join us on irc: irc.synirc.net #yossec

useful news resource for information security professionals: http://reddit.com/r/netsec/

risky business podcast is worth listening to and yospos has been mentioned in it before

here are some old threads that haven't been archived:

- Security Fuckup Megathread - v12.2 - you have slammed your dick in the car door (apr 2016-jan 2017)
- Security Fuckup Megathread - v11.4 - who u gonna snitch to pussy bitch gently caress u (apr 2015-apr 2016)
- Security Fuckup Megathread - v10.1 (Hackers can turn your gas station into a bomb) (nov 2014-apr 2015)
- Security Fuckup Megathread - v7.69 (stay safe security ghost) (aug-nov 2014)
- Security Fuckup Megathread - v7.2 "BoringSFM" (jun-aug 2014)

Alereon posted: seriously though people dont post anything that would allow a lurker from gbs to gently caress with anything

OSI bean dip posted: HERE IS A FORUM FOR YOU D&D WANNABES THAT WELCOMES CHAT ABOUT AMERICAN FOREIGN POLICY AND ITS UTTER FAILURE

Lain Iwakura fucked around with this message at 18:27 on Jan 5, 2017

# Jan 5, 2017 16:08
|
updated the op to include the secthread officially approved podcast, risky business (the previous thread was mentioned in an episode)
|
# Jan 5, 2017 18:28
|
if a yossec twitter list is created and doesn't look like poo poo, i'll make it official
|
# Jan 5, 2017 18:46
|
Segmentation Fault posted: speaking of secfucks and reddit, https://www.reddit.com/r/TronScript/ is a pretty good collection of "good at computers" types who believe in the "run a magical program" school of infosec

i'm the batch files committed to github https://github.com/bmrf/tron/tree/master/resources
|
# Jan 5, 2017 19:23
|
https://bugcrowd.com/netgear

quote: Payout Expected Outcome
|
# Jan 5, 2017 21:47
|
all bets are off with physical access
|
# Jan 5, 2017 23:31
|
r/netsec proves to be the best place to see painful discussions on password managers https://www.reddit.com/r/netsec/comments/5mahfl/1password_is_still_using_full_dropbox_access_to/

quote: 1Password on iOS doesn't even promote good security. It allows copying text to the clipboard. Any third party app can read the clipboard – users have to manually clear the clipboard by copying over it.

yes. jailbreak your device to fix a problem with 1password's innocuous copy and paste method
|
# Jan 6, 2017 18:28
|
negromancer posted: reminder that when I met him he told me that I reminded him a lot of himself and wasn't sure how to take that. Did he smell like smokes too because that is what I remember of him

I got to meet him at DEFCON in 2015
|
# Jan 8, 2017 03:54
|
Shaggar posted: FileZilla is pretty good so idk why you'd do this.

it's great if you want a tool that doesn't update itself effectively and has zero integration into AD
|
# Jan 9, 2017 16:22
|
never mind the fact that ftp is a garbage protocol
|
# Jan 9, 2017 16:23
|
negromancer posted: if you don't think mobaxterm isn't leaps and bounds ahead of fuckin putty, I don't know what to tell you.

i dunno about you but i can get mobaxterm's cygwin terminal by installing ubuntu for windows, x11 support by installing xming, and ssh support by either using ubuntu for windows or using kitty, which is a better version of putty (which by default does have an https download)

mobaxterm requires you to pay for more than three ssh sessions
|
# Jan 9, 2017 16:30
|
Shaggar posted: why would it need integration into AD?

if it has no AD integration it has no business in an enterprise
|
# Jan 9, 2017 16:31
|
Shaggar posted: or are you talking about FileZilla server? cause yeah i wouldn't use that.

yes. this is likely what atomicthumbs is talking about
|
# Jan 9, 2017 16:31
|
Westie posted: just got owned via plesk, i'd like to sha-

reversing that will be difficult due to its use of perl
|
# Jan 9, 2017 16:36
|
negromancer posted: No it doesn't.

You are right. It is 12 sessions and I am limited to two SSH tunnels. It is a terrible SSH client otherwise.
|
# Jan 9, 2017 17:54
|
negromancer posted: If you have more than 12 sessions open you either need to start using config management or screen sessions there buddy.

it's the ssh tunnels that kill me more than the 12 sessions
|
# Jan 9, 2017 18:23
|
enough chat about garbage ssh clients

https://www.assetstore.unity3d.com/en/#!/content/27938

https://www.gofundme.com/buy-secure-http-without-https
|
# Jan 9, 2017 22:35
|
http://www.semographics.com/smaes/

quote: Your plain URL text.
|
# Jan 9, 2017 22:44
|
Migishu posted: wasn't there some thing about the [any oss project] guy being an absolute rear end in a top hat for not patching known, ancient, bugs or some poo poo about him being stupidly arrogant?

anyway he has an apk http://www.semographics.com/smaes_webplayer/secure_http.apk

if i had time i'd probably tear it apart

too bad nothing seems to use it on github
|
# Jan 9, 2017 23:09
|
Tiny Brontosaurus posted: Yeah I heard but I'm not even looking. gently caress it. I have avs off anyway because that poo poo's annoying. An admin doxxed the credit card that bought my account and my IP info and is passing it around on offsites because they're mad at some person I'm not who was apparently getting them salty before I had so much as a facebook account. I get a pm inbox full of rape and death threats and gore but it's not actionable because "you can't prove anything." I'm not putting my own money into this shithole.

FactsAreUseless posted: No mods or admins have access to your credit card information, or any other user's. I just want to make sure everyone knows this. We do not see this information at all ever. It is not associated with your account. There are actual federal regulations dealing with how CC information is handled.

negromancer posted: As someone who worked at Steadfast (where the servers for this site are housed), that isn't true at all.

Subjunctive posted: How would the hosting provider know? Are they looking at private customer data?

negromancer posted: Because
|
# Jan 10, 2017 18:56
|
LeftistMuslimObama posted: just want to point out that tiny brontosaurus is legitimately a good poster who is constantly harassed because she calls out racist posts. that it's escalated to people doxxing her is horrible and it is an irl secfuck that the moderation here doesn't give a poo poo at all because she calls them out on their poo poo too.

oh. it wasn't directed their way. i'm more interested in seeing what comes out of this
|
# Jan 10, 2017 19:31
|
Powaqoatse posted: tiny brontosaurus is cool
|
# Jan 10, 2017 19:53
|
this is getting interesting

negromancer posted:

# Jan 10, 2017 21:22
|
years and years and years ago there was a claim that fistgrrl was keeping track of registrations using credit card numbers to see if anyone who's not supposed to come back does. that is where the rumours stem from
|
# Jan 10, 2017 21:36
|
Segmentation Fault posted: Security Fuckup Megathread - v13.1 - $10 for SA's customer CC info

i got one better
|
# Jan 10, 2017 22:44
|
i have proof
|
# Jan 10, 2017 23:01
|
Tesseraction posted: Once on the SA servers it's saved to /tmp/Wiggly Wayne DDS.details until the folder is cleared out at midnight.

also pls never ever use the term "military grade" thx
|
# Jan 10, 2017 23:40
|
how are the sa gift certificates generated? if you care not to divulge, can you tell us if they're generated in an idiotic manner? is "kjs500" used as a seed anywhere in the code or have you seen it anywhere else?
|
# Jan 11, 2017 00:06
|
Tayter Swift posted: it's kinda amazing that sa has gone as long as it has without getting completely owned in some fashion

SA has been owned. There's a username and password dump floating about from 2004/2005

Wiggly Wayne DDS posted: someone was dumb enough to use heartbleed

Not a big deal though!
|
# Jan 11, 2017 00:41
|
Tayter Swift posted: that was twelve years ago

that may be but you didn't specify a time frame either

also search has had stored xss issues as of last year
|
# Jan 11, 2017 00:45
|
remember firesheep?
|
# Jan 11, 2017 03:24
|
DuckConference posted: SA got banned from paypal a long time ago, the bittorrent forums or chargebacks or the katrina donation drive or something I don't really remember anymore.

It wasn't that SA got banned but rather Lowtax got pissed off at how PayPal handled large sums of money coming in. He was annoyed that they froze the funds and wouldn't let him give it to the Red Cross.
|
# Jan 11, 2017 03:31
|
|
anthonypants posted: gonna be a cold four years talking about secfucks without being able to mention us policy ever

this is the security fuckup thread; not the journalism integrity one

if you want to talk about how much buzzfeed and vox suck, go make a new thread

e: here you go: https://forums.somethingawful.com/showthread.php?threadid=3804977

Lain Iwakura fucked around with this message at 18:43 on Jan 11, 2017

# Jan 11, 2017 18:40
|
more ssl fuckery: https://groups.google.com/forum/?hl=en#!msg/mozilla.dev.security.policy/Htujoyq-pO8/uRBcS2TmBQAJ

quote: Since many web servers are configured to include the URL of the request in the body of a 404 (not found) response, and the URL also contained the random code, any web server configured this way caused domain control verification to complete successfully.

at least it didn't involve some random chinese outfit
|
# Jan 12, 2017 00:06
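To make the quoted domain-control-validation bug concrete, here is an added example (not from the post, the mailing-list thread or any CA's code) that models the flawed check beside an ACME HTTP-01 style check; the two origin servers are constructed stand-ins.

```python
"""Domain-control validation (DCV) check: the flawed "random code appears
anywhere in the body" logic beside an ACME HTTP-01 style check. Added
example; both servers below are constructed stand-ins, not real code."""
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def echoing_404_server(path: str) -> Response:
    """Constructed origin that hosts nothing, but whose default error page
    reflects the requested URL (random code included) in the 404 body."""
    return Response(404, f"<h1>Not Found</h1><p>The requested URL {path} "
                         "was not found on this server.</p>")


def make_controlled_server(path_to_body: dict):
    """Constructed origin whose operator really did publish the file."""
    def serve(path: str) -> Response:
        if path in path_to_body:
            return Response(200, path_to_body[path])
        return Response(404, "Not Found")
    return serve


def flawed_dcv(fetch, token: str) -> bool:
    """The bug in the quote: the code sits in the URL and any response whose
    body contains it is accepted, so an echoed URL in a 404 page passes."""
    resp = fetch(f"/.well-known/pki-validation/{token}")
    return token in resp.body


def hardened_dcv(fetch, token: str, key_thumbprint: str) -> bool:
    """ACME HTTP-01 style: body must be exactly token.thumbprint, a value a
    server cannot derive from the request URL, and the status must be 200."""
    resp = fetch(f"/.well-known/acme-challenge/{token}")
    expected = f"{token}.{key_thumbprint}"
    return resp.status == 200 and resp.body.strip() == expected


def demo() -> dict:
    token = secrets.token_urlsafe(16)
    thumb = secrets.token_urlsafe(32)   # stands in for a JWK thumbprint
    honest = make_controlled_server(
        {f"/.well-known/acme-challenge/{token}": f"{token}.{thumb}\n"})
    return {"flawed_accepts_echo": flawed_dcv(echoing_404_server, token),
            "hardened_rejects_echo": not hardened_dcv(echoing_404_server, token, thumb),
            "hardened_accepts_real": hardened_dcv(honest, token, thumb)}
```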
|
ErIog posted: im the /var/log folder on a pacemaker

https://msdn.microsoft.com/en-us/commandline/wsl/about
|
# Jan 12, 2017 07:51
|
https://twitter.com/CiPHPerCoder/status/819418588582965248

This guy...
|
# Jan 12, 2017 15:51
|
Thanks Ants posted: has anyone got any pointers on what to look for when hiring a firm/consultant to do penetration testing? it seems there's a ton of charlatans in the industry.

Usually a warning sign for me is when there are more marketing people than actual technical people.
|
# Jan 12, 2017 15:52
|
Wiggly Wayne DDS posted: in non-piss news cellebrite was hacked sometime last year and 900GB of data has been handed to at least motherboard https://motherboard.vice.com/read/cellebrite-sold-phone-hacking-tech-to-repressive-regimes-data-suggests

i've been asking about for the data to no avail

McGlockenshire posted: he's nuts, but he's also one of the only loud voices in the PHP community talking about security

i admire him for trying but i agree that he's insane for trying to fix the turd that is php
|
# Jan 12, 2017 19:00