|
fortunately we’re starting to see things like zigbee only thermostats which you can at least limit access to from outside of your network
|
#
?
Mar 30, 2022 19:48
|
|
|
|
| # ? May 4, 2024 20:55 |
|
|
ate poo poo on live tv posted:What's wrong with an old honeywell mercury switch thermostat? You set it to the temperature you want, and then leave it alone. Easy peasy. mine works, i adjust it twice a year. i also have radiant heat and no ac, so there's very little for it to do obviously this isn't for everyone
|
|
#
?
Mar 30, 2022 19:50
|
|
|
There are plenty of programmable thermostats without IOT. Mine even has a color touch screen. The schedule isn't that useful since we are WFH.
|
|
#
?
Mar 30, 2022 19:53
|
|
|
lol classic nerd line of “works for me so everyone should have to do it”
|
|
#
?
Mar 30, 2022 20:04
|
|
|
I really wish there was some sort of non-stupid standard way to handle IOT devices in a secure way that wasn't reliant on being supported by the companies making them.
|
|
#
?
Mar 30, 2022 20:08
|
|
|
mystes posted:I really wish there was some sort of non-stupid standard way to handle IOT devices in a secure way that wasn't reliant on being supported by the companies making them. simply maintain a multi vlan network with a robust firewall ruleset at home op.
|
|
#
?
Mar 30, 2022 20:11
|
|
|
also, host all your own services on-premises
|
|
#
?
Mar 30, 2022 20:12
|
|
|
mediaphage posted:shouldnt be too hard, isn't it just a web server with a mongodb in the background?
|
|
#
?
Mar 30, 2022 20:12
|
|
|
mystes posted:I really wish there was some sort of non-stupid standard way to handle IOT devices in a secure way that wasn't reliant on being supported by the companies making them. you know what they say, wish in one hand, request a 2FA token to flush your smart toilet with the other
|
|
#
?
Mar 30, 2022 20:12
|
|
|
i can't get into my garage because my oauth provider is having dns issues
|
|
#
?
Mar 30, 2022 20:13
|
|
|
Requiring biometric authentication to only allow myself to adjust the thermometer. Child harvests blood and feeds it into the console to raise temp to f76
|
|
#
?
Mar 30, 2022 20:30
|
|
|
mediaphage posted:fortunately we’re starting to see things like zigbee only thermostats which you can at least limit access to from outside of your network ecobee started with their first thermostats having zigbee along with wi-fi, not anymore though.
|
|
#
?
Mar 30, 2022 20:31
|
|
|
mystes posted:I really wish there was some sort of non-stupid standard way to handle IOT devices in a secure way that wasn't reliant on being supported by the companies making them. isn't that the point of HomeKit?
|
|
#
?
Mar 30, 2022 20:57
|
|
|
pseudorandom name posted:isn't that the point of HomeKit?
|
|
#
?
Mar 30, 2022 21:09
|
|
|
https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html
|
|
#
?
Mar 30, 2022 21:40
|
|
|
Celexi posted:ecobee started with their first thermostats having zigbee along with wi-fi, not anymore though. aha i thought this was true but then i didn’t see it listed, that’s why anyway that sort of thing could be very secure imo, put a zigbee hub on the network, ban it from accessing outside, and bing bong
|
|
#
?
Mar 30, 2022 21:43
|
|
|
HELLOMYNAMEIS___ posted:https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html It's spring4shell folks. Start getting your 5 hour energies lined up for another month of all-nighters.
|
|
#
?
Mar 30, 2022 21:46
|
|
|
akadajet posted:the best part is that the people who stole the buttcoins made short calls on the entity they stole from in order to profit more from the news, but it took the operators much too long to figure it out and news to break so they lost money on those short bets lol
|
|
#
?
Mar 30, 2022 21:47
|
|
|
Achmed Jones posted:can i get a transcript or written version or something, i ain't gonna watch that but i wanna know the facts
|
|
#
?
Mar 30, 2022 21:56
|
|
|
HELLOMYNAMEIS___ posted:https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html So, the actual CVE is listed as medium sev - https://tanzu.vmware.com/security/cve-2022-22963. Anyone got some more insight into how painful this really is?
|
|
#
?
Mar 30, 2022 21:58
|
|
|
rafikki posted:So, the actual CVE is listed as medium sev - https://tanzu.vmware.com/security/cve-2022-22963. Anyone got some more insight into how painful this really is? Or maybe that CVE is unrelated - https://www.flashpoint-intel.com/blog/what-is-springshell-what-we-know-about-the-springshell-vulnerability/
|
|
#
?
Mar 30, 2022 22:23
|
|
|
rafikki posted:So, the actual CVE is listed as medium sev - https://tanzu.vmware.com/security/cve-2022-22963. Anyone got some more insight into how painful this really is? only time will tell my son
|
|
#
?
Mar 30, 2022 23:10
|
|
|
https://twitter.com/wdormann/status/1509225394561507333
|
|
#
?
Mar 31, 2022 00:57
|
|
|
spring4shell seems potentially like a case of pr and panic winding each other up. not stopping our green security guy from spazzing out about it though. not my problem (yet)
|
|
#
?
Mar 31, 2022 00:58
|
|
|
yeah, I’m trying to sift through the noise to figure out how seriously to take all this
|
|
#
?
Mar 31, 2022 01:00
|
|
|
https://venturebeat.com/2022/03/30/spring-core-vulnerability-doesnt-seem-to-be-log4shell-all-over-again/
|
|
#
?
Mar 31, 2022 01:02
|
|
|
mystes posted:I really wish there was some sort of non-stupid standard way to handle IOT devices in a secure way that wasn't reliant on being supported by the companies making them. there is: throw them in the trash alongside my posts.
|
|
#
?
Mar 31, 2022 03:26
|
|
|
Well several services are warning me state sponsored actors trying to get into my stuff. Why me lol?
|
|
#
?
Mar 31, 2022 03:52
|
|
|
Celexi posted:Well several services are warning me state sponsored actors trying to get into my stuff. Why me lol? The local thespian's guild wants to know why you haven't paid your taxes
|
|
#
?
Mar 31, 2022 04:23
|
|
|
Asleep Style posted:you know what they say, wish in one hand, request a 2FA token to flush your smart toilet with the other https://twitter.com/atdanwhite/status/1508578360217292802?s=21&t=r0QhmYsCvTsJGXfHKuf3Zw
|
|
#
?
Mar 31, 2022 05:17
|
|
|
number 2 factor authentication
|
|
#
?
Mar 31, 2022 05:53
|
|
|
just wait til we're making GBS threads on the blockchain! oh wait, we do~
|
|
#
?
Mar 31, 2022 06:03
|
|
|
RCE exploit in spring core. https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html Just ran this against a spring boot app in tomcat 9 and it worked
|
|
#
?
Mar 31, 2022 06:14
|
|
|
Amethyst posted:RCE exploit in spring core. now run... your eyeballs up the thread a few posts, bud!!!
|
|
#
?
Mar 31, 2022 06:18
|
|
|
i think that particular link has other information that wasn't posted so its not entirely fair but i wanted to make that joke so 
|
|
#
?
Mar 31, 2022 06:20
|
|
|
this random hackernews comment is the clearest technical explanation i've found so far https://news.ycombinator.com/item?id=30862953
|
|
#
?
Mar 31, 2022 06:29
|
|
|
Wait, so the Spring POJO mapper sees you write "class" in the string to locate a particular subfield and says "why yes, I will call getClass() and continue digging around in that as though it were part of the POJO instead of an underlying JVM thing"? And to "fix" this back in 2010 the Spring maintainers decided that yes rooting around in the Class object is totally fine and they would allow you to keep doing that, all they really needed to do was not let you access the classloader?
|
|
#
?
Mar 31, 2022 07:03
|
|
|
yeah they disallowed "class.classloader" as a whole but not "class" in general, which seems like a terrible idea.
|
|
#
?
Mar 31, 2022 07:13
|
|
|
mapping directly to pojos like that is a bad idea anyway given how dangerous deserialization is
|
|
#
?
Mar 31, 2022 07:17
|
|
|
|
| # ? May 4, 2024 20:55 |
|
|
Really does seem like endpoints should only be interested in the data fields of your pojos and reject/ignore anything else. Serializing a class instead of "some data" across http query params seems kind of hosed up and not that interoperable anyway.
|
|
#
?
Mar 31, 2022 07:39
|
|
