|
Segmentation Fault posted:We went a year without pooptouching! Something we should all be proud of.
|
# ¿ Apr 8, 2016 21:24 |
|
cheese-cube posted:i'll buy this tag for the next 10 ppl who quote this post (might take me a couple of days to do so, ive just moved house and have no internet yet)
|
# ¿ Apr 9, 2016 19:05 |
|
computer toucher posted:Yep. Best I can tell the bar for APT is things that malware was doing 10 years ago. But on an enterprise network.
|
# ¿ Apr 11, 2016 07:37 |
|
Not the cleverly named vuln we wanted but the one we deserved.
|
# ¿ Apr 12, 2016 18:47 |
|
anthonypants posted:apparently if you generated enough bit.ly urls you could get access to someone's onedrive until microsoft removed the feature http://www.wired.com/2016/04/researchers-cracked-microsoft-googles-shortened-urls-spy-people/ This is from a good friend and my old PhD advisor, the paper is worth a read for the laughs.
|
# ¿ Apr 15, 2016 07:42 |
|
jony ive aces posted:unless you get owned by bit.ly or whatever Skip the articles and just read paper: http://arxiv.org/pdf/1604.02734v1.pdf
|
# ¿ Apr 15, 2016 16:43 |
|
Subjunctive posted:that thread is bad and that guy is the worst I don't know why I have all the security related threads outside of this one bookmarked, reading them just makes me sad or angry.
|
# ¿ Apr 18, 2016 22:07 |
|
my SA password is ******
|
# ¿ Apr 19, 2016 02:34 |
|
If malware websites using HTTPS seems like a scary or notable change you've made some serious mistakes.
|
# ¿ Apr 20, 2016 22:07 |
|
Godaddy is my favorite for getting certs because even for the couple test DV certs I got they call me when they're getting close to expiring and I get to hear a live human being say "would you like to get a new certificate for dickbutt.<...>.su?"
|
# ¿ Apr 20, 2016 23:25 |
|
My favorite part is the part where Shaggar thinks getting a DV cert from anyone else is hard or requires stronger checks than what Let's Encrypt does.
|
# ¿ Apr 21, 2016 02:18 |
|
Shaggar posted:lets encrypt is the worst of them because they provide automated mechanisms for malware to get certs and their policy specifically states that they're ok with signing malware certs. What exactly concerns you with malware having certificates?
|
# ¿ Apr 21, 2016 02:29 |
|
Shaggar posted:ive already talked about it but normal users use certificate trust (aka the padlock in the address bar) as a sign that the site is ok. Yeah that's dumb. TLS needs to be the default, not some extra 'special' sauce. The idea that paying for a trusted SSL certificate helps against malware makes as much sense as saying paying for an account on SA prevents shitposting, but here we are arguing with Shaggar.
|
# ¿ Apr 21, 2016 02:37 |
|
Shaggar posted:oh hey look, the 10bux actually works really loving well. if someone keeps getting banned they gently caress off and don't come back. They can also get permabanned because their credit cards provide lowtax with at least some level of identification. I don't think you understand what trust means in the context of TLS. Let's Encrypt certificates do give you as much confidence as any other DV cert that the owner of the domain owns the private key for the certificate presented. That's all certificate trust is there to tell you, not some moronic nonsense about malware. e: Rufus Ping posted:Subjunctive: Sounds like the kind of thing adrienne porter felt has probably looked into
|
# ¿ Apr 21, 2016 02:50 |
|
Shaggar posted:not actually true Even in the middle of this really awful article Trend admits the reality of certificates: quote:Domain-validation certificates only confirm that the relevant domain is under the control of the site recipient. If you believe certificates do more than that then you are wrong.
|
# ¿ Apr 21, 2016 02:56 |
|
Subjunctive posted:in 2010 when I joined the board of StopBadware (the clearinghouse for the Google safe-browsing list, among other things) malvertisers and other miscreants were already getting DV certs for any number of domains. when I raised it at CABForum with CA operators, nobody was interested in doing anything about it, including not wanting to go to short-lived certs so that bad actors once identified could have their certs neutered. I'm actually on their side on this one; it's not the CA's business to certify if the person is bad or not, only that they are who they say they are. The last thing we need is such an ambiguous area of decision making in the hands of CAs. quote:a. Active eavesdropping (e.g., Man-in-the-Middle [MitM] attacks); and
|
# ¿ Apr 21, 2016 02:59 |
|
pseudorandom name posted:oh, and also: The best thing the CA model has given us so far.
|
# ¿ Apr 21, 2016 03:13 |
|
Subjunctive posted:I dunno, the credible death threats Kathleen and I got when Mozilla added CNNIC as a root were pretty fun. (Mozilla and Google now actively distrust that root, even if cross-signed, because of grossly improper issuance. Microsoft continues to trust it fully as a root.) People on the Internet and their loving death threats, will we ever grow up?
|
# ¿ Apr 21, 2016 03:19 |
|
Subjunctive posted:all my passwords are hashes of shaggar posts Salted with the names of Microsoft products?
|
# ¿ Apr 21, 2016 16:40 |
|
Sharktopus posted:not necessarily a sec fuckup but it makes me giggle: Stealing this
|
# ¿ Apr 27, 2016 01:04 |
|
spankmeister posted:LEST WE FORGET Its 2016 and people still say "don't connect to untrusted networks". Jesus Christ how can people still miss the point so hard.
|
# ¿ May 1, 2016 00:17 |
|
Phoenixan posted:hey if phones, tablets, and windows 10 are willing to connect to open networks by default setting automatically it's gotta be secure enough! Phones, tablets, and (hopefully) windows 10 consider all networks untrusted, because they are.
|
# ¿ May 1, 2016 05:57 |
|
Powercrazy posted:"These things clearly only exist to torment me. " I see we don't like hyperbole when it's written by GIRLS on the INTERNET
|
# ¿ May 4, 2016 22:06 |
|
Subjunctive posted:grey thread reported that one of the malware removal tools we recommend was installing itself long term and upselling, so we're removing it from the program today and someone is writing them a letter. I hope it's strongly worded
|
# ¿ May 4, 2016 22:20 |
|
Subjunctive posted:strongliest Does the first letter of every line spell out "gently caress YOU"?
|
# ¿ May 4, 2016 23:03 |
|
pseudorandom name posted:Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208 Tavis focusing on AV has been the best source of funny public bugs that show how dumb this whole industry is.
|
# ¿ May 17, 2016 02:27 |
|
Number19 posted:https://twitter.com/FiloSottile/status/735940720931012608 I hate bluecoat more than just about anyone in this thread but this response is overreacting. If bluecoat does something evil with that CA it will be noticed and that CA will be blacklisted by all OS and browser vendors faster and more effectively than a bunch of windows admins winging on twitter can dream. Relax. The CA model is actually better at handling this poo poo than other proposed systems, CA businesses that issue MiTM certs kinda stop being CAs.
|
# ¿ May 27, 2016 05:02 |
|
anthonypants posted:yes i agree, symantec specifically has been a good gatekeeper http://colin.keigher.ca/2015/09/geotrustsymantec-has-revoked-all-ssl.html As lame and dumb as that was there are much better examples. Misissuance is the sky is falling sort of event, incorrectly revoking just makes them dumb. Did you expect Symantec to be smart? They do AV. LordSaturn posted:how will we know if they do Chrome's detection of the various MiTM google.com certs over the years is just one example. Browsers and OSes actually watch for sketchy poo poo because catching bad CAs red handed is awesome fun and the only way to make a trust model work.
|
# ¿ May 27, 2016 05:11 |
|
DuckConference posted:can someone explain the qualcom trustzone key thing? Hardware-backed keys are wrapped with the key burnt into the device that is only accessible by TZ; this makes the key blobs useless if they are removed from the device. If you steal the private key then that protection goes away. For disk encryption that drops the security of your disk encryption key from brute-forcing the key space to the strength of your password, which is probably very weak. apseudonym fucked around with this message at 02:12 on Jun 1, 2016 |

# ¿ Jun 1, 2016 02:09 |
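The point made in the post above (a hardware-wrapped key blob is worth nothing off-device, but once the device key leaks the only thing left between an attacker and the disk key is the password) can be shown with a small model. This is an added example, not code from the thread or from Qualcomm/Android; the wrapping cipher is a toy HMAC-SHA256 counter-mode keystream standing in for AES inside TrustZone, the `check_value` verifier is a constructed stand-in for the real footer check, and all keys, salts and passwords are constructed values.

```python
"""Toy model of a hardware-wrapped disk-encryption key (constructed example)."""
import hashlib
import hmac


def _keystream(key: bytes, length: int) -> bytes:
    # Toy stand-in for the wrapping cipher: HMAC-SHA256 in counter mode.
    # A real SoC would run AES inside TrustZone; this exists only so the
    # example runs with the standard library. Not a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(device_key: bytes, password: str, salt: bytes) -> bytes:
    """Key-encryption key = f(hardware key, user password).

    The password half is a PBKDF2 stretch (iteration count kept low so the
    example is quick). The hardware half mixes in device_key, which on a real
    device only code running inside TZ can read, so this function cannot be
    evaluated off-device unless device_key has been extracted.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return hmac.new(device_key, pw_key, hashlib.sha256).digest()


def wrap_dek(dek: bytes, device_key: bytes, password: str, salt: bytes) -> bytes:
    """Produce the key blob that sits on flash next to the encrypted partition."""
    kek = derive_kek(device_key, password, salt)
    return _xor(dek, _keystream(kek, len(dek)))


def unwrap_dek(blob: bytes, device_key: bytes, password: str, salt: bytes) -> bytes:
    """Inverse of wrap_dek (the XOR keystream is symmetric)."""
    return wrap_dek(blob, device_key, password, salt)


def check_value(dek: bytes) -> bytes:
    """Constructed verifier stored with the blob so unlock code can tell a
    correct unwrap from garbage; any such check makes offline guessing possible."""
    return hashlib.sha256(b"dek-check:" + dek).digest()[:16]


def offline_password_guess(blob, check, salt, device_key, candidates):
    """Work an attacker can do only once device_key has leaked: test password
    guesses offline against a copied blob. With device_key still locked in TZ,
    each guess would also need the 256-bit hardware key, so this search does
    not terminate; with it leaked, the search is bounded by password strength."""
    for pw in candidates:
        if check_value(unwrap_dek(blob, device_key, pw, salt)) == check:
            return pw
    return None


if __name__ == "__main__":
    dek = bytes(range(32))            # constructed disk-encryption key
    salt = b"constructed-salt"        # constructed, stored in the footer
    device_key = b"\x11" * 32         # constructed "burnt-in" key
    blob = wrap_dek(dek, device_key, "hunter2", salt)
    check = check_value(dek)
    # Blob copied off the device, hardware key intact: nothing recoverable.
    print(offline_password_guess(blob, check, salt, b"\x22" * 32, ["password", "hunter2"]))
    # Same blob after the hardware key leaks: the weak password is all that is left.
    print(offline_password_guess(blob, check, salt, device_key, ["password", "hunter2"]))
```

The defender's takeaway is the one the post makes: the blob design is sound, but its strength is the minimum of the hardware key's secrecy and the user's password, so a leaked device key silently downgrades "brute-force a 256-bit key" to "guess a PIN".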
|
DuckConference posted:your vpn service is a piece of poo poo: http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/ To be fair you should still be using end to end encryption so this shouldn't matter. Shouldn't
|
# ¿ Jun 1, 2016 21:37 |
|
I completely ignore certifications when reading resumes, who cares?
|
# ¿ Jun 3, 2016 17:55 |
|
Pull up thread, pull up! quote:Jake is known to do whatever it takes to get others to do all the work, but have his name listed first on the paper "because the names should be alphabetically sorted." What the gently caress? Who would publish with someone that does that?
|
# ¿ Jun 4, 2016 09:54 |
|
Triglav posted:manarchist Please tell me you just made that word up and it's not a thing.
|
# ¿ Jun 4, 2016 19:04 |
|
spankmeister posted:didnt know this was possible, thanks You can't get OTAs if you've modified your system partition so. Also, please don't root your devices; you are the worst part of your device's security.
|
# ¿ Jun 8, 2016 08:39 |
|
OSI bean dip posted:bromium's job is to put every app into their own container. the idea is to make it hard to infect a system with a specific application, etc. if you download a file in internet explorer, it belongs to internet explorer and won't execute outside of its sandbox Sandboxes are the long term solution, but kludging it onto OSes that weren't designed with sandboxing in mind doesn't go great and most sandbox products are poo poo and AV levels of lies.
|
# ¿ Jun 9, 2016 01:31 |
|
Parallel Paraplegic posted:Yeah we can go to conferences but only wanky terrible start-uppy conferences like that Oracle circlejerk one or dumb things about Node.JS Just do what I do when I go to DEFCON, drink and pretend you don't know anyone.
|
# ¿ Jun 9, 2016 03:33 |
|
LeftistMuslimObama posted:also take the battery out of your phone and nailpolish on every screw and seam on your lappy It's DEFCON in TYOOL 2016; it's much less interesting now, just don't be dumb.
|
# ¿ Jun 9, 2016 04:26 |
|
Swagger Dagger posted:https://twitter.com/deray/status/741355856420319233 Tying recovery and 2FA to phone numbers is so god drat dumb.
|
# ¿ Jun 11, 2016 00:35 |
|
spankmeister posted:when doing a con you don't really have a lot of time to go hiking or whatever so you're sorta stuck in vegas for the duration There's only like a few good talks at defcon and blackhat every year, you can make time.
|
# ¿ Jun 11, 2016 21:53 |
|
invision posted:Get VMWare Player here: Don't touch metasploit if you're new to security unless your goal is to just blindly run other people's tools. Hell, write some lovely tools yourself; it's not hard and you'll probably learn a lot more than running tools will teach you.
|
# ¿ Jun 14, 2016 02:53 |