
[Shields Up] Computer Security Thread


Posts

  • TetraNitroCubane Registered User regular
    edited February 24
    So a security bug in the Cloudflare hosting system may have compromised loads of sensitive information from a LOT of relevant websites. This includes Reddit, Discord, and even our very own Penny Arcade forums.

    It is highly recommended that you change your passwords for all afflicted sites.

  • Orca Registered User regular
    That's suboptimal.

    evilthecat wrote: »
    "Bioware I want to suck on your teets of gamingness".

    The 2012 issue of Fornax. | Steam and Origin: Espressosaurus
  • TetraNitroCubane Registered User regular
    edited February 24
    Apparently a very small percentage of all data being transferred through Cloudflare became public via this vulnerability, but it has the potential to impact ALL data traveling through Cloudflare during the duration in question. AND that data may be cached and visible via google currently.

    Passwords, SSL certs, even two-factor authentication secrets could be compromised and visible via plaintext on randomly cached websites.

    Here's a list of impacted sites that is currently evolving.

    Bonus note: This was all caused by a single-character coding bug, apparently.

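    Cloudflare's own postmortem traced the "single-character bug" above to an end-of-buffer check in the generated parser written as == where >= was needed, so a pointer that had already jumped past the end of the buffer was never caught. The C program below is an added illustration of that pattern, not code from this thread or from Cloudflare; the HTML buffer and the "adjacent memory" following it are constructed values.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for process memory: the first HTML_LEN bytes are the
 * page the parser is rewriting (it ends mid-attribute, with no closing quote);
 * the bytes after them stand in for another request's data that happened to be
 * adjacent in the heap.  Every value here is made up for the illustration. */
#define HTML "<img src="
#define HTML_LEN (sizeof(HTML) - 1)
static const char arena[] = HTML "\"Cookie: session=constructed-secret\"";

/* Scan one name="value" attribute in buf[0..len) and return the offset just
 * past its closing quote, or (size_t)-1 if the buffer ends first.
 * fixed == 0 reproduces the one-character bug (==); fixed == 1 applies the fix (>=). */
static size_t scan_attr_value(const char *buf, size_t len, int fixed)
{
    const char *p = buf, *pe = buf + len;

    if (len == 0) return (size_t)-1;
    while (*p != '=') {               /* advance to the '=' of name="value" */
        if (++p == pe) return (size_t)-1;   /* one byte at a time: == is safe here */
    }
    p += 2;                           /* skip '=' and the opening quote: if the
                                         buffer ends right after '=', this lands
                                         at pe + 1, one byte past the end */
    for (;;) {
        /* The bug: once p is beyond pe, `p == pe` can never become true, so the
         * scan reads on into adjacent memory until it happens to see a quote.
         * With >= the overshoot is caught on the first iteration. */
        if (fixed ? (p >= pe) : (p == pe)) return (size_t)-1;
        if (*p == '"') return (size_t)(p - buf) + 1;
        p++;
    }
}

/* Number of bytes the scan consumed beyond the parser's own buffer. */
static size_t bytes_over_read(int fixed)
{
    size_t end = scan_attr_value(arena, HTML_LEN, fixed);
    return end == (size_t)-1 ? 0 : end - HTML_LEN;
}

int main(void)
{
    printf("buggy check (==): scan ran %zu bytes past the buffer\n", bytes_over_read(0));
    printf("fixed check (>=): scan ran %zu bytes past the buffer\n", bytes_over_read(1));
    return 0;
}
```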
  • TetraNitroCubane Registered User regular
    Oh, and just to heap some gasoline onto the fire: SHA-1 is now officially broken, joining the ranks of MD5.
    Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used.

    Not a good time for internet security right now, to say the least.

  • Orca Registered User regular
    And this is why IoT remains dead to me.

    Security is hard and all it takes is one fuckup anywhere in the chain to compromise things. Do I really need my pacemaker to be able to sync with my phone, or internet-enabled door locks? Aside from the software development cycle level of obsolescence. A furnace can easily last 20 years or more--give me the dead simple thermostat to control it and call it a day. Yeah, it would be nice to have remote start and the rest of it, but I don't want someone to be able to infiltrate my network because my 20 year old unpatched thermostat has a bloody vulnerability!

  • Mugsley Registered User regular
    I, for one, want my furnace to shut off and my doors to unlock when my pacemaker has to kick in. This way my body is preserved and the help doesn't have to bust the door down.

  • Entaru Registered User regular
    I am between wanting to tell IoT to go to hell and realizing that with my wife's current health status anything I can do to make life easier for her is a thing I am going to do even with the associated risks.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • a5ehren Atlanta Registered User regular
    edited February 24
    TetraNitroCubane wrote: »
    Oh, and just to heap some gasoline onto the fire: SHA-1 is now officially broken, joining the ranks of MD5.
    Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used.

    Not a good time for internet security right now, to say the least.

    Someone used the SHA-1 collision to hose the WebKit SVN repo. So that's fun.

    Edit: Apparently it was one of the devs uploading the files to create a testcase for WebKit that busted the repo. But hopefully Apache fixes SVN soon.

  • TetraNitroCubane Registered User regular
    Do you ever feel like maybe two-factor authentication just isn't enough?


  • Mr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    So how does the dermatologist confirm he's their dermatologist and not just some random weirdo? Authentication has to go both ways for trust to be established properly dammit!

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • Mugsley Registered User regular
    Welp. I went and updated my passwords for Patreon (which I don't use anymore), Betterment, and Uber. I still need to do Curse, even though I don't use my login anymore. Are there other financial sites that had a potential leak, that I should handle as a course of due diligence? I'm trying to not scrub the entire list.

  • VoodooV Registered User regular
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

  • LostNinja Registered User regular
    I always thought 10 minutes was the general best practice. 5 seems like it would be interfering with people who are actually still at their desk working and just using whatever is on the screen as reference.

    A screensaver (that requires flash?!?) also seems pointlessly wasteful as opposed to just putting the computer to sleep.

    XBox Live: LostNinja05
  • Dizzen Registered User regular
    edited March 26
    I don't know anything about the best practices and such, but hopefully the screensaver has the flash menu turned off, or that could become a more substantial security issue.

    Dichotomy wrote: »
    it'd be like Jurassic Park, but with bananas
  • Mr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    Security best practice is training people to lock their workstations when not at their desks, and disciplining them for failing to do so. Or possibly fitting their seats with a dead-man switch that activates the screen lock when they get up. Let HR figure out the cost differential between those.

    Screen savers are obsolete; they are resource parasites that should have gone extinct when the CRT did but managed to change hosts.

  • Shadowfire Vermont, in the middle of nowhere Registered User regular
    LostNinja wrote: »
    I always thought 10 minutes was the general best practice. 5 seems like it would be interfering with people who are actually still at their desk working and just using whatever is on the screen as reference.

    A screensaver (that requires flash?!?) also seems pointlessly wasteful as opposed to just putting the computer to sleep.

    Also, Flash itself is a security risk.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Mugsley Registered User regular
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

  • LD50 Registered User regular
    Mugsley wrote: »
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

    One easy thing you can do is use this: https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en

    Encrypting as much of your traffic as you can will prevent anyone (including your ISP) from knowing anything more than the domains you visit on encrypted sites (i.e., they don't actually see the subdomains you're requesting).

  • Feral That's what I do. I drink, and I know things. Location: Byakkoya Registered User regular
    VoodooV wrote: »
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

    I've seen recommendations ranging from 10 minutes to 30 minutes for desktop computers, and 5 to 10 minutes for mobile devices. We use 15 minutes and that satisfies our security auditors.

    Also, inactivity locks and screensavers are really different things, even though Microsoft puts the settings in the same place in Windows. So that's another way this whole shit sandwich is stupid. If all they wanted to do was enforce an inactivity lock, they could have done so through the native settings of whatever OS they need to secure. There's no reason to buy a Flash(WTF)-based screensaver for that.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
    the "no true scotch man" fallacy.
  • Feral That's what I do. I drink, and I know things. Location: Byakkoya Registered User regular
    Mugsley wrote: »
    So, I know it still has to get through the House, but I'm slightly concerned by this "ISP data" thing. What VPNs are you guys using and how difficult are they to set up?

    Also, is there a way to set one up at the router level so I don't have to fix every device? (I know that what I'm trying to say here is using the wrong terminology)

    Any of these VPN services are fine: http://www.pcmag.com/article2/0,2817,2403388,00.asp

    Regarding your home router, just look for a router that can be a VPN client. All Asus routers have this feature out of the box.

    Other routers you might need to flash with custom firmware like DD-WRT, but that's a can of worms in and of itself.

    Keep in mind that pushing all of your traffic all of the time through a VPN may have unforeseen side effects. For example, it might impact your latency for online gaming, or one of your streaming media services (Netflix, Hulu, etc) may decide that it doesn't like your VPN service and just block your login.

  • LD50 Registered User regular
    Also, by going with a VPN you're just trusting someone else not to sell your data.

  • Mugsley Registered User regular
    Yeah, I have a friend who's been huge (YUUUGE) on this whole VPN/Privacy discussion. He talks about using Signal a lot for SMS/MMS and has ramped up the VPN discussion. I haven't jumped, yet, but I thought it would be worth the cursory research now, while we wait for things to fall out.

  • Feral That's what I do. I drink, and I know things. Location: Byakkoya Registered User regular
    I'm a huge fan of Signal.

    Besides the encryption features (which are great) it is also one of the least-bullshit messaging apps I've used.

  • VoodooV Registered User regular
    edited March 28
    Feral wrote: »
    VoodooV wrote: »
    Anyone have any insights into inactivity timeouts? Our Dollar Store Lex Luthor governor just implemented a stupid screensaver (designed by his corporate buddies, oh and requires flash player btw) with a 5 minute inactivity timeout. They cited "security best practices" but the two benchmarks I know of only require 15 and there was much gnashing of teeth when I implemented that when it used to be 20. Is anyone aware of any standards that require 5 or are they talking out of their ass as usual and wasting taxpayer dollars and fucking with worker productivity and somehow claiming this is more efficient.

    I've seen recommendations ranging from 10 minutes to 30 minutes for desktop computers, and 5 to 10 minutes for mobile devices. We use 15 minutes and that satisfies our security auditors.

    Also, inactivity locks and screensavers are really different things, even though Microsoft puts the settings in the same place in Windows. So that's another way this whole shit sandwich is stupid. If all they wanted to do was enforce an inactivity lock, they could have done so through the native settings of whatever OS they need to secure. There's no reason to buy a Flash(WTF)-based screensaver for that.

    Oh yeah, it's a complete shitstorm. The screensaver is just your standard "I want everyone to see my vision and mission statement of regulations are bad mmkay, and misuse the word efficiency when I really mean cheap".

    The timeout came directly from the governor, but instead of someone quietly telling him that a 5 minute inactivity timeout is a bad idea, his chief information officer (head IT/technology officer) made an announcement that claimed it was a best practice (of course, he never cited which best practice), which leads me to believe he's talking out his ass and just sucking up to the gov.

    A few months later, Ricketts' office dictated that everyone have the same wallpaper, which basically said the same thing as the screensaver, but again, he must have gotten major pushback because a couple weeks later he rescinded that... though we still have to make the wallpaper the default wallpaper, users are allowed to change it.

    If you've forgotten, our gov is this guy:


  • Mugsley Registered User regular
    I haven't even hit play, and that guy is not someone I want to listen to. He looks like a Bond villain.

  • TheBlackWind Registered User regular
    So, my girlfriend followed a bad flash download and picked up some malware on her Mac. Is Malwarebytes on mac as good as it is on PC? I don't really have much experience with Macs and know it's a newer program, but they've always been great for me.

    PAD ID - 328,762,218
  • Shadowfire Vermont, in the middle of nowhere Registered User regular
    Yeah, MBAM on Mac is totally fine.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter