Subjunctive
Sep 12, 2006

✨sparkle and shine✨

mystes posted:

So after I just recommended zerotier in this thread, the developers are now asking Reddit to help them roll their own crypto for zerotier 2.0.

That’s ok. Zerotier 1.0 will always be older, and therefore better. That’s why I know it’s OK to stick a day-1 install of Windows XP on the internet too.


infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
as we learned from bitcointalk, the first version of anything is always the most secure

BlankSystemDaemon
Mar 13, 2009



Soricidus posted:

you’re kind of backwards here. the “new stuff should be presumed insecure until enough people have failed to attack it” thing works better for pure math than it does for code, where a product that’s been around for years with no serious cves could have a heartbleed level of vulnerability added to it at any time

like, even if you trust the ipsec protocol more than wireguard, how far can you trust any given ipsec implementation, or any given configuration of any given implementation?

attack surface is absolutely relevant here.
You have a very excellent point in asking about IPsec implementations and how far you can trust them - and, well that depends on whether or not they've been audited.
The KAME implementation has been audited (and is BSD licensed, so can be put anywhere and there's really no excuse for not using something that hasn't been audited), as has the one in FreeBSD. I would be very surprised if the one in Linux hasn't.
Wireguard looks insanely interesting from several points of view (both because it's faster than OpenVPN, and because it can be done in kernel which means you can use VTIs and the crypto can be integrated into OpenCrypto-like Frameworks so other things can use it) and I look forward to using it once other people have tried it once we've seen implementation audits and the work in progress warning disappears from the website.
That last part is kinda the sticking point for a lot of people I know, who're otherwise looking forward to using it.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Potato Salad posted:

Few pages back, but I don't think you know what these are

I really stopped caring, thanks for your input.

ate shit on live tv
Feb 15, 2004

by Azathoth

Rufus Ping posted:

I stand by what I wrote. Port knocking belongs in the dustbin of the early 2000s and it's a bit of a 'tell' when someone recommends it.

The scenarios where it confers an actual benefit are pretty contrived, and all require that something else isn't being done properly.

Out of curiosity CommieGIR, do you exclusively knock using UDP or have you granted your knock (hping, nmap, etc) client CAP_NET_RAW?

I use port knocking for my telnet sessions, of which I have many.

James Baud
May 24, 2015

by LITERALLY AN ADMIN
867-5309-23!

ewiley
Jul 9, 2003

More trash for the trash fire
Somewhere djb starts gently weeping and doesn't know why

205b
Mar 25, 2007

Nomnom Cookie posted:

nah I think you got what I was trying to say, more or less. it was pretty dumb and then i doubled down

the point i wanted to make is like this: reduced attack surface is good, but it's not the same as a history of unsuccessful attacks. i don't think you can call something good unless it has history

to rehash what other posters already said, you're not completely wrong, just kind of backwards. I don't think anyone disagrees that all else being equal, it's better to use battle-tested software. but I'll take formal security/correctness guarantees over "nobody's figured out how to exploit this mess yet".

in this case, it's not a question of reducing attack surface - "our code that handles untrusted input is well-contained and audited and therefore probably safe" - but a question of whether we can say with certainty that wireguard doesn't have any e.g. use-after-free bugs, which we can if it doesn't dynamically free memory

anyway I'll shut up and let the thread get back on track

spankmeister
Jun 15, 2008






ewiley posted:

Somewhere djb starts gently weeping and doesn't know why

It's because nobody uses his stupid mailserver

ThePeavstenator
Dec 18, 2012

:burger::burger::burger::burger::burger:

Establish the Buns

:burger::burger::burger::burger::burger:
howabout this one: port-knockout game

redleader
Aug 18, 2005

Engage according to operational parameters
ofc, wireguard should be written as a userspace module in rust

redleader
Aug 18, 2005

Engage according to operational parameters
i figured it out: this thread is the boeing 737 max engineers

the entire rest of the world is boeing management

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

redleader posted:

i figured it out: this thread is the boeing 737 max engineers

the entire rest of the world is boeing management

i can't see myself even coming close to being as rigorous as airplane software engineers. I'm closer to like tesla levels of competence, while if nothing else being aware that i'm terrible

Shame Boy
Mar 2, 2010

Boiled Water posted:

i can't see myself even coming close to being as rigorous as airplane software engineers. I'm closer to like tesla levels of competence, while if nothing else being aware that i'm terrible

yeah i don't even feel comfortable comparing myself to an aircraft engineer as a joke :v:

xtal
Jan 9, 2011

by Fluffdaddy

redleader posted:

ofc, wireguard should be written as a userspace module in rust

Is the joke that that already exists? https://github.com/cloudflare/boringtun

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
hey. i am working on a semi-secret project and need some help. can y'all help me add to this list of RSS feeds that will provide me with infosec news? i specifically want infosec and even more so if they're often sensationalised. it helps if i do not need to add filters to parse out what is infosec and isn't

here is what i have right now from my own code

Python code:
sources = [
    'https://www.helpnetsecurity.com/view/news/feed/',
    'http://www.networkworld.com/category/security/index.rss',
    'http://www.infosecisland.com/rss.html',
    'https://www.scmagazine.com/home/security-news/feed/',
    'https://nakedsecurity.sophos.com/feed',
    'https://threatpost.com/feed/',
    'https://krebsonsecurity.com/feed/',
]
i'll be revealing more about this in a few days
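
A feed list like the one above is only half the job; the bot also has to pull headline/link pairs out of whatever each source returns, and some of the later suggestions in this thread are Atom rather than RSS 2.0. The following is an added example, not code from Lain Iwakura's project: a small standard-library parser that handles both formats and de-duplicates stories that appear on more than one source. The two sample feeds are constructed for the example so it runs offline; no real feed is fetched.

```python
"""Parse headline/link pairs out of RSS 2.0 and Atom 1.0 feeds.

Added example, not the original poster's code. SAMPLE_RSS and SAMPLE_ATOM
are constructed inputs; the titles and example.invalid links are not real
articles. Feed content is untrusted input, so in production one would
parse it with a hardened parser such as the defusedxml package rather
than xml.etree directly.
"""
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed RSS 2.0 sample (not a real feed).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Security News</title>
    <item>
      <title>Hackers &amp; Crackers Breach Everything</title>
      <link>https://example.invalid/a</link>
    </item>
    <item>
      <title>Patch Tuesday Roundup</title>
      <link>https://example.invalid/b</link>
    </item>
  </channel>
</rss>
"""

# Constructed Atom 1.0 sample (not a real feed). The second entry shares a
# link with the RSS sample to show de-duplication; the third has untidy
# whitespace in its title, which real feeds often do.
SAMPLE_ATOM = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Atom Feed</title>
  <entry>
    <title>Patch Tuesday Roundup</title>
    <link rel="self" href="https://example.invalid/b.atom"/>
    <link rel="alternate" href="https://example.invalid/b"/>
  </entry>
  <entry>
    <title>   Zero-day   in   widget firmware </title>
    <link href="https://example.invalid/c"/>
  </entry>
</feed>
"""


def _clean(text):
    """Collapse runs of whitespace and strip the ends of a title."""
    return " ".join((text or "").split())


def _atom_link(entry):
    """Pick the article link from an Atom entry: rel="alternate" or no rel."""
    for link in entry.findall(ATOM_NS + "link"):
        if link.get("rel") in (None, "alternate"):
            return link.get("href", "").strip()
    return ""


def parse_feed(xml_text):
    """Return a list of (title, link) tuples from an RSS 2.0 or Atom feed."""
    root = ET.fromstring(xml_text)
    headlines = []
    if root.tag == "rss":
        for item in root.iter("item"):
            headlines.append((_clean(item.findtext("title")),
                              (item.findtext("link") or "").strip()))
    elif root.tag == ATOM_NS + "feed":
        for entry in root.iter(ATOM_NS + "entry"):
            headlines.append((_clean(entry.findtext(ATOM_NS + "title")),
                              _atom_link(entry)))
    else:
        raise ValueError(f"unsupported feed root element: {root.tag}")
    return headlines


def collect_headlines(feeds):
    """Merge several feeds, dropping stories whose link was already seen so
    the bot does not post the same article twice when sources overlap."""
    seen = set()
    merged = []
    for xml_text in feeds:
        for title, link in parse_feed(xml_text):
            if link and link in seen:
                continue
            seen.add(link)
            merged.append((title, link))
    return merged


if __name__ == "__main__":
    for title, link in collect_headlines([SAMPLE_RSS, SAMPLE_ATOM]):
        print(f"{title} <{link}>")
```

The real bot would replace the two sample strings with the bodies fetched from the `sources` list; everything after that point (format detection, title cleanup, de-duplication by link) stays the same for both RSS and Atom sources.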

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
add https://forums.somethingawful.com/showthread.php?threadid=3887592

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
https://twitter.com/rootsecdev/status/1170005535934033922?s=20

Tried it on one of my lab machines.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

needs rss tho

suffix
Jul 27, 2013

Wheeee!

Lain Iwakura posted:

hey. i am working on a semi-secret project and need some help. can y'all help me add to this list of RSS feeds that will provide me with infosec news? i specifically want infosec and even more so if they're often sensationalised. it helps if i do not need to add filters to parse out what is infosec and isn't

here is what i have right now from my own code

Python code:
sources = [
    'https://www.helpnetsecurity.com/view/news/feed/',
    'http://www.networkworld.com/category/security/index.rss',
    'http://www.infosecisland.com/rss.html',
    'https://www.scmagazine.com/home/security-news/feed/',
    'https://nakedsecurity.sophos.com/feed',
    'https://threatpost.com/feed/',
    'https://krebsonsecurity.com/feed/',
]
i'll be revealing more about this in a few days

https://www.theregister.co.uk/security/headlines.atom
https://www.schneier.com/blog/atom.xml

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
don't ask (it's for a project)

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
eh screw it

https://twitter.com/HackerMovieBot/status/1170021834592440320

i am pairing random movie screenshots (really just anti-trust and hackers for now) with random infosec headlines

it's hit and miss on what it generates but it will get better as i start to put more images into the bot

The Fool
Oct 16, 2003


add sneakers and the net to your movie list

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
if anyone wants to submit some high-quality movie snapshots for this i'll happily take some. right now i am just grabbing my copies of movies, grabbing every 4 seconds, and then deleting whatever i don't want. some of the shots are intentionally non-sequitur

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

The Fool posted:

add sneakers and the net to your movie list

it's in my queue to do

BlankSystemDaemon
Mar 13, 2009



Lain Iwakura posted:

hey. i am working on a semi-secret project and need some help. can y'all help me add to this list of RSS feeds that will provide me with infosec news? i specifically want infosec and even more so if they're often sensationalised. it helps if i do not need to add filters to parse out what is infosec and isn't

here is what i have right now from my own code

Python code:
sources = [
    'https://www.helpnetsecurity.com/view/news/feed/',
    'http://www.networkworld.com/category/security/index.rss',
    'http://www.infosecisland.com/rss.html',
    'https://www.scmagazine.com/home/security-news/feed/',
    'https://nakedsecurity.sophos.com/feed',
    'https://threatpost.com/feed/',
    'https://krebsonsecurity.com/feed/',
]
i'll be revealing more about this in a few days
Well, I don't know if this is exactly what you're looking for, but SANS Internet Storm Center produces https://isc.sans.edu/rssfeed_full.xml which sometimes has some very good articles.
Then there's Ted Unangst's (l)inks rss feed which contains both stuff he's interested in, as well as some of his own stuff like data exfiltration through receive timing (which I'm fairly sure I've linked before) and the recent article on implicit backdoors which is really loving devious and also impressive as all poo poo.
Also, there's https://lobste.rs/t/security.rss although that's kinda cheating as it's from an aggregator.

Sniep
Mar 28, 2004

All I needed was that fatty blunt...



King of Breakfast


any shots out of those needed? (all full HD blu-ray rips, not re-encoded)

also reccos for more hacker movies welcome lol

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl
not exactly a "hacker movie" but maybe Colossus: The Forbin Project might be fitting?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Sniep posted:



any shots out of those needed? (all full HD blu-ray rips, not re-encoded)

also reccos for more hacker movies welcome lol

i would happily take all but hackers. even if they're just every 3-4 seconds i can curate them after the fact

Lain Iwakura fucked around with this message at 19:00 on Sep 6, 2019

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


add in The Core


~*~HACK THE PLANET~*~

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe
wrote a quick c# program a while back that went through a directory and for each video file it found it 1) extracted the softsub 2) parsed out all dialog lines 3) took screenshots of the movie with the line subtitled and 4) wrote the file name + line to a .txt for ez searching. lmk if you want the code

Sniep
Mar 28, 2004

All I needed was that fatty blunt...



King of Breakfast

Lain Iwakura posted:

i would happily take all but hackers. even if they're just every 3-4 seconds i can curate them after the fact

on it.

Sniep fucked around with this message at 19:43 on Sep 6, 2019

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Kuvo posted:

wrote a quick c# program a while back that went through a directory and for each video file it found it 1) extracted the softsub 2) parsed out all dialog lines 3) took screenshots of the movie with the line subtitled and 4) wrote the file name + line to a .txt for ez searching. lmk if you want the code

i might hit you up for that when i work on accessibility options

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

thank you!

Wiggly Wayne DDS
Sep 11, 2010



https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/

quote:

A message about iOS security
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.
well that's the target confirmed
e: as a reminder since the media are now running with "well google were just hiding the android exploits in use" to apple's tune

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe
https://twitter.com/n0rm/status/1169901032102457348

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
black cat hacker

Mustache Ride
Sep 11, 2001



Lain Iwakura posted:

eh screw it

https://twitter.com/HackerMovieBot/status/1170021834592440320

i am pairing random movie screenshots (really just anti-trust and hackers for now) with random infosec headlines

it's hit and miss on what it generates but it will get better as i start to put more images into the bot

Might want to link to the original article as well. That'd make it easier to find them.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Mustache Ride posted:

Might want to link to the original article as well. That'd make it easier to find them.

i considered it but i'd rather not. it's based on another bot idea and it doesn't link to them


Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
sometimes it almost gets it right

https://twitter.com/HackerMovieBot/status/1170050829732085765
