Little Pig, Little Pig! Let Me Admin! (Security Thread)

Thad
Posts: 13170
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Sep 10, 2015 12:35 am

Mongrel wrote: So the mistake I was making was thinking your replies were meant to apply to all data services when you were only picking at email very specifically?


That sounds right, yeah.

It bears noting, of course, that Microsoft's not doing this because they've got our best interests at heart; if they were worried about our privacy, we wouldn't have to look up a fucking step-by-step tutorial on how to turn off all the shit they're harvesting from us.

The problem for MS is that if it has to start handing that shit over to governments, people are going to start paying more attention to all the data they're gathering and there's going to be pushback against it. (Though you're absolutely right that this will be a bigger deal in foreign countries than in the US.)

The same's true, to a lesser extent, for Apple, and to a greater extent for Google.

Thad
Posts: 13170
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Sep 10, 2015 1:29 am

Stagefright attacks now in the wild.

I wonder if Cyanogenmod has fixed the vulnerability in KitKat or if I have to update to Lollipop.

Thad
Posts: 13170
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Sep 10, 2015 12:17 pm

sei wrote: Using bcrypt put them heads and shoulders above the shit we hear about places like Sony.


Yeah, about that:

Ars wrote: Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack. The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days. In the next week, they hope to tackle most of the remaining 4 million improperly secured account passcodes, although they cautioned they may fall short of that goal. The breakthrough underscores how a single misstep can undermine an otherwise flawless execution. Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.

The cracking team, which goes by the name "CynoSure Prime," identified the weakness after reviewing thousands of lines of code leaked along with the hashed passwords, executive e-mails, and other Ashley Madison data. The source code led to an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers.

Grath
Posts: 2388
Joined: Mon Jan 20, 2014 7:34 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Grath » Thu Sep 10, 2015 1:02 pm

Thad wrote: Stagefright attacks now in the wild.

I wonder if Cyanogenmod has fixed the vulnerability in KitKat or if I have to update to Lollipop.

Holy crap, Verizon actually already pushed a patch for my Galaxy S5 for Stagefright. I'm almost shocked.

Thad
Posts: 13170
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sat Sep 12, 2015 1:13 am

Thad wrote: Stagefright attacks now in the wild.

I wonder if Cyanogenmod has fixed the vulnerability in KitKat or if I have to update to Lollipop.


Answering my own question: as of August 31, the latest release builds of Cyanogenmod 11.x and 12.x have patched the Stagefright exploit. So yes, update your shit, but no, you don't have to switch to Lollipop if you don't wanna.

Sharkey
Posts: 768
Joined: Mon Jan 20, 2014 6:11 pm
Location: Send Lawyers, Guns and Money

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Sharkey » Sat Sep 12, 2015 8:52 pm

Thad wrote: Stagefright attacks now in the wild.

I wonder if Cyanogenmod has fixed the vulnerability in KitKat or if I have to update to Lollipop.


It sounds like we live in fucking munchkinland.

Thad
Posts: 13170
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sun Sep 13, 2015 1:17 am

So are you more into Ubuntu's unpronounceable animals, or Debian working its way through the cast of Toy Story?

Or, ooh. All the Chrome devices named after Nintendo characters. It's that one, right?

Blossom
Posts: 2297
Joined: Mon Jan 20, 2014 8:58 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Blossom » Sun Sep 13, 2015 3:49 am

Sharkey wrote:
Thad wrote: Stagefright attacks now in the wild.

I wonder if Cyanogenmod has fixed the vulnerability in KitKat or if I have to update to Lollipop.


It sounds like we live in fucking munchkinland.


At least it's still alphabetical.

Thad
Posts: 13170
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Thu Oct 01, 2015 12:15 pm

New stagefright vulns discovered. The good news is they can't be triggered automatically with a text message anymore; you have to actually open a trojan. Still not good news.

Thad
Posts: 13170
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Sat Oct 03, 2015 1:50 am

Patreon's entire backend database copied; site code too.

According to Patreon officials, user passwords were cryptographically protected using bcrypt, a hashing function that's extremely slow and computationally demanding to use. Its use was one of the saving graces of the breach, since it meant crackers would have to devote vast amounts of time and resources to crack the hashes. With the inclusion of source code, however, it's possible crackers may find programming mistakes that could significantly accelerate the process. That's precisely what crackers did last month to bcrypt-hashed password data taken during the hack of the cheaters dating website Ashley Madison. Access to the source code may also expose the encryption key said to protect social security numbers and tax IDs.


ETA: Aaaand they were warned about the vulnerability 5 days before the attack.

Granted, 5 days isn't a lot of time, but oh man you better believe that's going to come up in the inevitable class action suit.
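The Ashley Madison quote earlier in the thread and the Patreon one above describe the same failure: a subset of fast, unsalted MD5 hashes sitting in the same table as the bcrypt ones, so the bcrypt rows bought nothing for those users. The following is an added example, not code from the thread or from either site, of the defender's response: audit the credential store by scheme so a weak subset cannot hide, then wrap the legacy MD5 rows in a slow salted KDF offline without needing any plaintext. It uses hashlib.pbkdf2_hmac as the stand-in slow hash because bcrypt is not in the Python standard library; the `$md5+pbkdf2$` record format, the iteration count and the sample store are assumptions made up for the example.

```python
import hashlib
import re
import secrets

BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")  # modular crypt format
MD5_RE = re.compile(r"^[0-9a-f]{32}$")  # bare unsalted hex digest, the weak subset
WRAPPED_SCHEME = "md5+pbkdf2"  # record tag invented for this example
ITERATIONS = 100_000           # assumption; tune to your hardware

def classify_hash(stored: str) -> str:
    """Return which scheme protects one stored password record."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if MD5_RE.match(stored):
        return "md5"
    return "wrapped" if stored.startswith(f"${WRAPPED_SCHEME}$") else "unknown"

def audit_store(records: dict) -> dict:
    """Count rows per scheme so a weak subset cannot hide among bcrypt rows."""
    counts = {"bcrypt": 0, "md5": 0, "wrapped": 0, "unknown": 0}
    for stored in records.values():
        counts[classify_hash(stored)] += 1
    return counts

def wrap_legacy_md5(md5_hex: str) -> str:
    """Harden an MD5 row offline: salt and stretch the digest itself, no plaintext needed."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", md5_hex.encode(), salt, ITERATIONS)
    return f"${WRAPPED_SCHEME}${ITERATIONS}${salt.hex()}${dk.hex()}"

def migrate_store(records: dict) -> dict:
    """Return a copy of the store with every bare MD5 row wrapped in one pass."""
    return {u: wrap_legacy_md5(h) if classify_hash(h) == "md5" else h
            for u, h in records.items()}

def verify_wrapped(password: str, stored: str) -> bool:
    """Check a password against a wrapped row: MD5 first, then the KDF."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != WRAPPED_SCHEME:
        return False
    inner = hashlib.md5(password.encode()).hexdigest().encode()
    dk = hashlib.pbkdf2_hmac("sha256", inner, bytes.fromhex(parts[3]), int(parts[2]))
    return secrets.compare_digest(dk.hex(), parts[4])

# Constructed sample store: a dummy bcrypt-format row (not a real hash) and two MD5 rows.
SAMPLE_STORE = {
    "alice": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde",
    "bob": hashlib.md5(b"password").hexdigest(),
    "carol": hashlib.md5(b"letmein").hexdigest(),
}
```

After migration the audit should report zero bare MD5 rows; the wrapped rows can be re-hashed with bcrypt proper the next time each user logs in.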

sei
Posts: 1079
Joined: Mon Jan 20, 2014 6:29 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby sei » Wed Oct 21, 2015 6:41 pm

John Brennan, Director of the CIA, has had some of his documents compromised.

Here's the best part, though:

Apart from the CIA chief's email, the teenager claimed to have gained access to Brennan's personal AOL account, which contained the official's own application for top security clearance.

Blossom
Posts: 2297
Joined: Mon Jan 20, 2014 8:58 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Blossom » Wed Oct 21, 2015 6:49 pm

Specifically, got access to his personal AOL account, and not his official CIA account. But there's still some stuff in there, allegedly.

Joxam
Imperisaurus Rex
Posts: 1003
Joined: Mon Jan 20, 2014 11:23 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Joxam » Wed Oct 21, 2015 8:38 pm

So... this is two topics down. Like, seriously, when we do set up the new fucking forum can we have real honest to god thread titles? Do you know how many times it takes me five to ten minutes to search through all the bullshit topics we have just to try and post something either in the right topic or to make sure we don't already have a topic about something I might want to make a topic about? I just realized we're porting shit over and not making new forums... anyways, we should think about doing something about the bullshit thread topics... it's annoying as fuck.

Mongrel
Posts: 21290
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Wed Oct 21, 2015 9:42 pm

I'm not sure the issue is with titles - this one states it's about security, right in the title. I think it's that a lot of these topics overlap in such a way that it's tough to figure out where to post some of these stories.

Thad
Posts: 13170
Joined: Tue Jan 21, 2014 10:05 am
Location: 1611 Uranus Avenue

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Thad » Wed Oct 21, 2015 10:08 pm

Well, I mean, that's always going to be the dilemma: do you post stories that may be one-offs in a big assorted-news dump thread, do you start a new thread that may only ever get one or two posts, or do you look around and see if there's a thread where people are already talking about this stuff?

And yeah, Mongrel's got a point; this subject works in this thread, it works in the Assorted News thread, and it probably could just as easily have gone in, say, Who Watches the Watchmen? There's overlap in what subject matter fits where.

Different people are going to post things in different threads for different reasons; I don't think thread titles are the problem in this instance. Jox, you've got the power as an admin to retitle, split, merge, or create threads however you see fit, but speaking from experience it's probably not worth the effort. Especially splitmerging. Fuck splitmerging.

Mongrel
Posts: 21290
Joined: Mon Jan 20, 2014 6:28 pm
Location: There's winners and there's losers // And I'm south of that line

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mongrel » Wed Oct 21, 2015 10:13 pm

I think this thread and Who Watches the Watchmen have a LOT of crossover. I realize that one's about the state security apparatus and this one's about IT security, which are supposedly clear and separate topics, but these days there's a lot of stories that touch on both of those.

Mothra
Woah Dangsaurus
Posts: 3963
Joined: Mon Jan 20, 2014 7:12 pm
Location: Boston, MA

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby Mothra » Wed Oct 28, 2015 3:42 pm

Haven't finished it yet, but there's a really interesting article on Freedom to Tinker about how the NSA keeps cracking so much crypto.

sei
Posts: 1079
Joined: Mon Jan 20, 2014 6:29 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby sei » Wed Oct 28, 2015 10:38 pm

EFF on preventing encryption strength downgrades in one's browser and VPN client.

Title of the article seems a bit hyperbolic, but it probably wouldn't hurt.

sei
Posts: 1079
Joined: Mon Jan 20, 2014 6:29 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby sei » Wed Nov 04, 2015 4:25 pm

Cameron pushing for mandatory crypto backdoors via Investigatory Powers Bill.

You know, making everything less secure...in the name of combating terrorism.

It will be even funnier if they decide to stop allowing England to route traffic encrypted by unsanctioned algorithms.

sei
Posts: 1079
Joined: Mon Jan 20, 2014 6:29 pm

Re: Little Pig, Little Pig! Let Me Admin! (Security Thread)

Postby sei » Thu Jan 14, 2016 2:43 am

US Intelligence director’s personal e-mail, phone hacked (Ars): http://arstechnica.com/security/2016/01/us-intelligence-directors-personal-e-mail-phone-hacked/
