https://twitter.com/SwiftOnSecurity/status/1385558743715180546 Don't convict on your own Infosec!

# ? Apr 24, 2021 02:59

The Iron Rose posted:I still don’t know what “industry vertical” means. Isn’t it literally just the industry type? Could you not just say “industry”? Why in god’s green earth do we call powerpoints decks???? Industry verticals are niches in an industry. So tire making is an industry, but it would have verticals for truck tires, car tires, motorcycle tires, lawnmower tires, and so on. Some of them will have some overlap like motorcycle tire and car makers. But much less overlap than making tiny push mower tires.

# ? Apr 24, 2021 03:37

The Iron Rose posted:I still don’t know what “industry vertical” means. Isn’t it literally just the industry type? Could you not just say “industry”? Why in god’s green earth do we call powerpoints decks???? We used to use literal decks of literal slides and a projector for presentations. Hope that helps you sleep comrade.

# ? Apr 24, 2021 08:36

Security dudes. Millions of the Pentagon’s dormant IP addresses sprang to life on January 20 https://news.ycombinator.com/item?id=26924883 What are your thoughts? Apparently alibaba and China used these addresses on their internal network.

# ? Apr 25, 2021 19:37

jaegerx posted:Security dudes. Millions of the Pentagon’s dormant IP addresses sprang to life on January 20 https://news.ycombinator.com/item?id=26924883 Using old dormant things not in the actual private space for private things is an endless source of surprise breakages for people being dumb. It's probably not a grand scheme

# ? Apr 25, 2021 20:16

I run this service for my org and it was super fun to come back to work after some days off last week to find this out. We are not impacted. Clickstudios statement on this is pretty bad and they also took down their support forums, which is a totally cool and normal thing to do after a major incident.

# ? Apr 26, 2021 16:24

[ support team sitting on the edge of their seats ] [ Maury comes out w/ envelope ] Sirotan posted:We... are not impacted. [ everyone starts hugging and dancing, attacker folds arms on the other side of the room ]

# ? Apr 26, 2021 19:00

Another day, and another dev I have to explain to that, no, converting a password to hex and seeding with a flat key is not valid encryption, because for one thing I don't want you to be able to recall the password, for another you just made up your own bastardized version of Blowfish and bcrypt was RIGHT THERE ALL ALONG. God drat it, don't roll your own crypto.

# ? Apr 27, 2021 16:37

lol remembering arguing with a dev for like an hour to convince him that SHA256 was inadequate for storing passwords in a database and he needed to switch to bcrypt. At least it's more than the SHA1 they were using elsewhere.

# ? Apr 27, 2021 17:45

Cup Runneth Over posted:lol remembering arguing with a dev for like an hour to convince him that SHA256 was inadequate for storing passwords in a database and he needed to switch to bcrypt "I MD5'ed the MD5 of the password, it should be secure!" An actual conversation that gave me a violent twitch.

# ? Apr 27, 2021 19:12

CommieGIR posted:"I MD5'ed the MD5 of the password, it should be secure!" I once worked on an old legacy website which, long ago, had kept all its user passwords in plaintext in a database. At some point it was upgraded to store salted hashes instead. However, at the login screen, entering that hash value itself as the password would also be accepted. It was apparently done this way so that the admins could still log in as any particular user for troubleshooting, without having to actually code in a way to do that properly. The general attitude about this at the time I arrived on the scene was basically: "Yes, it's horrifying, we know. But we're sunsetting this whole platform and it'll be gone in six months anyway, so it's not worth fixing." (And it was indeed shut off for good... five years later.)

# ? Apr 27, 2021 20:42

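Added example (Python), not code from the thread or from the site Powered Descent describes: the login check that post talks about, where the stored digest itself is accepted as a credential, next to a corrected check. The salted SHA-256 scheme, the single user record and its fixed salt are constructed stand-ins so the block runs offline.

```python
import hashlib
import hmac


def legacy_hash(password: str, salt: bytes) -> str:
    """Salted SHA-256 in hex, standing in for the legacy site's scheme (assumption)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed user table: one record with a fixed salt so the example is reproducible.
_SALT = bytes.fromhex("5a17c0ffee0000000000000000000001")
USERS = {
    "alice": {"salt": _SALT, "hash": legacy_hash("correct horse battery", _SALT)},
}


def login_vulnerable(username: str, supplied: str) -> bool:
    """The pattern from the post: the submitted value passes if it hashes to the
    stored digest OR if it *is* the stored digest (the admin 'backdoor').
    Anyone holding a copy of the users table can therefore log in as anyone,
    and the salted hashing bought nothing against a database leak."""
    rec = USERS.get(username)
    if rec is None:
        return False
    if supplied == rec["hash"]:
        return True
    return legacy_hash(supplied, rec["salt"]) == rec["hash"]


def login_fixed(username: str, supplied: str) -> bool:
    """Only the password is a credential; the digest never is.
    The comparison is constant-time, and unknown usernames burn the same
    hashing work so the response time does not reveal which accounts exist."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else _SALT
    computed = legacy_hash(supplied, salt)
    if rec is None:
        return False
    return hmac.compare_digest(computed, rec["hash"])


def demo() -> dict:
    """Try the real password and a leaked digest against both checks."""
    leaked_hash = USERS["alice"]["hash"]  # e.g. lifted from an old database dump
    return {
        "password_vuln": login_vulnerable("alice", "correct horse battery"),
        "leaked_hash_vuln": login_vulnerable("alice", leaked_hash),
        "password_fixed": login_fixed("alice", "correct horse battery"),
        "leaked_hash_fixed": login_fixed("alice", leaked_hash),
    }


if __name__ == "__main__":
    print(demo())
```

The "troubleshooting" need behind the backdoor is real, but the answer to it is a separate, audited impersonation path for admins, not a second valid credential on every account.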
Powered Descent posted:The general attitude about this at the time I arrived on the scene was basically: "Yes, it's horrifying, we know. But we're sunsetting this whole platform and it'll be gone in six months anyway, so it's not worth fixing." (And it was indeed shut off for good... five years later.) Nothing's more long-term than the temporary.

# ? Apr 27, 2021 20:49

CommieGIR posted:"I MD5'ed the MD5 of the password, it should be secure!" drat, now instead of taking one nanosecond per guess, it takes TWO. Time to wrap up the mass cracking effort.

# ? Apr 27, 2021 20:51

Kazinsal posted:drat, now instead of taking one nanosecond per guess, it takes TWO. Time to wrap up the mass cracking effort. Yeah, and not only did we force them to fix it, I wrote a small script to show how easy it was to decrypt. https://twitter.com/silascutler/status/1387162874150326273?s=20 CommieGIR fucked around with this message at 00:00 on Apr 28, 2021
# ? Apr 27, 2021 21:32 |
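Added example (Python), neither CommieGIR's script nor anything posted in the thread: a dictionary attack on the "MD5 of the MD5" scheme from the posts above, beside a salted, iterated hash of the kind the thread recommends. The wordlist is constructed. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (an assumption made so the block runs without a third-party package); the two properties that matter, a per-user salt and a tunable work factor, are the same.

```python
import hashlib
import hmac
import os
import time


def md5_twice(password: str) -> str:
    """The scheme from the thread: fast, unsalted and deterministic.
    Nesting MD5 doubles the cost of a guess and changes nothing else."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("ascii")).hexdigest()


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "qwerty", "letmein", "password1", "hunter2", "Summer2021!"]


def crack_md5_twice(target_hex: str, wordlist=WORDLIST):
    """Dictionary attack: every guess costs two MD5 calls, i.e. sub-microsecond.
    Because there is no salt, one pass over the wordlist also covers every
    user who chose the same password."""
    for guess in wordlist:
        if md5_twice(guess) == target_hex:
            return guess
    return None


def guesses_per_second(hash_fn, budget_s: float = 0.2) -> float:
    """Rough single-threaded throughput of hash_fn in this process, for illustration."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < budget_s:
        hash_fn("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - t0)


# Salted, iterated hashing. ITERATIONS is the work factor; raise it as hardware
# gets faster, the same knob bcrypt exposes as its cost parameter.
ITERATIONS = 600_000


def hash_slow(password: str, salt=None, iterations: int = ITERATIONS):
    """Returns (salt, digest). A fresh 16-byte salt is drawn per user unless given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_slow(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    _, digest = hash_slow(password, salt, iterations)
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    target = md5_twice("hunter2")           # what a dumped users table would contain
    salt, stored = hash_slow("hunter2")     # what it should contain instead
    return {
        "cracked": crack_md5_twice(target),
        "md5_twice_per_s": guesses_per_second(md5_twice),
        "pbkdf2_per_s": guesses_per_second(lambda p: hash_slow(p, salt)),
        "verify_ok": verify_slow("hunter2", salt, stored),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and compare the two throughput figures: the gap between them, several orders of magnitude, is the whole argument, and the salt is what stops that gap from being bridged with a precomputed table.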
I've used Cellebrite equipment when I was studying for my Digital Forensics associate degree. It's super loving clunky, battery life on the UFED is absolute poo poo, the touchscreen is garbage. It's a wonder how they've cornered the market so hard. Their poo poo just sucks so loving hard.

# ? Apr 28, 2021 00:41

Powered Descent posted:I once worked on an old legacy website which, long ago, had kept all its user passwords in plaintext in a database. At some point it was upgraded to store salted hashes instead. However, at the login screen, entering that hash value itself as the password would also be accepted. It was apparently done this way so that the admins could still log in as any particular user for troubleshooting, without having to actually code in a way to do that properly. I had to, once, add a feature in a web application I was working on to allow an administrator (a user with ADMIN role) to impersonate another user. Again, for troubleshooting purposes, I suppose. Now, no impersonated user's password was needed, it just asked for the admin's password again, and the token was set to expire after 30 minutes, but man, I never felt so ... walking on thin ice before. It looked safe enough, I couldn't see any security holes, at least not obvious ones, but even today I still think sometimes "what if I missed something?". Oh well, the web app has been up and running for years now, I left the company quite some time ago and nobody has contacted me yet about problems the "feature" has caused. But I still think about it.

# ? Apr 28, 2021 02:19

Jiro posted:It's a wonder how they've cornered the market so hard. Their poo poo just sucks so loving hard. This but basically every industry specific product, and the answer is "because there is no one else there to compete with them"

# ? Apr 28, 2021 02:59

Jiro posted:I've used Cellebrite equipment when I was studying for my Digital Forensics associate degree, it's super loving clunky battery life on the UFED is absolute poo poo, the touchscreen is garbage. It's a wonder how they've cornered the market so hard. Their poo poo just sucks so loving hard. It's amazing what markets you can corner when you have no morals

# ? Apr 28, 2021 04:56

Mr. Crow posted:It's amazing what markets you can corner when you have no morals And based on the fact they coded the entire thing in .NET, no decency.

# ? Apr 28, 2021 05:22

Volguus posted:I had to, once, add a feature in an web application I was working on to allow an administrator (a user with ADMIN role) to impersonate another user. Again, for troubleshooting purposes, I suppose. Now, no impersonated user's password were needed, was just asking for the admin's password again, and the token was set to expire after 30 minutes but man, I never felt so ... walking on thin ice before. It looked safe enough, I couldn't see any security holes, at least not obvious ones, but even today I still think sometimes "what if I missed something?". Eh, it's a useful tool to have in certain applications. Just be sure to log every loving thing and maybe put some multifactor on it. Preferably with one factor being another person.

# ? Apr 28, 2021 08:44

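Added example (Python), not Volguus's feature and not code from the thread: one way to build admin impersonation along the lines of the two posts above, with the admin's password re-entered, a 30-minute expiry, a second admin's sign-off as the extra factor, and an audit record that ties every action to both identities. The role table, the signing key, the stubbed re-auth flag and the token format are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumptions: roles come from a tiny constructed table, the admin's password
# re-check is represented by a boolean the caller has already computed, and the
# signing key is generated here where production would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
ROLES = {"root": "ADMIN", "ops2": "ADMIN", "bob": "USER"}
AUDIT_LOG = []                  # stands in for an append-only audit sink
TTL_SECONDS = 30 * 60           # the 30-minute expiry from the post


def _b64(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b).rstrip(b"=")


def _unb64(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def issue_impersonation_token(admin: str, reauth_ok: bool, approver: str,
                              target: str, now: int) -> bytes:
    """Mint a short-lived HMAC-signed token letting `admin` act as `target`.
    Requires: ADMIN role, a fresh password re-entry, a different admin as
    approver (the 'another person as a factor' suggestion), and a target that
    is neither the admin nor another admin, so the feature cannot escalate."""
    if ROLES.get(admin) != "ADMIN":
        raise PermissionError("only ADMIN may impersonate")
    if not reauth_ok:
        raise PermissionError("re-authentication required")
    if ROLES.get(approver) != "ADMIN" or approver == admin:
        raise PermissionError("a second, different admin must approve")
    if target == admin or ROLES.get(target) == "ADMIN":
        raise PermissionError("cannot impersonate self or another admin")
    payload = {"sub": target, "act": admin, "apr": approver,
               "iat": now, "exp": now + TTL_SECONDS, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    AUDIT_LOG.append({"ts": now, "event": "impersonation.issue", **payload})
    return body + b"." + _b64(sig)


def verify_impersonation_token(token: bytes, now: int):
    """Return the payload if signature and expiry check out, otherwise None.
    Malformed input of any kind is treated as an invalid token."""
    try:
        body, sig = token.rsplit(b".", 1)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:          # includes binascii.Error and JSON errors
        return None
    if now >= payload["exp"]:
        return None
    return payload


def perform_action(token: bytes, action: str, now: int) -> bool:
    """Every action taken under impersonation is logged against BOTH the
    impersonated user (sub) and the admin actually at the keyboard (act)."""
    payload = verify_impersonation_token(token, now)
    if payload is None:
        AUDIT_LOG.append({"ts": now, "event": "impersonation.rejected", "action": action})
        return False
    AUDIT_LOG.append({"ts": now, "event": "impersonation.action", "action": action,
                      "sub": payload["sub"], "act": payload["act"], "jti": payload["jti"]})
    return True


if __name__ == "__main__":
    tok = issue_impersonation_token("root", True, "ops2", "bob", now=1000)
    print(perform_action(tok, "view_orders", now=1500))
    print(perform_action(tok, "view_orders", now=1000 + TTL_SECONDS))
    print(json.dumps(AUDIT_LOG, indent=1))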
Kazinsal posted:drat, now instead of taking one nanosecond per guess, it takes TWO. Time to wrap up the mass cracking effort. "I used ROT13 twice!"

# ? Apr 28, 2021 16:35

Cup Runneth Over posted:
Are there any legal ramifications to pushing files to a host with basically the express purpose of interfering with other apps that open said file? I'm guessing no?

# ? Apr 28, 2021 16:45

Defenestrategy posted:Are there any legal ramifications to pushing files to a host with basically the express purpose of interfering with other apps that open said file? I'm guessing no? I'm not a lawyer, but I assume that since it's his product, he's pretty publicly announcing this, and the onus is on Celebrate to fix their poo poo, they have no leg to stand on. On the other hand, their clients are cops so he might get raided and have his entire everything ransacked and stolen as revenge and then be shot for "resisting arrest" so who knows.

# ? Apr 28, 2021 17:25

Volmarias posted:I'm not a lawyer, but I assume that since it's his product, he's pretty publicly announcing this, and the onus is on Celebrate to fix their poo poo, they have no leg to stand on. In the other hand, their clients are cops so he might get raided and have his entire everything ransacked and stolen as revenge and then be shot for "resisting arrest" so who knows. Given how a lot of these companies react to even responsible disclosure, this one feels most likely.

# ? Apr 28, 2021 17:53

Defenestrategy posted:Are there any legal ramifications to pushing files to a host with basically the express purpose of interfering with other apps that open said file? I'm guessing no? At what point has he ever said the files will interfere with anything?

# ? Apr 28, 2021 17:54

Biowarfare posted:At what point has he ever said the files will interfere with anything? I'm fairly certain the "I'm not touching you" defense is only useable by dudes trying to skirt ATF regulations.

# ? Apr 28, 2021 17:58

There’s no regulation mandating you keep your apps compatible with g-man’s software.

# ? Apr 28, 2021 18:08

Signal is probably a big enough company and has enough lawyers that they won't be subject to moon logic rulings used against the poor

# ? Apr 28, 2021 18:31

Got a really clever Spear Phishing email where it was a fake invoice for a McAfee security suite and only 12 hours to call this number and cancel for a refund. Literally pretending your company bought from a radioactive security company to compromise your security.

# ? Apr 28, 2021 20:00

https://twitter.com/adventureloop/status/1387447008609308672?s=09 https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/

# ? Apr 29, 2021 15:16

https://twitter.com/WolfieChristl/status/1387894894597971971

# ? Apr 30, 2021 02:33

SMEGMA_MAIL posted:Signal is probably a big enough company and has enough lawyer that they won’t be subject to moon logic rulings used agains the poor Signal is a pretty small 501c3, fewer than 50 people.

# ? Apr 30, 2021 02:50

Subjunctive posted:Signal is a pretty small 501c3, fewer than 50 people. Sure, but they have that sweet sweet State Department funding.

# ? Apr 30, 2021 03:21

Subjunctive posted:Signal is a pretty small 501c3, fewer than 50 people. Yeah but “can afford a good lawyer” puts you outside of the range of poorlaw where “turns out your property is suspected in a crime and property has no rights! Thank you for your home and bank account. Also unrelated to you the bank is legally a person with rights” stuff.

# ? Apr 30, 2021 12:54

I may have two machines that are affected by the Dell driver issue, but they've both long since had their drives wiped and stock Win10 installed on them. Do I need to download the util and run it on them anyway? And no, throwing the machines away is Not An Option.

# ? May 5, 2021 04:22

^ This is something I'm unsure about too

# ? May 5, 2021 15:01

If you've done a clean install of Windows 10 without the OEM nonsense, it shouldn't apply to you. If you've used Dell-supplied installation media or downloaded any of their automatic driver installation tools, probably.

# ? May 5, 2021 18:10

Strawberry Pyramid posted:I may have two machines that are affected by the Dell driver issue, but they've both long since had their drives wiped and stock Win10 installed on them. Do I need to download the util and run it on them anyway? Do you work with me? Because I have a couple of coworkers whose only option when there is something they don't know the answer to is "THROW IT AWAY!" Can't set the correct resolution on an old monitor on a Windows 10 computer? Oh poo poo, we have 50 of those monitors, better throw them all away! Can't PXE-boot a laptop on the first try? Throw it away! Can't find the LAN dongle for a laptop without an ethernet port? Computer is useless now, get rid of it!

# ? May 6, 2021 07:22

evobatman posted:Do you work with me? Because I have a couple of coworkers whose only option when there is something they don't know the answer to is "THROW IT AWAY!" It's more the machines in question are both over a decade old and it's only my own due diligence and replacing almost everything but the mobo/pros in them several times over that has kept them in service this long. If it weren't for the chip shortage I might consider finally replacing them.

# ? May 6, 2021 08:25

evobatman posted:Do you work with me? Because I have a couple of coworkers whose only option when there is something they don't know the answer to is "THROW IT AWAY!" I hate those types of people, unless I can convince them to just give all their "junk" to me.

# ? May 6, 2021 09:25