Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
Absurd Alhazred
Mar 27, 2010

I'm the babyliberal, gotta love me!


https://twitter.com/SwiftOnSecurity/status/1385558743715180546

Don't convict on your own Infosec!

Adbot
ADBOT LOVES YOU

Thomamelas
Mar 11, 2009


The Iron Rose posted:

I still don’t know what “industry vertical” means. Isn’t it literally just the industry type? Could you not just say “industry”? Why in god’s green earth do we call powerpoints decks????


These are the questions that keep me up at night.

Industry verticals are niches in an industry. So tire making is an industry, but it would have verticals for truck tires, car tires, motorcycle tires, lawnmower tires, and so on. Some of them will have some overlap like motorcycle tire and car makers. But much less overlap than making tiny push mower tires.

spankmeister
Jun 15, 2008








The Iron Rose posted:

I still don’t know what “industry vertical” means. Isn’t it literally just the industry type? Could you not just say “industry”? Why in god’s green earth do we call powerpoints decks????


These are the questions that keep me up at night.

We used to use literal decks of literal slides and a projector for presentations.

Hope that helps you sleep comrade.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!



Security dudes. Millions of the Pentagon’s dormant IP addresses sprang to life on January 20 https://news.ycombinator.com/item?id=26924883

What are your thoughts? Apparently alibaba and China used these addresses on their internal network.

apseudonym
Feb 25, 2011



jaegerx posted:

Security dudes. Millions of the Pentagon’s dormant IP addresses sprang to life on January 20 https://news.ycombinator.com/item?id=26924883

What are your thoughts? Apparently alibaba and China used these addresses on their internal network.

Using old dormant things not in the actual private space for private things is an endless source of surprise breakages for people being dumb. It's probably not a grand scheme

Sirotan
Oct 17, 2006

Sirotan is a seal.





I run this service for my org and it was super fun to come back to work after some days off last week to find this out. We are not impacted. Clickstudios statement on this is pretty bad and they also took down their support forums, which is a totally cool and normal thing to do after a major incident.

Cup Runneth Over
Aug 8, 2009

Life's too short to worry
Life's too long to wait
Life's too short not
To love everybody
Life is too long to hate




[ support team sitting on the edge of their seats ]

[ Maury comes out w/ envelope ]

Sirotan posted:

We... are not impacted.

[ everyone starts hugging and dancing, attacker folds arms on the other side of the room ]

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

Another day, and another dev I have to explain to that, no, converting a password to hex and seeding with a flat key is not valid encryption, because for one thing I don't want you to be able to recall the password, for another you just made up your own bastardized version of Blowfish and bcrypt was RIGHT THERE ALL ALONG.

God drat it, don't roll your own crypto.

Cup Runneth Over
Aug 8, 2009

Life's too short to worry
Life's too long to wait
Life's too short not
To love everybody
Life is too long to hate




lol remembering arguing with a dev for like an hour to convince him that SHA256 was inadequate for storing passwords in a database and he needed to switch to bcrypt

at least its more than the SHA1 they were using elsewhere

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

Cup Runneth Over posted:

lol remembering arguing with a dev for like an hour to convince him that SHA256 was inadequate for storing passwords in a database and he needed to switch to bcrypt

at least its more than the SHA1 they were using elsewhere

"I MD5'ed the MD5 of the password, it should be secure!"

An actual conversation that gave me a violent twitch.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.



CommieGIR posted:

"I MD5'ed the MD5 of the password, it should be secure!"

An actual conversation that gave me a violent twitch.

I once worked on an old legacy website which, long ago, had kept all its user passwords in plaintext in a database. At some point it was upgraded to store salted hashes instead. However, at the login screen, entering that hash value itself as the password would also be accepted. It was apparently done this way so that the admins could still log in as any particular user for troubleshooting, without having to actually code in a way to do that properly.

The general attitude about this at the time I arrived on the scene was basically: "Yes, it's horrifying, we know. But we're sunsetting this whole platform and it'll be gone in six months anyway, so it's not worth fixing." (And it was indeed shut off for good... five years later.)

Absurd Alhazred
Mar 27, 2010

I'm the babyliberal, gotta love me!


Powered Descent posted:

The general attitude about this at the time I arrived on the scene was basically: "Yes, it's horrifying, we know. But we're sunsetting this whole platform and it'll be gone in six months anyway, so it's not worth fixing." (And it was indeed shut off for good... five years later.)



Nothing's more long-term than the temporary.

Kazinsal
Dec 13, 2011






CommieGIR posted:

"I MD5'ed the MD5 of the password, it should be secure!"

An actual conversation that gave me a violent twitch.

drat, now instead of taking one nanosecond per guess, it takes TWO. Time to wrap up the mass cracking effort.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

Kazinsal posted:

drat, now instead of taking one nanosecond per guess, it takes TWO. Time to wrap up the mass cracking effort.

Yeah, and not only did we force them to fix it, I wrote a small script to show how easy it was to decrypt.

https://twitter.com/silascutler/status/1387162874150326273?s=20

CommieGIR fucked around with this message at 23:00 on Apr 27, 2021

Jiro
Jan 12, 2004




I've used Cellebrite equipment when I was studying for my Digital Forensics associate degree, it's super loving clunky battery life on the UFED is absolute poo poo, the touchscreen is garbage. It's a wonder how they've cornered the market so hard. Their poo poo just sucks so loving hard.

Volguus
Mar 3, 2009


Powered Descent posted:

I once worked on an old legacy website which, long ago, had kept all its user passwords in plaintext in a database. At some point it was upgraded to store salted hashes instead. However, at the login screen, entering that hash value itself as the password would also be accepted. It was apparently done this way so that the admins could still log in as any particular user for troubleshooting, without having to actually code in a way to do that properly.

The general attitude about this at the time I arrived on the scene was basically: "Yes, it's horrifying, we know. But we're sunsetting this whole platform and it'll be gone in six months anyway, so it's not worth fixing." (And it was indeed shut off for good... five years later.)

I had to, once, add a feature in an web application I was working on to allow an administrator (a user with ADMIN role) to impersonate another user. Again, for troubleshooting purposes, I suppose. Now, no impersonated user's password were needed, was just asking for the admin's password again, and the token was set to expire after 30 minutes but man, I never felt so ... walking on thin ice before. It looked safe enough, I couldn't see any security holes, at least not obvious ones, but even today I still think sometimes "what if I missed something?".
Oh well, the web app is still up and running for years now, I left the company quite some time ago and nobody contacted me yet about problems the "feature" has caused. But I still think about it.

Volmarias
Dec 31, 2002


Jiro posted:

It's a wonder how they've cornered the market so hard. Their poo poo just sucks so loving hard.

This but basically every industry specific product, and the answer is "because there is no one else there to compete with them"

Mr. Crow
May 22, 2008

Snap City mayor for life


Jiro posted:

I've used Cellebrite equipment when I was studying for my Digital Forensics associate degree, it's super loving clunky battery life on the UFED is absolute poo poo, the touchscreen is garbage. It's a wonder how they've cornered the market so hard. Their poo poo just sucks so loving hard.

It's amazing what markets you can corner when you have no morals

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

Mr. Crow posted:

It's amazing what markets you can corner when you have no morals

And based on the fact they coded the entire thing in .NET, no decency.

BonHair
Apr 28, 2007

Welcome to the machine

Volguus posted:

I had to, once, add a feature in an web application I was working on to allow an administrator (a user with ADMIN role) to impersonate another user. Again, for troubleshooting purposes, I suppose. Now, no impersonated user's password were needed, was just asking for the admin's password again, and the token was set to expire after 30 minutes but man, I never felt so ... walking on thin ice before. It looked safe enough, I couldn't see any security holes, at least not obvious ones, but even today I still think sometimes "what if I missed something?".
Oh well, the web app is still up and running for years now, I left the company quite some time ago and nobody contacted me yet about problems the "feature" has caused. But I still think about it.

Eh, it's a useful tool to have in certain applications. Just be sure to log every loving thing and maybe put done multifactor on it. Preferably with one factor being another person.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

Kazinsal posted:

drat, now instead of taking one nanosecond per guess, it takes TWO. Time to wrap up the mass cracking effort.

"I used ROT13 twice!"

Defenestrategy
Oct 24, 2010

Worst decision I ever made.


Cup Runneth Over posted:


"The completely unrelated
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. " -Linked Article

Are there any legal ramifications to pushing files to a host with basically the express purpose of interfering with other apps that open said file? I'm guessing no?

Volmarias
Dec 31, 2002


Defenestrategy posted:

Are there any legal ramifications to pushing files to a host with basically the express purpose of interfering with other apps that open said file? I'm guessing no?

I'm not a lawyer, but I assume that since it's his product, he's pretty publicly announcing this, and the onus is on Celebrate to fix their poo poo, they have no leg to stand on. In the other hand, their clients are cops so he might get raided and have his entire everything ransacked and stolen as revenge and then be shot for "resisting arrest" so who knows.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

Volmarias posted:

I'm not a lawyer, but I assume that since it's his product, he's pretty publicly announcing this, and the onus is on Celebrate to fix their poo poo, they have no leg to stand on. In the other hand, their clients are cops so he might get raided and have his entire everything ransacked and stolen as revenge and then be shot for "resisting arrest" so who knows.

Given how a lot of these companies react to even responsible disclosure, this one feels most likely.

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

Defenestrategy posted:

Are there any legal ramifications to pushing files to a host with basically the express purpose of interfering with other apps that open said file? I'm guessing no?

At what point has he ever said the files will interfere with anything?

Defenestrategy
Oct 24, 2010

Worst decision I ever made.


Biowarfare posted:

At what point has he ever said the files will interfere with anything?

I'm fairly certain the "I'm not touching you" defense is only useable by dudes trying to skirt ATF regulations.

evil_bunnY
Apr 2, 2003



There’s no regulation mandating you keep your apps compatible with g-man’s software.

SMEGMA_MAIL
May 4, 2018


THUNDERDOME LOSER 2021





Signal is probably a big enough company and has enough lawyer that they won’t be subject to moon logic rulings used agains the poor

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

Got a really clever Spear Phishing email where it was a fake invoice for a McAfee security suite and only 12 hours to call this number and cancel for a refund.

Literally pretending your company bought from from a radioactive security company to compromise your security.

CyberPingu
Sep 15, 2013


https://twitter.com/adventureloop/status/1387447008609308672?s=09


https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/

Cup Runneth Over
Aug 8, 2009

Life's too short to worry
Life's too long to wait
Life's too short not
To love everybody
Life is too long to hate




https://twitter.com/WolfieChristl/status/1387894894597971971

Subjunctive
Sep 12, 2006

sparkle and shine



SMEGMA_MAIL posted:

Signal is probably a big enough company and has enough lawyer that they won’t be subject to moon logic rulings used agains the poor

Signal is a pretty small 501c3, fewer than 50 people.

trashy owl
Aug 23, 2017



Subjunctive posted:

Signal is a pretty small 501c3, fewer than 50 people.

Sure, but they have that sweet sweet State Department funding.

SMEGMA_MAIL
May 4, 2018


THUNDERDOME LOSER 2021





Subjunctive posted:

Signal is a pretty small 501c3, fewer than 50 people.

Yeah but “can afford a good lawyer” puts you outside of the range of poorlaw where “turns out your property is suspected in a crime and property has no rights! Thank you for your home and bank account. Also unrelated to you the bank is legally a person with rights” stuff.

Strawberry Pyramid
Dec 12, 2020


I may have two machines that are affected by the Dell driver issue, but they've both long since had their drives wiped and stock Win10 installed on them. Do I need to download the util and run it on them anyway?

And no, throwing the machines away is Not An Option.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

^ This is something I'm unsure about too

BlankSystemDaemon
Mar 13, 2009

System Access Node Not Found



If you've done a clean install of Windows 10 without the OEM nonsense, it shouldn't apply to you.
If you've used Dell-supplied installation media or downloaded any of their automatic driver installation tools, probably.

evobatman
Jul 30, 2006

it means nothing, but says everything!

Pillbug

Strawberry Pyramid posted:

I may have two machines that are affected by the Dell driver issue, but they've both long since had their drives wiped and stock Win10 installed on them. Do I need to download the util and run it on them anyway?

And no, throwing the machines away is Not An Option.

Do you work with me? Because I have a couple of coworkers whose only option when there is something they don't know the answer to is "THROW IT AWAY!"

Can't set the correct resolution on an old monitor on a Windows 10 computer? Oh poo poo, we have 50 of those monitors, better throw them all away!

Can't PXE-boot a laptop on the first try? Throw it away!

Can't find the LAN dongle for a laptop without an ethernet port? Computer is useless now, get rid of it!

Strawberry Pyramid
Dec 12, 2020


evobatman posted:

Do you work with me? Because I have a couple of coworkers whose only option when there is something they don't know the answer to is "THROW IT AWAY!"

Can't set the correct resolution on an old monitor on a Windows 10 computer? Oh poo poo, we have 50 of those monitors, better throw them all away!

Can't PXE-boot a laptop on the first try? Throw it away!

Can't find the LAN dongle for a laptop without an ethernet port? Computer is useless now, get rid of it!

It's more the machines in question are both over a decade old and it's only my own due diligence and replacing almost everything but the mobo/pros in them several times over that has kept them in service this long. If it weren't for the chip shortage I might consider finally replacing them.

Adbot
ADBOT LOVES YOU

KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


evobatman posted:

Do you work with me? Because I have a couple of coworkers whose only option when there is something they don't know the answer to is "THROW IT AWAY!"

I hate those types of people, unless I can convince them to just give all their "junk" to me.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply