bus hustler posted:https://www.schneier.com/blog/archives/2021/01/svr-attacks-on-microsoft-365.html This is "Richard Stallman using and recommending use of blank or user as password at MIT" levels of dumb.

# ? Jan 21, 2021 15:54

BlankSystemDaemon posted:Why in the absolute shitfuck is golden SAML even a possibility?! Well, trying to counter the eventuality that an attacker manages to obtain the private keys needed to do the IdP signing in the first place is a bit of a challenge. At that point you basically are the IdP in a lot of senses. I mean, off the top of my head there doesn't seem to be any immediately obvious way to defeat such an attack other than removing the ability to export keys from the AD FS, which has its own set of issues. Or completely rewriting SAML to not allow tokens to be passed from clients, I suppose, but that again brings a whole host of issues.

# ? Jan 21, 2021 16:29

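Added example, not from the thread: the one defensive angle the post above leaves implicit is that a forged ("golden") SAML assertion is signed with the real key but was never actually issued by the IdP, so the service provider's accepted assertions can be correlated against the IdP's own issuance log. Log fields and records below are constructed and simplified, not any vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified IdP (e.g. AD FS) issuance log: what the IdP says it signed.
# Real audit events carry more fields; names here are illustrative only.
IDP_ISSUED = [
    {"time": "2021-01-21T15:50:02Z", "user": "alice@example.test", "assertion_id": "_a1"},
    {"time": "2021-01-21T15:52:40Z", "user": "bob@example.test",   "assertion_id": "_b7"},
]

# Constructed, simplified service-provider sign-in log: SAML assertions it accepted.
SP_SIGNINS = [
    {"time": "2021-01-21T15:50:05Z", "user": "alice@example.test", "assertion_id": "_a1", "lifetime_min": 60},
    {"time": "2021-01-21T15:52:44Z", "user": "bob@example.test",   "assertion_id": "_b7", "lifetime_min": 60},
    # Forged assertion: the IdP never recorded issuing it, and its validity window is far longer than policy.
    {"time": "2021-01-21T16:10:00Z", "user": "admin@example.test", "assertion_id": "_zz", "lifetime_min": 1440},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspect_assertions(idp_issued, sp_signins,
                            max_skew=timedelta(minutes=5), max_lifetime_min=60):
    """Flag accepted assertions the IdP has no record of, or whose subject, timing or
    lifetime disagree with IdP policy. Returns a list of (user, assertion_id, reason)."""
    issued_by_id = {e["assertion_id"]: e for e in idp_issued}
    findings = []
    for s in sp_signins:
        reasons = []
        issued = issued_by_id.get(s["assertion_id"])
        if issued is None:
            reasons.append("no matching IdP issuance event")
        else:
            if issued["user"] != s["user"]:
                reasons.append("subject differs from what the IdP issued")
            gap = _parse(s["time"]) - _parse(issued["time"])
            if gap < timedelta(0) or gap > max_skew:
                reasons.append("used outside expected window after issuance")
        if s["lifetime_min"] > max_lifetime_min:
            reasons.append("assertion lifetime exceeds IdP policy")
        for r in reasons:
            findings.append((s["user"], s["assertion_id"], r))
    return findings


if __name__ == "__main__":
    for f in find_suspect_assertions(IDP_ISSUED, SP_SIGNINS):
        print("SUSPECT:", f)
```

The check only works if the IdP's issuance audit log is shipped somewhere the attacker cannot tamper with, since whoever holds the signing key usually also holds the IdP host.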
I long for the day sites and services require 2FA at account creation, but only via Authy or Bitwarden or similar, because lord SMS 2FA is stupid because of how easy it is to socially engineer or directly hack. At least in my neck of the woods replacing a SIM requires valid ID but it's exploitable by smooth talking in some cases, or corruption in general... Like how there was a scandal with our equivalent of the DMV where one department had a rascal that gave out drivers licenses to whomever willing to pay for it, forging test results etc.

# ? Jan 21, 2021 18:57

Hey guys, I made a thread over in IYG that shares some similarities with the topics discussed in here if anyone wanted to talk privacy.
cage-free egghead fucked around with this message at 00:03 on Jan 22, 2021

# ? Jan 21, 2021 19:12

F4rt5 posted:I long for the day sites and services require 2FA at account creation, but only via Authy or Bitwarden or similar, because lord SMS 2FA is stupid because of how easy it is to socially engineer or directly hack. Authy accounts are tied to a phone number

# ? Jan 21, 2021 19:45

Biowarfare posted:Authy accounts are tied to a phone number Yeah but you can also change that https://support.authy.com/hc/en-us/articles/115001953247-Phone-change-process-for-Authy-and-how-long-it-takes

# ? Jan 21, 2021 20:21

cage-free egghead posted:Hey guys, I made a thread over in IYG that shares some similarities with the topics discussed in here if anyone wanted to talk privacy. why did you post a link to an unrelated FYAD thread

# ? Jan 21, 2021 23:32

So I wandered into the diarrhea filled wading pool that is HSM configuration, key management, cardholder ceremonies, and process/procedures and I think taking my own life is an acceptable alternative right about now.

# ? Jan 21, 2021 23:42

Internet Explorer posted:why did you post a link to an unrelated FYAD thread lmao whoops. I deleted a digit when I pasted my link apparently

# ? Jan 22, 2021 00:04

Martytoof posted:cardholder ceremonies, Uhh what?

# ? Jan 22, 2021 00:08

Defenestrategy posted:Uhh what? Sorry it's the dumb term that someone here coined for basically any time you need to bring cardholders together to do anything.

# ? Jan 22, 2021 00:39

cage-free egghead posted:lmao whoops. I deleted a digit when I pasted my link apparently Okay, thank you for clarifying!

# ? Jan 22, 2021 01:45

Tangentially related... Youtube apparently changed their content rules and is disallowing content related to hacking, and seems to have banned a bunch of security minded channels (and others showing off software workarounds), because rules were applied retroactively, and thus strikes rack up with the speed of light. At the very least videos are being deleted. --edit: A large 13-year old German channel got banned, and some of the flagged videos were about installing VPNs and enabling the new start menu in Windows 10. Machine learning, gently caress yea!
Combat Pretzel fucked around with this message at 17:26 on Jan 22, 2021

# ? Jan 22, 2021 17:19

Combat Pretzel posted:Tangentially related... Youtube apparently changed their content rules and is disallowing content related to hacking, and seemed to have banned a bunch of security minded channels (and others showing off software workarounds), because rules were applied retroactively, and thus strikes rack up with the speed of light. The very least videos are being deleted. That's gonna suck, there's a lot of good learning content on Youtube.

# ? Jan 22, 2021 18:50

BaseballPCHiker posted:I worked at a medical device manufacturer, and even after the Sunshine Act, our sales people were all sorts of shady. Salespeople were first hired on the basis of how good looking they were, male or female. Not really infosec related, but I was just at the doctors office and a sales rep for tylenol was arguing with my doctor in the waiting room, claiming that you can take 4000mg of tylenol a day, and the doctor was like “absolutely not, and do not say that in front of my patients.”

# ? Jan 22, 2021 19:52

Head Bee Guy posted:Not really infosec related, but I was just at the doctors office and a sales rep for tylenol was arguing with my doctor in the waiting room, claiming that you can take 4000mg of tylenol a day, and the doctor was like “absolutely not, and do not say that in front of my patients.” It is literally what the side of the bottle says E: technically it says “do not exceed 4000mg”

# ? Jan 22, 2021 20:00

The Fool posted:It is literally what the side of the bottle says "I recommend that we fire all of our employees and do not hire any more as they are all security risks"

# ? Jan 22, 2021 20:07

I try to keep it under 1000, that's what they recommend for pregnant women and I figure that's probably a safe point for people without significantly compromised livers?

# ? Jan 22, 2021 20:12

Unrelated to the o365 thing, business marches on - we bought a new medical clinic from another business unit within the same org (don't ask) and when they shut down forever they left a few computers logged into Windows and their electronic medical record.

# ? Jan 22, 2021 20:17

I think listening to the guy who studied how the body works is safer than listening to the guy who's selling the drug, or even the bottle made by the company selling the drug (and bribing the supposed oversight). Sort of like how you trust the security expert who found a flaw in a piece of software and not the vendor who insists it's perfectly safe.

# ? Jan 22, 2021 20:21

We had a couple of salespeople who were actually both good looking and incredibly knowledgeable about the product in a very niche way so that they could actually provide advice on how to use the product to a degree. Like they knew the device really well and the doctor knew medicine well and they could bounce ideas off of each other, but that was rare, and they tended to be higher up sales management types that had been promoted a few times. On topic. I've been playing around with Canary Tokens for a while, I've set up free tokens for a past employer and found them really beneficial. Trying to talk my current company into buying the paid version. Has anyone here used Thinkst Canary paid token software before?

# ? Jan 22, 2021 20:41

taking 4000mg in one day is not at all the same as taking 4000mg per day

# ? Jan 22, 2021 22:18

Internet Explorer posted:How about sending a login link to their email that's a "click here" so they can't easily copy and paste it, then show them a bunch of pictures (blue dolphin, brown dog, etc.) and make them choose "their" picture. Maybe put a CAPTCHA before they can get an email link sent to them if you want to cut down on people getting spammed with links. Teaching people “click blind links in email then enter credentials” makes me uncomfortable, I have to say.

# ? Jan 22, 2021 22:37

Head Bee Guy posted:Not really infosec related, but I was just at the doctors office and a sales rep for tylenol was arguing with my doctor in the waiting room, claiming that you can take 4000mg of tylenol a day, and the doctor was like “absolutely not, and do not say that in front of my patients.” The dosing window between “barely effective” and “toxic” is so small for Tylenol that it wouldn’t make it through modern drug approval due to inadvertent overdose risk, as I understand it.

# ? Jan 22, 2021 22:41

Subjunctive posted:Teaching people “click blind links in email then enter credentials” makes me uncomfortable, I have to say. Well it wasn't entering credentials it was picking their picture, but yeah. Can't really be picky when your options are so, ah... limited.

# ? Jan 22, 2021 22:46

Combat Pretzel posted:Tangentially related... Youtube apparently changed their content rules and is disallowing content related to hacking, and seemed to have banned a bunch of security minded channels (and others showing off software workarounds), because rules were applied retroactively, and thus strikes rack up with the speed of light. The very least videos are being deleted. If the Lockpicking Lawyer gets axed, it’s war.

# ? Jan 24, 2021 02:44

Sonicwall being hacked by a zero day in their own VPN software is

# ? Jan 24, 2021 03:16

The Linux world never gets to make fun of Windows ever again. https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

# ? Jan 26, 2021 23:59

Palo Alto detected the Solarwinds breach a while before they attacked Fireeye, but it turns out Palo Alto missed the critical parts....which they then tried to cover up https://www.forbes.com/sites/thomas...sh=48516dc37f17

# ? Jan 27, 2021 00:41

Internet Explorer posted:The Linux world never gets to make fun of Windows ever again. This positively owns.

# ? Jan 27, 2021 00:48

Internet Explorer posted:The Linux world never gets to make fun of Windows ever again. No matter how much pair programming, code review, static analysis, automated fuzzing, and automated code sanitization you do, it won't be enough. Just look at FreeBSD; all of those are practiced, the source code is "only" ~13 million lines, and yet there's inevitably more fun things like this to find. For comparison, the Linux kernel itself is over 20 million lines (and that ignores all the userland code that makes up the libraries and utilities in a typical Linux distribution, because as an example Debian is ~60 million lines if you exclude the kernel), while Windows is estimated to be over 100 million lines. The sudo project is ~150k lines of code. Assuming a standard developer makes one bug per 100 lines of code, a good developer makes one bug per 1000 lines of code, and the ratio being 100 standard developers to 1 good developer, that leaves the various examples with somewhere on the order of 130k bugs for FreeBSD, 250k bugs for the Linux kernel, 600k bugs for Debian, over a million bugs for Windows, and ~1500 for sudo.

# ? Jan 27, 2021 01:14

It was a joke, BSD.

# ? Jan 27, 2021 01:17

Internet Explorer posted:It was a joke, BSD. I was just pointing out there's more fun to be had in the future.

# ? Jan 27, 2021 01:25

All computers and all operating systems are bad, especially your favorite one.

# ? Jan 27, 2021 01:26

CommieGIR posted:All computers and all operating systems are bad, especially your favorite one. you take that back. templeos is holy and pure

# ? Jan 27, 2021 02:27

Is this the same/related privilege escalation bug found in Ubuntu 20.04 in late 2020?

# ? Jan 27, 2021 03:01

CommieGIR posted:All computers and all operating systems are bad, especially your favorite one. My punch cards are flawless how dare you! So is my diesel powered warehouse sized computer running Fortran! Like a huge rear end Oldsmobile, insanely unwieldy, and........eats my punch cards...........sometimes........

# ? Jan 27, 2021 03:08

Internet Explorer posted:The Linux world never gets to make fun of Windows ever again. Turns out only using the root account wins again

# ? Jan 27, 2021 03:31

Can we talk more about how "Baron Samedit" is a great goddamn name?

# ? Jan 27, 2021 05:05

DACK FAYDEN posted:Can we talk more about how "Baron Samedit" is a great goddamn name? Well, I mean, Baron Samedi (Baron Saturday to his friends) is a literal Haitian Voodoo religious icon

# ? Jan 27, 2021 08:30