| lotuspsychje | good morning to all | 02:32 |
|---|---|---|
| Bashing-om | lotuspsychje: Maybe take another cup of motivation .. getting nuts in main :) | 02:34 |
| lotuspsychje | lol | 02:35 |
| lotuspsychje | Bashing-om: trolls or crowdy? | 02:35 |
| Bashing-om | lotuspsychje: Naww just off the wall stuff non procedural responses . | 02:37 |
| lotuspsychje | lol | 02:38 |
| lotuspsychje | lets c | 02:38 |
| Ben64 | bazhang has too much patience | 02:41 |
| Ben64 | i'd have ban hammered immediately lol | 02:41 |
| Bashing-om | bazhang been around here a while .. seen most of all I guess . | 02:42 |
| Ben64 | <jas> since when do you run [junk] here | 02:43 |
| Ben64 | /mode +b jas Since about 2007 | 02:43 |
| Ben64 | would have been my response | 02:43 |
| Bashing-om | That one is scating on thin ice presently . | 02:44 |
| Ben64 | yeah who uses emoji in irc | 02:44 |
| lotuspsychje | isnt that guy a regular volunteer? his nick sounds daily? | 03:06 |
| lotuspsychje | oh its about jas nvm | 03:12 |
| lotuspsychje | welcome | 04:14 |
| lotuspsychje | lol oerheks | 05:01 |
| oerheks | really, so obvious .. | 05:01 |
| lordievader | Good morning | 06:11 |
| ducasse | good morning all | 06:18 |
| lordievader | Hey ducasse | 06:23 |
| lordievader | How are you doing? | 06:23 |
| ducasse | up and about, trying to plan out the day. sun is shining and it seems not-freezing :) how about you? | 06:25 |
| lordievader | Doing good here | 06:26 |
| lordievader | Trying to wake up with coffee | 06:27 |
| ducasse | just keep chugging it down, it's bound to work soon :) | 06:28 |
| lordievader | Hahaha | 06:49 |
| * lordievader bounce bounce | 06:49 | |
| EriC^^ | !ping | 08:03 |
| ubot5 | pong! | 08:03 |
| === kostkon_ is now known as kostkon | ||
| BluesKaj | Howdy all | 12:03 |
| BluesKaj | HI EriC^^ | 13:04 |
| EriC^^ | hi BluesKaj | 13:05 |
| oerheks | :-) | 13:06 |
| BluesKaj | hey oerheks | 13:06 |
| oerheks | hey guys, are you all on wifi ? | 13:06 |
| oerheks | :-D | 13:06 |
| BluesKaj | not atm, my laptop is in suspend | 13:07 |
| oerheks | this wpa2 crack makes more waves than kim jung ill & trump tweets together | 13:08 |
| EriC^^ | what wpa2 crack | 13:08 |
| EriC^^ | wpa2 isn't secure anymore? | 13:08 |
| ducasse | https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/ | 13:08 |
| oerheks | jups, and https://www.krackattacks.com/ | 13:09 |
| oerheks | German dude http://papers.mathyvanhoef.com/ccs2017.pdf | 13:10 |
| oerheks | but the attacker must be in your neighbourhood, and you must click something to reuse the key | 13:10 |
| EriC^^ | wow | 13:12 |
| BluesKaj | heh, some of my neighbours don't know enough to use wpa2, one didn't even use a wifi pw | 13:13 |
| daftykins | it's all about 64-bit WEP keys | 13:14 |
| daftykins | ;D | 13:14 |
| BluesKaj | turns out he was using ethenet and didn't know his laptop was broadcasting wide open | 13:15 |
| BluesKaj | thought ethernet auto-killed laptop wifi, unless it was a misconfigged router | 13:56 |
| daftykins | nah both carry on at once always | 13:57 |
| BluesKaj | Hi daftykins, ok, makes sense then | 14:01 |
| daftykins | surely it wasn't the laptop sharing out a network though, that'd be odd | 14:02 |
| BluesKaj | guess I was mistaken, must have been the router | 14:03 |
| BluesKaj | don't think anyone around here would have realized there was no pw needed except me when I logged on to their wifi, but i let them know so not much piggy backing went on. | 14:07 |
| daftykins | :D | 14:07 |
| BluesKaj | local cable guy set it up ...moron | 14:07 |
| daftykins | hmm, usually they're not allowed to touch consumer gear | 14:08 |
| BluesKaj | it was the cable comapny's router | 14:09 |
| BluesKaj | cable tv/internet bundle | 14:09 |
| daftykins | ah everything ISP supplied always has default keys ime | 14:10 |
| lordievader | The lovely thing about those company routers is that they usually have a backdoor. That way they can see everything which goes on in your network. | 14:10 |
| BluesKaj | he neglected to setup a pw...she told me the installer didn't show them how to set up the wifi pw etc | 14:12 |
| ducasse | i always thought they handed out those routers to give to children to practice soldering on | 14:16 |
| BluesKaj | i have my own router , a TP-Link-TL WDR3600 and a TP-Link modem as well, which was suggested by my ISP as a compatible brand | 14:17 |
| lordievader | Those things can be evil on ipv6 | 14:17 |
| lordievader | IIRC spamming dhcpv6 request at a rate of 300Hz while the network uses SLAAC | 14:18 |
| BluesKaj | lordievader, what things? | 14:18 |
| lordievader | TP-links | 14:18 |
| BluesKaj | my ISP is strictly IPv4 afaik | 14:18 |
| nicomachus | so how is the KRACK vuln fixed? Can kernel upgrades do it, or is the protocol itself broken? | 15:50 |
| ducasse | the protocol, aiui | 15:51 |
| nicomachus | aiui? | 15:51 |
| daftykins | as he understands it | 15:51 |
| nicomachus | oh | 15:52 |
| daftykins | yeah so firmware all over the show | 15:52 |
| nicomachus | so we need a new protocol then. | 15:52 |
| daftykins | most likely gonna mean a lot of devices turn into crap | 15:52 |
| daftykins | nah it's fixable | 15:52 |
| ducasse | for linux, a patch to wpa_supplicant, i think | 15:52 |
| * nicomachus sets a check for updates every hour on the hour | 15:53 | |
| ducasse | supposed to be made available later today european time | 15:53 |
| nicomachus | ah, well that's timely. Good to know. | 15:53 |
| nicomachus | unrelated, but --progress really should be a default option on rsync | 15:55 |
| daftykins | anytime i've tried to use rsync i've found it prohibitively slow :< | 15:56 |
| nicomachus | what's the alternative? | 15:58 |
| nicomachus | for transferring files over SSH, anyway | 15:58 |
| daftykins | depends on the scenario really | 16:01 |
| nicomachus | "Notably, our attack is exceptionally devastating against Android 6.0: | 16:01 |
| nicomachus | it forces the client into using a predictable all-zero encryption key." | 16:01 |
| nicomachus | that sounds like a serious problem for Android | 16:07 |
| ducasse | tons of fun for the gazillion devices that get no more updates | 16:08 |
| nicomachus | I wonder what the market share is for 6.0 nowadays | 16:09 |
| nicomachus | I'm on 8, but last I heard 4.4 was still the most common | 16:10 |
| daftykins | it's definitely a shit-show | 16:10 |
| daftykins | did i tell you mine made me download and install 8.0 on top of itself? o0 | 16:10 |
| freakyy | does anyone find hosting rocket.chat myself would be worth it? ;D | 16:10 |
| daftykins | what's that and how does it relate to ubuntu? | 16:11 |
| nicomachus | daftykins: what do you mean? | 16:11 |
| daftykins | nicomachus: i'd put on 8.0 myself manually, then it prompted me to update to 8.0 :D thing downloaded it quite rapidly, then installed rapidly as well | 16:11 |
| nicomachus | I tried texting my dad a few questions about this whole deal because he's in netsec for some gov contractor and all he replied was "busy" | 16:11 |
| daftykins | build didn't change or anything | 16:12 |
| nicomachus | oh, yea, mine did that too but I assumed it was something slightly different. Didn't check the build number. I had the 8.0 beta installed and it made me download and install the first 8.0 release. | 16:12 |
| nicomachus | Looks like patches may be public now: https://twitter.com/vanhoefm/status/919853110700531712 | 16:40 |
| nicomachus | hostapd and wpa_supplicant | 16:40 |
| TJ- | The patches were released just after midnight | 16:43 |
| TJ- | Ubuntu published updated packages about an hour ago, just waiting for the release team to push them to the archives | 16:44 |
| nicomachus | debian fix: https://lists.debian.org/debian-security-announce/2017/msg00261.html | 16:44 |
| TJ- | LineageOS (previously Cyanognemod) has the patches in review now, so should get merged later on | 16:45 |
| nicomachus | Just got a wpasupplicant update on my Ubuntu 16.04 laptop | 16:46 |
| daftykins | seen a few defections to Lineage for OnePlus owners annoyed with the privacy woes that was a story in the last week | 16:46 |
| nicomachus | Looks like Android itself won't get an update until the November 6 normal security release | 16:47 |
| daftykins | yeah | 16:48 |
| TJ- | unless someone releases an active exploit then Google/device-makers may move faster | 16:48 |
| TJ- | it's not a difficult set of patches to apply after all | 16:48 |
| nicomachus | rpi got the wpasupplicant update too. | 16:48 |
| nicomachus | and HTPC. So I'm all up to date except for my phone. :/ | 16:48 |
| nicomachus | TJ-: I was hoping for something sooner just because Google is my carrier, manufacturer, and OS maintainer. Lol | 16:49 |
| TJ- | nicomachus: I know, I was suprised they said they're leaving it so long. I can only guess they weren't one of the manufacturers notified during the 5-month embargo window since the exploit was discovered | 16:50 |
| daftykins | probably down to how faceless Google is so you can't find anyone to contact :< | 16:50 |
| TJ- | otherwise I'd have expected them to have access to the wpa_supplicant patches early and apply them and get an update out. Same as Microsoft have done with Windows | 16:50 |
| TJ- | Ubuntu security devs didn't know about it until I told them at midday UTC | 16:51 |
| TJ- | so they've done fabulously to turn around the updates so quickly | 16:51 |
| nicomachus | You would think the researchers would have notified Google since one of the strongest attack vectors was on Android 6.0.... | 16:55 |
| TJ- | Yes. As I said, it's my guess based on Google's reaction. I may be wrong. | 16:55 |
| TJ- | You'd think with the way their Project Zero operates they'd have been ready and have a fix out before the embargo ended though | 16:56 |
| TJ- | You know what's neat about this exploit though? | 16:56 |
| nicomachus | They have a decent reporting department don't they? I thought they were one of the best for responding to bounties, etc | 16:56 |
| nicomachus | TJ-: please do tell | 16:56 |
| TJ- | The researcher - Mathy Vanhoef - found this because he was reading the source-code of wpa_supplicant whilst avoiding finishing writing up another paper he was working on, and noticed a function call ic_set_key(), and wondered what would happen if it were called twice. Made a note, went back to it some time later and discovered this issue | 16:58 |
| TJ- | So ... more eyeballs on code do sometimes make bugs shallow | 16:58 |
| nicomachus | +1 for FOSS? | 16:59 |
| TJ- | and as this is a protocol bug too, not implementation, that's even more impressive | 16:59 |
| TJ- | I'd say so yes. | 16:59 |
| TJ- | If he'd not been prevaricating from his other work he may not have discovered it. | 16:59 |
| nicomachus | +1 for procrastination | 16:59 |
| TJ- | There's some indication someone spotted this potential before him too, but no indication they ever followed up on their doubts on it | 17:00 |
| nicomachus | but honestly, who procrastinates by reading the source code of wpa_supplicant? | 17:00 |
| daftykins | XD | 17:00 |
| daftykins | true smarticles | 17:00 |
| TJ- | so, this could be out in use as an exploit because I would assume anyone in places like GCHQ/NSA tasked with reviewing source code for vulnerabilities would easily come to the same conclusion | 17:01 |
| TJ- | It's the kind of question I ask myself as I'm scanning source-code all the time. I think most hackers operate in that way too | 17:01 |
| TJ- | hackers in the sense of code-hackers, not crackers | 17:02 |
| nicomachus | In the words of Elon Musk: Nerd. | 17:02 |
| TJ- | That was just the Whiskey talking :) | 17:02 |
| TJ- | daftykins: are you getting blown about by the storm? | 17:03 |
| TJ- | oh, in case you need to pass it on to others asking, this is the USN https://usn.ubuntu.com/usn/usn-3455-1/ | 17:03 |
| daftykins | nah just saw the yellowy skies this morning and really low light | 17:03 |
| nicomachus | daftykins: I figured out an alternative to rsync | 17:06 |
| nicomachus | instead of transferring all the episodes of this series I wanted to watch from my HTPC to laptop, I just symlinked ~/Videos in /var/www/html/. :D | 17:07 |
| daftykins | haha | 17:08 |
| daftykins | in London at the weekend i was tethering to a spare phone to get online... mooched a small TV episode from home :> | 17:09 |
| nicomachus | hmm... pihole is blocking my access to the page for some reason. | 17:13 |
| nicomachus | and when I try to whitelist it says "not a valid domain". bugger. | 17:13 |
| nicomachus | oh I see now. nvm. | 17:19 |
| nacc | oerheks: maybe i missed it, did ricmm say why they wanted to know about vivid? | 18:59 |
| oerheks | nope.. | 19:00 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!