Achmed Jones
Oct 16, 2004



ACAB: All Credentials Are Bcrypted


Achmed Jones
Oct 16, 2004



thanks for the crop, now it's a gang tag

Achmed Jones
Oct 16, 2004



if the people running it are saying things that mean they don't know the difference between encryption and hashing it has to be a troll

...right?

Achmed Jones
Oct 16, 2004



no, you count. and no matter how good it was for us not to read it, it must have hurt you to hold that post in

there are truly no winners in the posting game

Achmed Jones
Oct 16, 2004



seriously don't be sorry. that's what it's called and it's not racist. someone got upset because they didn't know what the words meant. this is not a "it means bundle of sticks" situation.

Achmed Jones
Oct 16, 2004



Cocoa Crispies posted:

accept that it is possible for people to do good things that they don't want to be implicated in

you're obviously correct but do you really think that a usb cable attached to a carabiner will help whistleblowers in a meaningful way?

Achmed Jones
Oct 16, 2004



Volmarias posted:

The first rule of tautology club is the first rule of tautology club

lol

Achmed Jones
Oct 16, 2004



mystes posted:

Maybe he's thinking

nah

Achmed Jones
Oct 16, 2004



dregan posted:

five minutes of disappointing a computer

do not have sex with computer

Achmed Jones
Oct 16, 2004



Last Chance posted:

what would be the risk in appending the 2fa token to the password like that and lopping it off when checking it?

there isn't one. it's not any different from submitting the two items in separate fields. like, it'd be possible to screw up the implementation but only in "screwed up string handling/validation" ways that aren't relevant to the data being a password/2fa code

Achmed Jones
Oct 16, 2004



SAVE-LISP-AND-DIE posted:

How much of a shitshow is it to sign JWTs with a plain old pub/priv key pair, no CA involved? As you may notice, I'm an idiot who has no idea what is going on.

that's fine from a security standpoint, sort of. the actual problem becomes one of orchestration, because everything consuming the JWT needs to trust the keypair. how do you scale that to multiple signers?

1. add another key to a hardcoded list of trusted keys
2. copy the keypair around
3. trust another keypair that signs the keys that actually do the signing

(1) obviously eventually falls down with scale, but can get you pretty far (2) is terrible (3) is a rudimentary CA

and of course you have to have a decent rotation and revocation workflow figured out for when a dev inevitably uploads a server's private key to github
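An added example (not from the post or any project it names) of options (1) and (3) above, with the names Trusted, Certify, Enroll and the "kid" header as assumptions: an EdDSA JWT verifier that accepts only keys on its own trusted list, enrolls a new signing key only when the root key has certified it, rejects tokens whose key has been deleted from the list, and never lets the token choose the algorithm.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// Trusted is option (1): signing keys a verifier accepts, keyed by JWT "kid"; revocation is delete(t, kid).
type Trusted map[string]ed25519.PublicKey

// Option (3), the rudimentary CA: the root signs (kid, signing pubkey), and a verifier
// enrolls a signing key only after checking that certificate against the root it trusts.
func certBody(kid string, pub ed25519.PublicKey) []byte { return append([]byte(kid+":"), pub...) }
func Certify(root ed25519.PrivateKey, kid string, pub ed25519.PublicKey) []byte { return ed25519.Sign(root, certBody(kid, pub)) }
func (t Trusted) Enroll(root ed25519.PublicKey, kid string, pub ed25519.PublicKey, cert []byte) error {
	if !ed25519.Verify(root, certBody(kid, pub), cert) {
		return errors.New("signing key not certified by root")
	}
	t[kid] = pub
	return nil
}

// Sign builds a compact EdDSA JWT: b64url(header).b64url(claims).b64url(signature).
func Sign(kid string, priv ed25519.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}
// Verify pins alg (the verifier decides, never the token), resolves kid in the trusted list, then checks the signature; returns the claims JSON.
func (t Trusted) Verify(token string) ([]byte, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	hb, err := b64.DecodeString(p[0]) // Split always yields at least one element
	if len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("malformed token or alg not allowed")
	}
	pub, ok := t[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown or revoked kid")
	}
	if sig, err := b64.DecodeString(p[2]); err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad signature")
	}
	return b64.DecodeString(p[1])
}
```

The list of trusted keys is what every consumer has to share; option (3) only moves that sharing problem up to a single root key, which is why the post calls it a rudimentary CA.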

Achmed Jones
Oct 16, 2004



yeah but it's 2020 what about beyondcorp.com?

Achmed Jones
Oct 16, 2004



they're dying because they're on fire, not because of budgeting

Achmed Jones
Oct 16, 2004



Shaggar I get that you're trying to distinguish "broken encryption" from "send to Apple, Apple flashes the firmware to bypass authentication," but it ends up being a distinction without a difference when you think through the realistic ways in which each would be implemented

Achmed Jones
Oct 16, 2004



ya that's one reason it's a distinction without a difference

Achmed Jones
Oct 16, 2004



that motherfucker looks like gritty


Achmed Jones
Oct 16, 2004



I switched from redhat and Slackware to gentoo in college (early 2000s) and the difference was amazing. not performance, but having a package manager that actually functioned. rpm hell was real and terrible, so I always ended up building from source anyway on redhat, and Slackware didn't do binaries in a meaningful way (they had a few packages but...yikes). being able to use emerge was like a whole new world

if I were smarter I would've just started with Debian or something but 🤷‍♀️

Achmed Jones
Oct 16, 2004



Soricidus posted:

one if by mac, two if pc

one if by LAN, two of IP

Achmed Jones
Oct 16, 2004



why not? it's just totp

Achmed Jones
Oct 16, 2004



so you play 4K video without networking on a device with neither a hard drive nor a disk drive? that's quite a trick.

Achmed Jones
Oct 16, 2004



I just make up some nonsense that could be plausible. like for my childhood dog's name it might be "sir boddington fluffpaws, duke of the terlet". and then i put that in the password manager

Achmed Jones
Oct 16, 2004



so this is the first i'd heard of raidforums, and i was poking around. they have a subforum for buy/sell/trading hackthebox flags lmao

Achmed Jones
Oct 16, 2004



Subjunctive posted:

no, you're thinking of pretty much every language

Achmed Jones
Oct 16, 2004



redleader posted:

just avoid executing malicious code what's the big deal

gently caress

i never

brb, writing a conference talk

Achmed Jones
Oct 16, 2004



Pile Of Garbage posted:

i had to enable voice callback MFA for a single co-worker in a Duo account because the guy has a fuckin iPhone 5 in TYOOL 2020 which he can't install the app on. i deliberately disabled voice callback and SMS OTP in the account because they're less secure than push MFA smdh

lmao your company fucks up the entire org's security posture to save $200

or was this just for his account and the rest are still disabled?

Achmed Jones
Oct 16, 2004



lmao holy poo poo on the one hand I can't really fault somebody for not knowing the difference between an application and an application programming interface but on the other hand if you don't know what words mean, don't pretend that you do

Achmed Jones
Oct 16, 2004



poo poo

you're right

now im the rear end in a top hat

Achmed Jones
Oct 16, 2004



I don't have any links, but adversarial firmware on a printer isn't generally in my threat model for personal docs. Printers aren't expensive, though :shrug:

Achmed Jones
Oct 16, 2004




read that as dickeyes.app

Achmed Jones
Oct 16, 2004



i mean you could go all secret squirrel or just use plus addressing. they don't ever bother to strip it

Achmed Jones
Oct 16, 2004



i registered my old hAcKeR name as an alias at work

Achmed Jones
Oct 16, 2004



xtal posted:

Flowers for alg=none

name change looking tempting

Achmed Jones
Oct 16, 2004



a decent story poorly-told imo. worth reading but be prepared to skim over the twee affectations

Achmed Jones
Oct 16, 2004



I'd just like to interject for a moment. What you're referring to as mods, is in fact, GNU/mods, or as I've recently taken to calling it, GNU plus mods.

Achmed Jones
Oct 16, 2004



good luck copy and pasting from your password manager into an OS login screen though

Achmed Jones
Oct 16, 2004



I mean there were lots of OSes. I'm not sure they were really competing or you could use them in any meaningful way

Achmed Jones
Oct 16, 2004



Midjack posted:

many of them were in fact pieces of poo poo

:hai:

Achmed Jones
Oct 16, 2004



Trabisnikof posted:

how about a write protect screw instead?

text me

Achmed Jones
Oct 16, 2004



there's a doomthread if you want to gnash your teeth and rend your garments about how you're going to die in the next decade due to global warming or whatever.


Achmed Jones
Oct 16, 2004



I got to the rest of yospos through this thread, a real life friend told me to read it when I started doing hacker poo poo professionally

i may never forgive him
