|
D. Ebdrup posted:I can see the future. A future in which a gently caress-up will happen because of the MITM on all HTTPS traffic in Kazakhstan. quote:Has the law changed to require such certificates to be installed, Eugene? I agree with the concept of disabling the CA certificates in Firefox after they've been installed, but Mozilla would have to be careful not to step on state toes and just get Firefox banned from the country.  stepping on the toes of a state that not only doesn't value privacy, but is actively attempting to circumvent it. We best pay attention to them rather then treat them as illegitimate.
|
#
?
Jul 18, 2019 23:07
|
|
|
|
| # ? Apr 26, 2024 01:10 |
|
|
Cocoa Crispies posted:it's probably commutative where if you depend on something with a high sev vuln you have one too yeah it's a sum of all the vulns in every package you depend on and every package they depend on and so on etc. idk how that explains why there's barely any low or medium ones though, maybe they only introduced the low levels later and defaulted all preexisting ones to high 
|
|
#
?
Jul 18, 2019 23:21
|
|
|
ate poo poo on live tv posted:
quote:I think it will be better to be banned (btw, how they can ban application?), than breaking privacy of end users. probably the same way they're forcing everyone to install a CA certificate
|
|
#
?
Jul 18, 2019 23:23
|
|
|
javascript was a mistake and node is very bad. i do like the fact that it constantly owns idiots and fucks over people too dumb to realize that hey, maybe the fact that you don't know what your doing is a clear indicator that your project shouldnt be pushed out into the wild
|
|
#
?
Jul 18, 2019 23:51
|
|
|
CRIP EATIN BREAD posted:javascript was a mistake and node is very bad. I don't know how limited it is, but I bet it's Not Enough
|
|
#
?
Jul 19, 2019 01:19
|
|
|
pseudorandom name posted:all you have to do to wrest Linux away from Linus is git clone and then ignore him And then you get to be responsible for it. I really doubt that would go well.
|
|
#
?
Jul 19, 2019 01:39
|
|
|
rjmccall posted:deep code review is a technical contribution, often a more important one than actually writing the code he doesnt do much of that either. its expected that by the time a patch makes it to Linus its already been reviewed. the work Linus does is valuable, but its coordinating and directing the work of others. hes management
|
|
#
?
Jul 19, 2019 02:32
|
|
|
i dunno, the rant (from 2017) that started this particular derail was based on a technical review. but i can totally believe that he mostly shows up for "architectural" decisions like high-level structure, inter-project dependencies/interactions, project philosophy, and so on; that's essentially all chris lattner has done for llvm for the last 5+ years
|
|
#
?
Jul 19, 2019 03:55
|
|
|
Ayin posted:the current edition of rpgmaker finally moved on from ruby... to javascript ow oof
|
|
#
?
Jul 19, 2019 06:26
|
|
|
Shame Boy posted:ok after running an update and getting everything to the latest minor version... there's still ~100 "high" vulns, that can only be fixed by updating major versions. ok whatever, updated the major versions of everything to the latest and... there's still 2 high vulns that npm has no idea how to deal with and just says "requires manual intervention" the manual intervention is to stop using npm and Javascript
|
|
#
?
Jul 19, 2019 11:44
|
|
|
CRIP EATIN BREAD posted:javascript was a mistake and node is very bad.
|
|
#
?
Jul 19, 2019 11:45
|
|
|
CRIP EATIN BREAD posted:Computers were a mistake
|
|
#
?
Jul 19, 2019 14:28
|
|
|
D. Ebdrup posted:I can see the future. A future in which a gently caress-up will happen because of the MITM on all HTTPS traffic in Kazakhstan. So I know everyone shits on geoIP as a security control, but anyone running an SSLVPN might consider blocking KZ connections. It's not likely to work and in the unlikely event that someone manages to hack their workstation to the point where they're accepting this MITM certificate, you probably don't want the connection anyway.
|
|
#
?
Jul 19, 2019 14:34
|
|
|
... explain ....
|
|
#
?
Jul 19, 2019 15:55
|
|
|
Wiggly Wayne DDS posted:... explain .... Ok, so if you're sure all the ISP's in a country are required by law to MITM your SSL connections, aren't you better off just blocking inbound connections from all those ISP's then running the risk that someone has MITM'd your VPN? I mean, client-side validation should catch this and not allow the connection to work, but relying on clients to correctly validate certs, especially against a foreign country who may have CA's included in OS's... Then again, how is this different from sitting in a starbucks while someone MITMs your traffic there? Something about a whole country doing this rather than some ad hoc makes it a worse threat, I guess? I dunno, maybe I'm wrong but even though it's Kazakhstan, it's still a full country doing some SSL fuckery that I just don't trust.
|
|
#
?
Jul 19, 2019 16:24
|
|
|
ewiley posted:Ok, so if you're sure all the ISP's in a country are required by law to MITM your SSL connections, aren't you better off just blocking inbound connections from all those ISP's then running the risk that someone has MITM'd your VPN? I mean, client-side validation should catch this and not allow the connection to work, but relying on clients to correctly validate certs, especially against a foreign country who may have CA's included in OS's... If they started using their trusted CA cert to give out intermediate certs to all the ISPs or something that would be a pretty bad security situation. mystes fucked around with this message at 19:10 on Jul 19, 2019 |
|
#
?
Jul 19, 2019 19:07
|
|
|
ewiley posted:I mean, client-side validation should catch this and not allow the connection to work, but relying on clients to correctly validate certs, especially against a foreign country who may have CA's included in OS's... Presumably an "SSL VPN" is doing tls mutual auth, so the VPN server would also reject a client's cert if it were being mitm'd Your proposal for blocking a country makes sense with https, where usually only the server presents a cert (and the client validates it), but not for vpns
|
|
#
?
Jul 19, 2019 20:08
|
|
|
To an extent you can still spot some mitm of TLS in the absence of mutual auth, as demonstrated by yospos's favourite mitm experts, cloudflare https://new.blog.cloudflare.com/monsters-in-the-middleboxes/
|
|
#
?
Jul 19, 2019 20:12
|
|
|
Lmao Roll20
|
|
#
?
Jul 19, 2019 20:34
|
|
|
ABC: Always Bcrypt Credentials
|
|
#
?
Jul 19, 2019 20:35
|
|
|
Potato Salad posted:ABC: Always Bcrypt Credentials
|
|
#
?
Jul 19, 2019 23:44
|
|
|
Potato Salad posted:ABC: Always Bcrypt Credentials
|
|
#
?
Jul 20, 2019 04:15
|
|
|
Potato Salad posted:ABC: Always Bcrypt Credentials
|
|
#
?
Jul 20, 2019 05:45
|
|
|
Always Base64encode Credentials
|
|
#
?
Jul 20, 2019 05:59
|
|
|
ACAB: All Credentials Are Bcrypted
|
|
#
?
Jul 20, 2019 06:00
|
|
|
always be crypt(1)ing ??
|
|
#
?
Jul 20, 2019 09:33
|
|
|
Do you have any idea how slow and memory intensive the bcrypt algorithm is? Ain't nobody got time for that.
|
|
#
?
Jul 20, 2019 10:35
|
|
|
Carbon dioxide posted:Do you have any idea how slow and memory intensive the bcrypt algorithm is? actually
|
|
#
?
Jul 20, 2019 11:20
|
|
|
Carbon dioxide posted:Do you have any idea how slow and memory intensive the bcrypt algorithm is? Also, speaking of Colin Percival, he'll be doing a bit of a retrospective on side-channel attacks, as he was one of the first ones to document and announce a security advisory to disable SMT all the way back in 2005. The talk will be at EuroBSDCon 2019 which this year is happening in Oslo, Norway.
|
|
#
?
Jul 20, 2019 12:27
|
|
|
Achmed Jones posted:ACAB: All Credentials Are Bcrypted FTP: gently caress Text, Plain
|
|
#
?
Jul 20, 2019 13:40
|
|
|
Carbon dioxide posted:Do you have any idea how slow and memory intensive the bcrypt algorithm is? meh it's 2019, it's fine
|
|
#
?
Jul 20, 2019 13:48
|
|
|
some serious whooshing in here
|
|
#
?
Jul 20, 2019 14:20
|
|
|
just use md5, the standard hash algorithm you can salt it if you like but be careful, too much salt is bad for your blood pressure
|
|
#
?
Jul 20, 2019 14:28
|
|
|
Subjunctive posted:some serious whooshing in here poe's law
|
|
#
?
Jul 20, 2019 14:39
|
|
|
yeah I like to bcrypt my passwords B C R Ystore Plaintext T
|
|
#
?
Jul 20, 2019 15:03
|
|
|
🅱️crypt
|
|
#
?
Jul 20, 2019 15:26
|
|
|
more like encraption am i right
|
|
#
?
Jul 20, 2019 15:29
|
|
|
all the standard "strong" encryption algorithms are backdoored by the nsa and the cia. that's why i've invented gooncrypt,
|
|
#
?
Jul 20, 2019 15:37
|
|
|
been doing network automation stuff recently with Ansible and i love it when i ask the network team for the credentials that they want me to deploy to IOS devices and they send me plain-text secrets 
|
|
#
?
Jul 20, 2019 15:50
|
|
|
|
| # ? Apr 26, 2024 01:10 |
|
|
Soricidus posted:all the standard "strong" encryption algorithms are backdoored by the nsa and the cia. that's why i've invented gooncrypt, I put all my passwords on the blockchain which make them completely secure because
|
|
#
?
Jul 20, 2019 16:58
|
|