|
Just run fstrim or whatever the windows equivalent is IMO.
|
# ¿ Sep 20, 2017 16:56 |
|
|
# ¿ Apr 26, 2024 05:04 |
|
Subjunctive posted: I thought the point of TRIM was that it didn't touch the data on the blocks, and just marked them as free, which is why it was good for wear and performance. I'm a little out of it today, though.
You're right. A TRIM call just schedules cells for wiping. Also, apparently wiping isn't the same as zeroing, which is why zeroing an SSD will do nothing to fix performance. So uhh. Write zeroes to disk until full, then delete? That said, as Double Punctuation said, fstrim or similar commands will start wiping your empty space immediately, as far as I know.
|
# ¿ Sep 20, 2017 17:09 |
|
wrong thread lol
|
# ¿ Sep 22, 2017 13:25 |
|
I had this happen just the other day on one of our websites at a semi-large client. They ran some poo poo, it found 404 pages, tacked a bunch of GET parameters onto the end and said "this is now a blind sql injection". The comedy is, even our CMS doesn't use GET parameters for anything beyond flushing current page cache for convenience when changing stuff, which you also can't do unless you're logged in as admin (which you can't do from outside the network, /admin just drops a 403). But anyway, that's beside the point, the 404 pages are static html. So I had to do a long writeup about why their findings are bullshit, because our CMS doesn't work that way at all and their vuln scanner software thing is bad because it makes poo poo up, and why static html pages can't have SQL injections, because they kept sending mails about ARE SECURITY every 5 loving minutes.
|
# ¿ Oct 5, 2017 18:08 |
|
Nothing, except the part where they found a bunch of SQL injections in it.
|
# ¿ Oct 5, 2017 18:54 |
|
They gave the sample requests, I ran them, and the things their tool said happened, didn't. It's a fairly simple php cms, and nothing in the get parameters ever gets anywhere near a database. I could maybe give them the benefit of the doubt if the 404 url in question was a url that tried to inject SQL (since the url is the thing that ends up being in a query to get the page for that location), but that part also gets sanitized before it's anywhere near the db.
|
# ¿ Oct 5, 2017 19:08 |
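The check the two posts above describe, replaying a scanner's "blind SQL injection" claim against a page that never touches the database, as an added example that is not from the thread or the CMS being discussed. All three handlers are constructed stand-ins: `static_404` serves a fixed HTML 404 and ignores the query string, `vulnerable_lookup` is a deliberately injectable page on an in-memory sqlite table so the check has something genuine to find, and `safe_lookup` is the same page parameterised. A boolean-based blind finding rests entirely on the TRUE and FALSE payloads producing different responses; on a static page there is no differential to report.

```python
"""Replaying a scanner's 'blind SQL injection' claim (added example; the
handlers and the sqlite table are constructed for it)."""
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit

STATIC_404 = "<html><body><h1>404 Not Found</h1></body></html>"

# Constructed in-memory "CMS" table for the injectable and safe handlers.
_db = sqlite3.connect(":memory:", check_same_thread=False)
_db.execute("CREATE TABLE pages (slug TEXT, body TEXT)")
_db.executemany("INSERT INTO pages VALUES (?, ?)",
                [("home", "<h1>Home</h1>"), ("about", "<h1>About</h1>")])


def _param(url: str, name: str) -> str:
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def static_404(url: str) -> str:
    # A static file: whatever is in the query string, the bytes served are the same.
    return STATIC_404


def vulnerable_lookup(url: str) -> str:
    # Deliberately vulnerable: the slug is concatenated straight into the SQL.
    slug = _param(url, "page")
    row = _db.execute(f"SELECT body FROM pages WHERE slug = '{slug}'").fetchone()
    return row[0] if row else STATIC_404


def safe_lookup(url: str) -> str:
    # Parameterised: the payload is only ever a slug that does not exist.
    slug = _param(url, "page")
    row = _db.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else STATIC_404


# Classic boolean-based pair: a scanner reports blind SQLi when these two
# requests come back different. On a static page they cannot.
TRUE_PAYLOAD = "home' AND 1=1 --"
FALSE_PAYLOAD = "home' AND 1=2 --"


def boolean_blind_differential(handler, base_url: str, param: str) -> bool:
    """True if the TRUE and FALSE payloads produce different responses, i.e.
    the parameter demonstrably influences a query. False means there is no
    differential on which to base a blind-SQLi finding."""
    sep = "&" if "?" in base_url else "?"
    true_resp = handler(f"{base_url}{sep}{param}={quote(TRUE_PAYLOAD)}")
    false_resp = handler(f"{base_url}{sep}{param}={quote(FALSE_PAYLOAD)}")
    return true_resp != false_resp


if __name__ == "__main__":
    for name, handler in [("static 404", static_404),
                          ("vulnerable lookup", vulnerable_lookup),
                          ("parameterised lookup", safe_lookup)]:
        hit = boolean_blind_differential(handler, "http://example.test/", "page")
        print(f"{name:22s} differential={hit}")
```

Against a real site the same check is done with the scanner's own sample requests: swap `handler` for a function that performs the HTTP request and returns the body (normalising anything that legitimately varies, such as timestamps or CSRF tokens) before comparing.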
|
Yeah, the admin-only things are only for clearing disk cache or similar maintenance work, they're not special pages, nor do they do anything relating to the db, thankfully. I know web apps can be really lovely, and that's why I really like our current framework. It has its problems and has been mighty lovely some years ago, but security wise it's been very sturdy lately. Only 5 security issues this year, with quick hotfixes, and they all required admin backend access in the first place to work.
|
# ¿ Oct 5, 2017 20:18 |
|
Imagine the minds blown, when they figure out STARTTLS also works with SSL.
|
# ¿ Oct 11, 2017 17:31 |
|
https://twitter.com/mrgretzky/status/919883806475194368
|
# ¿ Oct 16, 2017 16:10 |
|
I use strongswan and don't get that I think.
|
# ¿ Oct 17, 2017 16:25 |
|
Klyith posted: are you positive? the writing about this made it seem to me like the bug can only read kernel memory.
If you can read kernel memory, getting root access is probably only a matter of jumping through some hoops.
|
# ¿ Jan 3, 2018 21:11 |
|
You can probably find a private key that'll let you have root eventually, when you can read literally anything in memory.
|
# ¿ Jan 3, 2018 21:36 |
|
computers were a mistake
|
# ¿ Jan 3, 2018 23:41 |
|
ufarn posted: The Infosec Thread: Nice Meltdown, Dude
lol
|
# ¿ Jan 4, 2018 00:38 |
|
Subjunctive posted: If they don’t type `https` then it’s an HTTP URL and there’s nothing to downgrade. But no, AFAIK HSTS can only upgrade. What sequence do you have in mind?
probably that if you're mitm, you can suppress the hsts header
|
# ¿ Jan 9, 2018 14:06 |
|
Yeah, if your server just unconditionally 301s all http network to https (which it should), I don't think there's a way to downgrade that in any way.
|
# ¿ Jan 9, 2018 14:36 |
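An added example (not from the thread) of the client side of what the last three posts discuss: a minimal model of how a browser records Strict-Transport-Security and rewrites later `http://` URLs, and the first-visit window in which a MITM that strips the header (or keeps the client on plain http) leaves nothing for the browser to remember. Hostnames, header values and the attacker are all constructed for the example; the RFC 6797 rule that the header is only honoured over TLS is real.

```python
"""Model of a browser's HSTS policy store (added example; hosts, headers
and the MITM scenario are constructed)."""
import time
from typing import Optional, Tuple


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse 'max-age=N[; includeSubDomains]'. Returns None if max-age is
    missing or malformed, in which case a UA ignores the header."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """host -> (expiry timestamp, includeSubDomains). Preloaded hosts never expire."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        self.policies = {h: (float("inf"), True) for h in preload}

    def observe(self, host: str, over_tls: bool, headers: dict) -> None:
        # RFC 6797: the header only counts when received over TLS, so a plain-http
        # response (or an attacker who keeps you on plain http) can never set it.
        if not over_tls or "Strict-Transport-Security" not in headers:
            return
        parsed = parse_hsts(headers["Strict-Transport-Security"])
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)          # max-age=0 withdraws the policy
        else:
            self.policies[host] = (self.now() + max_age, include_sub)

    def should_upgrade(self, host: str) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry >= self.now() and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """All HSTS does: rewrite http:// to https:// before the request leaves."""
        if not url.startswith("http://"):
            return url
        host = url[len("http://"):].split("/", 1)[0].split(":")[0]
        return "https://" + url[len("http://"):] if self.should_upgrade(host) else url


def second_request_is_upgraded(mitm_strips_header: bool, preloaded: bool) -> bool:
    """First visit: the user types the bare hostname, the browser goes to http://,
    the server redirects, and the https response carries HSTS. A MITM on that
    first visit can strip the header or never let the client reach TLS; either
    way no policy is recorded. Preloading removes the first visit entirely."""
    store = HstsStore(preload=("example.test",) if preloaded else ())
    headers = {} if mitm_strips_header else {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    store.observe("example.test", over_tls=not mitm_strips_header, headers=headers)
    return store.rewrite("http://example.test/login").startswith("https://")


def subdomain_and_withdrawal() -> Tuple[bool, bool]:
    """includeSubDomains covers www.example.test; max-age=0 withdraws the policy."""
    store = HstsStore(now=lambda: 1000.0)
    store.observe("example.test", True,
                  {"Strict-Transport-Security": "max-age=60; includeSubDomains"})
    covered = store.should_upgrade("www.example.test")
    store.observe("example.test", True, {"Strict-Transport-Security": "max-age=0"})
    return covered, store.should_upgrade("example.test")
```

The store only ever turns `http://` into `https://`; it has no reverse operation, which is the "HSTS can only upgrade" point. What an on-path attacker can influence is whether a policy gets recorded in the first place.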
|
Thermopyle posted: Though, probably useful is the wrong word.
you, an internet poster: "how is where our staff are jogging every single morning useful info??" also you: " "
|
# ¿ Jan 29, 2018 03:10 |
|
you could go to the effort of doing all that poo poo, but on the other hand, you're an errorist in afghanistan, so you just go to strava.com and circumvent all that
|
# ¿ Jan 29, 2018 03:17 |
|
You can also sync keepass db over scp. Also, the problem with lastpass isn't that they got caught with bugs, it's that they got caught doing really loving stupid poo poo, repeatedly. All software has bugs, but some exploits manifest from bugs, others out of incompetence. The kind of poo poo lastpass keeps producing is the latter ones. Maybe they've fixed their poo poo recently, but we'll only know it when there's no more extremely dumb poo poo going on in their thing for the next 3 years.
|
# ¿ Feb 16, 2018 17:24 |
|
I'm in love with GDPR, it's already generating tears and it's not even in effect yet.
|
# ¿ Feb 22, 2018 13:14 |
|
Potato Salad posted: Now that's something I'll admit I've never seen in court -- does a properly functioning registration process imply authorization to access data, especially on a site where data sharing is the MO?
if it doesn't, registering on amazon.com would be just as illegal.
|
# ¿ Mar 27, 2018 12:34 |
|
Yeah sftp and scp are basically the same thing at this point. The only tragedy here is k2a not supporting ssh key auth
|
# ¿ Apr 16, 2018 08:17 |
|
It seems to be the best email reading protocol, OP.
|
# ¿ Jul 24, 2018 17:20 |
|
goddammit, this poo poo was bad enough when it was a figurative security theatre. is every lovely dos vuln gonna come with months of embargo and codenames now?
|
# ¿ Aug 6, 2018 15:08 |
|
rafikki posted: if you're not trending on twitter what even is the point
https://twitter.com/GNUr000t/status/1025939641206272000
|
# ¿ Aug 6, 2018 15:47 |
|
Re: KeepAss sync: it supports the scp protocol, even on windows as long as winscp is installed, though I think a plugin is needed? KeepAss can also act as a ssh agent so if your key is in your vault you don't need to log in either.
|
# ¿ Sep 13, 2018 13:45 |
|
the problem isn't people using gmail, the problem is admin accounts that aren't connected to a tesla-controlled email.
|
# ¿ Nov 18, 2018 09:02 |
|
at one point, steam said something like 90% of its users have a 1/1 birthday lmao
|
# ¿ Jan 2, 2019 22:41 |
|
Cup Runneth Over posted: They don't store this information though
they used to have a birthday check for age limited games, and they probably stored how many times people clicked each?
|
# ¿ Jan 4, 2019 03:44 |
|
exclusive locking in general is a big old clusterfuck on windows. "no, you can't play/open/close/delete/write/copy this resource or file. someone, somewhere has it open"
|
# ¿ Feb 6, 2019 15:59 |
|
Speaking of pwmgrs, KeepAss is amazing for my use case of "can sync over ssh", but it has basically zero team features. I need a preferably opensauce option for that, is hashicorp vault good? Anyone have any experiences with that?
|
# ¿ Jul 26, 2019 11:30 |
|
Mustache Ride posted: If you need something robust to do password storing for a team, try Thycotic (if you have deep pocketbooks), AWS KMS if you're an AWS customer, or whatever Azure calls their vault product if you're an Azure customer. All of these have a web front end you can log in and store passwords. They're much easier to use than Hashi's Vault if you're only planning on using it as a password management system.
Unfortunately, I don't have pockets deep enough for any of those lmao. OTOH, on thycotic's website: "The free version of DevOps Secrets Vault manages up to 250 secrets and never expires." This *might* actually be enough to use, i work at a fairly small shop. Thanks!
|
# ¿ Jul 26, 2019 14:43 |
|
wolrah posted: Am I the only one who's had more problems getting hardware working in Windows than Linux in the last few years?
if by "last few years" you mean "last 15 years" then no, no you're not
|
# ¿ Sep 25, 2019 09:34 |
|
yeah sni is lovely like that, i honestly couldn't believe how it worked when i first encountered it in the wild. i get why it exists (because ipv4 just won't die), but it's stupid.
|
# ¿ Nov 11, 2019 16:50 |
|
a firewall does not need to be a router, but a router has to be a firewall, is the point here i think
|
# ¿ Mar 6, 2020 20:34 |
|
wolrah posted: While firewalls and routers can be the same, neither has to be part of the other. Standalone firewalls are becoming less common these days but standalone routers are still very much a thing. Most layer 3 switches are just routing, not firewalling, likewise for internet backbone routers.
yeah sorry, i meant in the context of a NAT router. by default a NAT router will drop incoming connections, because it has no idea where to point them, which is the firewally choice. not an amazing thing in any way, except for home users who don't know poo poo. NAT really saved the world a ton of hurt there IMO, you mostly have to attack browsers now instead of people's publicly accessible, unpatched RDP ports. because i'm sure we all know if every ip was public, consumer routers would just blindly forward everything by default
e: and yeah, DMZ on consumer routers is a big lol of a misnomer.
|
# ¿ Mar 12, 2020 06:54 |
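The mechanism the post above describes, as an added example that is not from the thread: a toy port-overloading NAT table. An outbound packet creates a mapping from a public port back to the inside host; a reply that matches the mapping is delivered; an unsolicited inbound connection matches nothing and is dropped because there is no inside address to send it to. The "DMZ host" option just forwards everything unmatched to one inside machine, which is exposure rather than a demilitarized zone. All addresses are constructed (documentation ranges) and timeouts and TCP state are left out.

```python
"""Toy NAPT table: why a consumer NAT router drops unsolicited inbound
traffic, and what 'DMZ host' really does (added example; addresses constructed)."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Flow = Tuple[str, int, str, int]   # (inside_ip, inside_port, remote_ip, remote_port)


@dataclass
class NatRouter:
    public_ip: str
    dmz_host: Optional[str] = None
    table: Dict[int, Flow] = field(default_factory=dict)        # public port -> flow
    _ports: Iterator[int] = field(default_factory=lambda: count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: reuse or create a mapping, rewrite the source."""
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, existing in self.table.items():
            if existing == flow:
                break
        else:
            pub_port = next(self._ports)
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the delivered packet, or None (dropped)."""
        flow = self.table.get(pkt.dst_port)
        if flow is not None:
            inside_ip, inside_port, remote_ip, remote_port = flow
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        if self.dmz_host is not None:
            # "DMZ host": anything unmatched goes to one inside machine, every port.
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None   # no mapping, nowhere to deliver: dropped


PUBLIC = "203.0.113.5"
INTERNET_HOST = "198.51.100.9"


def unsolicited_rdp_is_dropped() -> bool:
    """A scan of TCP/3389 from the internet hits a router with an empty table."""
    router = NatRouter(PUBLIC)
    return router.inbound(Packet(INTERNET_HOST, 51000, PUBLIC, 3389)) is None


def reply_to_outbound_flow_is_delivered() -> Optional[Tuple[str, int]]:
    """An inside host opens a connection; the reply is translated back to it."""
    router = NatRouter(PUBLIC)
    out = router.outbound(Packet("192.168.1.10", 50000, INTERNET_HOST, 443))
    back = router.inbound(Packet(INTERNET_HOST, 443, PUBLIC, out.src_port))
    return None if back is None else (back.dst_ip, back.dst_port)


def spoofed_reply_is_dropped() -> bool:
    """A packet to a mapped port from the wrong remote endpoint is still dropped."""
    router = NatRouter(PUBLIC)
    out = router.outbound(Packet("192.168.1.10", 50000, INTERNET_HOST, 443))
    return router.inbound(Packet("198.51.100.77", 443, PUBLIC, out.src_port)) is None


def dmz_host_exposes_everything() -> Optional[str]:
    """With a DMZ host set, the same unsolicited RDP probe reaches an inside box."""
    router = NatRouter(PUBLIC, dmz_host="192.168.1.50")
    delivered = router.inbound(Packet(INTERNET_HOST, 51000, PUBLIC, 3389))
    return None if delivered is None else delivered.dst_ip


if __name__ == "__main__":
    print("unsolicited RDP dropped:", unsolicited_rdp_is_dropped())
    print("reply delivered to:", reply_to_outbound_flow_is_delivered())
    print("spoofed reply dropped:", spoofed_reply_is_dropped())
    print("with DMZ host, RDP lands on:", dmz_host_exposes_everything())
```

The drop in `inbound` is not a policy decision; it falls out of the table having no entry. That is the whole of the incidental firewalling the post credits NAT with, and `dmz_host` shows how little it takes to give it away.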
|
Kazinsal posted: If you can be successfully sued for it despite covering your rear end and doing it in good faith, you don't do it in America.
over here the company in question just tells the cops you hacked and stole something from them and they put you in jail if it's large enough lol balkan ftw
|
# ¿ Aug 25, 2020 12:45 |
|
CLAM DOWN posted: I am far far too elite to fall prey to your petty whaling schemes
Cup Runneth Over posted: But there's hot in {YOUR_AREA}
|
# ¿ Aug 29, 2020 10:03 |
|
|
keepass has separate save and sync functions. you're supposed to have a copy of the db you open, and then a "sync file" in a separate location, which you then copy around with syncthing. keepass has a trigger system that lets you automate syncing every time you hit save, so it's not a bother either once set up. i've edited keepass on my laptop, work pc, and phone while at my desk at work simultaneously and then saved and nothing was ever lost. just have to hit save again on the 2 that didn't sync last to get the last changes
|
# ¿ Feb 17, 2021 14:08 |