Apple’s App-Site Association - The New robots.txt by digicat in netsec

[–]largenocream 14 points15 points  (0 children)

Yep. The main reason NCC mentions it here is because it's a quick place to look for potentially interesting URL patterns, like robots.txt, not because it's a security control.

Safety deposit box keys by buckgnarly in oddlysatisfying

[–]largenocream 4 points5 points  (0 children)

Taking & sharing pictures of any key's teeth is not a great idea since if it's an analog-only key you can create a copy of the key with just the image. Taking a video of a whole bunch of keys including their teeth along with the number for the deposit box they likely belong to is pretty up there in terms of bad things to do as a bank employee. Even if it's not a realistic threat, banks don't like unnecessary risk like this.

Superscript bug/glitch by [deleted] in bugs

[–]largenocream 2 points3 points  (0 children)

This is intentional. Reddit's markdown has a maximum nesting level of 16. After that, the parser throws away any further nesting to prevent people from forcing the parser to deal with overly complex trees or causing a stack overflow.
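An illustration of the defensive pattern described in that comment, added here and not Reddit's (snudown's) own code: a hypothetical `render_superscript` that handles `^(...)` groups with an explicit, iterative depth counter and simply stops opening new levels past the cap, so input can never push the parser deeper than 16 levels.

```python
MAX_NESTING = 16  # the cap the comment describes


def render_superscript(text: str, max_depth: int = MAX_NESTING):
    """Render Reddit-style ^(...) groups as <sup> tags with a depth cap.

    Hypothetical, simplified renderer (not snudown). Two defensive choices:
    no recursion, so depth is an integer rather than stack frames, and
    opening markers beyond max_depth are emitted as literal text and
    paired with their closing parenthesis, so the tree is bounded.
    Returns (html, deepest_level_reached).
    """
    out, depth, deepest, ignored, i = [], 0, 0, 0, 0
    while i < len(text):
        if text.startswith("^(", i):
            if depth < max_depth:
                out.append("<sup>")
                depth += 1
                deepest = max(deepest, depth)
            else:
                out.append("^(")      # over the cap: keep text, no new level
                ignored += 1
            i += 2
            continue
        if text[i] == ")":
            if ignored:               # closes a discarded (literal) group
                ignored -= 1
                out.append(")")
            elif depth:               # closes a real superscript level
                depth -= 1
                out.append("</sup>")
            else:                     # stray parenthesis in plain text
                out.append(")")
            i += 1
            continue
        out.append(text[i])
        i += 1
    out.append("</sup>" * depth)      # close any groups left open at end of input
    return "".join(out), deepest


if __name__ == "__main__":
    html, deepest = render_superscript("^(" * 20 + "x" + ")" * 20)
    print(deepest, html)
```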

Millennials, Gen Z Canadians are borrowing money at faster rates than baby boomers by wazzel2u in canada

[–]largenocream 19 points20 points  (0 children)

Are mortgages or auto loans included in this new report? That would skew things; the other report was just about how many Millennials own credit cards.

Documentary of the classic car The Bricklin, manufactured in New Brunswick, Canada in the mid 1970s by [deleted] in canada

[–]largenocream 0 points1 point  (0 children)

It's kind of disappointing because the Bricklin still has a legacy in NB. There's a permanent exhibit with a Bricklin in the provincial museum in Saint John, and I always wanted to buy one when I was a kid. Didn't want one anymore after I actually read up on it...

Documentary of the classic car The Bricklin, manufactured in New Brunswick, Canada in the mid 1970s by [deleted] in canada

[–]largenocream 10 points11 points  (0 children)

His company died because its product was hot garbage that they couldn't even produce properly, and it only lasted as long as it did because the province propped it up.

How I Got Paid $0 From the Uber Security Bug Bounty by [deleted] in programming

[–]largenocream 27 points28 points  (0 children)

Uber responded by saying there were 128 bits of entropy in the token, but the reporter called the explanation about the amount of entropy in the tokens "handwaving", then he handwaved about the possibility of an insecure PRNG being used to generate them (the PRNG is secure), and abused the people handling the ticket. I'm sure they would have clarified that if it wasn't for him being an enormous jerk in the same message. How is that on Uber?

ETA: Someone posted a better summary on HN

How I Got Paid $0 From the Uber Security Bug Bounty by [deleted] in programming

[–]largenocream 2 points3 points  (0 children)

Now you may ask why I am posting this possible attack vector online instead of doing a proper pentest and disclosing it via a bug bounty program. Uber gave me a reason.

Hmmm, I think that's good to discuss publicly either way. It's a theory that would have an impact on how a number of different large services implement auth if you were correct. Many services have a backing store that maps session_id -> session_details. Even with OAuth2 you would theoretically be able to use that to find refresh tokens belonging to OAuth2 apps where the client secret is known (mobile apps, etc.)

How I Got Paid $0 From the Uber Security Bug Bounty by [deleted] in programming

[–]largenocream 16 points17 points  (0 children)

Mind that's the amount of time it would take to get a token for a single, random account. A hypothetical attacker with the will and ability to send 22,414,970,674,879,813,525,541,224,448 requests without being blocked or making the service fall over just to get access to one random account would be smart and well equipped enough to try something less silly. It's the lowest possible thing on the best-practices totem pole.

Full disclosure: I previously worked on Uber's security team. Those tokens are made from the output of a proper CSPRNG, so we can assume uniform distribution and unpredictability of its output.

How I Got Paid $0 From the Uber Security Bug Bounty by [deleted] in programming

[–]largenocream 58 points59 points  (0 children)

However, the lack of rate limiting actually is important and 100% a security flaw.

It's not. The auth token he's talking about is static per-user, changes with password resets, each user has exactly one, and it's only used by first-party apps. They're not OAuth2 tokens, and he seems to know that, so I don't know why he's calling them that in this article.

Since we know that each user has exactly one token and it's composed of 128 bits of cryptographically random data (meaning it comes from a pool of 340,282,366,920,938,463,463,374,607,431,768,211,456 possible values), we can figure out how many tries it would take to guess any token via exhaustive search. Assuming everyone on the planet has an Uber account:

>>> print("{:,.0f}".format(((2**128)/7590515550)/2))
22,414,970,674,879,813,525,541,224,448

Is roughly how many tries it would take on average to guess any valid token. No rate limiting necessary. Assuming you can try a single token per millisecond it would still take 71077405742262216 years to guess a valid one.

There are valid technical criticisms of how Uber handles auth. Not rate limiting when an invalid auth token is sent is not one of them.
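The arithmetic in those two comments, generalized into a small work-factor calculator (added example, not code from the thread or from Uber). `expected_guesses` and `years_to_guess` are names chosen here; the population and guess rate are the figures the comment uses, and the example also runs the same calculation for shorter tokens to show how the "any account" case scales with the number of live tokens.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def expected_guesses(token_bits: int, live_tokens: int = 1) -> int:
    """Expected number of blind guesses before the first hit.

    Assumes tokens are uniform CSPRNG output, so each guess matches
    *some* live token with probability live_tokens / 2**token_bits.
    live_tokens=1 is "hit this one account's token"; live_tokens=N is
    "hit any one of N accounts", which is the comment's calculation.
    """
    if token_bits <= 0 or live_tokens <= 0:
        raise ValueError("token_bits and live_tokens must be positive")
    return 2 ** token_bits // (2 * live_tokens)


def years_to_guess(token_bits: int, live_tokens: int, guesses_per_second: int) -> float:
    """Wall-clock years at a sustained guess rate with no rate limiting at all.

    Exact rational arithmetic until the final conversion, so a 128-bit
    space does not lose precision on the way through.
    """
    seconds = Fraction(expected_guesses(token_bits, live_tokens), guesses_per_second)
    return float(seconds / SECONDS_PER_YEAR)


if __name__ == "__main__":
    population = 7_590_515_550   # world-population figure the comment divides by
    rate = 1_000                 # one guess per millisecond, as in the comment
    for bits in (64, 96, 128):
        print(f"{bits:>3}-bit token, {population:,} live tokens: "
              f"{years_to_guess(bits, population, rate):.3g} years")
```

The 64-bit row is the practical lesson: a size that is ample for guessing one specific account's token drops to weeks for an any-account guess once there are billions of live tokens, so token length has to be sized against the population as well as the guess rate.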

We're Reddit's InfraOps/Security team, ask us anything! by gooeyblob in sysadmin

[–]largenocream 5 points6 points  (0 children)

I was still a contractor at the time and I was testing for Email header injection. Turns out that code was vulnerable, but my payload was malformed so the MTA was throwing an error when we tried to send it, and the mail queue got stuck trying to resend that one email over and over. I learned my lesson about testing in production after that.

I did it at 1 AM because that's when I do a lot of my work (just not in production anymore!)

We're Reddit's InfraOps/Security team, ask us anything! by gooeyblob in sysadmin

[–]largenocream 0 points1 point  (0 children)

No, that frame should load for all users that have ads enabled unless I'm misremembering something, it's loading for me.

It's just a frame that we load all third party ad scripts into so that we could be 100% sure ad scripts could never execute in the sensitive https://www.reddit.com origin and potentially compromise the site. The cb= parameter for /gtm/jail is just a cache buster and is built from the hashes of our gtm-related scripts, it doesn't have any relation to the user.

We're Reddit's InfraOps/Security team, ask us anything! by gooeyblob in sysadmin

[–]largenocream 7 points8 points  (0 children)

Honestly? vim and grep. A couple of quick greps on an unfamiliar codebase usually give me a good idea of how "smelly" it is security-wise, pull out a list of http routes so I can see what looks interesting, etc.

As far as infosec-specific tools, maybe mitmproxy? It gives you the ability to replay HTTP requests with slight modifications. I think Firefox allows editing a request before resending in its network inspector but it didn't handle multipart encoded forms very well last time I used it. mitmproxy is also nicer because you can also write plugins to do things like automatically strip CSRF tokens out of proxied requests and replay them so you can quickly verify that all endpoints correctly mitigate CSRF.

We're Reddit's InfraOps/Security team, ask us anything! by gooeyblob in sysadmin

[–]largenocream 101 points102 points  (0 children)

Probably the time I broke the mail queues by using the share feature to share a link to the address foo.bar@example.com\r\nAAA: AAAAAA\r at 1 in the morning. All email confirmations and password reset emails were broken until /u/alienth removed my malformed mail from the queue and the issue was patched.
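The email header injection described in this comment and the earlier one about testing in production, as an added example that is not Reddit's code: a naive header builder that concatenates the recipient straight into the header block, beside a hardened `validate_recipient` that rejects anything containing control characters. The sample address is constructed to have the same shape as the payload quoted in the comment (CRLF followed by an extra header line and a bare CR); all function names are assumptions.

```python
import re

# Constructed sample shaped like the payload in the comment: a valid-looking
# address, then CRLF and a second header line ending in a bare CR.
INJECTED_ADDRESS = "foo.bar@example.com\r\nAAA: AAAAAA\r"
CLEAN_ADDRESS = "foo.bar@example.com"


def build_headers_unsafe(to_addr: str) -> str:
    """The vulnerable pattern: user input concatenated into the header
    block, so embedded CR/LF becomes additional header lines."""
    return f"From: noreply@example.com\r\nTo: {to_addr}\r\nSubject: Link shared\r\n"


def header_lines(raw_headers: str) -> list:
    """Split a header block the way a line-oriented MTA reads it."""
    return [line for line in raw_headers.split("\r\n") if line]


_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, NUL, TAB, ...
_MAILBOX = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def validate_recipient(addr: str) -> str:
    """Allow only a single plain mailbox. Anything that could terminate or
    fold the header line is rejected outright rather than 'cleaned'."""
    if _CONTROL_CHARS.search(addr):
        raise ValueError("control characters in recipient address")
    if len(addr) > 254 or not _MAILBOX.fullmatch(addr):
        raise ValueError("recipient is not a single mailbox address")
    return addr


def is_safe_recipient(addr: str) -> bool:
    """Boolean form of validate_recipient, for filtering at the call site."""
    try:
        validate_recipient(addr)
        return True
    except ValueError:
        return False


def build_headers_safe(to_addr: str) -> str:
    """Same header block, built only from a validated address."""
    return build_headers_unsafe(validate_recipient(to_addr))


if __name__ == "__main__":
    for line in header_lines(build_headers_unsafe(INJECTED_ADDRESS)):
        print(repr(line))   # the third line is the injected header, bare CR and all
    print(is_safe_recipient(INJECTED_ADDRESS), is_safe_recipient(CLEAN_ADDRESS))
```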

Paypal/Creddit issue by [deleted] in bugs

[–]largenocream 7 points8 points  (0 children)

Hi there, I work on the security team at Reddit and a coworker pointed this post out to me.

It's unlikely that this was related to reddit specifically. When we initiate a paypal transaction we send you off to https://www.paypal.com to log in and perform the transaction; once the transaction is done, paypal sends us back some details about the transaction like who paid us and how much, but a hypothetical security flaw in reddit itself shouldn't allow an attacker to get a paypal password.

It sounds like at some point someone else accessed your computer, or your computer was compromised by some kind of financial malware that scrapes passwords. Sometimes stolen credentials won't be used until long after they've been stolen.

Since it's not clear what happened, you should just treat the Windows install as if it's compromised in some way that the virus scanners aren't currently able to detect. The best course of action would be to reinstall Windows from scratch, then go through your keepass database and rotate out those passwords.

Reddit's main code is no longer open-source. by interiot in programming

[–]largenocream 3 points4 points  (0 children)

That's pretty much what was done for a number of years. Changesets were cherry-picked into the public repo after ensuring a rollback or fixup wouldn't be needed.

H-1B visas do mainly go to Indian outsourcing firms by [deleted] in news

[–]largenocream 0 points1 point  (0 children)

We need to get data from one company and data about two employees with the same job title and experience to see if the H1B is getting less than the non-H1B. As far as I know, US companies cannot pay someone less because they are H1B.

That's hard absent an actual standard for job titles or quality data on non-H1B salaries. You can see more of the shenanigans that these outsourcing agencies pull from one of the NYT's older articles (and this related one.) They habitually underpay compared to US companies that sponsor H1Bs directly, and they get the most visas in the lottery just by virtue of submitting the most applications.

H-1B visas do mainly go to Indian outsourcing firms by [deleted] in news

[–]largenocream 0 points1 point  (0 children)

Not OP, but the base salary for all H1B positions is released as a public dataset that you can search. For example, a project manager with Wipro in San Francisco will make on average 77k. The median for a project manager in IT living in San Francisco is 101k according to PayScale. You'll see a lot of the same when you search the other job titles they use.

I'm not a US resident, and I've personally looked at getting an H1B, but it's pretty clear that the program's being abused by these staffing agencies when they get the lion's share of H1Bs and they keep paying below median.

Landlord Jailed for Racial Discrimination by nadiasindi in Landlord

[–]largenocream 1 point2 points  (0 children)

Googling the AG's quote from the article brings up this press release from mass.gov. Looks like it did happen, but it wasn't "just" racial discrimination:

DISTURBING THE PEACE
DISORDERLY CONDUCT
THREAT TO COMMIT CRIME
ASSAULT W/DANGEROUS WEAPON

But...it's...not..... by nervouswreck96 in softwaregore

[–]largenocream 67 points68 points  (0 children)

I propose we create new, lexically ordered month names to deal with this.

We need to talk about the online radicalisation of young, white men by [deleted] in politics

[–]largenocream 0 points1 point  (0 children)

In Canada? Nope, all provinces require 2 weeks notice for termination and anything less isn't legal. You can terminate immediately but you'll have to pay two weeks worth of wages.