|
Edit: nevermind
|
#
?
Aug 25, 2018 08:45
|
|
|
|
| # ? Apr 26, 2024 14:57 |
|
|
Boner Wad posted:yeah that’s what I thought too but the yellow threw me off ya see that yospos image in the top right of your screen ok, now click it
|
|
#
?
Aug 25, 2018 10:33
|
|
|
nooooo
|
|
#
?
Aug 25, 2018 10:48
|
|
|
spankmeister posted:Also atomicthumbs is the security fuckup imo Legit, this. Like, he’s not a journo or an infosec guy but  I’m neither either but that seems like the basic “right thing to do”, you know? Or at very least, give them a pre-publication heads up?This is more of a “lessons learned” thing than a “he should get  ” thing, obvs. Protect your sources or you won’t have any.E: also, death to pissPOS and all pissPOSers.
|
|
#
?
Aug 25, 2018 12:29
|
|
|
i don't think atomicthumbs predicted that it would spread beyond people already following him
|
|
#
?
Aug 25, 2018 17:04
|
|
|
yospos isn't even paywalled. i don't know what sort of privacy you expect posting here.
|
|
#
?
Aug 25, 2018 17:28
|
|
|
Security by obscurity
|
|
#
?
Aug 25, 2018 17:33
|
|
|
atomicthumbs did nothing wrong except maybe liking corgis a little too much
|
|
#
?
Aug 25, 2018 17:38
|
|
|
akadajet posted:yospos isn't even paywalled. i don't know what sort of privacy you expect posting here.
|
|
#
?
Aug 25, 2018 19:06
|
|
|
Schadenboner posted:
please don't post suicide threats in the pos
|
|
#
?
Aug 25, 2018 19:08
|
|
|
should've obfuscated the source by switching between yospos and amberpos
|
|
#
?
Aug 25, 2018 19:53
|
|
|
spankmeister posted:Security by obscurity my boss said to use this method for securing APIs then said something about certificates being dumb and expensive and just leave everything HTTP
|
|
#
?
Aug 25, 2018 20:13
|
|
|
Amberpos best pos. Also lol @ T-Mobile: went to change my password but they don't allow characters.
|
|
#
?
Aug 25, 2018 20:41
|
|
|
Wasabi the J posted:Amberpos best pos. No wonder, you're quite the character!
|
|
#
?
Aug 25, 2018 21:07
|
|
|
https://twitter.com/JamesPinnell/status/1033206934273384448 click through to the actual tweet to find bonus content in which epic games ceo tim sweeney complains about the fact that security researchers will publicly disclose vulnerabilities after they get patched out
|
|
#
?
Aug 26, 2018 02:58
|
|
|
Pikavangelist posted:click through to the actual tweet to find bonus content in which epic games ceo tim sweeney complains about the fact that security researchers will publicly disclose vulnerabilities after they get patched out I'mma just gonna quote it directly because it's such an amazing  .quote:Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
|
|
#
?
Aug 26, 2018 03:06
|
|
|
i just backdoored millions of phones trying to earn more money and google is making me look bad
|
|
#
?
Aug 26, 2018 03:07
|
|
|
mrmcd posted:I'mma just gonna quote it directly because it's such an amazing actually this is what i meant https://twitter.com/TimSweeneyEpic/status/1033226094357504000
|
|
#
?
Aug 26, 2018 03:08
|
|
|
The whole thing is the corporate nerd slap fight version of: https://www.youtube.com/watch?v=r6l_9reaLz0
|
|
#
?
Aug 26, 2018 03:10
|
|
|
lmao android is a dumb broken piece of poo pooquote:The Fortnite APK (com.epicgames.fortnite) is downloaded by the Fortnite Installer (com.epicgames.portal) to external storage: why is any of this a thing
|
|
#
?
Aug 26, 2018 03:13
|
|
|
how is an app that's already running and able to move other apps' poo poo around on the disk a thing that other apps have to work around is there no sandboxing?
|
|
#
?
Aug 26, 2018 03:16
|
|
|
Cocoa Crispies posted:lmao android is a dumb broken piece of poo poo "If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time." gj Google.
|
|
#
?
Aug 26, 2018 03:18
|
|
|
Cocoa Crispies posted:lmao android is a dumb broken piece of poo poo It's not really Android's fault though, beyond giving the user the ability to actually choose to "intentionally disabled the safety controlls and installed a half assed homegrown package manager that doesn't check signatures or really anything beyond a glorified file name." Like Android's fault is drinking too deeply of the well of FOSS thinking and saying "it's my handheld face computer I should have all the choices if I want"  which ok is a philosophy you can have but unfortunately 99% of the world population makes terrible choices if given the opportunity.
|
|
#
?
Aug 26, 2018 03:22
|
|
|
Cocoa Crispies posted:how is an app that's already running and able to move other apps' poo poo around on the disk a thing that other apps have to work around apps are sandboxed but they can access shared "external storage" which is typically a SD card, but it might just be another large partition on the phone's internal flash Shifty Pony posted:"If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time." yeah, Android's legacy permission model is terrible
|
|
#
?
Aug 26, 2018 03:27
|
|
|
pseudorandom name posted:yeah, Android's legacy permission model is terrible They should probably just bite the bullet and lock out old apps, but you just know there's still least a billion people who have that One Critical App For My Life™ that was last compiled from source in 2008 and still pretty much works and if it stops working every shitbox vendor that shipped the app once upon a time will blame Google when their users scream.
|
|
#
?
Aug 26, 2018 03:30
|
|
|
It is impossible to install the Fortnite for Android app without actively disabling several security measures. On some phones the carrier settings applied to the phone even make that impossible. This is because Epic were morons who refused to comply with the rules for getting listed on the regular store. And then on top of it they refused to implement basic methods for verifying signatures and integrity anyway, even though other apps that did somewhat similar things have had those for years.
|
|
#
?
Aug 26, 2018 03:33
|
|
|
Cocoa Crispies posted:how is an app that's already running and able to move other apps' poo poo around on the disk a thing that other apps have to work around the fortnite installer was deliberately not using its own private storage, it deserves all the blame here
|
|
#
?
Aug 26, 2018 03:34
|
|
|
Idea: make every app below a certain APK number, when it tries to run, pops up a big terrifying dialog that days "THIS APP IS OLD AS poo poo GARBAGE AND MAY PUT YOUR DATA AT RISK. CONFIRM OK? Y/N" before the OS executes it. Please hire me as an Android product manager.
|
|
#
?
Aug 26, 2018 03:35
|
|
|
mrmcd posted:Idea: make every app below a certain APK number, when it tries to run, pops up a big terrifying dialog that days "THIS APP IS OLD AS poo poo GARBAGE AND MAY PUT YOUR DATA AT RISK. CONFIRM OK? Y/N" before the OS executes it. iOS solves this problem in the typical Apple way by popping up a dialog that says “this app is too old to be allowed to run at all, tell the developer to fix this”
|
|
#
?
Aug 26, 2018 03:55
|
|
|
mrmcd posted:Idea: make every app below a certain APK number, when it tries to run, pops up a big terrifying dialog that days "THIS APP IS OLD AS poo poo GARBAGE AND MAY PUT YOUR DATA AT RISK. CONFIRM OK? Y/N" before the OS executes it. Ok
|
|
#
?
Aug 26, 2018 04:13
|
|
|
fishmech posted:It is impossible to install the Fortnite for Android app without actively disabling several security measures. yeah, if you want to leave important security measures intact, you get to install fortnite for iOS instead
|
|
#
?
Aug 26, 2018 04:22
|
|
|
Cocoa Crispies posted:yeah, if you want to leave important security measures intact, you get to install fortnite for iOS instead but then you end up with malware on your phone named "fortnite" so you're right back to square 1
|
|
#
?
Aug 26, 2018 04:31
|
|
|
i'd be ok with the whole "gently caress responsible disclosure" thing if google practiced it themselves but nah if you find a bug in google's code you have to wait an unbounded amount of time after you report the bug before you can publish your writeup for the bounty to be valid
|
|
#
?
Aug 26, 2018 07:37
|
|
|
Suspicious Dish posted:i'd be ok with the whole "gently caress responsible disclosure" thing What do you mean by that? Or do you use "responsible" as an euphemism for "vendor's fantasies" here?
|
|
#
?
Aug 26, 2018 08:56
|
|
|
EssOEss posted:What do you mean by that? Or do you use "responsible" as an euphemism for "vendor's fantasies" here? question mark dude strikes again
|
|
#
?
Aug 26, 2018 09:35
|
|
|
Suspicious Dish posted:i'd be ok with the whole "gently caress responsible disclosure" thing if google practiced it themselves but nah if you find a bug in google's code you have to wait an unbounded amount of time after you report the bug before you can publish your writeup for the bounty to be valid there's a difference between "if you want our money play by our rules" vs "ah bloo bloo someone talked about the huge fuckup we committed instead of helping us keep it a secret forever, to our benefit and their detriment" like dont get me wrong i loving cant stand the android permissions model, android users, and the general android philosophy, but you have to have some serious loving balls to follow the line of thought: "gently caress google they aren't getting a cut of our money" "well make our own installer with blackjack and hookers" "security is optional, what could go wrong" "oh no how could google not be on our side, refusing to help cover up the fact that our unbridled greed put their users at risk and made them look worse?!" "HOW COULD THIS HAVE HAPPENED"
|
|
#
?
Aug 26, 2018 09:36
|
|
|
teamdest posted:there's a difference between "if you want our money play by our rules" vs "ah bloo bloo someone talked about the huge fuckup we committed instead of helping us keep it a secret forever, to our benefit and their detriment" yeah, but if they did things the same way as every other game developer on mobile then their scrooge mcduck money pit might take longer to fill to capacity
|
|
#
?
Aug 26, 2018 13:07
|
|
|
we did a self-updating capability for our app because we wanted finer grained control on what to distribute to different phones and languages, maybe key rotation some day, and more bandwidth-efficient delivery, but Google got all butt-hurt and changed the Store policies to forbid it. they even admitted that our setup was fine from a security perspective, and they didn’t block use of downloaded code in general.
|
|
#
?
Aug 26, 2018 13:10
|
|
|
that sorta thing aint going to stop until a company can be brought on charges for negligence in relation to IT related poo poo "yeah our terribly written garbage app that we targeted towards millions of young children had critical security vulnerabilities, but google released it to the world before we had a chance to fix it?? Who is the real bad guy??" shouldn't be a position
|
|
#
?
Aug 26, 2018 13:17
|
|
|
|
| # ? Apr 26, 2024 14:57 |
|
|
spankmeister posted:Kevin Beaumont also didn't understand backporting when he scanned the Voatz website. There was also a thing around that same time where he didn't understand you could be prosecuted for poking at random unsecured public servers. His analysis of Windows malware is good, but the gaps in his knowledge are weird.
|
|
#
?
Aug 26, 2018 13:20
|
|
