Random Jibber Jabber Thread

futant

Well-Known Member
I've been on Cheyenne air force base. It was the first time I realized how high a rank a colonel was. My grandfather pulled up, (years retired by then) and the young guards were like, "yea what can we do for you pops?" He showed his ID and their backs snapped straight and a salute was given with an apology.
Ya I have seen this scene before. My Grandfather was a full bird (L.O.M.) it was like that every time I would go to VA with him.
 

gioua

Well-Known Member
Each year Mom ships out the stocking stuffers they purchase for the gaggle here.. She sends out tracking info and lets us know it's on it's way.. I have been waiting for this since about 9am when I got her email..

Wifey has already grabbed them all and removed them from my sight.. I wanted to cherry pick the good stuff and give someone my tooth paste.. she wouldnt allow it..

 

hempyninja309

Well-Known Member
Each year Mom ships out the stocking stuffers they purchase for the gaggle here.. She sends out tracking info and lets us know it's on it's way.. I have been waiting for this since about 9am when I got her email..

Wifey has already grabbed them all and removed them from my sight.. I wanted to cherry pick the good stuff and give someone my tooth paste.. she wouldnt allow it..

Got any sixlets or whoppers in there??
 

gioua

Well-Known Member
Got any sixlets or whoppers in there??
no.. but wifey caved in when my daughter grabbed a Hershey's bar and ran to her room.. she sent granola bars too.. damn she's getting old.. soon it will be popcorn balls and pennies..

(she did pass out balloons for Halloween for a few years during the 80's Tylenol scare)
 

minnesmoker

Well-Known Member
Who wants to know the truth about the Target compromise?

I wrote a report, while under contract with Target Corp. in 2006, when I worked with their Virtual Server team, and did a security audit. It warned of this EXACT scenario.

I don't know the when or who, but here's the HOW:

1. Target uses a central repository,
2. Target uses trusted keys,
3. Target audits all updates before rolling them out, to look for security problems, BUT:
4. All target servers use "Golden Keys" for SSH connections, and
5. Target uses a single image, that is pushed by the roll out scripts,
6. After audit, engineers have EDIT access to the images that are pushed out.
7. In my team's security audit, we found multiple time bombs in the software.

The TGT exploit was done internally -- this isn't to say that it was an inside job. Contractors are not allowed to connect their laptops/smartphones/tablets to a TGT network. The unofficial "workaround" was pretty simple -- a tunnel in a tunnel. Desktops could be OS "re-purposed" by engineers -- the OSes of choice were Open SuSE, SuSE Enterprise, and RedHat. Occasionally Slackware (like me. :bigjoint: .) The reason? SSH tunnels to home or other "trusted" remote systems (or personal laptops, etc.) and an SSH connection BACK to TGT trusted computers, via the original open tunnel (it's a double tunnel technique that used to be pretty popular with security folks.) The end result? The double tunneled computer had direct administrative access to the TGT network. FULL ACCESS, ROOT privilege, on ALL of the servers.

As to internal connections -- all engineers, Project Managers, Network Analysts, and Sr. Wintel admins were give access to repository servers. In the /etc directory of those repository servers rested files with "golden keys." a simple scp command later, and your desktop (or tunneled remote system) were "trusted" Golden Servers. These are access keys that bypass ALL security checks, password requirements, and audit servers. (It was a "trusted" connection, and double encrypted tunnels, therefore no monitoring or auditing was possible.) When we did the audit, a number of "Time Bomb" programs were found. These were set by (then) current and former Security engineers. One of them, on the Financial Servers (the same ones compromised in this attack) would have set TGT to a 0 sum. We also found a few elevation time bombs (instead of programs destroying, or changing, server codes the time bombs re-established credentials, and elevated them to "allow external" and "wheel+root privilege.)

The how, specifics: With a Golden Key, the holder can access ANY target server, including POS, Rx, Display Wall, DB, and Server images. The drivers for ALL servers, POS systems, Kiosks, and wall systems were kept in the central repository. That means that the uniform POS scanners, with a couple drivers, sat, unprotected internally, on an open drive. Most scripts at TGT were written in Perl, PHP, BaSH, or CSH. We played the "hard to write, hard to read" game. An exploit was injected into an auto-update, most likely with a time bomb and timer (hence the start/stop times.)

Target also uses a centralized billing system, at their corporate headquarters -- and these systems share their golden keys with POS and Rx systems.

Walmart is vulnerable to a similar attack, although their network is really shitty and ugly, and would be a lot more painful to code to. Best Buy Corp., and Wells Fargo though -- they use the EXACT SAME deployment methods. They centralize, and distribute patches via timed pushes. Best Buy uses IBM hardware -- their commercial hardware is uniform, and so a single (or a couple) drivers are all that's needed, in addition to the secondary "forward" software.

I've emailed a few reporters, and a couple security blog sites, to get someone's attention, to share this information -- since they haven't responded, I'm publishing it myself -- if the SS reads this: FUCK YOU, you sent incompetent marshals to get me last time, I want a lawyer.

No one's safe from Corporate America, and ALMOST EVERYONE is vulnerable to the NSA. (Almost. NSA can't touch my private data. I don't put it online -- what they can touch is nothing but smoke, what they can't read, but can find .... They'll NEVER crack, because I encrypt my encrypted shit.)

All of you "nothing to hide, nothing to fear" retarded idiots ... Bet that credit card information is something worth hiding.

Oh -- Target Corporation is my "Golden Standard" of how business should be run in this country. Calculated, mature, thought out processes, and a very "community-centric" corporation. They still should burn for this, though -- they've had almost 10 years to prepare for something like this, and never bothered to implement the security standards we recommended after audit, to keep them PCI compliant, get them SOX compliant, etc., etc.


(This post brought to you by too many Santa Fe State Pen Ales.)

Sunni, if this runs afoul of your thumbs up on me, I apologize, please delete it, and ban my non-rule-following ass. ;-)
 

minnesmoker

Well-Known Member
I won't lie about being sorry for double posting ...

The NSA uses SIDWINDER 6.5 FIREWALLS. Don't bother, they really are (currently) unbreakable -- I know, I used to configure, install, train on, and maintain them.

They were designed by Secure Computing, Inc. (Now a McAfee business.) They were originally (pre 4.0) built on SELinux, but are now a custom DragonFly BSD distro, with jailed processes, local-only root (no programs run as root, no program can escalate to root, every program runs in it's own jail.)

The only people dirtier than criminals are those that prosecute criminals.
 

joe macclennan

Well-Known Member
You guys ever have a problem with Dynabloom falling out of suspension? I tried using it on 2 seperate occasions and both times the bloom crysalized badly. Not sure what to make of that.
yes, I just pitch it when it gets to that point. Even remixed like cn said I don't trust it to have the same ratios.
Hey Minne !
one of my girls from this years out door
is that the gsc?

looks very nice
 

mr sunshine

Well-Known Member
I was reading this thread on icmag it made me so mad this dude couldn't cure and didnt know why his good bud starts smelling like hay and ammonia when he jars. 6 fucken pages and none of those dumb asses where able to tell the guy it was chlorophyll he was just drying to fast and trapping chlorophyll. Fucken idiots!
 

curious2garden

Well-Known Mod
Staff member
I won't lie about being sorry for double posting ...

The NSA uses SIDWINDER 6.5 FIREWALLS. Don't bother, they really are (currently) unbreakable -- I know, I used to configure, install, train on, and maintain them.

They were designed by Secure Computing, Inc. (Now a McAfee business.) They were originally (post 4.0) built on SELinux, but are now a custom DragonFly BSD distro, with jailed processes, local-only root (no programs run as root, no program can escalate to root, every program runs in it's own jail.)

The only people dirtier than criminals are those that prosecute criminals.
**snicker**

It is SOOOOOO good to see you here!

MERRY CHRISTMAS! It's good to see everyone coming home for the holidays. I've been watching the T-38's coming in to EDW now. It appears all our ducklings are waddling home :)
 

curious2garden

Well-Known Mod
Staff member
I was reading this thread on icmag it made me so mad this dude couldn't cure and didnt know why his good bud starts smelling like hay and ammonia when he jars. 6 fucken pages and none of those dumb asses where able to tell the guy it was chlorophyll he was just drying to fast and trapping chlorophyll. Fucken idiots!
I thought chlorophyll was odorless, I thought that came from cellulose break down. Maybe singlemalt will enlighten us :) If I say please?,

Singlemalt, please?
Annie

PS mr sunshine don't feel to bad about icmag, I got brangling with OGRaskal over my Pre 98 Bubba Kush because it had a distinct lemon odour during a stage of her curing. I was literally drowned in people telling me I was full of shit. Unfortunately she still has a lemon edge for as much shit as I'm full of :) they are somewhat like us........
 

gioua

Well-Known Member
so have been looking at chromecast.. since gigs mentioned it.. just did some more research on it.. and getting bummed out on what I thought was gonna be a cool device..

so the chromecast does not take video's you have on your pc/smart phone/tablet etc and then cast them to your tv like I originally thought.. it will just cast youtube/netflix and some web pages correct? so hand helf games from a tablet wont be able to be played on the tv and videos other then those few..? that are castable?
 

gioua

Well-Known Member
I never saw gate guards refer to anyone as anything but sir or ma'am, LOL
When I was younger about 14 or so I was working on base.. ended up catching the rare ride with dad to work.. he had to stop off at his office to pick up some cartons of smokes he bought.. we walk into the office dad's in full attire.. (dad was a e-8 crypto tech instructor) watching the MP's snap straight and salute him was a kick in the shorts..

then we got the office.. doors are opened by 2 MP's he walks into the room does his security check past the front desk.. where I stayed.. did and eye scan.. this was in the 80's he swears I did not see it.. later admitted perhaps it was an eye scan.. anyhow doors open up more guards in there... He tells me the last time he was here that he was issued a C.W.P and always kept the gun at work.. Dad knew some scary crap for sure...
 
Top