https://twitter.com/bread_berries/status/1122286859680268289?s=21

# Apr 30, 2019 01:49

# Apr 24, 2024 03:23

evilweasel posted: telling you to make sure to run routine antivirus checks

You don't need to run antivirus if your TV isn't connected to the internet.

# Jun 17, 2019 20:12

BangersInMyKnickers posted: how do you stop your tv from connecting to the internet when the wifi will automatically attach to any open ssid in range, which is a thing some of them do (samsung)

You can disable the wifi on their TVs I think. I have an LG TV and I just went to network -> wifi -> disable.

# Jun 17, 2019 20:17

# Jun 17, 2019 20:53

https://twitter.com/mikko/status/1140597386835877888?s=21

# Jun 18, 2019 13:15
Lol holy poo poo. https://nvd.nist.gov/vuln/detail/CVE-2019-12450

quote: file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

That's been there since 2007 and was just fixed a few weeks ago.

FlapYoJacks fucked around with this message at 22:45 on Jun 23, 2019

# Jun 23, 2019 22:43

mystes posted:

lmao we already do.

# Aug 3, 2019 02:35

Oh good; my new bank's online password system is hosed.

Passwords must be <= 15 characters long
Passwords cannot contain spaces or any of the following invalid characters: : * ! ; | / '

Guess who probably isn't sanitizing input and/or storing passwords in plain text or just MD5'ing them/and or both?

# Oct 17, 2019 21:58

I remember using links to get the Nvidia drivers for Slackware some 15 years ago.

# Oct 27, 2019 03:06
HOO loving BOY! SADDLE UP BOYS! It's time for ~*~*SECURITY AUDIT*~*~ SEASON!

The company doing the audit? They want our AWS server private keys. What the gently caress? Why do you ask? Because they use Alienvault which needs a private key! Fine I say, how about YOU generate a private key and give us your public key, then I can add you to the authorized_keys of our servers.

The result is the email chain so far:

Coworker 1 posted: Hi Boss and Fuckhead,
Some dumb fuckhead posted: Hi Coworker 1,
Some dumb fuckhead posted: Hi Coworker 1,
coworker 1 posted: Fuckhead and co,
Some dumb fuckhead posted: Hi Coworker 1,
coworker 1 posted: I'll proceed with the buildout, in the meantime, Boss, can you weigh in here?
Some dumb fuckhead posted: Hi Coworker 1,
MY BOSS posted: Why is the Private Key being shared? Isn't the whole point of the public-private key pair is to provide a key (the public one) that can
Some dumb fuckhead posted: Hi BossMan,
coworker 1 posted: Can Alienvault generate the private key and then export the public key? That would be the ideal method (and doesn't seem out of the
Some dumb fuckhead posted: Hi Coworker 1,
Coworker 1 posted: Not seeing why sharing a private key is an issue is a very concerning statement to hear.
me posted: Also, not to sound uncouth, but I thought this might be a test.
Some dumb fuckhead posted: Not a test. We aren't auditors. We're on your side.

FlapYoJacks fucked around with this message at 00:58 on Nov 8, 2019

# Nov 8, 2019 00:43
I have now included my entire team in on this. It's fantastic. Even better:

The same dumb fuckhead posted: That's what I've been trying to explain to you all. Having you generate the key would remove a step from transferring it to me. Either way you will have to upload the private key to AlienVault. The account that you use the key on should just have sudo privileges so you can limit what parts of the system it has access to. I can send the public key to Coworker 1 if that will work.

# Nov 8, 2019 00:50

I responded with a not-so-politically-correct response:

me posted: ssh-keygen is available on all major operating systems.

# Nov 8, 2019 01:01

CommieGIR posted: This is the correct response. It's insane that they are asking you to transfer a private key around. Like, do they not understand why it's called a private key?

I have no idea. They also asked for IAM admin access.

FlapYoJacks fucked around with this message at 01:09 on Nov 8, 2019

# Nov 8, 2019 01:03

mystes posted: Honestly if they don't understand this part already and they're supposed to be doing a security audit you're hosed anyway.

They are so blindingly stupid I don't even know where to begin. At this point we are including the CTO so he can give his personal OK on this. The other problem they don't seem to grasp is that every server has a different private key (because I'm not a god damned moron.) So either we give them 20+ private keys, or we change the private key on all of our servers to THE SAME PRIVATE KEY.

# Nov 8, 2019 01:11
MononcQc posted: lmao get you an audit company that knows their poo poo, they have proven they're not competent enough to help you and whatever poo poo they run would be a liability

Audit companies are all poo poo. I haven't run into a single one that is competent. A year ago we were going to have an audit on a new product, so I purposefully put selinux in permissive mode just to see if they caught it. They did not. When I asked them why, the "lead security expert" stammered for a bit and then said "The scanner doesn't scan for SELinux." They are all so dumb and bad.

# Nov 8, 2019 02:58

So far this morning the Auditors have yet to respond back to us on the email chain.

# Nov 8, 2019 19:13

prisoner of waffles posted: “this is so unreasonable we think you’re trying to get us to fail the audit by agreeing to it” is great and hilarious

It’s hilarious and also very true. I think they got upset at that.

# Nov 8, 2019 21:15

The conclusion is this: we were forced to create a user on each server into which we will dump their public key. Once the audit is done we will remove the user immediately along with their lovely key. And I do mean immediately. We will be logged into the server while the audit is being run, and will be deleting the user IMMEDIATELY as soon as they are done.

# Nov 9, 2019 02:19
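A worked version of what the "ssh-keygen is available everywhere" reply and the conclusion post describe: the auditor keeps their private key, you vet the public half they send, install it under a throwaway account with a restricted authorized_keys entry, and tear the account down the moment they finish. This is an added example, not code from the thread or from any audit vendor; the account name audit-temp, the source CIDR and the all-zero sample key are constructed placeholders.

```python
import base64
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}

def key_type_from_blob(blob: bytes) -> str:
    """Every OpenSSH wire-format key starts with a length-prefixed type string."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def vet_public_key(submitted: str) -> str:
    """Return 'type base64' for a valid public key; raise for anything else."""
    text = submitted.strip()
    if "PRIVATE KEY-----" in text:  # PEM / OpenSSH private key header
        raise ValueError("private key submitted; ask for the public half only")
    parts = text.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        raise ValueError("not a supported OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    if key_type_from_blob(blob) != parts[0]:
        raise ValueError("type prefix does not match the encoded key blob")
    return f"{parts[0]} {parts[1]}"

def authorized_keys_entry(submitted: str, source_cidr: str) -> str:
    """Pin the key to the auditor's source network and forbid forwarding."""
    opts = ",".join([f'from="{source_cidr}"', "no-port-forwarding",
                     "no-agent-forwarding", "no-X11-forwarding"])
    return f"{opts} {vet_public_key(submitted)} audit-temp"

def provision_commands(user: str, entry: str) -> list:
    """Shell steps (run as root) creating the throwaway account that holds only this key."""
    return [f"useradd -m -s /bin/bash {user}",
            f"install -d -m 700 -o {user} -g {user} /home/{user}/.ssh",
            f"printf '%s\\n' '{entry}' > /home/{user}/.ssh/authorized_keys",
            f"chown {user}:{user} /home/{user}/.ssh/authorized_keys && chmod 600 /home/{user}/.ssh/authorized_keys"]

def teardown_commands(user: str) -> list:
    """Run the moment the audit ends: drop live sessions, then delete user and key."""
    return [f"pkill -u {user}", f"userdel -r {user}"]

def sample_public_key() -> str:
    """Constructed ed25519 line (32 zero bytes as the key), for demonstration only."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " auditor@example"
```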
Cocoa Crispies posted: SecFuck M/T v18.3.11 - “fail the audit by agreeing to it”

# Nov 9, 2019 02:21

refleks posted: how many C-levels did you get to sign off on this poo poo so it's not your rear end on the line

3

# Nov 9, 2019 20:31

The CEO, the CTO, and the CSIO

# Nov 9, 2019 23:59

The previous security audit said our embedded devices had to be encrypted. Auto decryption was just fine though.

# Nov 10, 2019 01:19

Fun fact! I disabled SELinux on one of the servers just to see if these NEW auditors would pick up on it. NOPE

# Nov 12, 2019 21:21
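The check the scanner in the two SELinux posts above never ran, added here as an example (not the auditor's tool): it reads the boot-time setting from /etc/selinux/config and the live state from the selinuxfs enforce flag, and reports permissive, disabled, or drift between the two. The sample config and flag value are constructed to reproduce the setenforce-0 trick.

```python
import os
import re
from typing import Optional

CONFIG_PATH = "/etc/selinux/config"
# selinuxfs flag: "1" enforcing, "0" permissive; the file is absent when SELinux is disabled
ENFORCE_PATH = "/sys/fs/selinux/enforce"

def parse_selinux_config(text: str) -> dict:
    """KEY=value pairs from /etc/selinux/config; comment and blank lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*=\s*(\S+)", line)
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out

def runtime_mode(enforce_value: Optional[str]) -> str:
    """Map the selinuxfs flag onto the same vocabulary the config file uses."""
    if enforce_value is None:
        return "disabled"
    return "enforcing" if enforce_value.strip() == "1" else "permissive"

def assess(config_text: str, enforce_value: Optional[str]) -> list:
    """Findings an audit should raise; an empty list means enforcing now and after reboot."""
    cfg = parse_selinux_config(config_text).get("SELINUX", "missing")
    now = runtime_mode(enforce_value)
    findings = []
    if now == "permissive":
        findings.append("runtime: permissive, denials are logged but not blocked")
    elif now == "disabled":
        findings.append("runtime: SELinux disabled, no policy loaded")
    if cfg != "enforcing":
        findings.append(f"boot config: SELINUX={cfg}, host will not enforce after reboot")
    if cfg != "missing" and now != cfg:
        findings.append(f"drift: running {now} but configured {cfg}, state changes on reboot")
    return findings

def read_optional(path: str) -> Optional[str]:
    return open(path).read() if os.path.exists(path) else None

def check_host() -> list:
    """Run against the live host; needs only read access to the two paths above."""
    return assess(read_optional(CONFIG_PATH) or "", read_optional(ENFORCE_PATH))

# Constructed samples: setenforce 0 at runtime, config file untouched.
SAMPLE_CONFIG = "# This file controls the state of SELinux\nSELINUX=enforcing\nSELINUXTYPE=targeted\n"
SAMPLE_ENFORCE = "0\n"
```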
I will be asking them why they are incompetent in... not fireable offensive terms.

# Nov 12, 2019 22:35

Partycat posted: My read out of this all is that they aren't intended to audit security as an all encompassing dictionary definition thing.

lmao. Since when is checking for SELinux a "trap?"

# Nov 12, 2019 23:43

Partycat posted: If they should be looking for it then they suck. If not then ...?

lol. Why wouldn't they be looking for it?

# Nov 13, 2019 00:26

Trabisnikof posted: "because you don't get an audit to find security issues, you get an audit to pass it" - mgmt

I mean, it's not like one of the most common security issues for any CentOS/RHEL server ever is that idiots disable SELinux just because it's slightly inconvenient or anything. Can't check for it all!

# Nov 13, 2019 00:31

Blinkz0rz posted: you're missing the point. why do you think you had an audit in the first place? i'll give you a hint: it doesn't have anything to do with anyone being concerned about security.

I'm well aware it's just for ISO compliance, even so, it's trash and they should feel bad.

# Nov 13, 2019 01:06

Plorkyeran posted: the single use of strlen in the codebase is getting the length of a string literal as part of computing the size of a buffer which that string literal (and other things) will be copied into. strlen is the correct function to call for that.

It is not because it's not C++.

# Dec 12, 2019 23:26
https://arstechnica.com/information-technology/2020/01/researchers-find-serious-flaws-in-wordpress-plugins-used-on-400k-sites/

quote: Researchers find serious flaws in WordPress plugins used on 400k sites

That's a lol.

# Jan 17, 2020 18:01

Captain Foo posted: You should have been

# Jan 22, 2020 15:32

Shaggar posted: Microsoft authenticator is the only auth app anyone should use

Even better, Microsoft Authenticator is 100% compatible with the Google Authenticator.

# Jan 23, 2020 18:46

Shaggar posted: goog auth is just totp which Microsoft auth supports but Microsoft auth also supports push which is superior.

I do like push. It's quite convenient.

# Jan 23, 2020 20:01

apseudonym posted: Is your baseline here C++ or something? Modern C++ is good op.

# May 29, 2020 23:46

Some green go-getter asked if we could install ssh on our ECUs.

# Oct 14, 2020 05:35

The thought of a brand new car ECU having ssh is just amazing to me.

# Oct 14, 2020 05:46

SECFUCK TIME! I got emails from SpaceX! I am not employed by SpaceX, but I do work on Buildroot which SpaceX uses!

- My name and all of the other Buildroot developers have emails attached to many of the packages SpaceX is using.
- Their email scraper probably didn't filter out emails not ending in SpaceX
- All of the Buildroot maintainers/developers now have every engineer who is working on Starlink's email address lmao.

# Nov 2, 2020 17:58
mystes posted: It's very weird that a car company that makes cars where the wheels are routinely misaligned, water leaks in the first time it rains, and random parts fall off the car can't get crypto right.

Actually it kind of is. Tesla is supposedly a software company that happens to produce cars. As such, their software should in theory be better than their manufacturing. But this is Tesla lmao.

# Nov 23, 2020 21:27

haveblue posted: what does TTP mean here?

"The TTP project" of course

# Dec 14, 2020 20:25

# Apr 24, 2024 03:23

Buy an OEM license from eBay for $10? The EU courts ruled they are legal afaik.

# Dec 28, 2020 19:33