|
favorite bit from the yearly security "training" i just "took": telnet, ftp and http are the "less secure" versions of ssh, sftp and https
i mean i guess that's correct in that completely insecure is less secure than secure
|
# ? May 3, 2019 15:35 |
|
ssh, sftp, and https are not inherently secure and I'm guessing they're hedging their language because of that. seems appropriate
|
# ? May 3, 2019 15:40 |
|
well if we’re going to be pedantic, ssh and sftp are unrelated to Telnet and FTP
|
# ? May 3, 2019 15:51 |
|
no that's just being a loving idiot
|
# ? May 3, 2019 15:53 |
|
turns out it was made internally by the junior IT guy, i chatted him up about it and he said he was just in a hurry and worded it a bit weird
|
# ? May 3, 2019 17:29 |
|
Force him to SSH into Telnet.
|
# ? May 3, 2019 18:40 |
|
CommieGIR posted: Force him to SSH into Telnet.
*telnets to device on tcp/22, sees banner* yeah it works for me what's your problem?
|
# ? May 3, 2019 18:55 |
|
code:
[edit] thanks radium
|
# ? May 3, 2019 23:47 |
|
securitized telnet
|
# ? May 3, 2019 23:48 |
|
credential default swaps
|
# ? May 3, 2019 23:48 |
|
Captain Foo posted: credential default swaps
Too big to email
|
# ? May 3, 2019 23:50 |
|
Volmarias posted: Too big to email
kerberized debt obligations
|
# ? May 3, 2019 23:52 |
|
lol dell https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/
|
# ? May 4, 2019 02:14 |
|
more like "root shell"
|
# ? May 4, 2019 03:43 |
|
Mozilla let the Firefox extension signing certificate expire.
|
# ? May 4, 2019 03:54 |
|
pseudorandom name posted: Mozilla let the Firefox extension signing certificate expire.
I wish you are posting certificate expired!!!1!!!!
|
# ? May 4, 2019 03:58 |
|
Schadenboner posted: I wish you are posting certificate expired!!!1!!!!
don’t sign your posts
|
# ? May 4, 2019 05:47 |
|
BIGFOOT EROTICA posted:lol dell
|
# ? May 4, 2019 07:20 |
|
/!\ everyone set your clocks back /!\
|
# ? May 4, 2019 07:39 |
|
BIGFOOT EROTICA posted: lol dell
That's a great write-up
|
# ? May 4, 2019 10:47 |
|
Computer Serf posted: /!\ everyone set your clocks back /!\
never ceases to amaze me how often and repeatedly orgs self-own themselves by not keeping on top of cert expiration/renewal. you'd think it'd be a solved problem by now
|
# ? May 4, 2019 10:54 |
|
Pile Of Garbage posted: never ceases to amaze me how often and repeatedly orgs self-own themselves by not keeping on top of cert expiration/renewal. you'd think it'd be a solved problem by now
current org has this lovely flow chart for updating certs:
take your nice and lovely cert, send it to a linux box, convert it to different formats with openssl, send it back to yourself, send the new certs to it-infrastructure who will take 2-5 business days to sign it, get signed cert back, upload to wherever
repeat for every server / web app / whatever you have that needs cert
|
# ? May 4, 2019 11:05 |
|
BIGFOOT EROTICA posted: lol dell
ha, we use a similar basic "request source" check on an internal web service to validate that requests come from a legitimate requestor (one of two other internal webservers basically) and i've been trying to think of a way to make it more robust by adding extra auth layers/checks to it because it feels wrong and like there's a request spoofing/mitm vuln... though tbh if someone is spoofing or mitm'ing our internal network we're boned already regardless anyway
turns out i'm more security conscious than dell lmao
edit: the obvious answer would be "authenticate the account id of the calling process" but for some dumb reason our webserver accounts don't have normal identity profiles and the team that "manage" the iis hosts won't let us configure them to work around this
Powerful Two-Hander fucked around with this message at 11:50 on May 4, 2019
|
# ? May 4, 2019 11:38 |
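An added example, not part of the post above and not the poster's code: one way to make a "request source" check more robust is to keep the source allow-list but also require each caller to sign the request with a per-caller key (HMAC), so a spoofed source address alone no longer passes. The addresses, caller ids, keys and function names are constructed for illustration; this is a swapped-in technique, not the "authenticate the account id of the calling process" approach the post mentions.

```python
import hashlib
import hmac
import time

# Constructed values: the two internal web servers and their per-caller keys.
ALLOWED_SOURCES = {"10.0.0.11", "10.0.0.12"}
CALLER_KEYS = {"web-a": b"constructed-key-a", "web-b": b"constructed-key-b"}
MAX_SKEW = 300  # seconds a signed request stays valid


def source_check_only(remote_addr):
    """The bare 'request source' check: trusts the apparent source address."""
    return remote_addr in ALLOWED_SOURCES


def sign_request(caller_id, key, method, path, body, ts):
    """Caller side: HMAC-SHA256 over caller id, method, path, timestamp, body hash."""
    msg = "\n".join([caller_id, method, path, str(ts),
                     hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(remote_addr, caller_id, method, path, body, ts, signature,
                   now=None):
    """Service side: source allow-list plus proof the caller holds its key."""
    now = time.time() if now is None else now
    if remote_addr not in ALLOWED_SOURCES:
        return False
    key = CALLER_KEYS.get(caller_id)
    if key is None:
        return False
    # Reject stale requests; this narrows replay but does not eliminate it
    # (a nonce cache would be needed for that).
    if abs(now - ts) > MAX_SKEW:
        return False
    expected = sign_request(caller_id, key, method, path, body, ts)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, signature)
```

The signature covers the body hash, so a request altered in transit fails verification even when it arrives from an allow-listed address.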
|
Boiled Water posted: current org has this lovely flow chart for updating certs:
hah that sounds just like the process at the last place i was at only without the magic openssl box. also if the cert was for a windows box and the it infra tech was the one who installed it then you can pretty much guarantee that they left the "mark private key as exportable" option checked when importing the PFX to the cert store
|
# ? May 4, 2019 11:49 |
|
All firefox extensions are disabled due to the expiration of a cert.
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
I had forgotten how horrible the web was without an adblocker.
|
# ? May 4, 2019 12:15 |
|
ya that's what we've been talking about. i've been using this workaround, works fine and i've only got one extension so not too painful: https://www.reddit.com/r/firefox/co...m=web2x&depth=1
|
# ? May 4, 2019 12:40 |
|
Pile Of Garbage posted: ya that's what we've been talking about. i've been using this workaround, works fine and i've only got one extension so not too painful: https://www.reddit.com/r/firefox/co...m=web2x&depth=1
Thanks, that worked!
|
# ? May 4, 2019 13:15 |
|
Hey so is the fact that my Firefox addons have been working just fine all along a secfuck in itself? I'm running Nightly but I didn't mess with the signing options.
|
# ? May 4, 2019 14:27 |
|
BIGFOOT EROTICA posted:don’t sign your posts
|
# ? May 4, 2019 15:27 |
|
Vanadium posted: Hey so is the fact that my Firefox addons have been working just fine all along a secfuck in itself? I'm running Nightly but I didn't mess with the signing options.
i've not had any issues either and i'm just on the standard build. maybe it only validates when the browser starts and mine was loaded before it ticked over?
|
# ? May 4, 2019 15:30 |
|
mine was working until about 20 minutes ago then suddenly popped up that it had disabled add-ons, so i'm guessing it does periodic checks. using the debugging side-load method works
|
# ? May 4, 2019 16:57 |
|
There is some sort of temporary fix that is supposedly applied if you enable "studies". Although it doesn't work for me and several others. https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
|
# ? May 4, 2019 17:37 |
|
Pile Of Garbage posted: hah that sounds just like the process at the last place i was at only without the magic openssl box. also if the cert was for a windows box and the it infra tech was the one who installed it then you can pretty much guarantee that they left the "mark private key as exportable" option checked when importing the PFX to the cert store
the real secfuck is that i have to install the certs themselves when getting them back from it infrastructure
|
# ? May 4, 2019 18:38 |
|
Carbon dioxide posted: There is some sort of temporary fix that is supposedly applied if you enable "studies". Although it doesn't work for me and several others. https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
"it may take up to six hours for the study to be applied to your browser" LOL
on the upside, this bug led me to discovering that on twitter there is firefox... ¡en español! encuentra la panda rojo aqui!!
|
# ? May 4, 2019 20:42 |
|
Lutha Mahtin posted: "it may take up to six hours for the study to be applied to your browser" LOL
encuentra mis huevos jajajajajaja
|
# ? May 4, 2019 21:48 |
|
two "studies" installed for me and i was able to reinstall ublock origin. i then disabled the studies/telemetry checkboxes in the firefox settings, and so far ublock is still working
|
# ? May 4, 2019 21:48 |
|
Lutha Mahtin posted: two "studies" installed for me and i was able to reinstall ublock origin. i then disabled the studies/telemetry checkboxes in the firefox settings, and so far ublock is still working
it'll probably turn off again at some point unless they fix it more properly
|
# ? May 4, 2019 22:07 |
|
so firefox just shat itself bigtime. Apparently, you can disable addons signature checking to bypass that but it didn't work, i guess the brendan eichmann sleeper agents are good at their job
|
# ? May 5, 2019 00:35 |
|
you can use about:debug and sideload your addons if you need to, the xpi files are stored in the profile folder.
|
# ? May 5, 2019 00:38 |
|
SIGSEGV posted:so firefox just shat itself bigtime. Apparently, you can disable addons signature checking to bypass that but it didn't work, i guess the brendan eichmann sleeper agents are good at their job
|
# ? May 5, 2019 00:40 |