The Fool
Oct 16, 2003



D. Ebdrup posted:

(password)

Oh cool, let's see if it works for me

LowtaxH4zHugeB4llz


ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else


The Fool posted:

Oh cool, let's see if it works for me

LowtaxH4zHugeB4llz

Don't doxx me please.

Volmarias
Dec 31, 2002


Please stop posting old bash.org jokes

That's actually my passphrase, let's see if it works for them too!

The Fool
Oct 16, 2003



Volmarias posted:

Please stop posting old bash.org jokes

(password)


dougdrums
Feb 25, 2005

MORTAL KOMB---
Uh, never mind. You're basically tonguing a nuke's butthole right now.


If only bash did it too

D. Ebdrup
Mar 13, 2009



Volmarias posted:

Please stop posting old bash.org jokes

That's actually my passphrase, let's see if it works for them too!
Uhm actually I think you'll find that they're irc jokes, I say as I push up my glasses.

That's my very secure password.

D. Ebdrup
Mar 13, 2009



And now for a non-waste of bytes:
A really loving interesting article about shellcode en-/de-coders, their history and even a brief mention of FreeBSD.

Docjowles
Apr 9, 2009



dougdrums posted:

Every once in a while I'll do the ol':
code:
$ suod chown foo:bar baz
...
$ (password)
gently caress

It hasn't actually happened, but I live in constant fear of Slack stealing focus and making me dump important credentials into a public channel. When I'm typing a password I always triple check that the correct app has focus out of total paranoia.

Teammates have definitely done it and immediately had to change passwords. The worst I've done is :q :wq ZZ gently caress

Coxswain Balls
Jun 3, 2001



College Slice

Docjowles posted:

It hasn't actually happened, but I live in constant fear of Slack stealing focus and making me dump important credentials into a public channel. When I'm typing a password I always triple check that the correct app has focus out of total paranoia.

Teammates have definitely done it and immediately had to change passwords. The worst I've done is :q :wq ZZ gently caress

Some sales manager did this in our national SPOC room once and their password had the bonus of being really misogynistic. It's not often you get to see someone accidentally torpedo their job like that in front of a bunch of director-level folks across the country.

RFC2324
Jun 7, 2012

Http 418


ChubbyThePhat posted:

I've typed domain and enterprise admin passwords in username fields before. Never uploaded one to a public repo though.... not yet.

Fortunately, I did not make this mistake in prod. It was just my home server's IPMI credentials hardcoded in a script (I have since started using a prompt to get the password at runtime for everything I write).
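As an added example (this is not code from any poster in the thread), the two halves of the fix RFC2324 describes, in Python: a small heuristic scanner that flags credential literals in a script, and a loader that takes the password from the environment or from an echo-free prompt at runtime instead of the source file. The key names it looks for, the ipmitool-style `-P` flag syntax, and the host and credentials in the constructed script are all assumptions for the example.

```python
import getpass
import os
import re
from typing import Mapping, Optional

# Heuristic patterns for credentials embedded in a script. Both the key names and
# the flag syntax (ipmitool-style "-P <password>") are assumptions for this example.
_ASSIGNMENT_RE = re.compile(
    r"(?i)([A-Za-z0-9_]*(?:passw(?:or)?d|passphrase|secret|api_key|token))"
    r"\s*[=:]\s*['\"]([^'\"]+)['\"]"
)
_CLI_FLAG_RE = re.compile(r"(?:--password[=\s]+|(?<=\s)-P\s+)(\S+)")


def find_hardcoded_secrets(source: str):
    """Return (line_number, key, value) for lines that appear to embed a credential
    literal. Comment lines and values that are variable references ($VAR) are skipped."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGNMENT_RE.search(line)
        if m:
            hits.append((lineno, m.group(1), m.group(2)))
            continue
        m = _CLI_FLAG_RE.search(line)
        if m:
            value = m.group(1).strip("'\"")
            if not value.startswith("$"):
                hits.append((lineno, "cli-flag", value))
    return hits


def load_password(env_var: str = "IPMI_PASSWORD",
                  prompt: str = "IPMI password: ",
                  env: Optional[Mapping[str, str]] = None) -> str:
    """The fix: take the credential from the environment if set, otherwise prompt
    without echo at runtime. It never lives in the script's source or its argv."""
    env = os.environ if env is None else env
    value = env.get(env_var)
    if value:
        return value
    return getpass.getpass(prompt)


# Constructed example of the mistake (fake host, fake credentials).
BAD_SCRIPT = """#!/usr/bin/env bash
# power-cycle the home server via IPMI
IPMI_HOST=10.0.0.5
IPMI_PASSWORD="hunter2-not-real"
ipmitool -H "$IPMI_HOST" -U admin -P "$IPMI_PASSWORD" chassis power status
ipmitool -H "$IPMI_HOST" -U admin -P 'calvin-not-real' sel list
"""

if __name__ == "__main__":
    for lineno, key, value in find_hardcoded_secrets(BAD_SCRIPT):
        print(f"line {lineno}: {key} = {value!r}")
```

Run as a script it reports line 4 (the assignment) and line 6 (the literal passed to `-P`) and leaves line 5 alone, because `"$IPMI_PASSWORD"` is a reference, not a literal. The scanner is deliberately narrow; it is the kind of pre-commit check that catches the "home script with creds in it" case, not a substitute for a real secret scanner.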

Docjowles
Apr 9, 2009



Coxswain Balls posted:

Some sales manager did this in our national SPOC room once and their password had the bonus of being really misogynistic. It's not often you get to see someone accidentally torpedo their job like that in front of a bunch of director-level folks across the country.

Thanks for sharing that

apropos man
Sep 5, 2016

You get a hundred and forty one thousand years and you're out in eight!

Docjowles posted:

Thanks for sharing that

He needs to now share the password in question. This is important for Sunday hilarity reasons. The guy has obviously changed it. Please.

Schadenboner
Aug 15, 2011



apropos man posted:

He needs to now share the password in question. This is important for Sunday hilarity reasons. The guy has obviously changed it. Please.

OSU_Matthew
Aug 23, 2010


Gun Saliva

Docjowles posted:

It hasn't actually happened, but I live in constant fear of Slack stealing focus and making me dump important credentials into a public channel. When I'm typing a password I always triple check that the correct app has focus out of total paranoia.

Teammates have definitely done it and immediately had to change passwords. The worst I've done is :q :wq ZZ gently caress

Only really good for Windows OS, but KeepAss' auto type feature is loving fantastic. You pick a target window in the database entry for that credential, and then next time you log in, Ctrl-Alt-A auto types the credentials when you have the correct window or login URL pulled up.

Guy Axlerod
Dec 29, 2008


Hey, why is this log full of "Penis1"?
Me to dev lead: "Hey, one of your guys put their debugging statement into prod here."
Oh, wait. Those are POST bodies, Penis1 is somebody's password.
"Uh, Penis1 isn't a thing they typed, but they still need to fix that."

RFC2324
Jun 7, 2012

Http 418


Guy Axlerod posted:

Hey, why is this log full of "Penis1"?
Me to dev lead: "Hey, one of your guys put their debugging statement into prod here."
Oh, wait. Those are POST bodies, Penis1 is somebody's password.
"Uh, Penis1 isn't a thing they typed, but they still need to fix that."

are you saying someone's password hashed to Penis1?

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate



RFC2324 posted:

are you saying someone's password hashed to Penis1?

I think they're saying it didn't

Space Gopher
Jul 31, 2006
BLITHERING IDIOT

RFC2324 posted:

are you saying someone's password hashed to Penis1?

Are you saying you trust a client to handle hashing a password?

The mistake is logging sensitive request bodies. There's nothing wrong with sending unhashed passwords over https, as long as you don't store them.

RFC2324
Jun 7, 2012

Http 418


Cup Runneth Over posted:

I think they're saying it didn't

Space Gopher posted:

Are you saying you trust a client to handle hashing a password?

The mistake is logging sensitive request bodies. There's nothing wrong with sending unhashed passwords over https, as long as you don't store them.

This is why I ask.

Guy Axlerod posted:

Penis1 isn't a thing they typed

Logging passwords and trusting clients are yes, obviously bad.
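Added example for the situation in Guy Axlerod's log and Space Gopher's point that the mistake is logging request bodies (this is not code from any poster): a request logger that redacts password-like fields from JSON and form-encoded bodies before anything is written, plus a check that scans existing log lines for credential fields that made it through unredacted. The field names, the log line format and the sample log are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qsl, unquote, urlencode

# Keys whose values must never reach a log. The list is an assumption for this
# example; extend it to match your own API's field names.
SENSITIVE_FIELDS = {"password", "passwd", "new_password", "old_password",
                    "token", "secret", "authorization"}
REDACTED = "[REDACTED]"


def redact_mapping(obj):
    """Recursively replace the values of sensitive keys in parsed JSON."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_FIELDS else redact_mapping(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_mapping(v) for v in obj]
    return obj


def redact_body(content_type: str, body: str) -> str:
    """Return a log-safe rendering of a request body. Bodies we can't parse are
    not logged at all, only their size, so an unexpected format can't leak."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json":
        try:
            return json.dumps(redact_mapping(json.loads(body)), sort_keys=True)
        except ValueError:
            pass  # unparseable JSON falls through to the opaque case
    elif media_type == "application/x-www-form-urlencoded":
        pairs = parse_qsl(body, keep_blank_values=True)
        return urlencode([(k, REDACTED if k.lower() in SENSITIVE_FIELDS else v)
                          for k, v in pairs])
    return f"<{len(body)} bytes omitted>"


def access_log_line(method: str, path: str, content_type: str, body: str) -> str:
    """What the request logger should write instead of the raw body."""
    return f"{method} {path} body={redact_body(content_type, body)}"


# Detection side: find log lines where a credential field survived unredacted.
_LEAK_RE = re.compile(
    r"(?i)[\"']?(?:password|passwd|token|secret)[\"']?\s*[=:]\s*[\"']?([^\"'&\s,}]+)")


def find_leaked_credentials(log_text: str):
    """Return the line numbers whose credential field holds something other than
    the redaction marker (URL-encoded markers are decoded before comparing)."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in _LEAK_RE.finditer(line):
            if unquote(m.group(1)) != REDACTED:
                leaks.append(lineno)
                break
    return leaks


# Constructed sample log: line 1 is the mistake from the thread, lines 2 and 3
# are what the redacting logger above produces.
SAMPLE_LOG = """\
2019-03-21T10:00:01Z POST /login body={"username":"alice","password":"s3cret-example"}
2019-03-21T10:00:02Z POST /login body=username=bob&password=%5BREDACTED%5D
2019-03-21T10:00:03Z GET /health body=<0 bytes omitted>
"""

if __name__ == "__main__":
    print(access_log_line("POST", "/login", "application/json",
                          '{"username":"alice","password":"s3cret-example"}'))
    print("leaking lines:", find_leaked_credentials(SAMPLE_LOG))
```

The design choice worth copying is the default: a body the logger does not understand is reduced to its size rather than written verbatim, so a new content type or a broken parser fails closed. The scanner is the check to run over logs that already exist, since a redacting logger only helps from the day it is deployed.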

Docjowles
Apr 9, 2009



My Dick 5 hash algorithm (TM)

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate



Short and rarely used anymore, eh?

Volmarias
Dec 31, 2002


Docjowles posted:

My Dick 5"

dougdrums
Feb 25, 2005

MORTAL KOMB---
Uh, never mind. You're basically tonguing a nuke's butthole right now.


S-box had a backdoor

OSU_Matthew
Aug 23, 2010


Gun Saliva

Docjowles posted:

My Dick 5 hash algorithm (TM)

Cup Runneth Over posted:

Short and rarely used anymore, eh?

DACK FAYDEN
Feb 25, 2013

Bear Witness

My mother is old and wants a physical USB password-storing-and-entering fob so she doesn't have to write things on pieces of paper. I can't keep LastPass, KeePass, 1Pass, all that crap straight. I know most of them are bad, but not which or why. Help me infosec thread you're my only competent hope.

(or just like, tell me what to google and I can make my own decision, but I figure I trust goons 100%)

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!


DACK FAYDEN posted:

My mother is old and wants a physical USB password-storing-and-entering fob so she doesn't have to write things on pieces of paper. I can't keep LastPass, KeePass, 1Pass, all that crap straight. I know most of them are bad, but not which or why. Help me infosec thread you're my only competent hope.

(or just like, tell me what to google and I can make my own decision, but I figure I trust goons 100%)

If she's got random bits of paper you could get her a password book to replace them. It's like an address book but for websites with passwords. I got my mother one of these a few years back. Obviously it's bad physical security but it worked for her.

As for the hardware device to enter passwords, the only one I'm familiar with is the Mooltipass. I've never used one but it had a lot of Hackaday articles about its development a couple of years ago:
https://www.themooltipass.com/

myron cope
Apr 21, 2009



DACK FAYDEN posted:

I can't keep LastPass, KeePass, 1Pass, all that crap straight. I know most of them are bad, but not which or why. Help me infosec thread you're my only competent hope.

Is this part true? I've used LastPass and 1Password, would be nice to know if I shouldn't be

Proteus Jones
Feb 28, 2013





Hair Elf

DACK FAYDEN posted:

My mother is old and wants a physical USB password-storing-and-entering fob so she doesn't have to write things on pieces of paper. I can't keep LastPass, KeePass, 1Pass, all that crap straight. I know most of them are bad, but not which or why. Help me infosec thread you're my only competent hope.

(or just like, tell me what to google and I can make my own decision, but I figure I trust goons 100%)

KeepAss and 1Password are both solid choices.

Dylan16807
May 12, 2010


myron cope posted:

Is this part true? I've used LastPass and 1Password, would be nice to know if I shouldn't be

LastPass has a pretty bad security track record.

KeePass is fussy to use but is otherwise fine and it's free.

1Password is fine.

evil_bunnY
Apr 2, 2003



Just get your mom a physical book. Have her choose long but easy-to-type passwords.

eames
May 9, 2009



i plan to store my passwords by typing them into the facebook login box and retrieve them via GDPR request

Proteus Jones
Feb 28, 2013





Hair Elf

myron cope posted:

Is this part true? I've used LastPass and 1Password, would be nice to know if I shouldn't be

I tell people to not use LastPass. They've had bad exploits, and typically show very little motivation unless they get publicly shamed by Tavis Ormandy. Also, given the nature and avoidability of some of these exploits, they show little interest in secure coding practices. Now they may have changed and/or improved, but I don't care. Their historical record has placed me firmly in the DO NOT RECOMMEND category.

I can't say for KeePass, but 1Password devs are thoroughly involved with their users and very reactive regarding security and usability issues. Based on my, admittedly secondhand, knowledge of KeePass they have a similar reputation.

evil_bunnY posted:

Just get your mom a physical book. Have her choose long but easy to type passwords.

This is a good recommendation as well. They make notebooks specifically for keeping track of IDs/passwords.

AlternateAccount
Apr 25, 2005
FYGM

eames posted:

i plan to store my passwords by typing them into the facebook login box and retrieve them via GDPR request

That might be more valid than you meant when you typed this, unless this is what you were referencing.

Facebook admits it stored 'hundreds of millions' of account passwords in plaintext
https://techcrunch.com/2019/03/21/f...text-passwords/

D. Ebdrup
Mar 13, 2009



Proteus Jones posted:

This is a good recommendation as well. They make notebooks specifically for keeping track of IDs/passwords.

Not only that, but if you keep the book in a bookshelf with a lot of other varied books, what are the chances that someone's gonna steal it?

Volmarias
Dec 31, 2002


Good luck recovering if there's a fire though.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Just keep a secure copy of her email account details somewhere, and she can password reset the rest.

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate



https://motherboard.vice.com/en_us/...udio-recordings

The Scientist
Nov 6, 2009



Fallen Rib

Is there a thread for reverse engineering/vulnerability discovery/exploit development, especially in the context of Capture The Flag competitions?

OSU_Matthew
Aug 23, 2010


Gun Saliva

The Scientist posted:

Is there a thread for reverse engineering/vulnerability discovery/exploit development, especially in the context of Capture The Flag competitions?

Not that I'm aware of, but I've done a few and collectively this seems to be about as good a place as any to post it. I just did one last week that was a USB pcap and I had to translate the hex into HID keyboard characters to get a pastebin URL, which contained the base64-encoded flag. Last one I did before that was at CodeMash, and you had to find the login for a URL and then use the browser tools to find the base64 flag hidden in the header. Once I finish up bandit my next step is hackthebox.eu, so I'm definitely interested in whatever CTF you're doing.

Also, as far as reverse engineering goes, Ghidra was just released and is a fun one to install on a VM, and any.run is great for examining the execution of stuff. If it's PowerShell you're trying to deobfuscate, CyberChef (https://gchq.github.io/CyberChef/?r...3A%22XOR%22%252) is pretty rad.
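Added example for the USB-pcap challenge OSU_Matthew describes (this is not their solution or any poster's code): a decoder for boot-protocol USB HID keyboard reports, assuming the 8-byte reports have already been pulled out of the capture as hex lines (for instance the `usb.capdata` field that tshark prints). The sample reports are constructed; they type a short string and include a held-key repeat and a backspace, the two cases a naive byte-to-character lookup gets wrong.

```python
# Boot-protocol keyboard report: byte 0 = modifier bits, byte 1 = reserved,
# bytes 2-7 = up to six keycodes currently pressed (0x00 = no key).
_SHIFT_MASK = 0x22            # left shift (0x02) | right shift (0x20)
_DIGITS = "1234567890"        # keycodes 0x1e..0x27
_DIGITS_SHIFTED = "!@#$%^&*()"
_PUNCT = {                    # keycode: (plain, shifted), US layout
    0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
}
_SPECIAL = {0x28: "\n", 0x2b: "\t", 0x2c: " "}
_BACKSPACE = 0x2a


def keycode_to_char(code: int, shift: bool) -> str:
    """Map one HID usage code to the character it types on a US keyboard."""
    if 0x04 <= code <= 0x1d:                      # a..z
        ch = chr(ord("a") + code - 0x04)
        return ch.upper() if shift else ch
    if 0x1e <= code <= 0x27:                      # 1..9, 0
        return (_DIGITS_SHIFTED if shift else _DIGITS)[code - 0x1e]
    if code in _PUNCT:
        return _PUNCT[code][1 if shift else 0]
    if code in _SPECIAL:
        return _SPECIAL[code]
    return f"[0x{code:02x}]"                      # unmapped key: keep it visible


def parse_capdata(text: str):
    """Turn hex report lines (optionally colon-separated, as tshark prints them)
    into byte strings, ignoring blank lines."""
    reports = []
    for line in text.splitlines():
        h = line.strip().replace(":", "")
        if h:
            reports.append(bytes.fromhex(h))
    return reports


def decode_keystrokes(reports) -> str:
    """Reconstruct typed text. A keycode is emitted only when it is newly pressed
    relative to the previous report, so a key held across several reports
    (or an interrupt-driven repeat) does not produce duplicate characters."""
    out = []
    prev = set()
    for raw in reports:
        if len(raw) < 8:                           # not a keyboard report
            continue
        shift = bool(raw[0] & _SHIFT_MASK)
        keys = [c for c in raw[2:8] if c]
        for code in keys:
            if code in prev:
                continue
            if code == _BACKSPACE:
                if out:
                    out.pop()
                continue
            out.append(keycode_to_char(code, shift))
        prev = set(keys)
    return "".join(out)


# Constructed capture, one report per line, in the colon-separated form tshark uses.
SAMPLE_CAPDATA = "\n".join([
    "00:00:0b:00:00:00:00:00",  # h
    "00:00:00:00:00:00:00:00",  # release
    "00:00:0c:00:00:00:00:00",  # i
    "00:00:0c:00:00:00:00:00",  # i still held: must not be emitted twice
    "00:00:00:00:00:00:00:00",
    "00:00:07:00:00:00:00:00",  # d
    "00:00:00:00:00:00:00:00",
    "02:00:2f:00:00:00:00:00",  # shift + [  -> {
    "00:00:00:00:00:00:00:00",
    "02:00:12:00:00:00:00:00",  # shift + o  -> O
    "00:00:00:00:00:00:00:00",
    "00:00:0e:00:00:00:00:00",  # k
    "00:00:00:00:00:00:00:00",
    "02:00:1e:00:00:00:00:00",  # shift + 1  -> !
    "00:00:00:00:00:00:00:00",
    "00:00:1b:00:00:00:00:00",  # x (a typo the user then deletes)
    "00:00:00:00:00:00:00:00",
    "00:00:2a:00:00:00:00:00",  # backspace
    "00:00:00:00:00:00:00:00",
    "02:00:30:00:00:00:00:00",  # shift + ]  -> }
    "00:00:00:00:00:00:00:00",
    "00:00:28:00:00:00:00:00",  # enter
    "00:00:00:00:00:00:00:00",
])

if __name__ == "__main__":
    print(repr(decode_keystrokes(parse_capdata(SAMPLE_CAPDATA))))
```

Decoding the sample yields `'hid{Ok!}\n'`. The comparison against the previous report is what matters: a capture taken while a key was held, or from a device that re-sends its state on every poll, contains the same keycode in consecutive reports, and emitting on every occurrence turns `hid` into `hiid`. The layout tables are US-only; a capture from another layout needs its own map.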


Volmarias
Dec 31, 2002



Given that it's spyware for parents and they mention nude images, there's a non-trivial chance of child porn. It seems like contacting the FBI would get results.
