CommieGIR posted: We looked at Defender, we like it, but yeah pricing was kinda sharply steep considering they're just entering the market.

We're corporate enough these days that I had to lean heavily on gartner bullshit for vendor justifications since there are so many offerings out there, but CrowdStrike is up there along with Sophos, Trend, and Eset. Wouldn't mind kicking the tires on carbon black but I doubt I will have enough time unless they want to sweep in with a really competitive bid.

Nov 18, 2019 17:53

BangersInMyKnickers posted: lol 3des isn't broken it's just slow as hell today, the problem is going to be in the non-ephemeral rsa key exchange

EDIT: And again, according to NIST, 3DES has an effective key length of 80, which is no longer considered secure - which is similar to how SHA1 is no longer considered secure because its effective key length is also below 80.

BlankSystemDaemon fucked around with this message at 18:21 on Nov 18, 2019

Nov 18, 2019 18:15

No, that's 2DES which was fundamentally broken from day one because you could attack it from both the plaintext and ciphertext ends as those rounds used the same key. It was a terrible idea and it was almost never used, the world jumped from DES to 3DES. 3DES has an effective key strength of 112-bit and in practical terms is just as strong as AES-128

quote: Federal applications shall only use three distinct keys whenever using TDEA for applying cryptographic protection after December 31, 2015; see Table 2 in Section 5.6.1 and [SP800-131A] for further guidance.

Still permitted until 2030

BangersInMyKnickers fucked around with this message at 19:08 on Nov 18, 2019

Nov 18, 2019 19:04

2DES is only as strong as single DES, and 3DES is as strong as 2DES, if it weren't broken. Meet-in-the-middle attack y'all.

Nov 18, 2019 19:11

BangersInMyKnickers posted: No, that's 2DES which was fundamentally broken from day one because you could attack it from both the plaintext and ciphertext ends as those rounds used the same key. It was a terrible idea and it was almost never used, the world jumped from DES to 3DES. 3DES has an effective key strength of 112-bit and in practical terms is just as strong as AES-128

It's also 3DES with key 1 = key 3, the most common configuration. Here, the actual key size is 112 bits, but you can do the same meet in the middle attack as in 2DES, reducing the effective key size to 80 bits. With 3 keys, you have 3 * 56 bits, but again meet in the middle brings you down to 112 bits. The difference between 112 and 128 bits is a factor of 65536, or just enough to protect you short term on a nearly broken cipher (assuming DES takes the same time as AES, which I am fairly certain isn't the case).

Nov 18, 2019 19:14

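The meet-in-the-middle argument made in the two posts above, worked through as an added example that is not part of the thread: double encryption with a constructed 16-bit toy cipher (not DES) is recovered with roughly 2 * 2^16 work and a 2^16-entry table instead of the 2^32 trials a naive brute force over both keys would need, which is why 2DES adds only about one bit over single DES. The cipher, its key schedule, the key values and the sample plaintexts are all constructed here.

```python
# Added example, not from the thread: meet-in-the-middle against double encryption
# with a tiny constructed toy cipher (16-bit block and key; NOT DES).  Brute force
# over both keys costs 2^32 trials; the attack costs ~2 * 2^16 plus a 2^16 table.
MASK = 0xFFFF

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK

def round_keys(k):
    # Toy key schedule: rotate the key and mix in a round constant.
    return [rotl(k, 3 * i) ^ ((0x9E37 * (i + 1)) & MASK) for i in range(3)]

def toy_enc(k, m):
    for rk in round_keys(k):
        m = rotl((m + rk) & MASK, 5) ^ rk
    return m

def toy_dec(k, c):
    for rk in reversed(round_keys(k)):
        c = (rotr(c ^ rk, 5) - rk) & MASK
    return c

def double_enc(k1, k2, m):
    return toy_enc(k2, toy_enc(k1, m))       # the "2DES" construction E_k2(E_k1(m))

def recover_keys(pairs):
    """Tabulate E_k1(m0) for every k1, then for every k2 look up D_k2(c0).
    Each hit is a candidate (k1, k2); the remaining known pairs confirm it."""
    (m0, c0), *rest = pairs
    middle = {}
    for k1 in range(1 << 16):                # forward half: 2^16 encryptions
        middle.setdefault(toy_enc(k1, m0), []).append(k1)
    found = []
    for k2 in range(1 << 16):                # backward half: 2^16 decryptions
        for k1 in middle.get(toy_dec(k2, c0), ()):
            if all(double_enc(k1, k2, m) == c for m, c in rest):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    K1, K2 = 0xBEEF, 0x1337                  # constructed secret keys to recover
    plaintexts = [0x0001, 0x4242, 0xABCD]    # constructed known plaintexts
    pairs = [(m, double_enc(K1, K2, m)) for m in plaintexts]
    print(recover_keys(pairs))               # the true pair (48879, 4919) is in the list
```

The same table-and-lookup shape is what brings two-key 3DES (k1 = k3) and three-key 3DES down to the figures quoted in the post; only the sizes of the two halves change.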
BangersInMyKnickers posted: No, that's 2DES which was fundamentally broken from day one because you could attack it from both the plaintext and ciphertext ends as those rounds used the same key. It was a terrible idea and it was almost never used, the world jumped from DES to 3DES. 3DES has an effective key strength of 112-bit and in practical terms is just as strong as AES-128

What about this section?

Nov 18, 2019 19:21

Yeah, you can't stand up a new application that encrypts with 3des after 2023 and you have until 2030 for existing stuff to spin it down and move it to AES or whatever is newer. And you wouldn't want to since it's slow as poo poo compared to any AES option because every processor supports aes-ni now.

Nov 18, 2019 19:25

seems like it's been a bad day for offshore banking
https://twitter.com/UR_Ninja/status/1195947063990771715
from what I can tell this is part Panama papers, part massive theft

Nov 18, 2019 19:55

Heavy_D posted: seems like it's been a bad day for offshore banking

You left out the best part

Nov 18, 2019 20:02

it’s not the Panama Papers until some reporters get murdered.

Nov 18, 2019 20:22

I do think another encryption mechanism that's not even remotely related to Rijndael but able to be accelerated in hardware like it would be a good idea.

Nov 18, 2019 20:26

Heavy_D posted: seems like it's been a bad day for offshore banking

Ahaha they used psr.exe to capture screenshots/keystrokes, that's brilliant. I love these writeups of J Random Hacker that are just like 'yeah I used metasploit and some googling' but it's fun gems like this that I appreciate.

Nov 18, 2019 20:26

stay strong, gay skeleton hacker

Nov 18, 2019 20:28

any folks here have a good link or something for a college student asking "maybe i want a career in security?" (other than "no dont", "buy a million alcohol", "you will want to die", etc) i have a lot of deep dive stuff on specific topics, but all the high level stuff i turn up is from poo poo like "mynewcodingcareer.biz"

Nov 18, 2019 21:45

Stabby McDamage posted: any folks here have a good link or something for a college student asking "maybe i want a career in security?" (other than "no dont", "buy a million alcohol", "you will want to die", etc)

I don't think you want to start in security. You start doing some other type of software or IT work, and end up in security.

Nov 18, 2019 21:48

Twerk from Home posted: I don't think you want to start in security. You start doing some other type of software or IT work, and end up in security.

Nov 18, 2019 21:54

Twerk from Home posted: I don't think you want to start in security. You start doing some other type of software or IT work, and end up in security.

Nov 18, 2019 22:16

Fundamentally security is not something you bolt on, it has to be integral to whatever system is in question.

Nov 18, 2019 22:17

Twerk from Home posted: I don't think you want to start in security. You start doing some other type of software or IT work, and end up in security.

that is how i started, but, personal opinion: getting people with non standard backgrounds into security is useful and productive for those of us already in security. all else being equal i'd rather hire someone who has a good security mindset ("doing things that way seems dangerous, here's why i think that!", or "what happens if someone puts something you don't expect here?", etc) vs someone who has 5 years of experience writing ansible playbooks or lovely flask apps or whatever.

Stabby McDamage posted: any folks here have a good link or something for a college student asking "maybe i want a career in security?" (other than "no dont", "buy a million alcohol", "you will want to die", etc)

to answer this question: yes i gotcha. https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/ ^^ this woman is rad. there's a bunch of good stuff all over her blog, but if you just want the "what is each job role kinda like give me more context" then you want the next post in the series: https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/

Jowj fucked around with this message at 22:27 on Nov 18, 2019

Nov 18, 2019 22:21

An almost more important question is how does that student want to spend their day to day life on the job. Lots of ways to “be in security” from academia to dev to consulting to just doing math all day. But if you know you don’t want to code all day or that you value in person group work, that is really helpful when trying to find a career path that works for you.

Nov 18, 2019 23:05

Stabby McDamage posted: any folks here have a good link or something for a college student asking "maybe i want a career in security?" (other than "no dont", "buy a million alcohol", "you will want to die", etc)

My dude, have you heard of Bitcoin?

Nov 18, 2019 23:11

Jowj posted: that is how i started, but, personal opinion:

Thanks, that's absolutely perfect!

Trabisnikof posted: An almost more important question is how does that student want to spend their day to day life on the job. Lots of ways to “be in security” from academia to dev to consulting to just doing math all day. But if you know you don’t want to code all day or that you value in person group work, that is really helpful when trying to find a career path that works for you.

For context, I work with a lot of masters students with very little conception of what a computing career can be beyond "do software". They all want to work at Facebook/Apple/Google/Amazon/etc with a vague notion of programming, and if you ask what sort of programming, they just say "backend" or "frontend" (not realizing that they're just referring to web and not the rest of all of computing). I'm trying to get them to see that computing is actually broad and diverse and that most jobs you'd want are ones you've never heard of yet. As one part of this, I'm trying to introduce students to a variety of different areas, one of which is security, but it was difficult, because security has a larger-than-average shrieking buzzword mill surrounding it, which makes finding good introduction stuff hard. Incidentally, I also teach intro security, and this thread is the best thing ever for that. If YOSPOS ever goes away, getting a constant stream of secfucks to jam into my course is going to become actual work. Like, every year I tell students that Symantec is trash, and every year there's a new insane vulnerability posted here within a week or two of me saying that that reinforces my point.

Nov 18, 2019 23:35

Edit: Wasn't on the last page
klosterdev fucked around with this message at 03:42 on Nov 19, 2019

Nov 19, 2019 03:32

Nov 19, 2019 04:53

strong candidate for new sa emote

Nov 19, 2019 05:10

Nov 19, 2019 05:26

Nov 19, 2019 06:02

I got into security nearly accidentally, I was a huge tinkerer and loved breaking and fixing things, but I started in IT as a Unix guy, and then got introduced to doing CTF events, then Red Teaming, then Blue Teaming. Only thing I'd say is it helps to know a little about each part of IT to see the big picture of infrastructure and how security and its controls fit into it. I just came back from coaching Red Teams at a DOE event. We had a ton of fun.

Nov 19, 2019 06:07

Nov 19, 2019 06:52

thanks for the crop, now it's a gang tag

Nov 19, 2019 07:06

so the wife is currently evaluating some third-party service for where she works. her login wasn't working so they reset her password and told her that it was probably because she had a space in her previous password. after replying with a polite version of "wait what" they said "oh no you see it's okay because we encrypt your password before storing it in the database. but of course we can also decrypt that password"

what do spaces get rot13-ed to?

Nov 19, 2019 08:48

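The fix for the setup Sereri describes, as an added example that is not from the thread: store a salted one-way hash (PBKDF2-HMAC-SHA256 from Python's standard library) instead of a reversibly "encrypted" password, so a space, a dash or any other character is just another UTF-8 byte and there is nothing for the vendor to decrypt. The record format and the function names are constructed here, not any product's.

```python
# Added example, not from the thread: salted one-way password storage with PBKDF2
# instead of reversible encryption.  Standard library only; the record format
# "pbkdf2_sha256$iterations$salt$hash" is constructed here, not any product's.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000        # work factor; raise it as hardware gets faster

def hash_password(password, salt=None):
    """Return a self-describing record.  The password is UTF-8 encoded, so a
    space or a dash is just another byte; nothing stored can be decrypted."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password, record):
    """Recompute with the stored salt and work factor, compare in constant time.
    Malformed or foreign records verify as False rather than raising."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest, expected)

def needs_rehash(record):
    """True when a record was made with a lower work factor than ITERATIONS,
    so it should be recomputed at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")    # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("correct-horse-battery-staple", rec))   # False
    print(needs_rehash(rec))                                       # False
```

Because the stored record is a one-way digest, a support desk can only reset a password, never read it back, which is the property the vendor's "we can also decrypt that password" answer shows they lack.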
security fuckup megathread: be gay, do crimes

Achmed Jones posted: thanks for the crop, now it's a gang tag

nice

Nov 19, 2019 09:05

Jowj posted: to answer this question: yes i gotcha.

Nov 19, 2019 10:24

Sereri posted: so the wife is currently evaluating some third-party service for where she works. her login wasn't working so they reset her password and told her that it was probably because she had a space in her previous password. after replying with a polite version of "wait what" they said "oh no you see it's okay because we encrypt your password before storing it in the database. but of course we can also decrypt that password"

A dash? Why would that matter?

Nov 19, 2019 11:12

Powerful Two-Hander posted: security fuckup megathread: be gay, do crimes

this

Nov 19, 2019 13:55

this emote is haraam

Nov 19, 2019 14:21

Sereri posted: so the wife is currently evaluating some third-party service for where she works. her login wasn't working so they reset her password and told her that it was probably because she had a space in her previous password. after replying with a polite version of "wait what" they said "oh no you see it's okay because we encrypt your password before storing it in the database. but of course we can also decrypt that password"

she should suggest that they use rot180 as in rotate 180 degrees and get the gently caress out of here

Nov 19, 2019 14:32

BangersInMyKnickers posted: We're corporate enough these days that I had to lean heavily on gartner bullshit for vendor justifications since there are so many offerings out there, but CrowdStrike is up there along with Sophos, Trend, and Eset. Wouldn't mind kicking the tires on carbon black but I doubt I will have enough time unless they want to sweep in with a really competitive bid.

wait, the company that trump keeps going on about is... an antivirus company? lomarf

Nov 19, 2019 14:35

so the schizophrenic guy from last month is back with 3 new gmail accounts spamming a bunch of people with his pdf "book" that he appended another 400 pages to. great poo poo, love to deal with it

Nov 19, 2019 14:43

BangersInMyKnickers posted: so the schizophrenic guy from last month is back with 3 new gmail accounts spamming a bunch of people with his pdf "book" that he appended another 400 pages to. great poo poo, love to deal with it

i have to do a big report and i wish i could do just 10 pages. writing is hard

Nov 19, 2019 15:29