D. Ebdrup posted: is there a difference between disclosing accidentally and irresponsible disclosure?

Dec 6, 2019 19:37

Jun 18, 2024 05:58

D. Ebdrup posted: is there a difference between disclosing accidentally and irresponsible disclosure?

i guess if you didn't actually know what you were doing like swiftonsec clearly fuckin doesnt then maybe that would be accidental disclosure. however they've since tried to explain it away as blah blah blah and have still milked the coverage so gently caress em

don't get me wrong, atlassian can suck twelve bags of dicks but swiftonsec is overdue on a reality check

taqueso posted: Intent I guess, so next time you want to be responsible make sure you act kinda ignorant.

swiftonsec had no intent because they didn't know what they were looking at

Dec 6, 2019 19:44
Pile Of Garbage posted: swiftonsec had no intent because they didn't know what they were looking at

That lines up. They typically don't know what they're talking about either.

Dec 6, 2019 19:50

cinci zoo sniper posted: take your pick

that last one should be space goatman

Dec 6, 2019 20:08

Shame Boy posted: it makes perfect sense if passwords are considered PII and you don't want to / can't store PII

That said, there's still no reason they shouldn't be hashing the password, and it's also obviously bad to send the existing password by email rather than sending a temporary link to reset the password, so they're dumb. It's also pointless to have a wacky authentication flow like this just to prevent password reuse, because if they are really concerned with security they should just force people to use some form of 2FA.

mystes fucked around with this message at 20:15 on Dec 6, 2019

Dec 6, 2019 20:10

mystes posted: There is sort of some logic to it. One of the reasons for hashing passwords is to provide some protection for users who are ill-advisedly reusing passwords on multiple sites when there's a data breach. That reason ceases to be relevant if they generate a random password for you because it completely prevents password reuse. Also, although it's unconventional for them to generate a password for you, I don't think it's inherently problematic.

it makes a data breach where someone steals a password way harder to notice, and also they make the password unchangeable so if something does happen to compromise your password you're hosed

Dec 6, 2019 20:25
BangersInMyKnickers posted: that last one should be space goatman

surely a space goose rather

Dec 6, 2019 20:26

honked again!

Dec 6, 2019 20:26
There's no way the pentest lab cleartext is real. That's parody, right?

Dec 6, 2019 21:35

Potato Salad posted: There's no way the pentest lab cleartext is real

I hope so, because otherwise it's really badly done.

Dec 6, 2019 21:41

Dec 6, 2019 22:30

accounts cant be compromised if they were never secured to begin with

Dec 6, 2019 22:32
Pile Of Garbage posted: honked again!

Dec 6, 2019 22:42

BangersInMyKnickers posted: accounts cant be compromised if they were never secured to begin with

there we go

Dec 6, 2019 23:58

univbee posted: it makes a data breach where someone steals a password way harder to notice, and also they make the password unchangeable so if something does happen to compromise your password you're hosed

Dec 6, 2019 23:58
if the people running it are saying things that mean they don't know the difference between encryption and hashing it has to be a troll ...right?

Dec 7, 2019 03:39

Achmed Jones posted: if the people running it are saying things that mean they don't know the difference between encryption and hashing it has to be a troll

have you looked at the service they offer? it's "teach me to hack" branded like it's being targeted to it pros

Dec 7, 2019 04:03

accounts can have a little compromise

Dec 7, 2019 06:12

guys give them a break password storage is an industry that's ripe for disruption they're just innovating

Dec 7, 2019 06:29

graph posted: accounts can have a little compromise

Dec 7, 2019 07:07

graph posted: accounts can have little a compromise

Dec 7, 2019 13:56
Dec 7, 2019 15:23

graph posted: accounts can have a little compromise

Dec 7, 2019 15:37

Authentication is a give-take relationship

Dec 7, 2019 15:58

Dec 7, 2019 18:18

graph posted: accounts can have a little compromise

Dec 7, 2019 18:20
Cocoa Crispies posted: defending bad password practices on infosec twitter usually results in crowdsourced pentests, yes

like this?

Dec 7, 2019 19:43

is it a secfuck if the accounts and what you can access is useless and not worth protecting?

Dec 7, 2019 22:41

they just should've used magic links in emails and no one would've complained

Dec 7, 2019 22:48
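The two things the thread keeps coming back to (Shame Boy's "hash the password and send a temporary reset link" and the "magic links in emails" post above), as an added example that is not code from the thread or from the pentest lab service being mocked. The in-memory stores, the user/e-mail values and the `example.invalid` host are constructed for the demo; PBKDF2 from the standard library stands in for whatever password KDF a real service would use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo: only a salted password hash is ever stored, never the
# cleartext, and a reset is done through a short-lived, single-use link whose
# token is itself stored hashed, so a leaked table can't be replayed as links.

PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256, stdlib only
RESET_TTL_SECONDS = 15 * 60   # reset links die after 15 minutes

users = {}         # email -> {"salt": bytes, "hash": bytes}
reset_tokens = {}  # sha256(token) hex -> {"email": str, "expires": float}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh per-user salt, no shared rainbow table
    users[email] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    rec = users.get(email)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # same cost, so timing won't leak
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def start_reset(email: str, now: float = None) -> str:
    """Return the link to e-mail. Unknown addresses still get a link (one that
    never validates) so the caller can answer every request identically."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if email in users:
        digest = hashlib.sha256(token.encode()).hexdigest()
        reset_tokens[digest] = {"email": email, "expires": now + RESET_TTL_SECONDS}
    return f"https://example.invalid/reset?token={token}"  # placeholder host


def finish_reset(token: str, new_password: str, now: float = None) -> bool:
    now = time.time() if now is None else now
    entry = reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry["expires"]:
        return False  # unknown, already used, or expired
    register(entry["email"], new_password)  # new salt and hash; old one is gone
    return True
```

The `now` parameter exists only so expiry can be exercised deterministically; a real service would drop it and rate-limit `start_reset` per address.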
Vomik posted: is it a secfuck if the accounts and what you can access is useless and not worth protecting?

Yes. Confirmed emails + knowledge of source is always a good start to a throwaway phish campaign for organized cybercrime poo poo. Grab that poo poo via api, send out a few thousand emails, hand off the phished passwords to your scam farm.

Dec 8, 2019 01:15

mystes posted: That reason ceases to be relevant if they generate a random password for you because it completely prevents password reuse

for many years in the early 2000's my dad used the password our isp assigned us for the dialup service my family used in the late 1990's for various "family" accounts (and possibly some of his own). i think his reasoning was that it was a decently strong password that he and everyone else in the household had memorized anyway, or something.

Dec 9, 2019 00:43

my dad used his license plate as his password for a long time, way too long. it was a custom license plate so it wasn't even random either

Dec 9, 2019 02:32

please fix the typo in the thread title tia

Dec 9, 2019 03:28

dragon enthusiast posted: please fix the typo in the thread a title tia

Dec 9, 2019 04:40
dan luu had a long twitter fight with taviso about cpuids (hopefully this shows the thread who knows with twitter) https://twitter.com/taviso/status/1203740316735438848

Dec 9, 2019 06:40

yeah, i saw that. i guess nacl was trying to guarantee cycle-level timing precision (to defend against timing attacks?), so google literally refused to let chrome run on cpus they hadn't specifically tested

honestly a perfect combination of security-programmer hubris and google-programmer engineering-ad-absurdio

Dec 9, 2019 06:55

DuckConference posted: dan luu had a long twitter fight with taviso about cpuids

owns, especially in a post-meltdown timeline

Dec 9, 2019 06:57

i kind of agree with dan, like okay you can test with a few steppings of a few different models but I don't see how that can change your confidence in getting bit by an erratum on all processors from that brand

Dec 9, 2019 07:38

rjmccall posted: yeah, i saw that. i guess nacl was trying to guarantee cycle-level timing precision (to defend against timing attacks?), so google literally refused to let chrome run on cpus they hadn't specifically tested

as far as I understood dan luu though, google didn't actually whitelist specific CPUs, much less specific steppings - they just blanket whitelisted all Intel and AMD CPUs with the needed cpufeatures. to which taviso's argument seems to be "vendor says it's fine", I think???

Dec 9, 2019 08:53

TheFluff posted: as far as I understood dan luu though, google didn't actually whitelist specific CPUs, much less specific steppings - they just blanket whitelisted all Intel and AMD CPUs with the needed cpufeatures. to which taviso's argument seems to be "vendor says it's fine", I think???

i get the feeling they're talking past each other a bit and tavis is thinking about something else and not the particular bit of code being discussed

Dec 9, 2019 15:39