|
goatcry.pt We etch your passwords onto a ring, then
|
#
?
Jul 20, 2019 17:05
|
|
|
|
| # ? Apr 19, 2024 07:00 |
|
|
Potato Salad posted:goatcry.pt I think your system might have a gaping security hole
|
|
#
?
Jul 20, 2019 19:38
|
|
|
Potato Salad posted:goatcry.pt an impressive application of steganography. now I have all the more reason to study this picture in detail
|
|
#
?
Jul 20, 2019 19:51
|
|
|
Potato Salad posted:goatcry.pt we perform a special kind of key stretching
|
|
#
?
Jul 20, 2019 20:03
|
|
|
Someone at Microsoft just published something or other last week about password authentication in Azure and declared that their hashes were all stored as thousand-round SHA256. On the other hand, AD still uses NT hashes (md4) and we don't hear that much about people extracting those at rest - though nobody owns up to corporate breaches on the attacking or defending sides.
|
|
#
?
Jul 20, 2019 20:06
|
|
|
Azure AD provides a bunch of really good account protections but they all require like P1s or higher which is kind of bullshit.
|
|
#
?
Jul 20, 2019 20:15
|
|
|
https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/ 
|
|
#
?
Jul 20, 2019 21:41
|
|
|
its good that other agencies are relearning how to burn competitors publicly good of zdnet to translate the bbc russia article and drop half of the information
|
|
#
?
Jul 20, 2019 21:48
|
|
|
cinci zoo sniper posted:https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/
|
|
#
?
Jul 21, 2019 13:17
|
|
|
this means they didn’t sign the binaries, right? https://www.zdnet.com/article/pale-moon-says-hackers-added-malware-to-older-browser-versions/ (lol pale moon)
|
|
#
?
Jul 21, 2019 19:07
|
|
|
i can't imagine any significant number of people actually ever downloaded the compromised old versions
|
|
#
?
Jul 22, 2019 05:35
|
|
|
Plorkyeran posted:i can't imagine any significant number of people actually ever downloaded a forked version of firefox 38
|
|
#
?
Jul 22, 2019 10:24
|
|
|
according to wikipedia (i had to look it up, never heard of it) there are two separate forks of this firefox fork that make it run on windows xp. starting in 2017  I think it is a given that people who use this browser make bad decisions and love using obsolete software
|
|
#
?
Jul 22, 2019 10:34
|
|
|
Soricidus posted:I think it is a given that people who use this browser make bad decisions and love using obsolete software wonder how many yosposters use it
|
|
#
?
Jul 22, 2019 12:22
|
|
|
fairly certain every dev and user of the “pale moon” browser is on a fbi raid list. they probably installed the malware
|
|
#
?
Jul 22, 2019 12:24
|
|
|
James Baud posted:Someone at Microsoft just published something or other last week about password authentication in Azure and declared that their hashes were all stored as thousand-round SHA256. ntlm is "good enough" despite md4, the real killer are the amount of places you can intercept a LM hash. Those were still on by default up until 2008 on disk and were being generated in-memory up through one of the most recent Win10 builds, the latter problem you cannot fix with a GPO
|
|
#
?
Jul 22, 2019 14:07
|
|
|
BangersInMyKnickers posted:ntlm is "good enough" despite md4, the real killer are the amount of places you can intercept a LM hash. Those were still on by default up until 2008 on disk and were being generated in-memory up through one of the most recent Win10 builds, the latter problem you cannot fix with a GPO I'm the evil sec admin that forces 15 character passwords
|
|
#
?
Jul 22, 2019 15:27
|
|
|
ewiley posted:I'm the evil sec admin that forces 15 character passwords You can do password requirement targeting for specific groups now. You should absolutely be doing this for DA credentials, but if you do it globally you are a dick. It also drives up the pain point of people using DA creds for everything when they should be running a non-admin account for normal stuff
|
|
#
?
Jul 22, 2019 15:30
|
|
|
I paid my stupid isc dues, have the invoice, they're claiming I didn't pay and now want 50% more, though they are gracefully waving the $600 reinstatement fee. If you try to use their phone tree for support, the "press 2 for billing inquiries" does absolutely nothing and disconnects your call. loving clown show.
|
|
#
?
Jul 22, 2019 15:41
|
|
|
ewiley posted:I'm the evil sec admin that forces 15 character passwords why not just eight characters but you have to change it every two weeks?
|
|
#
?
Jul 22, 2019 15:47
|
|
|
i enforce 32 character minimum passwords on all our poo poo and everyone hates it but gently caress 'em
|
|
#
?
Jul 22, 2019 15:50
|
|
|
Boiled Water posted:why not just eight characters but you have to change it every two weeks? 15+ characters means it won't be converted to weak LM hashes anywhere, because LM splits the password into two 7 char blocks and hashes each piece individually
|
|
#
?
Jul 22, 2019 15:50
|
|
|
passwordpasswordpasswordpassword
|
|
#
?
Jul 22, 2019 15:52
|
|
|
CRIP EATIN BREAD posted:i enforce 32 character minimum passwords on all our poo poo and everyone hates it but gently caress 'em I guess your peers haven't learned about password managers by TYOOL 2019
|
|
#
?
Jul 22, 2019 16:07
|
|
|
how do you use a password manager to log in to your desktop?
|
|
#
?
Jul 22, 2019 16:10
|
|
|
Potato Salad posted:I guess your peers haven't learned about password managers by TYOOL 2019 oh we enforce it (we have 1password teams subscription) but still they get frustrated for whatever reason.
|
|
#
?
Jul 22, 2019 16:13
|
|
|
Potato Salad posted:I guess your peers haven't learned about password managers by TYOOL 2019 "lol storing all my passwords in one place to get breached" k look here you poo poo, I'm in your office because you phoned a tech support number you saw in a popup, if I had my way you wouldn't have a computer at all
|
|
#
?
Jul 22, 2019 16:14
|
|
|
our company is small enough that poo poo like that doesn't happen. everyone is afraid of the horrible berating they would take from me if there's even the slightest hint of a security issue.
|
|
#
?
Jul 22, 2019 16:20
|
|
|
CRIP EATIN BREAD posted:our company is small enough that poo poo like that doesn't happen. everyone is afraid of the horrible berating they would take from me if there's even the slightest hint of a security issue. hmm yes, making everyone afraid of being caught making a mistake sounds great for security
|
|
#
?
Jul 22, 2019 16:23
|
|
|
yeah, you gotta be the cool dad/mom security person just sit 'em down and make sure they know they can come to you with anything, no matter what, you know?
|
|
#
?
Jul 22, 2019 16:25
|
|
|
I usually take that approach but the guy who tried to open horse_fucks_girl.exe on the lunchroom computer can go straight to hell
|
|
#
?
Jul 22, 2019 16:34
|
|
|
infernal machines posted:how do you use a password manager to log in to your desktop?
|
|
#
?
Jul 22, 2019 16:34
|
|
|
infernal machines posted:yeah, you gotta be the cool dad/mom security person you need a chill-sec person and a security kraken. follow the chill-sec advice and you won’t attract the worm
|
|
#
?
Jul 22, 2019 16:44
|
|
|
BangersInMyKnickers posted:I usually take that approach but the guy who tried to open horse_fucks_girl.exe on the lunchroom computer can go straight to hell to be honest that sounds like more of an hr issue at that point
|
|
#
?
Jul 22, 2019 16:50
|
|
|
we have no HR dept at my company.
|
|
#
?
Jul 22, 2019 16:51
|
|
|
infernal machines posted:to be honest that sounds like more of an hr issue at that point lol yeah I refused to confront him. they were anonymous login thin clients so I learned his jackin pattern (10:30-11am) and watched the logs for some gross poo poo coming in and called the hr lady to make her deal with it
|
|
#
?
Jul 22, 2019 16:51
|
|
|
CRIP EATIN BREAD posted:we have no HR dept at my company. if you don’t have an HR dept, the CEO is the HR dept
|
|
#
?
Jul 22, 2019 16:52
|
|
|
Subjunctive posted:if you don’t have an HR dept, the CEO is the HR dept we have no hr department and 3000 employees
|
|
#
?
Jul 22, 2019 17:23
|
|
|
it's nice to make friends but it's not mandatory so follow the rules please Also attend my briefings, they're good (and mandatory) flakeloaf fucked around with this message at 14:58 on Apr 15, 2020 |
|
#
?
Jul 22, 2019 17:26
|
|
|
|
| # ? Apr 19, 2024 07:00 |
|
|
infernal machines posted:yeah, you gotta be the cool dad/mom security person can I turn my chair around when we 'get real'?
|
|
#
?
Jul 22, 2019 19:04
|
|
