#arpnetworks 2015-08-04,Tue


Who What When
mercutiobrycec: apparently that got fixed (the ipv6 issue)
although i dunno what they're doing now
but yeah i don't have a high opinion of it
[00:27]
.............. (idle for 1h9mn)
***dwarren has quit IRC (*.net *.split)
Seji has quit IRC (*.net *.split)
dwarren has joined #arpnetworks
Seji has joined #arpnetworks
[01:37]
......................................................................... (idle for 6h0mn)
JC_Dentonif it's the cp to your email, you're probably screwed [07:39]
grodythey use CloudFlare, so no surprise they got owned [07:39]
BryceBotThat's what she said!! [07:39]
grodythat company has a track history of "issues" [07:39]
JC_Dentonnot sure how you would get pwned "thru" cloudflare, unless you redirected an admin page or something [07:39]
grodynot sure why i put cloudflare.. meant to say godaddy
they used to be so easy to social engineer it wasn't even funny
the CSRF vuln. earlier this year is also another example
[07:50]
smells of an SEA hack [07:57]
............................ (idle for 2h19mn)
up_the_ironsbrycec: an EU location is much more of a possibility now :) [10:16]
brycecNeat. [10:16]
......... (idle for 41mn)
hazardoushttps://googlechrome.github.io/samples/subresource-integrity/index.html
very happy about this
[10:57]
...................................... (idle for 3h5mn)
mercutiooh nice, eu? :) [14:02]
............... (idle for 1h14mn)
gizmoguyright, I'm running synergy v1.7.4-rc5. let's see if this fixes my crash every time I copy and paste bug
mercutio: https://www.youtube.com/watch?v=kJlDY0XvbA4
[15:16]
BryceBotYouTube video: "BSOD Network Visualisation (2015 edition)" by WAND Network Research [15:17]
mercutiogizmoguy: oh new version? :)
i can cut and paste in one direction
[15:17]
gizmoguyyip that's running live against Waikato unis upstream
~600-700mbit
[15:18]
mercutiomost of it is tunneling?
QUIC is being used more and more by google/youtube
and that "google" server seems to be much further away than it should be
bloody dns
oh maybe it's fudging the address
[15:19]
...... (idle for 26mn)
apparently that bind dos is starting to be getting triggered [15:47]
staticsafeyes a third party released a PoC [15:53]
mercutiopoc? is that like an attack?
oh proof of concept
[15:55]
brycecWhat bind DoS is that? [15:58]
mercutiothe one that can't be blocked by acl
and crashes the server
with a single packet
[16:07]
brycecGuessing https://kb.isc.org/article/AA-01272/0/CVE-2015-5477%3A-An-error-in-handling-TKEY-queries-can-cause-named-to-exit-with-a-REQUIRE-assertion-failure.html this most recent one then [16:11]
mercutioyeh
at least it's just a crash
[16:19]
brycecisc-bind-9.10.2pl2 w00t, OpenBSD's packaged BIND is new enough to not be vulnerable.
Versions affected: 9.1.0 -> 9.8.x, 9.9.0->9.9.7-P1, 9.10.0->9.10.2-P2
[16:23]
.... (idle for 19mn)
mercutioi'm not sure of that brycec
is pl2 and p2 the same thing?
[16:42]
brycecp-twelve and p-two? [16:43]
BryceBotThat's what she said!! [16:43]
brycecBy my math, twelve > two. [16:43]
BryceBotThat's what she said!! [16:43]
mercutioit looks like pl2 not p12
looks like there's pl3 for openbsd now
http://mirrors.arpnetworks.com/openbsd/snapshots/packages/amd64/isc-bind-9.10.2pl3.tgz

although this p vs pl thing is confusing
[16:43]
brycechm guess you're right, elle vs one. haaaate that when that happens. [16:46]
mercutiohmm bind hasn't had a code execution vulnerability since 2008
http://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64
kind of nifty to give all this detail
[16:47]
.... (idle for 16mn)
mjp_yes, yes it was [17:03]
.... (idle for 17mn)
mnathani_can a headless virtualbox instance be run on top of ARP KVM VMs? Performance would be terrible - but besides that [17:20]
brycecOne way to find out for sure ;)
IIRC it requires the virt extensions to be passed through from the host.
Of which there's a 50/50 chance
[17:28]
mercutioi don't think arp has that enabled
http://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64
oops
http://www.cvedetails.com/product/144/ISC-Bind.html?vendor_id=64
gah, now my cut and paste is broken
https://www.kernel.org/doc/Documentation/virtual/kvm/nested-vmx.txt
so it requires the kvm module to be loaded with different option, and the cpu flag to be passed through to the vm
but yeah altogether it looks too beta
[17:36]
.... (idle for 17mn)
mnathani_flags : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm up unfair_spinlock pni cx16 x2apic popcnt hypervisor lahf_lm svm abm sse4a
no vmx flag
In other news: http://www.vancitybuzz.com/2015/08/loonie-canadian-dollar-drops-lowest-11-years/
[17:56]
............. (idle for 1h0mn)
mercutiogizmoguy: did you manage to fix synergy cut+paste? [18:57]
gizmoguyhasn't crashed yet!
I usually get a crash per hour
want the deb?
[18:57]
mercutiothe canadian $ is called loonie?
nah i'm using arch linux
i'll try updating synergy though
[18:58]
gizmoguythere's a tag on git for it I think [18:58]
mercutioi just updated to master
make: *** No rule to make target 'install'. Stop.
weird that make works but make install doesn't
it's working sometimes
this is weird :)
[18:58]
gizmoguyI think they use cmake? [19:01]
mercutioyeah they do
it's weird it hasn't crashed yet, but linux -> windows seems to cut about 1/8 times
[19:01]
brycec@wiki Loonie [19:02]
BryceBotLoonie :: The Canadian one dollar coin, commonly called the loonie, is a gold-coloured one-dollar coin introduced in 1987. It bears images of a common loon, a bird which is common and well known in Canada, on the reverse, and of Queen Elizabeth II on the obverse. It is produced by the Royal Canadian Mint at its facility in Winnipeg. The coin's outline is an 11-sided curve of constant... http://en.wikipedia.org/wiki/Loonie [19:02]
mercutiomaybe 1/4
but other times it cuts and wipes the cut buffer
[19:02]
gizmoguyI want a loonie [19:02]
mercutioi don't remember ever seeing one [19:03]
brycecbrycec holds one up to the screen [19:03]
jpalmerjpalmer is a loonie. [19:03]
mercutiohas the US got dollar coins yet? [19:04]
jpalmersilver dollar [19:04]
brycecThe US has had dollar coins for ages
Just "nobody" uses them.
Silver dollar, Susan B Anthony, Sacajawea, etc
[19:04]
mercutioi was under the understanding that normal shops didn't accept them [19:05]
brycecmercutio: Under law, they're required to. [19:05]
mercutiooh [19:05]
brycechttps://en.wikipedia.org/wiki/Dollar_coin_(United_States) throughout the entire history of the US apparently. [19:05]
BryceBotError in Wikipedia's response: [19:05]
gizmoguywe have $1 and $2 coins here
nobody uses coins here tho
cash is for people living in the past
[19:06]
mercutiowell upgrading windows synergy made it worse
i use coins gizmo
i find 10c pieces rather annoying though
i use paywave when i can, but most small shops don't even take credit card so i pay in cash
it seems silly to pay $4 or something with eftpos
[19:07]
brycecDon't take CC? Crazy to hear as an american. [19:08]
mercutiobrycec: like bakeries etc? [19:08]
brycecRight. [19:08]
mercutiobakery, sushi shop etc. [19:08]
brycecI can't remember the last time I went somewhere that didn't take CC [19:09]
mercutiowell there are credit card surcharges here [19:09]
brycecOf course, I often choose to spend cash at small shops for that reason. [19:09]
mercutiothe sushi place is annoying, as they have amounts like $5.40
y'know, maybe they do take credit card there, i'm not sure now
[19:09]
BryceBot<mercutio> ow nsuswinpluc nisnu nri gtnusnow rnwuv nusnu osnlim n$5.40 [19:10]
mercutioheh, y'know catches me out way too often. [19:10]
bryceclmao
Merchants like Paypal and Square here have made it very easy to accept CC's.
[19:10]
mercutioyou can use paypal in shops? [19:11]
brycecmercutio: https://www.paypal.com/webapps/mpp/credit-card-reader [19:12]
mercutiohere lots of small shops use dialup for eftpos and it's really slow
and with credit cards, when chips came into play lots of credit card stuff was slow until they upgraded their machines.
[19:12]
brycecThough there's a big hardware store chain I can actually pay with my Paypal account at. (Home Depot) [19:12]
mercutiobryce: you don't really do eftpos there do you? [19:13]
brycec(From a Home Depot terminal https://www.javelinstrategy.com/uploads/2012/02/PayPal-31-297x300.jpg) [19:13]
mercutioit says that page doesn't exist fwiw
probably geo stuff
[19:13]
bryceclol geo stuff [19:13]
mercutiothat's pretty cool [19:13]
brycecmercutio: and no, EFTPOS is essentially non-existent in the US [19:13]
mercutioi like paypal
i know some people really hate it though
[19:14]
brycecIn fact, according to Wikipedia it says it's basically .au and .nz only [19:14]
mercutiooh, interesting
it's kind of big here
[19:14]
brycec(or that's how I'm skimming the wiki page)
https://en.wikipedia.org/wiki/EFTPOS
[19:14]
BryceBotEFTPOS :: EFTPOS (pronounced /ˈɛftpɒs/) — electronic funds transfer at point of sale — is an electronic payment system involving electronic funds transfers based on the use of payment cards, such as debit or credit cards, at payment terminals located at points of sale. In Australia and New Zealand it is also the brand name of a specific system used for such payments. The Australian and New Zealand systems are country specific and... [19:14]
mercutioit's like a debit card which costs 35c per transaction
except if you use atm then it's like $1
[19:14]
brycecDebit transactions are almost always 0. (though ATMs are a different story) [19:15]
mercutiowell actually atm can be cheaper if you have an atm machine of the right bank around you (which i don't)
i'm with the biggest bank in the country, and there's no atm's nearby :/
there used to be lots of banks around here, but they all shut down, some left atm machines behind some just closed up completely
i don't even know where my "home branch" is now
but the banking market has all got more expensive, and less convenient
apparently eftpos started in the US
[19:15]
brycecYeah I did see that. [19:19]
gizmoguysquare is cool [19:19]
mercutioi kind of like how easy pay wave is
i suppose it's insecure, but it's just cool being able to pay for things quickly. it kind of sucks when you have to stand around waiting for some machine to be ready to take your pin etc.
[19:20]
brycecIf it's the "Paywave" I'm thinking of, it's about as secure as "chip" payments minus the PIN.
Which in the US, is most chip payments anyhow...
[19:21]
mercutioprobably the same dff [19:21]
brycec(Yes, in the few US places that have adopted chip so far, it's chip or chip+sig, but never chip+pin :'( [19:21]
mercutioerr www.visa.co.nz is trying to download a virus
it's a .swf file
[19:21]
brycecNo virus from visa.co.nz for me [19:22]
mercutio(yeh i know that's just flash, but argh) [19:22]
brycecOr maybe your AV just thinks all flash is viral [19:22]
mercutiochrome said it could harm my computer
and was downloading it rather than showing a window saying to install flash player
[19:22]
brycecMy chrome was happy enough. But I also don't load any plugin content. [19:23]
mercutioyeah i disabled flash
it means i can't view videos on some news sites
but that's about the only drawback.
[19:23]
gizmoguyi found most CC transactions in the states were magstripe and not chip? [19:25]
mercutiogizmoguy: didn't nz only move recently to chip? [19:27]
gizmoguyall my cards are chip'd
and they expire at the end of this year
[19:27]
mercutioi think i went chip like two years ago [19:27]
gizmoguyand CC cards take 3 years to expire [19:27]
mercutioreally?
i thought they lasted longer than that
[19:28]
gizmoguymaybe it's 4 years
anyway, it means we've had chip for the past 4 or so years
[19:28]
brycecgizmoguy: indeed they are :( [19:29]
mercutiotime flies i suppose
i just remember being annoyed when i first had chip because it was really slow
[19:30]
brycecBut the deadline is this October as I recall. At that time, the burden shifts from the issuer to the merchant for swipe transactions. [19:30]
mercutiobut then i could have swiped it?
maybe something changed with chip that made it slower
[19:30]
brycechttp://www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php
Chip is slow because there's a handshake.
[19:30]
mercutiobrycec: new machines are like 8 times quicker than old machines though
for the handshake part
[19:31]
brycecSwipe is just reading a stripe of data off the card and phoning home.
mercutio: I'm not surprised.
[19:31]
mercutioo [19:31]
brycecv [19:31]
mercutiosupermarkets and petrol stations tend to be fast here
but some smaller places that take credit card are still slow
i suppose priorities and all that
[19:32]
gizmoguymerchants should stop charging so much for readers [19:32]
mercutiogizmoguy: there's a duopoly [19:32]
gizmoguyI was looking into those cellphone paywave readers
$400 for the reader
+2% transact fee or whatever
surely the transact fee is enough to make money off
[19:33]
mercutioyeah
the transaction fees are insane
i'm still annoyed that it costs 2.5% for bank to convert currency on credit card
there must be a better way :)
[19:33]
brycec"Entering a PIN connects the payment terminal to the payment processor for real-time transaction verification and approval. However, many payment processors are not equipped with the technology needed to handle EMV chip-and-PIN credit transactions. So it is not likely you will have to memorize new PINs anytime soon, according to Conroy."
*sigh*
[19:35]
BryceBot*sigh* [19:35]
mercutiooh you don't have pins there even? [19:37]
brycecMost people don't. One of my cards does though :D
"After an Oct. 1, 2015, deadline created by major U.S. credit card issuers MasterCard, Visa, Discover and American Express, the liability for card-present fraud will shift to whichever party is the least EMV-compliant in a fraudulent transaction."
[19:38]
mercutiopins have been common here for ages
i never used to use pin though
[19:38]
brycecOur debit cards have PINs... I don't see why people can't handle CC's with PINs [19:39]
mercutioas when i got my credit card issued they sent it in the mail i think? anyway, it didn't have a pin at first.
and i had to go in to get a pin put on it
when it asks for pin here you can just press ok
so pin is convenient rather than necessary.
[19:39]
brycecInteresting. [19:40]
mercutioyeah, although seeing people try to match signature is funny [19:40]
gizmoguyin US everyone would ask for photoid when I tried to pay with a CC :( [19:40]
brycecWait, do people actually do that there, mercutio ? [19:40]
gizmoguyand nobody knew what a NZ drivers license was [19:40]
mercutiogizmo: oh wow.
brycec: check signatures, yes.
[19:40]
bryceclol gizmoguy [19:41]
mercutiothey ask for id when buying alcohol often here too
ever since the age went up to 21 from 18
err down from 21 to 18
[19:41]
brycec*nobody* checks signatures here. I end up drawing lewd things. [19:41]
mercutioi used to just walk out of liquor shops if i got asked for id [19:41]
gizmoguynobody makes you sign anything here [19:41]
mercutiogizmo: what about if you get cash out with eftpos? [19:42]
gizmoguyas I said before, I don't use cash [19:42]
mercutiogizmo: never ever? [19:42]
gizmoguymaybe 1-2 times a year I'll get some out of an ATM [19:43]
mercutioyeah i get cash out way more than that
probably over 10 times a year
cash makes it easier to know much you're spending
especially for small transactions, like coffee, food etc.
[19:44]
mnathani_@exchange 1 usd to cad [19:53]
BryceBot1 USD -> 1.319006 CAD (as of Tue, 04 Aug 2015 19:01:02 -0700) [19:53]
mnathani_Someone needs to make a summary of facebook that is not time sensitive - ie: can be visited at a later date and only contains items that are most relevant to users. None of this firehose of posts that are missed if not viewed regularly [19:58]
.... (idle for 17mn)
mercutiomnathani_: the relevancy of facebook is questionable in general [20:15]
jpalmerquestionable? I'd go so far as to say, facebook needs to go the way of myspace. [20:26]
***mercutio has quit IRC (Ping timeout: 246 seconds)
mercutio has joined #arpnetworks
mercutio is now known as Guest31825
[20:26]
brycecCater towards musicians? [20:29]
***Guest31825 is now known as mercutio [20:29]
mercutiobloody freenode [20:30]
mnathanibecome irrelevant is what I think he meant [20:30]
mercutioseems i missed some stuff :)
jpalmer: myspace at least lets users customise pages.
[20:30]
................. (idle for 1h20mn)
kellytkDidn't myspace change user profiles to being Flash-powered? [21:51]
mercutiono idea, i haven't used it in years [21:52]
kellytkI tried to retrieve old photos from it a year or two ago and it had been converted to a blackbox Flash file unfortunately [21:54]
mnathani_I never really used myspace [22:00]
***mnathani_ has quit IRC () [22:13]
mercutiothere's some other big one i think it was in south america
and i think there's a big china one too
i had an idea like facebook before facebook exists, but i think many others did too :)
i've actually still got a slightly different idea. but i can't really devote the time to make such things work.
[22:15]
.... (idle for 19mn)
kellytkYes many did, Facebook was relatively late to the social game [22:35]
mercutiowell the internet was late to the social game in general :)
there's no reason such things couldn't have been around in the 90s
although it would have probably been more elite back then
[22:49]
kellytkI think they did, but in a different form. (BBS/online service)
What I meant about Facebook was that there were multiple successful social websites for multiple years before Facebook even started, let alone hit critical mass
[22:50]
Basically I was affirming what you said in "but i think many others did too" [22:56]
..... (idle for 21mn)
mercutioahh i see
yeah my idea was more to integrate messaging etc too
it's curious that facebook e-mail never went anywhere
i ran a bbs btw, so yeh some of my influence came from there.
there was a lot more community feel back then.
what actually bugs me personally the most atm is secure phone calls / messaging.
i don't even have a high need for security. but it's important that people with nothing to hide also do secure, so that you're not guilty for securing communications.
you can do things ok with jabber+otr but hardly anyone i know uses jabber.
atm there's kind of vendor lock in with things like skype, and they're not secure.
but yeah, no money, and somehow have to get users.
[23:17]
kellytkI would be shocked if Skype were actually secure or respectful of privacy in any way [23:20]
mercutioyou wouldn't want such a service to be closed source or charge for it really
which also means you kind of want it to be decentralised.
[23:20]
kellytkI agree about community feel, although I've been feeling that way progressively moreso since the eternal September [23:21]
mercutiojabber you just use your own domain name.. and have special records
haha
when i first heard about that i had no context.
i had no idea what it was about
wow, when that happened i actually listened to the radio
but yeah jabber is the best that's around atm, but there's no one jabber client, one jabber domain you can easily point people to, and get them to use it
and otr is a plugin/extension
and i don't think jabber does well with video/voice
skype is actually pretty great for voip
its video is a bit lacking
but it has great echo cancelation that works well, low bandwidth requirements, good audio quality
but there are some annoying things about it still, like you can't do group calls on android/iphone/mac
well you can participate audio only but not call
[23:21]
