|
Sagebrush posted:the little credit union where i first got a bank account when i was a child started doing online banking about 5 years ago it was something like this for the credit union i got my last car loan through. i didn't care though because it was my only account with them, so the only risk would have been if some hacker came along and wanted to pay off a used ford taurus
|
# ? May 9, 2019 03:00 |
|
pseudorandom name posted:looks like there's also OS updates to go along with it and OS devs aren't happy that Lenovo leaked the CVE reveal dates. Any links?
|
# ? May 9, 2019 03:51 |
|
The Electronaut posted:Any links? The Lenovo leak, such that it is, is at https://download.lenovo.com/pccbbs/mobiles/n1cet75w.txt
|
# ? May 9, 2019 04:04 |
|
pseudorandom name posted:The Lenovo leak, such that it is, is at https://download.lenovo.com/pccbbs/mobiles/n1cet75w.txt code:
|
# ? May 9, 2019 04:28 |
|
pseudorandom name posted:The Lenovo leak, such that it is, is at https://download.lenovo.com/pccbbs/mobiles/n1cet75w.txt

Thanks. Hmm, all three of the CVEs were reserved back in June: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130.

Curiosity got me. I wondered if anyone had extracted the update from the firmware to do diffs or the like, which led me to this tool: https://github.com/platomav/MCExtractor. The maintainer also maintains a repository: https://github.com/platomav/CPUMicrocodes. I pulled down the firmware and extracted the .bin from the archive, sending it through the MCE Python script. The update to the microcode was released on 1 April 2019. Looking at that repo and the change log to the database, there was a change adding this one (cpuid 406E3 rev CC) and others on the 4th of May.

The awareness of the update (though no connection to the CVEs) appears to come in a Windows Insider/Fast Track update in mid April, based on comments in a forum posting on Win-Raid.com.
|
# ? May 9, 2019 05:16 |
|
javascript card skimming via merchant services analytics in the wild
|
# ? May 9, 2019 13:32 |
|
yeah that's been active for a few years and has been very quietly effective
|
# ? May 9, 2019 13:47 |
|
i like that the exfiltration is just appending all the details to an image load request
|
# ? May 9, 2019 13:52 |
|
somewhere, Mark Miller is sighing with a combination of disappointment and smugness (everywhere)
|
# ? May 9, 2019 14:15 |
|
Subjunctive posted:I’m going to abuse my relationship with Lain to post a job description here. I don’t read YOSPOS anymore so PM me or sbjnctv@gmail.com if you’re a loser without plat. there's a decent vegan place near your work too
|
# ? May 9, 2019 14:21 |
|
Looks like someone hosed up. Lmao
|
# ? May 9, 2019 14:30 |
|
for the last 6 hours, one of the Estonian (+neighbors) national ID card web services is down. the id card is a smart card, enabling 2fa and mandatory for every citizen so naturally, over the past 20 years most important services like banks have migrated to using the ID card as the primary authentication mechanism because everyone has it. the secondary mechanism being a SIM card variant of the exact same thing, also down now because it works out to the same mechanism in a different package. the affected service appears to be one used to sign and validate documents. when russia tried to do its supposed cyberwar on Estonia back in 2008, perhaps they should have targeted this service instead of ddosing random government websites
|
# ? May 9, 2019 14:37 |
|
Subjunctive posted:I’m going to abuse my relationship with Lain to post a job description here. I don’t read YOSPOS anymore so PM me or sbjnctv@gmail.com if you’re a loser without plat.

what kind of software is this developing, or at least what languages? it's not php is it

also I have stories of fixing security fuckups but i feel they're not as good as other posters' stories because the place i was working was appallingly bad so it was stuff like "make it so you actually need a password to access this private server" or "replace unsalted MD5 with something less stupid" or my favorite, "discover that one of the main servers had been running an ancient version of tomcat that was vulnerable to literally everything and hadn't been updated in a decade and I was the first person to ever notice because everyone thought the dozens of different malwares that had been installed on it was just part of our software"
|
# ? May 9, 2019 15:13 |
|
those all sound like randomly-generated scam sites lighteningcornhole[.]com
|
# ? May 9, 2019 15:18 |
|
pseudorandom name posted:The Lenovo leak, such that it is, is at https://download.lenovo.com/pccbbs/mobiles/n1cet75w.txt so is this a staged rollout for different models? nothing new available for x1 carbons 3rd and 6th gen afaict e: or are those not affected?
|
# ? May 9, 2019 19:50 |
|
Lysidas posted:so is this a staged rollout for different models? nothing new available for x1 carbons 3rd and 6th gen afaict from what i understand nothing is supposed to be available yet and we only know something exists because that one leaked (that may have changed though, or, as likely, I've misunderstood)
|
# ? May 9, 2019 20:06 |
|
EssOEss posted:for the last 6 hours, one of the Estonian (+neighbors) national ID card web services is down. the id card is a smart card, enabling 2fa and mandatory for every citizen so naturally, over the past 20 years most important services like banks have migrated to using the ID card as the primary authentication mechanism because everyone has it. the secondary mechanism being a SIM card variant of the exact same thing, also down now because it works out to the same mechanism in a different package.

afaik the ID card itself contains the certificates necessary for signing documents so this service is not essential for that part. it is just the public website where you can sign using a smart card reader - there is also an app for signing and encrypting documents locally. you can also validate the signatures locally but I am not sure if this actually requires connection to a government server (probably does)

also what most people tend to use is the mobile id part of the whole solution. I do not use it personally because I am living abroad but essentially it is a 2fa tied to your phone SIM card and you get to do most necessary procedures without having to stick the card in the reader.

that said it’s still lovely that servers are down
|
# ? May 10, 2019 00:43 |
|
Shame Boy posted:what kind of software is this developing, or at least what languages? it's not php is it we build AI business applications. languages are mostly Scala/python right now but I expect Rust to take some turf soon
|
# ? May 10, 2019 02:01 |
|
a russian cryptolocker author is really mad that somebody released a decrypter for his malware. "shoes you booze" indeed https://twitter.com/campuscodi/status/1126602241463308288
|
# ? May 10, 2019 03:26 |
|
Иiсэ меlтбоши ьгф
|
# ? May 10, 2019 13:02 |
|
Security Fuckup Megathread v18 - more than once I stroked Squirrel by the tail
|
# ? May 10, 2019 13:53 |
|
Shame Boy posted:what kind of software is this developing, or at least what languages? it's not php is it I should say that I don't care what languages you know already, because learning languages while working in a code base with co-workers to ask is not a tall order. I care how you think about security problems in the context of software, policy, tooling, product features, etc.
|
# ? May 10, 2019 14:16 |
|
Lutha Mahtin posted:a russian cryptolocker author is really mad that somebody released a decrypter for his malware. "shoes you booze" indeed Security fuckup megathread: you booze, you lose (your aes keys)
|
# ? May 10, 2019 14:16 |
|
sucks to your aeskeys
|
# ? May 10, 2019 14:29 |
|
Subjunctive posted:I should say that I don't care what languages you know already, because learning languages while working in a code base with co-workers to ask is not a tall order. I care how you think about security problems in the context of software, policy, tooling, product features, etc. yeah i think "be able to learn new languages" is something any developer should be able to do just as part of their job, i was more asking just out of curiosity cuz there are certainly some languages i enjoy working with more than others
|
# ? May 10, 2019 14:42 |
|
florida lan posted:Security Fuckup Megathread v18 - more than once I stroked Squirrel by the tail one hell of a post/av
|
# ? May 10, 2019 15:05 |
|
flakeloaf posted:sucks to your aeskeys
|
# ? May 10, 2019 15:18 |
|
Blow it out your aes
|
# ? May 10, 2019 15:26 |
|
Sereri posted:Blow it out your aes lmao
|
# ? May 10, 2019 16:32 |
|
Sereri posted:Blow it out your aes lol
|
# ? May 10, 2019 16:43 |
|
Sereri posted:Blow it out your aes poo poo this is way better
|
# ? May 10, 2019 16:54 |
|
Sereri posted:Blow it out your aes Wait do people pronounce AES as 'ace'?
|
# ? May 10, 2019 17:00 |
|
ewiley posted:Wait do people pronounce
|
# ? May 10, 2019 17:03 |
|
ewiley posted:Wait do people pronounce AES as 'ace'? we do now
|
# ? May 10, 2019 17:05 |
|
Lutha Mahtin posted:we do now Well ok then
|
# ? May 10, 2019 17:08 |
|
Lutha Mahtin posted:we do now
|
# ? May 10, 2019 17:31 |
|
Sereri posted:Blow it out your aes Yeah that one is better
|
# ? May 10, 2019 18:14 |
|
this new title is great
|
# ? May 10, 2019 18:37 |
|
https://twitter.com/BillyCorben/status/1126655402127577088
|
# ? May 10, 2019 18:52 |
|
and by "hack" we almost definitely mean "find an unattended login, or type the password, which is the name of the school and the number of its civic address"
|
# ? May 10, 2019 18:53 |