|
how many applications would actually be negatively affected if Math.random() was a CSPRNG that read from the OS's /dev/urandom equivalent? like what fraction of webapps are sampling random numbers in a super-tight loop
|
# ¿ Jun 28, 2014 18:04 |
|
|
# ¿ Apr 29, 2024 02:49 |
|
minivanmegafun posted:it's probably worth mentioning that that part of the JavaScript stdlib dates back to the days when people were running Netscape on win16, which a) didn't have a PRNG device supplied by the os and b) would have been balls slow to generate securely random numbers on for playing video games were people actually making serious video james in javascript back then? i agree that making it use a real prng would've been silly though
|
# ¿ Jun 28, 2014 19:54 |
|
i don't see the fuckup like yes they don't show any signs of having researched existing solutions and there's literally no reason this needs to be related to bitcoin but i don't see the problem with the bit you quoted
|
# ¿ Jul 2, 2014 06:16 |
|
Peanut and the Gang posted:Add a backdoor in the RedHat codebase. get it renamed to Red Hate
|
# ¿ Jul 2, 2014 17:52 |
|
suffix posted:the main issue is that they are concatenating the uri and body without any length information or delimiter welp this is why i don't design security protocols!
|
# ¿ Jul 2, 2014 23:28 |
|
ChickenOfTomorrow posted:how is http request formed DELETE /mother?type=instain HTTP/1.1
|
# ¿ Jul 3, 2014 17:11 |
|
ChickenOfTomorrow posted:bsafe RSA ghost i don't get it
|
# ¿ Jul 5, 2014 01:48 |
|
quote:British sceptics started regarding the system as proof that the German pilots were not as good as their own, who they believed could do without such systems. It was Lindemann himself who proved this wrong, when aerial reconnaissance systems started returning photographs of the RAF bombing raids, showing that they were rarely, if ever, anywhere near their targets.[12]
|
# ¿ Jul 5, 2014 02:23 |
|
syscall girl posted:the brits liked to bomb at night in a cowardly fashion iirc there was also a bunch of stuff after the allies had broken enigma and were using it to raid german supply lines etc. where the commanders were like 'they've totally broken our poo poo, we need to use new codes' but the higher-ups didn't believe them because nobody could possibly break the mighty ciphers of the third reich
|
# ¿ Jul 5, 2014 03:24 |
|
syscall girl posted:menschamphetamine
|
# ¿ Jul 5, 2014 04:51 |
|
Suspicious Dish posted:it's probably this debian patch that makes it overflow i get an abort on os x, don't feel like debugging further
|
# ¿ Jul 9, 2014 18:37 |
|
i wonder if anybody's ever actually been sued for violating one of those 'if you are not the intended recipient of this email you must format your hard drive' things they'd win because it's about as enforceable as 'by reading this you agree to pay me $1000' but i wonder if anybody was idiotic enough to try it
|
# ¿ Jul 9, 2014 19:16 |
|
another day, another bad intermediate CAquote:The intermediate CA certificates held by NIC were revoked on July 3, as noted above. But a root CA is responsible for all certificates issued under its authority. In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users:
|
# ¿ Jul 9, 2014 23:08 |
|
suffix posted:the more relevant examples are android and ios the most relevant example is the browser because 'randomly downloading and executing stuff from the internet' is just 'clicking on random links' and that's a security model they explicitly support
|
# ¿ Jul 10, 2014 01:18 |
|
my god fuSeWiRe Shaggar Was Right
|
# ¿ Jul 14, 2014 21:30 |
|
Heresiarch posted:False Intelligence Spreading Heuristic MECHanism
|
# ¿ Jul 14, 2014 21:59 |
|
Uncomfortable Gaze posted:if you need the opposite: i think this requires search b/c it doesn't work for me
|
# ¿ Jul 15, 2014 03:51 |
|
i only use lastpass for the dumb bullshit sites that i don't care about like the Something Awful Dot Com Internet Forums. stuff like my bank and amazon account are in keepass
|
# ¿ Jul 15, 2014 19:17 |
|
i don't bother with keyfiles and i store my keep rear end database in dropbox but i also use a diceware password and use enough rounds of key stretching that it takes a second to decrypt
|
# ¿ Jul 15, 2014 20:54 |
|
cheese-cube posted:lmao if you have lastpass/onepass/asspass and keep the creds for your email account to which everything is tied to in it and you dont have 2fa also yeah this my e-mail account password isn't written down anywhere
|
# ¿ Jul 15, 2014 21:51 |
|
Rufus Ping posted:https://twitter.com/Sc00bzT/status/487033083430846464 i can't tell if you're joking but cryptcat is something else
|
# ¿ Jul 19, 2014 04:50 |
|
|
# ¿ Jul 19, 2014 05:19 |
|
jony ive aces posted:idk though, if keepass can simulate keystrokes to fill a login form, could a malicious app change set its window title and then simulate pressing my hotkey? if you have a malicious app it could do a thousand different things to get your password out
|
# ¿ Jul 19, 2014 17:13 |
|
ultramiraculous posted:also lol @ everything in the part about about mdm configurations. if someone used an mdm configuration on your device, that phone probably doesn't belong to you. i thought the point was 'you can use an mdm configuration to disable some of these attacks' but if shipping the phone off to apple lets them work around it then why bother
|
# ¿ Jul 19, 2014 20:04 |
|
Mido posted:I'm no cryptographer but isn't it worse to put known characters (0x00) into a field of a now known and static length than it is to just leave it alone? why would that be worse
|
# ¿ Jul 20, 2014 01:54 |
|
ymgve posted:if your encryption algo gets weaker due to known plaintexts, get a better one yeah this crypto is all about hiding information and the length of a filename is information
|
# ¿ Jul 20, 2014 02:00 |
|
Mido posted:so am I on or off track with my intuition here, I'm gettin conflicting info here because it might be interesting that a file has a name that's really long, even if you don't know what that name is. if it's a long file name and a couple hundred megs in size, it's probably something like Hot_Blonde_MILF_Chick_Shitposts_All_Over_Green_Forum.mp4.mp4.mkv.exe.wmv
|
# ¿ Jul 20, 2014 02:12 |
|
quote:That's true of a key file with current asymmetric systems; but, presently if the passphrase of my GPG private key is compromised (e.g. by a hardware key logger), I only have to change the passphrase and ensure the old keyfiles are destroyed. under what circumstances are you going to get a compromise of your passphrase but not your key
|
# ¿ Jul 20, 2014 17:55 |
|
minivanmegafun posted:hardware keylogger? typing the passphrase to a remote machine over an insecure/MITM'd network connection? if someone has a hardware keylogger what makes you think your machine isn't completely hosed, and how often are you going to get an ssh connection MITMed
|
# ¿ Jul 20, 2014 18:09 |
|
minivanmegafun posted:as far as ssh goes, how do you know you can trust the computer you're remoting in from? good point
|
# ¿ Jul 20, 2014 18:13 |
|
Bloody posted:remind me - whats wrong with pgpg usability
|
# ¿ Jul 20, 2014 18:37 |
|
holy lol
|
# ¿ Jul 20, 2014 18:39 |
|
ultramiraculous posted:yes. because: there was also some site, i don't remember what, that would generate 'random' keys using Math.random() which is seeded from the current time in most browsers
|
# ¿ Jul 21, 2014 02:20 |
|
Cocoa Crispies posted:yeah it turns out using human-generated entropy is up there with plugging a flash drive you found in the parking lot of your nuclear materials factory into the production network i don't get why people are so averse to a loving diceware password anyway i use an 8-word diceware passphrase for my laptop, it's 8 random words and it took me like 2 minutes to memorize
|
# ¿ Jul 21, 2014 02:23 |
|
Cocoa Crispies posted:
yes those certainly look like passwords that are easy for someone to remember
|
# ¿ Jul 21, 2014 04:31 |
|
Cocoa Crispies posted:citation needed that modern dev random blocks after boot quote:~ $ cat /dev/random
|
# ¿ Jul 21, 2014 15:49 |
|
obfuscating your e-mail ityool2014 and not just letting your anti-spam software deal with it seems kind of silly
|
# ¿ Jul 24, 2014 20:44 |
|
Snapchat A Titty posted:i wonder how good the scraper bots are at deciphering bespoke obfuscation by now. Like "firstname dot lastname at provider dot com" is easy to parse, but ive seen people do insane poo poo like "email_DELETE_THE_NEXT_WORD_address@somewhere.com" or wtf sometimes i'll see people on SA put it in spoiler tags and it just baffles me. what are you even trying to prevent
|
# ¿ Jul 25, 2014 00:39 |
|
Snapchat A Titty posted:werent/arent spoilers filtered for guests? i just checked in an incognito window, they aren't
|
# ¿ Jul 25, 2014 00:58 |
|
|
# ¿ Apr 29, 2024 02:49 |
|
cookies over http is a bad idea, film at 11
|
# ¿ Jul 29, 2014 16:58 |