BangersInMyKnickers posted: Tavis Ormandy turned his terrible gaze towards Symantec and hit paydirt. Expect big rounds of emergency patching in the next 3 months if you're running their products. Or maybe they don't do anything and you get some 0day CVEs when he goes public.

But AV is a good idea because reasons!

Apr 29, 2016 18:22
|
|
doctorfrog posted: Is that the sort of thing where you're vulnerable because you're running a Symantec product? You'd be safer with nothing?

Symantec.txt

Apr 29, 2016 18:42
|
But who are we to not trust AV.
|
Apr 29, 2016 23:55
|
co199 posted: I wouldn't replace AV, that's the point - I'd use it in conjunction with other tools.

You didn't answer the question, you just asked another one. Why do you think using AV makes it cheaper?

Apr 30, 2016 00:20
|
Paul MaudDib posted: How are you defining effectiveness?

This is the dumbest thing I've ever read and you have no idea what you're talking about.

May 1, 2016 02:20
|
Paul MaudDib posted: Way to beg the question.

In the real world, posts like this are why in TYOOL 2016 security is such a joke of an industry.

May 1, 2016 03:32
|
andrew smash posted: What's an ideal approach to security for a home machine mostly used to play video games and browse the forums? I'm curious and would like to make sure I'm not doing anything stupid. At baseline, I keep windows updated, keep UAC on, don't open email attachments, etc.

Keep your stuff up to date, don't run random poo poo off torrents.

May 1, 2016 03:39
|
Paul MaudDib posted: Why? It's just YOSPOS having some drunken weekend anal leakage. You've got OSI Bean Dip, the Internet Antivirus Expert who once interned at Symantec or something, who just keeps asking someone to explain antivirus to him and who thinks the NSA is going after grandma's cat pictures (the explanation he gave in the thread he linked for why antivirus sucked, after I got past all the "under construction" paragraphs), and a bunch of white noise posters.

The YOSPOS crowd here has you far outpaced when it comes to security credentials. Have you done any work in security?

May 1, 2016 23:16
|
Paul MaudDib posted: For real though I appreciate that antivirus is a layer that can have its own vulnerabilities, but the number of critical vulnerabilities in a given antivirus package is much less than the number of vulnerabilities in software that is corralled within an AV perimeter. There's been like what, 2 escalation or escape attacks within a year? Versus how many exploits of software installed on client endpoints? It's probably less than a half-dozen total.

I'm afraid this hasn't been true for at least 5 years, if not a whole lot longer. The problem is that if you're a security person who can write solid, correct, secure code you're in extreme demand and you're not going to stick around at an AV company getting paid trash for boring work. Operating systems have improved extremely since what you learned starting out in tech and they've long surpassed in quality the AV software that claims to protect them.

May 2, 2016 07:30
|
Paul MaudDib posted: Not disagreeing with you directly but can you provide some comparative numbers on this? Like critical/severe vulnerabilities in client software versus the AV layers?

Keep in mind that vulnerability counts are not a great metric for security (1 remote code is as good as 20). What scope are you talking? "The client software" is pretty vague, and you need to keep in mind that most malware doesn't actually need exploits to do anything on a lot of platforms where AV is common (aka Windows). If you'd like details on the AV side of horrible vulns I recommend looking into Project Zero and Tavis Ormandy's continued thrashing of all AV platforms out there; there are many vulns there that demonstrably make the device worse off than if the AV wasn't there at all.

May 2, 2016 07:45
|
Paul MaudDib posted: Thrashing any given platform doesn't prove that it's more vulnerable than an unthrashed platform. I highly encourage you to consider the medical problem of detection rates of (eg) thyroid nodules versus actual cancerous nodules. A vulnerability is not the same thing as a virus, just the same as a benign nodule is not the same as a cancerous nodule.

What vulnerabilities in any platform does AV close off? None. You're again conflating malware with vulnerabilities, and that's not correct; most malware does not exploit any vulnerability.

BangersInMyKnickers posted: Microsoft is doing gently caress-all to effectively protect the user session. Keep crap out of system or stop rootkits? Sure, but you don't need system to run a botnet client if the same user is on all the time and you're blocking system sleep.

The integrity level scheme with UAC is a nice start but it's not consistently used and plugins often give an easy escape path. Windows' model's greatest failure is the complete lack of sandboxing anything from anything. The amount of bullshit one random program can do to another is just sad.

apseudonym fucked around with this message at 16:45 on May 2, 2016

May 2, 2016 16:18
|
Subjunctive posted: This is very important. Please read this text. Vulnerabilities are how malware get installed, not how malware does its dirty work. And the network-facing software like browsers are increasingly pointless for scale attackers (vs directed) to use, because they get patched too quickly. Except Java, but plugins are dying soon too, and Java is basically unnecessary for the web today anyway. (We have some vendor finance apps at work that need browser Java, so the people who need them get VMs to run them on. The VMs are wiped and recreated after every session, even though they're network-constrained to not leave the corporate network. Java: eternally vigilant.)

I'm not sure I'd go so far as to say that vulns are how malware get installed/executed. Oftentimes it's us, the user, that executes the malware.

May 2, 2016 19:25
|
online friend posted: lack of education/awareness is a vulnerability by definition

If the security of your system depends on users (or IT admins or whatever) being smart and constantly vigilant about security then it is an unfixable system.

May 2, 2016 21:07
|
online friend posted: i never said that, all i said was that it is a vulnerability.

May 2, 2016 21:28
|
ItBurns posted: I didn't buy your av. I was going to swap mine with yours until I saw that someone had beaten me to the punch. You know this though. I'll make good on it, I promise.

quote: Revealing metadata is a clear reversal of what was stated by the lauded and accepted and unquestionable expert of all things whatsapp. Facebook now has potentially uniquely identifiable hardware fingerprints, contacts, archives of encrypted messages for the last X years, and complete control over the entire protocol and ownership over all data transmitted through whatsapp regardless of mode or privilege.

You need to at some level trust Whatsapp (and Facebook) not to gently caress you or your encryption. They could easily push an update tomorrow that exfils cleartext or keys if they were so inclined.

Aug 26, 2016 02:58
|
ItBurns posted: This was proven to be verifiably false within five minutes.

There's nothing stopping the poisoned version from going to just you, if you want to get all tinfoil hat, so lots of other people doesn't help. You're not actually going to reverse engineer it every time you get an update, nor will you probably notice every time you do. Anything that requires constant vigilance by the user is hosed by design. Besides, even if you did, just looking at the network output is not sufficient to be certain. How do you know you're more clever than the person trying to do bad things to you?

Aug 26, 2016 03:45
|
pr0zac posted: Rowhammer is cool as hell and a lot of fun to play with if you have hardware it'll work on. It's also going to remain irrelevant for anyone in this thread that's not protecting nation state level secrets as long as most people still have terrible passwords and use SMS for 2fa.

Let them dream man.

Sep 3, 2016 04:34
|
FeloniousDrunk posted: On the topic of password managers, I rolled my own crypto! Basically for people who don't trust LastPass etc. It runs entirely in the browser, no local storage, randomized per instance (unless choices have been made by the user).

A password generator I have to inspect the source code for every time I open it seems kinda pointless. Also your randomness is garbage.

Sep 4, 2016 07:16
|
Pie Colony posted: I'm currently working as a software engineer. It's cushy as all hell, I'm making amazing bank (esp. for a 26 y/o), but I'm incredibly bored. It's not particularly challenging and I have to work with mostly poo poo code all day. Basically I have 3 options:

Good software engineers that understand security are worth their weight in gold. It's really hard to find security people that can build stuff and it's rewarding as gently caress work; can't recommend it enough.

Oct 20, 2016 06:56
|
Biowarfare posted: What would be the easiest way to roll my own crypto? PHP/Python/Java server-side, JS in browser client-side.

Why in the world do you want it not to meet any standard?

Oct 24, 2016 01:25
|
ming-the-mazdaless posted:

I get quoted in articles as a senior engineer that's kinda

Nov 4, 2016 20:07
|
Subjunctive posted: They just mean that you're old.

I'm 26 and look 16 if I shave.

Nov 5, 2016 00:47
|
My business cards list my job as ¯\_(ツ)_/¯
|
Nov 5, 2016 06:04
|
BangersInMyKnickers posted: Pretty much everything client-side if it's been patched within the last year is going to require 3DES as a minimum, downgrade attacks won't get you far. DES/RC4/null is disabled on most everything that isn't some legacy server-side garbage. Cert fuckery is going to require admin rights on the target machine to allow for easy MITM interception without every website and application throwing cert errors.

They're talking about sslstrip, not a protocol downgrade, and that only works on things that default to http (aka poo poo you type into the browser that's not on an HSTS list). Applications besides browsers are generally unaffected unless they're dumb and relying on the http -> https redirect.

Nov 23, 2016 22:48
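The distinction drawn in that reply (sslstrip only bites when the browser itself emits a plain http:// request, which HSTS state prevents) is easiest to see by modelling the browser side. The block below is an added example, not part of the thread and not code from any browser: a small HSTS store that parses Strict-Transport-Security headers, honours max-age expiry, includeSubDomains and max-age=0 removal as RFC 6797 describes, ignores headers received over plain HTTP, and classifies a typed URL as going out in the clear, being upgraded in the browser, or already being HTTPS. The hostnames and the one-entry preload list are constructed for the demo; real browsers ship a large hardcoded preload list.

```javascript
// Added example (not from the thread): a minimal model of a browser's HSTS state,
// used to show which typed URLs would leave the machine over plain HTTP. All
// hostnames and the preload entry are constructed for the demo.

// Parses a Strict-Transport-Security header value into {maxAge, includeSubDomains}.
// Returns null when there is no valid max-age; browsers ignore such headers.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(';')) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const [name, val] = directive.split('=').map((s) => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      const n = Number(val?.replace(/^"|"$/g, ''));
      if (!Number.isInteger(n) || n < 0) return null;
      maxAge = n;
    } else if (lname === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(preload = []) {
    this.entries = new Map(); // host -> { expires, includeSubDomains }
    // Preloaded hosts behave as if a never-expiring includeSubDomains policy was seen.
    for (const host of preload) {
      this.entries.set(host.toLowerCase(), { expires: Infinity, includeSubDomains: true });
    }
  }

  // Applies a header received from `host`. Per RFC 6797 a header seen over plain
  // HTTP is ignored, and max-age=0 removes any stored policy for the host.
  applyHeader(host, headerValue, nowSec, overHttps = true) {
    if (!overHttps) return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) {
      this.entries.delete(key);
      return true;
    }
    this.entries.set(key, {
      expires: nowSec + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // True if a plain http:// navigation to `host` is rewritten to https:// before
  // any request leaves the browser. Walks from the exact host up through each
  // parent domain; parents only count if they set includeSubDomains.
  shouldUpgrade(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= nowSec) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}

// Classifies a typed URL: only http:// to a host with no HSTS state is sent in
// the clear, which is the window in which an http -> https redirect can be stripped.
function classifyNavigation(store, url, nowSec) {
  const u = new URL(url);
  if (u.protocol === 'https:') return 'https';
  if (u.protocol !== 'http:') return 'other';
  return store.shouldUpgrade(u.hostname, nowSec) ? 'upgraded' : 'cleartext';
}

// Demo with constructed hosts: one preloaded, one learned from a header.
const demoStore = new HstsStore(['preloaded.example']);
demoStore.applyHeader('bank.example', 'max-age=31536000; includeSubDomains', 1000);
console.log(classifyNavigation(demoStore, 'http://www.bank.example/login', 2000)); // upgraded
console.log(classifyNavigation(demoStore, 'http://unknown.example/', 2000));       // cleartext
```

The store is keyed by host only, which matches the page's point: HSTS is a per-host browser policy, so non-browser clients that hardcode an http:// URL and trust the redirect gain nothing from it.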
|
Relying on common sense is as dumb as relying on AV, even the best people make mistakes. Common sense helps, but it's no replacement for secure by default systems.
|
Dec 14, 2016 01:40
|
OSI bean dip posted: I'll write a book on herding cats if this were to ever work.

Systems are markedly better than they used to be (but still a long way to go); people remain as prone to loving up as ever.

Dec 14, 2016 01:45
|
flosofl posted: Well, no. But I'm concerned with stopping them from being self-destructive idiots, not factoring them in as a layer of security.

I don't think you can remove them completely as a layer; they're still a (fallible) part of any reasonable model.

Dec 14, 2016 01:56
|
OSI bean dip posted: Just another reminder that AV vendors are (generally) idiots. Yet more ammunition for my "MitMs are bad never MiTM" crusade. Stop MiTMing god dammit.

Having written something that does similar caching (for an attack tool so the certs shouldn't be trusted in the first place, but it runs on a router and needs to not be generating certs constantly) this made me laugh. It's kind of annoying to do the caching correctly with alt names and friends but not very hard.

Jan 3, 2017 23:33
|
Jowj posted: I've got questions regarding powershell use as a company that has to pay a great deal of attention to potential attacks. I work in sysops. Our infosec team is trying to get powershell (as an interactive console) blocked via our AV in order to reduce risk if we get attacked.

You are correct and they are being dumb and hurting productivity without giving any useful increase in security. As for convincing them they're wrong? Good luck.

Feb 2, 2017 06:48
|
OSI bean dip posted: Still using LastPass?

Shruggie is really the spirit emoticon for security.

Mar 16, 2017 06:25
|
apropos man posted: .

Why do you think that?

May 3, 2017 08:13
|
apropos man posted: The first thing that comes to mind is that the eBay app started attempting to retrieve my passwords without any warning or input from me. I don't knowingly have any passwords stored with Google, so this failed. If I did have passwords stored with Google then there's some kind of password retrieval protocol which could theoretically be hacked.

Smart lock is better, trust me.

apseudonym fucked around with this message at 21:22 on May 3, 2017

May 3, 2017 21:19
|
EVIL Gibson posted: So that Intel bug was worse.

That's not an accurate description of the bug. The bug was they were comparing only up to the attacker-supplied length. The truth is funnier.

May 6, 2017 17:47
|
CLAM DOWN posted: 2) Smart Lock is the Android location or Bluetooth based unlock mechanism

May 8, 2017 00:49
|
22 Eargesplitten posted: Is it possible to make the fingerprint scanner unlock to just a still image of Goatse/Pain.whateverthefucktheeextensionwas?

Most sensors are capacitive but besides that it should be possible.

Jul 31, 2017 00:01
|
I like how quick we went from "OMG he's been disappeared the USA is the worstest" to "he's literally being held in the exact place you would expect for someone arrested by the FBI in Las Vegas". Twitter remains a stupid as gently caress source of breaking news. Opinions bad. News at 11.

E: phone posting spelling fixes

apseudonym fucked around with this message at 04:32 on Aug 4, 2017

Aug 4, 2017 04:08
|
Cross posting from yospos: Your Android phone isn't completely owned. All networks are untrusted and if you have an open network in your network list this literally changes nothing for your security. Even then, if your poo poo isn't end-to-end secure it's insecure, full stop; trusting WiFi security for absolutely anything beyond packets from your device to the router is stupid.

Oct 16, 2017 19:03
|
anthonypants posted: Does android still do that thing where if you install a root certificate, like you might for a VPN, it leaves a notification forever that your phone's network activity is being monitored? There were at least two threads about it on the Google issue tracker, but that was a while ago and they've been disappeared.

If you install it and confirm your lockscreen credentials, no; if it's installed via API, yes, or if you have no lockscreen or clear the lockscreen as well. You shouldn't install a CA into the device-wide user-added CA set for a VPN; if you do you're doing something wrong. The builtin legacy VPNs don't require it and any VPN app will let you provide it there so it's only trusted for what it should be trusted for.

Oct 17, 2017 16:17
|
fyallm posted: right, proxy and other things, but was curious who people used for vpn.. private internet access, expressvpn, nord?

Proxies also don't anonymize things either. What are you trying to do? Also keep in mind if there's one place heavily monitored on the Internet it's the exit from VPN services sold for anonymity.

Oct 18, 2017 18:13
|
|
Mr. Crow posted: As I just looked into this, AWS and other cloud services are prohibitively expensive for most users/uses. The cheapest usable machine I could make for it was about $600 a month not including bandwidth, but even if you just use an AMI or something it was around a hundred (unless you do a micro which gives you 750 hours a month free, but back to potato network speeds).

I run a VPN on GCE as part of my MiTM security testing setup and it's not even $15 a month with bandwidth.

Oct 18, 2017 20:46