|
Theris posted: What's wrong with MD5? I mean, it turns my street's name (why are you using license plate numbers instead of something easy to remember when you're stretching it into a good password anyway? We're trying to keep things simple here!) into "0904572d42fdd0ef1cd93fb1047fe2d0." That's a great password! Look how long and random it is! And without involving super complicated hard to learn software like Keepass.
seems legit
|
# ¿ Nov 20, 2015 19:34 |
|
|
# ¿ Apr 24, 2024 23:21 |
|
poe's law
|
# ¿ Nov 20, 2015 19:45 |
|
It's really good
|
# ¿ Dec 22, 2015 05:10 |
|
If you're running linux without grsec (which renders this unexploitable) you're a bit of a mug imo. Debian even has prebuilt grsec kernels now
|
# ¿ Jan 20, 2016 03:09 |
|
Mr Chips posted: what's the path to better kernel security look like if I'm heavily RHEL6-ified (including SELinux)? Is getting grsec into the mix feasible?
I don't think there are any officially sanctioned grsec patched rpms, so you'd have to build the kernel yourself, probably invalidating your support contract
|
# ¿ Jan 20, 2016 14:54 |
|
That's cloudflare you idiot
|
# ¿ Mar 21, 2016 00:02 |
|
Subjunctive posted: I do not understand this.
I think he's suggesting someone might have an exposed e.g. GitLab installation running on their production servers and if it were vulnerable in some way then an attacker could pivot once inside
|
# ¿ Mar 21, 2016 04:55 |
|
Use TLS client auth
|
# ¿ Apr 6, 2016 22:51 |
|
^ you're thinking of BES. It likely had nothing to do with PGP as such and was just an endpoint attack to either steal the plaintext or the keys
|
# ¿ Apr 21, 2016 13:22 |
|
oaok posted: What are some things that I should study to start learning sec related things? Also resources that would help a beginner/novice looking to get into the field of infosec. Books? Courses? Videos? I'm very interested in netsec and infosec but I don't know where to begin. I was looking at maybe bash/shell, different file encryption, scripts and things like that, but I feel I need some fundamental training on the whole lot of information for these subjects.
Become a competent programmer and/or sysadmin first
|
# ¿ Apr 22, 2016 01:02 |
|
Why on earth would someone see whatsapp hiring moxie and immediately jump to the conclusion it's too good to be true and must be part of a nefarious plot nobody else has identified and that you'd better not use it? That's seriously loving stupid even by sh/sc standards
|
# ¿ Apr 22, 2016 04:41 |
|
Antillie posted: my cursory look at facebook's web site gives me the impression that they know what they are doing
Same - I hadn't heard of Facebook before but after a quick poke around their home page they get my seal of approval
|
# ¿ Apr 22, 2016 18:47 |
|
Just looked them up on Lycos and it turns out they're a pretty big deal in the US - sorry!
|
# ¿ Apr 22, 2016 23:26 |
|
e: Wrong thread nvm
Rufus Ping fucked around with this message at 16:50 on Apr 28, 2016 |
# ¿ Apr 28, 2016 16:47 |
|
Antillie posted: Must be nice to work in an industry that isn't subject to PCI, HIPAA, GLBA, US Government Contracting, or UK Data Protection Act regulation. It must also be nice to not have any clients that are subject to any of those things either.
Which part of the Data Protection Act mandates AV?
|
# ¿ Apr 30, 2016 19:07 |
|
That won't really help in any meaningful way - I think you underestimate just how vulnerable media codecs are if your conclusion is "keep VLC up to date". If you think getting your box popped via an anime mkv is a realistic scenario you need to guard against, you'd be better off installing EMET or watching everything in a VM
|
# ¿ May 4, 2016 05:13 |
|
Sharktopus posted: half serious/half comedy answer: tails, tor, public wifi, mixmaster, full-disclosure
100% this
|
# ¿ May 17, 2016 23:40 |
|
There have been various attacks on Tor users:
- The CMU SEI / cancelled Black Hat talk took advantage of RELAY_EARLY cells to perform a traffic confirmation attack. This has been fixed
- The watering-hole attack on Freedom Hosting exploited an already-patched vuln in Firefox 17 ESR. Users with an outdated Tor Browser Bundle were served a payload which attempted to phone home outside of Tor
- The Operation Torpedo watering-hole attack took advantage of users whose browser settings automatically ran Flash embeds. This is not the default setting in the TBB. The payload was the old Metasploit decloaker
- Tor is not designed to be safe against adversaries with a full view of the network. NSA/GCHQ have a sufficiently full view of the network to be able to perform statistical traffic analysis attacks

In addition, use of Tor to access the normal internet (i.e. not hidden services) leaves you open to types of attack known to be used on the normal internet, like packet injection.

In light of these points, you can help make your use of Tor safer in a few ways. Which are important depends on when and how you're using Tor.
- Reduce your susceptibility to vulns by using the hardened build of TBB which is compiled with ASan. Take advantage of exploit mitigation techniques (e.g. grsec) and MAC (e.g. grsec rbac, apparmor)
- Firewall yourself off so that non-Tor traffic cannot leak out and ensure these rules cannot easily be disabled. Tails and Qubes can do this automatically
- Connect from someone else's network that cannot be linked to you easily
|
# ¿ May 18, 2016 01:51 |
|
Mr Chips posted: Generally speaking, is it a reasonable assumption that other AV software is likely to have similar design and implementation flaws?
Mr Chips posted: Do other vendors do dumb poo poo like run things at ring0 that shouldn't be running there?
His suggestion regarding AV:
https://twitter.com/taviso/status/647409908967604224
https://twitter.com/taviso/status/676799692936581120
|
# ¿ May 18, 2016 02:07 |
|
dpbjinc posted: With Linux, you are either a user or an administrator, but you can run specific programs as an administrator even if you are a user. With Windows, you can hand out certain rights to users without giving them full administrative privileges in any application.
this isn't true. Linux supports capabilities and MAC too
|
# ¿ Aug 21, 2016 14:28 |
|
ItBurns posted: Don't be obtuse. It's a relevant development and a significant reversal of their position (and a few poster's own positions) with regard to sharing identifying info with FB and by proxy advertisers and law enforcement where the (now) encrypted messages can be stored until/if an attack on the encryption is found.
this was the assumed threat model all along - it is precisely because you don't trust all third parties not to do this that you're using e2e in the first place. whatsapp and other third parties not having access to metadata etc was never in scope unfortunately
|
# ¿ Aug 26, 2016 00:36 |
|
Shumagorath posted: just buy Threema assuming you can afford 2.99
or use Signal, which uses exactly the same protocol as WhatsApp (and Google Allo's and Facebook Messenger's e2e modes), and is free, and is open source, and whose users aren't almost exclusively German
|
# ¿ Aug 27, 2016 02:52 |
|
FeloniousDrunk posted: On the topic of password managers, I rolled my own crypto! Basically for people who don't trust LastPass etc. It runs entirely in the browser, no local storage, randomized per instance (unless choices have been made by the user).
Ah yes, 121, that well known prime number
|
# ¿ Sep 4, 2016 17:28 |
|
spot the mistake in his primality test code:
|
# ¿ Sep 4, 2016 18:00 |
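The primality test being mocked above isn't reproduced on this page, so the following is an added example (mine, not FeloniousDrunk's code and not anything else from the thread) of the most common way a hand-rolled trial-division test ends up calling 121 prime: an off-by-one on the square-root bound, so the divisor 11 is never tried and any square of a prime slips through. That this was his particular mistake is an assumption; the corrected version beside it is the check such code needs.

```python
import math


def is_prime_buggy(n: int) -> bool:
    """Trial division with an off-by-one on the upper bound.

    Constructed illustration (assumed bug class, not the poster's code):
    range() excludes its end, so int(sqrt(n)) itself is never tried. For
    121 the loop tests 2..10, misses 11, and reports a prime."""
    if n < 2:
        return False
    for d in range(2, int(math.sqrt(n))):  # should be ...+ 1
        if n % d == 0:
            return False
    return True


def is_prime(n: int) -> bool:
    """Trial division done properly: test every odd d with d*d <= n, so the
    divisor equal to sqrt(n) is included and squares of primes are caught."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def misclassified(limit: int) -> list:
    """Every n below limit on which the two tests disagree; all of them are
    composites the buggy version lets through (it never rejects a real prime)."""
    return [n for n in range(2, limit) if is_prime_buggy(n) != is_prime(n)]


if __name__ == "__main__":
    print("buggy says 121 is prime:", is_prime_buggy(121))
    print("false positives below 200:", misclassified(200))
```

For anything that actually needs to pick primes (the poster's tool apparently did), the lesson is less "fix the loop" than "don't write the loop": a few test vectors like 121 in a unit test would have caught this, and a vetted library routine would have avoided it.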
|
I've made a quick POC to show how a malicious site (or a site with malicious ads) can abuse that bookmarklet to steal people's passwords: https://rufoa.com/sa/poc.html
Install that guy's bookmarklet then pretend to log into my site above (click the bookmarklet then the fill button)
|
# ¿ Sep 4, 2016 22:42 |
|
for those who can't be bothered running it themselves:
here's a site I want to log into
Load up the bookmarklet and click fill...
whoops
|
# ¿ Sep 4, 2016 22:48 |
|
FeloniousDrunk posted: Yeah, I kind of think using the domain name isn't such a hot idea either. I'm going to take that out. Also have replaced the homegrown hashing.
you've missed the point - the problem is that your bookmarklet relies on injecting secret information (the prng seed from which all passwords are derived) into untrusted third party pages. you can mitigate this to some extent but you really need to go back and consider what problem you are attempting to solve here
|
# ¿ Sep 5, 2016 00:08 |
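To make the "what problem are you solving" point concrete, here is an added example (mine; not the bookmarklet from the thread and not Rufus Ping's code) of the property the criticism is about: the seed that everything is derived from stays in a trusted context, and the only thing that ever reaches a page is a per-origin value derived from it with HMAC, which cannot be turned back into the seed or into another site's password. The PBKDF2 stretching, the origin normalisation and the `exposure_if_page_learns` helper are my assumptions for the sake of illustration; the helper models a page's own scripts reading whatever got injected into it.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed design (not the thread's bookmarklet): the seed lives only in a
# trusted context (e.g. an extension's background process), never in page scope.


def seed_from_master_password(master_password: str, salt: bytes) -> bytes:
    """Stretch a human master password into a 32-byte seed (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)


def normalise_origin(url: str) -> str:
    """scheme + lower-cased host, so path and case changes don't alter the password."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme}://{parts.hostname.lower()}"


def derive_site_password(seed: bytes, url: str, length: int = 20) -> str:
    """One password per origin: HMAC-SHA256(seed, origin), base64url, truncated.

    HMAC is one-way in its key, so a page that learns its own password cannot
    recover `seed` and cannot compute any other origin's password."""
    tag = hmac.new(seed, normalise_origin(url).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")[:length]


def exposure_if_page_learns(value, seed: bytes, known_urls) -> list:
    """Model what a malicious page can do with whatever was injected into it.

    If the injected value is the seed (the thread's bookmarklet design), the page
    can derive every account; if it is only that origin's derived password, the
    other origins stay out of reach. Returns the origins now compromised."""
    exposed = []
    for u in known_urls:
        pw = derive_site_password(seed, u)
        if value == seed or value == pw:
            exposed.append(normalise_origin(u))
    return exposed


if __name__ == "__main__":
    # Constructed sample inputs; the salt would be stored alongside the user's config.
    seed = seed_from_master_password("correct horse battery staple", b"constructed-salt")
    sites = ["https://bank.example/login", "https://mail.example/", "https://shop.example/cart"]
    print("page given the seed can log into:", exposure_if_page_learns(seed, seed, sites))
    print("page given its own password can log into:",
          exposure_if_page_learns(derive_site_password(seed, sites[0]), seed, sites))
```

The remaining weaknesses are the ones the thread names: a page still gets its own password (that is unavoidable for any filler), and nothing here can stop a malicious page from lying about which origin it is unless the trusted side, not page-supplied data, decides the origin.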
|
FeloniousDrunk posted: On the topic of password managers, I rolled my own crypto! Basically for people who don't trust LastPass etc.
i mean seriously, if there are people out there who don't trust proper password managers but do trust some pile of poo poo w3schools-quality javascript bookmarklet written by local helpdesk janitor Tod McRetard, then your response shouldn't be to indulge their stupidity
|
# ¿ Sep 5, 2016 00:21 |
|
ming-the-mazdaless posted: Honest is not brutal.
I like to think I provided a decent amount of actual feedback and criticism before taking the piss out of him
|
# ¿ Sep 5, 2016 15:18 |
|
Squeegy posted: Is there anything wrong with Enigmail for Thunderbird?
Apart from that time it had a bug that silently failed to actually encrypt messages when you told it to? And then the dev said it wasn't an issue
|
# ¿ Sep 8, 2016 22:26 |
|
Squeegy posted: Do tell
https://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/
I'm wrong, it wasn't one of the devs who said people should cut them some slack over this, it was someone else
|
# ¿ Sep 9, 2016 02:52 |
|
Pryor on Fire posted: Can any of you thread readers recommend a good media contact who covers security and technology? Someone who writes about incidents well and hopefully understands at least some of the technical nuance of security/encryption? Mainly looking for good writing examples to show to other people.
patrick gray of risky business (radio)
matthew green
bruce schneier
joseph cox and lorenzo f-b of vice motherboard
kevin poulsen of wired
kashmir hill of fusion
comedy option: violet blue
|
# ¿ Sep 18, 2016 17:28 |
|
cr0y posted: Does any sort of open source two factor token exist? Or a project that can take advantage of readily available RSA tokens? I know using a cellphone is the most common 'token' but I am curious about fob that have a numerical display on them for TFA.
the standard algorithms are TOTP and HOTP via phone apps like you said. you can't reuse existing RSA fobs for your own application because each one has a shared secret burnt into it during manufacturing that you can't extract
|
# ¿ Sep 25, 2016 21:43 |
|
Sleeper Pimp posted: I deal mostly with bug bounty submissions. Am I allowed to drink with all you folks? (I need a drink.)
can I answer this in the form of a 40 minute screencast where I highlight broken English in notepad word by word then alt-tab to something too small to read in Burp Suite
|
# ¿ Sep 26, 2016 23:38 |
|
OSI bean dip posted: I'd love to see what the LastPass apologists have to say about this.
It's nothing to do with them I don't think
|
# ¿ Nov 8, 2016 17:22 |
|
Cup Runneth Over posted: couldn't you easily use quotes as something just as individual, secure,
it wouldn't be because you're not choosing the words randomly. someone could do a dictionary attack seeded on a book of quotations
https://www.google.co.uk/search?q=ce1194512322f2d9b1a85e11f6602c14
|
# ¿ Nov 14, 2016 18:25 |
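The MD5-of-a-street-name post earlier in the thread and the quotations question here are the same mistake: hashing or otherwise rewriting a low-entropy input does not add entropy, it only changes how the guess is spelled, and anyone guessing enumerates the sources rather than the outputs. The following is an added example (mine, not from the thread) of a password-policy check that treats a candidate as equivalent to cheap transforms of small corpora and reports the entropy that actually remains, next to what a naive length-based meter would claim. The corpora and transforms are constructed stand-ins (a real street list or book of quotations is thousands of entries, which still rounds to very few bits), and the hashes quoted in the thread are not used.

```python
import hashlib
import math

# Constructed sample corpora (stand-ins; real ones are every street name in a
# country, or every entry in a published book of quotations).
STREETS = ["Elm Street", "Main Street", "High Street", "Station Road", "Church Lane"]
QUOTES = [
    "To be, or not to be, that is the question",
    "I think, therefore I am",
    "The only thing we have to fear is fear itself",
]
CORPORA = {"streets": STREETS, "quotes": QUOTES}

# Cheap, deterministic rewrites a guesser would apply to every corpus entry.
TRANSFORMS = {
    "plain": lambda s: s,
    "md5hex": lambda s: hashlib.md5(s.encode()).hexdigest(),
    "squashed": lambda s: "".join(c for c in s.lower() if c.isalnum()),
}


def apparent_entropy_bits(password: str) -> float:
    """What a naive length-times-charset meter reports. A 32-char MD5 hex string
    scores well over 100 bits here, which is exactly the illusion in the thread."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def effective_entropy_bits(password: str, corpora=CORPORA, transforms=TRANSFORMS):
    """If the password is transform(entry) for some corpus entry, the real search
    space is |corpus| x |transforms|, whatever the output looks like.
    Returns (bits, how) on a match, or (None, None) if nothing matched."""
    for cname, entries in corpora.items():
        for tname, f in transforms.items():
            for entry in entries:
                if f(entry) == password:
                    return math.log2(len(entries) * len(transforms)), f"{tname}({cname})"
    return None, None


def random_choice_bits(wordlist_size: int, words: int) -> float:
    """Entropy of picking `words` entries uniformly at random from a wordlist:
    the randomness of the choice is what makes a passphrase strong, not the
    form it is stored in."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = hashlib.md5(b"Elm Street").hexdigest()
    print(pw, "looks like %.0f bits" % apparent_entropy_bits(pw))
    bits, how = effective_entropy_bits(pw)
    print("but is %.1f bits via %s" % (bits, how))
    print("six random words from a 7776-word list: %.1f bits" % random_choice_bits(7776, 6))
```

The `effective_entropy_bits` number is an upper bound, not a floor: the check only knows the corpora it was given, and a guesser will have more of them.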
|
apropos man posted: I didn't trust them to implement it properly if the best they can do is <30 character passwords, so I left it inactive.
lol
|
# ¿ Dec 3, 2016 15:10 |
|
How often are you logging into dropbox that the additional 20 seconds to type a 2FA code is a hassle? Do you keep clearing your cookies or something?
|
# ¿ Dec 6, 2016 19:02 |
|
Harik posted: E: I may be remembering one incident as more than one. I'm thinking "TOR-PEDO" and silkroad investigation involved separate uses of TBB exploits but tor-pedo involved hijacking freedom hosting to put an exploit in every page and silkroad was done differently.
the Torpedo and Freedom Hosting attacks were separate:
- the attack on Freedom Hosting exploited an already-patched vuln in Firefox 17 ESR
- the Operation Torpedo attack used the old Metasploit decloaker swf. iirc the TBB at the time didn't actually run Flash by default
iirc the Silk Road court docs didn't claim to have caught individuals by pwning them but it did sound like they hacked into SR itself and then identified the hidden service's actual location (or it was all parallel construction)
|
# ¿ Dec 24, 2016 02:38 |
|
|
If you need backup (rather than syncing) just use tarsnap. It's backed by s3
|
# ¿ Dec 28, 2016 15:40 |