3des is fine"?) the DISA STIGs for windows want it on c.f. https://iase.disa.mil/stigs/gpo/Pages/index.aspx but idk it's probably 100% dependent on if anyone actually checks the settings, and whatever cert & accreditation process they follow says that someone can sign for it if it's not enabled so w/e
|
|
#
?
Aug 22, 2018 21:04
|
|
|
goddamnedtwisto posted:* admittedly i don't deal with us.gov, who i assume still at least pretend to use it? 3DES is still secure from a technical standpoint and about as good as AES128. It's good enough and allows for backwards compatibility with XP/2003 (unless you installed the optional 2003 hot fix to install AES128) so it isn't going anywhere soon. Its slow compared to AES with -NI offload which is why RC4 was the primary backwards compatibility cipher for so long.
|
|
#
?
Aug 22, 2018 21:05
|
|
|
BangersInMyKnickers posted:3DES is still secure from a technical standpoint and about as good as AES128. It's good enough and allows for backwards compatibility with XP/2003 (unless you installed the optional 2003 hot fix to install AES128) so it isn't going anywhere soon. Its slow compared to AES with -NI offload which is why RC4 was the primary backwards compatibility cipher for so long. oh yeah, how could i forget? i wonder how much critical infrastructure around the world is still running on software old enough to vote?
|
|
#
?
Aug 22, 2018 21:10
|
|
|
all of it
|
|
#
?
Aug 22, 2018 21:29
|
|
|
goddamnedtwisto posted:oh yeah, how could i forget? i wonder how much critical infrastructure around the world is still running on software old enough to vote? hopefully less than before wannacry ... ok I’m not even fooling myself
|
|
#
?
Aug 22, 2018 21:36
|
|
|
https://www.zdnet.com/article/philips-reveals-code-execution-vulnerabilities-in-cardiovascular-devices/
|
|
#
?
Aug 22, 2018 21:40
|
|
|
Carbon dioxide posted:https://www.zdnet.com/article/philips-reveals-code-execution-vulnerabilities-in-cardiovascular-devices/ shame the name heartbleed was taken
|
|
#
?
Aug 22, 2018 21:42
|
|
|
ate poo poo on live tv posted:Cool security fuckup. Inadvertently my rear end. The commit message itself referenced a reasonably well known security researcher. Who decided to use that phrase in this article?
|
|
#
?
Aug 23, 2018 00:03
|
|
|
BlackHat is envious of the rest of the industy having secfucks, so it wants its own: https://ninja.style/post/bcard/ Here's a tidbit: quote:To my surprise, I was able to pull my attendee data completely unauthenticated over this API. quote:The rate at which we were able to brute force the API would mean that we could successfully collect all BlackHat 2018 registered attendees’ names, email addresses, company names, phone numbers, and addresses in only approximately 6 hours.
|
|
#
?
Aug 23, 2018 00:09
|
|
|
D. Ebdrup posted:BlackHat is envious of the rest of the industy having secfucks, so it wants its own: https://ninja.style/post/bcard/ black hat is part of the rest of the tech conference industry
|
|
#
?
Aug 23, 2018 01:08
|
|
|
ate all the Oreos posted:great advice thanks that advice is actively malicious holy poo poo "yeah a bug in openssh allows people to brute force usernames, what you should do is turn off the functionality that prevents them from brute forcing passwords as well"
|
|
#
?
Aug 23, 2018 02:03
|
|
|
https://twitter.com/hanno/status/1032510153273290754
|
|
#
?
Aug 23, 2018 07:16
|
|
|
*Still* with the Ghostscript?
|
|
#
?
Aug 23, 2018 10:49
|
|
|
James Baud posted:Inadvertently my rear end. The commit message itself referenced a reasonably well known security researcher. Who decided to use that phrase in this article? lol yea as I read it, the commit is intended to fix that very issue, like that is its entire purpose wtf does the article author think was the point Carthag Tuek fucked around with this message at 12:00 on Aug 23, 2018 |
|
#
?
Aug 23, 2018 11:57
|
|
|
followup https://twitter.com/hanno/status/1032612415068889090
|
|
#
?
Aug 23, 2018 14:05
|
|
|
that is a very distro thing to do
|
|
#
?
Aug 23, 2018 14:18
|
|
|
with compiled it with the -NoSecurity flag for your benefit
|
|
#
?
Aug 23, 2018 14:25
|
|
|
is there an easy way in redhat to interrogate if a process is using the nx bit?
|
|
#
?
Aug 23, 2018 14:27
|
|
|
Subjunctive posted:that is a very distro thing to do in gentoo i have to --funroll-loops and --no-security to get more juice out of my ricer mods, ubuntu just pre-packages all the rice
|
|
#
?
Aug 23, 2018 14:32
|
|
|
Truga posted:in gentoo i have to --funroll-loops and --no-security to get more juice out of my ricer mods, ubuntu just pre-packages all the rice i mean why wouldn't you want everything compiled with fun roll loops enabled, whee
|
|
#
?
Aug 23, 2018 14:59
|
|
|
BangersInMyKnickers posted:I really hope more places start rolling app locker. Unsigned/arbitrary code is a nightmare gonna be great when the new windows comes out and they have a level above enterprise that you have to purchase to use it
|
|
#
?
Aug 23, 2018 15:12
|
|
|
BIGFOOT EROTICA posted:gonna be great when the new windows comes out and they have a level above enterprise that you have to purchase to use it windows 10.1 enterprise pro
|
|
#
?
Aug 23, 2018 15:25
|
|
|
cinci zoo sniper posted:windows 10.1 enterprise pro For Business
|
|
#
?
Aug 23, 2018 15:26
|
|
|
|
| # ? Apr 26, 2024 11:25 |
|
|
Schadenboner posted:For Business 365
|
|
#
?
Aug 23, 2018 15:27
|
|