|
D. Ebdrup posted:(password) Oh cool, let's see if it works for me LowtaxH4zHugeB4llz
|
#
?
Mar 14, 2019 21:19
|
|
|
|
| # ? Apr 18, 2024 20:41 |
|
|
The Fool posted:Oh cool, let's see if it works for me Don't doxx me please.
|
|
#
?
Mar 14, 2019 21:19
|
|
|
Please stop posting old bash.org jokes That's actually my passphrase, let's see if it works for them too!
|
|
#
?
Mar 14, 2019 22:52
|
|
|
Volmarias posted:Please stop posting old bash.org jokes 
|
|
#
?
Mar 14, 2019 22:58
|
|
|
If only bash did it too 
|
|
#
?
Mar 15, 2019 02:31
|
|
|
Volmarias posted:Please stop posting old bash.org jokes That's my very secure password.
|
|
#
?
Mar 15, 2019 11:20
|
|
|
And now for a non-waste of bytes: A really loving interesting article about shellcode en-/de-coders, their history and even a brief mention of FreeBSD.
|
|
#
?
Mar 15, 2019 21:20
|
|
|
dougdrums posted:Every once in a while I'll do the ol: It hasn't actually happened, but I live in constant fear of Slack stealing focus and making me dump important credentials into a public channel. When I'm typing a password I always triple check that the correct app has focus out of total paranoia. Teammates have definitely done it and immediately had to change passwords. The worst I've done is :q :wq ZZ gently caress
|
|
#
?
Mar 17, 2019 02:44
|
|
|
Docjowles posted:It hasn't actually happened, but I live in constant fear of Slack stealing focus and making me dump important credentials into a public channel. When I'm typing a password I always triple check that the correct app has focus out of total paranoia. Some sales manager did this in our national SPOC room once and their password had the bonus of being really misogynistic. It's not often you get to see someone accidentally torpedo their job like that in front of a bunch of director-level folks across the country.
|
|
#
?
Mar 17, 2019 05:14
|
|
|
ChubbyThePhat posted:I've typed domain and enterprise admin passwords in username fields before. Never uploaded one to a public repo though.... not yet. Fortunately, I did not make this mistake in prod. It was just my home servers IPMI credentials hardcoded in a script(I have since started using a prompt to get the password at runtime for everything I write)
|
|
#
?
Mar 17, 2019 05:24
|
|
|
Coxswain Balls posted:Some sales manager did this in our national SPOC room once and their password had the bonus of being really misogynistic. It's not often you get to see someone accidentally torpedo their job like that in front of a bunch of director-level folks across the country.  Thanks for sharing that
|
|
#
?
Mar 17, 2019 05:53
|
|
|
Docjowles posted:
He needs to now share the password in question. This is important for Sunday hilarity reasons. The guy has obviously changed it. Please.
|
|
#
?
Mar 17, 2019 08:00
|
|
|
apropos man posted:He needs to now share the password in question. This is important for Sunday hilarity reasons. The guy has obviously changed it. Please. 
|
|
#
?
Mar 17, 2019 12:47
|
|
|
Docjowles posted:It hasn't actually happened, but I live in constant fear of Slack stealing focus and making me dump important credentials into a public channel. When I'm typing a password I always triple check that the correct app has focus out of total paranoia. Only really good for windows OS, but KeepAss’ auto type feature is loving fantastic. You pick a target window in the database entry for that credential, and then next time you log in, Ctrl-alt-a auto types the credentials when you have the correct window or login url pulled up. 
|
|
#
?
Mar 17, 2019 14:19
|
|
|
Hey, why is this log full of "Penis1"? Me to dev lead: "Hey, one of your guys put their debugging statement into prod here." Oh, wait. Those are POST bodies, Penis1 is somebody's password. "Uh, Penis1 isn't a thing they typed, but they still need to fix that."
|
|
#
?
Mar 17, 2019 16:08
|
|
|
Guy Axlerod posted:Hey, why is this log full of "Penis1"? are you saying someones password hashed to Penis1?
|
|
#
?
Mar 18, 2019 04:36
|
|
|
RFC2324 posted:are you saying someones password hashed to Penis1? I think they're saying it didn't
|
|
#
?
Mar 18, 2019 04:43
|
|
|
RFC2324 posted:are you saying someones password hashed to Penis1? Are you saying you trust a client to handle hashing a password? The mistake is logging sensitive request bodies. There's nothing wrong with sending unhashed passwords over https, as long as you don't store them.
|
|
#
?
Mar 18, 2019 04:51
|
|
|
Cup Runneth Over posted:I think they're saying it didn't Space Gopher posted:Are you saying you trust a client to handle hashing a password? This is why I ask. Guy Axlerod posted:Penis1 isn't a thing they typed Logging passwords and trusting clients are yes, obviously bad.
|
|
#
?
Mar 18, 2019 05:12
|
|
|
My Dick 5 hash algorithm (TM)
|
|
#
?
Mar 19, 2019 13:51
|
|
|
Short and rarely used anymore, eh?
|
|
#
?
Mar 19, 2019 14:03
|
|
|
Docjowles posted:My Dick 5"
|
|
#
?
Mar 19, 2019 14:41
|
|
|
S-box had a backdoor
|
|
#
?
Mar 19, 2019 16:03
|
|
|
Docjowles posted:My Dick 5 hash algorithm (TM) Cup Runneth Over posted:Short and rarely used anymore, eh? 
|
|
#
?
Mar 21, 2019 00:06
|
|
|
My mother is old and wants a physical USB password-storing-and-entering fob so she doesn't have to write things on pieces of paper. I can't keep LastPass, KeePass, 1Pass, all that crap straight. I know most of them are bad, but not which or why. Help me infosec thread you're my only competent hope. (or just like, tell me what to google and I can make my own decision, but I figure I trust goons 100%)
|
|
#
?
Mar 21, 2019 18:41
|
|
|
DACK FAYDEN posted:My mother is old and wants a physical USB password-storing-and-entering fob so she doesn't have to write things on pieces of paper. I can't keep LastPass, KeePass, 1Pass, all that crap straight. I know most of them are bad, but not which or why. Help me infosec thread you're my only competent hope. If she's got random bits of paper you could get her a password book to replace them. It's like an address book but for websites with passwords. I got my mother one of these a few years back. Obviously it's bad physical security but it worked for her. As for the hardware device to enter passwords the only one I'm familiar with is the mooltipass. I've never used one but it had a lot of hackaday articles about its development a couple of years ago: https://www.themooltipass.com/
|
|
#
?
Mar 21, 2019 19:06
|
|
|
DACK FAYDEN posted:I can't keep LastPass, KeePass, 1Pass, all that crap straight. I know most of them are bad, but not which or why. Help me infosec thread you're my only competent hope. Is this part true? I've used LastPass and 1Password, would be nice to know if I shouldn't be
|
|
#
?
Mar 21, 2019 19:33
|
|
|
DACK FAYDEN posted:My mother is old and wants a physical USB password-storing-and-entering fob so she doesn't have to write things on pieces of paper. I can't keep LastPass, KeePass, 1Pass, all that crap straight. I know most of them are bad, but not which or why. Help me infosec thread you're my only competent hope. KeepAss and 1Password are both solid choices.
|
|
#
?
Mar 21, 2019 19:35
|
|
|
myron cope posted:Is this part true? I've used LastPass and 1Password, would be nice to know if I shouldn't be LastPass has a pretty bad security track record. KeePass is fussy to use but is otherwise fine and it's free. 1Password is fine.
|
|
#
?
Mar 21, 2019 19:38
|
|
|
Just get your mom a physical book. Have her choose long but easy to type passwords.
|
|
#
?
Mar 21, 2019 19:38
|
|
|
i plan to store my passwords by typing them into the facebook login box and retrieve them via GDPR request
|
|
#
?
Mar 21, 2019 19:39
|
|
|
myron cope posted:Is this part true? I've used LastPass and 1Password, would be nice to know if I shouldn't be I tell people to not use LastPass. They’ve had bad exploits, and typically show very little motivation unless they get publicly shamed by Tavis Ormandy. Also, given the nature and avoidability of some of these exploits, they show little interest in secure coding practices. Now they may have changed and/or improved, but I don’t care. Their historical record has placed me firmly in the DO NOT RECOMMEND category. I can’t say for KeePass, but 1Password devs are thoroughly involved with their users and very reactive regarding security and usability issues. Based on my, admittedly secondhand, knowledge of KeePass they have a similar reputation. evil_bunnY posted:Just get your mom a physical book. Have her choose long but easy to type passwords. This is a good recommendation as well. They make notebooks specifically for keeping track of IDs/passwords.
|
|
#
?
Mar 21, 2019 19:41
|
|
|
eames posted:i plan to store my passwords by typing them into the facebook login box and retrieve them via GDPR request That might be more valid than you meant when you typed this, unless this is what you were referencing. Facebook admits it stored ‘hundreds of millions’ of account passwords in plaintext https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/
|
|
#
?
Mar 21, 2019 19:52
|
|
|
Proteus Jones posted:This is a good recommendation as well. They make notebooks specifically for keeping track of IDs/passwords.
|
|
#
?
Mar 21, 2019 21:40
|
|
|
Good luck recovering if there's a fire though.
|
|
#
?
Mar 21, 2019 23:46
|
|
|
Just keep a secure copy of her email account details somewhere, and she can password reset the rest.
|
|
#
?
Mar 22, 2019 00:54
|
|
|
https://motherboard.vice.com/en_us/article/j573k3/spyware-data-leak-pictures-audio-recordings
|
|
#
?
Mar 22, 2019 22:27
|
|
|
Is there a thread for reverse engineering/vulnerability discovery/exploit development, especially in the context of Capture The Flag competitions?
|
|
#
?
Mar 23, 2019 01:35
|
|
|
The Scientist posted:Is there a thread for reverse engineering/vulnerability discovery/exploit development, especially in the context of Capture The Flag competitions? Not that I’m aware of, but I’ve done a few and collectively this seems to be about as good a place as any to post it. I just did one last week that was a USB pcap and I had to translate the hex into HID keyboard characters to get a pastebin url, which contained the base64 encoded flag. Last one I did before that was at codemash, and you had to find the login for a url and then use the browser tools to find the base64 flag hidden in the header. Once I finish up bandit my next step is hackthebox.eu, so I’m definitely interested in whatever ctf you’re doing. Also, as far as reverse engineering goes, ghidra was just released and is a fun one to install on a VM, and any.run is great for examining the execution of stuff. If it’s powershell you’re trying to deobfuscate, cyber chef (https://gchq.github.io/CyberChef/?recipe=%5B%7B%22op%22%3A%22XOR%22%252) is pretty rad
|
|
#
?
Mar 23, 2019 06:28
|
|
|
|
| # ? Apr 18, 2024 20:41 |
|
|
Cup Runneth Over posted:https://motherboard.vice.com/en_us/article/j573k3/spyware-data-leak-pictures-audio-recordings Given that it's spyware for parents and they mention nude images, there's a non trivial chance of child porn. It seems like contacting the FBI would get results.
|
|
#
?
Mar 23, 2019 13:49
|
|