Penisface
Jul 17, 2008

"I am Albino. You wish to see me?"


DoomTrainPhD posted:

Those people don’t disclose anything and exploit the money for themselves.

i mean that linked article leaves the impression that the 0day ended up being fixed instead of exploited
maybe authors just were smart about it and quietly made a bunch of cash and never told anyone

edit: in short i don’t think responsible disclosure should be respected if the other side is irresponsibly destroying the planet
besides what happened to code is law?

Penisface fucked around with this message at 07:17 on Nov 14, 2021


Feisty-Cadaver
Jun 1, 2000
The worms crawl in,
The worms crawl out.

this app update showed up this week

if it’s not familiar it’s a popular international brokerage that handles hundreds of billions of dollars (at least). actual dollars, not stupid crypto poo poo

edit: to be clear, they are talking about a toggle on their login form where you enter your username and password. the toggle for ssl was off by default

Feisty-Cadaver fucked around with this message at 08:20 on Nov 14, 2021

GWBBQ
Jan 2, 2005




Main Paineframe posted:

they made sure to take care of the really important stuff too

https://twitter.com/briankrebs/status/1459548776226594818

They hacked the FBI but only managed to find five?

Not that the FBI is particularly good at keeping track of heads, they slapped another fifty years on the JFK files because they couldn't find his.

Jim Silly-Balls
Jun 6, 2001

Fondle my shiny metal ass





Feisty-Cadaver posted:

this app update showed up this week

if it’s not familiar it’s a popular international brokerage that handles hundreds of billions of dollars (at least). actual dollars, not stupid crypto poo poo

edit: to be clear, they are talking about a toggle on their login form where you enter your username and password. the toggle for ssl was off by default



why in gently caress would you let the user choose whether they use SSL in the iPhone app?

BlankSystemDaemon
Mar 13, 2009

System Access Node
Not Found:ins:




Jim Silly-Balls posted:

why in gently caress would you let the user choose whether they use SSL in the iPhone app?
:webshit: needs to be a smiley to explain this

haveblue
Aug 15, 2005




Toilet Rascal

hasn't ssl been mandatory for using http in app store apps for years

RFC2324
Jun 7, 2012

http 418



Lain Iwakura posted:

hi. i am still doing cool stuff. i run a cyber security team now so i get to be responsible for gently caress ups i guess

Hey, some of your posting in this thread helped inspire me to transition, so thanks

Crime on a Dime
Nov 28, 2006



haveblue posted:

hasn't ssl been mandatory for using http in app store apps for years

yeah it hasn't, ever

hobbesmaster
Jan 28, 2008



Feisty-Cadaver posted:

this app update showed up this week

if it’s not familiar it’s a popular international brokerage that handles hundreds of billions of dollars (at least). actual dollars, not stupid crypto poo poo

edit: to be clear, they are talking about a toggle on their login form where you enter your username and password. the toggle for ssl was off by default



iirc the last time it came up the authentication is always over tls but the actual trades and data could be sent over tls or not. the thing is that a lot of their traders think that they’re doing high frequency trading or some poo poo by hand and the millisecond saved by their phone not having to decrypt stuff matters.

doesn’t matter if it’s true if enough of their customers think they’re on a 486 on dial up in 2001 or something

Jonny 290
May 5, 2005

[ASK] me about OS/2 WARP




hobbesmaster posted:

the thing is that a lot of their traders think that they’re doing high frequency trading or some poo poo by hand and the millisecond saved by their phone not having to decrypt stuff matters.


uhhh lmao

mystes
May 31, 2006



Reddit is there to explain this for you!

https://www.reddit.com/r/interactivebrokers/comments/iwzho3/why_is_turning_ssl_off_even_an_option/

hobbesmaster
Jan 28, 2008



the other comment is

quote:

Some corporate networks still restrict SSL connections. Yes, even in 2020. The option exists for those clients.

Otherwise, there's no reason to turn it off.

RFC2324
Jun 7, 2012

http 418



Lmao

cinci zoo sniper
Mar 14, 2013



both more and less cursed than i thought

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.



Taco Defender

RFC2324 posted:

Hey, some of your posting in this thread helped inspire me to transition, so thanks

<3

Partycat
Oct 25, 2004



some corporate networks do prevent security, so out of a desire for comity we allow you to bareback the wire

BlankSystemDaemon
Mar 13, 2009

System Access Node
Not Found:ins:




:rubby:

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'



epic lomarf

haveblue
Aug 15, 2005




Toilet Rascal

Crime on a Dime posted:

yeah it hasn't, ever

ok, it's not a hard requirement but if you want to allow insecure http in an app that goes through review you have to give apple a good reason to let you do this. looks like this policy was introduced in 2017

https://developer.apple.com/documentation/security/preventing_insecure_network_connections#3138036

maybe they've been using one of the listed exceptions

haveblue fucked around with this message at 20:48 on Nov 14, 2021
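haveblue's post points at Apple's list of ATS exceptions. As an added example (not from this thread, not Apple's code), here is a small Python check that reads an iOS app's Info.plist and reports every App Transport Security relaxation it declares: the blanket NSAllowsArbitraryLoads key that lets plaintext HTTP reach any host, beside a per-domain NSExceptionDomains entry that scopes the exception to one named server. The three plist fragments and the host names are constructed for the demo; the key names are the real ATS keys.

```python
"""Lint the App Transport Security dictionary in an iOS app's Info.plist (constructed demo)."""
import plistlib

# Constructed Info.plist fragments; host names are placeholders, not a real vendor's.
BLANKET_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

SCOPED_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-feed.broker.example</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

ATS_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>example.broker.app</string>
</dict>
</plist>
"""

LEGACY_TLS = ("TLSv1.0", "TLSv1.1")


def ats_findings(plist_bytes):
    """Return one human-readable finding per ATS relaxation; an empty list means ATS defaults apply."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: plaintext HTTP and weak TLS allowed to every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent: ATS disabled for web view content")
    for host, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = "host and subdomains" if rules.get("NSIncludesSubdomains") else "this host only"
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: insecure HTTP allowed ({scope})")
        if rules.get("NSExceptionMinimumTLSVersion") in LEGACY_TLS:
            findings.append(f"{host}: minimum TLS lowered to {rules['NSExceptionMinimumTLSVersion']} ({scope})")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy requirement dropped ({scope})")
    return findings


def allows_plaintext_anywhere(plist_bytes):
    """The first question a reviewer asks: can any request leave this app unencrypted?"""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        return True
    return any(rules.get("NSExceptionAllowsInsecureHTTPLoads")
               for rules in ats.get("NSExceptionDomains", {}).values())


if __name__ == "__main__":
    for label, plist in (("blanket", BLANKET_EXCEPTION), ("scoped", SCOPED_EXCEPTION), ("default", ATS_DEFAULT)):
        print(label, allows_plaintext_anywhere(plist), ats_findings(plist))
```

Run against a real build by passing the bytes of the app bundle's Info.plist; a scoped exception is still a finding to justify, but it bounds the exposure to one host instead of every connection the app makes.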

hobbesmaster
Jan 28, 2008



haveblue posted:

ok, it's not a hard requirement but if you want to allow insecure http in an app that goes through review you have to give apple a good reason to let you do this. looks like this policy was introduced in 2017

https://developer.apple.com/documentation/security/preventing_insecure_network_connections#3138036

maybe they've been using one of the listed exceptions

based on that they probably have their own protocol

Raere
Dec 13, 2007



ROT13 is a protocol right

cinci zoo sniper
Mar 14, 2013



Raere posted:

ROT13 is a protocol right

yes, if you interface it via rot13://

Hed
Mar 31, 2004



Fun Shoe


I mean SSL is obviously more robust security it's at what, 3.0? Why would you trust version 1.3 software.

ZeusCannon
Nov 5, 2009

BLAAAAAARGH PLEASE KILL ME BLAAAAAAAARGH

Grimey Drawer

Hed posted:

I mean SSL is obviously more robust security it's at what, 3.0? Why would you trust version 1.3 software.

I laughed and then frowned because this has been said to me before without irony.

kitten smoothie
Dec 29, 2001



Partycat posted:

some corporate networks do prevent security, so out of a desire for comity we allow you to bareback the wire

I was once a mobile app developer for a big stodgy company. All our poo poo was behind one of those data loss scanner appliances that strips SSL at the network edge, scans it, and re-encrypts it using an internal cert that is forcibly trusted on your machine courtesy of the MDM.

We used cert pinning in our product so our customers would have our app fail to work under such an environment, but hey our employees couldn’t have security

spankmeister
Jun 15, 2008








kitten smoothie posted:

All our poo poo was behind one of those data loss scanner appliances that strips SSL at the network edge, scans it, and re-encrypts it using an internal cert that is forcibly trusted on your machine courtesy of the MDM.

Those things are great because they often don't verify certificates properly, actively worsening security.
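kitten smoothie's pinning story and spankmeister's point about appliances that skip verification, as one added Python example (not from the thread, not any vendor's code). It builds two toy X.509 certificates for the same host name, one carrying the vendor's key and one re-signed by a hypothetical inspection appliance, extracts the SubjectPublicKeyInfo from each with a minimal DER walker, and shows that a SPKI pin accepts the first and rejects the second regardless of which roots the MDM has pushed into the trust store. It also shows the client-side settings that "verifying properly" means in Python's ssl module. The DER builder, key bytes and host names are constructed; the certificates are unsigned structures good enough for SPKI extraction but not valid for any TLS stack.

```python
"""Why certificate pinning fails closed under a TLS-inspecting appliance (constructed demo)."""
import hashlib
import ssl


def _der(tag, body):
    """Encode one DER TLV; bodies up to 65535 bytes, plenty for this demo."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value bytes, position just after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


RSA_OID = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))     # rsaEncryption
SHA256_RSA = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSAEncryption


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert(subject_cn, issuer_cn, pubkey):
    """Structurally valid but unsigned X.509 v3 certificate (constructed; the signature is zeros)."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                             # [0] version v3
               + _der(0x02, b"\x01")                                                       # serialNumber
               + SHA256_RSA                                                                # signature alg
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"211101000000Z") + _der(0x17, b"221101000000Z"))   # validity
               + _name(subject_cn)
               + _der(0x30, RSA_OID + _der(0x03, b"\x00" + pubkey)))                       # subjectPublicKeyInfo
    return _der(0x30, tbs + SHA256_RSA + _der(0x03, b"\x00" + b"\x00" * 32))


def extract_spki(cert_der):
    """Return the DER of subjectPublicKeyInfo: Certificate -> tbsCertificate -> after subject."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                      # explicit version present, so serialNumber is next
        _, _, pos = _read_tlv(tbs, pos)
    for _ in range(4):                   # signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]


def spki_pin(cert_der):
    """SHA-256 over the SPKI, the value an app ships as its pin (hex here; many libraries use base64)."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()


def pinned_leaf_ok(leaf_der, pins):
    """The pin check is independent of which roots the OS, or an MDM profile, happens to trust."""
    return spki_pin(leaf_der) in pins


def strict_client_context():
    """What 'verifying properly' means on the appliance's upstream side: chain and hostname checks on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Constructed keys: the vendor's real key and the appliance's re-signing key.
VENDOR_KEY = b"\x01" * 64
APPLIANCE_KEY = b"\x02" * 64
VENDOR_LEAF = fake_cert("api.broker.example", "Broker Issuing CA", VENDOR_KEY)
INTERCEPTED_LEAF = fake_cert("api.broker.example", "Corp DLP Appliance CA", APPLIANCE_KEY)
PINS = {spki_pin(VENDOR_LEAF)}           # baked into the app build

if __name__ == "__main__":
    print("direct:", pinned_leaf_ok(VENDOR_LEAF, PINS))                 # True
    print("via appliance:", pinned_leaf_ok(INTERCEPTED_LEAF, PINS))     # False: same CN, different key
```

The intercepted leaf has the same subject and a chain the managed laptop trusts, which is exactly why system trust alone cannot tell the two apart; only the key comparison does. A real client would run this check inside the TLS handshake callback rather than after the fact.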

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.


Pillbug

spankmeister posted:

Those things are great because they often don't verify certificates properly, actively worsening security.

spying on employees is the important part, preserving information security is just a token gesture

cinci zoo sniper
Mar 14, 2013



rowhammer 2: electrical hammering

https://arstechnica.com/gadgets/2021/11/ddr4-memory-is-even-more-susceptible-to-rowhammer-attacks-than-anyone-thought/

cinci zoo sniper
Mar 14, 2013



npm lol https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/

quote:

Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.

Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

hobbesmaster posted:

iirc the last time it came up the authentication is always over tls but the actual trades and data could be sent over tls or not. the thing is that a lot of their traders think that they’re doing high frequency trading or some poo poo by hand and the millisecond saved by their phone not having to decrypt stuff matters.

doesn’t matter if it’s true if enough of their customers think they’re on a 486 on dial up in 2001 or something

a lot of institutions still continue to use plain old ftp for daily clearing jobs, it's pretty lame

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang




i've been getting this error pretty consistently for a couple weeks. used to be only when i went to google books (which redirects me to https://books.google.dk when i click a result to see previews), but now it happens for gmail too. what gives?


Ur Getting Fatter
Jun 9, 2007

Fast Food Fight



Grimey Drawer

first of all, let me just say that I laughed a bit at Google Bøger because I am a child

Also, the certificate for google.dk that it's giving me doesn't have the same expiration date as yours, so maybe check that your certificate cache isn't out of date for some reason?

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang




thx ill try

e: hmm i went into keychain and found an old TDC (danish telco) cert that i deleted and now it works even though that cert had nothing to do with google. i guess that caused a refresh? :confused:

e2: i mean gmail works but google books just errors out without even showing the cert

e3: restarted safari and books works again lol

Carthag Tuek fucked around with this message at 14:54 on Nov 18, 2021

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang




 


Bluecobra
Sep 11, 2001

The Future's So Bright I Gotta Wear Shades

anyone here with palo alto firewalls?

there was a bunch of vulnerabilities that came out last week including this 9.8 one :lol:

https://security.paloaltonetworks.com/CVE-2021-3064

HELLOMYNAMEIS___
Dec 29, 2007



https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm

post hole digger
Mar 21, 2011


Bluecobra posted:

anyone here with palo alto firewalls?

there was a bunch of vulnerabilities that came out last week including this 9.8 one :lol:

https://security.paloaltonetworks.com/CVE-2021-3064

like 9 months ago my pan rep laughed at us for still being on 8.1.x so we scheduled an upgrade to 9.1.x back then. good call i guess.

Jenny Agutter
Mar 18, 2009



Do we still do OPSEC fuckups in here?

https://www.washingtonpost.com/nation/2021/11/22/rent-a-hitman-website/

guy runs a website called rent a hitman, forwards serious inquiries to the police

quote:

The website bragged about complying with HIPPA, which it said was “the Hitman Information Privacy & Protection Act of 1964,”

hobbesmaster
Jan 28, 2008



Jenny Agutter posted:

Do we still do OPSEC fuckups in here?

https://www.washingtonpost.com/nation/2021/11/22/rent-a-hitman-website/

guy runs a website called rent a hitman, forwards serious inquiries to the police

are you saying you don't look for hippa compliance?!


kitten smoothie
Dec 29, 2001



lmao that it’s ostensibly run by a guy named “Guido” to lend some air of legitimacy
