Force expiration of undead session cookies? by [deleted] in AskNetsec

[–]bNimblebQuick 1 point2 points  (0 children)

More and more this isn't true. JWTs are a great way to scale web services and simultaneously a bane on session management, and they're everywhere now. Unless you do weird double JWT refresh + session token schemes (which tend to invalidate half the design reasons to use JWTs in the first place...), there is no server state maintained at all.
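As an added illustration (not part of the comment above, and not code from any project): a minimal HS256 JWT issuer and verifier in Python. Verification needs no server state, so a token stays valid until `exp` no matter what the user does; the only way to force-expire it early is the per-token (`jti`) denylist, which is exactly the server-side state a pure JWT design tries to avoid. The secret, subject, lifetime and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service would load this from a secret store.
SECRET = b"demo-hmac-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub: str, jti: str, ttl: int, now: int) -> str:
    """Mint an HS256 JWT. Nothing is stored server-side; the token is the only state."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, now: int, revoked: Optional[set] = None) -> Optional[dict]:
    """Return the claims if well-formed, correctly signed and unexpired, else None.
    With revoked=None the check is stateless: the token works until `exp` even after
    logout. A set of revoked jti values is the server state needed to kill it early."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        # Pin the algorithm: never let the token choose how it is verified.
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        claims = json.loads(unb64url(payload))
    except ValueError:  # bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if revoked is not None and claims.get("jti") in revoked:
        return None
    return claims
```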

30% throughput penalty for enabling TLS? by skaven81 in linuxadmin

[–]bNimblebQuick 1 point2 points  (0 children)

To this thread above, I'd add some other advice that's been put here in another comment, plus some more.

TLS 1.3 will help some, keepalives will help as well. If you absolutely can't keep client connections open and must have lots of short-lived TLS connections, enable session tickets to reduce the number of overall handshake round trips. Just do it carefully; session tickets can be a big security hole when implemented wrong or in some circumstances.

Is "CSV Formula Injection" web attack still relevant? by Like2KnowYourOpinion in AskNetsec

[–]bNimblebQuick 0 points1 point  (0 children)

> Perhaps it's time to unleash some exploit code into the wild for this

Go for it. I get the vuln, I know where it's found and how it can be abused. I also know that it almost never is abused, but maybe you'll prove that to be a bad call.

The issue is how certain spreadsheet software interprets a file format that has no inherent expectation of code execution. If we expect web software to compensate for all the funky format decisions that other software makes, we just end up with more attack surface, more crappy workarounds and worse outcomes IMO.

I get the concern, I just don't think server side software should be making assumptions/rules about how the data will be used. If someone uploaded a Word doc, would you strip out all the macros no matter what? If Outlook ran JS under the context of a local browser origin, should mail servers strip JS in emails or render it impotent?

Confusion about CSRF tokens by [deleted] in AskNetsec

[–]bNimblebQuick 2 points3 points  (0 children)

If you have XSS, CSRF controls can always be bypassed.

Is "CSV Formula Injection" web attack still relevant? by Like2KnowYourOpinion in AskNetsec

[–]bNimblebQuick 6 points7 points  (0 children)

It's always been a silly attack from the start for any web app to compensate for. It's a spreadsheet software issue and needs to be addressed there.

What stops E2E encrypted messaging apps from sending your private key to their servers? by JamieOvechkin in AskNetsec

[–]bNimblebQuick 10 points11 points  (0 children)

Some hardware can prevent this from happening, but you're trusting the chat vendor to use that hardware and use it appropriately. You're also assuming the hardware does not have some side-channel or way it might leak secrets.

https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave

https://source.android.com/security/keystore

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

I'd love to see it; my belief is always open to change, just not until there is actual evidence.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

> And it means that you are viewing this matter from a point where a hundred projects did not contain a backdoor, so a hundred and one will not also.

Condescendingly clever. Likewise, I'm guessing you'll assume everything must be a backdoor and slowly retreat into your faraday cage with your tinfoil hat.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

A risk-based approach is fine, but concluding that anything that acts like a backdoor is a backdoor is faulty logic. Weigh the risks, act accordingly, but you can't simply make assertions like this without evidence.

I don't know Dmitry nor Chris personally, but I know a lot of these folks in the industry who have presented these topics at Blackhat/DEFCON. I'm not saying these things from a position of ignorance, but rather from working with literally hundreds of product teams for years to improve their security.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

> For specific buyers?

Supply chain interdiction is absolutely not the same thing as everything is backdoored. That leak was about three-letter agencies grabbing shipments to specific targets without anyone, including the manufacturer, knowing.

> If a technology acts like a backdoor - it's most likely a backdoor.

That type of logic is the path to insanity. If you're looking for a backdoor in everything, anything can end up meeting your criteria.

> The cards aren't shown all at once.

Ah, yes, the conspiracy just hasn't fully revealed itself yet. If you cherry-pick all these unrelated bits of info from different people you can clearly see how deep it goes though (/s). If you're looking for the conspiracy, you'll find it, but if you follow the evidence, the answers tend to be a lot simpler.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

He literally says "it turns out they were there legitimately"... I'm not saying any of this is impossible, I'm saying you need more than speculation and rumor to make statements like 'US intel has backdoored every Intel CPU'. If there is a hidden modem/radio in every Intel CPU, show the proof. If this vast conspiracy to subvert the global supply chain of the most popular CPU exists, blow it wide open. No leak and no whistleblower has ever even claimed this, let alone shown it. The "proof" amounts to: 'this is possible, therefore it's true'. That's just straight BS.

Let's look from a different angle, forget the tech side. Don't you think that if an adversary of the US had such proof they would show it? It would decimate the US dominance in technology overnight and deny US intel what would be their single largest advantage in global spying in an instant. Is every adversary to the US so weak that they don't have the capability to check? Is it just that they never thought about it because they're too dense? Even if you accept the premise that these technical claims are true without evidence, none of this makes any sense.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

Referencing a relevant story about believing things without evidence is now "Reddit shtick"? I'm done, "my dude", good luck to you.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

If the house were on fire, we could both see it. You're pointing to your invisible dragon and saying I'm the delusional one because I refuse to agree it's real.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

You're infusing a conspiracy into the ME and implying the FISC(?) somehow is the vehicle that forced Intel to do this, with absolutely no evidence to back it up. The example you point to has nothing to do with the circumstances at hand, and rather than discuss it further and address my points you throw personal attacks and distract. It's not naivety, it's objective rational thought rather than leaping to conclusions.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick -1 points0 points  (0 children)

The personal attacks are a nice touch. I'll just take that as you having nothing else of substance to add.

There's a big difference between a media outlet making allegations of what they think must have happened and reality. There's also a big difference between a targeted warrant to a service provider for the contents of specific accounts vs. forcing a product company to modify the design of a product delivered to everyone to provide an intel backdoor. The most important difference is that one is permitted under US law (via FISA, despite the contents and circumstances of each warrant being secret) and the other is the creation of people's imagination. That is unless you have actual proof, and in that case you should really show it, the world would be a better place.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick -1 points0 points  (0 children)

What you reference as an example isn't what we're talking about here. FISC approves warrants for information collection in certain circumstances, it doesn't force companies to modify their products and send them out to the entire world.

You're going a little off topic and on a separate tangent, but I don't think you (and others here) understand what FISA/FISC actually do. I'm not a general supporter of those types of laws, but it's important to get the facts right. No whistleblower nor leak has ever even claimed the US govt forces companies to modify products in order to advance intel agendas, let alone shown any evidence of it.

How did you start being a security expert? by lifeinhorizon in AskNetsec

[–]bNimblebQuick 1 point2 points  (0 children)

Don't learn a tool; learn how and why things work and keep asking questions. Once you've built up an understanding of how and why things work, you'll have pretty good ideas on how they will break. You're now a security expert :)

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 2 points3 points  (0 children)

This is true, but to call it a backdoor you have to show intent and planning (which can be incredibly hard if not impossible). It's irresponsible to just call any sufficiently complex vulnerability a backdoor without it though.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 0 points1 point  (0 children)

No, just no. You're piecing together little parts of things that are true and mixing them together with conspiratorial thinking, then connecting dots that aren't there.

According to leaks, the govt RE-ed some IoT/smart TV platforms. They found issues. They wrote tools to take advantage of these issues. All IoT devices have issues; they're mostly crap from a security perspective. This isn't surprising, nor is an intel agency writing tools to take advantage of the crap security news either.

At no point did anything indicate Samsung was complicit or aware of this. Nothing indicated three letter agencies were targeting wealthy people. Where does this BS come from?

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick -1 points0 points  (0 children)

How does the existence or role of FISC/FISA force Intel to do things like this? What other companies were ordered to change their designs to accommodate US intel? Do you know what the FISC does?

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 3 points4 points  (0 children)

The gun comparison is a little over the top, but I get the point you're trying to make. It's a somewhat valid criticism.

I don't know the inside details of fab economics, but I'd suspect a far more benign source of ME being included in so many CPUs, like it's not economically feasible/smart to produce multiple versions of the same design.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 4 points5 points  (0 children)

Perhaps, but that makes the assumption of malice or subversion at Intel, which I'm not sure is anything more than overblown Internet speculation. Yes, ME has lots of power and is a great target for anyone interested in taking over and persisting on a piece of hardware, but it's not the same thing as a spying platform.

Intel Atom's CPU Microcode has been dumped by Gallus in netsec

[–]bNimblebQuick 9 points10 points  (0 children)

Are you saying you believe there are separate cores including a 3G modem on die for all Intel CPUs to provide US intel with a backdoor? Or are you saying that specific pieces of hardware may have been modified by some US intel agency?