my high school was wired with pots terminated with rj45 for some reason and all the servers for the district were in a single lil closet with a normal residential air conditioner, which dripped. also all the schools got internet through microwave connections to the high school that went out when it rained. Lol

# May 11, 2019 14:23


# Apr 27, 2024 09:22

Got some pretty Normal folks in the comments

# Jun 29, 2019 18:29

darkforce898 posted:
Are there any resources that can help me implement encryption and decryption of files and communication from a client to a server?

since it's embedded investigate your options in the hardware. you should be able to blow a fuse on production devices that will prevent flash readback. some devices also come with hash verification in hardware for program memory.

# May 16, 2020 15:21

yeah all new proposed browser capabilities should have to meet a very high standard to be accepted over the null hypothesis

# Aug 24, 2020 22:08

flakeloaf posted:
when they start hurting people instead of wealthy corporations that should never have existed in the first place

so you need a paper trail of somebody who died because a prescription or diagnosis was wrong or missed because the computers were down? or do you accept generally lowered capacity from falling back to paper workflows in patient management? how about a prescription or diagnosis that's late, or increased waiting times? i think nobody cries for the hospital corporations paying ransoms, but those computer systems exist for a reason, and even if they should have been hardened or airgapped or whatever they still shouldn't be attacked.

# Oct 30, 2020 14:21

xtal posted:
Do they know that it was politically motivated?

doublepost but that's actually the point they're trying to raise. does it matter if it was politically motivated? the effects are the same. that said, the reason they (or at least pat) are bringing it up is because they've been kind of brain poisoned by talking to government people and explicitly are saying "we should treat it as terrorism, because if it's terrorism we can drone strike the people that did it". which is definitely some kind of magical thinking because yeah sure you can't arrest some crew in russia ransomwaring hospitals but uh you really can't drone strike them either!

# Oct 30, 2020 14:24

Soricidus posted:
does it matter if a homicide was premeditated? the effects are the same

fair enough, but i guess their point is that the response right now doesn't really differentiate between manslaughter, negligent manslaughter, etc etc - it's all "just ransomware". there should probably be a level of seriousness of a ransomware attack that isn't politically motivated (or at least not primarily politically motivated) but causes deaths or harm to actual people, that is both more serious than ransomwaring bob's jetski and less serious than a politically-motivated actor doing a megacrime.

# Oct 30, 2020 15:04

Shame Boy posted:
i had to explain very slowly to the CEO at my last job that the reason we had so many problems with our java applet getting blocked n' poo poo (in like 2014) was that it wasn't 1999 anymore and browser java turned out to be a bad idea

i honestly don't understand what was particularly bad about java applets that isn't replicated with js. just the sandbox i guess

# Dec 31, 2020 17:17

CRIP EATIN BREAD posted:
i had a cleaning lady steal a bunch of money from me when she told her boyfriend about some money i had in my home, and they kicked in my back door and took it.

Sick story bro sounds like they got totally owned. Servants should never strike their betters (?)

# Jan 26, 2021 19:15

flakeloaf posted:
"text-security sans serif" *

# Mar 21, 2022 20:33

Luigi Thirty posted:
https://www.newyorker.com/magazine/2022/06/13/the-surreal-case-of-a-cia-hackers-revenge

it's so funny when the ooh big scary intelligence establishment gets all in its feelings. like if you have a choice between an open and shut "insane amounts of child porn and sexual assault" case and a "tedious and mostly circumstantial leaking case" why would you not just do the child porn one and have some rear end in a top hat in a grey suit spit something about "oh and he probably leaked some stuff wink" into some "reporter"s gaping mouth to be credulously reposted? nope, gotta put that lesser crime of, again, insane amounts of obviously discovered child pornography, on the backburner because we must Prevent The Betrayal Of The Countr- oh what's that? nobody cares and it was a mistrial? Hmm

# Jun 7, 2022 01:08

go play outside Skyler posted:
mandiant in french means shaggar

# Jun 8, 2022 03:55

Jabor posted:
There are people that will sell you canbus firewalls that sit between an at-risk component and the rest of the bus, and only allow specific messages through. So you can allow the head unit to send a "increase temperature in zone 2" message to the climate control unit, while blocking if it tries to send a "apply brakes" message.

you may know this, but others may not - the thing with can that makes firewalls like this reasonable to do is that the fundamental point of can is hardware enforced message id based prioritization on the bus. every can message starts with an arbitration id, which is 11 or 29 bits depending on the protocol, and if two things try and talk on the bus at once, the first time one of them sends a 0 in its arbitration id when the other is sending a 1, the 0 wins because of how the physical signalling method works. because of this, assigning can ids sort of conflates what a message's contents are and what its priority is, so they are (IN THEORY) assigned pretty mindfully.

then, can node controllers all typically have the ability to, in hardware or device firmware, listen for message ids based on arbitrary bitmasks that can be accepted or rejected.

all of this comes together to say that (IN THEORY) one could make a canbus firewall device where, if you designed your can messaging schema with an eye towards expansion and took full advantage of the hardware, you could very efficiently say like - on the left side of this device is the infotainment subnet - no message with the function code or category 0x0-0x5 may go from left to right, since those function codes are reserved for car control and have a bunch of space to add new car control messages to other subcomponents without having to update your firewall. like a vlan or a subnet but if ip address also determined what a message meant. probably this is not usually done perfectly but it is possible

# Aug 15, 2022 12:41

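As an added example (not code from the thread, nor from any vendor's firewall product), this Python toy models the two mechanisms the canbus post leans on: bit-serial arbitration where a dominant 0 beats a recessive 1, and hardware-style mask/code acceptance filters loaded as a one-way deny list. The id layout it uses (a 4-bit function code in the top bits of an 11-bit id) is an assumption made for the demo, not any real vehicle's schema.

```python
# Added example, not code from the thread: a toy model of CAN arbitration and of an
# arbitration-id mask/filter firewall like the one described above. The id layout (a
# 4-bit function code in the top bits of an 11-bit id) is an assumed schema for the demo.
from dataclasses import dataclass

ID_BITS = 11              # standard arbitration id width (extended ids are 29)
FUNC_SHIFT = ID_BITS - 4  # assumed schema: top 4 bits of the id carry the function code

@dataclass(frozen=True)
class Frame:
    arb_id: int  # 11-bit arbitration identifier
    data: bytes  # classic CAN payload, 0..8 bytes

    def __post_init__(self):
        if not 0 <= self.arb_id < (1 << ID_BITS) or len(self.data) > 8:
            raise ValueError("not a valid classic CAN frame")

def make_id(func_code, subcode):
    """Compose an id under the assumed schema: 4-bit function code, 7-bit subcode."""
    if not 0 <= func_code < 16 or not 0 <= subcode < (1 << FUNC_SHIFT):
        raise ValueError("field out of range")
    return (func_code << FUNC_SHIFT) | subcode

def arbitrate(frames):
    """Frame that keeps the bus when all start transmitting together. Ids go out
    MSB first and a dominant 0 overrides a recessive 1, so a node that sends 1
    while another sends 0 loses and backs off. Numerically: lowest id wins."""
    contenders = list(frames)
    for bit in range(ID_BITS - 1, -1, -1):
        bits = [(f.arb_id >> bit) & 1 for f in contenders]
        if 0 in bits and 1 in bits:
            contenders = [f for f, b in zip(contenders, bits) if b == 0]
    if len(contenders) != 1:  # empty input, or duplicate ids (a bus error on real CAN)
        raise ValueError("arbitration did not yield a single winner")
    return contenders[0]

@dataclass(frozen=True)
class FilterRule:
    """One mask/code pair, the shape of a controller's hardware acceptance filter."""
    mask: int
    code: int

    def matches(self, arb_id):
        return (arb_id & self.mask) == (self.code & self.mask)

# Deny list for infotainment -> vehicle-control traffic. Function codes 0x0..0x5 are
# reserved for car control and need only two rules, because the ranges line up with
# bit patterns: 0b00xx covers 0x0-0x3 and 0b010x covers 0x4-0x5.
DENY_LEFT_TO_RIGHT = (
    FilterRule(mask=0b1100 << FUNC_SHIFT, code=0b0000 << FUNC_SHIFT),
    FilterRule(mask=0b1110 << FUNC_SHIFT, code=0b0100 << FUNC_SHIFT),
)

def forward_left_to_right(frame):
    """True if the firewall passes a frame from the infotainment side to vehicle control."""
    return not any(rule.matches(frame.arb_id) for rule in DENY_LEFT_TO_RIGHT)
```

The point of the two-rule deny list is the one the post makes: if the schema reserves a contiguous, bit-aligned block of function codes for car control, new control messages land inside the block and the firewall never needs updating.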
goblin week posted:
https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/

this is insane lmao hope

# Dec 7, 2023 15:23

Wiggly Wayne DDS posted:

this talk had really good content but a lot of (laugh line) (expectant smile) (completely dead room) on similar bits with similar delivery that worked in other talks, either this was like the first or last talk of the day or c3 has an insider/outsider problem and this guy was an outsider. it was really interesting though and I think the summary low-sells that he also made sgx key extraction and emulation as a portable script. really good talk

quote: Back in the Driver's Seat: Recovering Critical Data from Tesla Autopilot Using Voltage Glitching by Niclas Kühnapfel, Christian Werling, and hnj

quote: Operation Triangulation: What You Get When Attack iPhones of Researchers by oct0xor, kucher1n, and bzvr_

quote: Bifröst: Apple's Rainbow Bridge for Satellite Communication by Alexander Heinrich, and jiska

quote: The Extremely Large Telescope (ELT) by lk, and panic

fun! didn't catch the q&a. didn't know they intend to continuously resurface mirrors. hell of a machine, and ESO sounds like a cool job (although "European Southern Hemisphere Observatory" sounds like it could either be what it is or an intelligence agency from an alternate history where the EU was around in the 1700s that did MUCH darker things)

quote: SMTP Smuggling – Spoofing E-Mails Worldwide by Timo Longin

the standout after the polish trains one. short, sweet, great hacking, great failures of social interaction (in the RD stuff) from them and cert/cc. interesting side effect of the world's turn towards taking security seriously IMO - they didn't have to email every vendor they figured would be affected separately, and in fact only did it for ones they thought would pay a bounty, but that relies entirely on cert/cc not being clowns. oops

quote: Breaking "DRM" in Polish trains by Redford, q3k, and MrTick

The Certified Good Stuff. Good sharing of time between multiple presenters, well presented, incredible content, engaged audience. A good technical talk but also a good talk, if you see what i'm saying

quote: AlphaFold – how machine learning changed structural biology forever (or not?) by Jan Gebauer

another good technical talk that was also a good talk. from your summary i thought it was going to be much harsher on alphafold and google than it was. a really interesting look at the realities of how ml stuff can be a tremendously helpful tool, both upsides and downsides. love the buildup to the structural biology koan.

quote: NEW IMPORTANT INSTRUCTIONS by Johann Rehberger

good one, and one undersung part is the multiple languages thing he was doing to sneak stuff in. an excellent presentation on the downsides of openai's stupid loving plugin model. lmao at openai generally. i thought the comparison to sql injection was a really great one and i will be parroting it frequently.

quote: What your phone won’t tell you by Lukas Arnold

kind of another one in the category of "[product/service] does [x really cool thing] so we looked at [the userspace computer programs that only interact with the cool thing in an abstracted fashion]" which was weird because i think if it had lived mostly in baseband world it would have been better off, but i guess it ended up mostly being a pitch for cellguard, and that's the world cellguard has to live in.

a lot of great stuff overall, thank you for the summaries!

# Jan 2, 2024 14:14

DJ Burette posted:
yup lol. it also means that anybody trying to make a product that wraps it like some stupid hugging face app tunes their prompt to a local minimum that may move tomorrow and require retuning

# Feb 22, 2024 13:45

...why

# Mar 23, 2024 01:27

shackleford posted:
yeah making open source maintainers enable 2FA is about github catering to their big enterprise customers and their need to secure their software supply chains. what's next, forcing them to sign their commits with PGP?

i mean it probably wouldn't be the worst idea. it already has webui for distinguishing signed commits and options in repo management to reject unsigned commits per-branch. make it ssh signing instead of pgp signing like someone else said, have nice instructions about how to do it (and github is pretty great at docs) and why not. the thing is that github lives in this space where it's hosting for massive and massively important projects that really should be assured, not just for "enterprise SBOM requirements" but for the safety of the public. but it's also hosting for volguus' sparetime fuckaround projects. and finally it's also hosting for some things like the apocryphal "runk", the tiny little project that's used under the radar by virtually everything but is maintained by one person. that's the sort of thing that really should have 2fa and signed commits forced on for.

# Mar 23, 2024 16:13

i mean i'm kind of hypocritical about this, i don't have commit signing set up and i probably wouldn't unless something forced me, but i wouldn't cry because mommy made me eat my veggies if they forced it on either

# Mar 23, 2024 16:14

haveblue posted:
it seems kinda weird to propose that github reach out to the runk guy and say "your little spare time project has become too important. we cannot allow working on it to be simple and easy any more. start acting like a team that dedicates resources to security or else". but I guess this is how the tech industry and the nature of software has evolved

yeah but i would hope the reality of the mechanism is more "your little spare time project has become too important. we need you to take these incremental steps towards security for the good of the public that depends on your work. here are some instructions on how to do this it will take about 10 minutes"

# Mar 23, 2024 17:21

yeah to be clear i'm not advocating any of this to make like nasa or facebook or google's lives easier, gently caress em. it's more like "you made leftpad2. leftpad2 is used by i18n-react-knex-t11n which is a 5 loc wrapper that bridges two translation apis. that's used by a two line package that adds a promise interface for translation. that's used by a library that implements a specific material design component. that's marked as a dependency for a core material design library. your spare time fuckaround project is running on 100 million user sessions a day. please sign your commits"

# Mar 23, 2024 17:47

in the js community all you'd need is a change of fashion towards vendoring node_modules tbh. all that poo poo happens at build time anyway, all these projects are using lockfiles anyway, nothing's binary anyway. higher bar for systems programs which have exactly the same set of problems tho

# Mar 23, 2024 21:05

that sounds pejorative but it's truly (and maybe rarely for this forum) not meant to be. the js community is networked and social and good about sharing ideas in a way that most other languages can only dream of. that means it's easy to get into and full of opportunity for underprivileged groups, and it also means it's full of fads, and the nice thing about fads is they can change positively as well as negatively lol

# Mar 23, 2024 21:26

BlankSystemDaemon posted:
there's a lot of other things that need to exist before signing commits for a sbom to make any meaningful difference in terms of assurance, instead of simple pci cert checkboxing

i shudder to ask since i assume the answer will be 75% freebsd manpage references by wordcount but while i accept the thing about reproducible builds (though it's becoming easier especially for languages whose build outputs are transformed source instead of compiled machine code, like js and python) why exactly does it matter what forge has your source and what exactly do you mean by "what signed commits mean isn't, in a technical manner, defined"

# Mar 24, 2024 12:51

i would venture a guess that the average person spends about 75% of their computer interaction time absolute floor using web-delivered if not web-native applications built with javascript or something that transpiles to javascript. yes that is technically running within a browser but saying "oooooh you're technically interacting with the browser" is like saying "who cares about that application you're technically interacting with the operating system". python is not quite as ubiquitous on the user interaction level but it is increasingly common in science, computation, and webserver workloads because of its easy system interop. probably the only large native-code applications that the average member of the public interacts with anymore are (1) browsers (2) video games (sometimes) (3) i guess photoshop. even office suites are increasingly web-delivered or web-integrated javascript applications.

web-delivered or integrated javascript applications also are developed in an ecosystem of extreme sharing, minimalist libraries and library wrappers, and reliance on automated test coverage that incentivizes people to not really look beyond what a library's documentation says. it is a massive target for software supply chain attacks aimed at stealing credentials (since everything is web-delivered or web-integrated) or denying service or more occasionally stealing compute time. you cannot brush away this entire sector if you're seriously thinking about this sort of stuff.

edit: this basically

mystes posted:
You can still say the same thing about python and javascript you just have to intend it to be an obnoxious/dumb hot take rather than a serious observation

Phobeste fucked around with this message at 16:29 on Mar 24, 2024

# Mar 24, 2024 16:23

BlankSystemDaemon posted:

half the point of signed commits plus reproducible builds is to remove this as a factor, but even setting this aside how far does this go? are you going full "on trusting trust" here? are you allowed to host your repo of record on aws? in a colo with rented hardware? in a colo with owned hardware? or does it have to be a machine under your desk you personally built from parts you selected while wearing a blindfold?

quote: as for codification of signed commits, it’s the same thing we have for signed email, which is defined by an rfc

right, that corporation that owns git (?)

# Mar 24, 2024 16:26

BlankSystemDaemon posted:
in my mind, there’s a fair bit of difference between servers in a datacenter where you’ve got dedicated access on a machine (and where access is a matter of physical security) vs butt infrastructure where you’re sharing resources

i guess but also this may be another "since 2016" thing. owning or renting metal in a colo is much much rarer now. you essentially don't ever do it as a small company or organization that's starting in the last 5 years. there's intermediate levels where you can run github's ci stuff on your own infra if you want, they make the runner images completely available... but that also means you could inspect them if you want, so might as well use their stuff.

quote: i refuse to believe that you’ve never heard about distinct advantage of developing against a standard, rather than treating a specific implementation as a defacto standard like, say, git

sure, but the way commit signing in git specifically works is intricately bound with git as platform and git as implementation. that signature messages are trailers, that they relate to blob contents... both of those only make sense in a system like git where commit metatext is basically email content and where commits store content instead of diffs. it's also a large open source project. it's more on the "should you code against posix or linux" side of things than the "please do not use oracle sql extensions" side of things.

# Mar 24, 2024 18:01

mystes posted:
Is this because they've gotten him to focus on performance or because they've distracted him enough that other people who actually care about performance have been able to step in?

the latter, and it pwns

# Mar 24, 2024 18:34

spankmeister posted:
for anyone wondering the same thing I was: this poc replaces the Ed448 public key, so it doesn't work on vulnerable systems in the wild.

if I’m reading this correctly, the back door requires the payload to be encrypted and signed to match that key, so this wouldn’t be generally possible without the attacker's private key or finding a vector in the backdoor right

# Apr 2, 2024 17:16

Wiggly Wayne DDS posted:
the thing that’s even worse is that I think the thing in there is their specific push notification for affected individuals. figure 2 is notated as a “nation-state notification” and it does explicitly warn of that kind of compromise. meanwhile all the links are to domains like account.live-int.com which look like the type of thing a phisher would use lol. also the notification says “this notification does not mean that Microsoft’s own services have in any way been compromised”, which, lol

# Apr 4, 2024 22:33

this thread is one of the best on the forums, thank you sincerely to wiggly wayne and amir and everybody who makes it this great

# Apr 17, 2024 14:25