THESE FORUMS NOW CLOSED (read only)
Fun Stuff => CLIKC => Topic started by: Pilchard123 on 25 Sep 2014, 14:51
-
Hi guys. How're you doing? Got Bash installed? Patched it? Maybe you should think about it. (http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html)
-
My OpenBSD machine doesn't have Bash installed.
-
tcsh? :-D
I love my zsh. But I still have bash installed. Sadly not easy to get rid of it completely.
-
Interestingly, there's a similar vulnerability in cmd.exe, it appears: https://twitter.com/dakami/status/517790323154485248
Impact is likely going to be far lower, though. Anything on Windows that needs scripting isn't using cmd.exe, it's using the Windows Script Host to run VBScript.
-
In other news, it appears that there is an unpatchable vulnerability in all USB devices.
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack
-
That is hilariously sensationalized.
There are vulnerabilities in many USB microcontrollers that can allow reflashing the firmware with untrusted firmware. That's been known for ages.
Sure, it'll take forever to get the bad devices out of circulation, but not all devices use Phison USB controllers, and not all devices even have reflashable firmware.
-
hmm. Have you by chance disabled SSLv3 for this server now? (Or did Cloudflare disable it?) Tapatalk on my mobile can't connect to the forums anymore, and SSLv3 support is disabled. Whoever it was, good decision. POODLE is bad.
-
I've not yet fully checked out what's going on, but you could have the answer.
Yesterday the forums were moved to a permanent https connection, using a new certificate (no longer self-signed). But this morning, I find that I can no longer connect using https using Tapatalk/Android, nor using Opera (Chroms)/Windows XP; whereas Tapatalk/iPhone is OK, as is Opera/Windows 8.1.
The comic works using http but not https on the Windows XP machine, but the forums are no longer available using http.
-
Ah. Explains why my IE is asking for me to allow unsafe content.
-
Windows XP shouldn't be used on the public internet anyway, so...
I believe there's options to disable SSLv3 support in newer versions of IE, as well, so it doesn't even try.
-
Windows XP shouldn't be used on the public internet anyway,
... without appropriate care and protection. Some of us can manage our computing infrastructure reasonably safely.
I believe there's options to disable SSLv3 support in newer versions of IE, as well, so it doesn't even try.
One problem is that such settings are often not exposed, but in the area where you have to know what you're doing. For instance, the command to force TLS only in Chrome is a command line one.
-
Note: the change of the forum to https means that Tapatalk users will need to delete the forum from their app and then add it back in; this will force it to fetch the changed address from the server.
-
I was wondering. It seems to be working again, though.
-
It's happened without? Even better - perhaps what I did just jumped the queue (cache) somewhere.
-
It is worth noting that, looking at what Firefox (now 33) is saying, it's not happy about there being content sourced from non-secure sites on this page.
So, I decided to change my avatar to pull from https://bhtooefr.org instead of http://bhtooefr.org, to help matters (although your avatar contributes to the problem, too)... and it reverts to no avatar. D'oh! (I just uploaded my avatar to the forums directly, though...)
-
There must be a setting I've turned off, because I don't get that warning.
Nor do I have a secure web server to hand; I guess the time is coming to think about that. I think there was a reason I didn't set one up ages ago... Ah, I remember, something to do with having a reverse proxy and multiple web sites - I have multiple URLs on the same port, and SSL negotiation precedes the exchange of headers, so the site name is unknown and the certificate can't be identified - something like that. Plus my port 443 is already dedicated to the mail server's web mail.
I may be out of date about the restrictions, so I'll investigate that.
-
I'll look at the avatar code in the forum software; the problem may be similar to that which I've just fixed to get YouTube back (SoundCloud will follow tomorrow).
-
Fwiw, my home PC has been unable to browse to forums.questionablecontent.net since the patch, in either chrome or IE.
I'm patching and scanning to try to find a problem on my side.
-
So let's bring back some life into this thread with more general computer security and crypto stuff!
I'm currently working on finally getting some order and safety into my data security.
I've rented a lock box in a bank, where I store paper copies and a USB stick containing encrypted digital copies of private keys and such things.
I've never really used GPG before, because I wanted to read some more about it to not do anything wrong. I've decided to use an additional subkey for signing, so I can leave my Master key in the lock box unless I want to sign other peoples keys.
I'll also keep a backup of the configuration of my Yubikey in there, so I can finally start using Keepass with OTP, without having to worry about losing my Yubikey and thus access to all my passwords. Oh. Fallback passwords for anything which is secured with the Yubikey are in the lockbox as well. Probably a backup of the LUKS headers of my encrypted hard drives as well.
What do you guys do to keep your data safe and secure?
-
I'll look at the avatar code in the forum software; the problem may be similar to that which I've just fixed to get YouTube back (SoundCloud will follow tomorrow).
I never mentioned here that I spent time trying to make a patch to fix this, but it got too complex to finish. It's been sorted in the next major release of the forum, which has just entered public beta, but that will be at least a year away on past performance.
I've spent a lot of time in the past week on web security issues at work, getting the https security on three old websites up from an F on the tester I use to B, B and A-. The A- one (running Tomcat v6) could have been an A, but only by dropping support for browsing in Windows XP, and many of the users are still on XP (they're in the NHS, which is rather behind in that matter). The other two are running IIS6, which can't do better; but they are both due for replacement quite soon. My own website (Apache 2.4) has a straight A, of course.
I've been wondering about suggesting Yubikey and AuthLite for two-factor authentication in the IT services I run.
-
It's probably just a *nix problem (including OS X), but there's a nasty NTP vulnerability going around, and that should be patched.
-
This is some scary stuff. (http://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html)
-
https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html
Apparently FreeBSD has been having problems with their random number generator.
-
Granted, -RELEASE is safe.
If you run -CURRENT, though...
In other news... Lenovo installs SSL MITM spyware on laptops: https://forums.lenovo.com/t5/Security-Malware/Potentially-Unwanted-Program-Superfish-VisualDiscovery/m-p/1860408/highlight/true#M1697
-
https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html
Fuck it I don't even. :psyduck:
-
I understand perfectly. We're not customers... we're the commodity.
-
I, of course, bought a new Lenovo laptop just before the news came out. I did check, and my laptop is not infected, but of course, I had Mint 17.1 installed on it, rather than Windows, and it was installed from a fresh disk, so life is good. So far.....
-
I, of course, bought a new Lenovo laptop just before the news came out. I did check, and my laptop is not infected, but of course, I had Mint 17.1 installed on it, rather than Windows, and it was installed from a fresh disk, so life is good. So far.....
Love it!
-
I had a random bit of security irony today. There was a presentation about security assurance in software development. I couldn't watch it because it requires Flash, which I flatly will not allow on my computer because of its record of endless security vulnerabilities.
-
I guess this belongs here as well as the News thread:
Be scared. Be very scared:
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/)
-
Well, that's terrifying.
And, really, I'm not surprised - even my 1999 Golf has a network upon which all devices can see everything else (while it's a year before VW put everything on a CAN bus, there is the K-line (essentially RS-232 at weird baud rates) that every control module in the car is sitting on for diagnostic purposes), and there's no access control other than matching the baud rate, sending the command to the correct control module address (but everything sees everything on the K-line), and occasionally 5 digit passwords that are, for the most part, printed in the workshop manuals).
Even things like the instrument cluster, which contains the immobilizer (well, on US-market cars it's not active until 2000), can be attacked with readily available software, the ROM dumped (on some clusters, this takes an hour of brute forcing a password, but most, it gets in immediately), the secret key code decoded, and the immobilizer protections are effectively defeated.
For all I know, there's a buffer overflow in the central locking (for manual windows)/central convenience (for power windows) module that can be used to attack other K-line or CAN-bus modules, for a wireless attack.
When modern cars don't even bother to isolate the infotainment from the powertrain/safety CAN bus, and have long-range wireless protocols in their infotainment systems... and even when they do (some cars use FlexRay or Ethernet for infotainment instead), they put infotainment data on the instrument cluster, which communicates with the powertrain/safety CAN bus anyway, and is therefore an attack surface on the powertrain/safety bus. And, don't forget the steering wheel/column controller, which is often on the powertrain/safety bus for things like cruise control (typically the airbags are directly connected to the airbag module) and the infotainment bus for infotainment control... And, then, you've got telematics systems that directly have a need to access the powertrain/safety bus to do what they do (crash detection to call emergency services, remote diagnostics, remote unlock (although central locking could be put on another bus), remote shutdown for police)...
-
Yep. I know of cars which have the control unit for the side mirror adjustments in the mirror, and this lead the whole CAN bus out of the vehicle. Those cars can actually be opened by opening the mirror casing, which is only clipped on and attaching to the CAN bus, which of course also controls the central locking. You can take control of a whole vehicle by opening the side mirror casing.
-
The car I bought a few weeks ago was recalled because of a bug in the radio software that causes the seatbelt chimes to not work. I guess I can sort of see them being related (and seatbelt chimes aren't exactly critical), but why on earth should the entertainment system software have access to the critical functions of the car like the engine and brakes? :psyduck:
-
Is it weird that I find this hugely fascinating
-
Is it weird that I find this hugely fascinating
Not at all.
And cesium - it's probably a cost thing. If you wire everything up on one bus you don't have to put in additional cabelage, which saves money.
-
Just a heads-up to the admins. I didn't see which advert it was but one of the ads on questionablecontent.net is a hijack that sends you to a fake Flashplayer download site.
-