@fluffy @angristan @rotawerx
More to the point, if someone needs to be pre-emptively shielded from all negativity, they may wish to put the computer away.
Nick Jr., Noggin, and Sprout are still broadcasting for their convenience.
You should know three things:
* The chief engineer at every radio and TV station I've worked on has been a boomer whose most recent IT experience was in the 90s
* ENDEC units have default passwords and no they usually don't get changed
* There are two stations in every market that every other station listens to for alerts to rebroadcast on a purely automated basis
Now that Poettering works for Microsoft, phase 3 is about to start: renaming systemd to svchost.exe
https://www.phoronix.com/scan.php?page=news_item&px=Systemd-Creator-Microsoft
>Someone on reddit asks for help with a Network Solutions problem
>Literally every comment is telling them to run the fuck away from Network Solutions
This is your reminder that Network Solutions is hilariously insecure, and any domain with them can be taken over in under an hour, with just a phone call.
"A 2FA bypass is not a bug because you'd need to know the username and password to use it"
uhhhhh folks what do you think 2FA is for?
Riot Games 2FA implementation is inherently broken: The same code can be used multiple times.
The code is also emailed to you, and email is known to be an insecure channel. You do not have the option to use your own TOTP application to generate login codes.
Riot Games responded to a report saying that the system is "working as intended"
Lesson? Phish Riot accounts. They will do nothing to stop you.
Also, HackerOne is an absolute fucking joke.
Today I learned that unprivileged users can run "systemctl show servicename" to see all the environment variables set in the .service file.
This means if someone sets their AWS_SECRET_ACCESS_KEY in there (or any other secret), it can be read by an attacker even if they don't have read privileges to read the .service file.
For defenders, use EnvironmentFile= instead of Environment= and as long as your environment file has the correct privileges, you will be fine on this front.
Now, they did exactly one thing right:
They don't ask permission to send the code when you log in. They just send it.
Asking things like "Where would you like us to send the code?" or "Is it alright if we send you the code?" gives an attacker a chance to back out before the notification alerts the account owner to the potential breach.
Your auth systems should make attackers noisy. We like noisy attackers.
Riot Games deployed multifactor auth in basically the worst way they could:
1) *only* email 2FA is supported, no TOTP
2) The code is shown in the subject line, making it trivial to steal from streamers, or participants in a video call, or anybody who can wake up a target's phone (no unlock needed)
3) Enrolling your account forwards you through an absolute fuckton of redirects to unrelated domains, including sites for Riot's other games, and their eSpOrTs site.
Abysmal failure.
Patch now. Like right now. This one looks pretty easy to exploit, and it's present on default Debian, Ubuntu, and CentOS/RHEL installs.
Hacker, comedian, RED Scout fan, gold Ekko one-trick. Watching them sorting debris.