Crime on a Dime
Nov 28, 2006

whoa 😮 the quote is like the post but poo poo


Crime on a Dime
Nov 28, 2006
nazi pants fall off

Crime on a Dime
Nov 28, 2006
oh poo poo the spankmister is handing out the spanks

Crime on a Dime
Nov 28, 2006
insane fuckup

Crime on a Dime
Nov 28, 2006

Carbon dioxide posted:

Do you have any idea how slow and memory intensive the bcrypt algorithm is?

Ain't nobody got time for that.

actually

Crime on a Dime
Nov 28, 2006

Soricidus posted:

the only things normal people use vpns for are:

1. bypassing dumb region locks
2. accessing corporate stuff from home

nobody normal uses them for “privacy”

normie are so stupid lol !

Crime on a Dime
Nov 28, 2006
loser can have a little friends

Crime on a Dime
Nov 28, 2006

Pile Of Garbage posted:

in this instance the vendor went out of their way to gently caress poo poo up. the payload is already sent via HTTPS so all they had to do was not write it to disk and they'd be more secure than they are now.

oh also i forgot to mention: there's no auth between client and server. the client just fires payloads to wherever it's told and the server receives them. this is where a proper TLS-DSK or mTLS setup would have been preferable but instead the vendor just decided to encrypt the payload with a static symmetric key.

as i like to say, there's two ways of doing things: the right way and the quick way.

I'm picking the good one

Crime on a Dime
Nov 28, 2006

Pile Of Garbage posted:

if you're in a predominantly windows environment then you'll be far better served by a windows CA. harder to do right but really the integration is way better (mainly auto-enrolment and directory CDP).

from what you describe though i'd maybe recommend reading up on PKI and how CAs function first.

Crime on a Dime
Nov 28, 2006

Pile Of Garbage posted:

for reference, the biggest out-of-box gently caress-up with windows CA is deploying a root and then going home. it raises zero warnings about doing so but realistically you need an off-line root and an intermediate to actually issue certs (plus potentially other servers to handle CDP or enrolment). microsoft do document this but won't guide you into it.

that said doing PKI properly in general requires planning and i've seen plenty of outfits gently caress-up non-windows PKI in exactly the same way.

good advice ty

Crime on a Dime
Nov 28, 2006

Shaggar posted:

the default templates are all junk too

it’s not really hard to configure correctly, you just need to think about the design a little. the Microsoft docs on it are good and suggest a multilevel ca setup so go check them out

no

Crime on a Dime
Nov 28, 2006
1. goons just wanna have fun. click ok ac
2. personey five royal game of..the year it came out
3. running the app no authentication require*

*credit to yospos sage

Crime on a Dime
Nov 28, 2006

Lain Iwakura posted:

hi. i am still alive

nadim has decided to stalk me for some reason

no. i am fine. i doubt it wasn't anything more than curiosity

wb

Crime on a Dime
Nov 28, 2006

ewiley posted:

beep boop 🤖 humor must obey my strict rules
🗝🔨

Crime on a Dime
Nov 28, 2006
risky.biz

Crime on a Dime
Nov 28, 2006
iexplore.exe is a lolbin

Y[ ]
N[ ]

Crime on a Dime
Nov 28, 2006

Pile Of Garbage posted:

hey rufus if you wanna update the OP: the v1.0 secfuck thread was moved to the mod forum because i posted a directory traversal exploit i'd discovered on the itSMF website and a bunch of us piled in on it. iirc the exploit was with a PHP script they used to render image thumbnails on the fly for some reason. it took a path parameter but didn't have any checks in place so you could feed it any path like /../../../../etc/passwd and it would happily spit the file back at you

so yeah, not exactly epic, just textbook irresponsible disclosure by my dumb self. i and some others copped bans, the website in question has since moved to WP. good times

e: tl;dr as alereon so eloquently put it in my ban: "You made a series of very bad decisions."

mods gnu
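The thumbnail bug quoted above is the textbook unchecked path parameter. The following is an added example (not code from the forum, the poster, or the site in question) showing the defect next to the containment check that fixes it: the requested name is joined onto a fixed image root, normalised so that any `..` segments are collapsed, and then rejected unless the result still lies under that root and carries an image extension. The root directory, the allowed extensions and the sample requests are all constructed for the example.

```python
import posixpath

# Constructed root for the example; a real handler would take this from config.
THUMB_ROOT = "/var/www/site/uploads/images"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def unsafe_thumbnail_path(requested: str, root: str = THUMB_ROOT) -> str:
    """The defect as described in the post: the parameter is trusted as-is.

    posixpath.join discards `root` when `requested` is absolute, and a
    relative `../../` sequence is passed straight through, so the OS resolves
    the final path wherever the caller pointed it.
    """
    return posixpath.join(root, requested)


def escapes_root(path: str, root: str = THUMB_ROOT) -> bool:
    """True if `path`, once `..` segments are collapsed, is not under `root`."""
    resolved = posixpath.normpath(path)
    return posixpath.commonpath([root, resolved]) != root


def resolve_thumbnail_path(requested: str, root: str = THUMB_ROOT):
    """Hardened version: return the on-disk path for a thumbnail request, or
    None if the request must be refused.

    Assumes the web framework has already URL-decoded `requested` exactly once;
    do not decode it again here, or an encoded `%252e%252e` slips past.
    """
    # Empty input and embedded NULs are never legitimate file names.
    if not requested or "\x00" in requested:
        return None

    # Strip a leading "/" so an absolute request cannot replace the root,
    # then collapse "." and ".." so the containment check sees the real target.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))

    # The decisive check: after normalisation the path must still start with
    # the image root. "/../../../../etc/passwd" ends up in /var/etc/passwd and
    # fails here, as does "2020/../../../etc/passwd".
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        return None

    # Defence in depth: only serve files that look like images.
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None

    return candidate


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    for req in ["cat.jpg", "/../../../../etc/passwd", "2020/../../../etc/passwd"]:
        print(f"{req!r:32} unsafe={unsafe_thumbnail_path(req)!r:48} "
              f"safe={resolve_thumbnail_path(req)!r}")
```

The check has to run on the fully normalised path, not on the raw string: looking for a literal `..` in the request misses `./../`, encoded variants and mixed separators, whereas comparing the collapsed result against the root catches all of them in one place. Where the image root may contain symlinks, `os.path.realpath` should be applied to both sides before the comparison.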

Crime on a Dime
Nov 28, 2006

Schadenboner posted:

Seems like a missed opportunity to have used “Mossadmized”?

gross, no.

Crime on a Dime
Nov 28, 2006

Cerv posted:

✂️

highly illegal

Crime on a Dime fucked around with this message at 16:11 on Oct 5, 2020

Crime on a Dime
Nov 28, 2006

xtal posted:

What's that illegal for? Leaking birthdays? lol

CIO not caring. they arent allowed to do that

Crime on a Dime
Nov 28, 2006

SoundMonkey posted:

anything becomes legal if you call it "research"

stay tuned for my upcoming legal defence "i was just red teaming the liquor store"

april 21st 1992

Crime on a Dime
Nov 28, 2006

Cerv posted:

✂️

i would start working that out if i was you because you are liable now

Crime on a Dime
Nov 28, 2006

Shame Boy posted:

yeah idk the news orgs are prolly not gonna get the nuance and just jump right to "local idiot posts how YOUR CHILD can have their PERSONAL BIRTHDAY INFORMATION STOLEN on a HACKER FORUM for HACKERS and then HACKING happened"

the heck are you talking about

Crime on a Dime
Nov 28, 2006
let me tell ya somethin'

Crime on a Dime
Nov 28, 2006
:thanks:

Crime on a Dime
Nov 28, 2006

Perplx posted:

The t2 is required for steaming 4k HDR from Netflix, can I use this to rip 4k video from Netflix?

no. because you wouldnt loving DOWNLOAD
A
CAR

loving noob wouldnt download the car

Crime on a Dime
Nov 28, 2006
glad that was a link not a url

Crime on a Dime
Nov 28, 2006
obvious. reasons.

Crime on a Dime
Nov 28, 2006

Hirez posted:

I have a last minute job interview tomorrow, and one of the questions they asked me about was cryptolocked systems and if I've dealt with them in the past like 3-4x - but at a whole other enterprise level where we had incremental backups like every 6 hours on some systems (govt). It ended up being some old legacy poo poo usually and was killdozed- but I don't think this company has that kinda resources as they consult for vet clinics (doggos :unsmith: ) and these are the type of requests they get.

Can someone gimme a good guide or coles notes on how to get around it at a low business level (where I assume backups are there, but limited) - plus I wouldn't be surprised if they didn't have SAN setups/etc to easily backup/restore.

I'm assuming other than paying (lol gently caress if I'm going to be paying bitcoin bounties at this job, but seeing as I got job cut thx to Doug Ford from eHealth right before covid hit (loving idiot like his fuckhead brother) and my Trudeau bux are gone, I'll take anything and this is listed at 75k~). and did I mention doggos

Is the correct answer re-imaging the clients systems these days? I haven't dealt with that lower level stuff in a bit, but I don't see how you can overwrite crypto-system locked files without the hard drive being taken out and connected to another system (not connected to anything meant just for this) and mount/overwrite that way unless I'm missing something obvious or new

I assume their whole AD infrastructure other than Client Computers is at least stored in a datacenter with backup procedures.


Any help would be thankful

:goofy:

Crime on a Dime
Nov 28, 2006

Potato Salad posted:

holy loving god drat that list of the vulns

it's almost as bad as every other x86 root of trust / secure enclave

which vulnerability involved the secure enclave?

Crime on a Dime
Nov 28, 2006

Soricidus posted:

if you’re earning well over six and a half figgies and think you’re underpaid, then I have bad news about what role you’ll be playing when the guillotines make their comeback

poor people are shamed in yospos, it is the rules

Crime on a Dime
Nov 28, 2006
is that "Macs are gay"? i dont remember the numbers

Crime on a Dime
Nov 28, 2006
:synpa:
https://twitter.com/woodmuffin/status/9072651520?s=21

Crime on a Dime
Nov 28, 2006
this is The good yospos thread

Crime on a Dime
Nov 28, 2006
almost every other thread is negative and depressing or chats that are also fairly depressing :sigh:

Crime on a Dime
Nov 28, 2006

~Coxy posted:

Not Anymore

Crime on a Dime
Nov 28, 2006

The_Franz posted:

a girl my brother was friends with in high school went to work for the nsa. she was a hyper-overachiever in high school, never drank or did any drugs, went to one of those uber-nerd technical universities where people spent their saturday nights drinking pepsi while programming and talking about math and happened to be a place where the nsa liked to recruit for internships, because the kids are almost all straight-edge nerds (which probably explains why so many of their projects have names that sound like pokemon). it seems like classic move of getting them while they're young with promises of getting paid for their hobby while serving their country and normalizing them into the organization early on so they don't think about how the compartmentalized bits of projects they work on are ultimately part of a larger system used to liquidate people, the banality of evil and all that

she had to do one of those background checks where they go back and talk to everyone you've known since kindergarten, so my brother had to talk to an investigator, who was a retired secret service agent turned security consultant, to answer questions like "to the best of your knowledge has she ever used narcotics, does she have ties to foreign countries or governments, has she ever said or done anything that could cast doubt on her loyalty to the united states, etc..."

oh hey i know her

Crime on a Dime
Nov 28, 2006

Midjack posted:

the cryptography they do is likely use and maintenance of communication systems rather than cryptanalysis like nsa is most famous for.

lol goons love making poo poo up

Crime on a Dime
Nov 28, 2006
they investigate and prosecute crimes they are cops


Crime on a Dime
Nov 28, 2006
https://www.secretservice.gov/investigation/cftf/
