Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
Shame Boy
Mar 2, 2010

favorite bit from the yearly security "training" i just "took": telnet, ftp and http are the "less secure" versions of ssh, sftp and https

i mean i guess that's correct in that completely insecure is less secure than secure

Adbot
ADBOT LOVES YOU

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ssh, sftp, and https are not inherently secure and I'm guessing they're hedging their language because of that. seems appropriate

pseudorandom name
May 6, 2007

well if weíre going to be pedantic, ssh and sftp are unrelated to Telnet and FTP

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

no that's just being a loving idiot

Shame Boy
Mar 2, 2010

turns out it was made internally by the junior IT guy, i chatted him up about it and he said he was just in a hurry and worded it a bit weird :shrug:

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Force him to SSH into Telnet.

Pile Of Garbage
May 28, 2007



CommieGIR posted:

Force him to SSH into Telnet.

*telnets to device on tcp/22, sees banner* yeah it works for me what's your problem?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
code:
$ ssh [email]user@hostname.somethingawful.com[/email] -L 2222: hostname.somethingawful.com:23
secure telnet

[edit]

thanks radium

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'
securitized telnet

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'
credential default swaps

Volmarias
Dec 31, 2002

I'm sure I'll think of something.

Captain Foo posted:

credential default swaps

Too big to email

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Volmarias posted:

Too big to email

kerberized debt obligations

30 TO 50 FERAL HOG
Mar 2, 2005



lol dell

https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
more like "root shell"

pseudorandom name
May 6, 2007

Mozilla let the Firefox extension signing certificate expire.

Schadenboner
Aug 15, 2011

by Shine

pseudorandom name posted:

Mozilla let the Firefox extension signing certificate expire.

I wish you are posting certificate expired!!!1!!!!

:mad:

30 TO 50 FERAL HOG
Mar 2, 2005





Schadenboner posted:

I wish you are posting certificate expired!!!1!!!!

:mad:

donít sign your posts

evil_bunnY
Apr 2, 2003

weíre in the middle of dealing with this and itís such a pita

Computer Serf
May 14, 2005
Buglord
:siren: /!\ everyone set your clocks back /!\ :siren:

jre
Sep 2, 2011

To the cloud ?




Thats a great write up

Pile Of Garbage
May 28, 2007



Computer Serf posted:

:siren: /!\ everyone set your clocks back /!\ :siren:

never ceases to amaze me how often and repeatedly orgs self-own themselves by not keeping on top of cert expiration/renewal. you'd think it'd be a solved problem by now

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

Pile Of Garbage posted:

never ceases to amaze me how often and repeatedly orgs self-own themselves by not keeping on top of cert expiration/renewal. you'd think it'd be a solved problem by now

current org has this lovely flow chart for updating certs:

take your nice and lovely cert, send it to a linux box, convert it to different formats with openssl, send it back to yourself, send the new certs to it-infrastructure who will take 2-5 business days to sign it, get signed cert back, upload to whereever

repeat for every server / webb app / whatever you have that needs cert

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.




ha, we use a similar basic "request source" check on an internal web service to validate that requests come from a legitimate requestor (one of two other internal webservers basically) and ive been trying to think of a way to make it more robust by adding extra auth layers/checks to it because it feels wrong and like there's a request spoofing/mitm vuln...though tbh if someone is spoofing on mitm'ing our internal network we're boned already regardless

anyway turns out i'm more security conscious than dell lmao

edit: the obvious answer would be "authenticate the account id of the calling process" but for some dumb reason our webserver accounts don't have normal identity profiles and the team that "manage" the iis hosts won't let us configure them to work around this

Powerful Two-Hander fucked around with this message at 11:50 on May 4, 2019

Pile Of Garbage
May 28, 2007



Boiled Water posted:

current org has this lovely flow chart for updating certs:

take your nice and lovely cert, send it to a linux box, convert it to different formats with openssl, send it back to yourself, send the new certs to it-infrastructure who will take 2-5 business days to sign it, get signed cert back, upload to whereever

repeat for every server / webb app / whatever you have that needs cert

hah that sounds just like the process at the last place i was at only without the magic openssl box. also if the cert was for a windows box and the it infra tech was the one who installed it then you can pretty much guarantee that they left the "mark private key as exportable" option checked when importing the PFX to the cert store

timick
Apr 7, 2016


All firefox extensions are disabled due to the expiration of a cert. https://bugzilla.mozilla.org/show_bug.cgi?id=1548973

I had forgeten how horrible the web was without an addblocker.

Pile Of Garbage
May 28, 2007



ya that's what we've been talking about. i've been using this workaround, works fine and i've only got one extension so not too painful: https://www.reddit.com/r/firefox/co...m=web2x&depth=1

timick
Apr 7, 2016


Pile Of Garbage posted:

ya that's what we've been talking about. i've been using this workaround, works fine and i've only got one extension so not too painful: https://www.reddit.com/r/firefox/co...m=web2x&depth=1

Thanks, that worked!

Vanadium
Jan 8, 2005

Hey so is the fact that my Firefox addon have been working just fine all along a secfuck in itself? I'm running Nightly but I didn't mess with the signing options.

simble
May 11, 2004

BIGFOOT EROTICA posted:

donít sign your posts

Chalks
Sep 30, 2009

Vanadium posted:

Hey so is the fact that my Firefox addon have been working just fine all along a secfuck in itself? I'm running Nightly but I didn't mess with the signing options.

i've not had any issues either and i'm just on the standard build. maybe it only validates when the browser starts and mine was loaded before it ticked over?

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
mine was working until about 20 minutes ago then suddenly popped up that it had disabled add-ons, so i'm guessing it does periodic checks.

using the debugging side-load method works

Carbon dioxide
Oct 9, 2012

There is some sort of temporary fix that is supposedly applied if you enable "studies". Although it doesn't work for me and several others. https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

Pile Of Garbage posted:

hah that sounds just like the process at the last place i was at only without the magic openssl box. also if the cert was for a windows box and the it infra tech was the one who installed it then you can pretty much guarantee that they left the "mark private key as exportable" option checked when importing the PFX to the cert store

the real secfuck is that i have to install the certs themselves when getting them back from it infrastructure

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

Carbon dioxide posted:

There is some sort of temporary fix that is supposedly applied if you enable "studies". Although it doesn't work for me and several others. https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

"it may take up to six hours for the study to be applied to your browser" LOL

on the upside, this bug led me to discovering that on twitter there is firefox... ¡en español! :mexico::respek::spain:

encuentra la panda rojo aqui!!

Catpain Slack
Apr 1, 2014

BAAAAAAH

Lutha Mahtin posted:

"it may take up to six hours for the study to be applied to your browser" LOL

on the upside, this bug led me to discovering that on twitter there is firefox... ¡en español! :mexico::respek::spain:

encuentra la panda rojo aqui!!

encuentra mis huevos jajajajajaja

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

two "studies" installed for me and i was able to reinstall ublock origin. i then disabled the studies/telemetry checkboxes in the firefox settings, and so far ublock is still working

Violently Car
Dec 2, 2007

You are now entering completely darkness

Lutha Mahtin posted:

two "studies" installed for me and i was able to reinstall ublock origin. i then disabled the studies/telemetry checkboxes in the firefox settings, and so far ublock is still working

it'll probably turn off again at some point unless they fix it more properly

SIGSEGV
Nov 4, 2010


so firefox just shat itself bigtime. Apparently, you can disable addons signature checking to bypass that but it didn't work, i guess the brendan eichmann sleeper agents are good at their job

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
you can use about:debug and sideload your addons if you need to, the xpi files are stored in the profile folder.

Adbot
ADBOT LOVES YOU

mystes
May 31, 2006

SIGSEGV posted:

so firefox just shat itself bigtime. Apparently, you can disable addons signature checking to bypass that but it didn't work, i guess the brendan eichmann sleeper agents are good at their job
I think on Windows it ignores that setting unless you're using a nightly build. It seems to be working on linux, though.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply