minivanmegafun posted:

it's probably worth mentioning that that part of the JavaScript stdlib dates back to the days when people were running Netscape on win16, which a) didn't have a PRNG device supplied by the os and b) would have been balls slow to generate securely random numbers on for playing video games

Peanut and the Gang posted:

Add a backdoor in the RedHat codebase.

suffix posted:

the main issue is that they are concatenating the uri and body without any length information or delimiter

so if you MITM a connection and they try to send something like:

POST /my/stuff?
donotdeleteallmydata=true

you can change it to

POST /my/stuff?donot
deleteallmydata=true

and the signature will still be valid.

you can also change a get request to put or post, change the content type header, etc.

here's the same thing done properly:
http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html

ChickenOfTomorrow posted:

how is http request formed

how database get pragnent

ChickenOfTomorrow posted:

bsafe RSA ghost

quote:

British sceptics started regarding the system as proof that the German pilots were not as good as their own, who they believed could do without such systems. It was Lindemann himself who proved this wrong, when aerial reconnaissance systems started returning photographs of the RAF bombing raids, showing that they were rarely, if ever, anywhere near their targets.[12]

syscall girl posted:

the brits liked to bomb at night in a cowardly fashion

americans were like yo it needs to be daytime to hit this factory and know you hit it and not the school/hospital/apartment building

syscall girl posted:

menschamphetamine

Suspicious Dish posted:

it's probably this debian patch that makes it overflow

http://sources.debian.net/src/make-dfsg/4.0-8/debian/patches/0009-handle_excessive_command_length-Patch-to-fix-large-c.patch

quote:

The intermediate CA certificates held by NIC were revoked on July 3, as noted above. But a root CA is responsible for all certificates issued under its authority. In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users:

gov.in
nic.in
ac.in
rbi.org.in
bankofindia.co.in
ncode.in
tcs.co.in

suffix posted:

the more relevant examples are android and ios

neither are really at the point of "randomly download and execute stuff from the internet". you'd need to tighten down the permission system a lot

OSI bean dip posted:

Heresiarch posted:

False Intelligence Spreading Heuristic MECHanism

Uncomfortable Gaze posted:

if you need the opposite:
http://forums.somethingawful.com/f/json/usercomplete?q=EMILY+BLUNTS&limit=1&timestamp=0

cheese-cube posted:

lmao if you have lastpass/onepass/asspass and keep the creds for your email account to which everything is tied to in it and you dont have 2fa

Rufus Ping posted:

https://twitter.com/Sc00bzT/status/487033083430846464

for gods sake nadim can you not even spell the name of your product correctly

Rufus Ping posted:

jony ive aces posted:

idk though, if keepass can simulate keystrokes to fill a login form, could a malicious app change set its window title and then simulate pressing my hotkey?

ultramiraculous posted:

also lol @ everything in the part about about mdm configurations. if someone used an mdm configuration on your device, that phone probably doesn't belong to you.

Mido posted:

I'm no cryptographer but isn't it worse to put known characters (0x00) into a field of a now known and static length than it is to just leave it alone?

ymgve posted:

if your encryption algo gets weaker due to known plaintexts, get a better one

Mido posted:

so am I on or off track with my intuition here, I'm gettin conflicting info here

it seems like having mostly zeros of a known length is bad but if good crypto makes this irrelevant then why is he even bothering to pad it

quote:

That's true of a key file with current asymmetric systems; but, presently if the passphrase of my GPG private key is compromised (e.g. by a hardware key logger), I only have to change the passphrase and ensure the old keyfiles are destroyed.

minivanmegafun posted:

hardware keylogger? typing the passphrase to a remote machine over an insecure/MITM'd network connection?

minivanmegafun posted:

as far as ssh goes, how do you know you can trust the computer you're remoting in from?

Bloody posted:

remind me - whats wrong with pgpg

OSI bean dip posted:

https://github.com/kaepora/miniLock/pull/14

ultramiraculous posted:

yes. because:

Cocoa Crispies posted:

yeah it turns out using human-generated entropy is up there with plugging a flash drive you found in the parking lot of your nuclear materials factory into the production network

Cocoa Crispies posted:

code:

> apg -m32 -n20
mesvawyusOkjaivHodtyrinnOojOrsh0
agsodWoawjainJachcupghaifMenHien
IrlObyakewCekilriTatsacyidmairg3
HubepdobfahuddyagEluryohygubGuct
urcUdirbejNisAbEtvevBeitguel1Gra
ReymuvkiphedidnuddEinidojUjAfHyn
joghyimEvdylmidjetgobrEvecOmtir4
eithIrnAkyawchEthorcEbKotLutowt"
DexDapmuAgdytchiupghabickhaudgej
wybMeggamAfjimRiftisFajlyebgebin
Neufweewv4obGodIssUndeunyujCyag6
apkogDeyRygtyijOcoynomvapFiacVav
wicJudodcoygcipsokAishbomLurdOrl
cegeckRakyanOmgeerf4QuejPyapkic&
MotbopondObcakushalyeijonmyopFac
SwauHocsOrmUnwircAbFedWyunchemKu
IckDogupdiOjMitjinRosarlyebAtNuc
5DejNuithgeeHufdekyu/GiftUtcivia
Mumat5opShagIbjaywrarroacAcThems
uddaGrenjensifbesdaHeelemujHyhyb

didn't even have to write anything

Cocoa Crispies posted:

citation needed that modern dev random blocks after boot

quote:

~ $ cat /dev/random
w{
Epľ��S���k�a�

Snapchat A Titty posted:

i wonder how good the scraper bots are at deciphering bespoke obfuscation by now. Like "firstname dot lastname at provider dot com" is easy to parse, but ive seen people do insane poo poo like "email_DELETE_THE_NEXT_WORD_address@somewhere.com" or wtf

Snapchat A Titty posted:

werent/arent spoilers filtered for guests?