Acer Pilot
Feb 17, 2007
put the 'the' in therapist

:dukedog:


pretty sure they only use generic copyright free music. it'd be great if google acquired the rights to the venga boys' music though.


Pile Of Garbage
May 28, 2007



at work i've been tasked with deploying a certain software asset management solution which involves agents on servers/desktops sending data back to a central inventory service. this data payload is AES encrypted but as we've discovered the key is static and identical for all installs of the software. also on the agent side the encryption happens when the payload is written to disk (yeah idk why) before it is sent. this means by default it leaves around payloads on the system encrypted with a known key.

in their defence they do let you change it but i'm confused why they wouldn't just make generation of the key something that happens by default for new installs (well actually i know why, because then they'd need to roll agent installs with that new key making things "harder" for the customer). for that matter why are they even using symmetric encryption of the payload altogether lol. another solved-problem ruined by dinguses.

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Pile Of Garbage posted:

at work i've been tasked with deploying a certain software asset management solution which involves agents on servers/desktops sending data back to a central inventory service. this data payload is AES encrypted but as we've discovered the key is static and identical for all installs of the software. also on the agent side the encryption happens when the payload is written to disk (yeah idk why) before it is sent. this means by default it leaves around payloads on the system encrypted with a known key.

in their defence they do let you change it but i'm confused why they wouldn't just make generation of the key something that happens by default for new installs (well actually i know why, because then they'd need to roll agent installs with that new key making things "harder" for the customer). for that matter why are they even using symmetric encryption of the payload altogether lol. another solved-problem ruined by dinguses.

Isn't this the same problem as TeamViewer

Pile Of Garbage
May 28, 2007



if TeamViewer's problem was symmetric key re-use then yeah

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Pile Of Garbage posted:

at work i've been tasked with deploying a certain software asset management solution which involves agents on servers/desktops sending data back to a central inventory service. this data payload is AES encrypted but as we've discovered the key is static and identical for all installs of the software. also on the agent side the encryption happens when the payload is written to disk (yeah idk why) before it is sent. this means by default it leaves around payloads on the system encrypted with a known key.

in their defence they do let you change it but i'm confused why they wouldn't just make generation of the key something that happens by default for new installs (well actually i know why, because then they'd need to roll agent installs with that new key making things "harder" for the customer). for that matter why are they even using symmetric encryption of the payload altogether lol. another solved-problem ruined by dinguses.

That sounds like work though, and they're already using industry standard encryption!

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Pile Of Garbage posted:

for that matter why are they even using symmetric encryption of the payload altogether lol.

doesn’t everything use symmetric encryption of the payload, just with ephemeral keys that are themselves encrypted asymmetrically? I wouldn’t think very many things do the expensive DH math on payloads of arbitrary sizes, but I guess computers are fast now...

Pile Of Garbage
May 28, 2007



Subjunctive posted:

doesn’t everything use symmetric encryption of the payload, just with ephemeral keys that are themselves encrypted asymmetrically? I wouldn’t think very many things do the expensive DH math on payloads of arbitrary sizes, but I guess computers are fast now...

in this instance the vendor went out of their way to gently caress poo poo up. the payload is already sent via HTTPS so all they had to do was not write it to disk and they'd be more secure than they are now.

oh also i forgot to mention: there's no auth between client and server. the client just fires payloads to wherever it's told and the server receives them. this is where a proper TLS-DSK or mTLS setup would have been preferable but instead the vendor just decided to encrypt the payload with a static symmetric key.

as i like to say, there's two ways of doing things: the right way and the quick way.

Crime on a Dime
Nov 28, 2006

Pile Of Garbage posted:

in this instance the vendor went out of their way to gently caress poo poo up. the payload is already sent via HTTPS so all they had to do was not write it to disk and they'd be more secure than they are now.

oh also i forgot to mention: there's no auth between client and server. the client just fires payloads to wherever it's told and the server receives them. this is where a proper TLS-DSK or mTLS setup would have been preferable but instead the vendor just decided to encrypt the payload with a static symmetric key.

as i like to say, there's two ways of doing things: the right way and the quick way.

I'm picking the good one

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Pile Of Garbage posted:


as i like to say, there's two ways of doing things: the right way and the more profitable way.

Remember, getting security right still isn't seen as a meaningful value add, since compromises of any kind cause no lasting damage.

Pile Of Garbage
May 28, 2007



Volmarias posted:

Remember, getting security right still isn't seen as a meaningful value add, since compromises of any kind cause no lasting damage.

Word, also as I pointed out earlier:

Pile Of Garbage posted:

in their defence they do let you change it but i'm confused why they wouldn't just make generation of the key something that happens by default for new installs (well actually i know why, because then they'd need to roll agent installs with that new key making things "harder" for the customer).

quick way is cheaper

Shame Boy
Mar 2, 2010

anyone have anything good or bad to say about amazon's private CA service? we need to manage a company CA and have some method to distribute and update certificates to our software running on customer machines/networks automatically and the guy who's in charge of figuring out how asked me about it. all i can tell is that it basically does the same thing as any other SSL API thingy but amazon runs it for you and it costs like $400 a month. i kinda figure the amazon one would be better just because then they have to worry about the server security and if customers ask to audit our security practices we can be like "look we use amazon's thing, i bet they know what they're doing right!!"

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Subjunctive posted:

doesn’t everything use symmetric encryption of the payload, just with ephemeral keys that are themselves encrypted asymmetrically? I wouldn’t think very many things do the expensive DH math on payloads of arbitrary sizes, but I guess computers are fast now...

plus every public key system is so fragile the iPhone designers get jealous, look at an elliptic curve the wrong way and your private key falls out with basic algebra

Pile Of Garbage
May 28, 2007



Shame Boy posted:

anyone have anything good or bad to say about amazon's private CA service? we need to manage a company CA and have some method to distribute and update certificates to our software running on customer machines/networks automatically and the guy who's in charge of figuring out how asked me about it. all i can tell is that it basically does the same thing as any other SSL API thingy but amazon runs it for you and it costs like $400 a month. i kinda figure the amazon one would be better just because then they have to worry about the server security and if customers ask to audit our security practices we can be like "look we use amazon's thing, i bet they know what they're doing right!!"

if you're in a predominantly windows environment then you'll be far better served by a windows CA. harder to do right but really the integration is way better (mainly auto-enrolment and directory CDP).

from what you describe though i'd maybe recommend reading up on PKI and how CAs function first.

Crime on a Dime
Nov 28, 2006

Pile Of Garbage posted:

if you're in a predominantly windows environment then you'll be far better served by a windows CA. harder to do right but really the integration is way better (mainly auto-enrolment and directory CDP).

from what you describe though i'd maybe recommend reading up on PKI and how CAs function first.

Shaggar
Apr 26, 2006

Shame Boy posted:

anyone have anything good or bad to say about amazon's private CA service? we need to manage a company CA and have some method to distribute and update certificates to our software running on customer machines/networks automatically and the guy who's in charge of figuring out how asked me about it. all i can tell is that it basically does the same thing as any other SSL API thingy but amazon runs it for you and it costs like $400 a month. i kinda figure the amazon one would be better just because then they have to worry about the server security and if customers ask to audit our security practices we can be like "look we use amazon's thing, i bet they know what they're doing right!!"

it's probably fine from a CA standpoint but the enrollment and deployment is probably not gonna be as easy as something like Active Directory Certificate Services. altho as mentioned above ad cs is extremely easy to gently caress up since it gives you a completely working but incorrect configuration out of the box. It's totally possible to do properly though, you just have to read the documentation.

if you're on Linux then everything will be a pain in the rear end so maybe the AWS CA would be easier to manage overall.

check to see if the aws thing has an enrollment client for windows that would ease deployment.

Pile Of Garbage
May 28, 2007



for reference, the biggest out-of-box gently caress-up with windows CA is deploying a root and then going home. it raises zero warnings about doing so but realistically you need an off-line root and an intermediate to actually issue certs (plus potentially other servers to handle CDP or enrolment). microsoft do document this but won't guide you into it.

that said doing PKI properly in general requires planning and i've seen plenty of outfits gently caress-up non-windows PKI in exactly the same way.

Crime on a Dime
Nov 28, 2006

Pile Of Garbage posted:

for reference, the biggest out-of-box gently caress-up with windows CA is deploying a root and then going home. it raises zero warnings about doing so but realistically you need an off-line root and an intermediate to actually issue certs (plus potentially other servers to handle CDP or enrolment). microsoft do document this but won't guide you into it.

that said doing PKI properly in general requires planning and i've seen plenty of outfits gently caress-up non-windows PKI in exactly the same way.

good advice ty

Shaggar
Apr 26, 2006
the default templates are all junk too

it’s not really hard to configure correctly, you just need to think about the design a little. the Microsoft docs on it are good and suggest a multilevel ca setup so go check them out

Crime on a Dime
Nov 28, 2006

Shaggar posted:

the default templates are all junk too

it’s not really hard to configure correctly, you just need to think about the design a little. the Microsoft docs on it are good and suggest a multilevel ca setup so go check them out

no

Pile Of Garbage
May 28, 2007



the importance of your PKI depends mainly on what it's supporting. certs for web services is pretty low-key. client certs for auth is a bit more important. client certs for 802.1x auth is a giant fuckin deal and is why the last root CA renewal i was involved in was such a massive loving deal.

Shame Boy
Mar 2, 2010

Pile Of Garbage posted:

if you're in a predominantly windows environment then you'll be far better served by a windows CA. harder to do right but really the integration is way better (mainly auto-enrolment and directory CDP).

unfortunately we're in a "whatever the hell" environment so probably can't go with that... i'll mention it though.

Pile Of Garbage posted:

from what you describe though i'd maybe recommend reading up on PKI and how CAs function first.

i'm well aware of how PKI and CAs function, that's why the guy came to me (since he sure as hell doesn't). right now our process is basically telling every one of our customers to create their own CA, install it on all their devices (tablets lol), then generate certificates from that, install them in our service (which is running on their servers), and manage the rest themselves. as you can probably guess, this is highly variable and lovely, where some customers already have internal CAs set up that they can just use immediately, and others not having any idea what SSL even is.

the plan this guy wants is to have a CA we give them the public key to, they install that on their devices (not that hard with the management stuff they already use to install our crap), then our service (the one running on their server) generates a private key and contacts [something] to get it signed / renewed / whatever.

e:

Pile Of Garbage posted:

the importance of your PKI depends mainly on what it's supporting. certs for web services is pretty low-key. client certs for auth is a bit more important. client certs for 802.1x auth is a giant fuckin deal and is why the last root CA renewal i was involved in was such a massive loving deal.


it's the first one, this is basically just to allow HTTPS between our clients and our services on their devices/servers in their internal network in the most painless and controllable way possible

Shame Boy fucked around with this message at 19:40 on Feb 5, 2020

Pile Of Garbage
May 28, 2007



Shame Boy posted:

i'm well aware of how PKI and CAs function, that's why the guy came to me (since he sure as hell doesn't). right now our process is basically telling every one of our customers to create their own CA, install it on all their devices (tablets lol), then generate certificates from that, install them in our service (which is running on their servers), and manage the rest themselves. as you can probably guess, this is highly variable and lovely, where some customers already have internal CAs set up that they can just use immediately, and others not having any idea what SSL even is.

that's beyond variable and lovely. that basically shits all over the core tenet of PKI which is chain of trust. letting third-parties sign certs from their own CA and then implicitly trusting that CA in your infra is insanity.

Shame Boy posted:

the plan this guy wants is to have a CA we give them the public key to, they install that on their devices (not that hard with the management stuff they already use to install our crap), then our service (the one running on their server) generates a private key and contacts [something] to get it signed / renewed / whatever.

what!?!?

Shame Boy
Mar 2, 2010

Pile Of Garbage posted:

that's beyond variable and lovely. that basically shits all over the core tenet of PKI which is chain of trust. letting third-parties sign certs from their own CA and then implicitly trusting that CA in your infra is insanity.

it's not our infrastructure, it's all their servers and devices and crap, it's just our software running on it

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
we are trying to apply a veneer of security to something that's inherently insecure because regulations require us to do so

Shaggar
Apr 26, 2006

Shame Boy posted:

it's not our infrastructure, it's all their servers and devices and crap, it's just our software running on it

as long as you authenticate them before signing their service keys it's probably not the worst thing in the world. maybe consider a CA per customer to prevent one customer from trusting another.

Shame Boy
Mar 2, 2010

i made a quick diagram because i feel like i'm not very good at explaining




Shaggar posted:

as long as you authenticate them before signing their service keys it's probably not the worst thing in the world.

yeah to be clear it wouldn't just be "lol give me a cert" it would be "i'm x and can prove it with these credentials / key / something, please sign this"

Shaggar posted:

maybe consider a CA per customer to prevent one customer from trusting another.

oh i was thinking about that earlier, thanks for reminding me i'll definitely bring it up

Shaggar
Apr 26, 2006
the way I'd probably do it is one root for your own components that all customers should trust and then another root per customer that's only trusted by that customer. I would not make the customer root a sub of your own root specifically to prevent cross customer trust.
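Shaggar's layout above (one vendor root, one independent root per customer, the customer root deliberately not a sub of the vendor root), as an added Go example that is not code from the thread. The CA and host names are constructed, and keys are held in memory only for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ca pairs a certificate with its private key (in memory here; a real root key stays offline).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint makes a P-256 key and cert for cn: a self-signed root CA when parent is nil, else a TLS server leaf.
func mint(cn string, parent *ca) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root: CA constraints, signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent = &ca{cert: tmpl, key: key}
	} else { // leaf: SAN for the hostname, server-auth EKU so Verify accepts it for TLS
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &ca{cert: cert, key: key}, err
}

// trustedBy reports whether leaf chains to root when root is the only trust anchor.
func trustedBy(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// demoPerCustomerRoots: vendor root plus one independent root per customer (none a sub of another); checks customer A's cert against each.
func demoPerCustomerRoots() (byA, byB, byVendor bool, err error) {
	var roots [3]*ca // 0: vendor components, 1: customer A, 2: customer B
	for i, cn := range []string{"Vendor Components Root", "Customer A Root", "Customer B Root"} {
		if roots[i], err = mint(cn, nil); err != nil {
			return
		}
	}
	const host = "service.customer-a.internal" // constructed hostname
	leaf, err := mint(host, roots[1])
	if err != nil {
		return
	}
	return trustedBy(leaf.cert, roots[1].cert, host), trustedBy(leaf.cert, roots[2].cert, host), trustedBy(leaf.cert, roots[0].cert, host), nil
}
```

A device that only trusts its own customer's root (plus the vendor root) therefore rejects certificates issued under any other customer's root, which is the cross-customer trust the post wants to rule out.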

Main Paineframe
Oct 27, 2010
election security just as bad as people feared

https://twitter.com/jackgillum/stat...ingawful.com%2F

Shaggar
Apr 26, 2006
company wants to switch from azure mfa push to fortiauthenticator sms for cost reasons. I'm not a fan

The Fool
Oct 16, 2003


azure mfa isn't even expensive jfc

Shaggar
Apr 26, 2006
it's $6/user/month for a P1 and forti comes out to like 30 cents /user/month

graph
Nov 22, 2006

aaag peanuts
have at it kids

https://www.vice.com/en_us/article/z3b3g9/here-is-a-link-to-the-shadow-inc-app-that-blew-up-the-iowa-caucus

https://vice-sundry-assets-cdn.vice.com/sites/iowa-caucus-app/iowa-caucus-app.apk

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe

quote:

"Honestly, the biggest thing is—I don’t want to throw it under the bus—but the app was clearly done by someone following a tutorial. It’s similar to projects I do with my mentees who are learning how to code," Rahjerdi said. "They started with a starter package and they just added things on top of it. I get deja vu from my classes because the code looks like someone Googled things like 'how to add authentication to React Native App' and followed the instructions," Rahjerdi said

lol

Shame Boy
Mar 2, 2010

how the hell else do you program if you can't google the thing you want to do and copy/paste the first stackoverflow answer huh???

klafbang
Nov 18, 2009
Clapping Larry
It says they followed the instructions they found with google, which puts them in the top 50% of programmers

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
it's bad, but i'm reasonably sure if someone leaked diebold's voting machine implementation it too would be on the level of babby's first burp and fart piano apk

haveblue
Aug 15, 2005



Toilet Rascal

Shame Boy posted:

how the hell else do you program if you can't google the thing you want to do and copy/paste the first stackoverflow answer huh???

cue the kgb climbing their way to the top result for "how to write election management app"

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

work made me give my contact info to every AV company in the top half of the gartner quadrant bs and I am in absolute hell

Shaggar
Apr 26, 2006
loving owned


Shaggar
Apr 26, 2006
gonna make an AV company called Checkbox that ensures Microsoft defender is turned on.
