https://twitter.com/alyssam_infosec/status/1538166123035824129?s=21&t=igMyLqd8kPyXyhUQKISXpg lmao, they straight up tricked people so they wouldn’t have drop out

Jun 19, 2022 14:05
Plorkyeran posted: a c++ committee member was convicted for child porn, and is still on the committee and refusing to interact with them at in-person meetings is a coc violation

Then the foundation board met with the group that was asking them to sever and refused to say whether he would or would not be invited as a speaker in future. A bit later they clarified this to: "The individual will not attend CppCon for as long as their presence would be broadly disruptive to the conference."

all these details and more from the perspective of a member of the group that was trying to get the foundation to sever: https://patricia.no/2022/03/08/cppcon.html

Jun 19, 2022 16:17

dpkg chopra posted: lmao, they straight up tricked people

kaschei posted: rape and child porn. ... CppCon '21

yikes. might wanna think about changing the name of the conference too lol

Jun 19, 2022 16:26

kaschei posted: CppCon

found your problem!

Jun 19, 2022 16:47

Kazinsal posted: listen I'd be okay with whatever kind of juggling and rules lawyering needed to get richard "technically, nobody ever saw jeffrey epstein with those children" stallman thrown off planet earth. doesn't matter whose hand is on the metaphorical trigger

Jun 19, 2022 17:21

child porn procuring convict

Jun 19, 2022 17:54

Beeftweeter posted: yikes. might wanna think about changing the name of the conference too lol

Jun 19, 2022 23:56

kaschei posted: rape and child porn. They removed the convicted member as an organizer and official speaker from CppCon '21 then paid for their transportation, hotel, the president of the board introduced them as a speaker at an official community event, and they received a speaker gift basket for attending. Then same president told the member the names of the people who were asking the C++ Foundation to break ties, so he contacted them directly.

herb sutter must really like that sex pest jfc

Jun 20, 2022 00:39

i guess I never paid attention to the “community” behind c++ despite using it extensively and a cursory search left me more confused. are wg21 and standard cpp foundation related entities or not?

edit: ok it’s herb sutter running both and stroustrup is treasurer of the foundation so I guess that’s kinda moot

hobbesmaster fucked around with this message at 00:53 on Jun 20, 2022

Jun 20, 2022 00:51

leave it to the c++ people to interpret the wording of their CoC in such a twisted way that ultimately nobody is happy

Jun 20, 2022 01:01

Because there's a wide range of possible creepy behavior, anything left undefined by the CoC becomes an implementation detail for the sex pest to worry about.

Jun 20, 2022 01:18

this is the cppcon code of conduct

quote: CppCon is a community conference intended for networking and collaboration in the developer community.

it should be obvious the problem with this if you have programmer brain

Jun 20, 2022 01:24

the short version isn't really much shorter than the long version, yet leaves out a hell of a lot of important points the long version covers somehow

Jun 20, 2022 01:34

hobbesmaster posted: They are also encouraged to not be too quick to take offense

lmao

Jun 20, 2022 01:40

Plorkyeran posted: a c++ committee member was convicted for child porn, and is still on the committee and refusing to interact with them at in-person meetings is a coc violation

is slugging the dude in the face considered "interacting"

Jun 20, 2022 03:28

that depends, is it an appropriate physical contact?

Jun 20, 2022 03:34

Zamujasa posted: is slugging the dude in the face considered "interacting"

Yeah, you're just conforming to the spec, if they needed more specificity in the behavior then they should have defined it.

Jun 20, 2022 03:35

who disabled garbage collection in CppCon

Jun 20, 2022 03:55

Armitag3 posted: who disabled garbage collection in CppCon

presumably hacked up template gc not able to deal with the "good buddy" reference cycle between the pedophile and organizers

Jun 20, 2022 08:39

Armitag3 posted: who disabled garbage collection in CppCon

C++ doesn't have garbage collection, you are supposed to not misuse pointers to child objects like normal people

Jun 20, 2022 10:05

what the gently caress

Jun 20, 2022 10:26

OzyMandrill posted: C++ doesn't have garbage collection, you are supposed to not misuse pointers to child objects like normal people

seems that c++ is quite apt at collecting garbage to me, op

Jun 20, 2022 11:03

Armitag3 posted: who disabled garbage collection in CppCon

Cybernetic Vermin posted: presumably hacked up template gc not able to deal with the "good buddy" reference cycle between the pedophile and organizers

Zamujasa posted: seems that c++ is quite apt at collecting garbage to me, op

Jun 20, 2022 14:28

can i get peoples thoughts on phishing sim campaigns? our org is currently doing a rather stupid knowbe4 one and I am not a fan of the practice in general. this is not being done to tick a compliance checkbox. purely for the love of the game. am i wrong in thinking about it this way? there is no 'goal' for the campaign, just good old 'user awareness'.

Jun 21, 2022 00:39

phishing campaigns are for when you need to prove to somebody that your org is vulnerable to phishing so that you can implement mfa or whatever. realistically, for an org of any reasonable size, phishing will work basically 100% of the time. sure, user awareness is great, but even if you reduce phishing hit rates by 90%, you're going from 5k to 500, or 500 to 50 - and that's still plenty of footholds to do whatever they want to do. you never get to the point where education on its own is enough. and if everybody recognizes that the org is vulnerable to phishing, there's not much info to get from it

Jun 21, 2022 00:44

if they're using real phishing emails that aren't clearly fake or pre-announced, then I think it's fine. At best you'll get a few users who will learn from it and not click stuff. At worst you get a list of the users who are at greatest risk and/or a measure of the general risk of your employees. then you can take that and use it to recommend/justify further remediation.

Jun 21, 2022 00:57

Achmed Jones posted: phishing campaigns are for when you need to prove to somebody that your org is vulnerable to phishing so that you can implement mfa or whatever.

this is the biggest thing. also to start instilling the idea of asking the help desk if you aren't sure about an e-mail but if your testing team is dicks then you can fool most people easily

Jun 21, 2022 01:10

post hole digger posted: can i get peoples thoughts on phishing sim campaigns? our org is currently doing a rather stupid knowbe4 one and I am not a fan of the practice in general. this is not being done to tick a compliance checkbox. purely for the love of the game. am i wrong in thinking about it this way? there is no 'goal' for the campaign, just good old 'user awareness'.

It's a necessary evil to scare users into complying with MFA/security hardening. Having a successful phishing sim will make even the most stubborn people think "Maybe the nerds demanding me to confirm logins every X days are not so wrong after all". The most fun thing about KnowBe4 or other equivalent is that they are only useful in the united states, last time i checked there are zero payloads targeting non-us locales so, using them worldwide, will end up with 100% penetration on the US hq and the remaining sites getting 0%, making the hq staffers look like fools.

SlowBloke fucked around with this message at 12:44 on Jun 21, 2022

Jun 21, 2022 12:41

It's fun coming up with the payloads if you're doing it yourself though. "New Halloween costume policy" with unacceptable.docm or whatever attached

Jun 21, 2022 14:23

distortion park posted: It's fun coming up with the payloads if you're doing it yourself though. "New Halloween costume policy" with unacceptable.docm or whatever attached

When we first tested our 365 attack simulator, we created the weirdest payloads (which have sadly been removed since then). Stuff like "Mosh pit corporate dress code change notification" or "Nigerian princes summit 2020 registration links", using our standard internal mail formats and i think i could have got a few bites if i ran it.

Jun 21, 2022 14:39

I got one that was like "your desk is filthy and is costing us extra to clean. see attached photos (that are actually a link)" anyway they go in a filter now based on the X-HoxHunt-Organization-ID or whatever header (thx goon I forgot)

Jun 21, 2022 16:39

Carthag Tuek posted: X-HoxHunt-Organization-ID or whatever header (thx goon I forgot)

oh that's a good idea i wonder what ours is

Jun 21, 2022 16:43

Achmed Jones posted: phishing campaigns are for when you need to prove to somebody that your org is vulnerable to phishing so that you can implement mfa or whatever. realistically, for an org of any reasonable size, phishing will work basically 100% of the time. sure, user awareness is great, but even if you reduce phishing hit rates by 90%, you're going from 5k to 500, or 500 to 50 - and that's still plenty of footholds to do whatever they want to do. you never get to the point where education on its own is enough. and if everybody recognizes that the org is vulnerable to phishing, there's not much info to get from it

this is basically my takeaway of it as well, although we are already enforcing mfa and 'suspicious login' verification. the ironic thing is someone actually fell for a real phishing attempt (replied to an email but didn't send anything sensitive) on the same day this campaign started, but the phishing attempt they fell for is nothing at all like the emails we are sending out. it doesn't seem like there is any actual end goal other than 'increase user awareness'. there's no criteria for pass/failure for the org or specific security controls we are testing here. it feels like it's just a reason to be assigning extra homework if you click on something. I've tried to stress this to the other guy on our security team, but he really loves this sort of thing. if our only findings are that 20 out of 1000 people didn’t see through our deception, then i have to ask myself what new actionable information have we gained? That each time, a handful of people will click a link designed to be clicked? If that’s all, then it seems like that wasn’t time well spent. I feel like the value of this stuff is massively overblown by companies like proofpoint and knowbe4.

Captain Foo posted: also to start instilling the idea of asking the help desk if you aren't sure about an e-mail but if your testing team is dicks then you can fool most people easily

we do this too and our users are generally pretty drat good about sending stuff

post hole digger fucked around with this message at 17:18 on Jun 21, 2022

Jun 21, 2022 17:07

Just junk filter anything that's not from inside your org. people aren't worth communicating with, so restrict it to people who can affect your income flow

Jun 21, 2022 17:43

i mean, ive been trying to convince people to follow my lead by simply never checking their email.

Jun 21, 2022 17:47

post hole digger posted: i mean, ive been trying to convince people to follow my lead by simply never checking their email.

I have to click accept on the calendar invites for my scheduled maintenance, otherwise that would be my policy

Like, I've had my directors be "we sent you a gift card for a couple hundo for the good work, check your drat mail" lol

Jun 21, 2022 17:59

RFC2324 posted: I have to click accept on the calendar invites for my scheduled maintenance, otherwise that would be my policy

i didn't realize you were a robot

Jun 21, 2022 18:08

post hole digger posted: it feels like it's just a reason to be assigning extra homework if you click on something. I've tried to stress this to the other guy on our security team, but he really loves this sort of thing

it's also possible that it's for fedramp or hipaa or whatever and the people negotiating with the auditors weren't able to get out of it. sounds like your coworker buys into the utility, but sometimes even if everybody knows it's obnoxious and useless, you just do the thing because the alternatives (losing certification or dozens of hours in meetings etc) are worse

Jun 21, 2022 18:13

assuming you have a more real-time comm tool like slack or teams then you can just ignore email, you can just filter everything to trash and nobody will even notice or call you on it ime realizing this was a boon to my career and overall mental experience

Jun 21, 2022 18:17

the best is running a phishing campaign then chiding anyone who clicked for ever clicking on out of domain emails then sending everyone a mandatory security training from an out of domain address then chiding everyone for not clicking on it

Jun 21, 2022 18:22