FlapYoJacks
Feb 12, 2009

https://twitter.com/bread_berries/status/1122286859680268289?s=21


FlapYoJacks
Feb 12, 2009

evilweasel posted:

telling you to make sure to run routine antivirus checks on your samsung smart tv

You don't need to run antivirus if your TV isn't connected to the internet.

FlapYoJacks
Feb 12, 2009

BangersInMyKnickers posted:

how do you stop your tv from connecting to the internet when the wifi will automatically attach to any open ssid in range, which is a thing some of them do (samsung)

You can disable the wifi on their TVs, I think. I have an LG TV and I just went to network -> wifi -> disable.

FlapYoJacks
Feb 12, 2009
:psyduck:

FlapYoJacks
Feb 12, 2009
https://twitter.com/mikko/status/1140597386835877888?s=21

FlapYoJacks
Feb 12, 2009
Lol holy poo poo.

https://nvd.nist.gov/vuln/detail/CVE-2019-12450

quote:

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

That's been there since 2007 and was just fixed a few weeks ago.

FlapYoJacks fucked around with this message at 22:45 on Jun 23, 2019
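The bug class in the CVE quoted above (destination created with default permissions while the copy is still running, tightened only afterwards) is easy to reproduce and easy to avoid. The following is an added illustration written for this thread, not GLib's code: a naive copy that leaves a window where the destination is readable under the umask, next to a copy that creates the destination 0600 with O_EXCL and only widens it once the data is in place. The `demo()` helper, the 0o022 umask and the secret file are constructed for the example.

```python
import os
import stat
import tempfile

CHUNK = 64 * 1024


def file_mode(path):
    """Permission bits of a path (e.g. 0o600), ignoring the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def copy_default_perms(src, dst, observe=None):
    """Copy that creates the destination with the process umask and applies
    the source's mode only after all data is written.  While the copy is in
    progress the destination carries default permissions, which is the bug
    class described in the CVE above (illustration, not GLib's code)."""
    src_mode = file_mode(src)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            chunk = fin.read(CHUNK)
            if not chunk:
                break
            fout.write(chunk)
            if observe is not None:
                observe(dst)  # what another local user could see mid-copy
    os.chmod(dst, src_mode)


def copy_restricted_perms(src, dst, observe=None):
    """Hardened copy: the destination is created 0600 with O_EXCL (no reuse of
    a pre-existing or pre-planted file), so nobody else can read it while the
    data is being written; it is widened to the source's mode only when done."""
    src_mode = file_mode(src)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fout, open(src, "rb") as fin:
        while True:
            chunk = fin.read(CHUNK)
            if not chunk:
                break
            fout.write(chunk)
            if observe is not None:
                observe(dst)
    os.chmod(dst, src_mode)


def demo():
    """Copy a constructed 0600 file both ways under umask 022 and report the
    permission bits seen while each copy was in progress and after it."""
    old_umask = os.umask(0o022)  # constructed: a typical default umask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "secret.txt")
            with open(src, "wb") as f:
                f.write(b"constructed secret content\n")
            os.chmod(src, 0o600)
            seen = {}
            for name, fn in (("default", copy_default_perms),
                             ("restricted", copy_restricted_perms)):
                dst = os.path.join(tmp, name + ".txt")
                during = []
                fn(src, dst, observe=lambda p: during.append(file_mode(p)))
                seen[name] = {"during": during[0], "after": file_mode(dst)}
            return seen
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, modes in demo().items():
        print(f"{name:10s} during copy: {modes['during']:04o}  after: {modes['after']:04o}")
```

Under umask 022 the naive copy is 0644 for the whole duration of the write and only becomes 0600 at the end; the hardened copy is 0600 throughout. The final modes are identical, which is exactly why this kind of bug survives for years: nothing looks wrong once the copy has finished.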

FlapYoJacks
Feb 12, 2009

mystes posted:

I just feel the need to point out that if you eliminated all patents you would have to fund pharma research directly but that wouldn't be a bad thing.

lmao we already do.

FlapYoJacks
Feb 12, 2009
Oh good; my new bank's online password system is hosed.

Passwords must be <= 15 characters long
Passwords cannot contain spaces or any of the following invalid characters: : * ! ; | / '

Guess who probably isn't sanitizing input and/or storing passwords in plain text or just MD5'ing them/and or both? :shepicide:

FlapYoJacks
Feb 12, 2009
I remember using links to get the Nvidia drivers for Slackware some 15 years ago. :allears:

FlapYoJacks
Feb 12, 2009
HOO loving BOY!

SADDLE UP BOYS! It's time for ~*~*SECURITY AUDIT*~*~ SEASON!

The company doing the audit? They want our AWS server private keys.

What the gently caress? Why do you ask?
Because they use Alienvault which needs a private key!
Fine I say, how about YOU generate a private key and give us your public key, then I can add you to the authorized_keys of our servers.
The result is the email chain so far:

Coworker 1 posted:

Hi Boss and Fuckhead,

Starting Friday, Nov 8, Coworker 1 is going to work on inserting the SSH Master key to all the instances and provide a progress status early next week.

Instead of us generating a private key and insecurely sending it to you, can you generate your key pair and send us the public one?
We will start inserting it as soon as next week.

Some dumb fuckhead posted:

Hi Coworker 1,

I'll get a key pair set up for you. We'll work on sending you the private key securely since MY COMPANY should manage the key per your
policies.
IT Security Advisory - Director of Security Operations

Some dumb fuckhead posted:

Hi Coworker 1,

Actually, you should generate the key. That way you can test that it works properly on the first host before you start rolling it out to
all your hosts. Please go ahead and generate your key pair and I will work with you on getting the private key to us securely. Thanks!

Some dumb fuckhead

coworker 1 posted:

Fuckhead and co,

I think unless I hand someone the generated private key on a USB drive, I'm not sure how I feel about the security of passing private
keys around... after all, isn't that like, security 101? "don't send private keys over anything that is even remotely untrusted?" ??

I'll be ssh-keygen'ing a test public/private key pair to do the testing anyway (and PPK is pretty venerable and there aren't any
pitfalls here), so we aren't going in blind. I just don't like passing a credential with access to literally the entire company's
assets over an undecided, possibly insecure channel that we don't control.

Can you amend your plan to assuage my paranoia, please? ??

Some dumb fuckhead posted:

Hi Coworker 1,

The simple way to send a private key securely, without a USB drive, is to zip the key up with a password and then you can upload to our
secure dropbox location where only approved personnel can upload/download. That's the way you currently transfer documents with
us. The password can be sent to us via text. That should satisfy the secure transportation of private key concerns.

Some dumb fuckhead

coworker 1 posted:

I'll proceed with the buildout, in the meantime, Boss, can you weigh in here?

Some dumb fuckhead posted:

Hi Coworker 1,

I've included Some dumb fuckhead 2 in this conversation. This should be short. You can work with Some dumb fuckhead 2 on installing the key credentials into AlienVault without the key having to leave MY COMPANY'S network since he has access to Alienvault to set up the credentials.

MY BOSS posted:

Why is the Private Key being shared? Isn't the whole point of the public-private key pair to provide a key (the public one) that can
withstand being sent over insecure or untrusted channels...

Some dumb fuckhead posted:

Hi BossMan,

AlienVault needs credentials to be able to log into an AWS host so that it can perform an authenticated scan. This can be in the form of a password or an RSA private key. Once we enter the key I can't retrieve the key from Alienvault so it's a one time input.

I don't need to have the private key sent to me. We can open up a RingCentral meeting and someone could input it for me in the UI and
we'd be good to go or SDF2 could do it since he's done it before. Coworker 2 can also do it but I did not teach him how to create credentials yet.
Either way works for me.

coworker 1 posted:

Can Alienvault generate the private key and then export the public key? That would be the ideal method (and doesn't seem out of the
realm of possibility, because it's literally just running ssh-keygen). Who puts the key into the system is immaterial, private keys
should ideally not move. That's kind of a breach of how PPK is meant to be used.

If there's no correct way to do this thing with Alienvault, is there a more security-conscious way we can do your scan?

Some dumb fuckhead posted:

Hi Coworker 1,

The answer is no to AlienVault generating the key. The connection to AlienVault is over HTTPS so the connection will be secure. As for
inputting the key, having a MY COMPANY'S employee put in the key removes the extra step of having the key moved too far from home
base. To be honest, I'm not seeing why this is an issue considering the connection will be encrypted and a one-time entry without the chance
for retrieval. If you'd like I can set up a meeting with Coworker 2 and we can do this over a screen share while he's logged into AlienVault.

Coworker 1 posted:

Not seeing why sharing a private key is an issue is a very concerning statement to hear.

I didn't set up the encryption. I don't know if the HTTPS connection in question uses HSTS. Granted, the chance of the key being
compromised through these methods is low, but would you take the chance with the key to the entirety of the company assets? If you're
not so sure, then imagine it were the keys to your identity on the line. Wouldn't you want to use the tried and true method set forth
by the PPK scheme, instead of trying to wrap an inherently insecure process with layers of security instead?

In short - PPK provides a method to do what you're trying to do. This is not it. This is compromising our security to prove that we
are secure. I am no auditor, but I imagine if I went up to a security auditor and said 'we give private keys out,' I'd fail my
audit faster than a moped at a drag race.

BOSS/Coworker 2, if you give the go-ahead to go with this method, I'll abide by your decision, but I strongly advise against it.

me posted:

Also, not to sound uncouth, but I thought this might be a test.

If we give the keys, do we fail the audit immediately? I know if I were
the auditor, I probably would.

Some dumb fuckhead posted:

Not a test. We aren't auditors. We're on your side.

FlapYoJacks fucked around with this message at 00:58 on Nov 8, 2019

FlapYoJacks
Feb 12, 2009
I have now included my entire team in on this. It's fantastic.

Even better:

The same dumb fuckhead posted:

That's what I've been trying to explain to you all. Having you generate the key would remove a step from transferring it to me. Either way you will have to upload the private key to AlienVault. The account that you use the key on should just have sudo privileges so you can limit what parts of the system it has access to. I can send the public key to Coworker 1 if that will work.

FlapYoJacks
Feb 12, 2009
I responded with a not-so politically correct response:

me posted:

ssh-keygen is available on all major operating systems.

I highly suggest you generate a private/public keypair with that and then use the generated private key in the private key field.

After that, you can send us your public key that was generated and we can add it to our servers.

If you aren't able to do that, I would be more than happy to google the instructions and provide some links that show examples for whatever platform you are currently using.

Me

FlapYoJacks
Feb 12, 2009

CommieGIR posted:

This is the correct response. It's insane that they are asking you to transfer a private key around. Like, do they not understand why it's called a private key?

I have no idea. They also asked for IAM admin access.

FlapYoJacks fucked around with this message at 01:09 on Nov 8, 2019

FlapYoJacks
Feb 12, 2009

mystes posted:

Honestly if they don't understand this part already and they're supposed to be doing a security audit you're hosed anyway.

They are so blindingly stupid I don't even know where to begin. At this point we are including the CTO so he can give his personal OK on this.

The other problem they don't seem to grasp is that every server has a different private key (because I'm not a god damned moron.) So either we give them 20+ private keys, or we change the private key on all of our servers to THE SAME PRIVATE KEY.

FlapYoJacks
Feb 12, 2009

MononcQc posted:

lmao get you an audit company that knows their poo poo, they have proven they're not competent enough to help you and whatever poo poo they run would be a liability

Audit companies are all poo poo. I haven't run into a single one that is competent.

A year ago we were going to have an audit on a new product, so I purposefully put selinux in permissive mode just to see if they caught it. They did not.

When I asked them why, the "lead security expert" stammered for a bit and then said "The scanner doesn't scan for SELinux."

They are all so dumb and bad.

FlapYoJacks
Feb 12, 2009
So far this morning the Auditors have yet to respond back to us on the email chain. :allears:

FlapYoJacks
Feb 12, 2009

prisoner of waffles posted:

“this is so unreasonable we think you’re trying to get us to fail the audit by agreeing to it” is great and hilarious

It’s hilarious and also very true. I think they got upset at that.

FlapYoJacks
Feb 12, 2009
The conclusion is this: we were forced to create a user on each server into which we will dump their public key. Once the audit is done we will remove the user immediately along with their lovely key. And I do mean immediately. We will be logged into the server while the audit is being run, and will be deleting the user IMMEDIATELY as soon as they are done.
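The whole argument in the email chain comes down to one rule: the public key travels, the private key never does. Below is an added example (written for this thread, not the poster's or AlienVault's code) of the defender's side of that arrangement as it ends up in the post above: validate the public key the scanner side hands over, refuse anything that is actually private key material, wrap it in a restricted authorized_keys entry, and generate the per-server commands to create the throwaway account and to delete it when the scan is done. The scanner address 203.0.113.10, the expiry date, the `audit-scanner` user name and the ed25519 key are all constructed placeholders.

```python
import base64
import ipaddress
import struct

ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def parse_public_key(text):
    """Validate an OpenSSH public key line and return (type, base64 blob).
    Rejects private key material outright and checks that the declared type
    matches the type string embedded at the start of the decoded blob."""
    if "PRIVATE KEY" in text:
        raise ValueError("this is private key material; ask for the public half instead")
    parts = text.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type}")
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"declared type {key_type} but blob says {embedded}")
    return key_type, blob_b64


def is_acceptable_public_key(text):
    try:
        parse_public_key(text)
        return True
    except ValueError:
        return False


def authorized_keys_entry(public_key_text, scanner_ip, expiry_yyyymmdd, comment):
    """Restricted authorized_keys line: login only from the scanner's address,
    no port/agent/X11 forwarding, and an expiry date so the key dies even if
    someone forgets to delete the account (expiry-time needs OpenSSH 7.7+)."""
    key_type, blob_b64 = parse_public_key(public_key_text)
    ipaddress.ip_network(scanner_ip, strict=False)  # raises on garbage
    if not (len(expiry_yyyymmdd) == 8 and expiry_yyyymmdd.isdigit()):
        raise ValueError("expiry must be YYYYMMDD")
    options = [
        f'from="{scanner_ip}"',
        "no-port-forwarding",
        "no-agent-forwarding",
        "no-X11-forwarding",
        f'expiry-time="{expiry_yyyymmdd}"',
    ]
    return f"{','.join(options)} {key_type} {blob_b64} {comment}"


def provision_commands(user, entry):
    """Per-server commands to create the audit-only account holding exactly
    this key (assumes Linux useradd/install semantics)."""
    home = f"/home/{user}"
    return [
        f"useradd -m -s /bin/bash {user}",
        f"install -d -m 700 -o {user} -g {user} {home}/.ssh",
        f"printf '%s\\n' '{entry}' > {home}/.ssh/authorized_keys",
        f"chmod 600 {home}/.ssh/authorized_keys && chown {user}:{user} {home}/.ssh/authorized_keys",
    ]


def teardown_commands(user):
    """The 'delete the user IMMEDIATELY' step: kill any session, remove account and home."""
    return [f"pkill -u {user} || true", f"userdel -r {user}"]


def constructed_ed25519_public_key():
    """Syntactically valid ssh-ed25519 public key line built from a dummy
    32-byte point (constructed for this example; not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " scanner@auditor.example"


if __name__ == "__main__":
    entry = authorized_keys_entry(constructed_ed25519_public_key(),
                                  "203.0.113.10", "20191115", "audit-scanner")
    print("\n".join(provision_commands("audit-scanner", entry)))
    print("\n".join(teardown_commands("audit-scanner")))
```

Sudo for the scan account is a separate decision: the email chain's suggestion of giving it sudo is what the `from=` and `expiry-time` options are there to contain, and the account still gets removed the moment the scan finishes.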

FlapYoJacks
Feb 12, 2009

Cocoa Crispies posted:

SecFuck M/T v18.3.11 - “fail the audit by agreeing to it”

FlapYoJacks
Feb 12, 2009

refleks posted:

how many C-levels did you get to sign off on this poo poo so it's not your rear end on the line

3

FlapYoJacks
Feb 12, 2009

The CEO, the CTO, and the CSIO

FlapYoJacks
Feb 12, 2009
The previous security audit said our embedded devices had to be encrypted. Auto decryption was just fine though. :v:

FlapYoJacks
Feb 12, 2009
Fun fact! I disabled SELinux on one of the servers just to see if these NEW auditors would pick up on it.

NOPE

FlapYoJacks
Feb 12, 2009
I will be asking them why they are incompetent in... not fireable offensive terms.

FlapYoJacks
Feb 12, 2009

Partycat posted:

My read out of this all is that they aren't intended to audit security as an all encompassing dictionary definition thing.

Some groups are in depth enough they do better jobs than others instead of just scanning ports and fingerprinting but there's some complexity to the whole thing that.... well

if they weren't meant to find it, as good as your intentions are setting traps for them may not look great.

lmao. Since when is checking for SELinux a "trap?"

FlapYoJacks
Feb 12, 2009

Partycat posted:

If they should be looking for it then they suck. If not then ...?

Of course they can never really tell you because you're supposed to fail first or they don't know. one of the two.

lol. Why wouldn't they be looking for it?

FlapYoJacks
Feb 12, 2009

Trabisnikof posted:

"because you don't get an audit to find security issues, you get an audit to pass it" - mgmt

I mean, it's not like one of the most common security issues for any CentOS/RHEL server ever that idiots disable SELinux just because it's slightly inconvenient or anything.

Can't check for it all!

FlapYoJacks
Feb 12, 2009

Blinkz0rz posted:

you're missing the point. why do you think you had an audit in the first place? i'll give you a hint: it doesn't have anything to do with anyone being concerned about security.

I'm well aware it's just for ISO compliance, even so, it's trash and they should feel bad.

FlapYoJacks
Feb 12, 2009

Plorkyeran posted:

the single use of strlen in the codebase is getting the length of a string literal as part of computing the size of a buffer which that string literal (and other things) will be copied into. strlen is the correct function to call for that.

It is not because it's not C++.

FlapYoJacks
Feb 12, 2009
https://arstechnica.com/information-technology/2020/01/researchers-find-serious-flaws-in-wordpress-plugins-used-on-400k-sites/

quote:

Researchers find serious flaws in WordPress plugins used on 400k sites

The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks.

That's a lol.

FlapYoJacks
Feb 12, 2009

Captain Foo posted:

You should have been ejected banned from the conference immediately

FlapYoJacks
Feb 12, 2009

Shaggar posted:

Microsoft authenticator is the only auth app anyone should use

Even better, Microsoft Authenticator is 100% compatible with the Google Authenticator.

FlapYoJacks
Feb 12, 2009

Shaggar posted:

goog auth is just totp which Microsoft auth supports but Microsoft auth also supports push which is superior.

I do like push. It's quite convenient.

FlapYoJacks
Feb 12, 2009

apseudonym posted:

Is your baseline here C++ or something?

Modern C++ is good op.

FlapYoJacks
Feb 12, 2009
Some green go-getter asked if we could install ssh on our ECUs. :allears:

FlapYoJacks
Feb 12, 2009
The thought of a brand new car ECU having ssh is just amazing to me.

FlapYoJacks
Feb 12, 2009
SECFUCK TIME!

I got emails from SpaceX! I am not employed by SpaceX, but I do work on Buildroot which SpaceX uses!

- My name and all of the other Buildroot developers have emails attached to many of the packages SpaceX is using.
- Their email scraper probably didn't filter out emails not ending in SpaceX
- All of the Buildroot maintainers/developers now have every engineer who is working on Starlink's email address lmao.

FlapYoJacks
Feb 12, 2009

mystes posted:

It's very weird that a car company that makes cars where the wheels are routinely misaligned, water leaks in the first time it rains, and random parts fall off the car can't get crypto right.

Actually it kind of is. Tesla is supposedly a software company that happens to produce cars. As such, their software should in theory be better than their manufacturing.

But this is Tesla lmao.

FlapYoJacks
Feb 12, 2009

haveblue posted:

what does TTP mean here?

"The TTP project" of course


FlapYoJacks
Feb 12, 2009
Buy an oem license from eBay for $10? The EU courts ruled they are legal afaik.
