Krankenstyle posted: can I turn my chair around when we 'get real'?

yes, but if you have a cap you're obliged to wear it backwards as well

Jul 22, 2019 19:20

deal

Jul 22, 2019 19:35

i usually work the situation like this: https://www.youtube.com/watch?v=x5dJb2YG7vU

instead of cover sheets though it's things like keeping on using appropriate ssl ciphers

Jul 22, 2019 21:34

Lester Speight is a god & all, but you need a culture of talking about security and being easy to work with, so people want to get your help on security poo poo, not tackling a motherfucker if they have the temerity to want something that's not what you want. it's more work, but it's how you get people interested in doing the right thing instead of hiding their minor fuckups until they become huge issues

Jul 22, 2019 21:47

Trabisnikof posted: you need a chill-sec person and a security kraken.

follow the chill-sec advice and you won’t attract the worm

Jul 22, 2019 21:49

Cocoa Crispies posted: Lester Speight is a god & all but

this 100%. being a security bad cop doesn't scale. you just end up with teams who go behind your back to get poo poo done rather than following the process, and the more teams grow the more catch-up you have to play just to have a handle on what's going on, much less have the ability to remediate.

Jul 22, 2019 23:02

it feels lame to post articles from the research group of my day job but everyone loves an AV fuckup right? https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67

quote: The signature check was simply bypassed however by….wait…let’s see if you can see the problem. Here is CmdAgent.exe resolving the COM client’s process name to later invoke a signature check from disk:

Jul 23, 2019 00:59

we have no security-focused engineers for a software product that's designed to sit in the middle of the network path and offload authn/authz poo poo from upstream apps. after several years, engineering has been convinced to stop storing admin credentials in plaintext (previously the rationale was that, if this was a concern for end users, they would encrypt database disk partitions)

Jul 23, 2019 06:17

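An added example, not from the thread or from the product the post describes, of what replacing a plaintext admin-credential column looks like in practice: each password is stored as a salted scrypt record that carries its own parameters, verification is constant-time, and legacy plaintext rows are rehashed either in one migration pass or lazily the next time their owner logs in. The store layout, user names and passwords are constructed for the demo; `hashlib.scrypt` and `hmac.compare_digest` are standard-library calls.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors: N=2**14, r=8 costs about 16 MiB per hash, which is
# nothing for an admin login and a lot for someone cracking a dumped table.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$digest'.

    A fresh 16-byte salt is drawn unless one is passed in (only for tests).
    Keeping the parameters in the record lets them be raised later without
    a second migration.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def is_hashed(value: str) -> bool:
    return value.startswith("scrypt$")


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own parameters and compare in
    constant time, so a wrong guess is not distinguishable by timing."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def migrate_store(store: dict) -> dict:
    """One-shot migration: rehash every plaintext row, leave hashed rows alone.

    Disk-partition encryption protects a disk that walks out of the building;
    a dump of the running database returns the column exactly as stored, so
    the column must not hold the secret itself.
    """
    return {user: (pw if is_hashed(pw) else hash_password(pw))
            for user, pw in store.items()}


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate against either row kind and upgrade a plaintext row the
    first time its owner logs in (lazy migration)."""
    stored = store.get(user)
    if stored is None:
        hash_password(password)       # unknown users cost the same as known ones
        return False
    if is_hashed(stored):
        return verify_password(password, stored)
    if hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        store[user] = hash_password(password)
        return True
    return False


# Constructed sample of the legacy table: admin users mapped to plaintext.
LEGACY_ADMIN_STORE = {
    "admin": "hunter2-but-longer",
    "ops": "correct horse battery staple",
}
```

`migrate_store` is the bulk path for a maintenance window; `login` is the path for a fleet where you cannot take the table offline, since a row is only rewritten once the password is seen again, and any row never touched can be expired at the end of the migration period.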
can everyone list their companies that require 24+ character passwords? I have an uh janitorial company and I’d love to offer them our services for cheap

Jul 23, 2019 12:12

https://blog.ret2.io/2019/06/26/attacking-intel-tsx/

quote: From what we could discern, Intel’s TSX implementation does not enlighten the instruction cache to the transactional read-sets, write-sets, or elided lock values. When the instruction decoding pipeline fetches from the instruction cache, it does not trap to the active transactional memory sets.

Jul 23, 2019 13:14

that's wild as hell

Jul 23, 2019 13:26

Intel TSX is such a garbage fire TBH: it was bugged in haswell/broadwell, side-channelled, and now this. It's not directly dangerous but I'm sure smarty pants will figure out a way to further abuse it.

Jul 23, 2019 13:38

tbf TSX isn’t supposed to be a sandboxing mechanism

Jul 23, 2019 15:31

wasn't tsx the feature so lovely even lastpass stopped supporting it?

Jul 23, 2019 15:39

Mark Ermolov & Maxim Goryachy have done a presentation on their newest work which will almost inevitably lead to secfuck in time: https://www.youtube.com/watch?v=Itml4Om5Q3Q

Jul 23, 2019 15:53

what could go wrong? US attorney general William Barr says Americans should accept security risks of encryption backdoors https://techcrunch.com/2019/07/23/william-barr-consumers-security-risks-backdoors/

quote: He suggested that the “residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product.”

Jul 23, 2019 16:55

CRIP EATIN BREAD posted: what could go wrong?

Oh good, everyone's going to have the backdoor to major financial channels. Good job, Willie.

Jul 23, 2019 16:58

pro read

Jul 23, 2019 17:08

compromised encryption schemes are hilarious because it’ll just end up with everyone but the US running the good stuff. if you think you’re getting the EU nations on board after actively ratfucking them using Echelon and successors you’ve got another think coming.

Jul 23, 2019 17:09

evil_bunnY posted: compromised encryption schemes are hilarious because it’ll just end up with everyone but the US running the good stuff.

the eu already has their own intelligence agencies with backdoors, why would they need the nsa’s

Jul 23, 2019 17:38

if they really mean backdoor in the encryption and not the app, then the minute the government says "you HAVE to use encryption scheme/cipher X", everybody and their brother is going to be going over it with a fine-toothed comb to figure out what the exploit is.

Jul 23, 2019 17:48

Vomik posted: the eu already has their own intelligence agencies with backdoors, why would they need the nsa’s

because you should always have a backup plan

Jul 23, 2019 17:49

CRIP EATIN BREAD posted: if they really mean backdoor in the encryption and not the app, then the minute the government says "you HAVE to use encryption scheme/cipher X", everybody and their brother is going to be going over it with a fine-toothed comb to figure out what the exploit is.

it'll be something like dual-ec-drbg, where it's only exploitable if you were the one that generated the parameters and know how they're related

Jul 23, 2019 18:02

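As an added worked example (not from the thread), here is the Dual EC relation in miniature: a toy Dual_EC_DRBG on a small curve whose parameter generator picked Q, chose a secret d and published P = d*Q. Without d the two points look like ordinary constants; with it, one raw output is enough to recover the internal state and predict everything the generator emits afterwards. The curve (y^2 = x^3 + 2x + 3 over GF(1019)), the trapdoor value 353 and the seed are all constructed for the demo; the real standard used P-256 and dropped the top 16 bits of each output, which adds a 2^16 guess loop but changes nothing else. The point for a defender is that a DRBG whose security rests on nobody knowing a relation between its published constants cannot be audited from the spec alone.

```python
# Toy Dual_EC_DRBG on a tiny curve (added example). The trapdoor is the
# relation P = d*Q, known only to whoever generated the two public points.
# Real Dual EC used P-256 and dropped 16 bits of each output; this toy
# emits the whole x-coordinate, which only removes a 2**16 guess loop.

P_MOD = 1019        # prime, P_MOD % 4 == 3 so a square root is one pow()
A, B = 2, 3         # toy curve y^2 = x^3 + A*x + B over GF(P_MOD)
INF = None          # point at infinity


def add(p1, p2):
    """Affine addition, including doubling and P + (-P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def lift_x(x):
    """A point with this x, or None. The mirror (x, -y) scales to the same x."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def order_of(pt):
    acc, k = pt, 1
    while acc is not INF:
        acc, k = add(acc, pt), k + 1
        if k > 1200:              # past the Hasse bound: something is broken
            raise ValueError("order search did not terminate")
    return k


def find_point(min_order=400):
    """First x whose point has a large order (skips 2-torsion and friends)."""
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt and pt[1] and order_of(pt) >= min_order:
            return pt
    raise ValueError("no usable point")


# Parameter generation with the trapdoor: choose Q and a secret d, publish P.
Q = find_point()
TRAPDOOR_D = 353                  # below min_order, so P is a real point
P = mul(TRAPDOOR_D, Q)


def x_coord(pt):
    if pt is INF:
        raise ValueError("state hit infinity (toy-curve artefact)")
    return pt[0]


def dual_ec_step(state):
    """One round: s_i = x(s_{i-1}*P), r_i = x(s_i*Q). Returns (s_i, r_i)."""
    new_state = x_coord(mul(state, P))
    return new_state, x_coord(mul(new_state, Q))


def predict_next_state(output, d=TRAPDOOR_D):
    """Holder of d: lift r_i to R = +/-(s_i*Q); x(d*R) = x(s_i*P) = s_{i+1}."""
    return x_coord(mul(d, lift_x(output)))


def demo(seed=123):
    """Two rounds from a seed, then predict round two from round one's output.
    A 10-bit curve can hit infinity for some seeds (negligible on P-256), so
    those seeds are skipped."""
    for s in range(seed, seed + 50):
        try:
            s1, r1 = dual_ec_step(s)
            s2, r2 = dual_ec_step(s1)
            guess = predict_next_state(r1)
            return {"seed": s, "true_state": s2, "predicted_state": guess,
                    "true_output": r2, "predicted_output": x_coord(mul(guess, Q))}
        except ValueError:
            continue
    raise RuntimeError("no non-degenerate seed found")
```

`demo()` returns the true second-round state and output next to the values derived from the first output alone; they match because d*(s*Q) = s*(d*Q) = s*P regardless of which of the two lifts of r_i is chosen. Nothing in the generator's public description distinguishes this P, Q pair from an honestly generated one, which is why the only defence is to refuse constants whose provenance cannot be verified.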
CRIP EATIN BREAD posted: what could go wrong?

this poo poo is infuriating

Jul 23, 2019 18:30

CRIP EATIN BREAD posted: what could go wrong?

he should tell us his social security number then

Jul 23, 2019 19:58

nah it’s fine because the only people with the backdoor keys will be the nsa, and if you can’t trust the nsa to keep a secret then who can you trust? I mean sure there was the Snowden thing and then all the leaked hacking tools, but i'm sure they’ve learned their lessons and we can trust them to keep their backdoors secret, starting now

Jul 23, 2019 20:12

https://www.zdnet.com/article/remote-code-execution-vulnerability-in-vlc-remains-unpatched/

new day new vlc vuln

Jul 23, 2019 21:02

At this point it would be news if VLC did not have a vulnerability...

Jul 23, 2019 21:08

threat model: gently caress you, same as law enforcement backdoors tbh

Jul 23, 2019 21:17

all codecs are backdoored

Jul 23, 2019 21:28

Holy gently caress

Jul 23, 2019 21:34

cinci zoo sniper posted: https://www.zdnet.com/article/remote-code-execution-vulnerability-in-vlc-remains-unpatched/ new day new vlc vuln

https://twitter.com/videolan/status/1153715138333220864

they're mad

Jul 23, 2019 22:34

I really have my doubts that MITRE failed to report that to them...

Jul 23, 2019 22:49

Okay VLC is clearly a clusterfuck. What are everyone's recommendations for the same level of "install it and forget about it" these days?

Jul 23, 2019 23:33

Install PotPlayer and get hacked by Koreans?

Edit: Looks like there was a similar CVE in PotPlayer for .wav file parsing last year, lol. My hunch is that any media application that handles tons of different formats is always going to be a secfuck because parsing is a secfuck and you can't support a ton of different formats and codecs without having a lot of parsers around.

ErIog fucked around with this message at 23:41 on Jul 23, 2019

Jul 23, 2019 23:39

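An added example (not from the thread and not from any player's code) of the defensive side of "parsing is a secfuck": a RIFF/WAV header parser that treats every declared length as untrusted, checks it against the bytes actually present before using it as an offset or slice, and cross-checks the fmt fields so a zero block alignment cannot reach the arithmetic that divides by it. The inputs are constructed: a four-frame PCM file, the same file with an absurd data-chunk length (the kind of untrusted-length input any .wav parser has to reject), a truncated copy, and one with block_align set to zero.

```python
import struct


class WavError(ValueError):
    """Raised for any structurally unsafe input; callers never see a
    half-parsed object."""


def parse_wav(data: bytes, max_chunk: int = 64 * 1024 * 1024) -> dict:
    """Walk the RIFF chunk list using only sizes checked against the bytes
    actually held, then validate the fmt fields for consistency.

    In a C player the same unchecked size would feed malloc/memcpy; here
    every declared length is compared with what we have before it is used.
    """
    n = len(data)
    if n < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise WavError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size < 4 or riff_size + 8 > n:
        raise WavError("RIFF size %d does not fit in %d bytes" % (riff_size, n))
    end = riff_size + 8
    pos = 12
    chunks = {}
    while pos < end:
        if end - pos < 8:
            raise WavError("truncated chunk header at offset %d" % pos)
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if size > max_chunk:
            raise WavError("chunk %r declares %d bytes, over the %d limit"
                           % (cid, size, max_chunk))
        if body + size > end:            # the overrun this bug class is about
            raise WavError("chunk %r runs past end of file" % cid)
        if cid in chunks:
            raise WavError("duplicate chunk %r" % cid)
        chunks[cid] = data[body:body + size]
        pos = body + size + (size & 1)   # RIFF pads odd chunks to an even offset
    if b"fmt " not in chunks or b"data" not in chunks:
        raise WavError("missing fmt or data chunk")
    fmt = chunks[b"fmt "]
    if len(fmt) < 16:
        raise WavError("fmt chunk too short")
    (audio_format, channels, sample_rate,
     byte_rate, block_align, bits) = struct.unpack_from("<HHIIHH", fmt, 0)
    if audio_format != 1:
        raise WavError("only PCM (format 1) handled here")
    if channels == 0 or sample_rate == 0 or bits not in (8, 16, 24, 32):
        raise WavError("implausible fmt values")
    if block_align != channels * bits // 8 or byte_rate != sample_rate * block_align:
        raise WavError("fmt fields are inconsistent")   # also rules out block_align == 0
    pcm = chunks[b"data"]
    return {
        "channels": channels,
        "sample_rate": sample_rate,
        "bits_per_sample": bits,
        "frames": len(pcm) // block_align,
        "data_bytes": len(pcm),
    }


def is_safe(data: bytes) -> bool:
    try:
        parse_wav(data)
        return True
    except WavError:
        return False


def build_wav(samples: bytes, channels: int = 1, rate: int = 8000,
              bits: int = 16) -> bytes:
    """Build a minimal PCM WAV (constructed sample input, not a real file)."""
    block_align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * block_align,
                      block_align, bits)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples)
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD_WAV = build_wav(struct.pack("<4h", 0, 1000, -1000, 0))
# Same file with the data chunk claiming 4 GiB (size field sits at offset 40).
OVERSIZED_WAV = GOOD_WAV[:40] + struct.pack("<I", 0xFFFFFFFF) + GOOD_WAV[44:]
# Same file cut short, so the RIFF header promises more than is present.
TRUNCATED_WAV = GOOD_WAV[:-3]
# block_align (fmt offset 12, file offset 32) forced to zero.
ZERO_ALIGN_WAV = GOOD_WAV[:32] + struct.pack("<H", 0) + GOOD_WAV[34:]
```

The shape generalises to any chunked container: compute `end` once from data you hold, and make every chunk prove it fits inside `end` before its size touches an offset, an allocation or a divisor. A `max_chunk` ceiling is there so a well-formed but enormous declared size cannot turn into a memory-exhaustion problem even when the bytes really are present.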
you can run the parsers in a restricted sandbox though

Jul 23, 2019 23:46

Jul 23, 2019 23:49

god I hope there's a disclosure timeline with receipts.

Jul 23, 2019 23:49

lol looks like someone hosed up lads, LMAO!

Jul 23, 2019 23:59

https://twitter.com/phillipcaudell/status/1153239364283056128

Jul 24, 2019 00:02