|
Nalin posted:CTRL+ALT+A autotype by default will look to see if any window titles contains the words of the entry's title. You don't HAVE to pick the specific window title in the entry unless you turn that option off or if you want different auto-type sequences for different individual windows.
Both of which are good to know! I’ve never quite gotten it to work properly without setting it up individually, and I’ll have to give the browser plugin a shot. I need to play around with self hosting bitwarden and maybe make the migration if that works out.
This might be more of a home lab question, but what all does everyone have setup on their home network for open source IDS, log analysis, etc? I was looking at installing snort on one of the new Pi 4s and setting up HELK on my ESXi nuc server just to play around with some different tools. I’d also like to set up a virtual appliance to do regular vulnerability management scans beyond cron jobbing a golismero openvas scan off my Ubuntu server, and wasn’t sure what might be best tool for local network stuff. I’d also like to set up some sort of port mirroring or inline capture engine to run a whole network packet capture, either tcpdump or some dedicated hardware. I’m not opposed to purchasing new or dedicated hardware to make all this happen if anyone has any specific recommendations they could share. Thanks in advance!
E: Going to install the security onion virtual appliance and go from there. Any insight or other suggestions are very much appreciated!
Catatron Prime fucked around with this message at 02:38 on Aug 23, 2019 |
# ? Aug 19, 2019 18:39 |
|
https://twitter.com/laparisa/status/1164175663869247488
|
# ? Aug 22, 2019 05:52 |
|
Oops.
quote:Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects.
e: Are we having fun yet? https://twitter.com/GossiTheDog/status/1164536461665996800
Arsenic Lupin fucked around with this message at 19:16 on Aug 22, 2019 |
# ? Aug 22, 2019 16:25 |
|
Dell presents VMware buys Carbon Black for 2B
|
# ? Aug 22, 2019 23:13 |
|
Man I can’t keep up with this poo poo. The article also says VMware just acquired Pivotal. I thought Dell, EMC, VMware and Pivotal were all already merged since a couple years ago
Looks like it was spun out of VMware/EMC at some point and now they are buying it back? lol
|
# ? Aug 23, 2019 01:22 |
|
https://www.hackingarticles.in/threat-detection-for-your-network-using-kfsensor-honeypot/ Neat little honeypotting tool.
|
# ? Aug 23, 2019 01:39 |
|
Docjowles posted:Man I can’t keep up with this poo poo. The article also says VMware just acquired Pivotal. I thought Dell, EMC, VMware and Pivotal were all already merged since a couple years ago
Yeah I thought I was in a time loop when I saw the news about Pivotal.
|
# ? Aug 23, 2019 02:04 |
|
Arsenic Lupin posted:
someone needs to create a scanner that looks for misconfigured sonicwall ssl vpn servers because they can be run without auth (as in point a client at a host and hit connect and voila)
|
# ? Aug 23, 2019 02:25 |
|
I know the first rule of Infosec fight club is don’t roll your own crypto. I totally get that. I’m looking to understand cryptography a lot more than this is a good protocol and this is a deprecated protocol level. I’d like to maybe understand cryptographic primitives, and modern cryptographic engineering. So with that said: Books? YouTube’s? White papers you think are a must? All is appreciated. Thanks!
|
# ? Aug 23, 2019 09:18 |
|
https://cryptopals.com/ has a set of challenges that involve implementing a lot of simple crypto primitives then implementing an attack against them, and then builds on those primitives for a more complicated challenge. It's a good practical demonstration of how many different ways there are to get it wrong on a purely implementation level (ignoring things like side channel attacks).
|
# ? Aug 23, 2019 11:38 |
|
robostac posted:https://cryptopals.com/ has a set of challenges that involve implementing a lot of simple crypto primitives then implementing an attack against them, and then builds on those primitives for a more complicated challenge. It's a good practical demonstration of how many different ways there are to get it wrong on a purely implementation level (ignoring things like side channel attacks).
I can emphatically recommend this, especially if you want to use it as a way to learn a new tool or language.
|
# ? Aug 23, 2019 15:16 |
|
LtCol J. Krusinski posted:I know the first rule of Infosec fight club is don’t roll your own crypto. I totally get that. I’m looking to understand cryptography a lot more than this is a good protocol and this is a deprecated protocol level. I’d like to maybe understand cryptographic primitives, and modern cryptographic engineering. So with that said: Books? YouTube’s? White papers you think are a must? All is appreciated. Thanks!
I will nth cryptopals - it's really good. Here's some other stuff that might not be covered in the typical responses to the question. This is stuff from my backlog of poo poo recommended from twitter / some poo poo I've actually read and liked:
Colm MacCárthaigh is an incredible resource. A lot of his tweets are about his singer-songwriter stuff but he's been involved in crypto for ages. Here's some collections I made (sorry for collections, it's the only way to link tweets sanely):
- How to learn crypto: https://twitter.com/Jowjoso/timelines/1037328324006240256
- (this is just a cool link rather than practical learning:) Colm was working for AWS when heartbleed dropped, here's a story about it: https://twitter.com/Jowjoso/timelines/1115082981121691653
LVH is a cloud security and cryptography guy for Latacora (a great company to follow if you are into security and crypto in particular: tqbf is the founder and he's rad)
- lvh wrote a crypto 101 guide. Talk + a github book: https://www.youtube.com/watch?v=3rmCGsCYJF8 https://www.crypto101.io/
- This is a collection of recommendations that latacora published for different crypto use-cases. Putting it here even though it's all latacora people: https://latacora.singles/2018/04/03/cryptographic-right-answers.html
Schneier stuff:
- if you're curious about crypto history he recommends: "The Codebreakers" by David Kahn. I tried to read this and got BORED in the first chapter. I should really read it eventually.
- Applied Cryptography is a deep dive. It's also old. I believe this is superseded by Cryptography Engineering, but I haven't read CE. Someone else in the thread?
- Practical Cryptography is supposed to be akin to a c-level summary of AC. Haven't read it
Books I can't speak to personally but have come up in threads before:
- Handbook of Applied Cryptography by Menezes, van Oorschot, and Vanstone
- Security Engineering by Ross Anderson
Oh, EDIT: For context I am not a crypto man, I'm just into it. I believe there are a few people in the sec threads who are actually knowledgeable about crypto who can hopefully chime in and correct any bad recommendations I made.
|
# ? Aug 23, 2019 18:28 |
|
Jowj posted:
Kahn himself wrote a fun biography of Herbert O. Yardley, "The Reader of Gentlemen's Mail". Yardley is notorious for (A) using his skills to break the Japanese diplomatic code in WWI (B) writing a book about it. The second part was not well-received. I haven't reread "The American Black Chamber" in years; it's self-aggrandizing, but a gripping yarn.
"Cryptography" is a big subject; the part of it that interests me, and that I read about, is all the premodern stuff, up to say Venona. If anybody knows a good nonfictional overview of what's happened since computer cryptography became dominant, I'd love to hear about.
Side note: VENONA is amazingly cool. It takes time to make one-time pads, and the Soviet company that made them was under enormous time pressure due to the needs of WWII. So they did what they had to do .... use duplicates. Which turns them into multi-time pads, which makes them decryptable. Between 1942 and 1945 (per Wikipedia) lots of Soviet traffic was encrypted using these duplicate pads. A cryptographer figured this out, and slowly the US became able to read bits of the traffic. The first successful break was in 1946, proving that there was Soviet espionage in the Manhattan project. VENONA wasn't shut down completely until 1980, although one suspects there wasn't a lot of enthusiasm in the later years. History is cool.
Bonus fact: You notice that 1945 end date? Well, William Weissband, a Russian immigrant, worked closely with Army cryptanalysts, because they needed a fluent Russian speaker. Unfortunately, William Weissband was also working for the NKVD; in 1945, he found out about VENONA and told the NKVD about it. The Russians switched to sending useless information using those channels.
And the NSA have put all their decrypts online! (To be precise, it's the English versions of their decrypts.) It's real live history there on your screen.
P.S. The Rosenbergs were guilty as gently caress.
|
# ? Aug 23, 2019 19:04 |
|
Remember those timecube-ish guys with the five-dimensional musical AI crypto who got laughed out of Black Hat a couple of weeks ago? They're suing the conference organizers, apparently for not forcing the audience to take their snake oil seriously. https://arstechnica.com/information-technology/2019/08/company-accused-of-crypto-snake-oil-sues-black-hat-anonymous-detractors/
|
# ? Aug 23, 2019 21:20 |
|
Powered Descent posted:Remember those timecube-ish guys with the five-dimensional musical AI crypto who got laughed out of Black Hat a couple of weeks ago? They're suing the conference organizers, apparently for not forcing the audience to take their snake oil seriously.
This is going to go well.
|
# ? Aug 23, 2019 21:25 |
|
Rolling your own crypto is a great way to learn the primitives, just don't use it for production software. It's especially fun to write hash and encryption algos in a well-typed language like Idris or Rust, and you can experiment with things like constant time computation. Start with a test harness that says things like SHA256("butt") = baa9c153079197ea131ce56cc01d84a76c25746fee31890f2c60e95558b6a0f2 and then gently caress around until it works.
|
# ? Aug 23, 2019 21:48 |
|
I'm the $25,000 USD speaking slot.
|
# ? Aug 23, 2019 21:58 |
|
i'm the 5th dimension of quantum crypto AI
|
# ? Aug 23, 2019 21:59 |
|
Arsenic Lupin posted:My dad was big into crypto and crypto history, with a well-stocked set of bookshelves, and I agree that The Codebreakers is just too drat big unless you're seriously, seriously into it. (Tried rereading it when I was there for his funeral. For a lightweight intro, try Simon Singh's "The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography".
This is rad as poo poo. Thank you for the recommendations, I'll pick up those books!
|
# ? Aug 23, 2019 22:13 |
|
The Code Book is insanely good and my first edition copy from 1999 is one of my most prized possessions
|
# ? Aug 23, 2019 22:15 |
CLAM DOWN posted:i'm the 5th dimension of quantum crypto AI
|
|
# ? Aug 23, 2019 22:17 |
|
I'm the cryptography based on mysticism
|
# ? Aug 23, 2019 22:36 |
|
xtal posted:The Code Book is insanely good and my first edition copy from 1999 is one of my most prized possessions
it's a good book
|
# ? Aug 24, 2019 00:14 |
|
xtal posted:The Code Book is insanely good and my first edition copy from 1999 is one of my most prized possessions
Is the 2016 one a reprint or an update or is it a lovely cash-in on a well-known title (MLMP)?
|
# ? Aug 24, 2019 00:40 |
|
CommieGIR posted:I'm the cryptography based on mysticism
In what I like to think of as late-life revenge, the Friedmans wrote SCE, examining each major system claiming to find hidden messages in Shakespeare. It's hilarious and devastating and mean; for several ciphers (all? I forget) the Friedmans used the purported systems to find their own secret messages in Shakespeare. One of the systems they debunked even they goggled at. You cut up all the pages of a First Folio reproduction, glue them to an enormous linen band, rotate the band, then use the first line of the text your eye stops at.
Oh! I forgot a ripping yarn that is absolutely-drat-true. "Between Silk and Cyanide" is the memoir of Leo Marks, the man who became SOE (Special Operations Executive, the British WWII intelligence service)'s head of communications. He knew and outfitted the SOE operatives who were parachuted into Europe to help with the resistance; all too often they parachuted straight into the unloving arms of the Gestapo, thanks to the SOE's inability to follow its own protocols to determine whether an operative had been captured or turned, and to their fondness for cryptographic systems that were hard to use and easy to break. The title phrase stems from Marks's insistence that SOE switch to one-time pads printed on silk. He told the brass that they were making the choice "between silk and cyanide", meaning that they could either use Marks's one-time pads or ship the agents off with suicide pills. Marks went on to become a screenwriter, and it shows in the excellence of his storytelling.
Arsenic Lupin fucked around with this message at 01:36 on Aug 24, 2019 |
# ? Aug 24, 2019 01:26 |
|
Wonderful, I'll check it out. I really hope Black Hat learns a lesson from all this.
|
# ? Aug 24, 2019 03:44 |
|
CommieGIR posted:Wonderful, I'll check it out.
Never gently caress with crazy?
|
# ? Aug 24, 2019 05:30 |
|
Arsenic Lupin posted:P.S. The Rosenbergs were guilty as gently caress.
Julius: absolutely
Ethel: debatable but very likely
|
# ? Aug 24, 2019 23:40 |
|
BUG JUG posted:Julius: absolutely
Ethel wasn't doing the spying but she absolutely (if you believe Venona) knew what he was doing. https://www.nsa.gov/Portals/70/documents/news-features/declassified-documents/venona/dated/1948/13aug_special_study.pdf
|
# ? Aug 24, 2019 23:57 |
|
Chernobyl Season 3: Cryptomining the Spicy Rock: https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/
quote:Ukrainian authorities are investigating a potential security breach at a local nuclear power plant after employees connected parts of its internal network to the internet so they could mine cryptocurrency.
|
# ? Aug 26, 2019 19:14 |
|
CommieGIR posted:Chernobyl Season 3: Cryptomining the Spicy Rock:
3.6 hashrate. not good, not terrible.
|
# ? Aug 26, 2019 19:27 |
|
Basically the same as an ASIC
|
# ? Aug 26, 2019 22:53 |
|
CommieGIR posted:Chernobyl Season 3: Cryptomining the Spicy Rock:
Extremely disappointed by this misleading headline.
|
# ? Aug 26, 2019 23:00 |
|
So uh, is NordVPN really that loving bad? I also have a VPN through my ISP which I primarily use, and NordVPN is a backup for that. I got the whole Lowtax/SA deal a year ago or so, seemed p reasonable. After skimming this thread though, well, gently caress. I'll be looking into Algo eventually when I'm not a broke joke
|
# ? Aug 28, 2019 21:21 |
|
Really every single commercial VPN provider is scum. Literal scum. Shills, fake reviews, lies, everything end to end.
|
# ? Aug 28, 2019 21:26 |
|
I have the NordVPN SA promo going because as said, all commercial VPN providers are poo poo and at least this one is cheap and has good performance for my desperate secretive need to watch US netflix
|
# ? Aug 28, 2019 22:07 |
|
Re: the whole VPN thing, it basically depends on your threat model and who you want to prevent against.
Have a lovely ISP that inlines ads into your web pages like many do these days (any plaintext HTTP is tampered with, ads are inserted, etc)? Don't use a VPN provided by that ISP.
Want to torrent and watch US netflix and don't give a gently caress about security? Just pick whatever is cheapest and use the most-discounted coupon, they're all equally godawful poo poo, pick any of them.
Want to secure public wifi traffic / get a static IP to access your servers and whitelist / etc? Set up your own on your own machines.
|
# ? Aug 28, 2019 22:12 |
|
VPN services are just about moving security goal posts.
|
# ? Aug 28, 2019 22:31 |
|
The narrow use case for VPNs is when you're doing something slightly illegal so it's better for sketchy hosts to spy on you instead of the local ISP. Anything less illegal and it's not worth the money and effort, anything more illegal and a VPN won't help you.
|
# ? Aug 28, 2019 22:34 |
|
xtal posted:The narrow use case for VPNs is when you're doing something slightly illegal so it's better for sketchy hosts to spy on you instead of the local ISP. Anything less illegal and it's not worth the money and effort, anything more illegal and a VPN won't help you.
Remember to specify if you're talking about a commercial VPN service or your own VPN. VPNs are very cool and good for when you want to access stuff on your home network when you're not there.
|
# ? Aug 28, 2019 22:53 |