|
fins posted: now i want to see a NIST procedural drama. bustin' down doors and kickin rear end for crimes against the metric system, or a hot tip on a group policy enforcing allll the password complexity requirements, rotated weekly.
Wonder how many goons we will see in those IT depts
Ban reason: In prison for forcing password complexity
|
# ? May 8, 2022 16:34 |
|
|
fins posted: now i want to see a NIST procedural drama. bustin' down doors and kickin rear end for crimes against the metric system, or a hot tip on a group policy enforcing allll the password complexity requirements, rotated weekly.
Ice Tea is all "The techs found out the password changed on a daily rotation. Whoever got into the office first would reset it and send it out over group chat"
RFC2324 posted: Wonder how many goons we will see in those IT depts
This freak had a password whiteboard. He would point a webcam at it to livestream broadcast it at start of shift. If anybody missed the group meeting he would send it through group chat at the McDonald's wifi spot. Real sick poo poo.
|
# ? May 8, 2022 16:46 |
|
The standards for national security systems are still woefully out of date w/r/t password requirements. When NIST updated their recommendations a few years ago we were hopeful it would trickle down but it hasn't yet. To this day, guidance such as the JSIG, NIST 800-53, etc. have things like 60-90 day password expiration, no more than 3 characters of the same type in a row, and so on. The effect is that it's nearly impossible to come up with a good password, and you can only have it for 60 or at most 90 days before having to change it. I couldn't think of a more perverse incentive to get people to write their passwords down on sticky notes than that. Luckily people for the most part know it's not OK to write their passwords down, but that just shifts the burden onto the sysadmins to be doing password resets all day.
|
# ? May 8, 2022 17:01 |
|
in lastjob we built everything (cybersecurity training) based on nist standards and then all our sales dipshits started selling poo poo to other countries who want things based on their own standards so we square peg-round holed all of it to fit theirs and it’s just a mess last day was Thursday good loving riddance now pay my contract rate for me to keep fixing the poo poo you break
|
# ? May 8, 2022 17:11 |
|
Raere posted: Luckily people for the most part know it's not OK to write their passwords down, but that just shifts the burden onto the sysadmins to be doing password resets all day.
lucky for me I am the sysadmin, so I just reset my password to the same one again in AD before the 90 days is up. pwdlastset is pwdlastset no matter who does it!
|
# ? May 8, 2022 17:31 |
|
fins posted: now i want to see a NIST procedural drama. bustin' down doors and kickin rear end for crimes against the metric system, or a hot tip on a group policy enforcing allll the password complexity requirements, rotated weekly.
nist actually prefers metric (which by law is optional) because they're not loving insane
|
# ? May 8, 2022 17:37 |
|
nist also recommends no more password rotation or complexity requirements. only length and to check it doesn't match a list of compromised passwords or do things like include the user's name
|
# ? May 8, 2022 17:40 |
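A verifier check in the shape the post describes (SP 800-63B memorized-secret rules: length, a compromised-password list, context-specific words like the username, no composition rules), shown next to the legacy complexity rule for contrast. This is an added illustration, not code from NIST or from anyone in the thread; the compromised-password set is a constructed sample, the service name is a placeholder, and the repeated-character rule is an 800-63B item the post itself does not mention.

```python
import unicodedata

# Constructed sample standing in for a real breach corpus (assumption: loaded
# from a one-password-per-line file in a real deployment).
COMPROMISED = {"password", "123456", "qwerty", "P@ssw0rd", "Summer2022!", "letmein"}

MIN_LENGTH = 8    # 800-63B minimum for a user-chosen memorized secret
MAX_LENGTH = 64   # verifiers must accept at least this many characters


def legacy_complexity_ok(pw: str) -> bool:
    """The old rule the thread complains about: 8+ chars with at least one
    upper, lower, digit and special character. Here only for comparison."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def _has_long_run(pw: str, limit: int = 4) -> bool:
    """True if any single character repeats `limit` or more times in a row."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= limit:
            return True
    return False


def nist_style_check(pw: str, username: str, service: str = "example-corp") -> list[str]:
    """Return the reasons a candidate is rejected (empty list = accepted).
    Length, compromised-list membership and context-specific words only;
    no character-class requirements and nothing about rotation."""
    # 800-63B permits NFKC normalization so visually identical strings compare equal
    pw = unicodedata.normalize("NFKC", pw)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw in COMPROMISED:
        reasons.append("appears in the compromised-password list")
    if _has_long_run(pw):
        reasons.append("contains a long run of one repeated character")
    lowered = pw.lower()
    for label, word in (("username", username), ("service name", service)):
        # split "j.smith" / "example-corp" into tokens; ignore tokens under 3 chars
        parts = [w for w in word.lower().replace(".", " ").replace("-", " ").split() if len(w) >= 3]
        if any(w in lowered for w in parts):
            reasons.append(f"contains the {label}")
    return reasons
```

The contrast the post is making falls out directly: "P@ssw0rd" satisfies every legacy complexity rule yet is rejected for being on the compromised list, while a long passphrase with no digits or symbols fails the legacy rule and passes the 800-63B-style check.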
|
also they don't consider SMS to fulfill 2fa
|
# ? May 8, 2022 17:41 |
CRIP EATIN BREAD posted: also they don't consider SMS to fulfill 2fa
this is, of course, absolute bullshit - and i'm pretty sure i'm not the only person who lost a lot of respect for nist because of that. sms has not been and will never be acceptable for 2fa.
|
|
# ? May 8, 2022 17:50 |
|
Raere posted: the sysadmins to be doing password resets all day.
you dont have a service desk? why are sysadmins doing this task
|
# ? May 8, 2022 18:03 |
|
KirbyKhan posted:Ice Tea is all "The techs found out the password changed on a daily rotation. Whoever got into the office first would reset it and send it out over group chat"
|
# ? May 8, 2022 18:06 |
|
Chris Knight posted: there's a new malware going round, kids are calling it APESTUMBLER. grandma goes to check her Facebook, next thing you know her PC is minting NFTs of the grandkids.
These creeps used to run a scam they called the Clippy. Once the mark showed up to an iframe they were running, they'd wait real quiet and keep checking window.clipboardData the whole time. As soon as they saw a string with 8+ characters, at least one upper, lower, special, and number character, and no spaces, they'd send it to another sicko who would just plug it in again and again everywhere. Real nasty stuff.
|
# ? May 8, 2022 18:17 |
|
https://twitter.com/MithrilVi/status/1521848872196321288
|
# ? May 8, 2022 20:07 |
he done hosed up
|
|
# ? May 8, 2022 20:08 |
|
I thought raidforums got taken down with gov banners anyway
|
# ? May 8, 2022 20:13 |
|
sb hermit posted: It's the inscrutable stuff, like crypto algorithms, that would rightly tend to attract a more jaundiced eye. Probably why wireguard doesn't use any of the NIST approved algorithms (as far as I know).
the NIST-recommended EC curves for key exchange have these mysterious magic values at their root: code:
by comparison we have Curve25519, which was invented by a crank cryptographer that everyone kinda dislikes but who does good work. the magic values at the root of his curve don't look big enough to hide secrets in, and he wrote a paper showing why he selected them: code:
vvv yeah, edited - they straight-up come from the NSA (suite b), the question is whether the choice was in good faith or not. there's no winning move for the nsa to author anything cryptographic, the only way they can sponsor something is to have an open contest AES-style and bless/review the result
Ulf fucked around with this message at 20:48 on May 8, 2022 |
# ? May 8, 2022 20:38 |
|
oh no doubt those came from NSA, they're the primary agency in charge of cryptography generally. whether or not it's meant to be used offensively or covertly almost certainly doesn't factor into NIST's decision making, and the fact they were just as pissed about DRBG as everyone else would seem to confirm this. there's just literally nobody better within the federal govt to consult on
e: that said i'm sure they have a classified analysis or some poo poo explaining the choice, but we're not going to see it for like 70 years unless it leaks. i'm not defending the practice and i think they should absolutely be more transparent, that's just how it is
Beeftweeter fucked around with this message at 20:48 on May 8, 2022 |
# ? May 8, 2022 20:45 |
|
Crime on a Dime posted: you dont have a service desk? why are sysadmins doing this task
When you're dealing with like compartmented programs and such, there's generally only a small handful of IT people read into the program, so they have to do everything from password resets and printer repairs all the way up to network architecture. Each additional person is a potential insider threat, after all. Or something.
|
# ? May 8, 2022 20:59 |
|
BlankSystemDaemon posted: unfortunately, they made last-minute changes that softened the language - so that the requirement is that "an agency needs to assess, understand and accept the risks associated with that authenticator".
Yeah but, ironically, I get why they did it. I disagree with it, but the reality is a lot of people absolutely refuse to install actual multifactor apps on their phones or might have phones old enough not to be able to do so. This has been an issue with our stores that my company owns. I think as long as you understand SMS 2FA should not be the standard, but the exception, it's fine. We also wrote requirements around no exceptions for people with Admin or Domain Admin when it comes to MFA.
|
# ? May 8, 2022 21:38 |
|
Ulf posted: it's no surprise that pretty much everyone ignores the NIST curves and key exchange in any popular TLS / QUIC library is using djb's curve25519 or stronger curves like curve448 that copy his work.
And the kicker to all of this is that using just EC for asymmetric crypto is not quantum resistant, so we'll be seeing new algorithms in the next decade that replace all of this. Hopefully it'll be an open process so that, internationally, we won't be seeing any algorithms that give architects any pause before using them. It already sucks balls to have to modify good implementations because they don't work with standards you are contractually obliged to work with. On the other hand, being able to negotiate algorithms would lead to some seriously overengineered crap like IKEv1. Just having a default set that everyone accepts would be much better. Preferably with a hardware accelerated symmetric crypto algorithm, hash algorithm, and deterministic random bit generator.
|
# ? May 8, 2022 21:39 |
|
CommieGIR posted: Yeah but, ironically, I get why they did it. I disagree with it, but the reality is a lot of people absolutely refuse to install actual multifactor apps on their phones or might have phones old enough not to be able to do so.
I don't see smartphones as a good mechanism for passwordless logins in high security situations. Heck, for certain areas, having a powered-on smartphone itself would be an auditable event. Much better to have a smartcard or yubikey, paired with a reasonable password, for secure mfa authentication. And yeah, for better or for worse, sms 2fa is better than no mfa, but not good enough for domain admins or accounts that require reasonable confidentiality.
|
# ? May 8, 2022 21:46 |
|
sb hermit posted: And the kicker to all of this is that using just EC for asymmetric crypto is not quantum resistant, so we'll be seeing new algorithms in the next decade that replace all of this. Hopefully it'll be an open process so that, internationally, we won't be seeing any algorithms that give architects any pause before using them. It already sucks balls to have to modify good implementations because they don't work with standards you are contractually obliged to work with.
and a pony!
|
# ? May 8, 2022 21:48 |
|
sb hermit posted: Hopefully it'll be an open process so that, internationally, we won't be seeing any algorithms that give architects any pause before using them.
quote: In August 2015, NSA announced that it is planning to transition "in the not too distant future" to a new cipher suite that is resistant to quantum attacks. [...] New standards are estimated to be published around 2024.
EDIT: I think I was wrong, I haven't really followed this space much. Here's the NIST-sponsored competition for post-quantum crypto: NIST Post-Quantum Cryptography Standardization. And google is sponsoring CECPQ2 which modifies TLS to add HRSS, which seems to be developed by known public cryptographers.
Ulf fucked around with this message at 22:34 on May 8, 2022 |
# ? May 8, 2022 22:28 |
|
our favorite rear end in a top hat cryptographer et al have made a nice website evaluating all these curves: https://safecurves.cr.yp.to
|
# ? May 8, 2022 23:37 |
|
spankmeister posted: our favorite rear end in a top hat cryptographer et al have made a nice website evaluating all these curves:
Stahp, this dude had that dumb domain since at least 2013
|
# ? May 9, 2022 00:21 |
|
i know? the page is pretty good as far as I can tell though?
|
# ? May 9, 2022 00:36 |
|
it’s kind of annoying that that’s the most readable and friendly site on EC cryptanalysis because the curve he invented happens to score highest in every criterion listed and you kinda wish for an independent evaluator that didn’t spend his free time harassing you on Usenet in the 90s
|
# ? May 9, 2022 00:46 |
|
Ulf posted:spend his free time harassing you on Usenet in the 90s
|
# ? May 9, 2022 01:12 |
|
Ulf posted: kind of annoying independent evaluator harassing you on Usenet in the 90s
sounds like they did some independent evaluation on your posts
|
# ? May 9, 2022 02:00 |
|
CommieGIR posted: Yeah but, ironically, I get why they did it. I disagree with it, but the reality is a lot of people absolutely refuse to install actual multifactor apps on their phones or might have phones old enough not to be able to do so.
guy at my work recommends to the new hires that they set up SMS as their MFA method in Azure AD. "what happens if you get a new phone"
|
# ? May 9, 2022 03:14 |
|
Beeftweeter posted:sounds like they did some independent evaluation on your posts
|
# ? May 9, 2022 03:15 |
|
lol
|
# ? May 9, 2022 03:34 |
|
Beeftweeter posted:sounds like they did some independent evaluation on your posts
|
# ? May 9, 2022 04:12 |
|
|
# ? May 9, 2022 05:07 |
|
we all like security but we don’t like buying people phones or yubikeys to use for 2fa, so in fact depending on sms is the best we can do
|
# ? May 9, 2022 09:18 |
|
can you afford to get your poo poo wrecked and your data stole
|
# ? May 9, 2022 09:45 |
|
Crime on a Dime posted: can you afford to get your poo poo wrecked and your data stole
that's next quarter's profit's problems, not this quarter's.
|
# ? May 9, 2022 09:51 |
|
Crime on a Dime posted: can you afford to get your poo poo wrecked and your data stole
you might not get wrecked and then you would've spent all that money for nothing money that would otherwise go into the pocket of an executive
|
# ? May 9, 2022 11:04 |
|
keep talking I'm geolocating
|
# ? May 9, 2022 11:40 |
|
|
viewed any images or links on any of these lately? got your anti grabify on lock?
|
# ? May 9, 2022 11:44 |