Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
newer hyundais run android. there's an escape for my 2017 ioniq floating about that is more or less useless for me since i use iOS

the password to get into engineering mode is literally the clock's time

https://forum.xda-developers.com/general/connected-car/hack-navigation-multimedia-systems-kia-t3892333

Lain Iwakura fucked around with this message at 15:02 on Apr 30, 2019

Lain Iwakura
considering when i scanned afrinic almost a decade ago, i found multitudes of telnet servers tagged as belonging to vodafone that were not huawei equipment either (like nortel, qualcomm, nokia, and cisco)

Lain Iwakura
pre-masscan, scanning a /8 took a long time

Lain Iwakura
code:
$ ssh user@hostname.somethingawful.com -L 2222:hostname.somethingawful.com:23
secure telnet

[edit]

thanks radium

Lain Iwakura
https://blitter.net/blog/2019/05/04/exploring-the-pippin-roms-part-7-a-lot-to-digest

code:
Apple’s public key for verifying the authentication data on a Pippin boot volume is:
E0 E0 27 5C AB 60 C8 86 A3 FA C2 98 21 79 54 A8 9F D1 B9 DC 8A BA 84 EF B1 E7 C9 E2 1B F7 DD D7 DC F0 E4 4A BB 79 51 0E 7C EB 80 B1 1D
like it's 20-years too late but hell yeah pippin homebrew

Lain Iwakura
https://techcrunch.com/2019/05/07/freedom-mobile-data-leak/

nothing like logging passwords in plaintext in a log collector

Lain Iwakura
https://twitter.com/KateLibc/status/1125963290050359301

i'm having fun with this. i wonder what sort of sensitive data exists within

Lain Iwakura
https://twitter.com/filosottile/status/1125840275346198529

Lain Iwakura

Subjunctive posted:

I’m going to abuse my relationship with Lain to post a job description here. I don’t read YOSPOS anymore so PM me or sbjnctv@gmail.com if you’re a loser without plat.

I’m going to need a software developer focused on security soon. Hit me if that’s you.

- I’d be your boss’ boss, and you’ll never have as supportive a management chain as this one. I’m not kidding even a little.
- you need to make good decisions about tooling vs process vs just writing the diffs and tests yourself
- someone else handles all the certification/audit poo poo, you just deal with real problems and getting ahead of them
- our office is attached to a downtown subway station (line 1, west line best line)
- other software developers want to do a good job and will thank you for helping them not gently caress up
- when you tell a PM they shouldn’t ship because of a security issue, they listen
- strong privacy and tech ethics values, and we spend to honour them
- training? conferences? working from Tbilisi for two weeks because you’ve never been there (actual example)? tell your boss how it makes sense and sure. you’re an adult
- more than a year of runway
- actual paying customers
- you should be able to tell me about how you fixed a security fuckup and made sure it stayed fixed
- we have fired recruiting agencies for bringing us only white dudes for leadership and tech positions
- you don’t need to know about AI, but you’ll sure learn about it, including privacy and bias pieces
- talking to people (internal mostly) is part of the job. you can get coached to gently caress and back, but you can’t dodge it
- you’re moving to Toronto or convincing me that you can kick all the rear end if you’re here 1 out of 3 weeks
- your options are meaningfully in the black on day one because Canadian tax accounting is amazing

e: Lain isn’t even OP, well whatever

there's a decent vegan place near your work too

Lain Iwakura
this new title is great

Lain Iwakura
i gave myself domain admin rights via an obfuscated account i created in grade 11 when the lab teacher went to go coach basketball after school and left the domain controller unlocked while i was in the room

everyone got to play starcraft for my remaining 1.5 years in high school thanks to me

Lain Iwakura
BES only exists for the three people left using a blackberry at your company

Lain Iwakura
https://twitter.com/business/status/1128294423585071104?s=20

bloomberg is a reputable publication that should report on security more often because it does a good job at that

Lain Iwakura

Schadenboner posted:

Is Chronicle’s Backstory IDS any good?

I heard an interesting sponsor thing on Risky Business but that guy gives good interview so it might not actually be good?

:ohdear:

All IDSes are trash in the sense that they're anti-virus for network traffic. They have their purpose though--I like them being in ICS environments because it's easy to set up baselines for what is acceptable. However, your corporate environment will probably generate so much trash that you'll probably never find the good.

Lain Iwakura

COACHS SPORT BAR posted:

so what's the best E2E encrypted chat with a desktop client not written in electron these days

lol j/k i know there aren't any, ftge

https://www.donationcoder.com/software/mouser/other-projects/mircryption

Lain Iwakura
:rip:

https://twitter.com/briankrebs/status/1132026003386241029

Lain Iwakura
i have strong opinions about splunk despite being someone who maintains a splunk environment. it's not recommended

also

https://twitter.com/notdan/status/1134559331989434368

also lol

https://twitter.com/nginxorg/status/1134524968052690944

Lain Iwakura
it's very likely that when i return to work late in the summer that i'll be migrating off of splunk to something else. elastic is a consideration but i am all ears on what everyone else is doing. humio does interest me but i am also nervous about a company green in the enterprise state

right now we're looking to do 600 GB/day by the end of the year and i can tell that the splunk sales rep we have is dying for us to ask for a quote. he also knows that i am extremely unhappy with him as well as my boss so this ought to be entertaining

Lain Iwakura

Wiggly Wayne DDS posted:

lain you've got to stop repeating yourself

https://twitter.com/notdan/status/1134820610570313728?s=21

:rip:

Lain Iwakura
as per usual, a lot of non-technical people are mad that taviso dropped it at the 90-day deadline

https://twitter.com/taosecurity/status/1138490944347619329

Lain Iwakura
have i been pwned is up for sale

https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/

Lain Iwakura

Diva Cupcake posted:

should we really be considering Bejtlich non-technical?

in this case, yes

Lain Iwakura

Wiggly Wayne DDS posted:

he's sitting on a trove of questionably sourced dumps with public access and an expectation for it to forever expand and let's ignore the legal pitfalls with a global userbase

the "questionably sourced dumps" part combined with massive burn out is why i got out of this

Lain Iwakura
https://www.yubico.com/support/security-advisories/ysa-2019-02/

quote:

An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted. This issue occurs only during the power-up of the YubiKey FIPS Series, version 4.4.2 or 4.4.4. After the predictable content in the random buffer is consumed, the buffer will be filled with the intended full random number generator output, and all subsequent use of randomness will not be affected.

For RSA key generation on the YubiKey FIPS Series, the RSA key may be impacted by up to 80 predictable bits out of a minimum of 2048 bits (length will depend on user configuration). We believe 80 predictable bits does not make it imminently possible for an attacker to obtain the private key material or decrypt data that has been encrypted to a key created in this way. During RSA key generation only a portion of these bits may be used, which could further reduce the impact on the algorithm’s output.

For ECDSA signatures, the nonce K becomes significantly biased with up to 80 of the 256 bits being static, resulting in weakened signatures. This could allow an attacker who gains access to several signatures to reconstruct the private key.

For ECC key generation on the YubiKey FIPS Series, the key may be impacted by up to 80 predictable bits out of the minimum 256 bit key length.

For ECC encryption, 16 bits of the private key become known. For secp256r1 private keys, the key may be impacted by 16 predictable bits, reducing the number of unknown bits in the key from 256 to 240 bits. Similarly, for impacted secp384r1 private keys, the number of unknown bits in the key is reduced from 384 to 368 bits. 240 bit keys are not known to be defeated at the time of this advisory.

Lain Iwakura

Hed posted:

This seems like a good time to ask... are there any winners in the non-smartphone hardware token (like RSA SecurID, not Yubi) that aren't the SecurID? That also integrate with hosted exchange or GSuite for multifactor?

they’re all their own flavour of bad

Lain Iwakura
https://twitter.com/mjg59/status/1141786872387010561?s=21

Lain Iwakura

I wonder when I will get a call from them offering credit checks for a year.

also I completely forgot about Sucuri but seem to recall them being clowns years ago

Lain Iwakura

CRIP EATIN BREAD posted:

what could go wrong?

US attorney general William Barr says Americans should accept security risks of encryption backdoors

https://techcrunch.com/2019/07/23/william-barr-consumers-security-risks-backdoors/

he should tell us his social security number then

Lain Iwakura

https://twitter.com/videolan/status/1153715138333220864

they're mad

Lain Iwakura
https://trac.videolan.org/vlc/ticket/22474

Lain Iwakura
just link to a thread about video codecs and keep this thread security-related jfc

Lain Iwakura
so this got posted to the grey thread

saphirecalypso posted:

I have always been a fan of elliptic curve. Is there anything that you suggest which is better?

I am new to these forums.

apparently there is a crypto challenge involved. if you look at his rap sheet it appears that they posted another thread and people took a crack at it

Lain Iwakura
https://twitter.com/taviso/status/1154094837647331328

Lain Iwakura
dating profiles were posted on pastebin

Lain Iwakura

hello fellow gay tattoo haver

Lain Iwakura
their service is off to a stellar start with me

https://twitter.com/KateLibc/status/1155650247403511809

Lain Iwakura
this thread is great if you're an ex-AV industry person like me or just hate AV like me

https://twitter.com/popepoperet/status/1155545502831845381

Lain Iwakura
so i am failing to read anything on dashlane's website on how it even works and i am guessing it's just a lastpass clone

https://support.dashlane.com/hc/en-us

anyone got a clue? i am trying to avoid installing it before i know what is going on

their release notes give some clue but still vague

https://support.dashlane.com/hc/en-us/articles/206553939-Release-notes

but then there is this other poo poo

so are they scanning the passwords server-side or is your client pinging back?

because then there is this poo poo

i am going to say that this is possibly worse than lastpass and that is impressive

Lain Iwakura

Last Chance posted:

Dashlane has always sketched me the gently caress out and I wouldn't touch it with a ten foot pole

that is my logic too. there is nothing about it that really makes me go "yeah that is good"

Lain Iwakura

evil_bunnY posted:

Isn't that hash comparison with hibp?

i am asking if this is server-side or client. my gut says client but i am failing to see any mention of how they manage any of this

quote:

I mean having so many is weird but why wouldn't you want your partner able to access your poo poo if you get yourself 6ft under? Does it work differently than I'm assuming?

there are other, better ways to do this and relying on the server to dictate when to give the keys to someone else is pretty problematic
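The client-side version of the "hash comparison with hibp" question above, as an added example that is not code from the thread, from Dashlane or from HIBP: it models the documented HIBP range scheme (hash locally, send only the first 5 hex chars of the SHA-1, compare suffixes on the client). The range response is constructed inline so it runs offline; the password values are made up.

```python
"""Client-side k-anonymity breach check, HIBP range style.

The server only ever sees a 5-character SHA-1 prefix; the client does the
suffix comparison itself, so neither the password nor its full hash leaves
the machine. A server-side design would invert that trust boundary.
"""
import hashlib
from typing import Dict, Tuple

def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the range API's text format) into a dict."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate blank lines in the response
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen

def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in the corpus for its prefix, 0 if absent."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)

# Constructed sample response for the prefix of the made-up password "hunter2".
# The padding suffixes are derived from other made-up strings so that the
# comparison has non-matching entries to ignore, as a real range does.
SAMPLE_RANGE_BODY = "\n".join([
    f"{split_sha1('not-this-one')[1]}:3",
    f"{split_sha1('hunter2')[1]}:17431",
    f"{split_sha1('nor-this')[1]}:1",
])

if __name__ == "__main__":
    prefix, _ = split_sha1("hunter2")
    print(f"client would GET .../range/{prefix}; the server learns only that")
    print("hunter2 seen", breach_count("hunter2", SAMPLE_RANGE_BODY), "times")
```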
