
hell yeah, back to working on infosec software after a year and a half at Oracle getting my rear end kicked working on boring non-infosec trash! I missed poo poo posting with you guys.

# Apr 22, 2019 23:34

# Mar 28, 2024 22:02

probably not tbh

# Apr 22, 2019 23:54

the intent to crime develops in the gonads

# Apr 23, 2019 14:38

geonetix posted:
> doesn't every Oracle agreement disallow any posts or comparison about their products? be careful before their army of lawyers take all of lowtax’s spine cash

I'd tell you about how they're trying to be hip and cool and cloudy and embrace open source but I'd probably get sued for that too ¯\_(ツ)_/¯

# Apr 26, 2019 16:44

D. Ebdrup posted:
> So far as I can tell, this also means that firmware runtime attestation is completely impossible, so you cannot know if the firmware that's on the system messes with any future firmware, unless you JTAG the system and push the firmware to it in a way that the firmware runtime cannot know about.

doesn't sound terrible to fix:

> They discovered that when Cisco’s secure boot detected a breach of trust in a system, it would wait 100 seconds—a pause programmed by Cisco engineers, perhaps to buy enough time to deploy a repair update in case of a malfunction—and then physically kill the power on the device. The researchers realized that by modifying the part of the bitstream that controlled this kill switch, they could override it. The device would then boot normally, even though secure boot accurately detected a breach.

Sounds like this bit of logic just needs to be thought through again...but as they didn't release the specifics yet, it's hard to say ¯\_(ツ)_/¯

e: lmaorf

> They also broke two of their routers during the process of physically manipulating and soldering on the boards to look for the reset pin.

# May 13, 2019 21:23

Jabor posted:
> my read of that is that the code that decides what to do when secure boot can't verify the firmware can itself be modified, so all you need to do is modify it to just boot anyway.

maybe, hard to tell if they have a real novel approach to fpga reverse engineering and if it can be generalized.

# May 14, 2019 02:02

Wiggly Wayne DDS posted:
> good thread to read in the morning:

this post has inspired me to visit a pawn shop on my lunch break, thanks!

# Jun 4, 2019 16:27

I'd reinstall from USB to get rid of the hp poo poo and also swap the drive to cover the very unlikely event there is some latent malware on the drive as well as the very likely scenario he will want something bigger and faster as storage is always getting cheaper.

# Jun 5, 2019 15:24

Tankakern posted:
> what fud is this, "latent malware" if you flatten and reinstall?

You spelled common knowledge wrong? NSA has been installing malware into HD firmware since at least 2001, and did it for 14 years undetected until that whole Kaspersky thing on equation group malware back in '15.

e: I mean, it's really rare, but HDs are cheap, just get a new one and re-install from USB. If your threat model requires you to be any more paranoid, don't buy used, I guess?

e2: a link https://www.kaspersky.com/blog/equation-hdd-malware/7623/

# Jun 5, 2019 17:25

Subjunctive posted:
> Serious Hardware / Software Crap > YOSPOS > Security Fuckup Megathread v18.2 - of course it was Lenovo

# Jun 5, 2019 18:27

graph posted:
> is that really better than the current tho

gonna be honest, it isn't.

# Jun 5, 2019 21:07

Vomik posted:
> if you're worried the nsa installed malware into hard drive firmware then how would you get around it by buying a new hard drive

where do you think the firmware on the HD lives?

> Let’s start with explaining what “hard drive firmware reprogramming” means. A hard drive consists of two important components – a memory medium (magnetic discs for classic HDDs or flash memory chips for SSD) and a microchip, which actually controls reading and writing to the disk, as well as many service procedures, e.g. error detection and correction. These service procedures are numerous and complex, so a chip executes its own sophisticated program and, technically speaking, this is a small computer by itself. The chip’s program is called a firmware and a hard drive vendor may want to update it, thus correcting discovered errors or improving performance.

e: afaict this was not done as a supply chain attack

Winkle-Daddy fucked around with this message at 23:12 on Jun 5, 2019

# Jun 5, 2019 23:09

mystes posted:
> A flash chip and/or the platter but how does it make the slightest difference with respect to what we're talking about?

because replacing the drive with a totally different one as well as re-installing the OS will remove this kind of malware as described, that was previously called fud?

# Jun 5, 2019 23:16

mystes posted:
> Oh I see, I misunderstood what you're saying. Yeah if you think your specific single computer was compromised in transit

> throw it out and get a new one at a store or whatever if you think that will protect you from the NSA.

you're buying a used computer from somewhere you have zero idea what the user's behavior was and if it made them a target of state surveillance for some reason. 4 years ago NSA could re-write firmware for 12 different “categories” (vendors/variations) according to the article. With the increasing complexity on the hw engineering side, this number must have gone up. knowing what we know, and how cheap drives are, you can call it fud if you want, but I'll spend the hundred bux ¯\_(ツ)_/¯

This does leave me with a couple of questions though... HD manufacturers gotta go fast and will that lead to the same bad decisions of chip makers (lol speculative execution)? Is there going to be a temptation by HD manufacturers to basically stick an IoT computer on your HD, I have no idea how close it is to that now?

Cocoa Crispies posted:
> how’s a picture of aatrek going to help with that

lmbo

# Jun 5, 2019 23:34

god I hope there's a disclosure timeline with receipts.

# Jul 23, 2019 23:49

# Jul 25, 2019 20:19

^^that's phishing not mitm, good idea though

# Aug 1, 2019 15:24

tavis posted:
> Bonus... can you pop calc in calc?

lmbo

# Aug 13, 2019 16:38

CommieGIR posted:
> Welp. I gotta internalize your criticism, you guys do have some very valid points. Still feels like a gut punch, but peer review often does. I'll roll with it.

I just wanted to say this is a cool and good post and you are a cool and good poster for making it!

# Sep 3, 2019 20:12

Trabisnikof posted:
> Remember kids, scope is everything on a pentest

the article doesn't mention the contract at all. My experience has been that pentesters (especially in the last 5-ish years) are not ones to invent scope. I would be shocked if physical access was not spelled out in the contract the SCA signed, agreed to and failed to read. But I guess we'll have to wait and see.

# Sep 13, 2019 17:19

i... think we agree? also, I didn't realize this was tinkersec, he's usually incredibly careful.

# Sep 13, 2019 20:08

my p curve is just fine tyvm

# Sep 20, 2019 16:51

ewiley posted:
> I'm not a developer but is it normal to include credentials inline in PHP?

Yes, this is very normal in PHP and one of the reasons doing a Google dork for download.php?file= will yield so many juicy DB creds (when you edit the url to file=../config.php or w/e). When I was at Yahoo! we had developed an in house solution to read credentials out of a service at runtime. I haven't used PHP since then so I don't know if they have a better solution, but this isn't unique to you, but it is somewhat unique to PHP!

# Oct 17, 2019 22:55
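As an added illustration of the point above (my own example, not code from the thread or from any project): a download.php that refuses the `file=../config.php` style of request and reads the DB DSN from the environment instead of a file under the web root. It assumes the served files live under `/var/www/app/downloads` and that the DSN is provided in an `APP_DB_DSN` environment variable.

```php
<?php
// Added example, not from the thread: a download.php that refuses path
// traversal and loads DB credentials from the environment, not a web-root file.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/var/www/app/downloads'; // assumed serving directory

// Map a client-supplied name to a file inside $root, or return null.
// realpath() collapses "..", "./" and symlinks, so the containment check
// runs on the canonical path rather than on the string the client sent.
function resolveDownload(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;                      // bad root, empty name, or NUL-byte truncation
    }
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;                      // no such file
    }
    // Require the root plus a separator as prefix: "../config.php" resolves to
    // /var/www/app/config.php and fails; so does a sibling like downloads-private/.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

// Credentials come from the environment (or a secrets service, as in the
// Yahoo! setup mentioned above) so a traversal bug has no config.php to reach.
function dbDsn(): string
{
    $dsn = getenv('APP_DB_DSN');          // assumed variable name
    if ($dsn === false || $dsn === '') {
        throw new RuntimeException('APP_DB_DSN is not set');
    }
    return $dsn;
}

$name = $_GET['file'] ?? '';              // arrays (file[]=x) are treated as empty
$path = resolveDownload(DOWNLOAD_ROOT, is_string($name) ? $name : '');
if ($path === null) {
    http_response_code(404);              // same response for traversal and missing file
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

Returning the same 404 for a rejected path and a missing file keeps the handler from confirming which directories exist outside the serving root.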

Partycat posted:
> When you're doing k8s and containers, do you trust that infra enough to put your creds and secrets in environment variables? Do you go with file mounts and encrypted vaults or ...? I honestly don't know if a traversal or a variable dump are more likely exploits, but I feel like either of those things means you're in a bad place. I don't really want to go down the slippery slope of having the app pull the cred into memory via an API call behind 7 proxies and 512 bit EC certs

You should use the built-in K8s secrets management with a host that isn't a dumpster fire.

# Oct 18, 2019 21:12

jre posted:
> You shouldn't use the built in for anything important because it's not implemented well

uh...what? It's fine for most use cases.

> Caution: Think carefully before sending your own ssh keys: other users of the cluster may have access to the secret. Use a service account which you want to be accessible to all the users with whom you share the Kubernetes cluster, and can revoke if they are compromised.

> Currently, anyone with root on any node can read any secret from the apiserver, by impersonating the kubelet. It is a planned feature to only send secrets to nodes that actually require them, to restrict the impact of a root exploit on a single node.

But seriously, unless you have a drat good reason not to, I don't see a problem. It's what we used for secret management on the k8s control plane and all things related to it for the K8s provider I used to work for ¯\_(ツ)_/¯

Winkle-Daddy fucked around with this message at 22:40 on Oct 18, 2019

# Oct 18, 2019 22:37

like the old infosec joke: what's the difference between a VPN and a honeypot? An exploit.

# Oct 21, 2019 17:18

Shaggar posted:
> I use nordvpn with code lowtaxspine and it works fine for downloading Linux isos.

# Oct 22, 2019 02:11

Volmarias posted:
> Disable it by default and require admin configuration to enable it?

I think you'll find that might generate calls to support.

# Oct 22, 2019 15:29

the worst is when you have to start going to seminars to learn secure coding from places that...don't teach much. "Here, let's exploit winamp with a bitflip in a skin, see how that worked in windbg? good, now, don't code like that!" Hope that was money well spent! It was fun, though, for me, the person not paying to make our software more secure.

# Nov 8, 2019 20:44

AARP LARPer posted:
> Hi everyone. A few years ago I asked you kind souls for book recommendations about cryptography and a very wise person suggested The Code Book by Simon Singh which rocked and I'm very grateful. There's something about the way that the book was written that really held my interest in a way that few books have. It's weird.

I don't know anything about the book you mentioned, unfortunately. But what you're asking for sounds a little bit like @War by Shane Harris. I read it when it first came out and found it to be a really good overview of where we are in terms of a holistic view of "cyber" through the lens of the Military. It was written a little better than most things in this space.

# Nov 25, 2019 22:50

guess theo should spend less time bitching about openssl and more time fixing basic openbsd bugs

# Dec 6, 2019 18:20

sounds fake and dumb, and their responses to people calling them out make them sound even faker and dumber.

# Jan 13, 2020 21:59

chestnut santabag posted:
> Bring on the digital security arms race of them exposing one another's exploits to embarrass them.

u should follow tavis on twitter, friend

# Feb 10, 2020 21:58

just run keepAss in its own appVM in QubesOS with no network access, obviously

# May 17, 2023 23:04

"lol time to put a penny in the 'copilot wrote an SQL injection vulnerability' jar" spotted in work slack tonight

# May 19, 2023 02:26

happy 10th birthday, Let's Encrypt

# May 24, 2023 23:04

yes, I "rely" on winrar to extract my jrpg roms

# Aug 24, 2023 02:52

infernal machines posted:
> unrevoking certificates for, uh, compatibility's sake

it's not revoked, it's no longer trusted (or was). minor distinction, but as Microsoft did not issue the certificate they cannot revoke it. reversing a revocation would be a much bigger deal and, I have to imagine, would violate the BRs of the CA.

# Aug 26, 2023 04:39

in case your grafana stopped updating: https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/

# Aug 29, 2023 03:06

lol, lmao even https://twitter.com/__silent_/status/1698345924840296801

# Sep 6, 2023 23:05