cinci zoo sniper
Mar 14, 2013




Frozen Peach posted:

Please tell me this is real

it is


The Fool
Oct 16, 2003


very real and very very funny

mystes
May 31, 2006

Frozen Peach posted:

Please tell me this is real
https://maia.crimew.gay/posts/how-to-hack-an-airline/

Also lol at that '90s-style website with a webring appearing to have been created last year

edit: her Wikipedia entry is an interesting read too: https://en.wikipedia.org/wiki/Maia_arson_crimew

mystes fucked around with this message at 03:14 on Jan 24, 2023

crepeface
Nov 5, 2004

r*p*f*c*
maia dot crimew dot gay

Phone
Jul 30, 2005

I want oyakodon.

El Mero Mero
Oct 13, 2001

pseudorandom name posted:

you don’t even have to go to the demon core, there’s a long history of scientists accidentally or deliberately infecting themselves with the diseases they were studying or treating

to this day even. I was on a hike with some scientists last year and they were casually chatting about the time they aerosolized a set of brains full of prions and didn’t have any ppe. they were like “mmmm. that might have been a bad idea, but we won’t know for 30 years unfortunately”

DJ Burette
Jan 6, 2010

El Mero Mero posted:

to this day even. I was on a hike with some scientists last year and they were casually chatting about the time they aerosolized a set of brains full of prions and didn’t have any ppe. they were like “mmmm. that might have been a bad idea, but we won’t know for 30 years unfortunately”

Part of my master's project involved making large quantities of carbon nanotubes through an arc process. At the end of the production step we just used to brush the powder containing all the nanotubes into a plastic tub from the sides of the reactor vessel; obviously tons of it was aerosolised during this process though. For protection we taped a bin bag to the opening of the chamber and just tried not to breathe too much in. We were also somehow evaporating about 10 liters of toluene into the lab every day, even though we were supposed to be reclaiming it.


After about 6 months of this the Uni suddenly realised what was happening and we all had to go and get our lung function tested, get fitted for full facemasks, and change our risk assessment forms to say that we were going to always use them from now on. I guess I'll find out how bad it was if I get lung cancer in a few decades.

Potato Salad
Oct 23, 2014

Nobody Cares


Frozen Peach posted:

Please tell me this is real

Not only is it real, she makes excellent loving music on the side.

Kitfox88
Aug 20, 2007

Anybody lose their glasses?

DJ Burette posted:

Part of my master's project involved making large quantities of carbon nanotubes through an arc process. At the end of the production step we just used to brush the powder containing all the nanotubes into a plastic tub from the sides of the reactor vessel; obviously tons of it was aerosolised during this process though. For protection we taped a bin bag to the opening of the chamber and just tried not to breathe too much in. We were also somehow evaporating about 10 liters of toluene into the lab every day, even though we were supposed to be reclaiming it.


After about 6 months of this the Uni suddenly realised what was happening and we all had to go and get our lung function tested, get fitted for full facemasks, and change our risk assessment forms to say that we were going to always use them from now on. I guess I'll find out how bad it was if I get lung cancer in a few decades.

Carcinogen Nanotubes

Shame Boy
Mar 2, 2010

THE HORROR
THE HORROR




https://twitter.com/Niah19bunny/status/1617533990394789892

mystes
May 31, 2006

security fuckup megathread 18.18: holy loving bingle

Powerful Two-Hander
Mar 9, 2004

Mods please change my name to "Tooter Skeleton" TIA.



foreverially compromised, fully public and loving it

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Oops https://techcrunch.com/2023/01/24/goto-customer-backups-stolen-lastpass/

cinci zoo sniper
Mar 14, 2013





your sister i take?

cinci zoo sniper
Mar 14, 2013





they call it lastpass because it’s the last place you want to see your passwords stored in

rafikki
Mar 8, 2008




quote:

GoTo said the intruders exfiltrated customers’ encrypted backups from these services — as well as the company’s encryption key for securing the data.

cinci zoo sniper
Mar 14, 2013




the second packet has hit lastpass

mystes
May 31, 2006

cinci zoo sniper posted:

the second packet has hit lastpass

More like the five hundredth at this point

Powerful Two-Hander
Mar 9, 2004



it's called lastpass because it's the last password vault you'll ever use

e: more like lostpass!!!

ZeusCannon
Nov 5, 2009

BLAAAAAARGH PLEASE KILL ME BLAAAAAAAARGH
Grimey Drawer

rafikki posted:

They got everything

Oof. I just got a new computer and have been debating going a bit more enterprise with my passwords and nope. Back to keepass.

Fake edit: figure I'll ask, is there a preferred version for newer Windows hosts?

cinci zoo sniper
Mar 14, 2013




ZeusCannon posted:

Oof. I just got a new computer and have been debating going a bit more enterprise with my passwords and nope. Back to keepass.

Fake edit: figure I'll ask, is there a preferred version for newer Windows hosts?

if you only use windows, use the first-party client. for a cross-platform setup, keepassxc might situationally involve less hassle

polyester concept
Mar 29, 2017

i use strongbox for ios and macos, keepass on windows, and sync with sync.com
worksforme

syncing to ios requires a manual wifi sync, but the amount of new things i sign up for these days is close to zero, so i don't really need to update it that often

cinci zoo sniper
Mar 14, 2013





https://www.goto.com/blog/our-response-to-a-recent-security-incident

quote:

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

looks like these weren't lastpass backups (yet)

Potato Salad
Oct 23, 2014



I already encountered someone attempting to cope with stanning for LastPass for years

essentially, "Is there a way to force our tenant to enforce new vault passwords to 1/100,000 collision entropy and reset vault passwords that don't satisfy?"

buddy

buddy it's dead, there is no saving this

Potato Salad
Oct 23, 2014



you can't shift blame for LastPass's fuckups and cryptographic weaknesses on to the user

Achmed Jones
Oct 16, 2004



on yeah? hold my beer and watch this

sb hermit
Dec 13, 2016


cinci zoo sniper posted:

if you only use windows, use the first-party client. for a cross-platform setup, keepassxc might situationally involve less hassle

I use keepassxc and it's very nice

Shame Boy
Mar 2, 2010




sb hermit posted:

I use keepassxc and it's very nice

same, my only gripe is that the browser plugin for it in Chrome specifically has problems with like, one or two websites i use regularly so i have to manually open it up and find the entry and plop it in

weirdly the older browser plugin (the non-xc one) worked fine on those sites so idk what's going on

Carbon dioxide
Oct 9, 2012

El Mero Mero posted:

to this day even. I was on a hike with some scientists last year and they were casually chatting about the time they aerosolized a set of brains full of prions and didn’t have any ppe. they were like “mmmm. that might have been a bad idea, but we won’t know for 30 years unfortunately”

Good news is, the lab boys say the symptoms of asbestos poisoning show a median latency of forty-four point six years, so if you're thirty or older, you're laughing. Worst case scenario, you miss out on a few rounds of canasta, plus you forwarded the cause of science by three centuries. I punch those numbers into my calculator, it makes a happy face.

ZeusCannon
Nov 5, 2009

I'm gonna out myself as an idiot for a moment here and ask a probably dumb question.

For the people syncing their keepass, are you all using an associated token for the database to restrict access as well as the u/pw? I've always been shy about syncing since duplicating the database always felt less secure.

post hole digger
Mar 21, 2011
the hits just keep coming in password manager land


quote:

Summary

Multiple password managers can be tricked into auto-filling credentials into untrusted pages. This can lead to account compromise for any users using these password managers.

Bitwarden: Vulnerable - Bitwarden was found to auto-fill credentials into both types of sandboxed content as soon as the user clicked on the Bitwarden chrome extension. Fixed and released on 12/14/2022.

DashLane: Vulnerable - DashLane immediately auto-fills credentials into the CSP sandboxed page. It displays a warning box before auto-filling credentials into the sandboxed iframe. Fixed and released on 12/2/2022.

Safari: Vulnerable - Safari auto-fills credentials into both types of sandboxed content.

https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
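The advisory above turns on one detail: a document served inside a sandboxed iframe, or under a Content-Security-Policy `sandbox` directive, gets an opaque origin (it serializes as the string "null") unless `allow-same-origin` is granted, so a manager that fills based on the URL's host rather than the document's actual origin hands the saved login to content the site deliberately isolated. The following is an added example, not code from the advisory or from any of the password managers named in it: it parses both sandbox forms, applies the "opaque origin, do not fill" rule, and runs it over a few constructed frames. The frame descriptions, the `autofillDecision` policy and the saved origin are all made up for illustration; in a real extension the runtime signal is `self.origin === "null"` in the content script, which the `frame.origin` field stands in for here.

```javascript
'use strict';

// Tokenise an <iframe sandbox="..."> attribute value. Returns null when the
// attribute is absent (the frame is not sandboxed via the attribute).
function parseSandboxAttr(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  return new Set(attrValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Return the token set of the `sandbox` directive from a Content-Security-Policy
// header value, or null when the directive is absent. A bare
// "Content-Security-Policy: sandbox" (no tokens) applies every restriction.
function parseCspSandbox(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length > 0 && parts[0].toLowerCase() === 'sandbox') {
      return new Set(parts.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return null;
}

// A sandboxed document has an opaque origin unless allow-same-origin is set,
// whichever of the two mechanisms put it in the sandbox.
function originIsOpaque({ iframeSandboxAttr = null, cspHeader = null }) {
  const attrTokens = parseSandboxAttr(iframeSandboxAttr);
  if (attrTokens !== null && !attrTokens.has('allow-same-origin')) return true;
  const cspTokens = parseCspSandbox(cspHeader);
  if (cspTokens !== null && !cspTokens.has('allow-same-origin')) return true;
  return false;
}

// Hypothetical fill policy for an extension. `frame.origin` is what the
// content script would see as self.origin ("null" for an opaque origin);
// `savedOrigin` is the origin the credential was saved under.
function autofillDecision(frame, savedOrigin) {
  if (frame.origin === 'null' || originIsOpaque(frame)) {
    return { fill: false, reason: 'opaque-origin' };
  }
  if (frame.origin !== savedOrigin) {
    return { fill: false, reason: 'origin-mismatch' };
  }
  return { fill: true, reason: 'origin-match' };
}

// Constructed sample frames (not taken from the advisory).
const SAVED_ORIGIN = 'https://example.com';
const SAMPLE_FRAMES = {
  normal: { origin: 'https://example.com' },
  sandboxedIframe: { origin: 'null', iframeSandboxAttr: 'allow-scripts allow-forms' },
  cspSandbox: { origin: 'null', cspHeader: "default-src 'self'; sandbox allow-scripts" },
  sandboxSameOrigin: { origin: 'https://example.com', iframeSandboxAttr: 'allow-scripts allow-same-origin' },
  otherSite: { origin: 'https://evil.example' },
};

function runSamples() {
  const out = {};
  for (const [name, frame] of Object.entries(SAMPLE_FRAMES)) {
    out[name] = autofillDecision(frame, SAVED_ORIGIN);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runSamples());
}
```

The `sandboxSameOrigin` case is allowed through on purpose: with `allow-same-origin` the document keeps the site's real origin, so it is no more isolated than the parent page and the fill decision reduces to the ordinary origin match. Everything else that sandboxing makes opaque is refused before any origin comparison happens.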

Powerful Two-Hander
Mar 9, 2004



ZeusCannon posted:

I'm gonna out myself as an idiot for a moment here and ask a probably dumb question.

For the people syncing their keepass, are you all using an associated token for the database to restrict access as well as the u/pw? I've always been shy about syncing since duplicating the database always felt less secure.

I don't bother because I figured that if either device is compromised it's game over anyway but I guess it's an extra prevention against losing the vault file as long as you don't transfer the token between devices over the internet or something

but I might be being stupid here and probably should

Cold on a Cob
Feb 6, 2006

i've seen so much, i'm going blind
and i'm brain dead virtually
College Slice
i used a key file along with a password when i used keepass and i made sure it was excluded from backups and syncing in case i lost control of the encrypted db

e: correction, i did back it up but i didn't sync it to the cloud in the open or sync it between devices

Cold on a Cob fucked around with this message at 17:27 on Jan 24, 2023

The Fool
Oct 16, 2003



I feel like this happened in like 2015 or something as well

Cold on a Cob
Feb 6, 2006


surprised to see safari vulnerable, for all the downsides of built in pwm they're usually pretty good at not auto-filling the wrong page no? or am i just that naive? :kiddo:

haveblue
Aug 15, 2005


Toilet Rascal
I'm pretty sure safari doesn't autofill at all, you need to take action to fill the field every time

they probably mean that it will still offer to do that and do it if you say yes on insecure pages

Cold on a Cob
Feb 6, 2006


haveblue posted:

I'm pretty sure safari doesn't autofill at all, you need to take action to fill the field every time

they probably mean that it will still offer to do that and do it if you say yes on insecure pages

ah ok, gotcha. bitwarden also only does it that way, which tends to be more secure according to them, doesn't inject anything into the page then iirc

Truga
May 4, 2014
Lipstick Apathy
i still use the base keepass2 client despite not having a windows box anymore, just because it's the only one with the synchronize feature that lets me painlessly sync clients against a kdbx with zero chance of collisions thanks to its synchronize with file feature and changing things now would be more than 0 work :v:

the only quirk i've noticed is tray icon not being there in wayland, but i open it by typing kee into the app launcher anyway

Achmed Jones
Oct 16, 2004



one time in second grade i was whittling, and i wasn't using proper knife technique and i cut the inside of my left leg

then a bunch of old men fell over themselves to tell me that if i were a proper wood researcher i would've known better than to cut towards myself, that i was very stupid, and that if THEY had been whittling, they never would have done it the way that i did. oddly enough, many of those men were missing fingers.

anyway, they were right, of course, but i still think that event said more about them than it did about me


The Fool
Oct 16, 2003


what does that story have to do with security
