|
https://twitter.com/justinsteven/status/1270113960021209088
|
# ? Jun 9, 2020 01:12 |
|
|
# ? Mar 28, 2024 16:13 |
|
apseudonym posted:It sounds like once it rotated it was OK but before then it was using 0 maybe I misinterpreted this tweet? https://twitter.com/__agwa/status/1270076719819558912
|
# ? Jun 9, 2020 01:20 |
|
Subjunctive posted:maybe I misinterpreted this tweet? Oh I didn't see that last one, you're right.
|
# ? Jun 9, 2020 01:59 |
|
My interpretation was that the master key was okay, but before the first rotation it was using all-0s as the ticket key. The issue with the rotation scheme that the gnu folks chose is that even if it were implemented correctly, it would provide no actual security - an attacker that gained access to the master key would be able to derive all previous ticket keys and use them to decrypt previously-captured data.
|
# ? Jun 9, 2020 02:05 |
|
Jabor posted:My interpretation was that the master key was okay, but before the first rotation it was using all-0s as the ticket key. TOTP is supposed to be protected against leaks of other keys not the master key (TOTP still makes no sense for this)
|
# ? Jun 9, 2020 02:35 |
|
apseudonym posted:TOTP is supposed to be protected against leaks of other keys not the master key (TOTP still makes no sense for this) Half the reason you rotate your ticket keys is so that someone who compromises your server can't use the information they discover to read every single message ever sent to it that they've got squirreled away in a datacenter somewhere - they only get the stuff proximate to when they compromised the server. That doesn't work if every single ticket key is trivially derived from the master key that the server also holds.
|
# ? Jun 9, 2020 02:41 |
|
Jabor posted:Half the reason you rotate your ticket keys is so that someone who compromises your server can't use the information they discover to read every single message ever sent to it that they've got squirreled away in a datacenter somewhere - they only get the stuff proximate to when they compromised the server. Yeah, TOTP doesn't make sense here
|
# ? Jun 9, 2020 02:57 |
|
GNU's Not Understanding Their Laughable Software
|
# ? Jun 9, 2020 04:15 |
|
Raere posted:GNU's Not Understanding Their Laughable Software
|
# ? Jun 9, 2020 04:58 |
|
Raere posted:GNU's Not Understanding Their Laughable Software gnu noodles
|
# ? Jun 9, 2020 05:52 |
|
It's absolutely amazing what you can uncover when a URL shortener has sequential IDs https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/ quote:Key Findings
|
# ? Jun 9, 2020 12:54 |
|
Raere posted:GNU's Not Understanding Their Laughable Software drat, son
|
# ? Jun 9, 2020 13:11 |
|
Raere posted:GNU's Not Understanding Their Laughable Software is gnu/tls included with gnu/linux?
|
# ? Jun 9, 2020 13:25 |
|
Mr. Nice! posted:is gnu/tls included with gnu/linux? https://www.youtube.com/watch?v=QXUSvSUsx80
|
# ? Jun 9, 2020 16:32 |
|
Raere posted:GNU's Not Understanding Their Laughable Software
|
# ? Jun 9, 2020 16:52 |
|
Shame Boy posted:when i got a new yubikey for my usb-c laptop (p sure that's a yubikey 5 model) i generated ed25519 keys on it and it's fine with that Good to know, thanks.
|
# ? Jun 9, 2020 17:03 |
Welp, crosstalk is meltre et al except this time it's across cpu core bounderies not per-core thread bounderies.
|
|
# ? Jun 9, 2020 18:28 |
|
Raere posted:GNU's Not Understanding Their Laughable Software
|
# ? Jun 9, 2020 18:31 |
|
D. Ebdrup posted:Welp, crosstalk is meltre et al except this time it's across cpu core bounderies not per-core thread bounderies. just avoid executing malicious code what's the big deal
|
# ? Jun 9, 2020 21:21 |
|
redleader posted:just avoid executing any code what's the big deal
|
# ? Jun 9, 2020 21:54 |
|
redleader posted:just avoid executing malicious code what's the big deal Your job offer from Apple is on its way
|
# ? Jun 9, 2020 22:01 |
|
redleader posted:just avoid executing malicious code what's the big deal gently caress i never brb, writing a conference talk
|
# ? Jun 9, 2020 22:03 |
|
I'm getting bored of Intel architectural vulnerabilities. C'mon give us something interesting
|
# ? Jun 9, 2020 22:49 |
|
Raere posted:I'm getting bored of Intel architectural vulnerabilities. C'mon give us something interesting apple doing their own chips will be good for some tremendous lols if that pans out.
|
# ? Jun 9, 2020 23:48 |
|
https://twitter.com/CrookedNuts/status/1270280225276993538
|
# ? Jun 10, 2020 00:26 |
|
powerful self-own energy
|
# ? Jun 10, 2020 00:47 |
|
Midjack posted:apple doing their own chips will be good for some tremendous lols if that pans out. apple's been designing its own chips since 2012
|
# ? Jun 10, 2020 01:55 |
|
i had to enable voice callback MFA for a single co-worker in a Duo account because the guy has a fuckin iPhone 5 in TYOOL 2020 which he can't install the app on. i deliberately disabled voice callback and SMS OTP in the account because they're less secure than push MFA smdh
|
# ? Jun 10, 2020 09:56 |
|
if it matters that much then buy them a work phone
|
# ? Jun 10, 2020 09:58 |
|
well yeah ideally my employer should do that but they don't
|
# ? Jun 10, 2020 10:03 |
|
https://www.phoronix.com/scan.php?page=news_item&px=RdRand-3-Percent Intel still footgunnin' themselves at any given opportunity. Progressive JPEG posted:if it matters that much then buy them a work phone
|
# ? Jun 10, 2020 10:21 |
|
It gets worse: https://twitter.com/marcan42/status/1270642703542317056?s=20
|
# ? Jun 10, 2020 10:24 |
|
the PoC of the leak this patches is hilariously simple too https://twitter.com/marcan42/status/1270570295884038145 intel: "sensitive data can share an internal register with non-sensitive data, right?"
|
# ? Jun 10, 2020 10:27 |
|
At what point does this start to move the needle for amd chips in servers?
|
# ? Jun 10, 2020 12:27 |
|
Being in mind that I haven't really read anything, why would this RDRAND mitigation be enabled by default on Linux, where rdrand gets mixed with every other source of entropy despite all that one Intel guy's campaigning years ago ... Instead of just lowering its entropy score a bit? Or is the mitigation not on by default and phoronix is just doing their thing?
|
# ? Jun 10, 2020 12:33 |
|
Kazinsal posted:the PoC of the leak this patches is hilariously simple too shared register can have a little sensitive data
|
# ? Jun 10, 2020 15:21 |
|
the mitigation is enabled by default because applications can use the RDRAND instruction directly
|
# ? Jun 10, 2020 15:21 |
|
Pile Of Garbage posted:i had to enable voice callback MFA for a single co-worker in a Duo account because the guy has a fuckin iPhone 5 in TYOOL 2020 which he can't install the app on. i deliberately disabled voice callback and SMS OTP in the account because they're less secure than push MFA smdh congrats you work with stymie
|
# ? Jun 10, 2020 20:33 |
|
Pile Of Garbage posted:i had to enable voice callback MFA for a single co-worker in a Duo account because the guy has a fuckin iPhone 5 in TYOOL 2020 which he can't install the app on. i deliberately disabled voice callback and SMS OTP in the account because they're less secure than push MFA smdh lmao your company fucks up the entire org's security posture to save $200 or was this just for his account and the rest are still disabled?
|
# ? Jun 11, 2020 00:08 |
|
|
# ? Mar 28, 2024 16:13 |
|
Achmed Jones posted:lmao your company fucks up the entire org's security posture to save $200 But doctor, the user with the iPhone5 is Domain Admin!
|
# ? Jun 11, 2020 03:21 |