|
Whoops, those suppliers you order and import from actually had a bill of lading attached to every order and technically it's public info. Just no one did the FOIA request and made a free portal to view it until now: https://www.importyeti.com/ (yes, there are commercial products for this, just not free ones)
|
#
?
Feb 24, 2021 20:43
|
|
|
|
| # ? Apr 24, 2024 15:17 |
|
|
bonus secfuck: scroll down and click on "What is ImportYeti" and you get a cloudflare 525 SSL handshake error lmao e: aw it doesn't do it again when i did it the second time
|
|
#
?
Feb 24, 2021 20:59
|
|
|
Shame Boy posted:bonus secfuck: scroll down and click on "What is ImportYeti" and you get a cloudflare 525 SSL handshake error lmao yeah it's dropping like a third of requests
|
|
#
?
Feb 24, 2021 21:13
|
|
|
my company isn't listed because we aren't in the US, but I learned that Facebook bought a noodle cutter and got it shipped from China
|
|
#
?
Feb 24, 2021 22:56
|
|
|
my company isn't listed even though we're in the us, which is weird because i know for a fact we have had stuff shipped to us from overseas
|
|
#
?
Feb 24, 2021 23:59
|
|
|
i found a company named "Big Daddy Huge Time" which has ordered exactly one thing, a periodic table
|
|
#
?
Feb 25, 2021 00:02
|
|
|
Shame Boy posted:i found a company named "Big Daddy Huge Time" which has ordered exactly one thing, a periodic table How big was the table though
|
|
#
?
Feb 25, 2021 00:05
|
|
|
Volmarias posted:How big was the table though not that large. very regular though
|
|
#
?
Feb 25, 2021 00:06
|
|
|
Workaday Wizard posted:seriously what the gently caress can you do when users receive malicious emails from approved business partners other than EDR and pray this is giving people at work a headache at the moment because various groups want "virtual data rooms" and most of them share by emailing a magic link and how the gently caress do you secure and identity proof that channel if them other party isn't already using MFA on your chosen platform?
|
|
#
?
Feb 25, 2021 00:29
|
|
|
Powerful Two-Hander posted:this is giving people at work a headache at the moment because various groups want "virtual data rooms" and most of them share by emailing a magic link and how the gently caress do you secure and identity proof that channel if them other party isn't already using MFA on your chosen platform? cloud is a gently caress
|
|
#
?
Feb 25, 2021 00:30
|
|
|
Workaday Wizard posted:cloud is a gently caress gonna submit this as evidence in my "list of concerns"
|
|
#
?
Feb 25, 2021 00:32
|
|
|
this is like, the third RCE in as many months for the SLP service, and its active in the wild
|
|
#
?
Feb 25, 2021 05:02
|
|
|
the solution is the workaround: disable excess plugins and leave them off
|
|
#
?
Feb 25, 2021 05:04
|
|
|
esxi installations should ship with those services off tbh. it you need something turn it on
|
|
#
?
Feb 25, 2021 05:50
|
|
|
Workaday Wizard posted:cloud is a gently caress world is a vampire 69420 silver linings
|
|
#
?
Feb 25, 2021 06:30
|
|
|
Shame Boy posted:i found a company named "Big Daddy Huge Time" which has ordered exactly one thing, a periodic table
|
|
#
?
Feb 25, 2021 14:27
|
|
|
30 TO 50 FERAL HOG posted:esxi installations should ship with those services off tbh. it you need something turn it on but how are you gonna sell vmware admin training programs with screenshots to show which checkboxes you can safely turn off screenshots with which checkboxes to turn on
|
|
#
?
Feb 25, 2021 14:32
|
|
|
30 TO 50 FERAL HOG posted:esxi installations should ship with those services off tbh. it you need something turn it on they could easily automatically configure iptables so that the host to host services are pinholed by default so other stuff on the subnet can't blast them with a malicious payload buuuuut they don't
|
|
#
?
Feb 25, 2021 14:55
|
|
|
i mean if your management interface isnt on a separate secured vlan thats also your fault but lol
|
|
#
?
Feb 25, 2021 17:26
|
|
|
Powerful Two-Hander posted:this is giving people at work a headache at the moment because various groups want "virtual data rooms" and most of them share by emailing a magic link and how the gently caress do you secure and identity proof that channel if them other party isn't already using MFA on your chosen platform? I read this as "a magic lime" and it made me very happy thinking of meetings passing around virtual limes like talking sticks.
|
|
#
?
Feb 25, 2021 18:02
|
|
|
yeah, why the gently caress don't people put management stuff on a vlan with 802.1x - they're one of the few things where PNAC is usually pretty well-supported
|
|
#
?
Feb 25, 2021 18:08
|
|
|
people, individually and as a group, are generally dumb
|
|
#
?
Feb 25, 2021 18:09
|
|
|
of course of course https://twitter.com/theregister/status/1365009177706434561?s=21
|
|
#
?
Feb 25, 2021 19:45
|
|
|
*clearing throat for 7 minutes straight* Ahem.... Last......rear end 
|
|
#
?
Feb 25, 2021 19:47
|
|
|
Arsenic Lupin posted:I read this as "a magic lime" and it made me very happy thinking of meetings passing around virtual limes like talking sticks. a magic lime works but only for logging in via citrus
|
|
#
?
Feb 26, 2021 00:32
|
|
|
evil_bunnY posted:of course of course what is keypass i only know KeepAss
|
|
#
?
Feb 26, 2021 01:08
|
|
|
BlankSystemDaemon posted:yeah, why the gently caress don't people put management stuff on a vlan with 802.1x - they're one of the few things where PNAC is usually pretty well-supported I mean vlan hopping is a thing but yeah, set up a jump box (hell you can virtualize it, whatever who cares) and use a red forest or keep it off the domain
|
|
#
?
Feb 26, 2021 01:43
|
|
|
Powerful Two-Hander posted:a magic lime works but only for logging in via citrus checks out
|
|
#
?
Feb 26, 2021 01:45
|
|
|
30 TO 50 FERAL HOG posted:I mean vlan hopping is a thing but yeah, set up a jump box (hell you can virtualize it, whatever who cares) and use a red forest or keep it off the domain
|
|
#
?
Feb 26, 2021 10:58
|
|
|
30 TO 50 FERAL HOG posted:I mean vlan hopping is a thing but yeah, set up a jump box (hell you can virtualize it, whatever who cares) and use a red forest or keep it off the domain BlankSystemDaemon posted:how're you gonna vlan hop if you haven't got the requisite username and password for eap-tls, which also requires a client-side certificate? Not to mention that "vlan hopping" isn't a thing anymore. If you have access to the switching infrastrucutre you can do some fun stuff, but a properly configured trunk port or access port will not allow you layer2 access to anything more then what is configured.
|
|
#
?
Feb 26, 2021 18:47
|
|
|
ate poo poo on live tv posted:Not to mention that "vlan hopping" isn't a thing anymore. If you have access to the switching infrastrucutre you can do some fun stuff, but a properly configured trunk port or access port will not allow you layer2 access to anything more then what is configured. oh word? i thought you could still double tag if a port had a pvid
|
|
#
?
Feb 26, 2021 21:47
|
|
|
ate poo poo on live tv posted:Not to mention that "vlan hopping" isn't a thing anymore. If you have access to the switching infrastrucutre you can do some fun stuff, but a properly configured trunk port or access port will not allow you layer2 access to anything more then what is configured. properly configured being the operative words here
|
|
#
?
Feb 26, 2021 22:43
|
|
|
PLC is a gently caress
|
|
#
?
Feb 26, 2021 23:39
|
|
|
I wonder if the CCNA still talks about VTP attacks like that's a thing people do in five years at this job working on primarily cisco switches I have seen exactly one customer that had VTP turned on and they followed the best practices for preventing VTP attacks
|
|
#
?
Feb 26, 2021 23:52
|
|
|
quote:The vulnerability, which is tracked as CVE-2021-22681, is the result of the Studio 5000 Logix Designer software making it possible for hackers to extract a secret encryption key. This key is hard-coded into both Logix controllers and engineering stations and verifies communication between the two devices. A hacker who obtained the key could then mimic an engineering workstation and manipulate PLC code or configurations that directly impact a manufacturing process. huh? that doesn’t sound like a 10/10
|
|
#
?
Feb 27, 2021 00:05
|
|
|
hobbesmaster posted:huh? that doesn’t sound like a 10/10 i don't know if i'm misreading, but "To successfully exploit this vulnerability, an attacker must first obtain the secret key and have the knowledge of the cryptographic algorithm being used in the authentication process" sounds like it just involves having either a controller or an engineering workstation to get it from. not necessarily the target's
|
|
#
?
Feb 27, 2021 00:08
|
|
|
basically are they trying to say “all controllers have the same key” or “private keys are burned into write once memory”
|
|
#
?
Feb 27, 2021 00:10
|
|
|
hobbesmaster posted:basically are they trying to say “all controllers have the same key” or “private keys are burned into write once memory” i think it's that first one
|
|
#
?
Feb 27, 2021 00:14
|
|
|
hobbesmaster posted:basically are they trying to say “all controllers have the same key” or “private keys are burned into write once memory” it's not really clear from either the writeup, or the CVE, but i'm assuming it's unclear because they don't want to outright say every device has the same key.
|
|
#
?
Feb 27, 2021 00:15
|
|
|
|
| # ? Apr 24, 2024 15:17 |
|
|
I'm sure security by obscurity will work real great for them now that everyone is paying attention to a 10/10 CVE
|
|
#
?
Feb 27, 2021 00:58
|
|
