[03:36:13] *** Quits: r0bby (sid699@guifications/user/r0bby) (Ping timeout: 250 seconds)
[03:36:13] *** Quits: magically (sid85402@gateway/web/irccloud.com/x-gfubkmslmxymgucg) (Ping timeout: 250 seconds)
[03:36:39] *** Quits: iangcarroll (uid74403@gateway/web/irccloud.com/x-nwimogonnuwuhdoa) (Ping timeout: 268 seconds)
[03:42:24] *** Joins: r0bby (sid699@guifications/user/r0bby)
[03:44:15] *** Joins: iangcarroll (uid74403@gateway/web/irccloud.com/x-lswsimgluxhukndr)
[03:45:05] *** Joins: magically (sid85402@gateway/web/irccloud.com/x-vjlneahovpeptngw)
[15:00:13] *** Quits: robbyoconnor (~wakawaka@guifications/user/r0bby) (Ping timeout: 252 seconds)
[16:10:41] <gsingh93> TIL the OpenSSL MD5 implementation is written in assembly that gets generated by perl
[16:11:08] <iangcarroll> sounds like openssl
[16:11:09] <iangcarroll> lol
[16:11:28] <gsingh93> lol
[16:11:29] <iangcarroll> i think they still have code for some computer system that's like 20 years old in their repo
[16:11:41] <iangcarroll> yeah, VMS
[16:11:41] <gsingh93> it's like 4-6 times faster than a C implementation
[16:12:23] <iangcarroll> wow, VMS is actually still developed
[16:13:24] <Clinteger> of course it is
[16:14:11] <iangcarroll> why do you say that?
[16:14:15] <iangcarroll> assuming not sarcastic
[16:15:45] <gsingh93> i'm assuming sarcastic
[16:16:18] <Clinteger> oh no it wasn't sarcastic
[16:16:24] <gsingh93> oh, lol
[16:16:37] <gsingh93> wait, was that sarcastic?
[16:16:45] <Clinteger> it wasn't
[16:16:47] <gsingh93> ok
[16:16:50] <gsingh93> wait...
[16:16:53] <iangcarroll> but... was that sarcastic?
[16:17:07] <iangcarroll> lol
[16:17:08] <Clinteger> so, i spent last summer in wisconsin at Epic, and they use MUMPS, which usually runs on an implementation called Caché, which runs on OpenVMS
[16:17:38] <iangcarroll> epic... games?
[16:17:42] <Clinteger> that said, support is being discontinued and HP isn't supporting it past 2020
[16:17:46] <Clinteger> no iangcarroll
[16:18:07] <iangcarroll> wikipedia says they sold the development rights
[16:18:09] <Clinteger> they do healthcare IT stuff
[16:18:13] <iangcarroll> ah
[16:18:21] <gsingh93> wow
[16:18:35] <gsingh93> that's horrible
[16:18:40] <Clinteger> which part?
[16:18:42] <Clinteger> or just, all of it
[16:18:58] <gsingh93> the fact that ancient operating systems are still in use
[16:19:05] <Clinteger> well, ~lol healthcare~
[16:19:07] <iangcarroll> let's rewrite it all in PHP
[16:19:10] <gsingh93> kevin fu's done a lot of research on the state of security in healthcare
[16:19:11] <iangcarroll> i know gsingh93 will be on board
[16:19:16] <gsingh93> it's pretty terrifying
[16:19:25] <iangcarroll> s/in healthcare/
[16:19:25] <yossarian-bot> iangcarroll probably meant: i know gsingh93 will be on board
[16:20:37] <Clinteger> is it really that bad gsingh93 ?
[16:20:43] <gsingh93> Clinteger: yup
[16:20:57] <gsingh93> i forget the details (this was a few years ago when he talked about it)
[16:21:05] <Clinteger> i'm not super surprised, but Epic loved to say "our customers have never had a data breach"
[16:21:08] <gsingh93> but essentially there are tons of medical systems with 0 authentication
[16:21:21] <gsingh93> things where you could easily get in and kill someone
[16:21:32] <iangcarroll> that pacer vuln was pretty bad
[16:21:38] <gsingh93> it's not as profitable as spam though
[16:21:58] <Clinteger> i mean, I think it's about comparable to the state of "lol IoT" things
[16:22:08] <gsingh93> yea, but this is life threatening
[16:23:14] <Clinteger> I don't know anything about his research
[16:23:20] <Clinteger> but did he focus on like, medical devices mostly?
[16:23:26] <gsingh93> i think so
[16:23:45] <Clinteger> because i only know stuff about the electronic medical records systems :p
[16:23:57] <gsingh93> nah, i think this was devices
[16:25:25] <Clinteger> yea I am not at all surprised those are insecure
[16:25:41] <Clinteger> why would hardware companies employ competent software people? that's not what they're in the business for
[16:25:49] <gsingh93> lol
[16:25:51] <gsingh93> yea
[16:26:26] <gsingh93> travis (works under halderman) found some buffer overflows through the web UI for some hardware company
[16:26:28] <gsingh93> i think AMD?
[16:26:31] <gsingh93> i have no clue actually
[16:26:35] <gsingh93> but they had some web interface
[16:26:45] <gsingh93> and there was like a password buffer overflow in the login
[16:26:47] <gsingh93> like wtf
[16:27:18] <Clinteger> I mean, you heard about the grub bug
[16:27:25] <iangcarroll> lol
[16:27:31] <Clinteger> where you could just press backspace enough times
[16:27:37] <gsingh93> lmao
[16:27:39] <gsingh93> yea
[16:28:45] <iangcarroll> http://bluephantommarketing.com/ such an amazing website
[16:28:46] <yossarian-bot> Title: Blue Phantom Marketing, LLC
[16:28:51] <gsingh93> i remember a few months ago i exploited a format string vuln through a web UI
[16:28:56] <gsingh93> for a CTF problem
[16:29:00] <gsingh93> that was awesome
[16:30:13] <Clinteger> or what about the not-at-all-a-ctf where beta.facebook.com didn't rate limit password reset stuff?
[16:30:22] <Clinteger> nobody is safe, software is horrible, and we're all going to die eventually
[16:31:10] <gsingh93> lol, that's somewhat true
[16:31:14] <gsingh93> software is horrible
[16:31:19] <gsingh93> but some is more horrible than others
[16:31:34] <gsingh93> that's what keeps some companies afloat
[16:32:37] <gsingh93> i.e., if things were really that bad, companies like facebook wouldn't exist
[16:32:47] <gsingh93> we do a pretty good job of keeping data safe
[16:33:13] <gsingh93> whereas there are tons of other companies that still use plaintext passwords :/
[16:33:28] <Clinteger> that just baffles me
[16:34:10] <gsingh93> i got an email recently from capitol one telling me that "if my password didn't have enough numbers and special characters, they'd force me to change it"
[16:34:12] <gsingh93> lmao
[16:34:37] <iangcarroll> you can calculate that and do hashing though
[16:35:01] <iangcarroll> just store length + num of special chars + num of numbers
[16:35:04] <gsingh93> so, even if you could do that, it's still not good to store metadata about passwords
[16:35:16] <iangcarroll> google stores password strength and their length for google apps customers (and presumably everyone)
[16:35:29] <gsingh93> well, occam's razor applies here
[16:35:37] <gsingh93> this is a company that got hacked in the first place
[16:35:40] <iangcarroll> true, it would make it easier to attack weaker ones
[16:36:07] <iangcarroll> and yeah
[16:36:08] <gsingh93> let's say they do hash the metadata, it'd be trivial to figure out it in most hashing schemes they'd probably use
[16:36:30] <Clinteger> wtf I thought capital one was reasonably technically competent
[16:36:31] * iangcarroll is not saying it's the best idea :p
[16:36:39] <Clinteger> they sponsor hackathons a lot, put a lot into hiring tech people
[16:36:48] <gsingh93> lol
[16:36:49] <iangcarroll> they sponsor them today
[16:37:02] <iangcarroll> their system was probably built decades ago
[16:37:06] <Clinteger> they invited me to an onsite interview
[16:37:23] <gsingh93> ask them about their password hashing scheme :P
[16:37:25] <Clinteger> and i've never spoken to anyone from there, and I applied like 6 months ago
[16:37:41] <Clinteger> so like, interview season is kind of over and I committed to something months ago :|
[16:38:29] <iangcarroll> i'll take your interview :p
[16:38:29] <Clinteger> the whole thing was just super weird lol
[16:38:50] <Clinteger> it was like, "email us back with which of these days you want to interview! hurry because they fill up fast!"
[16:39:03] <Clinteger> so i think if you didn't reply in time it'd be like "oh well, better luck next interview season"
[17:03:53] <sivoais> https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments
[17:03:53] <yossarian-bot> Title: Add Reactions to Pull Requests, Issues, and Comments · GitHub
[17:07:59] <Clinteger> :S how do you tell if a startup is legit
[17:08:14] <Clinteger> and that by working there you aren't going to be wasting your time
[17:13:18] <Clinteger> i may or may not be panicking about my own life
[17:13:59] <iangcarroll> ayy
[17:14:11] <iangcarroll> not in reply to you clint :p
[17:15:04] <iangcarroll> in reply to you though, look at the people behind said startup? and make sure they have a legit product w/ a plan they're building that makes sense?
[17:15:28] <sivoais> You can probably look up the people that work there on LinkedIn
[17:15:39] <sivoais> see how involved they are in the community
[17:18:04] <Clinteger> "the community"?
[17:18:09] <Clinteger> what if they don't have a consumer-facing product?
[17:18:26] <sivoais> nah, I mean the developer community
[17:18:34] <Clinteger> in what way?
[17:18:45] <sivoais> as in, do they go to meetups and conferences and share their knowledge?
[17:19:27] <Clinteger> so, that seems to indicate that they might be "nice people" who care about their community
[17:19:28] <sivoais> do they blog or work on FOSS
[17:19:51] <Clinteger> no, they just release press announcements about funding
[17:20:21] <sivoais> yeah, working with the community tells you a lot about the environment for learning
[17:20:39] <sivoais> because you could get stuck in a place with huge technical debt
[17:20:46] <Clinteger> i think they have weekly "knowledge sharing" things on fridays
[17:20:59] <sivoais> startups are known for technical debt because they need to move quickly
[17:21:37] <Clinteger> hmm
[17:21:45] <Clinteger> it seems actually they participate quite a bit in meetups
[17:22:02] <Clinteger> that's a good sign i guess
[17:22:56] <sivoais> yeah, so find out how they do testing and refactoring
[17:23:15] <sivoais> and their code review process
[17:23:35] <Clinteger> yea i did ask about that in one of my interviews
[17:23:38] <Clinteger> it seems pretty solid
[17:23:54] <Clinteger> since they're also in healthcare stuff, it's taken pretty seriously
[17:24:05] <Clinteger> because like someone was saying earlier, people could die |:
[17:24:14] <sivoais> take that all with a grain of salt... I've only worked in a research and FOSS environment, but I tried to do things properly
[17:24:25] <sivoais> Oooh, I'm interested in healthcare
[17:24:33] <Clinteger> yea me too :p
[18:03:37] <sivoais> So with GitHub, if they implement sort by +1, we can have GitHub issue voting
[18:21:56] <woodruffw> one of my biggest gripes with github is that you can't choose the repos featured on your homepage
[18:23:55] *** Joins: DarkNova (~DarkNova@146.229.255.21)
[18:52:06] <gsingh93> sivoais: how likely is that to happen?
[18:52:19] <gsingh93> is there some recent news (other than their letter response) that i'm missing?
[18:53:47] <sivoais> I don't know other than the blog. The reactions aren't in the API either,  so we can't easily get at them.
[18:55:54] <gsingh93> i really wish gitlab caught on as the new place to host projects
[18:55:58] <gsingh93> i'd love to move over there
[19:09:08] <iangcarroll> https://twitter.com/taviso/status/708053228001300480
[19:09:09] <yossarian-bot> Title: Tavis Ormandy on Twitter: "Working on an unusual exploit for Comodo Antivirus, just *scanning* a file can exfiltrate keystrokes. #wtf https://t.co/NKmPGh2DMW"
[19:09:16] <iangcarroll> Comodo RCE via scanning a file...
[19:26:54] <DarkNova> gitlab is weird though
[19:37:40] <Clinteger> taviso is literally the best
[19:39:40] <iangcarroll> Indeed. Really funny to see these vulns.
[19:39:59] <iangcarroll> It's depressing there's all this low hanging fruit in AVs though.
[19:41:05] <iangcarroll> (not meant to discount his work; just that he's finding so many bad vulns in these critical components so rapidly)
[20:13:47] *** Joins: DarkNova_ (~DarkNova@146.229.116.203)
[20:13:47] *** Quits: DarkNova (~DarkNova@146.229.255.21) (Read error: Connection reset by peer)
[20:19:01] *** Quits: DarkNova_ (~DarkNova@146.229.116.203) (Remote host closed the connection)
[20:57:35] <woodruffw> which company had the hilariously insecure chrome fork?
[21:03:38] <Clinteger> como do
[21:03:44] <woodruffw> yeah, that was it
[21:04:00] <woodruffw> something about open sockets accepting remote commands, iirc
[21:21:24] <iangcarroll> yeah
[21:21:34] <iangcarroll> AVG did that one, I believe
[21:21:45] <iangcarroll> comodo had a browser that disabled the same origin policy
[21:23:46] <iangcarroll> https://blogs.adobe.com/psirt/?p=1327
[21:23:47] <yossarian-bot> Title: Security Updates Available for Adobe Flash Player (APSB16-08)
[21:23:50] <iangcarroll> uh oh
[21:24:18] <iangcarroll> it's being actively exploited
[21:37:38] <Clinteger> chromodo was the name of it
[21:37:54] <Clinteger> the one that taviso just destroyed
[22:27:44] *** Joins: DarkNova (~DarkNova@c-68-35-150-201.hsd1.al.comcast.net)
[22:31:52] *** Quits: DarkNova (~DarkNova@c-68-35-150-201.hsd1.al.comcast.net) (Ping timeout: 244 seconds)
[23:12:20] <magically> iangcarroll: Ugh
[23:12:36] <magically> God damn it Adobe
[23:12:47] <magically> I was doing a CTF today which involved a Flash thing
[23:17:00] <magically> https://github.com/blog/2119-pull-request-and-issue-reactions
[23:17:00] <yossarian-bot> Title: Add Reactions to Pull Requests, Issues, and Comments · GitHub
[23:17:10] <magically> OMG you can react to GitHub postings now xD