|
DoomTrainPhD posted:Those people don’t disclose anything and exploit the money for themselves. i mean that linked article leaves the impression that the 0day ended up being fixed instead of exploited maybe authors just were smart about it and quietly made a bunch of cash and never told anyone edit: in short i don’t think responsible disclose should be respected if the other side is irresponsibly destroying the planet besides what happened to code is law? 4lokos basilisk fucked around with this message at 08:17 on Nov 14, 2021 |
#
?
Nov 14, 2021 08:13
|
|
|
|
| # ? Apr 19, 2024 06:57 |
|
|
this app update showed up this week if it’s not familiar it’s a popular international brokerage that handles hundreds of billions of dollars (at least). actual dollars, not stupid crypto poo poo edit: to be clear, they are talking about a toggle on their login form where you enter your username and password. the toggle for ssl was off by default 
Feisty-Cadaver fucked around with this message at 09:20 on Nov 14, 2021 |
|
#
?
Nov 14, 2021 09:13
|
|
|
Main Paineframe posted:they made sure to take care of the really important stuff too The hacked the FBI but only managed to find five? Not that the FBI is particularly good at keeping track of heads, they slapped another fifty years on the JFK files because they couldn't find his.
|
|
#
?
Nov 14, 2021 13:51
|
|
|
Feisty-Cadaver posted:this app update showed up this week why in gently caress would you let the user choose whether they use SSL in the iPhone app?
|
|
#
?
Nov 14, 2021 16:16
|
|
|
Jim Silly-Balls posted:why in gently caress would you let the user choose whether they use SSL in the iPhone app?
|
|
#
?
Nov 14, 2021 16:31
|
|
|
hasn't ssl been mandatory for using http in app store apps for years
|
|
#
?
Nov 14, 2021 17:30
|
|
|
Lain Iwakura posted:hi. i am still doing cool stuff. i run a cyber security team now so i get to be responsible for gently caress ups i guess Hey, some of your posting in this thread helped inspire me to transition, so thanks
|
|
#
?
Nov 14, 2021 18:43
|
|
|
haveblue posted:hasn't ssl been mandatory for using http in app store apps for years yeah it hasn't, ever
|
|
#
?
Nov 14, 2021 18:50
|
|
|
Feisty-Cadaver posted:this app update showed up this week iirc the last time it came up the authentication is always over tls but the actual trades and data could be sent over tls or not. the thing is that a lot of their traders think that they’re doing high frequency trading or some poo poo by hand and the millisecond saved by their phone not having to decrypt stuff matters. doesn’t matter if it’s true if enough of their customers think they’re on a 486 on dial up in 2001 or something
|
|
#
?
Nov 14, 2021 19:22
|
|
|
hobbesmaster posted:the thing is that a lot of their traders think that they’re doing high frequency trading or some poo poo by hand and the millisecond saved by their phone not having to decrypt stuff matters. uhhh lmao
|
|
#
?
Nov 14, 2021 19:39
|
|
|
Reddit is there to explain this for you! https://www.reddit.com/r/interactivebrokers/comments/iwzho3/why_is_turning_ssl_off_even_an_option/ 
|
|
#
?
Nov 14, 2021 19:42
|
|
|
the other comment is quote:Some corporate networks still restrict SSL connections. Yes, even in 2020. The option exists for those clients.
|
|
#
?
Nov 14, 2021 19:48
|
|
|
Lmao
|
|
#
?
Nov 14, 2021 19:48
|
|
|
both more and less cursed than i thought
|
|
#
?
Nov 14, 2021 19:55
|
|
|
RFC2324 posted:Hey, some of your posting in this thread helped inspire me to transition, so thanks <3
|
|
#
?
Nov 14, 2021 20:19
|
|
|
some corporate networks do prevent security , so out of a desire for comity we allow you to bareback the wire
|
|
#
?
Nov 14, 2021 20:46
|
|
|
mystes posted:Reddit is there to explain this for you! 
|
|
#
?
Nov 14, 2021 20:50
|
|
|
mystes posted:Reddit is there to explain this for you! epic lomarf
|
|
#
?
Nov 14, 2021 21:01
|
|
|
Crime on a Dime posted:yeah it hasn't, ever ok, it's not a hard requirement but if you want to allow insecure http in an app that goes through review you have to give apple a good reason to let you do this. looks like this policy was introduced in 2017 https://developer.apple.com/documentation/security/preventing_insecure_network_connections#3138036 maybe they've been using one of the listed exceptions haveblue fucked around with this message at 21:48 on Nov 14, 2021 |
|
#
?
Nov 14, 2021 21:46
|
|
|
haveblue posted:ok, it's not a hard requirement but if you want to allow insecure http in an app that goes through review you have to give apple a good reason to let you do this. looks like this policy was introduced in 2017 based on that they probably have their own protocol
|
|
#
?
Nov 14, 2021 23:33
|
|
|
ROT13 is a protocol right
|
|
#
?
Nov 15, 2021 00:20
|
|
|
Raere posted:ROT13 is a protocol right yes, if you interface it via rot13://
|
|
#
?
Nov 15, 2021 00:50
|
|
|
mystes posted:Reddit is there to explain this for you! I mean SSL is obviously more robust security it's at what, 3.0? Why would you trust version 1.3 software.
|
|
#
?
Nov 15, 2021 04:05
|
|
|
Hed posted:I mean SSL is obviously more robust security it's at what, 3.0? Why would you trust version 1.3 software. I laughed and then frowned because this has been said to me before without irony.
|
|
#
?
Nov 15, 2021 04:22
|
|
|
Partycat posted:some corporate networks do prevent security , so out of a desire for comity we allow you to bareback the wire I was once a mobile app developer for a big stodgy company. All our poo poo was behind one of those data loss scanner appliances that strips SSL at the network edge, scans it, and re-encrypts it using an internal cert that is forcibly trusted on your machine courtesy of the MDM. We used cert pinning in our product so our customers would have our app fail to work under such an environment, but hey our employees couldn’t have security
|
|
#
?
Nov 15, 2021 05:08
|
|
|
kitten smoothie posted:All our poo poo was behind one of those data loss scanner appliances that strips SSL at the network edge, scans it, and re-encrypts it using an internal cert that is forcibly trusted on your machine courtesy of the MDM. Those things are great because they often don't verify certificates properly, actively worsening security.
|
|
#
?
Nov 15, 2021 09:51
|
|
|
spankmeister posted:Those things are great because they often don't verify certificates properly, actively worsening security. spying on employees is the important part, preserving information security is just a token gesture
|
|
#
?
Nov 15, 2021 15:42
|
|
|
rowhammer 2: electrical hammering https://arstechnica.com/gadgets/2021/11/ddr4-memory-is-even-more-susceptible-to-rowhammer-attacks-than-anyone-thought/
|
|
#
?
Nov 16, 2021 00:51
|
|
|
npm lol https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/quote:Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.
|
|
#
?
Nov 17, 2021 09:56
|
|
|
hobbesmaster posted:iirc the last time it came up the authentication is always over tls but the actual trades and data could be sent over tls or not. the thing is that a lot of their traders think that they’re doing high frequency trading or some poo poo by hand and the millisecond saved by their phone not having to decrypt stuff matters. a lot of institutions still continue to use plain old ftp for daily clearing jobs, it's pretty lame
|
|
#
?
Nov 17, 2021 19:00
|
|
|
ive been getting this error pretty consistently for a couple weeks. used to be only when i went to google books (which redirects me to https://books.google.dk when i click a result to see previews), but now it happens for gmail too. what gives?
|
|
#
?
Nov 18, 2021 14:54
|
|
|
first of all, let me just say that I laughed a bit at Google Bøger because I am a child Also, the certificate for google.dk it's giving me doesn't match the same expiration date as yours so maybe check that your certificate cache isn't out of date for some reason? 
|
|
#
?
Nov 18, 2021 15:35
|
|
|
thx ill try e: hmm i went into keychain and found an old TDC (danish telco) cert that i deleted and now it works even though that cert had nothing to do with google. i guess that caused a refresh?  e2: i mean gmail works but google books just errors out without even showing the cert e3: restarted safari and books works again lol Carthag Tuek fucked around with this message at 15:54 on Nov 18, 2021 |
|
#
?
Nov 18, 2021 15:50
|
|
|
|
|
#
?
Nov 18, 2021 15:54
|
|
|
anyone here with palo alto firewalls? the was a bunch of vulnerabilities that came out last week including this 9.8 one  https://security.paloaltonetworks.com/CVE-2021-3064
|
|
#
?
Nov 18, 2021 16:20
|
|
|
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm
|
|
#
?
Nov 22, 2021 20:19
|
|
|
Bluecobra posted:anyone here with palo alto firewalls? like 9 months ago my pan rep laughed at us for still being on 8.1.x so we scheduled an upgrade to 9.1.x back then. good call i guess.
|
|
#
?
Nov 22, 2021 21:33
|
|
|
Do we still do OPSEC fuckups in here? https://www.washingtonpost.com/nation/2021/11/22/rent-a-hitman-website/ guy runs a website called rent a hitman, forwards serious inquiries to the police quote:The website bragged about complying with HIPPA, which it said was “the Hitman Information Privacy & Protection Act of 1964,”
|
|
#
?
Nov 22, 2021 22:10
|
|
|
Jenny Agutter posted:Do we still do OPSEC fuckups in here? are you saying you don't look for hippa compliance?!
|
|
#
?
Nov 22, 2021 22:20
|
|
|
|
| # ? Apr 19, 2024 06:57 |
|
|
lmao that it’s ostensibly run by a guy named “Guido” to lend some air of legitimacy
|
|
#
?
Nov 22, 2021 22:57
|
|