ratbert90 posted:
Oh good; my new bank's online password system is hosed.

the character limit is odd but may be just because they know they have usability issues and more calls if they allow excessively long passwords. the invalid characters can often be because they are not base64ing the password field before posting it through the https session so those characters break poo poo. still not excusable but less bad
# ? Oct 18, 2019 03:07 |
rjmccall posted:
putting the length at the beginning of a string is a terrible design because you can't form substrings without copying the string constantly, which is in fact much worse than repeatedly scanning it to compute the length. the right design is to pass around the length separately from the pointer, which was not obvious in the 70s

you gotta reclaim storage at some point and also figure out what's mutable
# ? Oct 18, 2019 03:16 |
|
i like how the two joke proposals for len-first are incompatible widths
# ? Oct 18, 2019 03:26 |
|
If C had stored the length of strings, we'd just have had another class of errors based on overflow of the length byte. Because you just know they would have stored the length as a byte to save space and instead include another incompatible string with a word length for John Galt speeches and the like. And that word would be machine dependent but in the 90s redefined to be 16 bits and all the way up until 2013 some puritans would keep it as 32 bits (because that is a proper word size) while Microsoft would have STRING16 and STRING32 while GCC would use __str2 and __str4, and in 2003 some brain genius would start defining strings with 64 bit lengths while a competing effort would use strings of arbitrary length based on a coding scheme similar to, but different from the UTF8 encoding of Unicode code points. NUL termination is not great but probably better than the alternatives a clusterfuck like C would be able to define.
# ? Oct 18, 2019 03:35 |
|
duz posted:
php has been able to read server and environment variables for a long time, people are just lazy

being able to read env variables doesn't help you when you don't have any way to set them
# ? Oct 18, 2019 03:40 |
|
put a variable-length length behind the pointer and a NUL-terminated string in front
# ? Oct 18, 2019 03:59 |
|
duz posted:
php has been able to read server and environment variables for a long time, people are just lazy

Yeah I'm thinking more abstract, like having a worker process that handles delegated permissions to perform things on the webserver's behalf rather than just passing around creds. I've come to the conclusion that the dev is just an inexperienced php coder who has a hammer and sees everything as a nail. I'm going to make them redevelop it in dotnet or just buy a goddamn tool which actually integrates with windows.

e: the results of my in-depth static code analysis

    $ cat *.php | grep shell_exec | wc -l
    201
    $ cat *.php | grep escapeshell | wc -l
    0

ewiley fucked around with this message at 12:40 on Oct 18, 2019
# ? Oct 18, 2019 10:15 |
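A slightly less blunt form of that grep count, added here as an example and not ewiley's own script: it counts lines in a tree of PHP files that call a shell-spawning function without an escapeshellarg()/escapeshellcmd() call on the same line. The scratch directory and the PHP file it scans are constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the thread. Like the original grep it is line-based
# and comment-blind, so treat the number as a triage count, not as proof of
# safety: an argument escaped on the previous line is still counted, and a
# command built only from literals is counted too.

# Prints one integer: candidate unescaped command sinks under directory $1.
count_unescaped_shell_calls() {
    dir="$1"
    find "$dir" -type f -name '*.php' -exec grep -hE \
        '(^|[^A-Za-z0-9_])(shell_exec|exec|system|passthru|popen|proc_open)[[:space:]]*\(' {} + 2>/dev/null \
        | grep -vE 'escapeshell(arg|cmd)[[:space:]]*\(' \
        | grep -c . || true   # grep -c prints 0 but exits 1 on empty input
}

# Constructed sample tree (assumption: a scratch directory is acceptable).
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/report.php" <<'EOF'
<?php
// constructed sample file for the demo
$listing = shell_exec("ls " . $_GET['dir']);                   // counted: no escaping
$listing = shell_exec("ls " . escapeshellarg($_GET['dir']));   // skipped: escaped on this line
system("ping -c 1 " . $host);                                  // counted: no escaping
$count = $exec_count + 1;                                      // skipped: not a call
EOF

echo "unescaped shell-spawning calls under $SAMPLE_DIR: $(count_unescaped_shell_calls "$SAMPLE_DIR")"
```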
|
align strings at 16bit boundaries and use the remaining bits for length
# ? Oct 18, 2019 12:42 |
|
ewiley posted:
Yeah I'm thinking more abstract, like having a worker process that handles delegated permissions to perform things on the webserver's behalf rather than just passing around creds.

It's not even this hard. I feel like a lot of the attempts to be clever with hiding credentials places eventually end up with the creds being leaked through some channel that wasn't anticipated. You don't have to be that clever. The `.ssh` folder for linux users is pretty safe. It's just files protected by permissions, but it's considered pretty safe. If you do something profoundly stupid with it then that can also be leaked, but you don't have to do that. The top priority for literally every security implementation should be a sanity check as to whether or not it really adds anything over the existing filesystem permissions. If not, then you should just throw it away. Keep creds outside Git repos and web server roots. If you can't do that much then you've already hosed up.

ErIog fucked around with this message at 13:10 on Oct 18, 2019
# ? Oct 18, 2019 12:56 |
|
When you're doing k8s and containers, do you trust that infra enough to put your creds and secrets in environment variables? Do you go with file mounts and encrypted vaults or ...? I honestly don't know if a traversal or a variable dump are more likely exploits, but I feel like either of those things means you're in a bad place. I don't really want to go down the slippery slope of having the app pull the cred into memory via an API call behind 7 proxies and 512 bit EC certs
# ? Oct 18, 2019 15:21 |
infernal machines posted:
well this is fun, a remotely exploitable bug in the realtek wifi driver can cause a buffer overflow in the linux kernel
# ? Oct 18, 2019 15:29 |
|
Partycat posted:
When you're doing k8s and containers, do you trust that infra enough to put your creds and secrets in environment variables? Do you go with file mounts and encrypted vaults or ...? I honestly don't know if a traversal or a variable dump are more likely exploits, but I feel like either of those things means you're in a bad place. I don't really want to go down the slippery slope of having the app pull the cred into memory via an API call behind 7 proxies and 512 bit EC certs

depends on who owns the metal, who it's talking to, and how expensive losing the credentials would be

ofc if it's a root aws key and it's living on some discount k8s host then

if it's per-instance or even per-dc credentials limited to some service that you roll monthly and it's on a fortune 500 public cloud (azure, aws, salesforce), sure, those motherfuckers are paranoid about control plane poo poo and they're probably willing to talk liability if you're waving a big enough wad of bills at them

if it's some internal thing, make sure it's firewalled off the normal workstation network before you put information that could lead to the arrest of hillary clinton in the environment variables
# ? Oct 18, 2019 16:48 |
Embargo'd paper/presentation on TPM timing and lattice attacks probably means secfuck since it's got 9 months of embargo, so look forward to that, I guess?
# ? Oct 18, 2019 18:32 |
|
https://twitter.com/JaneLytv/status/1185234246471958528
# ? Oct 18, 2019 18:53 |
# ? Oct 18, 2019 18:55 |
|
of course they did. of course they did.
# ? Oct 18, 2019 19:22 |
|
I was thinking maybe it was an internal portal that wasn't exposed to the internet, but nope the next tweet says it was.
# ? Oct 18, 2019 19:24 |
|
JFC how was this not a referral for prosecution for gross neglige- oh right, money.
# ? Oct 18, 2019 19:45 |
|
Unfortunately it turns out that capitalism is p2w.
# ? Oct 18, 2019 19:51 |
|
Thought that aspect of the Equifax breach had been known since around when the story first broke? https://www.miamiherald.com/news/nation-world/world/article173136746.html Sept 2017.
# ? Oct 18, 2019 19:56 |
|
mystes posted:
Unfortunately it turns out that capitalism is p2w.
# ? Oct 18, 2019 20:19 |
|
FungiCap posted:
Thought that aspect of the Equifax breach had been known since around when the story first broke?

yeah but i just learned about it now
# ? Oct 18, 2019 20:26 |
|
Partycat posted:
When you're doing k8s and containers, do you trust that infra enough to put your creds and secrets in environment variables? Do you go with file mounts and encrypted vaults or ...? I honestly don't know if a traversal or a variable dump are more likely exploits, but I feel like either of those things means you're in a bad place. I don't really want to go down the slippery slope of having the app pull the cred into memory via an API call behind 7 proxies and 512 bit EC certs

You should use the built in K8s secrets management with a host that isn't a dumpster fire.
# ? Oct 18, 2019 21:12 |
|
Winkle-Daddy posted:
You should use the built in K8s secrets management with a host that isn't a dumpster fire.

You shouldn't use the built in for anything important because it's not implemented well

from those docs posted:
Caution: Think carefully before sending your own ssh keys: other users of the cluster may have access to the secret. Use a service account which you want to be accessible to all the users with whom you share the Kubernetes cluster, and can revoke if they are compromised.

quote:
Currently, anyone with root on any node can read any secret from the apiserver, by impersonating the kubelet. It is a planned feature to only send secrets to nodes that actually require them, to restrict the impact of a root exploit on a single node.
# ? Oct 18, 2019 21:24 |
|
I secure my servers with admin user and admin password, you saying that's not secure op?
# ? Oct 18, 2019 22:05 |
|
jre posted:
You shouldn't use the built in for anything important because it's not implemented well

uh...what? It's fine for most use cases.

quote:
Caution: Think carefully before sending your own ssh keys: other users of the cluster may have access to the secret. Use a service account which you want to be accessible to all the users with whom you share the Kubernetes cluster, and can revoke if they are compromised.

quote:
Currently, anyone with root on any node can read any secret from the apiserver, by impersonating the kubelet. It is a planned feature to only send secrets to nodes that actually require them, to restrict the impact of a root exploit on a single node.

But seriously, unless you have a drat good reason not to, I don't see a problem. It's what we used for secret management on the k8s control plane and all things related to it for the K8s provider I used to work for ¯\_(ツ)_/¯

Winkle-Daddy fucked around with this message at 22:40 on Oct 18, 2019
# ? Oct 18, 2019 22:37 |
|
why is everyone talking about AMD K8s in here
# ? Oct 19, 2019 00:50 |
|
jre posted:
You shouldn't use the built in for anything important because it's not implemented well

on the other hand, it might get implemented well in the future

our bespoke secret storage methods will never be implemented well
# ? Oct 19, 2019 03:15 |
|
Unless you have someone type a password in somewhere every time you deploy or restart a service, it's unreasonable to try and secure secrets against anyone who has already gained root access to the system.
# ? Oct 19, 2019 03:29 |
|
to be clear, the exact scenario is that if anyone reads the certs to any kubelet in the cluster, they then have access to all secrets across all namespaces in that cluster

if this is a problem then you can use vault or smth that's external to store secrets
# ? Oct 19, 2019 03:31 |
|
abigserve posted:
Unless you have someone type a password in somewhere every time you deploy or restart a service, it's unreasonable to try and secure secrets against anyone who has already gained root access to the system.

remember doing that (or more likely using expect) for first-gen https cert management
# ? Oct 19, 2019 03:37 |
|
cancelled the 1pass subscription, the remainder of the subscription ends in a day or two

moved logins into bitwarden and totp codes into authy

now the totp codes are actually a second factor again, and i no longer have to deal with 1pass steadfastly refusing to acknowledge anything that isn't osx*

* except for browser plugins, which i'm moving away from on account of how regularly they get popped in general. pretty convinced at this point that the safest route is to just keep any password managing in a separate process
# ? Oct 20, 2019 07:25 |
|
the russians just used keepass
# ? Oct 20, 2019 07:53 |
|
does keepass have a sync option these days?
# ? Oct 20, 2019 08:24 |
|
Yeah, you can just put the kdbx on a cloud
# ? Oct 20, 2019 08:30 |
|
Progressive JPEG posted:
does keepass have a sync option these days?

It's had a sync option since forever. Sync from URL expects the keepass file to sync with to be accessible over http or ftp. I never used it so I'm not sure how it works. Sync with file works as advertised. It does quite good diff merging: for every password entry, if it was changed in one of the two files it will update the other; if an entry was deleted in one of the two, it will delete it in the other; if added in one, it will be added in the other; and if a record was changed in different ways in the two files I believe it keeps both of them and puts them in a special folder within the keepass file so you can sort them out manually. It is a manual thing though, I don't think you can auto-sync your local copy with the copy on a server or wherever you put it.
# ? Oct 20, 2019 08:34 |
|
You can just save the file to your cloud folder and open that one, easy!
# ? Oct 20, 2019 08:39 |
|
https://twitter.com/haveibeenpwned/status/1185668262538838016 People are gonna get in trouble.
# ? Oct 20, 2019 09:25 |
|
Bestialities were my least favorite mortal kombat moves
# ? Oct 20, 2019 11:36 |
|
|
Carbon dioxide posted:
It is a manual thing though, I don't think you can auto-sync your local copy with the copy on a server or wherever you put it.

you can use the triggers system to do a sync every time you save or whatever, the doc has an example of how to set up that exact behavior https://keepass.info/help/kb/trigger_examples.html#dbsync

kinda dumb that they require you to configure it all from scratch instead of including a prebuilt template that just needs the right values plugged in, but whatever. no one ever accused keepass of being simple and user-friendly
# ? Oct 20, 2019 11:45 |