|
fisting by many posted:
> but I don't know how you offer that feature and not have it be vulnerable to enumeration scraping.

You have them type in a phone number, and then say thanks, if it's connected to an account we'll text you an OTP or whatever. Don't divulge whether/which account until they prove ownership.
|
# ? Nov 25, 2022 06:38 |
|
|
it wasn’t recovery AIUI, but the contact-finder service. FB had this done to them a little while back too and mitigated it (rate limiting probably)
|
# ? Nov 25, 2022 06:51 |
|
Rufus Ping posted:
> You have them type in a phone number, and then say thanks, if it's connected to an account we'll text you an OTP or whatever. Don't divulge whether/which account until they prove ownership.

but the point is to allow other people (potentially strangers) to find you from your phone number. so there's no way to verify the request.
|
# ? Nov 25, 2022 06:59 |
|
fisting by many posted:
> but the point is to allow other people (potentially strangers) to find you from your phone number. so there's no way to verify the request.

You "fix" that by requiring people to opt-in to that feature, and if they haven't opted in then it doesn't find their account.
|
# ? Nov 25, 2022 07:10 |
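The two pieces of the design argued above, Rufus Ping's constant recovery response and Jabor's opt-in discovery, plus the rate limiting mentioned as FB's mitigation, as one added example. This is illustration code written for this thread, not code from Twitter, Facebook or any real service; ContactLookupService, ACCOUNTS, RATE_LIMIT, MAX_BATCH and the sample phone numbers are constructed assumptions.

```python
"""Enumeration-resistant phone-number endpoints: recovery and opt-in discovery.

Added example for this thread; not code from any real service. The service
class, the in-memory account table, the limits and the sample numbers are
constructed assumptions.
"""
import secrets
import time
from collections import defaultdict, deque

# Constructed sample data: E.164 number -> (handle, opted in to "find me by phone")
ACCOUNTS = {
    "+15550100001": ("alice", True),   # discoverable
    "+15550100002": ("bob", False),    # has an account, did not opt in
}

RATE_LIMIT = 5          # requests per key per window (assumed value)
RATE_WINDOW = 3600.0    # seconds
MAX_BATCH = 100         # numbers per discovery call (assumed value)

# Every recovery request gets this exact body, account or not.
RECOVERY_RESPONSE = {
    "status": "ok",
    "message": "If this number is linked to an account, we sent it a code.",
}
THROTTLED = {"status": "error", "message": "Too many requests, try again later."}


class ContactLookupService:
    def __init__(self, accounts=ACCOUNTS, now=time.monotonic):
        self.accounts = accounts
        self.now = now
        self._hits = defaultdict(deque)   # rate-limit key -> request timestamps
        self.outbox = []                  # (phone, otp); stands in for the SMS gateway

    def _throttled(self, key):
        """Sliding-window counter; True when the key is over budget."""
        q = self._hits[key]
        t = self.now()
        while q and t - q[0] > RATE_WINDOW:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return True
        q.append(t)
        return False

    def recover(self, phone, client_ip):
        """Account recovery. The caller learns nothing about whether `phone`
        has an account: the body is constant, and the only difference (an
        OTP) is delivered to the phone's owner. Limited per IP and per phone
        so one client cannot spray numbers or flood one victim with SMS."""
        if self._throttled(("recover", client_ip)) or self._throttled(("recover", phone)):
            return dict(THROTTLED)
        if phone in self.accounts:
            # Enqueue rather than sending inline so response time does not
            # depend on whether the lookup hit.
            self.outbox.append((phone, f"{secrets.randbelow(10**6):06d}"))
        return dict(RECOVERY_RESPONSE)

    def discover(self, phones, client_ip):
        """Contact discovery. Only accounts whose owner opted in are returned;
        opted-out accounts look exactly like numbers with no account at all.
        The batch cap and per-client rate limit make bulk scraping expensive."""
        if len(phones) > MAX_BATCH or self._throttled(("discover", client_ip)):
            return None
        found = {}
        for phone in phones:
            entry = self.accounts.get(phone)
            if entry is not None and entry[1]:
                found[phone] = entry[0]
        return found


if __name__ == "__main__":
    svc = ContactLookupService()
    print(svc.recover("+15550100001", "203.0.113.5"))   # linked number
    print(svc.recover("+15550100999", "203.0.113.5"))   # unknown number, same body
    print(svc.discover(["+15550100001", "+15550100002", "+15550100999"], "203.0.113.5"))
```

The recovery flow never distinguishes "no account" from "account, code sent"; the discovery flow never distinguishes "no account" from "account, not opted in". Rate limiting only raises the cost of scraping, so the opt-in check is what actually keeps a non-consenting user's number from being linked to their handle.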
|
Jabor posted:
> You "fix" that by requiring people to opt-in to that feature, and if they haven't opted in then it doesn't find their account.

which is what twitter did, at least. it still seems like a bad idea from a security perspective, as an ordinary person would not anticipate this kind of attack. it probably shouldn't be an option, even if opt-in.
|
# ? Nov 25, 2022 07:16 |
fisting by many posted:
> which is what twitter did, at least.
|
|
# ? Nov 25, 2022 07:56 |
|
fisting by many posted:
> which is what twitter did, at least.

you could ask the person with the phone number if they want to allow @telescraper to know their username
|
# ? Nov 25, 2022 08:39 |
|
https://twitter.com/wolfiechristl/status/1596277060435345411 lol
|
# ? Nov 26, 2022 15:59 |
|
If the germans want to go back that hard to in-house hosted dovecot with 1990s level of features nobody is stopping them, just stop trying to gently caress us public sector 365 users that are more than happy with microsoft.
|
# ? Nov 26, 2022 18:59 |
|
sure but what about the tons of individuals’ private information you traffic in during your day to day work? those people have rights too, even if they’re German
|
# ? Nov 26, 2022 19:05 |
|
SlowBloke posted:
> If the germans want to go back that hard to in-house hosted dovecot with 1990s level of features nobody is stopping them, just stop trying to gently caress us public sector 365 users that are more than happy with microsoft.

going back to 1990s terrible german software is why the GDPR exists. it's protectionist, anti-american garbage.
|
# ? Nov 26, 2022 19:11 |
|
suse linux is comin back baby!!!
|
# ? Nov 26, 2022 19:12 |
|
Shaggar posted:
> going back to 1990s terrible german software is why the GDPR exists. it's protectionist, anti-american garbage.

i feel it's got nothing to do with software and everything to do with us intelligence agencies having on demand access to all the data
|
# ? Nov 26, 2022 19:15 |
|
dream on, microsoft will almost certainly fix this pretty drat quick. no doubt they'd prefer to leave it entirely open what they do with the data, but i'd expect even a truthful enumeration of what they currently do would pass the requirements.
|
# ? Nov 26, 2022 19:15 |
|
the head of SuSE Linux for Novell ended up at Microsoft and then running GitHub before semi-retiring. MSFT always gets you in the end.
|
# ? Nov 26, 2022 19:16 |
|
Cybernetic Vermin posted:
> dream on, microsoft will almost certainly fix this pretty drat quick. no doubt they'd prefer to leave it entirely open what they do with the data, but i'd expect even a truthful enumeration of what they currently do would pass the requirements.

they're not going to want to encourage other jurisdictions to get fancy, though, so I expect there will be some brinkmanship
|
# ? Nov 26, 2022 19:17 |
|
Subjunctive posted:
> they're not going to want to encourage other jurisdictions to get fancy, though, so I expect there will be some brinkmanship

yeah, they'll do what they need to, but they'll spend the time and money to make it as broad as at all possible still.
|
# ? Nov 26, 2022 19:18 |
|
Subjunctive posted:
> the head of SuSE Linux for Novell ended up at Microsoft and then running GitHub before semi-retiring. MSFT always gets you in the end.
|
# ? Nov 26, 2022 19:21 |
|
Subjunctive posted:
> sure but what about the tons of individuals' private information you traffic in during your day to day work? those people have rights too, even if they're German

We don't have PII data in 365, we keep that in a dedicated local silo with Purview actively hunting for erroneous data uploads. Which is what any sane person should do rather than cloud-lift everything and then make such a racket afterwards.
|
# ? Nov 26, 2022 19:23 |
|
SlowBloke posted:
> We don't have PII data in 365, we keep that in a dedicated local silo with Purview actively hunting for erroneous data uploads. Which is what any sane person should do rather than cloud-lift everything and then make such a racket afterwards.

you definitely have pii in your office 365 spaces, users can't help themselves.
|
# ? Nov 26, 2022 19:35 |
|
Sickening posted:
> you definitely have pii in your office 365 spaces, users can't help themselves.

We move so little PII that it's trivial to keep an eye on it, I'm not terribly worried. Plus our users are actively resisting moving the non-critical data to 365 groups, I'm not expecting clandestine uploads when they cannot make a SharePoint/Teams site.
|
# ? Nov 26, 2022 19:45 |
|
Achmed Jones posted:
> suse linux is comin back baby!!!
|
# ? Nov 26, 2022 19:50 |
|
SlowBloke posted:
> We move so little PII that it's trivial to keep an eye on it, I'm not terribly worried. Plus our users are actively resisting moving the non-critical data to 365 groups, I'm not expecting clandestine uploads when they cannot make a SharePoint/Teams site.

my users are simply too stupid to break the law, you see
|
# ? Nov 26, 2022 22:45 |
|
Shame Boy posted:
> my users are simply too stupid to break the law, you see

Given that one of those people decided that "i will print out the file's path and bring the paper over" when asked to share the files, yes.
|
# ? Nov 26, 2022 22:58 |
|
I am sure they break the law in other more stupid ways. Just not in that particular way that requires a little bit of know-how.
|
# ? Nov 27, 2022 00:06 |
|
fortunately just using a european cloud provider will solve all your gdpr problems (because nobody will bother investigating it)
|
# ? Nov 27, 2022 00:14 |
|
SlowBloke posted:
> Given that one of those people decided that "i will print out the file's path and bring the paper over" when asked to share the files, yes.

Don't worry, users are extremely clever when it comes to destroying things, like your assumptions, weekends, and hopes.
|
# ? Nov 27, 2022 00:26 |
|
i just quickly read over the 8 page summary and i don't think this is particularly easy to fix for microsoft. a full EU instance might do it - but only if it either does not transfer data outside of the EU at all or if it only does so in very specific cases which are spelled out in detail and only to specific jurisdictions. as it is, the data agreements don't spell out who is processing data and for what - and specifically, they not only require microsoft to spell that out for their global services that might touch EU data, they also want microsoft to spell that out for third parties that somehow touch that data as part of microsoft's services. that is certainly more complicated. then there's the stuff in the twitter thread.

Shaggar posted:
> going back to 1990s terrible german software is why the GDPR exists. it's protectionist, anti-american garbage.

idk, i doubt any larger players currently can offer a modern cloud-based architecture that can comply with that. last time i talked to SAP people about this, they wanted to change topic real fast. i guess some linux shop might be able to offer this, but in practice, not even public administration will use it. munich made waves about switching their entire IT to linux and then a few years later switched back to a microsoft environment because linux was more expensive and pissed off all the users.

i assume the result is going to be a continued reliance on on-prem stuff, which in practice means on-prem exchange and other microsoft products in like 99% of all cases. or everybody will continue to ignore this and just use cloud products anyway, which is what is currently happening.
|
# ? Nov 27, 2022 00:34 |
|
rjmccall posted:
> fortunately just using a european cloud provider will solve all your gdpr problems (because nobody will bother investigating it)

Doubly so when the cloud provider goes up in flames, after all the main proponent of gaia-x was OVH.
|
# ? Nov 27, 2022 00:39 |
|
SlowBloke posted:
> Doubly so when the cloud provider goes up in flames, after all the main proponent of gaia-x was OVH.

gaia-x is functionally dead anyway, afaik
|
# ? Nov 27, 2022 00:42 |
|
Babies Getting Rabies posted:
> i just quickly read over the 8 page summary and i don't think this is particularly easy to fix for microsoft. a full EU instance might do it - but only if it either does not transfer data outside of the EU at all or if it only does so in very specific cases which are spelled out in detail and only to specific jurisdictions.

Most 365 components have a European instance already, either in Germany, France or Ireland. Data processing is the only grey area that requires bureaucratic/ops work to make the Germans happy. Whoever is keeping these debates alive likely has stakes in that flaming trash fire called gaia-x.

Babies Getting Rabies posted:
> gaia-x is functionally dead anyway, afaik

It's still being considered active by policymakers sadly.
|
# ? Nov 27, 2022 00:45 |
|
Babies Getting Rabies posted:
> munich made waves about switching their entire IT to linux and then a few years later switched back to a microsoft environment because linux was more expensive and pissed off all the users.

no, they went back to microsoft because microsoft lobbied the new mayor's party with a couple dozen million dollars (which they immediately made back by selling them brand new licenses)

it was quite funny too, just as the users got used to the new workflow and costs started to go down after the migrations ended, they went back to microsoft, and of course costs rocketed up again for a few years as they started migrating back
|
# ? Nov 27, 2022 00:56 |
|
SlowBloke posted:
> Most 365 components have a European instance already, either in Germany, France or Ireland. Data processing is the only grey area that requires bureaucratic/ops work to make the Germans happy.

the way i read this document, it seems pretty focused on the legal side of things, ie. the literal agreements. while i don't doubt the protectionist angle or wanting to keep gaia-x alive (lol), i would not put it past german bureaucracy to simply have a shitfit about this because they want to be technically correct. placating them is going to take forever.

for further evidence of germans simply disappearing up their own rear end, i refer to our attempt to develop an information security framework (BSI Grundschutz), which is so stupid and unwieldy that everybody here either uses ISO 27000 or NIST 800-53.
|
# ? Nov 27, 2022 00:56 |
|
M365 can't comply why exactly?
|
# ? Nov 27, 2022 01:05 |
|
there's a german guy i stumbled across on youtube that would post nothing but videos of his incredibly detailed, fully functional teeny tiny RC vehicles driving around his yard doing teeny tiny work. having the construction vehicles actually move teeny tiny piles of dirt to build a foundation for a crane to install a teeny tiny bridge that a teeny tiny fire truck could drive over and spray a teeny tiny amount of water on a teeny tiny fire, etc. i remember at the time thinking it was the most german hobby i had ever seen. it doesn't really have anything directly to do with the current conversation but i think it fits thematically, i guess
|
# ? Nov 27, 2022 01:06 |
|
Babies Getting Rabies posted:
> the way i read this document, it seems pretty focused on the legal side of things, ie. the literal agreements. while i don't doubt the protectionist angle or wanting to keep gaia-x alive (lol), i would not put it past german bureaucracy to simply have a shitfit about this because they want to be technically correct. placating them is going to take forever.

if there is an actual german translated NIST 800-53, it would make my weekend really nice
|
# ? Nov 27, 2022 01:29 |
|
I made a joke that other countries probably base their it policy off of nist work because they have to clearly justify their recommendations but I didn't really think it spread beyond the Five Eyes
|
# ? Nov 27, 2022 01:31 |
|
sb hermit posted:
> spread beyond the Five Eyes

that's how you get Five Pink Eyes
|
# ? Nov 27, 2022 01:33 |
|
dpkg chopra posted:
> that's how you get Five Pink Eyes
|
# ? Nov 27, 2022 01:36 |
|
|
Babies Getting Rabies posted:

it doesn't matter if the german software companies can or can't comply because they won't ever be fined
|
# ? Nov 27, 2022 03:12 |