Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell


I always wish I could talk to the people who implemented these stupid things and find out what the hell they were thinking.

Thermopyle

There's also the webautotype plugin which will match against the URL of the page displayed in the browser. Can use regex against the URL as well.

I'm conflicted about whether the security implications of taking on yet another dev's code is worth it, but I do use it.

Thermopyle

Anyone have any thoughts about CKP? It's a Chrome extension that accesses your KeePass DB stored on GDrive or Dropbox or whatever.

The main reason I would want to use it is for using on a Chromebook. It's a real hassle looking up passwords on my phone and typing a 32 character password in on my chromebook.

On the other hand, decrypting my keepass database in the browser just feels horrible.

Thermopyle

Furism posted:

Why would you want a Chromebook over a Linux laptop? Genuinely interested to understand the use case.

The other posts have answered a lot of this, but what pushes it over the top for me is that over the years, more and more of my computing has been in the browser exclusively.

When I'm at my desktop 95% of my usage is covered by IDEs, text editors, games, and Chrome. I can't stand programming without multiple monitors so I'm not going to need the IDEs or text editors on a laptop. Ditto for gaming. That leaves Chrome being the vast majority of what I use on a laptop. It has word processors, spreadsheets, instant messaging, and all the rest of the web.

Couple that with the other stuff mentioned like basically zero janitoring and it was a no-brainer for me.

Thermopyle

Powered Descent posted:

The only things ChromeOS can run out of the box come from the Chrome store. There's also an extremely limited CLI, which 99% of users will never even see. But you can get a vastly improved, bash-like shell just by putting the thing into developer mode. Once there, you can do any command line tricks you like for do-it-yourself compression and/or encryption of files.

You can just install one of the apps from the Chrome store that unzip 7zip files.

Thermopyle


Isn't rundll32.exe part of Windows?

Thermopyle

That doesn't seem right either. I'm not a Windows developer but I feel like lots of things run rundll32.exe?

Thermopyle

SinineSiil posted:

Check if you can find that process in your task manager. I sure can't.

Yes I can. According to Process Explorer the "scan to PC" function of my HP scanner uses rundll32.exe to run a DLL.

Thermopyle

rundll32.exe is used to "run" DLL files which aren't normally runnable like exe files.

So, while it's possible some malware is being run this way, rundll32.exe being present isn't necessary and sufficient to say you've got some ransomware. You've got to check for that scheduled task he's talking about:

https://twitter.com/0x09AL/status/879739959942553600

It seems wrong to say "you're probably infected" if you see it in your process list, but I'm not positive about how common it is to run DLLs in this fashion. Some Googlin' leads me to believe it's pretty common, but I'm not sure.
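
Added example, not part of the original post: since the presence of rundll32.exe says nothing on its own, this PowerShell sketch reports which DLL each running instance was asked to load, whether that DLL is signed and lives in a system directory, and which scheduled tasks launch rundll32 at all. The helper name `Get-RundllTarget` and the simple `<dll>,<entry point>` command-line parsing are assumptions of this example; it lists any matching task, not the specific one from the linked tweet.

```powershell
# Added example. Assumes Windows PowerShell 5.1+ in an elevated session
# (without elevation, CommandLine is empty for other users' processes).
$sysDirs = @("$env:windir\System32\", "$env:windir\SysWOW64\")

function Get-RundllTarget {
    param([string]$CommandLine)
    # Strip the leading rundll32.exe token (quoted or bare). What remains is
    # "<dll>,<entry point> <args>", so the DLL is everything before the first comma.
    $rest = $CommandLine -replace '^\s*("[^"]*"|\S+)\s*', ''
    $dll  = ($rest -split ',', 2)[0].Trim().Trim('"')
    # A bare name such as shell32.dll is normally resolved from System32.
    if ($dll -and $dll -notmatch '^([A-Za-z]:|\\\\)') {
        $dll = Join-Path $sysDirs[0] $dll
    }
    return $dll
}

# One record per running rundll32.exe: target DLL, signature status, location.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $proc = $_
    $dll  = if ($proc.CommandLine) { Get-RundllTarget $proc.CommandLine } else { $null }
    $sig  = if ($dll -and (Test-Path -LiteralPath $dll)) {
        (Get-AuthenticodeSignature -LiteralPath $dll).Status
    } else { 'NotResolved' }
    [pscustomobject]@{
        ProcessId   = $proc.ProcessId
        ParentId    = $proc.ParentProcessId
        Dll         = $dll
        Signature   = $sig
        InSystemDir = [bool]($sysDirs | Where-Object {
            $dll -and $dll.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
        CommandLine = $proc.CommandLine
    }
} | Format-List

# Scheduled tasks whose action launches rundll32 (any such task, not a specific one).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'rundll32') {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-List
```

A signed DLL under System32 launched by a known parent (a printer or scanner helper, for instance) is the ordinary case; an unsigned DLL in a user-writable path, or a scheduled task pointing at one, is what deserves a closer look.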

Thermopyle

What if the only thing I care about is the 10 minutes between a random thief or losing it and me locking/deleting it?

Thermopyle

Yeah, but how often does a program handle objects in memory?

Thermopyle

https://arstechnica.com/?p=1145961

Proof of concept: Encode malware into DNA. Sequence DNA. Infect computer running DNA analysis software.

Of note, they didn't go out and find vulnerable software, they made a version of some software with an exploit,

Thermopyle

I'm not sure data security regulations are a good idea, but maybe those are worth a try and this fuckup will prompt some action on that front.

Thermopyle

I have little doubt that I'm a different person now than I would have been without the internet over the past 30 years.

It seems like the hard part is to make intentional (particularly social / psychological / behavioral) changes in people with technology, though.

Thermopyle

Subjunctive posted:

Yeah, our lives would be different without electricity as well. That's not quite where I was headed.

I know, I wasn't disagreeing with you, I was just contributing to the conversation.

Thermopyle

Subjunctive posted:

Yeah, sorry. Sick and cranky today.

It happens to everyone!

Thermopyle

Furism posted:

After all, if I leave my door open (or don't put enough locks on it, even) my home insurance isn't going to compensate me when somebody breaks in. This is the exact same thing.

According to this post that's not exactly the case:

Thomamelas posted:

They treat them exactly the same as burglary claims made because someone forgot to lock the door. They try to nickel and dime you over the replacement value of the items lost and then cut a check. Very few home owners insurance policies require forced entry. And something like 40% of all burglaries don't involve forced entry. They also pay out if you leave the keys in the ignition and the car is stolen. The claims adjuster might try to screw you more but that's a personal choice on their part rather than a legal one.

Thermopyle

Three-Phase posted:

These guys might make SSN+Birthday+Name as the digital master key completely worthless overnight. It would cause complete chaos but might be for the better in the long run.

I don't think there's any "might" to it. It would definitely be better in the long run. There's like a 100 entities out there who have my SSN/Birthday/Name for legit reasons.

Thermopyle

I've never heard of Innovis. All the articles out now about freezing your credit don't mention them...

Thermopyle

anthonypants posted:

It's not even new.

Yeah, sites serving miners in their JS have been around for a while.

Thermopyle

I did something similar years ago with the power LED on a Foscam IP camera just for fun. I used another Foscam IP camera pointed at it and then blinked the user-controllable power LED in Morse code (again, just for fun) and picked the LED out with OpenCV on the feed from the 2nd camera.

Thermopyle

D. Ebdrup posted:

The ways people find to exfiltrate data are absolutely fascinating - reminds me a bit of Ted Unangst describing how to exfiltrate data via receive timing and request timing, although it only manages 8bps it's almost undetectable by commonly used methods.

I like how Chrome doesn't trust his certificate authority.

Thermopyle

Furism posted:

Why morse? Is that lighter than binary?

No particular reason other than I (for some reason I don't recall) thought it was funny.

Thermopyle

Good news, you guys will have work forever until all of us software engineers switch over to TLA+ or other provable software dev techniques. Sucks that that means everyone else gets hosed. Well I guess infosec guys are people as well so you get hosed but compensated somewhat by having more work.

Thermopyle

Bah, the USPS thing wants me to come into the post office to verify my identity because it can't do it from the questions it asks me.

Thermopyle

It's amazing the number of emails I get directed at other people. Every day I get a couple.

The dot-able nature of Gmail addresses seems to mess people up or something.

Thermopyle

It seems like for SMS 2-factor to be compromised you have to be personally targeted, no?

Thermopyle

My 2-factor SMS accounts go to my Google Voice number. No carrier fuckery there. Of course, who knows what vulnerabilities exist in that system...

Thermopyle

EssOEss posted:

I recommend KeePass with Google Drive cloud sync of the password database. FolderSync works great on Android for this (the Drive app sync was pretty broken last time I tried it). No browser integration, just auto-type and clipboard on PC and the KeePass keyboard on Android.

Turn off "Safe file writes" or whatever it is in KeePass options or sometimes Drive will think you deleted the password database instead of saving it (because it does a SaveAs->DeleteOld->RenameNew sequence).

Also disable the "press enter after typing password" default option to stop you publicly tweeting your password in case you accidentally activate auto-type somewhere you should not.

KeePass2Android syncs to Drive or Dropbox automatically, no need for another program to do it.

Thermopyle

EssOEss posted:

I remember I tried it but there was some reason I did not use the builtin stuff but I have totally forgotten what it was. Did it perhaps require network connectivity (it did not sync, just downloaded from Drive)?

It works offline and when it has connectivity it does a sync.

I always had problems with using it and Drive though. I don't remember the exact issue, but I think it had something to do with how Drive handles changes to files whose names haven't changed.

There's something you should do if you ever edit your database on your phone.

(maybe the problems I was having with Drive were before I set up the triggers mentioned in that above link...I honestly can't recall what was going on now)


The best part about using KeePass is that with the KeeAgent plugin, I can store my SSH keys in KeePass. When putty needs to connect to a server, KeePass asks for my KeePass password and automatically provides the key to putty.

Thermopyle fucked around with this message at 16:31 on Oct 9, 2017

Thermopyle

I seem to remember some of these anonymizing VPN providers being bad at keeping you actually anonymous but I can't remember any details or what the actual problem is (was?).

Anyone know what I'm talking about?

I'm asking because the following post in another thread made me think that I remembered something but I'm not sure...


tzirean posted:

I'm probably wrong, but this seems worse for privacy than typical VPNing. Instead of tracking your IP to a VPN service that doesn't keep specific logs, it's tracked to a cloud service that can happily hand over your exact details as the only user who could possibly have been at that IP at that time. Am I an idiot?

Thermopyle

Thermopyle posted:

I seem to remember some of these anonymizing VPN providers being bad at keeping you actually anonymous but I can't remember any details or what the actual problem is (was?).

Anyone know what I'm talking about?

I'm asking because the following post in another thread made me think that I remembered something but I'm not sure...

I was just reading through my RSS feeds and funnily enough this popped up.

quote:

Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,

Thermopyle

I have a lot of confidence that there will be some real regulatory help and/or legal consequences for poo poo IoT security.




hahahahhahaha

Thermopyle

Proteus Jones posted:

I imagine consumer devices are going to be hit harder in terms of getting timely fixes. Or any at all since many of them may be past end-of-life. Those are devices people tend to use until they break. I ended up buying my brother a modern wireless router when he casually mentioned he was still using some 2.4GHz only abomination.

Even if they got updates, good luck getting people to update them.

Thermopyle

People check LinkedIn?

Thermopyle

I use strongSwan for my VPN app on Android and the network-activity-monitored notification is so irritating.

Thermopyle

The Fool posted:

This article links to Streisand, which I had heard about but forgotten the name of.

And is one of the coolest bits of technology I've read about in a while.

The problem with Streisand is that it installs a poo poo ton of services.

Try algo instead. (says guy who used to use Streisand and moved to algo)

algo guys say about Streisand:

quote:

Good concept. Poor implementation.

It installs ~40 services, including numerous remote access services, a Tor relay node, and out-of-date software. It leaves you with dozens of keys to manage and it allows weak crypto.

That’s a hefty footprint and it’s too complicated for any reasonable person to secure. If you set up an individual server just for yourself, you’d never know if or when an attacker compromised it.

Thermopyle

Mr. Crow posted:

As I just looked at this, AWS and other cloud services are prohibitively expensive for most users/uses. The cheapest usable machine I could make for it was about $600 a month not including bandwidth, but even if you just use an AMI or something it was around a hundred.

You can also be sure as poo poo any of the big cloud providers are going to be monitoring traffic and give your information to the government, so it would really be useful only as a way to VPN while not being associated with the usual end points.

Best option looks like doing a coop with a datacenter and maybe getting some people you trust to split the cost/use.

I transfer like a terabyte per month through my DigitalOcean-hosted VPN which costs me $5/month.

Thermopyle fucked around with this message at 20:46 on Oct 18, 2017

Thermopyle

Mr. Crow posted:

Can you post details? What's your peak bandwidth? What sort of encryption are you running?

I'm not buying y'all are doing anything other than browsing the web and throttled torrenting on those machines, certainly not streaming video, but maybe I'm retarded (likely).

I just posted a link to the thread where I describe it up thread a few posts. It's the one to the thread about algo.

Thermopyle

Docjowles posted:


IPsec has a lot of knobs and is fiddly as hell. Which is good for security but bad for random people who just want something to work.

This is why algo is good. (at least seemingly...I'm not qualified to really judge it)

Unfortunately, on Android you need a client app to use algo's IPsec VPN.
