<gchristensen>
"exposed a small amount of user data"
<gchristensen>
sure their repo wasn't that big I guess :P
<LnL>
that's a pretty nasty one
<pie_>
pffff <gchristensen> sure their repo wasn't that big I guess :P
<lrvick>
gchristensen: $200 is insulting.
<lrvick>
Lifesize offered me $200 and wanted me to keep the vulns a secret, and stated they had no intention of fixing them.
<lrvick>
So I took the $200
<lrvick>
then made them public after 90 days of no fix
<lrvick>
;)
<lrvick>
(which, I told them I would)
<pie_>
so they didn't make you sign something? xD
<pie_>
ah well reky
<lrvick>
I would not have signed it. I had the vulns in hand so the only thing stopping me from releasing them was my reputation of responsible disclosure
<lrvick>
I adopt Project Zero's approach
<lrvick>
give vendor 90 days to address their shit. If they don't, go public to protect consumers.
<pie_>
sure
<lrvick>
if people want to send me free money though, great.
<lrvick>
actually it has been over 90 days and Zoom has not fixed any of their 14 vulns I submitted.
<lrvick>
this could be fun
<lrvick>
protip: almost every company either puts all their private keys in git repos as gchristensen experienced, or they just put them right in their binaries
<lrvick>
engineers seem to assume no one knows how to extract files from a binary. that it is encrypted somehow
<lrvick>
sometimes they -do- encrypt them, then put the key in the headers so the system can actually run it...
<LnL>
lol
<lrvick>
I take it back, zoom did fix one of the vulns I submitted. I was able to take over zoom.com because it was registered to the personal email of the CEO, and the security questions for his password reset were found in a combination of the whois record itself, and a podcast he did.
<lrvick>
from there all firmware updates to hardware were unsigned and installed over http. gg
<lrvick>
(the latter is not fixed, and they don't think it is a big deal)
<lrvick>
zoom paid $900 total for the 14 vulns, which would have allowed me to end their company several different ways.
<pie_>
lol you sadist <lrvick> this could be fun
<lrvick>
and this is why it is really really hard to make a living as a pentester
<lrvick>
companies typically don't care about security and they look at pentesters with disdain for creating more work for their engineering team.
<pie_>
"and a podcast he did." wow you are thorough, or did that actually happen by listening to the podcast first
<lrvick>
I needed to know his personal phone number, and home town
<lrvick>
those were the security questions. combine that with no backup email, so it let me choose the email where the reset would be sent to
<pie_>
i mean im not sure id have looked for podcasts
<pie_>
tried to open zoom.com
<pie_>
"Blocked by Content Security Policy
<pie_>
This page has a content security policy that prevents it from being loaded in this way.
<pie_>
Firefox prevented this page from loading in this way because the page has a content security policy that disallows it."
<lrvick>
my dad was a private investigator, and I find most companies can be fully ruined using classic doxing tactics.
<pie_>
lrvick, ah well you have a head start on knowing how to do that stuff xD
<lrvick>
those will often get me past the front door anyway. that and social engineering
* pie_
just stumbles around the internet
<lrvick>
failing those you can use phishing
<lrvick>
odds are one of those gets you past the front door, and with most companies the front door is the last layer of security
<lrvick>
or sometimes there is none at all. I have accessed windows xp cash registers from guest wifi at major resorts. They just #yolo and plug shit in.
<lrvick>
I wish I could say finding security holes is hard. It isn't. It is actually kind of depressing.
<pie_>
it's hard(er?) if you focus only on technical exploits
<pie_>
rce
<lrvick>
for sure. But the problem is you almost never need to resort to those to compromise a company
<lrvick>
don't get me wrong, those are more fun to find
<pie_>
harder to get caught?
<lrvick>
but usually a lot of effort with minimal gain over dumb tactics.
<pie_>
* low risk for the exploiter
<lrvick>
but those are worth it if you need to be very very covert.
<lrvick>
discovering a new 0-day, used correctly, can get you into the server of a major bitcoin exchange.
<lrvick>
transfer funds and go launder yourself an island.
<pie_>
totally not speaking from experience :P
<lrvick>
the thought never crossed my mind.
<lrvick>
honestly though, I am mostly a blue time guy
<pie_>
blue time?
<lrvick>
red team is too easy, and too depressing.
<pie_>
ah
<lrvick>
blue team*
<pie_>
eh could have made sense from the context :P
<pie_>
im too nice to be a blackhat
<pie_>
btw if you ever get rich through totally legitimate means fund my decompilation research ;P
<lrvick>
i was a blackhat as a teenager, but after you are 18 shit gets real.
<pie_>
i didnt know enough to be a blackhat as a teenager
<pie_>
also when was that, early 2000s?
<lrvick>
well I mean, I was a skiddy
<pie_>
hehe
<lrvick>
honestly though, there -are- companies that really care about security and are willing to pay
<pie_>
(ill have to grep the logs and make myself a reminder later before i forget again, was i talking to you about HSMs?)
<lrvick>
which means it is possible to live comfortably and still do security research full time
<lrvick>
without having to risk prison
<lrvick>
I try to push blackhats I encounter in that direction
<lrvick>
blue team is the harder problem
<pie_>
yeah
<pie_>
and i agree based solely on the asymmetry
<lrvick>
pie_: indeed we did talk about HSMs
<lrvick>
that is most of my research these days (and why I don't get as much time as I would like to pursue git signing and other things I care about)
<pie_>
kk
<flokli>
lrvick: oh, these stories about zoom remind me sooo much of the mother company and another company owned by it
<flokli>
I just don't know if it's just a common problem in all larger companies, or if simply everything is broken
<pie_>
flokli, from the general sentiments of people i think it's the latter
* flokli
grows a beard, moves to the forest and chops wood all day
<lrvick>
flokli: from the many dozens of fortune 500 companies I have audited at some level... yes, everything is broken.
<gchristensen>
no doubt
<pie_>
and yet we still can't manage to backdoor windows
<lrvick>
you can't?
<lrvick>
it is pretty easy
<lrvick>
lol
<lrvick>
plug in a usb type c charger
<lrvick>
with some extra ingredients
<lrvick>
boom. pwned
<lrvick>
if you control someone's usb charger cable, you can generally backdoor their machine regardless of OS.
<lrvick>
such a device can pretend to be usb speakers and record audio, pretend to be a thunderbolt device and take screenshots, pretend to be a keyboard and inject keystrokes to install a backdoor. Pretend to be a flash drive and get people to accidentally save sensitive files to it instead of the one they meant to. Or it can do a PCILeech-style DMA attack and kill the lockscreen process, or sniff memory for
<lrvick>
the full disk encryption key.
<pie_>
whelp, i've got a lot to learn.
<gchristensen>
flokli's advice was the best advice of course
<lrvick>
and most of these attacks can be done with a tiny stm32 microcontroller embedded inside your usb cable. If you want to backdoor lots of companies in a big tech area, just buy a bunch of cables, mod them, return them.
<lrvick>
they go back on the shelves and make their way into major companies as charger cables and keyboard cables
<lrvick>
aaaaaand rekt
<lrvick>
gchristensen: that everything is broken?
<lrvick>
lol
<flokli>
lrvick: that it's best to grow a beard and chop wood
<lrvick>
Oh, lol. Well actually solving for all these exact classes of problems is my job. I got bored in most other areas of tech
<lrvick>
this is the one area I know I will never be an expert in. it is the gift that keeps on giving
<lrvick>
(not "the one" but "one")
<flokli>
lrvick: if people would hear your voice and actually change things, it could help. but currently it's just preaching to a horde of sheep that don't know better and don't want to learn either
<gchristensen>
baa
<flokli>
gchristensen: ssshh
<lrvick>
flokli: oh I found an area people care about.
<lrvick>
like it or hate it: companies that support cryptocurrency are -terrified- of being hacked
<flokli>
latest madness: people uploading private ssh keys into jira. and totally fine with that, as they "encrypted" it with base64. at this point, I considered just running away
<lrvick>
and have no problem building things to NSA tempest standards to stop side channel attacks, and have plenty of money to spend on any security measure that is of > 0 reduction in attack surface.
<lrvick>
I intentionally sought out cryptocurrency companies to work for, because they are happy to pay for R&D to defend against not-yet-discovered 0days.
<gchristensen>
it is so true :')
<pie_>
huh.
<flokli>
yes, but that's again people just being afraid of getting money stolen, because it already happened. why can't we just have some basic sense and care of security by default?
<pie_>
oh irony.
<pie_>
if you wanna do cool shit go work for cryptocurrency
<lrvick>
humans only make change as a response to fear
<flokli>
it's so sad.
<lrvick>
It is why the only way to curb smoking that worked was put pictures of horrific cancer on the cig packs.
<lrvick>
you can't force people to do better, but you can scare the shit out of them until you get their attention.
<lrvick>
some people anyway
<flokli>
hmm
<flokli>
I do have this kind of bad feeling, preventing me from doing stupid stuff "just because people won't notice and it's easier to go that way"
<flokli>
but I very often feel pretty alone with that
<flokli>
¯\_(ツ)_/¯
<lrvick>
My social engineering and pyssec experience mostly came from me being broke as a kid and wanting to get into concerts and amusement parks for free.
<lrvick>
100% success rate.
<flokli>
so fear isn't the only way to get people motivated ;-)
<lrvick>
well to -attack- one needs to be motivated by desire.
<lrvick>
to -defend- one needs to be motivated by fear
<lrvick>
most CEOs I talk to say "we have not had to invest more in security before, and we have not been hacked yet"
<lrvick>
mostly survivor's bias
<flokli>
what about satisfying curiosity?
<lrvick>
most of those same companies get hacked. Most of the hacks don't
<lrvick>
go public*
<lrvick>
flokli: I mean, that is the reason I did it as a teen. I had the -desire- to amuse myself.
<flokli>
and you were curious if it would work like this ;-)
<lrvick>
fair fair.
<lrvick>
but I think people like us that can talk about attack and defense for fun... are not representative of company owners.
<flokli>
right
<flokli>
when getting an email asking me for a bid on an upgrade to business class for my nixcon flight, I was also curious whether the form would do server side validation of the minimal bid price. turns out it didn't :-D
<lrvick>
+1
<flokli>
is that attacking? or just play instinct?
<flokli>
or satisfying curiosity?
<flokli>
wanting to figure out if the software is as crappy as most of the stuff out there?
<pie_>
pyssec?
<pie_>
oh physsec
<lrvick>
phys-sec. Physical security
* lrvick
can type sometimes
<lrvick>
My favorite are HID cards. most offices use them. stupidly easy to clone with $5 in hardware :D
<lrvick>
wander around big silicon valley offices with no one calling me out on it.
<pie_>
im probably too old to learn SE by sneaking into concerts?
<pie_>
man shit i dont even know how concerts work
<pie_>
xD
<flokli>
me neither
<pie_>
i think they had rfid wristbands at some multi-day thing here
<pie_>
not sure
<pie_>
all the easier? :P
<lrvick>
I bought every type of wrist band I could find.
<lrvick>
I keep a bag with a few of every major type
<pie_>
well that's beside the point though, because it's not SE
<lrvick>
venues rarely use custom ones
<pie_>
sure, kind of thought of that
<lrvick>
it is SE. you are exploiting that the humans will blindly authenticate you based on a wrist band color, instead of a person.
<pie_>
well these days you do get custom cloth wristbands relatively often? but matching the rough color might be good enough
<lrvick>
yep
<lrvick>
I actually got into this because I was a magician. It turns out hacking human brains is generally pretty easy.
<lrvick>
magic is mostly phishing and social engineering.
pie_ has quit [Remote host closed the connection]
<lrvick>
whelp bye
pie_ has joined #nixos-security
* lrvick
stops procrastinating and looks at pile of PRs