He already speaks at 1.5X rate

I watched at 1.75 lol

i am watching it 0.75x. issues of non english 🙄

@@simplified_101 Iranian hacker moment

Yeah, was my first talk at an infosec conference.. was a little nervous, definitely talked way too fast. Though I also had a lot of content to cram into my given talk window.

If you want to understand keep attending talks; keep looking things up - the key to gaining knowledge in this field is exposure!

You can't just use ******* as a password. Some don't let you use asterisks and it's just all the same character.

Hunter221

It's not a secret, it's a NSA backdoor key.

@@AdolphusOfBlood ok thanks for that valuable information

@@morshlop The NSA has asked them to keep security flaws unpatched before for their own use, only to have hackers use them before. The NSA's tools have been leaked before as well. It should not shock you or anyone else. The NSA also has a back door into HTTPS. So frankly, never be shocked the NSA does this. They do it as they can get away with it, that's why open source software is key, you can't internally make this an issue with open source software.

🤣🤣🤣

If only more people would actually understand this, I setup a network not that long ago for a company where we started going down that path of disabling powershell and command prompt. The problem with disabling this stuff is that 1, it make your life harder as an administrator. 2, the general user doesnt even try to use it (they probably dont even know its there). 3, regardless if it is disabled or not an attacker is always going to find away around it. There are so many ways in windows to get access to a command prompt or power shell even if it is disabled.

@@jasonfletcher1638 can confirm, in school we had a 5 line bat file that did exactly the same as cmd except the Copyright Information

My biggest peeve are signup forms that say the username is taken... fuck that noise... send them a 'We've created your account (if it was valid), check your email'

WriteCodeEveryday so your failure mode is not to tell the user trying to create an account anything about why, you just don’t send them an email? Lol. Try growing *that* online service.

[deleted] I shouldnt respond while still half asleep

I disagree to the "idiot" part. There is a user friendliness aspect to be taken into account here. Now, in the case of a company and access to its intranet, I would agree - they should know their format and if they don't they should abase themselves adequately to the IT admin to get the correct information. When dealing with an enterprise-level application, though, you have to distinguish between password failure and username failure. A person might not have logged into the service for a while, after all, so they might have a few different possible usernames they could have used. Opaque failures in this case is just going to generate frustration with your service as well as a lot of customer service traffic - basically, it will cost the company money. The real goal here should be to maximizing the user experience while minimizing the security risk.

roguishpaladin and for services that are general public facing on the internet - your gmails, dropboxes, etc... - not telling people that their preferred username is taken during account creation is pretty idiotic.

>public-facing servers that can connect to the internet Uuh ... isn't that the whole point of them?

@@rolfs2165 Let me phrase that a bit simpler: A web server should answer requests, not surf on P*hub itself.

Lol, it's not like those can be faked with ease or anything.

We've detected possible unauthorized access to your account. Please change your fingers as soon as possible. For security reasons, we recommend changing your biometrics every 120 days and not using the same physical body on multiple services.

Bear in mind when this video was released, when this talk happened. Security continues improving some two years after the fact.

Except I was locking out sprays a decade ago. This video is full of weak sauce "exploits" against VERY poorly setup security. There are multiple off-the-shelf solutions that shut him down with default settings.

@@buzzkrieger3913 he mentions this in the talk. Two things, 1. Botnets, 2. Testing for this on VPNs and attacking unsecured points preferentially.

@@buzzkrieger3913 The video is titled "why my job is so easy". It's about very simple exploits that he still constantly sees.

@@buzzkrieger3913 thats the entire point of this talk

Boxcarcifer you’re still using non-mobile devices? How out of touch you are.

Boxcarcifer sorry, no. Haven’t been outside Europe since 2002. But both my names are pretty common in NL, so I’m very much not the only one out there.

Which is why quite a few companies ban the use of it unless it's required. Google for example.

If you think lazy security habits only affect M$, I've got a bridge I can let you have for cheap...

@@setnaffa No, but Microsoft encourages it.

@@TheLukemcdaniel Shockwave? Heartbleed? D-Link? There are too many CVEs to list...