--- Log opened Fri May 25 00:00:10 2018
06:31 -!- Dolemite^ [a05bdbc9@gateway/web/freenode/ip.160.91.219.201] has joined #se2600
06:31 -!- mode/#se2600 [+o Dolemite^] by ChanServ
06:31 <@Dolemite^> mr0ning, be0tches and h0ez!
07:03 * aestetix hugs Dolemite^
07:15 <@Dolemite^> Wow, Weinstein actually got arrested
07:21 < aestetix> woohoo
07:21 < aestetix> maybe this will inspire some of the future victims to go to the police rather than the pres
07:21 < aestetix> press
07:56 <@Corydon76> Especially since going to the pres is likely to get them grabbed in the pussy
08:00 < aestetix> heh
08:05 < aestetix> I do think society should be encouraging more women to go to the police though
08:05 < aestetix> And not the press, and not staying silent.
08:27 <@Corydon76> We'd have to notably improve police response times to complainants. When I went in to make a complaint, it was structured in a way to get people to go away.
08:28 <@Corydon76> They lead you to a room where they're going to take your complaint, and then you wait 2 hours while they try to find the right officer to take your complaint.
08:29 <@Corydon76> Efficient, they are not.
08:29 <@Corydon76> And when Peaches went into the hospital recently, same complaint. Yes, they have all sorts of tests and fancy equipment, but if they miss something, they'll get around to it the next day. Maybe.
08:34 < aestetix> This is a reasonable complaint. How would you address it though?
08:34 < aestetix> Increase the number of police officers on staff? have some form to fill out and then leave? for something like this, that seems rather impersonal
08:35 < aestetix> plus I would hope that you need a police officer with specialized training to handle those issues
08:37 < aestetix> depending on how the city works, that might either require appropriations from the city council, or an increase in taxes
08:37 < aestetix> Or maybe they are well staffed and just lazy.
10:14 <@Corydon76> Or maybe cross train their officers, so that there is more than one person in a station who can take a complaint.
10:19 < aestetix> that would work too
10:24 <@Corydon76> But honestly, I think it's on purpose. The whole point is basically to impress upon people that legal action is a giant PITA to all parties, so don't make a complaint unless you really think it's worth all the trouble.
10:25 < aestetix> Ok, I can give a personal example now
10:25 < aestetix> The nonsense that has invaded hacker conferences is really, really trying.
10:26 < aestetix> Having personally worked for hours to write a CoC that was ignored, and then working for dozens more hours to set up a CoC support team, hotline, and system that was not ever used
10:26 < aestetix> So I'm not in favor of solutions looking for problems :)
10:26 <@Dolemite^> CoC - Don't be an ass. Done.
10:26 < aestetix> ^
10:26 < aestetix> absolutely
10:26 < aestetix> and if you are an ass, the security can and will kick you the fuck out
10:27 <@Dolemite^> Addendum - If you are called out for being an ass, admit it, and apologize, if warranted. If you're a horrendous ass, be prepared to be evicted.
10:27 < aestetix> sure
10:28 < aestetix> Also, if there is a disagreement during the CoC writing process, don't call the person you disagree with awful names and then emoquit
10:28 < aestetix> Or dismiss their criticism as "well, we can do that next time"
10:28 <@Dolemite^> That, in itself, is being an ass, and a violation of the CoC.
10:29 < aestetix> And if you try to file a complaint, and are asked for details such as "what did they do specifically" and you can't say what they did, then don't be surprised if they tell you to go bother someone else
10:29 < aestetix> or time and date, who was involved, etc
10:29 < aestetix> ok, ending personal rant on the topic now :)
10:30 < aestetix> (acceptable specific details include "they touched me without consent" or "they said this to me")
10:31 < aestetix> and for the record, none of what I just said is hypothetical.
10:32 <@Dolemite^> The convention organizers are not the police. Don't expect them to act as such.
10:32 < aestetix> Yep.
10:32 < aestetix> And when they tell you to go bother someone else, do not proceed to write an inflammatory blog post and share it on twitter
10:33 <@Dolemite^> Ok, I'm done with my half day of "work". I used quotes, because I got to the office and all of our internal networking is down. Internet works, but nothing internal. So, nothing accomplished at all today that's work related.
10:33 < aestetix> I'm actually hoping twitter refuses to comply with GDPR so that it can get blocked in Europe
10:34 <@Dolemite^> I did get 3 new Cub Scouts added in to our online achievement tracking system this morning. Now that school's out AND girls can join, I'm getting lots of interest.
10:34 <@xray> kind of hard to block EU people due to traveling to other countries, proxies, and VPNs.
10:34 < aestetix> xray: i'll settle for it being blocked on a dns level in various countries
10:35 <@xray> That would certainly push "pain" to a great number of EU people.
10:35 <@Dolemite^> https://slate.com/technology/2018/05/how-to-view-your-timeline-from-10-years-ago-on-twitter.html
10:35 < PigBot> How to view your timeline from 10 years ago on Twitter. (at slate.com) http://tinyurl.com/ya4q58b3
10:35 <@Dolemite^> Well, that's not the article headline. :P
10:35 <@xray> but wouldn't necessarily protect a company from GDPR compliance.
10:35 < aestetix> xray: and take a great deal of pain away from me
10:35 <@xray> It will be interesting to see how this settles out
10:36 <@Dolemite^> "We Went Back in Time to 2008 and Twitter Was Strangely Pleasant There"
10:36 < aestetix> you mean when it was up?
10:39 <@Dolemite^> I've never taken a liking to Twitter. Call me an old fart all you want, but it's never been more than narcissists and brick walls yelling at each other.
10:39 < aestetix> As a sidenote to the previous rant, I find it amusing how so many self-proclaimed postmodernists (who claim to abhor rules and structure) love imposing rules and structure on others.
10:39 < aestetix> Dolemite^: depending on where you lived, it used to be really useful
10:39 < aestetix> I used to use it to find out about cool events and projects
10:40 <@xray> social media is an OPSEC failure looking for a place to happen
10:40 < aestetix> But now it's just a toxic cesspool
10:40 <@Evilpig> what social media isn't?
10:40 <@xray> exactly
10:40 <@Evilpig> there are very few forum examples that aren't either
10:40 < aestetix> uhhh
10:40 < aestetix> hmm
10:40 < aestetix> If your point is that the internet sucks now, I would agree. :(
10:40 <@Evilpig> just check the comments on any site that are open to the public.
10:40 -!- Dolemite^ [a05bdbc9@gateway/web/freenode/ip.160.91.219.201] has quit [Quit: Page closed]
10:41 <@xray> The internet is fine, people using it . . . that is a different matter
10:41 < aestetix> xray: good point
10:41 <@Evilpig> it isn't the internet directly, people got used to the semi-anonymity and the luxury of saying whatever stupid thing was in their drug addled brains.
10:42 < aestetix> The funny part is there is a culture battle going on right now. There is a whole generation of people who basically use Facebook for everything
10:42 <@Evilpig> the internet is just the highways pre-drivers licenses
10:42 < aestetix> They have a radically different experience than those of us who only use IRC
10:43 <@Evilpig> hell even this channel is toxic at times. maybe so even the majority of time
10:44 < aestetix> Evilpig: compared to any given subreddit?
10:44 <@xray> What happened to the right to just ignore a post?
10:44 < aestetix> xray: depends on what the consequences of a post being up are
10:45 <@xray> When did it become the thing to force the other person to stop talking?
10:45 <@xray> wimps
10:45 < aestetix> If a post goes up and you lose your job because of it, that's bad.
10:45 <@xray> What we say in public can get a reaction from those around us.
10:46 <@Evilpig> case in point me in gatlinburg last weekend listening to watsky's "hey asshole" going down main street
10:46 <@xray> but that is not the same thing as Government suppressing speech.
10:46 <@Evilpig> several of those people were _NOT_ amused
10:47 <@xray> Which part of freedom of association do people not understand?
10:47 <@xray> I can't force you to associate with me only on my terms. That is not what it means.
10:48 <@xray> If I'm a jerk, it has consequences.
10:48 <@xray> People stop associating with me.
10:48 <@xray> The process is dynamic.
10:49 <@Corydon76> Explain trolls, then. The more they are jerks, the more popular they become. Milo took being a jerk to political fame.
10:49 <@xray> On a completely different note: I find the GDPR opt in emails funny because they are unsolicited and therefore a violation of GDPR.
10:50 <@xray> Spammers have never been known for their intellectual prowess.
10:51 < aestetix> Corydon76: and then totally squandered it all.
10:51 <@xray> Don't mistake noisy for popular
10:51 <@Corydon76> Look again. He's still popular.
10:52 <@xray> So how many of the 7 billion on the planet have never heard of him
10:52 <@xray> I question the definition of popular in this contect
10:52 <@xray> context
10:52 <@Corydon76> xray: probably about the same number who have never heard of Beyonce.
10:52 < aestetix> I had some interest in Milo, and then I read his book
10:52 < aestetix> Well, "read"
10:53 < aestetix> Because Simon and Schuster included the entire thing in their response to his lawsuit
10:53 <@xray> She's a singer, known for "explicit dancing" during her shows?
10:53 <@xray> that's about as much as I know and not from watching
10:53 < aestetix> I noticed two things. First, the book was incredibly poorly written. Second, it didn't contain any of the things he'd claimed it would in his public ramblings.
10:53 <@Corydon76> I think she was also the lead singer in Destiny's Child.
10:54 <@xray> I would be hard pressed to recognize one of her songs as belonging to her.
10:54 < aestetix> I think I read two or three chapters before I tossed it down as a piece of garbage
10:54 <@Corydon76> xray: My Hump?
10:54 < aestetix> His book was about on the level with The God Delusion, which is also an uninspired piece of trash.
10:54 <@xray> Corydon76: What does that mean?
10:54 <@xray> never heard of it before
10:55 <@Corydon76> It's a song. The tune was infectious, even if the lyrics were boring and uninspired
10:55 <@xray> I have way too many things that need hacking to deal with what is "popular" and typically inane.
10:56 <@xray> Corydon76: Ah. That would explain why I haven't heard it.
10:56 <@Corydon76> Oh, wait, that was Black Eyed Peas
10:56 <@xray> Speaking of hacking, have you seen this? https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/
10:56 < PigBot> Z-Shave. Exploiting Z-Wave downgrade attacks | Pen Test Partners (at www.pentestpartners.com) http://tinyurl.com/yc9zvual
10:57 <@xray> This is quoted in the article: "We were fascinated to see reference to a “S0 downgrade attack” in Z-Wave documentation, suggesting that it may be a known issue but has not been acknowledged or resolved"
10:57 <@xray> TL;DR If you have a Zwave lock on your house, you're pwned
10:57 <@xray> even if it supports S2
10:57 <@Corydon76> Not really. It's only there in pairing mode
10:58 <@Corydon76> So you need physical access to the device in order to pwn it.
10:58 <@xray> yes but the article talks about forcing repairing
10:58 <@xray> No. RF access
10:58 <@xray> Directional antenna works just fine
10:59 <@xray> I expect there will eventually be a portable tool that will let you walk up to a Zwave lock, push the button, and open says me.
10:59 <@xray> Typical IoT garbage security and they knew it when they built it.
11:00 <@Corydon76> Uh, second to last paragraph. You have to be present during pairing
11:00 <@xray> I think I've had enough caffeine for today
11:00 <@xray> Yes but if you can force repairing then . . .
11:00 <@Corydon76> Once you're paired, the depairing process is complex
11:01 <@Corydon76> You still need physical access in order to put the device into pairing mode
11:01 <@xray> That is what software is for, making the complex a push of a button
11:01 <@xray> Actually, that remains to be seen
11:01 <@xray> Also I can do a drop device and just wait for a pairing event.
11:02 <@Corydon76> In normal operation, it's not in pairing mode, so unless you have the network key, you're not going to be able to depair the device in order to repair it.
11:02 <@Corydon76> I have some experience with ZWave devices. They are incredibly obstinate in trying to get them into pairing mode.
11:03 <@Corydon76> I had to remove them from my home network in order to upgrade firmware recently
11:04 <@Corydon76> Speaking of which, I still have 1 to do
11:05 <@xray> The article said they are still investigating de-authenticating a device in order to force repairing.
11:05 <@Corydon76> Right
11:06 <@Corydon76> Still investigating, as in, they don't know if they can, but if they could, it might be a problem.
11:07 <@Corydon76> And yeah, if they could, it might be a problem. Absolutely. It's kind of like saying, if I throw this crafted packet at an Apache server and it starts passing me internal data, it could be a problem, but we can't get Apache to do that yet.
11:08 <@xray> The question is what is the likelihood of finding a way.
11:08 <@Corydon76> That value is as yet undetermined.
11:09 <@xray> It also is troubling that they knew about the downgrade attack when they initially built it.
11:09 <@Corydon76> But I'd say it's fairly low, in that they've tried, and failed, but haven't gone to exhaustive lengths yet.
11:09 <@Corydon76> Uh, I think you mean they knew about the downgrade attack when they built the latest generation
11:09 <@xray> yes
11:10 <@Corydon76> Downgrading the protocol is generally one of those things they do in a transitional period in order to allow compatibility with earlier products
11:10 <@Corydon76> i.e. let ZWave+ work with ZWave.
11:10 <@xray> And Z-Wave is only one of thousands of IoT device/protocols
11:10 <@Corydon76> ZWave isn't an IoT device
11:11 <@xray> Correct
11:11 <@xray> it is an IoT enabler technology
11:12 <@Corydon76> If you mean that it may connect to an IoT device, well, yeah, but that's true of basically anything.
11:13 <@xray> I mean it is targeted and remotely gluing together IoT devices via RF
11:13 <@xray> so if it has a security problem then so does every IoT device that uses it.
11:13 <@Corydon76> No, it's a leaf technology
11:14 <@xray> So you are saying that it doesn't allow communication with IoT devices?
11:14 <@xray> that incorporate Z-Wave?
11:14 <@Corydon76> I've never seen it connect any IoT together. It can connect to an IoT device
11:15 <@Corydon76> But generally the IoT device is a hub, not a leaf in the ZWave network
11:15 <@xray> So the IoT device can somehow magically talk Z-Wave without incorporating any of the Z-Wave technology? That is a good trick.
11:16 <@Corydon76> You specifically talked about connecting IoT devices together.
11:16 <@Corydon76> That's a different thing altogether
11:16 <@xray> Leaf, hub, doesn't really matter. If the communication protocol is vulnerable then any device using it becomes vulnerable.
11:16 <@Corydon76> Now you're hand-waving.
11:16 <@xray> If that is the front door lock on your house, that is a problem
11:16 <@Corydon76> Yeah, if they find a vulnerability. THEY HAVEN'T.
11:17 <@Corydon76> They found a downgrade vuln when the device is in pairing mode, which is only true when you initially set up the device
11:17 <@xray> a down grade attack is a vuln
11:17 <@Corydon76> ONLY during setup
11:18 <@xray> This is true of ssh keys as well, If I say yes during the setup. But I can exchange the key out of band and prevent it. Is this also true with Z-Wave.
11:18 <@Corydon76> It's kind of like saying that a device out of the box is vulnerable because it has a default password. If it then forces you to change the password, then it's only vulnerable if you can get physically close and perform a factory reset. SO WHAT?
11:19 <@xray> Since this is a well known potential exploit (ssh key exchange) you would think they would have planned for that.
11:19 <@Corydon76> See it initially? We're talking about devices that have no screens whatsoever and which are controlled by a central hub
11:19 <@xray> I don't agree with your analogy.
11:20 <@xray> If you have physical access there is no security.
11:20 <@xray> So only allowing pairing via a cable plugged into the hub would have solved that problem
11:21 <@Corydon76> xray: So if I have physical access to your servers, and I can get in with a USB key by rebooting it, none of your servers are secure.
11:21 <@xray> correct
11:21 <@Corydon76> Yeah.
11:21 <@xray> The issue is when you use RF and physical access becomes a moot point
11:22 <@Corydon76> Not in this specific case.
11:22 <@xray> If a device is going to use RF then it takes a lot more care.
11:22 <@Corydon76> Because you need physical access to put the machine into a vulnerable state
11:22 <@Corydon76> It's EXACTLY the same as rebooting your server with a USB key
11:22 <@xray> But that state can be compromised remotely
11:22 <@Corydon76> No, it cannot
11:23 <@xray> the server can not
11:23 <@Corydon76> The ZWave device cannot
11:23 <@xray> which part of downgrade during pairing via RF did you not understand
11:23 <@xray> that is a remote attack
11:23 <@Corydon76> WHICH PART OF NEEDING TO PUT IT IN PAIRING MODE (ESSENTIALLY REBOOTING) DID YOU NOT UNDERSTAND?
11:23 <@xray> I don't need to do it, I just have to wait for you to do it.
11:24 <@Corydon76> Good luck waiting
11:24 <@xray> If I reboot my server, you will not get access via RF
11:24 <@Corydon76> After setup, you never do.
11:24 <@xray> I don't need to, That is why I use a drop device.
11:24 <@Corydon76> If I cut the power, it doesn't go into pairing mode when I restore power.
11:24 <@xray> Unless it loses its mind and needs to be repaired.
11:24 <@xray> I will admit this is a targeted attack for now
11:25 <@xray> And not the provenance of the typical burglar
11:25 <@Corydon76> Yeah, you need physical access. With physical access, virtually every device, including otherwise secure servers are vulnerable. DUH!
11:26 <@xray> Going back to what you said earlier. If they can figure out a way to remotely force deauth, there will be an issue.
11:26 <@Corydon76> Hypothetical
11:26 <@xray> I don't agree with your analogy
11:27 <@xray> If I boot my server (physical access) you don't magically get remote access.
11:27 <@Corydon76> Hypothetically, if I can figure out how to compromise your SSL certificates, there will be an issue with your server
11:27 <@Corydon76> If I cut the power to a ZWave device and restore it, it doesn't go into pairing mode, either
11:28 <@xray> If I physically set my device for pairing, with this attack, an attacker could get remote access without physical access. So the scenarios are not the same.
11:28 <@Corydon76> You have to use the specific sequence on a switch to get it into pairing mode
11:28 <@Corydon76> xray: how many ZWave devices do you have?
11:28 <@xray> When you say switch, you are talking about a physical button on the device?
11:28 <@xray> None yet.
11:28 <@xray> If I get one it will be to test security
11:29 <@Corydon76> Get one. Try it. I'd like you to be on the same wavelength. I have a dozen. You're talking out of your ass right now.
11:29 <@xray> I have a deep distrust of IoT
11:29 <@Corydon76> It's not IoT
11:30 <@xray> I agree Z-Wave is not IoT, it is an IoT enabling RF technology.
11:30 <@Corydon76> You have a deep distrust of a related tech, so you refuse to learn, and instead you're talking out of your ass about hypotheticals
11:30 <@xray> So IoT devices are built using it
11:30 <@Corydon76> Which means this is a pointless argument. You're arguing from ignorance
11:30 <@xray> That is an interesting assertion.
11:31 <@xray> Given my background.
11:31 <@Corydon76> Dunning-Kruger. You don't know what you don't know.
11:31 <@xray> Not what I was referring to
11:32 <@xray> Funny you should mention that
11:33 <@xray> You have me thinking about putting Z-Wave on my list of things to investigate
11:34 <@xray> I'll have to think about that as I have quite a few other projects in the works.
11:34 <@xray> One of which is root access on cable modems
11:35 <@Corydon76> Whether you investigate it or not is not what I'm saying. But if you want to argue about it, the least you can do is to inculcate yourself with some experience working with it.
11:35 <@xray> It can be done easily via the admin web interface. I need to look into doing it from the Cable side.
11:36 <@xray> Not sure I want to build the simulator for the RF
11:37 <@xray> I'm also working on some Bluetooth active and passive hacking.
11:37 <@xray> It's not looking good for Bluetooth
11:39 <@xray> Then there is KRACK. Which is going to be around for a long time given there are several billion Android devices out there that will never be patched.
11:39 <@ezelkow1> weee, https://github.com/apache/trafficserver/compare/master...ezelkow1:cf_core
11:39 < PigBot> Comparing apache:master...ezelkow1:cf_core · apache/trafficserver · GitHub (at github.com) http://tinyurl.com/ydepnzv7
11:39 <@xray> All that to say, I have a full plate of RF remote hacking issues already being worked on.
11:39 <@ezelkow1> making the internet better one PR at a time
11:48 <@ezelkow1> hoping that that right there will save some companies origin servers
13:23 <@Corydon76> https://mailchi.mp/dee228011706/we-thought-about-updating-our-privacy-policy-but-didnt?e=fe76325592
13:23 < PigBot> We thought about updating our privacy policy, but didn't (at mailchi.mp) http://tinyurl.com/ya32udqf
15:43 < dasunt> About 6 weeks ago, I crushed my finger slightly while moving the clothes washer.
15:44 < dasunt> I could straighten it and bend it, and it didn't look too bad, so I figured I had a sprain. Last week, I went to a doctor because the swelling didn't go down, and they sent me to a specialist today.
15:45 < dasunt> Specialist was amazed I could straighten my finger at all. She showed me pictures of what it should look like - the bone is broken, and I shouldn't be able to extend the tip of my finger.
15:45 < dasunt> I told her that if my finger looked like the examples, I'd have been in there ASAP.
16:11 -!- sync350 [~sync@c-24-30-62-194.hsd1.ga.comcast.net] has joined #se2600
16:11 -!- mode/#se2600 [+o sync350] by ChanServ
23:21 -!- sync350 [~sync@c-24-30-62-194.hsd1.ga.comcast.net] has quit [Ping timeout: 248 seconds]
--- Log closed Sat May 26 00:00:11 2018