|
Wiggly Wayne DDS posted:or identify hosts that only whitelist bank ip ranges If they spoof, then wouldn't they never see the replies and therefore not know who whitelists what?
|
#
¿
Apr 22, 2019 16:47
|
|
|
|
| # ¿ Apr 26, 2024 11:16 |
|
|
Rufus Ping posted:in theory this isnt a dealbreaker (antirez's tcp idle scan) but yea i dont see how it would work here, or anywhere else for the past 20 years Hadn't heard of that, thanks.
|
|
#
¿
Apr 23, 2019 18:44
|
|
|
i installed raid drivers on a new pc. they came with apache. i thought of this thread then i thought about eating a bullet 
|
|
#
¿
Jul 28, 2019 17:02
|
|
|
Shaggar posted:i think its more that applications use services to handle privileged tasks without giving the user UAC prompts. and then if you're gonna have a service why not make it a web service. For a raid controller this might also be useful if its intended for management over a network. It reminds me of the elaborate poo poo that garbage developers did right after UAC launched to "work around" it, except now it's ~best practice~ among enterprise idiots abigserve posted:if you want to write an electron app without writing the entire backend in Node you will need to run a web server at some point I thought the same thing and uninstalled that poo poo immediately. this system can live without RAID. pseudorandom posted:
It makes you change it on login, but it's still 100+MB of code that eats network poo poo on one end and diddles your SATA controller on the other.
|
|
#
¿
Jul 29, 2019 06:29
|
|
|
Lain Iwakura posted:ah no i didn't mention it to her it seems but Resurrecting this to say that I was in a university group that PoC'd this exact thing several years ago, but administration wouldn't let us move forward with a disclosure because it was too hard/scary to report, and they just assumed that the right people must already know (?). Been waiting for it to finally hit the fan. When we had this setup going, I had to stop a student's live demo because SSNs, addresses, and diagnoses started scrolling by.
|
|
#
¿
Oct 4, 2019 19:32
|
|
|
https://krebsonsecurity.com/2019/11/retailer-orvis-com-leaked-hundreds-of-internal-passwords-on-pastebin/Krebs posted:a file containing a staggering number of internal usernames and passwords for Orvis had been posted to Pastebin. You can read between the lines and imagine the exact mixture of incompetence that led to this.
|
|
#
¿
Nov 12, 2019 16:39
|
|
|
any folks here have a good link or something for a college student asking "maybe i want a career in security?" (other than "no dont", "buy a million alcohol", "you will want to die", etc) i have a lot of deep dive stuff on specific topics, but all the high level stuff i turn up is from poo poo like "mynewcodingcareer.biz"
|
|
#
¿
Nov 18, 2019 21:45
|
|
|
Jowj posted:that is how i started, but, personal opinion: Thanks, that's absolutely perfect! Trabisnikof posted:An almost more important question is how does that student want to spend their day to day life on the job. Lots of ways to “be in security” from academia to dev to consulting to just doing math all day. But if you know you don’t want to code all day or that you value in person group work, that is really helpful when trying to find a career path that works for you. For context, I work with a lot of masters students with very little conception of what a computing career can be beyond "do software". They all want to work at Facebook/Apple/Google/Amazon/etc with a vague notion of programming, and if you ask what sort of programming, they just say "backend" or "frontend" (not realizing that they're just referring to web and not the rest of all of computing). I'm trying to get them to see that computing is actually broad and diverse and that most jobs you'd want are ones you've never heard of yet. As one part of this, I'm trying to introduce students to a variety of different areas, one of which is security, but it was difficult, because security has a larger-than-average shrieking buzzword mill surrounding it, which makes finding good introduction stuff hard. Incidentally, I also teach intro security, and this thread is the best thing ever for that. If YOSPOS ever goes away, getting a constant stream of secfucks to jam into my course is going to become actual work. Like, every year I tell students that Symantec is trash, and every year there's a new insane vulnerability posted here within a week or two of me saying that that reinforces my point.
|
|
#
¿
Nov 18, 2019 23:35
|
|
|
Truga posted:you say that, but the guy who put up a list of all SSNs (a text file with all numbers from 000000000 to 999999999) got banned from fb/twitter or something lmao poo poo, he must have had access to the hacker tool "seq"
|
|
#
¿
Nov 19, 2019 19:56
|
|
|
Shame Boy posted:if anyone weird like me wants to read the site i was talking about it's here oh that's greg buell! he was an awful link of the day like a million years ago and i check in on him every few years. he had a ton of spoken word poem mp3s about his obsession with some woman, his invention of the electric windmill car in the 80s (put windmills on cars so they power themselves), gravity control, non-poisonous cobra, "kennedy and the others", etc. he's got a youtube now where he posts phone videos of closed starbucks and cruise ships in florida from his old-crazy-person tricycle.
|
|
#
¿
Dec 3, 2019 20:03
|
|
|
rafikki posted:lol more solardwinds fun - https://www.trustwave.com/en-us/res...ulnerabilities/ Serv-U FTP? 
|
|
#
¿
Feb 3, 2021 15:56
|
|
|
Hey, I'm teaching a security class that looks at malware, and the emotet sample I've been giving to them to test now goes dormant and doesn't even persist (probably due to shutdown of its C2). I've been scrolling through malware-traffic-analysis looking for a replacement, but everything is too fancy, since it's the students' first reverse engineering ever. Anyone have a suggestion for some Windows malware that runs as an EXE, talks to some C2 stuff, and becomes persistent like with CurrentVersion\Run? That's what the old one did, and it was on their level.
|
|
#
¿
Oct 17, 2021 16:02
|
|
|
Fart Sandwiches posted:when I had to do the same thing for baby’s first re class I just wrote my own “malware” that did all the stuff I needed to. not sure what your timeline is but it only took me like an afternoon. worst advice ever tho haha I thought about it, but I hate Windows internals. I don't want to look up a RegWriteEx call with DWORDS or whatever dogshit API's I'd need to use. After plowing through sample after sample all goddamn day, the Remcos RAT from here seems like it will work. Now I just need to explain to the kids what a cmd.exe is, what a Windows NT Logon registry key is, and why you'd want to use one to create the other. I can't believe I spent a full day purposefully trying to get infected with malware, and it was HARD. Guessing most malware sees a stock VirtualBox environment and nopes out nowadays?
|
|
#
¿
Oct 17, 2021 20:14
|
|
|
spankmeister posted:the low hanging fruit fire and forget malware is 99% crypto miners nowadays. Dang, computing even sucks for criminals now 
|
|
#
¿
Oct 17, 2021 21:25
|
|
|
Ulf posted:hey what would be more interesting to people itt, a byte-by-byte breakdown of DTLS 1.2, or of QUIC? Just wanted to also thank you for these - I have students in my class use them on assignments to learn TLS. Also voting QUIC, because I don't understand that newfangled poo poo.
|
|
#
¿
Apr 7, 2022 18:00
|
|
|
BlankSystemDaemon posted:i added the 202 videos to a playlist Thank you for this.
|
|
#
¿
May 12, 2022 18:38
|
|
|
Unlurking to thank this thread for letting me know about flipper availability. Didn't think I'd be able to snag one. Also lmao the yiffy-hellman “key” exchange
|
|
#
¿
May 29, 2022 12:59
|
|
|
Ulf posted:dang, I thought I guarded again that by fudging^W adjusting the numbers if you put in any multiple of the base point’s order. Once again I take a thing from ulfheim.net and stick it directly into the class I teach. Lurking yospos: something my job should pay me for.
|
|
#
¿
Jun 17, 2022 14:15
|
|
|
Beeftweeter posted:has anyone here used them to do something cool? it looks rad but $170 is a bit steep for something i'm not even sure i'd get much use out of I got mine crazy fast for someone who only heard about it recently in this thread. I have zero RF experience, and:
Not critical to me, but definitely a fun toy.
|
|
#
¿
Jul 15, 2022 04:11
|
|
|
Snuff Melange posted:Nevertheless, the point was that even if a bad deploy to prod costs tens of thousands, it's still best to continually deploy and accept that risk. In what world is this a positive risk/reward tradeoff? What mindblowing superfeatures are on the other end of the equation that getting them out a few days earlier without review justifies a potential 5 figure cost, even at low probability? I know the last 20 years of software history have been "gently caress quality" in larger and larger font, but god, we don't need to step on the accelerator even more.
|
|
#
¿
Nov 6, 2023 17:28
|
|
|
|
| # ¿ Apr 26, 2024 11:16 |
|
|
Shame Boy posted:i would simply adopt the one that has the most CVE's because that means there's fewer left to find 
|
|
#
¿
Feb 11, 2024 06:19
|
|