<DocScrutinizer51>
our TV journalists found it together with Mhackers'
<DocScrutinizer51>
basically brute-force cracking of a 'pw'-like 6-digit transaction number, afaik
<DocScrutinizer51>
they probably should install fail2ban ;)
<DocScrutinizer51>
funny hack but no real big thing in my book
<whitequark>
it's like BGP
<whitequark>
anyone can hijack anyone's flights
<DocScrutinizer51>
well, as long as you can brute-force crack the 6-char(?) transaction token, yes. Under the same premise I can root 60 percent of all computers on this globe
<DocScrutinizer51>
you 'only' need the family name of a customer, a rough time window of the transaction, and then brute-force the transaction token. Pretty 'insecure', eh? No, they just should throttle brute-forcing, e.g. with fail2ban
<whitequark>
DocScrutinizer51: but that's true, you can intercept 60% (actually might be more than 60%) of traffic with a fake BGP advertisement
<whitequark>
and if you know a rough time window then you don't even need to brute-force the entire token
<DocScrutinizer51>
nfc what that BGP thing is
<DocScrutinizer51>
what they said on TV is that they simply brute-force cracked the transaction ID
<DocScrutinizer51>
which is... cracking for kindergarten
<wpwrak>
kids today ...
<DocScrutinizer51>
yeah, they just repeated it on TV: the hackers brute-force cracked the 6-char reference ID with a known customer name. So how does that differ from brute-forcing the root password of any arbitrary server?
<whitequark>
DocScrutinizer51: who even uses passwords anymore? good luck brute-forcing my ssh key
<DocScrutinizer51>
add reasonable throttling like fail2ban and everything banana
<DocScrutinizer51>
meh
<DocScrutinizer51>
good luck clickbaiting me into this nonissue
<DocScrutinizer51>
poor implementation of an otherwise perfectly secure concept
<DocScrutinizer51>
of course the IDs need to be truly random, and auth needs a rate limit, just like any arbitrary other auth system. That they call it a reference ID and not a password is a communication failure, not an IT design failure
<DocScrutinizer51>
Nohl is making up big news to give ARD reporters a topic to cover C3 in news
<DocScrutinizer51>
pretty dishonest
<eintopf>
:o the channel is alive
<eintopf>
btw: my TFT power supply with the replaced electrolytic capacitors (elkos) still works