Little Pig, Little Pig! Let Me Admin! (Security Thread)

Grath
Posts: 1313
Joined: Mon Jan 20, 2014 7:34 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Grath » Fri Feb 24, 2017 1:12 am

A major vulnerability in the Cloudflare proxying provider used by all sites using Cloudflare left all traffic vulnerable to hacking and leakage, going back for multiple months. Details: https://bugs.chromium.org/p/project-zer ... il?id=1139

List of affected sites: https://github.com/pirate/sites-using-cloudflare

It is recommended you change your password for any site on that list.

Kayma
Posts: 301
Joined: Tue Jan 21, 2014 1:40 am

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Kayma » Fri Feb 24, 2017 6:41 pm

It's a banner month for circumventing basic security practices.

Exhibit B: Google has crafted a practical attack on SHA-1. A nice big "I told you so" to the hardline approach they've taken to shaming-out SHA-1 TLS certificates for the last several years.

Mazian
Posts: 220
Joined: Sat Jan 25, 2014 3:47 pm
Location: Up in the air

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mazian » Fri Feb 24, 2017 7:08 pm

Kayma wrote:It's a banner month for circumventing basic security practices.

Exhibit B: Google has crafted a practical attack on SHA-1. A nice big "I told you so" to the hardline approach they've taken to shaming-out SHA-1 TLS certificates for the last several years.


Exhibit B-and-a-half: Turns out that SVN deduplication relies on SHA-1, and uploading a pair of files with matching hashes irretrievably corrupts the entire repository. Deduplication is enabled by default.

It's an interesting (and terrible!) failure mode, since most prior thoughts about the effect of hash collisions in VCSes were only looking at avoiding doctored files, not how to break the backend itself. Git uses SHA-1 dedup too, and a few years ago, someone discovered similar repo failure modes by testing a deliberately shortened hash.
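As an added illustration (not code from the thread or from SVN/Git), the failure mode Mazian describes, simulated with a deliberately truncated SHA-1 so a collision is cheap to find: a store that deduplicates on the digest alone silently hands back the first file's bytes for the second, while a store that compares content before aliasing refuses the write.

```python
import hashlib

# Constructed setting: truncate SHA-1 to 20 bits so a collision turns up after
# roughly a thousand trials. Real SVN/Git key on the full 160-bit digest; the
# logic below is the same, only the collision is easy to produce.
HASH_BITS = 20


def short_sha1(data: bytes) -> str:
    """Hex digest of SHA-1 truncated to HASH_BITS bits (5 hex chars)."""
    return hashlib.sha1(data).hexdigest()[: HASH_BITS // 4]


class NaiveStore:
    """Dedup on the hash alone: a collision silently aliases two files."""

    def __init__(self):
        self.blobs = {}

    def put(self, data: bytes) -> str:
        key = short_sha1(data)
        self.blobs.setdefault(key, data)  # second writer is dropped unnoticed
        return key

    def get(self, key: str) -> bytes:
        return self.blobs[key]


class CheckedStore(NaiveStore):
    """Same store, but compare bytes before trusting a hash match."""

    def put(self, data: bytes) -> str:
        key = short_sha1(data)
        existing = self.blobs.get(key)
        if existing is not None and existing != data:
            raise ValueError("hash collision: refusing to deduplicate")
        self.blobs[key] = data
        return key


def find_collision():
    """Brute-force two distinct inputs sharing a truncated digest."""
    seen = {}
    i = 0
    while True:
        data = b"file-%d" % i
        key = short_sha1(data)
        if key in seen:
            return seen[key], data
        seen[key] = data
        i += 1


def demo():
    """Returns (naive store corrupted?, checked store refused?)."""
    a, b = find_collision()
    naive = NaiveStore()
    naive.put(a)
    corrupted = naive.get(naive.put(b)) != b  # reading b yields a's bytes
    checked = CheckedStore()
    checked.put(a)
    try:
        checked.put(b)
        refused = False
    except ValueError:
        refused = True
    return corrupted, refused
```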


Thad
Posts: 5163
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sat Mar 25, 2017 12:23 pm

Still has to pass the House, and if it passes the House it doesn't take effect until December 4, but as far as I know that doesn't mean they won't be able to sell your browsing history from today after December 4.

(Well, not yours specifically. But ours.)

There's a follow-up article at Ars: How ISPs can sell your Web history—and how to stop them

And here's a thing I wrote in the comments section:

I wrote:I've been looking for a good solution to be able to use a VPN but still be able to access Netflix, Hulu, and other sites that block shared IPs.

One possibility is to subscribe to a VPN with a dedicated IP. The downside is that you lose the anonymity that comes with a shared IP. Your ISP can't track your activity, but you're leaving a trail everywhere you go that all points back to the same IP address, much as if you weren't using a VPN at all.

Another possibility is to set up a whitelist so that certain IPs go straight through, circumventing the VPN. I'm running pfSense on my router and I found a thread on that subject: Netflix vpn block -> how to "fix"? (The thread is focused on Sweden, so I'm not sure the same IP whitelist would work in the US, but the principle is the same.)

The downside to that isn't just that it requires a certain amount of technical expertise (this is Ars, after all; adding some rules to a router configuration shouldn't be much trouble for anyone reading this), it's that it's clumsy and tedious. It requires keeping track of a whole raft of IP addresses (not just domains!) associated with the sites you want to use, and of course those can change at any time.

And of course it means your ISP still has access to data about how much time you spend watching Netflix.

There is the possibility of doing both: having both a static-IP VPN and a shared-IP VPN, and using router rules to pass some IPs through the shared-IP VPN and others through the static-IP one. That's really overkill, though -- unless anybody knows of a VPN where you can sign up for both without having to pay double?


Sadly, no responses or recommendations.

I'm already subscribed to Private Internet Access (a shared-IP VPN) but I don't relish the idea of fucking around with pfSense router rules, and then having to do it again every time Netflix or Hulu changes an IP. I could sign up for a dedicated-IP VPN since I think that's probably good enough for my purposes, but I'm not sure how much of a performance hit videos would take if I routed them through a VPN, in which case whitelisting them would be the better route regardless of what type of VPN I'm using.

Though, come to think of it, there have been times I've forgotten to turn PIA off and loaded up Netflix and it didn't get blocked (I must have been assigned an IP that Netflix hadn't noticed was shared yet), and I think video was fine.

Mongrel
Posts: 7677
Joined: Mon Jan 20, 2014 6:28 pm
Location: Canadumb

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Sat Mar 25, 2017 12:58 pm

Pirates, as always, are unaffected.


Thad
Posts: 5163
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sun Apr 02, 2017 6:41 pm

Thad wrote:I'm already subscribed to Private Internet Access (a shared-IP VPN) but I don't relish the idea of fucking around with pfSense router rules,


Relish or no, this is what I spent this morning doing. I'll say one thing for it: it was less frustrating than doing taxes.

Thad wrote:and then having to do it again every time Netflix or Hulu changes an IP.


Incidentally, this is probably not going to be an issue. Hulu doesn't appear to change its required subdomains very often, so hopefully I won't need to change them in the future, and for Netflix there are actually a couple of automatically-updated lists that you can set pfBlockerNG up to use.

Anyway, don't know if anybody else here is using pfSense, but I put together a link roundup of the pages that told me how to do it.

Thad
Posts: 5163
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Mon Apr 03, 2017 4:02 pm

...oh my God, the Senate resolution allowing your ISP to sell your browsing data is SJR #34.

sei
Posts: 891
Joined: Mon Jan 20, 2014 6:29 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby sei » Tue Apr 04, 2017 5:58 am

[drawing of a draft taking lady liberty from behind]

Thad
Posts: 5163
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Tue May 16, 2017 10:31 am

Charlie Stross summarizes WannaCry, framing it as a novel pitch rejected for being too implausible.

Seriously, this shit's fucking crazy. NSA finds a Windows zero-day, doesn't disclose it (because it doesn't want it fixed); names it after a Sega CD game*; it gets compromised by somebody (Russians?) and put up on Wikileaks; somebody else (North Koreans?) uses it to create a ransomware worm, which leads to massive global problems until a vacationing security researcher happens to notice a domain name in the code, registers it, and discovers that registering that domain triggers a kill switch that makes the worm go dormant.

* I think; unless there's some other possible source for "Eternal Blue" I'm missing. I know there were a bunch of nerd culture references in their malware names; the TV-spying program was called Weeping Angel.
