Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Volmarias posted:

They could also have the public facing team write good, well intentioned code and an internal team analyzing it for issues that can be exploited.

I interviewed a guy who was on the “directed access program” or whatever they call it (basically hackingteam.gov) and asked about NSA open source on a whim. he said that they release things that will in aggregate improve the relative security posture of US and aligned organizations, and that his program explicitly didn’t target software from the US gov’t. I’ve wondered ever since how to read the emphasis in his voice.


SIGSEGV
Nov 4, 2010


Subjunctive posted:

I interviewed a guy who was on the “directed access program” or whatever they call it (basically hackingteam.gov) and asked about NSA open source on a whim. he said that they release things that will in aggregate improve the relative security posture of US and aligned organizations, and that his program explicitly didn’t target software from the US gov’t. I’ve wondered ever since how to read the emphasis in his voice.

There was this document that leaked out before Snowden, from a private intel company, that defined the NSA as completely out of control, doing reams of stupid poo poo and with tons of left hand, right hand problems, and I guess it meant he knew that, and that on his hand they did nothing too evil, but on the ten thousand others, they definitely did.

Trabisnikof
Dec 24, 2005

Dual_EC_DRBG is a good example of the nsa openly promoting something with a backdoor

mystes
May 31, 2006

The NSA is supposed to also be doing things that will help US security. It seems like they've been more interested in finding vulnerabilities to exploit recently, but they do sometimes actually do release useful software, like Ghidra. When they're doing stuff to help security, they might as well release the source for reasons similar to other organizations (good PR, getting input from the community may be useful, if they're modifying existing software it might be easier to push it upstream rather than maintain a fork, etc.)

They probably tend to be secretive by nature so they may not be that focused on PR in general, but it wouldn't surprise me if the PR effects of the Snowden leaks have made hiring somewhat harder, and releasing cool stuff like Ghidra might help a lot.

Shame Boy
Mar 2, 2010

Trabisnikof posted:

Dual_EC_DRBG is a good example of the nsa openly promoting something with a backdoor

isn't that the one that bruce was all "this obviously has a back door in it" like instantly and then it got passed anyway (because the NSA structured the committee approving it to be entirely controlled by them) and then, surprise, it had a back door in it

e: wikipedia says yes

Shame Boy fucked around with this message at 20:32 on Jun 22, 2019

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

s-boxes, though

Potato Salad
Oct 23, 2014

nobody cares


The NSA jointly funds more publicly published academic security research--particularly in microarchitecture and firmware stacks--today than ever before. The CYBER CYBER CYBER! mission handed to our defense establishment in this decade has been hampered by the absence of the political will to force vulnerable domestic industry (read: all) to meaningfully improve information security practice through substantially stronger (costlier) judicial enforcement and stricter regulation. To wit, informing a solicitor or prosecutor that Hardware Company X or Huge Fucken Bank Y has been savagely negligent doesn't do anything when they haven't legally done any wrong.

What does the alphabet soup do instead? In addition to dramatically expanding hilariously-draconian surveillance programs to catch the worst actors red-handed, which doesn't scale well when the mission is to improve the security posture of a nation of a gagillion people and businesses, research can be funded that focuses instead on fostering a domestic growth spurt of the kind of infosec talent that emerges from school not with bullshit CS undergrad degrees suitable for administration of AV software, but rather with advanced degrees in compiler engineering, hardware security, information and entropy, and real software security engineering. Push that talent not only into technical teams, but management suites of any forward-looking industry and civil service willing to take them.

The entire world is starting from behind on maintaining even a basic assurance of the integrity of strategically critical industries from banking to power generation. If you can't regulate yourself to victory because GUBBERMJNT GET OUT!, you have to play the long game. American defense establishment is familiar and comfortable with the "foster weapons engineering academics and industry" play from the cold war, so that's what it is trying to do now.

Potato Salad fucked around with this message at 21:04 on Jun 22, 2019

Shame Boy
Mar 2, 2010

lol why did i go down a wikipedia rabbit hole now i'm sad

quote:

You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch – it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.

— Former NSA chief Michael Hayden

ethically it's fine because we're the good guys and nobody else in the world has a big computer so instead of fixing things it's up to us to use our big good guy computers to hack into the bad guy computers of the gay muslim communists or whatever

Jewel
May 2, 2009

a "fun" thread on the facebook crypto tech paper

https://twitter.com/mcclure111/status/1142485680515366913

one of my fav highlights:

https://twitter.com/mcclure111/status/1142501194390212609

oof

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

Shame Boy posted:

lol why did i go down a wikipedia rabbit hole now i'm sad


ethically it's fine because we're the good guys and nobody else in the world has a big computer so instead of fixing things it's up to us to use our big good guy computers to hack into the bad guy computers of the gay muslim communists or whatever

so basically: “only us and Russia could feasibly crack this, it’s fine”

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall roll on,
generation shall follow the course of generations



Potato Salad posted:

The entire world is starting from behind on maintaining even a basic assurance of the integrity of strategically critical industries from banking to power generation.

yea p much 0 thought has been put into security and integrity since the birth of electronic databases and only now is it being realized how open and insecure everything is

denmark's been freaking out now that we've realized that america-based epic employees have total access to years/decades of health data for like half of denmark with no accountability and no oversight, this in spite of america being classed as an insecure third country under the gdpr

we've had super good privacy protections in denmark since forever, like, it's been illegal to combine or share datasets about persons since at least the 60s, for a while before the eu i think we were actually too strict, but the laws were all about paper and had no considerations for electronic databases & networks esp ones crossing borders.

Carthag Tuek fucked around with this message at 22:18 on Jun 22, 2019

PIZZA.BAT
Nov 12, 2016


:cheers:



tbh if everyone could see everyone else's account balance it'd solve a lot more problems than it'd cause in the long run

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
too many secrets

Grace Baiting
Jul 20, 2012

Hear the tale of him;
he ran, destroying
whatever he touched.



secfuck astronomy

Wiggly Wayne DDS
Sep 11, 2010



my post is my password, verify me

FlapYoJacks
Feb 12, 2009

Lol holy poo poo.

https://nvd.nist.gov/vuln/detail/CVE-2019-12450

quote:

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

That's been there since 2007 and was just fixed a few weeks ago.

FlapYoJacks fucked around with this message at 22:45 on Jun 23, 2019
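The pattern behind that GLib bug is a destination file that exists with the process's default (umask-derived) permissions while the copy is still in flight, so other users can read a half-written file before the final mode is applied. The hardened form below is an added example, not GLib's gio/gfile.c code or the poster's: the destination is created owner-only and exclusively, and the source's permission bits are applied only after all data is written. File paths and sample contents are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst without exposing a partially written file: create dst
 * owner-only (0600) and O_EXCL (never reuse or follow an existing path),
 * write all the data, and only then apply the source's permission bits.
 * Setuid/setgid/sticky bits are deliberately not propagated. */
int copy_file_restrictive(const char *src, const char *dst) {
    struct stat st; char buf[8192]; ssize_t n;
    int in = open(src, O_RDONLY | O_CLOEXEC);
    if (in < 0) return -1;
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode)) { close(in); return -1; }
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {      /* loop handles short writes */
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) goto fail;
            off += w;
        }
    }
    if (n < 0) goto fail;
    /* Data is complete: now, and only now, widen permissions to match src. */
    if (fchmod(out, st.st_mode & 0777) < 0) goto fail;
    close(in);
    if (close(out) < 0) { unlink(dst); return -1; }
    return 0;
fail:
    close(in); close(out);
    unlink(dst);                                /* leave no half-copied file */
    return -1;
}

/* Constructed sample source with an explicit mode (fchmod ignores umask). */
int write_sample(const char *path, const char *text, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(text);
    if (write(fd, text, len) != (ssize_t)len || fchmod(fd, mode) < 0) { close(fd); return -1; }
    return close(fd);
}

/* Permission bits of a path (0644 etc.), or -1 if it cannot be stat'ed. */
long perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (long)(st.st_mode & 0777);
}

/* Demo: copy a fresh 0644 sample to a new dst and return dst's final bits. */
long demo(const char *src, const char *dst) {
    unlink(src);
    unlink(dst);
    if (write_sample(src, "constructed sample contents\n", 0644) < 0) return -1;
    if (copy_file_restrictive(src, dst) < 0) return -1;
    return perm_bits(dst);
}
```

Between the `open()` and the `fchmod()` the destination is only ever 0600, which is the window the CVE text describes being left at default permissions.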

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl

do you guys think there's gonna reach a point where organizations decide it's more convenient/feasible to simply roll back automation/networking/computerization than to try to deal with computer security, and if so how far away do you think that day is

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Farmer Crack-Ass posted:

do you guys think there's gonna reach a point where organizations decide it's more convenient/feasible to simply roll back automation/networking/computerization than to try to deal with computer security, and if so how far away do you think that day is

That sounds hard so no

Shaggar
Apr 26, 2006

not a chance. not only would you get obliterated by your computer using competitors, but you'd still get owned by physical and personnel-based security defects

computer security risks are relatively easy to mitigate and the cost of security failures is still way, way lower than the benefits.

redleader
Aug 18, 2005

Engage according to operational parameters

plus computer security doesn't matter and there are no penalties if you gently caress it up

LIVE AMMO COSPLAY
Feb 3, 2006

infernal machines posted:

too many secrets

no more secrets

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Farmer Crack-Ass posted:

do you guys think there's gonna reach a point where organizations decide it's more convenient/feasible to simply roll back automation/networking/computerization than to try to deal with computer security, and if so how far away do you think that day is

the costs of automation won't be recognized until we're hiding from autonomous death robots like in "breath of the wild"

spankmeister
Jun 15, 2008

That one episode of Black mirror with the robot dogs is our future

El Mero Mero
Oct 13, 2001

spankmeister posted:

That one episode of Black mirror with the robot dogs is our future

Except instead of cool sci-fi dogs we'll be hunted down by autonomous lime-green pos scooters.

4lokos basilisk
Jul 17, 2008


got an email today from instagram saying my profile name has been changed. I don’t have an instagram account so I tried to log in with my email going directly to the site and not clicking any email links (although the email was legit)... some verify codes and forgot passwords later I am apparently logged in but it’s no way my account. probably should contact their customer service and roll back this stuff so the crypto dude who apparently set my email in there gets his acc back

in retrospect I should have left it alone but I figured that if it’s some scam I better do something before my email is associated with something I don’t control

evil_bunnY
Apr 2, 2003

Farmer Crack-Ass posted:

do you guys think there's gonna reach a point where organizations decide it's more convenient/feasible to simply roll back automation/networking/computerization than to try to deal with computer security, and if so how far away do you think that day is

absolutely loving not.

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

and hire more people? Never.

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall roll on,
generation shall follow the course of generations



Farmer Crack-Ass posted:

do you guys think there's gonna reach a point where organizations decide it's more convenient/feasible to simply roll back automation/networking/computerization than to try to deal with computer security, and if so how far away do you think that day is

maybe if enough get slapped with GDPR fines or something. I doubt it tho

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

Krankenstyle posted:

maybe if enough get slapped with GDPR fines or something. I doubt it tho

I doubt this'll be the case for anyone but companies so small they can't either fight the fine in a european court or with so little capital that any fine would ruin them.

Or the state institutions who have helpfully exempted themselves from fines

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall roll on,
generation shall follow the course of generations



yeah

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



spankmeister posted:

That one episode of Black mirror with the robot dogs is our future

on the one hand it is the best episode but on the other that's not because it's the one I most want to live through 🤔

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


Penisface posted:

got an email today from instagram saying my profile name has been changed. I don’t have an instagram account so I tried to log in with my email going directly to the site and not clicking any email links (although the email was legit)... some verify codes and forgot passwords later I am apparently logged in but it’s no way my account. probably should contact their customer service and roll back this stuff so the crypto dude who apparently set my email in there gets his acc back

in retrospect I should have left it alone but I figured that if it’s some scam I better do something before my email is associated with something I don’t control

you are supposed to close the account of anyone who uses your email address, in theory they will eventually learn their email address

Guy Axlerod
Dec 29, 2008

Penisface posted:

got an email today from instagram saying my profile name has been changed. I don’t have an instagram account so I tried to log in with my email going directly to the site and not clicking any email links (although the email was legit)... some verify codes and forgot passwords later I am apparently logged in but it’s no way my account. probably should contact their customer service and roll back this stuff so the crypto dude who apparently set my email in there gets his acc back

in retrospect I should have left it alone but I figured that if it’s some scam I better do something before my email is associated with something I don’t control

According to reddit this is a crime. You were not authorized to log into their account and have to go to computer jail.

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

Guy Axlerod posted:

According to reddit this is a crime. You were not authorized to log into their account and have to go to computer jail.

what is jail compared to your posts?

simble
May 11, 2004

i once tried to reason with an email doppelganger through a throw away google voice number. as you can imagine, it did not go well....

dude was signing up for super scammy deal and coupon sites as well as an ebay account... ?



"enny since"

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

Penisface posted:

got an email today from instagram saying my profile name has been changed. I don’t have an instagram account so I tried to log in with my email going directly to the site and not clicking any email links (although the email was legit)... some verify codes and forgot passwords later I am apparently logged in but it’s no way my account. probably should contact their customer service and roll back this stuff so the crypto dude who apparently set my email in there gets his acc back

in retrospect I should have left it alone but I figured that if it’s some scam I better do something before my email is associated with something I don’t control

Yeah I get so many emails from someone who incorrectly uses my email address for everything (they have the same first initial, last name as me), that I have been able to develop quite a profile of who they are just looking at the type of stuff they sign up for. There are so many sites that don't verify your email at all, and let you order things with their stored credit card and have the items shipped wherever you want, it's scary. One of them was some flower delivery service, which I sent a message to telling them that I don't want to close their account, but they should probably figure out what the real email should be for the customer. Of course I got a robot reply that gave me instructions on how to recover my account.

You would think it's just small services that do it but this lady had signed up for her company's phone contract with AT&T with my email address. She bought a ton of hockey equipment for who I assume is her son, since she also signed up for the hockey league's mailing list with my email as well. Years later I got emails from her attorney asking for confirmation of dissolving her LLC or whatever after bankruptcy or something like that.

I bet she thinks email is horribly unreliable because she probably never gets messages for services she signed up for. This has been going on for a decade now. I just checked today and I got some new stuff related to her upcoming stay at a Bed and Breakfast.

Still can't believe a company will let you use an email address as your primary user identifier and not do any validation of it at all, ESPECIALLY if they store your credit card information and let you order without confirmation. IIRC, the flower delivery company even listed the entire credit card # in the payment information, which is insane.

duz posted:

you are supposed to close the account of anyone who uses your email address, in theory they will eventually learn their email address

This did not work. I closed her company's phone account because I panicked when it first happened (did not realize it was someone else, and not that my email account got compromised), and I still get this stuff non-stop.

The Electronaut
May 10, 2009

CRIP EATIN BREAD posted:

I bet she thinks email is horribly unreliable because she probably never gets messages for services she signed up for. This has been going on for a decade now. I just checked today and I got some new stuff related to her upcoming stay at a Bed and Breakfast.

I'd just cancel their visit.

evil_bunnY
Apr 2, 2003

Krankenstyle posted:

maybe if enough get slapped with GDPR fines or something. I doubt it tho

that’ll be real handy when someone requests their records bundle and some schmuck has to go physically walk through your org hoping his hunger for the sweet merciful freedom of death doesn’t catch up with him before he’s done.

crazysim
May 23, 2004

I AM SOOOOO GAY

CRIP EATIN BREAD posted:

IIRC, the flower delivery company even listed the entire credit card # in the payment information, which is insane.

name and shame and report; regardless of this email situation.


mystes
May 31, 2006

If they order flowers, immediately call customer service and ask to change the note to say "From, an idiot who doesn't know what his/her email address is."
