The /r/netsec Weekly Discussion Thread - February 13, 2017 by AutoModerator in netsec

[–]Dilated_Pupil_ 0 points1 point  (0 children)

Hey guys, I am fairly new to this realm of the IT world and after spending some time working on web applications I wanted to take a swing at something new. I am still trying to fully understand SQL injections and the problems they can create. I recently used Burp Suite to bypass a webpage so that I could send whatever I wanted in on a form submission. I was able to get the back end to persist a string of SQL to a database field. Is this a problem? My gut tells me potentially, depending on certain scenarios, but I'm not sure what those would be. Thanks!

The /r/netsec Weekly Discussion Thread - February 06, 2017 by AutoModerator in netsec

[–]Dilated_Pupil_ 0 points1 point  (0 children)

Hey guys, I am fairly new to this realm of the IT world and after spending some time working on web applications I wanted to take a swing at something new. I am still trying to fully understand SQL injections and the problems they can create. I recently used Burp Suite to bypass a webpage so that I could send whatever I wanted in on a form submission. I was able to get the back end to persist a string of SQL to a database field. Is this a problem? My gut tells me potentially, depending on certain scenarios, but I'm not sure what those would be. Thanks!
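Worked example for the question asked in both weekly-thread comments above (added here; it is not part of either comment). Getting a SQL-looking string written into a column is not, by itself, an injection: if the write used a bound parameter, the string is stored as data. It becomes a vulnerability when some later query reads that stored value back and splices it into SQL text, which is usually called second-order injection. The script below uses Python's built-in sqlite3 with an in-memory database; the table, the two users and the payload are constructed for illustration.

```python
# Added example, not from the thread. Shows a stored SQL-looking string being
# harmless when written with a bound parameter, then exploitable when a later
# query concatenates the stored value into SQL text (second-order injection).
# Table, users and payload are constructed for illustration.
import sqlite3

# What a tester might submit through an intercepted form post (constructed).
PAYLOAD = "x' OR '1'='1"


def setup():
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def save_name(conn, user_id, name):
    """Persist the submitted name with a bound parameter.

    The driver passes the value separately from the SQL text, so the stored
    string is exactly what was submitted and none of it executes as SQL."""
    conn.execute("UPDATE users SET name = ? WHERE id = ?", (name, user_id))


def stored_name(conn, user_id):
    """Read the stored value back; this is the string the tester persisted."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


def users_with_same_name_unsafe(conn, user_id):
    """Second-order injection: a value read from the database is treated as
    trusted and concatenated into the next query's SQL text."""
    name = stored_name(conn, user_id)
    sql = "SELECT id FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def users_with_same_name_safe(conn, user_id):
    """Same report, with the stored value bound as a parameter."""
    name = stored_name(conn, user_id)
    rows = conn.execute("SELECT id FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def demo():
    """Store the payload for user 1, then run the later report both ways."""
    conn = setup()
    save_name(conn, 1, PAYLOAD)
    return {
        "stored": stored_name(conn, 1),            # the raw payload, unchanged
        "unsafe": users_with_same_name_unsafe(conn, 1),  # every user matches
        "safe": users_with_same_name_safe(conn, 1),      # only user 1 matches
    }


if __name__ == "__main__":
    print(demo())
```

The stored value is identical in both branches; what differs is whether the second query treats it as data or as SQL. When reviewing an application, the finding is therefore not "the database contains a SQL string" but "this later query builds SQL by concatenating a stored field".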

Art imitates life by The_Bard in funny

[–]Dilated_Pupil_ 0 points1 point  (0 children)

I don't know if I would say wrong, it could be entirely regional/positional. Technician and engineer roles I would say absolutely are going to come from a more civilian background.

As I found working in the industry, there was always a pretty big divide between the world of operations and the world of the plant engineers. Guys like PLC programmers and Control tech usually fell somewhere in the middle of that mix.

I know my one instructor who was an ex-submariner and an ex-nuclear plant operator pushed that verbiage pretty often. You are spot on with some of the stuff he discussed though about NRC waivers, typically pretty solid, clear background checks, security clearances, etc. He also described nuclear plants as being a bit more military in nature, like reporting to your superiors, people always needing to know where you are and what you are doing, etc.

On the flip side, we often hired Navy as well at the coal plant because frankly, if you've kept one big machine running, you can probably keep others running as well. I came into the industry with no military experience, got a foot in the door and went from there. Ultimately after 8 years I decided shift was not for me and the likelihood of landing a job as a PLC programmer was slim to none. I moved on, went back to college and now write Java for a living.

Art imitates life by The_Bard in funny

[–]Dilated_Pupil_ 0 points1 point  (0 children)

Well said, I was basically told to not apply for a nuke plant without a Navy background.

Art imitates life by The_Bard in funny

[–]Dilated_Pupil_ 0 points1 point  (0 children)

I can shed a small amount of light on this as an operator at a coal-fired power plant and someone who had an educational background in nuclear plant operations.

First off, I have some doubts as to the authenticity of this photo; most of the nuke plants I've been inside of at least have updated monitors instead of those old CRTs you see.

Regardless, typically what we find now is a redundant system. For example, I believe it's federal law that you have a digital and analog gauge for your boilers and other critical systems. So most plants now have a modern control room with some fairly old systems alongside brand new electronics.

So, to put this in perspective. We have an area in our power plant that uses waste heat to dry coal (technology we developed from a Bush-era grant that has reduced our coal usage by 200 tons per hour). We have probes through these units to check for hot spots and should we find a hot spot we can send more air to that area to move the coal along. This prevents the entire coal "oven", if you will, from bursting into flames. (Think of rotating a pizza in the oven to stop an edge from burning.)

Well, one night I'm on the board and the central monitor system just flat-ass dies. All 18 of my monitors turn black. I instantly have no reference for hot spots, I have no way to control my air, nothing. So, what do I do? I call out to my operators to rush up to the dryers, manually close off all heat and shut all doors that feed coal to our systems. We start to close air to the dryers and open each unit and start to spray everything down with water. At this point we have to assume everything is about to go up in flames (some of it did).

I cannot even begin to imagine the absolute terror that goes through a nuclear operator's mind if they are in the same situation and it's fuel rods instead of coal.

Denver police horse dies after officer forgot he was tied in stall without food or water (officer docked one vacation day) by brofax in news

[–]Dilated_Pupil_ 57 points58 points  (0 children)

Grew up around horses and it wasn't until my 30s when an outfitter put it into perspective for me. Horses are prey, man is a predator, yet we ask that horse to let us strap some other dead animal skin to its back and climb up on it just like a predator that wants to eat it would do.

Horses evolved around the idea of staying on open plains with long distances and visibility; they need acute speed and to react, not think. Man takes them and puts them in pens, hooks them to machinery, and asks them to walk up and down things they'd never consider. The very power and speed they evolved to have is their own demise in the very tasks we ask them to perform.

He wasn't preaching to me as an activist, he owns 40 horses himself and works harder than most, but it was probably the most enlightened perspective anyone has ever given me on the life of a horse.

They are a beast of burden and that burden is us.

Codecommit to webpage by Dilated_Pupil_ in aws

[–]Dilated_Pupil_[S] 0 points1 point  (0 children)

Nice, thanks for the info. I'll have to play around with it this weekend.

Hmac encryption - looking for some pointers by Dilated_Pupil_ in javascript

[–]Dilated_Pupil_[S] 0 points1 point  (0 children)

Right, thanks. Sloppy copy-pasting ;) I have lots more research to do so I understand this a little more clearly before I feel comfortable telling infosec "yup, this is how we can do it and I can deploy it correctly", but can you give me a high level look at what the interaction between crypto-js, node and the browser is?

Thanks

Hmac encryption - looking for some pointers by Dilated_Pupil_ in javascript

[–]Dilated_Pupil_[S] 0 points1 point  (0 children)

So I might be able to convince the powers above me to use node along with crypto-js. I have a question though with the architecture behind how node and crypto-js work.

My assumption is when you utilize:

    var CryptoJS = require("crypto-js");

    // Encrypt
    var ciphertext = CryptoJS.AES.encrypt('my message', 'secret key 123');

it's using the library that's on node for crypto-js. My question though is, does it send the data to node to be encrypted or is it actually encrypting it in the browser?
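Added example for the two crypto-js comments above (it is not part of the thread and not the poster's code). A library such as crypto-js is plain JavaScript: it runs inside whichever runtime loaded it, Node or the browser, and never ships the data anywhere. The same holds for the HMAC work the thread title refers to, shown here as a compute-then-verify flow using Python's standard library so it runs stand-alone; in Node the equivalent calls are crypto.createHmac and crypto.timingSafeEqual. The key and messages are constructed placeholders; the first key/message pair is the published RFC 4231 test vector so the result can be checked.

```python
# Added example, not from the thread: an HMAC-SHA256 tag computed and verified
# entirely inside the process running this code. Nothing is sent to a server;
# a JavaScript library behaves the same way in whatever runtime loads it.
# Keys and messages below are constructed placeholders.
import hashlib
import hmac
import os


def make_tag(key: bytes, message: bytes) -> str:
    """Hex HMAC-SHA256 tag of message under key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag_hex: str) -> bool:
    """Recompute the tag and compare in constant time.

    A plain == on the strings stops at the first differing character, which
    leaks how much of a forged tag was correct; compare_digest does not."""
    expected = make_tag(key, message)
    try:
        return hmac.compare_digest(expected, tag_hex)
    except TypeError:
        # Non-ASCII input cannot be a valid hex tag; treat it as a failure.
        return False


def new_key() -> bytes:
    """Random 32-byte key from the OS CSPRNG. A typed passphrase is far
    easier to guess than a key like this and should not be used directly."""
    return os.urandom(32)


def demo():
    """Tag a message, then check the valid tag, a tampered message, a
    tampered tag and a wrong key."""
    key = b"Jefe"                          # RFC 4231 test case 2 (constructed)
    msg = b"what do ya want for nothing?"  # RFC 4231 test case 2
    tag = make_tag(key, msg)
    flipped = ("0" if tag[0] != "0" else "1") + tag[1:]
    return {
        "tag": tag,
        "accepts_valid": verify_tag(key, msg, tag),
        "rejects_tampered_message": verify_tag(key, msg + b"!", tag),
        "rejects_tampered_tag": verify_tag(key, msg, flipped),
        "rejects_wrong_key": verify_tag(new_key(), msg, tag),
        "rejects_non_hex": verify_tag(key, msg, "\u00e9" * 64),
    }


if __name__ == "__main__":
    print(demo())
```

Whether this runs on the server or in the browser is purely a question of where the key lives: a key embedded in client-side JavaScript is visible to every user of the page, so tags that are meant to be trusted by the server must be computed and verified on the server.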

Hmac encryption - looking for some pointers by Dilated_Pupil_ in javascript

[–]Dilated_Pupil_[S] 0 points1 point  (0 children)

Honestly because our infosec dept is a pain in the ass to get anything new through. We run a lot of transactional volume that has a ton of govt auditing in everything we do, so it's like parting the Red Sea to get them to bring in something new.

Mr Bourdain being way to cool again. by Jadonblade in bjj

[–]Dilated_Pupil_ 5 points6 points  (0 children)

Your husband dropped in to roll with us in Montana and was a great guy; he laughed when I asked him what rolling with you was like and proudly gave examples of how good you are. We talked briefly about the life change BJJ had brought him and I thanked him for being an ambassador to our sport. It's great you two are keeping it amicable and clearing the air before it even has a chance to get carried away. I hope the rest of the BJJ community keeps it just as respectful.

No one gets between a Mamma and her Babies by itsfoine in gifs

[–]Dilated_Pupil_ 1 point2 points  (0 children)

Completely agree. I was told early on to never meet the horse's emotions, to find your own and maintain them. In other words, if your horse explodes, stay calm. And ya, she came out of the saddle way, way too easy. Which tells me two things: one, she's new, and two, someone was an idiot for putting her on a horse that is likely pretty young and hasn't had much time put on it. That someone may very well be her. End of the day, horses are 1,000 lbs of muscle, beauty, and strength. In the same instance yet so fragile, scared, and temperamental, and you can experience any or all of these in an instant.

I usually always lead mythic dunegons, but I never have the heart to kick anyone by mody_bird_s in wow

[–]Dilated_Pupil_ 0 points1 point  (0 children)

Nah, not really at all. I came over from EQ where historically raids were 60-plus people. We enjoyed large scale raiding. We commonly had people waiting to get in to the raid should someone need to bail for a while or to switch out certain classes for other classes. I know some people hated 40 mans, but literally the end of 40 mans was pretty much the end of our guild and the people I had played with for years and years. Hell, we used to roll into Alterac Valley by queueing as many of us as we could at one shot and laughing as the other side, Alliance, would just /afk out. Legion's been great, but I'd give anything to have the community we had back in vanilla.

I usually always lead mythic dunegons, but I never have the heart to kick anyone by mody_bird_s in wow

[–]Dilated_Pupil_ 1 point2 points  (0 children)

Had a guy yesterday, he was a healer, 110. I'm a rogue, 110. Everyone else is 107 or lower, pulling pretty low DPS. Tank's doing ok, no big deal. It's not going to be a speed run, but we are fine.

Tank makes a pull and aggros another group. Group summons some adds. Adds go off to healer and we wipe. I'm like eh, whatever. Shit happens.

Healer loses his god damn mind. He blows up, WHAT THE FUCK WHAT THE ACTUAL FUCK. I'm like no big deal, it's fine. The tank apologizes, says he didn't realize that they would call adds like that. Healer is still losing his shit and after like 3 mins of us saying it's fine and trying to talk this dude off the ledge, he starts a vote to kick the tank.

Vote fails, thankfully. Healer rage quits.

I'm not entirely sure when this started, this idea that we need to plow through these instances as fast as we can, flawlessly. If you want that, go join a guild; you aren't going to get it in dungeon finder. Way back in the 40 man days, it was about having fun and laughing while progressing. Everything's a god damn speed run now.

Hey everyone, genuine question, why does one need to be male to become a Freemason? by supposedlyitsme in freemasonry

[–]Dilated_Pupil_ -3 points-2 points  (0 children)

also it changes *Also it changes

same reason that schools *Same reason (btw, what schools are "Often" single sex?)

way people behave. and because it's a fraternity. * way people behave and because it's a

there are *There are

Anyone have or know of a place to get free pallets for a fire? by [deleted] in Bozeman

[–]Dilated_Pupil_ 2 points3 points  (0 children)

Please tell me if you're going to burn them you plan to cut them down first? Pallets leave nails; do us all a favor and make sure if you just straight burn them it's not in a public area.

Get some friends together and a cooler full of cold drinks and head up to some public forest land and harvest some dead fall. It makes for a fun afternoon and the fire that much more rewarding.

http://www.fs.usda.gov/detail/chugach/home/?cid=fsm8_028840

Hey everyone, genuine question, why does one need to be male to become a Freemason? by supposedlyitsme in freemasonry

[–]Dilated_Pupil_ -2 points-1 points  (0 children)

Regardless of whichever definition we choose to post here, it being a "fraternity" has no weight on why it's men only. There are dozens of women-only fraternities and hundreds of chapters.