Winkle-Daddy
Mar 10, 2007

AARP LARPer posted:

Hi everyone. A few years ago I asked you kind souls for book recommendations about cryptography and a very wise person suggested The Code Book by Simon Singh which rocked and I'm very grateful. There's something about the way that the book was written that really held my interest in a way that few books have. It's weird.

My question: Is there a book written in a similar style/tone about the history of cyberwarfare, or a sort of overview Nation/State activities in the space? Sorry if I'm dropping this in the wrong place and killing the vibe.

I don't know anything about the book you mentioned, unfortunately. But what you're asking for sounds a little bit like @War by Shane Harris. I read it when it first came out and found it to be a really good overview of where we are in terms of a holistic view of "cyber" through the lens of the Military. It was written a little better than most things in this space.


klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
Fortinet took three weeks to respond to a vulnerability report and a year and a half to fix it. Security in infosec must be unprofitable

Pile Of Garbage
May 28, 2007




better link: https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/

it's worth mentioning that fortiguard comms use HTTPS by default since maybe fortios v4.0 MR2 (~2010, latest fortios is v6.2) so you'd only be vulnerable if you went out of your way to disable TLS (which i'm not even sure you can do). that said fortinet should junk their non-TLS endpoints entirely

edit: ok now that i'm back home i've been able to check on my FGT-60E running fortios v6.2.2 and there are two protocol options available: HTTPS and UDP

pre:
DARKSTAR1-FG60E-POE # config system fortiguard

DARKSTAR1-FG60E-POE (fortiguard) # set protocol ?
udp      UDP for server communication (for use by FortiGuard or FortiManager).
https    HTTPS for server communication (for use by FortiGuard or FortiManager).

HTTPS is the default and obviously there's no TLS with UDP. this means it's less of a HTTPS vs HTTP thing and more a HTTPS vs UDP thing. with this in mind i can see situations where people would configure UDP for fortiguard to maybe get higher throughput?

Pile Of Garbage fucked around with this message at 10:42 on Nov 26, 2019
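An audit script for the setting discussed above, added here as an example and not code from the thread or from Fortinet. It assumes the usual FortiOS CLI dump layout (`config <stanza>` ... `set <key> <value>` ... `end`), the `set protocol udp|https` option shown in the post, and a `config system central-management` stanza with `set type fortimanager` / `set fmg` for the on-prem FortiManager case raised later in the thread. The config text is constructed, not a real device dump.

```python
"""Flag FortiGuard transport set to UDP (no TLS) in a FortiOS config dump.

Added example, not from the thread. Assumes the standard top-level
"config ... end" stanza layout; nested stanzas are not needed here.
"""
from typing import Dict, List

# Constructed sample dump (hostnames and addresses are made up).
SAMPLE_CONFIG = """\
config system global
    set hostname "FG60E-LAB"
end
config system fortiguard
    set protocol udp
    set service-account-id ""
end
config system central-management
    set type fortimanager
    set fmg "10.0.0.5"
end
"""


def parse_stanzas(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {key: value}} for top-level 'config ... end' blocks."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            current = stripped[len("config "):]
            stanzas[current] = {}
        elif stripped == "end":
            current = None
        elif current is not None and stripped.startswith("set "):
            key, _, value = stripped[len("set "):].partition(" ")
            stanzas[current][key] = value.strip().strip('"')
    return stanzas


def audit_fortiguard(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    stanzas = parse_stanzas(config_text)
    fg = stanzas.get("system fortiguard", {})
    # The post notes HTTPS is the default, so an absent key is treated as https.
    protocol = fg.get("protocol", "https")
    if protocol == "udp":
        findings.append(
            "system fortiguard: protocol is udp (no TLS); change to 'set protocol https'"
        )
        cm = stanzas.get("system central-management", {})
        if cm.get("type") == "fortimanager" and cm.get("fmg"):
            # Weakly protected update traffic then crosses the LAN to the FortiManager.
            findings.append(
                f"system central-management: updates pulled from on-prem FortiManager "
                f"{cm['fmg']} over UDP"
            )
    return findings


if __name__ == "__main__":
    for f in audit_fortiguard(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run it against `show full-configuration` output saved to a file; the only key the check really depends on is `protocol`, so a dump that omits the stanza entirely is treated as the HTTPS default.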

EssOEss
Oct 23, 2006
128-bit approved
1.5 years timeline? what irresponsible disclosure by those researchers.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Pile Of Garbage posted:

better link: https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/

it's worth mentioning that fortiguard comms use HTTPS by default since maybe fortios v4.0 MR2 (~2010, latest fortios is v6.2) so you'd only be vulnerable if you went out of your way to disable TLS (which i'm not even sure you can do). that said fortinet should junk their non-TLS endpoints entirely

edit: ok now that i'm back home i've been able to check on my FGT-60E running fortios v6.2.2 and there are two protocol options available: HTTPS and UDP

pre:
DARKSTAR1-FG60E-POE # config system fortiguard

DARKSTAR1-FG60E-POE (fortiguard) # set protocol ?
udp      UDP for server communication (for use by FortiGuard or FortiManager).
https    HTTPS for server communication (for use by FortiGuard or FortiManager).

HTTPS is the default and obviously there's no TLS with UDP. this means it's less of a HTTPS vs HTTP thing and more a HTTPS vs UDP thing. with this in mind i can see situations where people would configure UDP for fortiguard to maybe get higher throughput?

They should have been able to implement UDP over DTLS, that standard is as old as TLS 1.2.

Pile Of Garbage
May 28, 2007



BangersInMyKnickers posted:

They should have been able to implement UDP over DTLS, that standard is as old as TLS 1.2.

true. they support UDP over DTLS for their SSL VPN implementation but that appears to be it. also i've just realised the vuln is worse for environments with on-prem fortimanager appliances installed and downstream fortigate firewalls connecting via UDP. in that configuration the shittily encrypted traffic is going over LAN :rip:

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
does anyone know if there's anywhere I could look up a breakdown of how many people self-host their e-mail servers vs. how many people use third-party providers (e.g.: Google, Microsoft, etc.)?

Doesn't need to be some peer-reviewed study or anything like that, just something I can throw as a reference on a small writeup I'm doing.

I've tried Googling but I keep finding breakdowns on the marketshare of the different providers, but none seem to include how many self-host.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Ur Getting Fatter posted:

does anyone know if there's anywhere I could look up a breakdown of how many people self-host their e-mail servers vs. how many people use third-party providers (e.g.: Google, Microsoft, etc.)?

Doesn't need to be some peer-reviewed study or anything like that, just something I can throw as a reference on a small writeup I'm doing.

I've tried Googling but I keep finding breakdowns on the marketshare of the different providers, but none seem to include how many self-host.

Are you asking about businesses running their own exchange servers, or home user turbo nerds?

mystes
May 31, 2006

Ur Getting Fatter posted:

does anyone know if there's anywhere I could look up a breakdown of how many people self-host their e-mail servers vs. how many people use third-party providers (e.g.: Google, Microsoft, etc.)?

Doesn't need to be some peer-reviewed study or anything like that, just something I can throw as a reference on a small writeup I'm doing.

I've tried Googling but I keep finding breakdowns on the marketshare of the different providers, but none seem to include how many self-host.
You can get information on people using third-party providers using the -fdns_mx.json.gz file here: https://opendata.rapid7.com/sonar.fdns_v2/ but I guess you would also need to know how many other domains have mx records or something like that (I'm not sure how meaningful that would even be).

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
idk how much fuzz it adds to the data but we have a bunch of clients running through an mx queuing/hosted spam filter that then are split between o365 and self hosted mail systems, so you wouldn't see any difference there just by looking at the mx
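A sketch of the MX-based classification mystes suggests, with a bucket for the hosted spam-filter fronts infernal machines mentions. This is an added example, not code from either poster or from Rapid7; it assumes the FDNS export is one JSON object per line with `name`, `type` and `value` keys and that an MX `value` reads `"<priority> <host>"`. The sample lines and domains are constructed; the provider MX suffixes are the publicly documented ones for Google and Microsoft plus the MessageLabs name the thread brings up.

```python
"""Classify domains by MX target: known provider, filter front, self-hosted, other.

Added example, not from the thread. Input shape is assumed from the
Rapid7 FDNS JSON-lines export; sample records below are constructed.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample in the assumed FDNS line format (not real data).
SAMPLE_LINES = [
    '{"timestamp":"1574899200","name":"alpha.example","type":"mx","value":"10 aspmx.l.google.com"}',
    '{"timestamp":"1574899200","name":"alpha.example","type":"mx","value":"20 alt1.aspmx.l.google.com"}',
    '{"timestamp":"1574899200","name":"beta.example","type":"mx","value":"0 beta-example.mail.protection.outlook.com"}',
    '{"timestamp":"1574899200","name":"gamma.example","type":"mx","value":"10 mail.gamma.example"}',
    '{"timestamp":"1574899200","name":"delta.example","type":"mx","value":"10 cluster1.eu.messagelabs.com"}',
    '{"timestamp":"1574899200","name":"epsilon.example","type":"mx","value":"10 mx.relay.example"}',
    '{"timestamp":"1574899200","name":"epsilon.example","type":"a","value":"192.0.2.10"}',
]

# MX host suffixes that identify a hosting provider or a filtering front.
# "filter_front" domains cannot be resolved further from MX alone: behind
# the filter the mailboxes may be O365 or self-hosted (infernal machines' point).
PROVIDER_SUFFIXES = {
    "google": ("aspmx.l.google.com", "googlemail.com"),
    "microsoft": ("mail.protection.outlook.com",),
    "filter_front": ("messagelabs.com",),
}


def _matches(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def classify_mx(domain: str, mx_hosts: List[str]) -> str:
    """Label one domain from its MX target hosts."""
    for host in mx_hosts:
        for label, suffixes in PROVIDER_SUFFIXES.items():
            if any(_matches(host, s) for s in suffixes):
                return label
    # Every MX host inside the domain itself: treat as self-hosted.
    if mx_hosts and all(_matches(h, domain) for h in mx_hosts):
        return "self_hosted"
    return "unknown_third_party"


def mx_by_domain(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group lowercase MX target hosts by domain, skipping non-MX records."""
    grouped: Dict[str, List[str]] = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("type") != "mx":
            continue
        host = rec["value"].split()[-1].rstrip(".").lower()
        grouped.setdefault(rec["name"].lower(), []).append(host)
    return grouped


def summarize(lines: Iterable[str]) -> Counter:
    """Count domains per classification label."""
    return Counter(classify_mx(d, hosts) for d, hosts in mx_by_domain(lines).items())


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{label:20s} {count}")
```

On the real export you would stream the gzipped file line by line rather than load it; the "unknown_third_party" and "filter_front" buckets are where the thread's caveats live, since neither MX pattern tells you who actually runs the mailboxes.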

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer

Volmarias posted:

Are you asking about businesses running their own exchange servers, or home user turbo nerds?

Either, really. I'm more interested in essentially how many people have full control over their email implementation vs. people that depend almost entirely on the provider's implementation.

I understand there's a million asterisks to this question but I figured "self-hosted" vs. "uses a third party service" was probably the most basic distinction I could use.

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

i wonder if the number of home users who run their own mail server and domain would even show up in a poll hahaha. that has to be a tiny fraction of a fraction

taqueso
Mar 8, 2004


:911:
:wookie: :thermidor: :wookie:
:dehumanize:

:pirate::hf::tinfoil:

The number is probably lower than in 2000 despite a huge increase in internet users.

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
i know that until like, 5 years ago, the small office I used to work for was running a Squirrel Mail webmail on a self-hosted IMAP server that someone's nephew had configured who knows when. Eventually they got blocked from most MX lists and switched to G Suite like normal people

Methanar
Sep 26, 2013

by the sex ghost
There is zero reason in the year 2019 to be hosting your own email.

Email has been a solved problem for over 10 years now.

Solved meaning only use email for your okta ID and things like PR notifications and not actually for communication.

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


i think the only reason left is avoiding government sunshine laws

klafbang
Nov 18, 2009
Clapping Larry

Methanar posted:

There is zero reason in the year 2019 to be hosting your own email.

Email has been a solved problem for over 10 years now.

Solved meaning only use email for your okta ID and things like PR notifications and not actually for communication.

You are very wrong. Sure, you should probably not host your mail on a Raspberry Pi in a closet or whatever, but there are very good reasons not to go with the classical big cloud email providers.

Especially American companies are very problematic especially for European government or government-like institutions. Using Google, O365, or even running your "own" mail server at Amazon or Microsoft is in some cases not an option due to the CLOUD act.

I've a customer like that with strict EU-only, preferably same-country policies for data. They just switched from O365 to a local shop. They have a strong bias against non-open software, especially if it is US or even UK-based. We do not host vital data for them, but they do deal with very sensitive health data, which they host in-house.

The CLOUD act means there's more reason to host your own e-mail than anytime since O365 and Gmail matured.

E: doesn't apply if you're US-based, of course. Then you're pretty much hosed either way and might as well go with O365 like everybody else.

klafbang fucked around with this message at 23:48 on Nov 29, 2019

animist
Aug 28, 2018
"Surveillance Valley: the Secret Military History of the Internet" by Yasha Levine is another very good book, although it's more about the internet itself as a geopolitical tool, rather than cyber warfare specifically

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

klafbang posted:

You are very wrong. Sure, you should probably not host your mail on a Raspberry Pi in a closet or whatever, but there are very good reasons not to go with the classical big cloud email providers.

Especially American companies are very problematic especially for European government or government-like institutions. Using Google, O365, or even running your "own" mail server at Amazon or Microsoft is in some cases not an option due to the CLOUD act.

I've a customer like that with strict EU-only, preferably same-country policies for data. They just switched from O365 to a local shop. They have a strong bias against non-open software, especially if it is US or even UK-based. We do not host vital data for them, but they do deal with very sensitive health data, which they host in-house.

The CLOUD act means there's more reason to host your own e-mail than anytime since O365 and Gmail matured.

E: doesn't apply if you're US-based, of course. Then you're pretty much hosed either way and might as well go with O365 like everybody else.

i've only recently been able to use o365 for a couple customers because they cannot use cloud providers that store data outside of canada. it's very much a thing and the home grown canadian solutions have until now been worse than rolling your own exchange solution

Progressive JPEG
Feb 19, 2003

there’s dozens of email companies whose entire selling point is “in your country and not US based”, so even that’s commoditized at this point

sorta regretting paying for several years of fastmail in advance but I guess I don’t really care if aussies are reading my mail in the meantime

Pile Of Garbage
May 28, 2007



infernal machines posted:

idk how much fuzz it adds to the data but we have a bunch of clients running through an mx queuing/hosted spam filter that then are split between o365 and self hosted mail systems, so you wouldn't see any difference there just by looking at the mx

there's also exchange hybrid environments which have centralised transport enabled. in that setup all mail for your domains is routed to your on-premises exchange servers which then deliver to on-prem or o365 mailboxes via the hybrid transport. the last environment i worked on was like that plus what you describe so mail would go to whatever symantec are calling messagelabs -> on-prem exchange -> exchange online lol

edit: not really related but kind of idk. last i checked AWS SES is only able to receive e-mail when deployed in US East which is bizarre. anyone know why?

Pile Of Garbage fucked around with this message at 07:47 on Nov 30, 2019

abigserve
Sep 13, 2009

this is a better avatar than what I had before

klafbang posted:


I've a customer like that with strict EU-only, preferable same country policies for data. They just switched from O365 to a local shop. They have a strong bias against non-open software, especially if it is US or even UK-based. We do not host vital data for them, but they do deal with very sensitive health data, that they host in-house.


fuckin lol I can practically picture these people

abigserve
Sep 13, 2009

this is a better avatar than what I had before
we only use open source here, we don't trust microsoft or amazon with our data. instead, we entrust it to our systems team, composed of Phil, Phils offsider (I forget his name) and Drew from the windows team who helps out with domain stuff.

klafbang
Nov 18, 2009
Clapping Larry

abigserve posted:

fuckin lol I can practically picture these people

You’re imagining them wrong. There’s a legitimate concern. US companies are severely tainted by CLOUD. CLOUD means that if your hoster is US owned, US government can get to your data, regardless of where it is hosted. That is a no-go for data concerning national security. Health data is close enough to that (and this data involves PII + diagnoses for a lot of people so it’s super sensitive).

The concern for closed US/UK software has to do with practicality (Trump is very trade war happy and Boris is very stupid, so what if we get locked out of using business critical software), and a bit paranoia (are there backdoors in the applications?).

It’s a balance between self hosting, hosting at more or less professional locals, and hosting at the big but very professional providers. And cost is also a factor. As mentioned by Progressive JPEG, there are local providers but they need to be as good and cheap as the big ones. They are typically small enough I classify them as “hosting yourself,” but that is of course not technically true.

Europe has a problem in that we don’t have good, cheap local cloud providers. A US company would never use Yandex or Alibaba cloud for sensitive data as there are alternatives, but EU companies and even governments have the choice between giving data to US/Russia/China or basically self-hosting. It’s not great.

Progressive JPEG
Feb 19, 2003

EU government should run their own data centers and sell capacity to entities (companies, individuals, local govt, whatever) in member countries

can spin it out into a government owned enterprise or whatever but it’d effectively be public infrastructure

and can have the Romanians build it :coolspot:

cinci zoo sniper
Mar 15, 2013




Progressive JPEG posted:

EU government should run their own data centers and sell capacity to entities (companies, individuals, local govt, whatever) in member countries

can spin it out into a government owned enterprise or whatever but it’d effectively be public infrastructure

and can have the Romanians build it :coolspot:

maybe not romanians, please? i worked for a really large european company doing online business, and we had more fraud issues in romania than in russia, mexico, or any other country with prominent corruption passes handed down by the government

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

cinci zoo sniper posted:

maybe not romanians, please? i worked for a really large european company doing online business, and we had more fraud issues in romania than in russia, mexico, or any other country with prominent corruption passes handed down by the government

:thejoke:

cinci zoo sniper
Mar 15, 2013





d’oh :eng99:

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


not sure I can adequately imagine how big a clusterfuck an EU gov run hosting service would be, like don't get me wrong, the EU is generally good but imagine combining rabid internal protectionism and grinding bureaucracy together on the cloud


it'd be like "your data is only available in German 30 hours a week and the whole system is offline for all of August"

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

I’d say most European agencies are pretty on the spot. the food agency and space peeps seem to be very competent

the last thing I’d want is a startup cloud provider

cinci zoo sniper
Mar 15, 2013




having had immediate experience with european space agency, i have to say that while the bureaucracy taking place is often gargantuan (primary point of comparison - nasa), everything works in order and as intended, with redundant redundancy mechanisms and audit trails to the level of who microwaved a fish in kitchen 4a in poland on last wednesday at 3:12am

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
there's always some motherfucker trying to microwave a fish

Bulgakov
Mar 8, 2009


рукописи не горят

cinci zoo sniper posted:

having had immediate experience with european space agency, i have to say that while the bureaucracy taking place is often gargantuan (primary point of comparison - nasa), everything works in order and as intended, with redundant redundancy mechanisms and audit trails to the level of who microwaved a fish in kitchen 4a in poland on last wednesday at 3:12am

was it you that worked around arecibo for a bit? im getting old and forgetting my yospos story lines

if so that was cool

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


infernal machines posted:

there's always some motherfucker trying to microwave a fish

too true

cinci zoo sniper
Mar 15, 2013




Bulgakov posted:

was it you that worked around arecibo for a bit? im getting old and forgetting my yospos story lines

if so that was cool

yep, that was me. my primary supervisor/advisor for that study project was a senior engineering manager/project lead at esa

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

infernal machines posted:

there's always some motherfucker trying to microwave a fish

Bulgakov
Mar 8, 2009


рукописи не горят


placing my last week’s fish dish at the focal point of a crater sized antenna dish so that a buncha outer space radio waves might eventually heat it up within the next billion years :pray:

Soricidus
Oct 21, 2010
freedom-hating statist shill

Pile Of Garbage posted:

edit: not really related but kind of idk. last i checked AWS SES is only able to receive e-mail when deployed in US East which is bizarre. anyone know why?

email has to go via fort meade

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

infernal machines posted:

there's always some motherfucker trying to microwave a fish

Fish Microwaver would be a good username


cinci zoo sniper
Mar 15, 2013




Lutha Mahtin posted:

Phish Microwaver would be a good username
