|
animist posted:idk if anybody's posted this yet but lol webass is full of holes if you load a webassembly library in your code, you risk opening a xss vulnerability on your site ... how is this different from loading a bad version of a dll in your app? i understand that in such a scenario the os would mitigate the exploit with various stack and heap protection techniques , but seeing as webass is fully vm'ed, the stakes are not the same as the whole os getting compromised, no? show me a real exploit where one site is able to change the contents of another site! then i'll panic! i mean, anyone loading jquery could potentially add an xss vuln to their own site since any piece of js can do document.write or whatever. it seems to me like his conclusion should be that the attack surface is even smaller than traditional js go play outside Skyler fucked around with this message at 06:50 on Aug 19, 2020 |
#
?
Aug 19, 2020 06:48
|
|
|
|
| # ? Apr 20, 2024 01:27 |
|
|
go play outside Skyler posted:if you load a webassembly library in your code, you risk opening a xss vulnerability on your site ... how is this different from loading a bad version of a dll in your app? i understand that in such a scenario the os would mitigate the exploit with various stack and heap protection techniques , but seeing as webass is fully vm'ed, the stakes are not the same as the whole os getting compromised, no? i think you should view this as the attack *target* being unfettered access to the webpage, which is then the same as in traditional js. the issue is that the attack *surface* is typically way worse since webasm deployments tend to lack all kinds of security measures and mitigations which js does have. there being sandboxing to keep the exploits from breaking out into the broader system is small comfort if all the important stuff, e.g. your online banking, happens inside the sandbox. a bit of a classic pattern really, building a secure enclave, then having everything important (i.e. actual user data) move into the secure enclave, making breaking it largely irrelevant. think e.g. of exploits making it onto your user account but not to root, they'll still steal any relevant data (passwords, cookies, important documents) and encrypt it all for ransom. they don't care that they can't access system files, those have no value anyway.
|
|
#
?
Aug 19, 2020 07:32
|
|
|
how do i secure my cave
Computer Serf fucked around with this message at 10:43 on Aug 19, 2020 |
|
#
?
Aug 19, 2020 10:41
|
|
|
turn your monitor on
|
|
#
?
Aug 19, 2020 10:55
|
|
|
Computer Serf posted:how do i secure my cave Put out your smoke signal.
|
|
#
?
Aug 19, 2020 10:59
|
|
|
Computer Serf posted:how do i secure my cave just take out your mom's garbage every once in a while
|
|
#
?
Aug 19, 2020 11:35
|
|
|
Computer Serf posted:how do i secure my cave 
|
|
#
?
Aug 19, 2020 11:48
|
|
|
Today's whinge: a colleague added my Atlassian account to their Jira but I had to click a link in the phishing email to actually access their tenancy!
|
|
#
?
Aug 21, 2020 01:57
|
|
|
This was truly excellent bin laden fan fiction.
|
|
#
?
Aug 21, 2020 02:09
|
|
|
https://twitter.com/kateconger/status/1296517771216293889?s=21 This seems really bad.
|
|
#
?
Aug 21, 2020 02:11
|
|
|
We had at least three ex-Facebook security team posters in this thread including a couple (I think) who went to Uber... Is he the one who didn't flee across the border to Canada?
|
|
#
?
Aug 21, 2020 02:59
|
|
|
Sassafras posted:We had at least three ex-Facebook security team posters in this thread including a couple (I think) who went to Uber... Is he the one who didn't flee across the border to Canada? that dude is not Subjunctive if that's who you mean
|
|
#
?
Aug 21, 2020 05:38
|
|
|
nor is it pr0zac
|
|
#
?
Aug 21, 2020 05:49
|
|
|
mystes posted:This was truly excellent bin laden fan fiction. When we went to war with Cobra and this was Cobra Commander's secret mountain fortress playset
|
|
#
?
Aug 21, 2020 06:03
|
|
|
Subjunctive posted:nor is it pr0zac who's the third one :pitchforks:
|
|
#
?
Aug 21, 2020 17:46
|
|
|
I’m wondering the same thing, but I’m pretty sure Joe isn’t a goon (in the SA sense)
|
|
#
?
Aug 21, 2020 17:53
|
|
|
I just went for one of my free annual credit reports and one of verification questions was: Based on your birth date, which sign of the zodiac are you? [ ] Pisces [ ] Libra [ ] Sagittarius [ ] NONE OF THE ABOVE / DOES NOT APPLY
|
|
#
?
Aug 21, 2020 19:32
|
|
|
somebody do that "so true!" meme with FICO scores (I suppose the second layer of the joke is that everyone knows its bullshit but it still rules your life)
|
|
#
?
Aug 21, 2020 19:53
|
|
|
Hed posted:I just went for one of my free annual credit reports and one of verification questions was: where's the "idk i'm under 70 and don't give a poo poo about this horoscope voodoo stuff" answer
|
|
#
?
Aug 21, 2020 19:56
|
|
|
The_Franz posted:where's the "idk i'm under 70 and don't give a poo poo about this horoscope voodoo stuff" answer clearly that's "does not apply"
|
|
#
?
Aug 21, 2020 20:01
|
|
|
The_Franz posted:where's the "idk i'm under 70 and don't give a poo poo about this horoscope voodoo stuff" answer Got bad news for you re. under 25s
|
|
#
?
Aug 21, 2020 20:04
|
|
|
Hed posted:I just went for one of my free annual credit reports and one of verification questions was: That's easy to guess though, since you're posts show that you're Cancer
|
|
#
?
Aug 21, 2020 20:28
|
|
|
[x] all of the above, I AM ETERNAL
|
|
#
?
Aug 21, 2020 20:33
|
|
|
 "We were not hacked, a clever criminal convinced us to give him our data – Experian SA CEO" https://twitter.com/iamkoshiek/status/1296824738233360385
|
|
#
?
Aug 21, 2020 23:37
|
|
|
I find that people in regulated industries like banking and insurance don't care about security because "well, it would be against the regulations to hack us"
|
|
#
?
Aug 21, 2020 23:59
|
|
|
Security Through Bureaucracy
|
|
#
?
Aug 22, 2020 00:00
|
|
|
It's also probably cheaper not to bother with security as long as they don't lose their own money.
|
|
#
?
Aug 22, 2020 00:01
|
|
|
xtal posted:I find that people in regulated industries like banking and insurance don't care about security because "well, it would be against the regulations to hack us" same, but all of the industries because "there are no consequences"
|
|
#
?
Aug 22, 2020 00:04
|
|
|
xtal posted:I find that people in regulated industries like banking and insurance don't care about security because "well, it would be against the regulations to hack us"
|
|
#
?
Aug 22, 2020 00:10
|
|
|
Chris Knight posted:
SecFuck M/T v18.5 - Experian CEO: "We were not hacked, a clever criminal convinced us to give him our data"
|
|
#
?
Aug 22, 2020 03:47
|
|
|
the old “we were not hacked, we are just incompetent at our core business” defence
|
|
#
?
Aug 22, 2020 04:21
|
|
|
boggle, but for passwords: https://www.wired.com/story/dicekeys-cryptography/ idea is you do the boggle, scan the dice faces like a QR code with the website which then derives a long-rear end password that you can then use as the master password for your password manager (their suggestion). the boggle set then gets locked in place to serve as an offline backup for your password. seems a bit dumb imo. if the app website dealio explodes then good luck scanning your boggle set. also i'm pretty sure that anyone competent enough to use a password manager also knows how to generate sufficiently complex passwords.
|
|
#
?
Aug 22, 2020 09:00
|
|
|
then some family members come over, find an old game of Boggle in the closet to play, and suddenly your backup is gone
|
|
#
?
Aug 22, 2020 10:03
|
|
|
*extremely hank hill voice* boggle? I just wanted to log on to propane dot com
|
|
#
?
Aug 22, 2020 11:28
|
|
|
mellow greetings user weedlord bonerhitler, what is your boggle?
|
|
#
?
Aug 22, 2020 11:28
|
|
|
Powerful Two-Hander posted:mellow greetings user weedlord bonerhitler, what is your boggle? my boggle? https://www.youtube.com/watch?v=NbSXrH_CPKg e: the other thing that irked me about the boggle password is that the app website thing is one of those monstrosities with almost 5MB of JS: https://dicekeys.app/. i understand the guy who created it wants it so that it's all client side and nothing gets sent to any server which is fine but it appears to be an insane amalgamation of node.js and webasm. surely there's a better way... Pile Of Garbage fucked around with this message at 11:49 on Aug 22, 2020 |
|
#
?
Aug 22, 2020 11:44
|
|
|
Pile Of Garbage posted:boggle, but for passwords: https://www.wired.com/story/dicekeys-cryptography/
|
|
#
?
Aug 22, 2020 12:19
|
|
|
Cybernetic Vermin posted:i think you should view this as the attack *target* being unfettered access to the webpage, which is then the same as in traditional js. the issue is that the attack *surface* is typically way worse since webasm deployments tend to lack all kinds of security measures and mitigations which js does have. i have a strong suspicion we're gonna start seeing more server side webass as well (as people go "ugh docker images are so clunky, if only there was another way to package executables in a portable format"), so that's a big juicy target
|
|
#
?
Aug 22, 2020 13:01
|
|
|
read that as dickeyes.app
|
|
#
?
Aug 22, 2020 15:14
|
|
|
|
| # ? Apr 20, 2024 01:27 |
|
|
Achmed Jones posted:read that as dickeyes.app like chernoff faces, but all dongs and eyeballs
|
|
#
?
Aug 22, 2020 15:29
|
|