Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
codl
Jul 28, 2013

https://donjon.ledger.com/kaspersky-password-manager/

quote:

The seed used to generate every password is the current system time, in seconds. It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second. This would be obvious to spot if every click on the “Generate” button, in the password generator interface, produced the same password. However, for some reason, password generation is animated: dozens of random chars are displayed while the real password has already been computed.

This animation takes more than 1 second, so it is not possible to click several times on the “Generate” button within a second. That is definitely why the weakness had not been discovered before.

Adbot
ADBOT LOVES YOU

jesus WEP
Oct 17, 2004


”for some reason”

Cold on a Cob
Feb 6, 2006

i've seen so much, i'm going blind
and i'm brain dead virtually

College Slice

lollllll

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.

jesus WEP posted:

”for some reason”

just because you know the reason doesn't mean you can't say "for some reason"

brains
May 12, 2004


lmfao

Shame Boy
Mar 2, 2010

i clicked the wrong link in a Teams invite and got this weird-rear end page, hosted at dialin.teams.microsoft.com



is it just me or does that look a LOT like a domain squatter website, what the hell

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
Looks like it's specifying a font you don't have and falling back to Times New Roman, lol

Xarn
Jun 26, 2015

and Microsoft, and ... :v:

BlankSystemDaemon
Mar 13, 2009



https://twitter.com/0xabad1dea/status/1412197703275233284

Antigravitas
Dec 8, 2019

Die Rettung fuer die Landwirte:
"unclear where it comes from" says anime person unaware of the amazing skill of looking up the ssh key format?

code:
printf "\0\0\0\x07ssh-rsa" | base64

Diva Cupcake
Aug 15, 2005

2 years ago. lmooooa
https://twitter.com/julianor/status/1412383696498348034

susan b buffering
Nov 14, 2016

Jabor posted:

Looks like it's specifying a font you don't have and falling back to Times New Roman, lol

something like that has definitely happened to me at seemingly random times on some azure pages

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.

Shame Boy posted:

i clicked the wrong link in a Teams invite and got this weird-rear end page, hosted at dialin.teams.microsoft.com



is it just me or does that look a LOT like a domain squatter website, what the hell

the teams dial-in stuff is pretty wacky. a lot of ut used to be configured through the now depreciated skype for business portal, so it's possible the ui is dragged over from some nth generation legacy system

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

The best part is that they solved this problem by adding an animation that takes > 1s per password generation, so you can't tell that's what it was doing, instead of fixing the actual issue, or even making it per ms

Kesper North
Nov 3, 2011

EMERGENCY POWER TO PARTY
https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee

Jonny 290
May 5, 2005



[ASK] me about OS/2 Warp
lol tho

https://twitter.com/UnderTheBreach/status/1412299945772785664

Shame Boy
Mar 2, 2010

im a communist and i like piss

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.

remember the last right-wing social network where every post including those marked private or supposedly deleted were fully accessible to anyone just by incrementing a url?

Vanadium
Jan 8, 2005

struggling to come up with an entity I'd trust less with building a password manager than an antivirus vendor.

Soricidus
Oct 21, 2010
freedom-hating statist shill

Vanadium posted:

struggling to come up with an entity I'd trust less with building a password manager than an antivirus vendor.

the nsa?

spankmeister
Jun 15, 2008






I honestly would trust the NSA way more to make a secure password manager. Their code review process would be legit and they don't have an incentive to backdoor something like that if they published it themselves.

Would have to be one heck of a backdoor if they expect nobody to find it while being combed over by half the infosec community.

if they make one as part of some operation and they publish it under a cover, that's another story altogether

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

spankmeister posted:

I honestly would trust the NSA way more to make a secure password manager. Their code review process would be legit and they don't have an incentive to backdoor something like that if they published it themselves.

Would have to be one heck of a backdoor if they expect nobody to find it while being combed over by half the infosec community.

if they make one as part of some operation and they publish it under a cover, that's another story altogether

Something something ECC

spankmeister
Jun 15, 2008






Volmarias posted:

Something something ECC

that's exactly it. they got caught with their hand in the cookie jar. anything they do now is scrutinized to hell and back.

For example: do you think they backdoored Ghidra?

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

spankmeister posted:

that's exactly it. they got caught with their hand in the cookie jar. anything they do now is scrutinized to hell and back.

For example: do you think they backdoored Ghidra?

I wouldn't be at all surprised if someone pulled a Trusting Trust with it either.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

once everyone hears what happened the first time, a future frog should feel safe just hopping on a scorpion

Quackles
Aug 11, 2018

Pixels of Light.


spankmeister posted:

that's exactly it. they got caught with their hand in the cookie jar. anything they do now is scrutinized to hell and back.

For example: do you think they backdoored Ghidra?

I sure don't know, but I run it on an air-gapped computer anyway.

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



Volmarias posted:

The best part is that they solved this problem by adding an animation that takes > 1s per password generation, so you can't tell that's what it was doing, instead of fixing the actual issue, or even making it per ms

that is baffling to me, it just seems like more work

i guess maybe if the guy who wrote the generation code was transferred and they only had UI guys left to finish the app??

tbh i think the animation was just some manager's stupid idea that accidentally hid the broken pw gen

Carthag Tuek fucked around with this message at 11:23 on Jul 7, 2021

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock
it all makes sense if you assume generating predictable passwords was intentional

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



ymgve posted:

it all makes sense if you assume generating predictable passwords was intentional

fair

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.
lol. ms pushed an out-of-band patch for print nightmare. notably, the description for kb5004945 mentions printnightmare by name but doesn't include the word "resolves" anywhere

Shame Boy
Mar 2, 2010

spankmeister posted:

I honestly would trust the NSA way more to make a secure password manager. Their code review process would be legit and they don't have an incentive to backdoor something like that if they published it themselves.

Would have to be one heck of a backdoor if they expect nobody to find it while being combed over by half the infosec community.

if they make one as part of some operation and they publish it under a cover, that's another story altogether

ignoring the whole "of course they'd backdoor it anyway lmao" angle, one incentive to backdoor it is it'd probably wind up being the tool that all the federal and state government agencies would be required to use, and it's always handy being able to break into them whenever you want without having to worry about pesky things like jurisdiction or having a valid reason

ZeusCannon
Nov 5, 2009

BLAAAAAARGH PLEASE KILL ME BLAAAAAAAARGH
Grimey Drawer

infernal machines posted:

lol. ms pushed an out-of-band patch for print nightmare. notably, the description for kb5004945 mentions printnightmare by name but doesn't include the word "resolves" anywhere

The number of "critical" patches that in no way resolve the issue this year has been high.

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

Shame Boy posted:

ignoring the whole "of course they'd backdoor it anyway lmao" angle, one incentive to backdoor it is it'd probably wind up being the tool that all the federal and state government agencies would be required to use, and it's always handy being able to break into them whenever you want without having to worry about pesky things like jurisdiction or having a valid reason

all federal stuff goes through a mitm proxy with certs trusted by the machines, that is always decrypted and inspected (they do content filtering even on SSL), so those passwords are getting analyzed/sent as plaintext anyways.

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
on cool thing that happens is they don't tell people that the new certs are being deployed ahead of time and they randomly change them and then every piece of software running in the environment managed/supplied by a vendor immediately breaks because someone has to go update deployments to trust the new certs

Shaggar
Apr 26, 2006
nice to know my pki is better than the feds

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

infernal machines posted:

lol. ms pushed an out-of-band patch for print nightmare. notably, the description for kb5004945 mentions printnightmare by name but doesn't include the word "resolves" anywhere

i hate everything about this

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.
"Updates a remote code execution exploit" is uh... ambiguous

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy
we fixed the expoit poc by blacklisting MyExploit.dll

haveblue
Aug 15, 2005



Toilet Rascal
the remote code execution was producing excessive log messages

Adbot
ADBOT LOVES YOU

frh
Dec 6, 2014

Hire Kenny G to play for me in the elevator.
https://twitter.com/patriottakes/status/1412553834132475905

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply