join us on irc: irc.synirc.net #yossec

useful news resource for information security professionals: http://reddit.com/r/netsec/

here are some old threads that haven't been archived:
Security Fuckup Megathread - v11.4 - who u gonna snitch to pussy bitch gently caress u (apr 2015-apr 2016)
Security Fuckup Megathread - v10.1 (Hackers can turn your gas station into a bomb) (nov 2014-apr 2015)
Security Fuckup Megathread - v7.69 (stay safe security ghost) (aug-nov 2014)
Security Fuckup Megathread - v7.2 "BoringSFM" (jun-aug 2014)

Alereon posted:seriously though people dont post anything that would allow a lurker from gbs to gently caress with anything

Lain Iwakura fucked around with this message at 15:43 on Nov 3, 2016
# ¿ Apr 8, 2016 19:12 |
first post to hold stuff for later
# ¿ Apr 8, 2016 19:12 |
|
if you guys want me to put images or highlights from previous threads, just share them and i'll put them into the second post or some poo poo
# ¿ Apr 8, 2016 19:34 |
|
prefect posted:i think it's from this?

i think that there is an extended version?
# ¿ Apr 12, 2016 15:37 |
|
Happy Badlock Day!
# ¿ Apr 12, 2016 15:50 |
|
http://www.postphp.com/namecheap-livechat-social-engineering-leads-to-loss-of-2-vps/

quote:Namecheap live chat social engineering leads to loss of 2 VPS

i wonder how weak his other passwords were
# ¿ Apr 12, 2016 17:41 |
|
Wiggly Wayne DDS posted:http://badlock.org/

so worth the hype i say
# ¿ Apr 12, 2016 18:14 |
|
Shaggar posted:so when they say samba do they really mean SMB or is this actually a samba only bug?

https://technet.microsoft.com/en-us/library/security/ms16-047
# ¿ Apr 12, 2016 20:48 |
# ¿ Apr 15, 2016 03:51 |
pr0zac posted:I think I'm missing something

here's the original image: i tried to get the code to read but it's a bit too low res
# ¿ Apr 15, 2016 06:28 |
|
https://twitter.com/afreak/status/721020332669214720
# ¿ Apr 15, 2016 18:24 |
|
mods pls change thread to: Security Fuckup Megathread - v12.1 - P4ssword <---- look! the sysadmin!
# ¿ Apr 17, 2016 20:02 |
more grey forum security advice

Rathlord posted:A couple of people mention the whole "what's the point of having an AV, we're all screwed anyways!" deal and I'm not sure they got a perfect answer for it. Here's what I tell my friends:

Rathlord posted:I'm well aware of that, but you've sidestepped my point massively. First, there's plenty of old malware floating around out there, and second heuristic analysis is... extant, if not necessarily effective in the vast majority of cases. The reality is, AVs will save casual users infinitely more than not having one will save them (assuming the same usage). That alone is enough to merit having and using one. The "don't be an idiot and you'll never get a virus" (doesn't particularly matter to the end user whether it's old or not) by-line is all good and well, except even the pretentious asshats who feel the need to say it all the time know it's not true. There's plenty of examples in this very thread that disprove that idea. For casual users (and even to a certain extent power users), a combination of not being a dipshit and using an AV is by far the optimal solution. Neither will work perfectly on their own. The unfortunate reality is that the crappy advice/attitude mentioned in your post (and found smeared well over the internet by presumptuous power users) can have a negative impact on people's lives. If someone is asking if they should have an AV or not, the unequivocal answer is "yes," because if they're not educated enough to know the answer, they need it. I realize you don't quite stand behind the point you're bringing up ("the people who say"), but I believe wholeheartedly that it's worth disproving those people's arguments.

Rathlord posted:Some security is always better than no security. While you're right that security theater doesn't help anyone, really, your answer to someone asking you "Should I install an antivirus" is still always "yes." Again, unequivocally. Sure, always try to educate people. Yes, absolutely inform them that AVs aren't panaceas. But for sake of all that's good and holy please don't tell casual users not to use an AV unless you're going to sit down and teach them cyber (lol) security and ensure that they've learned it well enough to rely on that information (and update it) for the rest of their lives. Spoiler: most of the general population isn't going to do this. They should use AVs. Your weird strawman assuming that you can either tell people to never use AVs or tell them that all AVs are magical cure-alls doesn't add to this conversation.

Rathlord posted:And you honestly believe that the holes AVs have are more of a risk for a casual user than leaving them open to years worth of malware that not having the AV would leave them vulnerable to? I'd venture a guess that if you're being honest, you don't. Let's not pretend this is some perfect world where we can educate every user. 95% of people with computers do not and will not learn. You're using fringe (if major) issues with AVs to justify leaving end users open to exponentially more vulnerabilities.

Rathlord posted:There's an exception to everything in computer security. Glad you see my overall point, though.

he got mad and ran off at least
# ¿ Apr 18, 2016 17:37 |
Kaal posted:Ah, now the explanation for the sudden change of pace in this thread becomes clear. I'm not going to recommend that the average user just teach themselves to be safer (because lol) and I'm not going to tell them to install fourteen different "community-supported" GitHub projects with half-baked GUIs either. I don't care if Snowden and Assange think that NSA could hack Symantec, that doesn't affect the average user. Most people don't need to encrypt all of their data and disable their radio antennae - they need to stop saving all three of their passwords on their phone's notepad. Debating about the merits of paying for AV or using a free-version versus using the onboard AV is one thing - that's always a worthwhile discussion, and the balance changes (slightly) every few years - arguing that all anti-virus programs are bad is another.

lolwhat
# ¿ Apr 18, 2016 19:58 |
Kaal posted:The idea that the average user needs to deal with "zero-days" is complete nonsense. That thread is useful for the bored computer tech who wants to lock down their Steam games and Google photos tighter than Fort Knox and seriously discusses things like "state-level adversaries", and is willing to deal with all the inconvenience that goes with that, but realistically that just isn't that practical. For most people, it's a lot more useful to have software that will react when they ignore five different safety complaints by their un-updated browser/OS as they strive to click a link posted by their niece's "hacked" Facebook account.
# ¿ Apr 18, 2016 20:28 |
i'm the sec fuckup. i published my sa password to github (yes. this is still me)
# ¿ Apr 19, 2016 00:13 |
# ¿ Apr 19, 2016 01:26 |
poo poo
# ¿ Apr 19, 2016 01:41 |
Wheany posted:that's another advantage of using a password manager. even if you gently caress up, it only affects that one site.

p much

Segmentation Fault posted:that looks like one of those passwords SA automatically generates for you when you make a new account, I'd assume he didn't use it anywhere else

i can say that this is not the case
# ¿ Apr 19, 2016 02:01 |
anthonypants posted:where else did you use your sa password

everywhere
# ¿ Apr 19, 2016 02:12 |
akadajet posted:if you used lastpass it wouldn't be a problem bro

i'll install that. thanks for the advice
# ¿ Apr 19, 2016 02:25 |
Parallel Paraplegic posted:so wait your password is only 6 characters?

yes. i use a six-character password everywhere. it's kjs500. don't log into my aquatic fish forum account please
# ¿ Apr 19, 2016 02:26 |
akadajet posted:somebody acting like they trying to save face

p much. the honest truth is that it was an old password from god knows when and may have been generated by the forums and has resided in a password manager for at least 6 years. i added the file to the repo by mistake and craisins was chill and told me about it having a password. i went and changed the password before admitting it
# ¿ Apr 19, 2016 02:34 |
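The mistake described in the post above (a file with a live forum password committed to a repo, caught by another person reading it) is exactly what a pre-commit secret scan is for. The following is an added example, not code from the thread or from any of the posters: it looks at the staged diff (or at any text you hand it) and flags assignments to credential-looking keys plus high-entropy hex and base64 tokens. The "staged diff" sample, the kjs500 value, the key names, the placeholder AWS key (AWS's documented example value) and the entropy thresholds are all constructed or chosen for the demo.

```python
"""Pre-commit secret scanner (added example; sample input is constructed)."""
import math
import re
import subprocess
import sys

# Any key name that contains a credential word, followed by ':' or '=' and a value.
KEY_PATTERN = re.compile(
    r"""(?ix)
    [\w.-]*(pass(word|wd)?|secret|api[_-]?key|token)[\w.-]*  # key containing a credential word
    \s*[:=]\s*                                               # ':' or '=' separator
    ['"]?(?P<value>[^'"\s,;]{4,})['"]?                       # the value, optionally quoted
    """
)
# Hex runs (hashes, session ids) and base64-ish runs; both are filtered by entropy.
HEX_PATTERN = re.compile(r"\b[0-9a-fA-F]{32,}\b")
B64_PATTERN = re.compile(r"[A-Za-z0-9+/=]{20,}")

# Obvious placeholders that are not worth failing a commit over (compared lowercased).
ALLOWLIST = {"changeme", "example", "password", "xxxx", "<redacted>", "${password}"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tops out at 4, random base64 at 6, prose is ~4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, hex_threshold: float = 3.0, b64_threshold: float = 4.5):
    """Return (line_no, reason, stripped_line) for every suspicious line in text.

    Thresholds are assumptions for the demo: hex has at most 4 bits/char so 3.0
    catches random-looking hex; base64 needs 4.5 to skip ordinary words and paths.
    """
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_PATTERN.search(line)
        if m and m.group("value").lower() not in ALLOWLIST:
            hits.append((no, "credential assignment", line.strip()))
            continue
        for pattern, threshold, label in (
            (HEX_PATTERN, hex_threshold, "high-entropy hex token"),
            (B64_PATTERN, b64_threshold, "high-entropy base64 token"),
        ):
            if any(shannon_entropy(t) >= threshold for t in pattern.findall(line)):
                hits.append((no, label, line.strip()))
                break
    return hits


def staged_added_lines() -> str:
    """Only the '+' lines of the staged diff, so deleting a secret is not flagged."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(
        l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")
    )


# Constructed sample: the kind of config file that gets `git add`-ed by accident.
# The AWS value is AWS's documented example key, not a real credential.
SAMPLE = """\
[forums]
username = osi
sa_password = kjs500
[aws]
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
timeout = 30
password = changeme
session_id = 8f3a9c1e2b7d4f60a5e1c9b3d7f2a4e6
"""

if __name__ == "__main__":
    text = SAMPLE if "--demo" in sys.argv else staged_added_lines()
    findings = find_secrets(text)
    for no, reason, snippet in findings:
        print(f"line {no}: {reason}: {snippet}")
    # A non-zero exit aborts the commit when this runs as .git/hooks/pre-commit.
    sys.exit(1 if findings else 0)
```

Run it with `--demo` to see it flag lines 3, 5 and 8 of the sample while letting the `changeme` placeholder through; installed as `.git/hooks/pre-commit` it scans only the lines being added, so removing a leaked secret from a file does not itself trip the hook. It is a tripwire, not a guarantee: anything not matching a known key name or entropy profile gets through, which is why the password still had to be rotated once it had been pushed.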
BiohazrD posted:lmao osi, i saw that and was going to pm you about it but i just figured it was a hash or something

i am
# ¿ Apr 19, 2016 04:54 |
uncurable mlady posted:someone ought to change 'P4ssword' to 'kjs500' in the thread title tho
# ¿ Apr 19, 2016 04:54 |
uncurable mlady posted:today I learned that I'm a more competent security professional than a team at $very_large_financial_institution and it's not even my job

this is the case everywhere. some security professionals publish their passwords on github

yes. i still feel like poo poo
# ¿ Apr 20, 2016 03:05 |
Cocoa Crispies posted:eh, ever have some crook run up a $400 AWS bill mining bitcoins on your behalf?

fortunately not
# ¿ Apr 20, 2016 04:51 |
Subjunctive posted:yes, let's encrypt makes it trivial to enable SSL, since it automates server config, request generation, signature submission and cert/key installation. it is explicitly about making it too easy to not bother, because laziness/complexity is the big remaining barrier.

this is horrible because shaggar cannot see the forest from the trees here okay?
# ¿ Apr 20, 2016 21:17 |
shaggar should just delete all of his CA trusts tbh
# ¿ Apr 20, 2016 22:25 |
giving godaddy your business is generally a bad idea like they offered to fund and host canary once and i said no
# ¿ Apr 20, 2016 23:42 |
Shaggar posted:any reason, or just standard goon hatred?

basically they didn't fit my business model
# ¿ Apr 20, 2016 23:45 |
# ¿ Apr 21, 2016 00:24 |
suffix posted:lol at exposing anything written in php to the internet
# ¿ Apr 21, 2016 21:36 |
http://www.amazon.com/Dojo-Labs-Inc-DL007/dp/B017VTR1ZE/180-5870193-2671613?ie=UTF8&ref_=cm_sw_r_cp_awd_pGcgxb90MNJST

so is this the cyber equivalent of a pet rock?
# ¿ Apr 21, 2016 21:56 |
quote:Dojo actually learns. It gets to know devices and finds patterns in their behavior that define their level of security and common vulnerabilities. It’s a sophisticated defense system that utilizes pattern recognition to learn to detect threats. Without even having to look at the data or knowing what’s attacking, Dojo can block them. It listens to patterns, not your data.

quote:We’re a team of security experts and hackers on a mission to build a security net around the connected home. And we're building products that we actually enjoy having protect us – keeping our devices in check and ensuring we are the ones in control of our privacy.
# ¿ Apr 21, 2016 22:00 |
Segmentation Fault posted:it's a pet rock AND a firewall! Genius

two things that do nothing merged into one. i wish i came up with this idea aeons ago
# ¿ Apr 21, 2016 22:06 |
shinmai posted:crosspissing from the pics thread

that is loving gold
# ¿ Apr 21, 2016 22:14 |
flakeloaf posted:more aesthetically pleasing than a garbage can inside another garbage can, i'll give them that much

sort of amazed that they outright disappeared
# ¿ Apr 22, 2016 00:56 |
Trabisnikof posted:Atias also told Engadget that it designed the Dojo from scratch so that no legacy security issues from off-the-shelf components will compromise it. But he and the company acknowledge that nothing is completely hacker proof. It's really about setting up the best wall to stop most threats. "There's nothing that's 100 percent secure. It's always effort versus value. This is very high effort for the value of hacking a consumer," Atias said.

Lol legacy. I want to know more
# ¿ Apr 22, 2016 02:24 |
the greys are overly paranoid about whatsapp

pr0zac posted:You guys know It takes all of 5 minutes to decompile an iOS app and/or mitm the traffic to check claims of backdooring or logging right? Objective-C doesn't even obfuscate symbols, any idiot can do it.

ohgodwhat posted:It doesn't have to do anything obviously nefarious if the protocol is poo poo and/or improperly or poorly implemented.

poor pr0zac
# ¿ Apr 22, 2016 04:59 |