Last Chance
Dec 31, 2004

SeismicTriangle posted:

Anyone here come from a military background? I'm currently about to enlist for this. People are saying it will be pretty easy to transition to a civilian career afterwards, just wondering if that's true from your perspectives and anything else you'd like to share. I don't really know anything about infosec/networks atm and school is only 6 months long so I have my doubts about those claims

am I gonna be the bad guy

I don't know much about nothin' here, but wtf is this when I visit that URL:


milk milk lemonade
Jul 29, 2016
Don't worry about it. It's not meant for you

CLAM DOWN
Feb 13, 2007




gently caress all militaries don't do it, get a better real job

Absurd Alhazred
Mar 27, 2010

by Athanatos

Last Chance posted:

I don't know much about nothin' here, but wtf is this when I visit that URL:



LOL, I thought it was just ScriptSafe acting up or something.

dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)
You used to have to get those from a public site that used the same root ...

milk milk lemonade
Jul 29, 2016
https://www.us.army.mil/

The plot thickens

not really it's supposed to happen

The Fool
Oct 16, 2003


milk milk lemonade posted:


not really it's supposed to happen

This.

The DoD runs its own CA and gives zero fucks about public root CAs

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Last Chance posted:

I don't know much about nothin' here, but wtf is this when I visit that URL:



Worked on certs for the DOD. They have their own series of private CAs they use to authenticate everything including using it to auth base entry and their websites.

They track every single cert by calling up the crl list every time you want to do something with your id. There is only one place in the org where you are allowed not to use your CAC card and that is if you are in the middle of the sea but you will get a new one as soon as you land on shore.

Also, really super illegal to let someone look at or hold your card. They are always told to keep it close because if they do lose it or it's stolen, it is going to be a lovely nightmare for them.

Proteus Jones
Feb 28, 2013



EVIL Gibson posted:

...crl list...

I'll bet you say ATM machine and PIN number.


You monster.

RFC2324
Jun 7, 2012

http 418

EVIL Gibson posted:

Worked on certs for the DOD. They have their own series of private CAs they use to authenticate everything including using it to auth base entry and their websites.

They track every single cert by calling up the crl list every time you want to do something with your id. There is only one place in the org where you are allowed not to use your CAC card and that is if you are in the middle of the sea but you will get a new one as soon as you land on shore.

Also, really super illegal to let someone look at or hold your card. They are always told to keep it close because if they do lose it or it's stolen, it is going to be a lovely nightmare for them.

So that's why the GIP CE thread freaked out over the pic of Bannon with his exposed.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

flosofl posted:

I'll bet you say ATM machine and PIN number.


You monster.

If you took the ciscp or you did anything with certs, then all these should be common terms.

Proteus Jones
Feb 28, 2013



EVIL Gibson posted:

If you took the ciscp or you did anything with certs, then all these should be common terms.

E: removing grumpy response. I'm probably missing the joke or something.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

RFC2324 posted:

So that's why the GIP CE thread freaked out over the pic of Bannon with his exposed.

There's always the jokes about the CAC card, but it's a no joke huge loving issue to lose or to let others use your CAC card. Even letting people see it can be a big issue in some areas.

Doug
Feb 27, 2006

This station is
non-operational.

EVIL Gibson posted:

If you took the ciscp or you did anything with certs, then all these should be common terms.

No reason to be an rear end in a top hat, he was making a joke that you said 'CRL list' Certificate Revocation List List...hence the statement about ATM (automatic teller machine) machine and PIN (personal identification number) number.

Evis
Feb 28, 2007
Flying Spaghetti Monster

EVIL Gibson posted:

If you took the ciscp or you did anything with certs, then all these should be common terms.

Just cause it's in a cert doesn't mean it's correct.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

Doug posted:

No reason to be an rear end in a top hat, he was making a joke that you said 'CRL list' Certificate Revocation List List...hence the statement about ATM (automatic teller machine) machine and PIN (personal identification number) number.

I was being a butt because I took his reply wrong.

DumbWhiteGuy
Jul 4, 2007

You need haters. Fellas if you got 20 haters, you need 40 of them motherfuckers. If there's any haters in here that don't have nobody to hate on, feel free to hate on me

EVIL Gibson posted:

Also, really super illegal to let someone look at or hold your card.

unless someone offers you a military discount, in which case you gotta prove you're with the military somehow

milk milk lemonade
Jul 29, 2016
I don't remember it being all that serious. I lost my CAC card at a dog park and they just gave me a new one. I had access to some relatively interesting stuff :shrug:

Edit: the card had a picture for visual identification obviously, but the PKI is only 1/2 or less of the equation in terms of accessing any part of any information systems

milk milk lemonade fucked around with this message at 04:28 on May 24, 2017

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

milk milk lemonade posted:

I don't remember it being all that serious. I lost my CAC card at a dog park and they just gave me a new one. I had access to some relatively interesting stuff :shrug:

Edit: the card had a picture for visual identification obviously, but the PKI is only 1/2 or less of the equation in terms of accessing any part of any information systems

As soon as you report it missing they immediately deactivate it in the tracking system (DEERS I think. Woo acronyms. It's a loving nightmare).

The PIN will be locked out permanently after a couple of tries unless you go to the office to give biometrics.

Mainly there are baaad bases with questionable security practices where flashing the CAC might be enough to get you in, but you should hit a swipe machine somewhere along the way. The worldwide system is updated enough that the current card you reported lost will not work on the swipe.

For the other person talking about it being used for vet benefits, that is one of a few reasons you can use it outside of military use. I was just saying that if you don't keep track of it or have control of it beyond the normal uses, the rules say there are punishments.



Funny story. You know how to get a card, you need to get it electronically signed by someone else in the system (and from the CA)? There was a little business going on where one of the issuers found a way to sign the same person while they had multiple versions of legit CACs. Utter poo poo storm when they found out Joe Schmoe was buying from the military store and finding no Joe Schmoe actually there because the card was being used by someone else who changed the pic on it. This was like ten years ago or something.

EVIL Gibson fucked around with this message at 07:15 on May 24, 2017

Three-Phase
Aug 5, 2006

by zen death robot
General question here:

When WiFi first came out it had WEP security that ended up being trivial to break.

Then there was WPA.

Then there was WPA2.

Is there any new standard like WPA3 or something different coming down the pipeline or is WPA2 just really solid?

Proteus Jones
Feb 28, 2013



Three-Phase posted:

General question here:

When WiFi first came out it had WEP security that ended up being trivial to break.

Then there was WPA.

Then there was WPA2.

Is there any new standard like WPA3 or something different coming down the pipeline or is WPA2 just really solid?

WPA2 is pretty solid, but it doesn't matter if it is or not since it's the only game in town anymore. The protocol does have a weakness with periodic de-authentication to force a key change leaving the session active until re-keying, but I've not seen any practical attacks using it yet.

However, there can be issues with underlying authentication mechanisms. Short PSKs can be brute forced. EAP-CHAPv2 is not recommended at all, you're better off with PSK. EAP-TLS is solid but requires every client to have a client side certificate installed, which usually means some form of PKI in place.
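An added example (not from the thread) of why short PSKs are the weak point Proteus Jones describes: WPA2-Personal derives the 256-bit PMK with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, at only 4096 iterations, so each offline guess is cheap and the search space is set entirely by the passphrase. The guess rate below is an assumed figure for illustration, not a measured one.

```python
import hashlib
import math
import string

# Assumed offline guess rate, for illustration only (not a measured figure).
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal pairwise master key (PMK) from a passphrase.

    IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit
    output. The passphrase itself must be 8-63 ASCII characters.
    """
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA2 passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on the search space (bits) if the passphrase were drawn
    uniformly from the character classes it uses. Dictionary words and
    leetspeak substitutions make the real figure lower."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(passphrase: str,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole estimated search space at the given
    rate; 4096 PBKDF2 rounds per guess is what makes short PSKs fall fast."""
    seconds = 2 ** passphrase_entropy_bits(passphrase) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # Constructed inputs: the two passphrases named later in the thread.
    for pw in ("12345", "Gr@ceJ0nesmarrym3iloveu"):
        print(f"{pw!r}: {passphrase_entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.3g} years to exhaust")
```

Note that "12345" is not even a valid WPA2 passphrase (under 8 characters), which is why `wpa2_pmk` rejects it while the entropy estimate still shows how little it would buy.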

wolrah
May 8, 2006
what?
Isn't WPA2 Enterprise roughly the same thing as 802.1x over a different medium?

Three-Phase
Aug 5, 2006

by zen death robot
PSK brute-forcing is if the password is something weak like "12345", right? Not something robust like "Gr@ceJ0nesmarrym3iloveu". Just you know, for example.

ohgodwhat
Aug 6, 2005

How did you figure out my password?

Proteus Jones
Feb 28, 2013



wolrah posted:

Isn't WPA2 Enterprise roughly the same thing as 802.1x over a different medium?

Yes.

And just like bog standard 802.1x you can use different EAP methods for authentication.

Furism
Feb 21, 2006

Live long and headbang
Do you need a PKI if you use WPA2 enterprise against a Radius server?

Proteus Jones
Feb 28, 2013



Furism posted:

Do you need a PKI if you use WPA2 enterprise against a Radius server?

It depends on the actual auth method you're using with RADIUS. If you use EAP-TLS with your Radius, then something/somebody needs to manage all the crap that goes with certificates.

If you're using EAP-MS-CHAPv2 (which is the next most likely after EAP-TLS), I'd recommend looking at moving to a different auth method with RADIUS since MS-CHAPv2 has been horribly broken for some time.

Internet Explorer
Jun 1, 2005





Well, this looks like fun.

OneLogin suffers breach—customer data said to be exposed, decrypted
Customer account-only support page warns of "ability to decrypt encrypted data."
https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

Anyone have any thoughts about CKP? It's a Chrome extension that accesses your KeePass DB stored on GDrive or Dropbox or whatever.

The main reason I would want to use it is for using on a Chromebook. It's a real hassle looking up passwords on my phone and typing a 32 character password in on my chromebook.

On the other hand, decrypting my keepass database in the browser just feels horrible.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
Given how often you see XSS exploits and other weird stuff, I'd be extremely hesitant to have your browser touching keepass at all.

You can always make your passwords keyboard friendly, lowercase, numbers and symbols gives you 40 bits with 20ish characters.

CLAM DOWN
Feb 13, 2007




Thermopyle posted:

Anyone have any thoughts about CKP? It's a Chrome extension that accesses your KeePass DB stored on GDrive or Dropbox or whatever.

The main reason I would want to use it is for using on a Chromebook. It's a real hassle looking up passwords on my phone and typing a 32 character password in on my chromebook.

On the other hand, decrypting my keepass database in the browser just feels horrible.

I'm totally the same, in that I badly need a KeePass app for my Chromebook. But yeah as said I just don't trust a browser with my password database :(

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

CLAM DOWN posted:

I'm totally the same, in that I badly need a KeePass app for my Chromebook. But yeah as said I just don't trust a browser with my password database :(

You could always run Crouton and then install the regular Linux version of keepassx or whichever password manager you like.

CLAM DOWN
Feb 13, 2007




Powered Descent posted:

You could always run Crouton and then install the regular Linux version of keepassx or whichever password manager you like.

But....then it wouldn't be a Chromebook anymore.....

e: oh wait I see, it runs alongside it, hmmmm

Furism
Feb 21, 2006

Live long and headbang
Why would you want a Chromebook over a Linux laptop? Genuinely interested to understand the use case.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Furism posted:

Why would you want a Chromebook over a Linux laptop? Genuinely interested to understand the use case.

Less janitoring.

some kinda jackal
Feb 25, 2003

 
 
What's a good go-to management system when you're responsible for storing and managing things like encryption keys, privileged account usernames and passwords, private keys, etc? I'm looking at Vault Enterprise, is there anything similar? My google-fu comes up with a lot of KEY management systems, but I don't want to look at solutions for specific types of secrets, just a generic secure secret vault. I have a number of HSMs kicking around I'd love to repurpose for this which is why I'm leaning towards Vault but I don't know if there's anything better.

CLAM DOWN
Feb 13, 2007




Furism posted:

Why would you want a Chromebook over a Linux laptop? Genuinely interested to understand the use case.

Yup, no janitoring required, it's fast, amazing battery life, and I simply don't need or want a Linux laptop.

Furism
Feb 21, 2006

Live long and headbang
Fair enough. I just don't trust (the security of) their OS all that much is why I asked. I'm probably too paranoid as usual. Their hardware seems neat though.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Furism posted:

Fair enough. I just don't trust (the security of) their OS all that much is why I asked. I'm probably too paranoid as usual. Their hardware seems neat though.

From everything I've read (and tried), ChromeOS is actually a VERY tough nut to crack from a security point of view. Its biggest drawback is its biggest strength -- it's basically just a web browser and not much else. That's a pain in the butt if you want to color outside that line at all (like running a local password manager), but it also reduces the attack surface to about as small as it can get.


gourdcaptain
Nov 16, 2012

Powered Descent posted:

From everything I've read (and tried), ChromeOS is actually a VERY tough nut to crack from a security point of view. Its biggest drawback is its biggest strength -- it's basically just a web browser and not much else. That's a pain in the butt if you want to color outside that line at all (like running a local password manager), but it also reduces the attack surface to about as small as it can get.

Can't the more recent ones by and large run Android applications too?
