#qi-hardware on 2016-12-27 — irc logs at freenode.irclog.whitequark.org

2015-04-02 04:38 kyak changed the topic of #qi-hardware to: Copyleft hardware - http://qi-hardware.com | hardware hackers join here to discuss Ben NanoNote, atben/atusb 802.15.4 wireless, anelok and other community driven hw projects | public logging at http://en.qi-hardware.com/irclogs and http://irclog.whitequark.org/qi-hardware

00:40 dandon has quit [Quit: .]

00:49 dandon has joined #qi-hardware

02:41 fengling has quit [Ping timeout: 268 seconds]

02:51 fengling has joined #qi-hardware

04:26 wildlander has quit [Quit: Saliendo]

05:29 DocScrutinizer05 has quit [Disconnected by services]

05:29 DocScrutinizer05 has joined #qi-hardware

06:28 fengling has quit [Ping timeout: 268 seconds]

07:30 fengling has joined #qi-hardware

08:16 <kyak> found this http://routersecurity.org/bugs.php while persuading a collegue of mine to wipe out the vendor firmware

08:16 <kyak> and use openwrt or derivatives instead

08:17 <kyak> all related news are put together for convenience :)

08:40 sb0 has joined #qi-hardware

09:03 eintopf_ has joined #qi-hardware

09:06 eintopf has quit [Ping timeout: 264 seconds]

09:06 eintopf_ is now known as eintopf

09:43 <whitequark> hm, where's joerg

10:22 sb0 has quit [Quit: Leaving]

11:35 sb0 has joined #qi-hardware

11:36 <wpwrak> whitequark: he's traveling these days. he may still notice (eventually) then you write something here, though.

11:36 <whitequark> ahh 33c3

11:36 <whitequark> then he probably already knows

11:37 <eintopf> 33c3 I wish I would be there

11:37 <wpwrak> naw, visiting a friend. not 33c3

11:46 <wpwrak> kyak: someone should make a horror movie with this :)

12:20 Nik05_ has quit [Read error: Connection reset by peer]

12:22 Nik05 has joined #qi-hardware

12:37 sb0 has quit [Quit: Leaving]

12:37 <kyak> wpwrak: and the horror part starts when a guy tries to install openwrt --)

13:05 <wpwrak> kyak: ah, you're planning the sort of movie where the heroes die, too :)

13:25 <kyak> ^)

13:46 <DocScrutinizer51> whitequark: not 33C3

13:48 <DocScrutinizer51> what's up?

14:13 <whitequark> DocScrutinizer51: https://twitter.com/josephfcox/status/813460065722269697

14:14 <DocScrutinizer51> sorry, not going to visit shitty twitter on N900

14:17 <DocScrutinizer51> prolly wou.dn"t work amyway

14:17 <whitequark> DocScrutinizer51: then https://mobile.twitter.com/josephfcox/status/813460065722269697

14:17 <whitequark> but anyway the link was https://motherboard.vice.com/read/global-travel-booking-systems-open-to-fraud-and-abuse

14:18 <DocScrutinizer51> well thats german news :)

14:19 <DocScrutinizer51> our TV journalists found it together with Mhackers'

14:20 <DocScrutinizer51> basically brute force cracking of a 'pw' alike 6digit transaction number afaik

14:21 <DocScrutinizer51> they prolly should inastall fail2ban ;)

14:22 <DocScrutinizer51> funny hack but no real big thing in my book

15:02 <whitequark> its like BGP

15:02 <whitequark> anyone can hijack anyone's flights

15:06 <DocScrutinizer51> well, as long as you cam brute force crack the 6charr(?) transaction token, yes. Under same premise i can root 60 percent all computers on this globe

15:15 <DocScrutinizer51> you 'only' need family name of a customer. rough time window of transaction, and then bruteforce the transaction token. pretty 'insecure' eh? No, they just should throttle bruteforce e.g. by fail2ban

15:16 <whitequark> DocScrutinizer51: but that's true, you can intercept 60% (actually might be more than 60%) of traffic with a fake BGP advertisement

15:16 <whitequark> and if you know a rough timewindow then you don't even need to bruteforce the entire token

15:16 <DocScrutinizer51> nfc what's that BGP thing

15:17 <DocScrutinizer51> what they told in TV they simply bruteforce cracked the transaction ID

15:18 <DocScrutinizer51> which is... cracking for kindergarden

15:36 <wpwrak> kids today ...

15:41 <DocScrutinizer51> yeah, they just repeated it in TV: the hackers brute force cracked the 6char reference ID with a known customer name. So how does that differ from bruteforcing the root password of any arbitrary server?

15:43 <whitequark> DocScrutinizer51: who even uses passwords anymore? good luck bruteforcing my ssh key

15:43 <DocScrutinizer51> add reasonable throttling like fail2ban and everything banana

15:43 <DocScrutinizer51> meh

15:43 <DocScrutinizer51> good luck clickbaiting me into this nonissue

15:50 <DocScrutinizer51> poor implementation of an otherwise perfectly secure concept

15:52 <DocScrutinizer51> of course the IDs need to be true random, and auth needs rate limit, just lie any arbitrary other auth system. That they do call it reference ID and not password is a communication failure, not an IT design failure

15:54 <DocScrutinizer51> Nohl is making up big news to give ARD reporters a topic to cover C3 in news

15:55 <DocScrutinizer51> pretty dishonest

16:03 <eintopf> :o the channel is alive

16:04 <eintopf> btw: my tft power supply with the replaced elkos still works

17:56 fengling has quit [Ping timeout: 268 seconds]

18:25 fengling has joined #qi-hardware

19:16 wildlander has joined #qi-hardware

19:52 mth has joined #qi-hardware

20:34 sandeepkr has joined #qi-hardware

20:37 sandeepkr has quit [Read error: No route to host]

20:39 sandeepkr has joined #qi-hardware

20:45 sandeepkr has quit [Remote host closed the connection]

20:47 sandeepkr has joined #qi-hardware

20:47 sandeepkr has quit [Read error: Connection reset by peer]

20:48 sandeepkr has joined #qi-hardware

20:50 sandeepkr has quit [Remote host closed the connection]

20:50 sandeepkr_ has joined #qi-hardware

20:55 sandeepkr_ has quit [Max SendQ exceeded]

20:56 sandeepkr_ has joined #qi-hardware

21:09 sandeepkr__ has joined #qi-hardware

21:10 sandeepkr__ has quit [Remote host closed the connection]

21:11 sandeepkr_ has quit [Ping timeout: 260 seconds]