oh yeah I think it's just written unclearly. Probably they use the email text plus a standard list for email attachments, and just use the standard list for files elsewhere. I guess you could interpret it to mean that they build a list of possible passwords from emails and apply that everywhere, but it doesn't sound like that's what they're actually doing
# Sep 30, 2023 03:43
i guess using a list is possible. i wonder if they do that with any other archive formats then. relatedly, i wonder if there are any that will delete their contents after a brute-force attempt, and if so, would ms then be liable for data loss?
onedrive is pretty integrated w/ email if you're using the full outlook client, so it's entirely possible that emails related to a onedrive-hosted attachment are being scraped for passwords for the attachment.
Beeftweeter posted:
> i wonder if they do that with any other archive formats then. relatedly, i wonder if there are any that will delete their contents after a brute-force attempt, and if so, would ms then be liable for data loss?
Beeftweeter posted:
> i guess using a list is possible

they're not liable for just straight up losing your data for any reason at all, and they explicitly tell you to have a backup outside of onedrive/sharepoint, so probably not
i would imagine deleting known malicious files is probably something mentioned in the terms of service that they do, and on top of that it's probably against tos to intentionally post those files to onedrive.
yeah i don't mean necessarily malicious files. let's say you have a passworded archive that can somehow delete itself (or, idk, make its contents permanently inaccessible) after, idk, 10 password attempts. you have no reasonable expectation that ms will ever try to access that data, but if they're brute forcing archive files then they might. them accessing it and it blanking itself could possibly get around anything they have in the TOS about simply losing data, since they would trigger its "self-destruct". but either way that's entirely hypothetical since i'm not aware of any formats that are actually capable of this and don't see how an implementation would work anyway
infernal machines posted:
> they're not liable for just straight up losing your data for any reason at all, and they explicitly tell you to have a backup outside of onedrive/sharepoint, so probably not

it's fun seeing how many people say that they've "backed up their photos/files/whatever" with onedrive, icloud, and other file sync services lol
Beeftweeter posted:
> yeah i don't mean necessarily malicious files. let's say you have a passworded archive that can somehow delete itself (or, idk, make its contents permanently inaccessible) after, idk, 10 password attempts

i don't think a zip file can be self-deleting like that
Last Chance posted:
> it's fun seeing how many people say that they've "backed up their photos/files/whatever" with onedrive, icloud, and other file sync services lol

yeah, but for most people's purposes it's better than what they'd have otherwise (nothing at all). for business use, where actual money is involved? not so much, no. you should have another layer or two of backups
Beeftweeter posted:
> yeah i don't mean necessarily malicious files. let's say you have a passworded archive that can somehow delete itself (or, idk, make its contents permanently inaccessible) after, idk, 10 password attempts

the bytes stored on disk don't change when you try to guess a password.
anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore
Beeftweeter posted:
> yeah i don't mean necessarily malicious files. let's say you have a passworded archive that can somehow delete itself (or, idk, make its contents permanently inaccessible) after, idk, 10 password attempts

For a standard password-protected file, there is no good mechanism to enforce maximum retries. Nothing gets around "copy this file somewhere else and try to unlock it", so no one bothers to implement anything like that. Now, something that has a 3rd party holding the keys in escrow (like a hardware device or key server, or even just drive or device firmware) is a different matter, but then it would (or should, depending on implementation) be impossible for microsoft to just brute force.
Jabor posted:
> anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

at this point they may as well just use gpg or s/mime to encrypt the samples despite how annoying it is, or just upload it to a central repository
Shaggar posted:
> i don't think a zip file can be self-deleting like that

afaik they can't

Jabor posted:
> the bytes stored on disk don't change when you try to guess a password.

sb hermit posted:
> For a standard password-protected file, there is no good mechanism to enforce maximum retries.

right, right. like i said it was entirely hypothetical. i don't see how something like that could be implemented in an ostensibly read-only environment either
Jabor posted:
> anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

they might have to start generating passwords and then sharing links to them on pastebin or something lol. presumably the scanning mechanism doesn't (presently) also follow urls
blockchain fixes this
I never quite cared enough to figure it out but realmedia files (yes, THAT realplayer) seemed to corrupt themselves after I played them back enough times. Knowing how much realplayer was some proprietary piece of poo poo, I would not be surprised if they updated metadata or something on playback and mistakes happen at some point. Or maybe my hard drive was going bad.
time to rot13 my email zip passwords
Is hunter2 on Microsoft’s zip file password list?
Jabor posted:
> anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

gmail has been doing this for at least 10 years now.
Isn't ZIP file password protection trivially easy to unlock? I remember 7zip clamoring that their password protection was the sole decent implementation when it was new
you could use decent encryption on a plain zip if you need to share samples via email for some reason
Jabor posted:
> anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

but actually lmao, because just encrypt it instead of using a dumb zip password.
SlowBloke posted:
> Isn't ZIP file password protection trivially easy to unlock? I remember 7zip clamoring that their password protection was the sole decent implementation when it was new

the classic algorithm, which I don't think anything still uses, was cryptographically broken. modern zip files have to be brute-forced; iirc they aren't gpu-resistant or anything, but a strong enough password can be secure
is there some compression format that supports asymmetric keys for encryption/authentication
.tar.xz.enc
I don't know whether using sharepoint to share malware samples is funny because lol imagine using sharepoint, or because that sounds like the actual peak use of it considering the psychic damage it inflicts on people
Soricidus posted:
> the classic algorithm, which I don't think anything still uses, was cryptographically broken. modern zip files have to be brute-forced; iirc they aren't gpu-resistant or anything, but a strong enough password can be secure

I think windows explorer still uses the old ZipCrypto method, not AES-256 like winzip or others.
Powerful Two-Hander posted:
> I don't know whether using sharepoint to share malware samples is funny because lol imagine using sharepoint, or because that sounds like the actual peak use of it considering the psychic damage it inflicts on people

My eye just started twitching, thanks.
sharepoint is mostly fine for me as a user IMO
kind of uncomfortable sounding that microsoft scans things like that, but seems obviously a not-secfuck in almost every case.
Flyndre posted:
> sharepoint is mostly fine for me as a user IMO

It's mostly fine, except Sharepoint just gets bastardized in most cases as the new shared drive.
what if I told u OneDrive is SharePoint
CommieGIR posted:
> It's mostly fine, except Sharepoint just gets bastardized in most cases as the new shared drive.

it's called sharepoint, what else is it even for if not the point of share
a couple jobs ago i had to simultaneously integrate with both salesforce and sharepoint, so they're intimately connected in my head even though they don't really have anything to do with each other. the sharepoint integration was less of a pain in the rear end so it wins
Shame Boy posted:
> it's called sharepoint, what else is it even for if not the point of share

It's supposed to be a collaboration platform. Again, there's nothing wrong with that, but it just usually gets used as a shared drive with a gui.
git apologist posted:
> is there some compression format that supports asymmetric keys for encryption/authentication

pretty sure gpg does a pass at compression before it encrypts anything
Cybernetic Vermin posted:
> kind of uncomfortable sounding that microsoft scans things like that, but seems obviously a not-secfuck in almost every case.

wonder how much of that scanning is in the kernel!
SlowBloke posted:
> Isn't ZIP file password protection trivially easy to unlock? I remember 7zip clamoring that their password protection was the sole decent implementation when it was new

It depends. The original ZipCrypto is vulnerable to a known-plaintext attack. So if there's a file in the zip that you know (part of) the content of, you can use that to decrypt the rest. There are other flaws but that's the big one. Newer implementations use AES, and the security depends on the quality of the password like anything else.
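The ZipCrypto-versus-AES distinction that runs through the thread (the "classic algorithm" post, the Windows Explorer remark, and the known-plaintext reply above) can be checked from the archive headers alone; this added example is not code from any poster. It reads each entry's general-purpose flag bit 0, the compression-method field (99 means WinZip AES) and the 0x9901 extra field to report which scheme an archive actually uses, so a defender can tell a legacy-ZipCrypto attachment from an AES one without guessing a password. The three sample archives are constructed inline with header fields only; no real encryption or compression is applied.

```python
import io
import struct
import zipfile
from zlib import crc32

FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry is encrypted
AES_METHOD = 99          # compression method 99 marks WinZip AES (AE-1/AE-2)
AES_EXTRA_ID = 0x9901    # WinZip AES extra-field header ID

def build_zip(name, data, flags, method, extra=b""):
    """Constructed one-entry ZIP; headers only, payload stored unencrypted."""
    crc = crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, len(data), len(data), len(name), len(extra))
    local += name + extra + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, 0, 0, crc, len(data), len(data), len(name),
                          len(extra), 0, 0, 0, 0, 0)
    central += name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd

def aes_strength(extra):
    """Walk the extra-field chain; return the key size from a 0x9901 record."""
    while len(extra) >= 4:
        tag, size = struct.unpack("<HH", extra[:4])
        if tag == AES_EXTRA_ID and size >= 7:
            # body: vendor version(2), "AE"(2), strength(1), real method(2)
            return {1: 128, 2: 192, 3: 256}.get(extra[8])
        extra = extra[4 + size:]
    return None

def describe_encryption(zip_bytes):
    """Return {entry name: 'none' | 'zipcrypto' | 'aes-<bits>'} for an archive."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & FLAG_ENCRYPTED:
                report[info.filename] = "none"
            elif info.compress_type == AES_METHOD:
                bits = aes_strength(info.extra)
                report[info.filename] = f"aes-{bits}" if bits else "aes-unknown"
            else:  # flagged encrypted but not method 99: legacy PKWARE ZipCrypto
                report[info.filename] = "zipcrypto"
    return report

AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)  # AES-256
SAMPLE_PLAIN = build_zip(b"notes.txt", b"hello", 0, 0)
SAMPLE_ZIPCRYPTO = build_zip(b"sample.bin", b"\x00" * 16, FLAG_ENCRYPTED, 0)
SAMPLE_AES = build_zip(b"sample.bin", b"\x00" * 16, FLAG_ENCRYPTED, AES_METHOD, AES_EXTRA)
```

Run `describe_encryption` over a real archive's bytes to see whether an attachment relies on the legacy stream cipher or on AES.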