Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
Quackles
Aug 11, 2018

Pixels of Light.


cinci zoo sniper posted:

my unlimited phone plan costs 14 euro for unlimited data + 15 euro for unlimited voice/text

:nice:

Adbot
ADBOT LOVES YOU

Crime on a Dime
Nov 28, 2006

Cold on a Cob posted:

is it normal for my it dept to install both crowdstrike and bitdefender on my laptop

donít they do the same thing?

this poo poo is taking over 3gb of ram ffs

e: bd is doing a full scan since they just installed it so I guess thatís most of the problem there but Iím so tired of this crappy endpoint protection poo poo

e2: full scan done, still losing like 2.5gb of r and 25% of my cpu to this. jfc.

is this happening under load (applications, whatever) or while nothings running?

Cold on a Cob
Feb 6, 2006

i've seen so much, i'm going blind
and i'm brain dead virtually

College Slice

Crime on a Dime posted:

is this happening under load (applications, whatever) or while nothings running?

both, got a lot worse when I was trying to upgrade git but that makes sense I guess

Zamujasa
Oct 27, 2010



Bread Liar
the various monitoring and health reporting apps we were forced to install on our servers were like that. real fun losing 50% or more of your server's performance to multiple pieces of poo poo that do nothing.

Crime on a Dime
Nov 28, 2006

Cold on a Cob posted:

both, got a lot worse when I was trying to upgrade git but that makes sense I guess

devs always after an exception :allears:

Cold on a Cob
Feb 6, 2006

i've seen so much, i'm going blind
and i'm brain dead virtually

College Slice

Crime on a Dime posted:

devs always after an exception :allears:

yep and I get them all the time :smuggo: Iíve never requested they remove endpoint protection on my machine; as long as I get local admin Iím usually fine but looks like I might need new hardware now

anyhow mostly I was just curious if thereís any benefit to running both. either way looks like I need a new machine

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slśgt skal fÝlge slśgters gang



rjmccall posted:

not even six figgies

I mean on top of my current salary

Lysidas
Jul 26, 2002

John Diefenbaker is a madman who thinks he's John Diefenbaker.
Pillbug

Subjunctive posted:

huh, I havenít tested it on other faces, I should try that

if my wife is driving and wants me to do something with her phone that is not trivial through carplay, i usually unlock it by covering the bottom half of my face with my hand and trying face id, it works fine since shes sitting next to me, meaning her watch is close by

the mitigation of this loose security is your watch notifying you that it was unlocked, letting you press the "lock iphone" button to make the phone require a passcode

Shame Boy
Mar 2, 2010

Lysidas posted:

if my wife is driving and wants me to do something with her phone that is not trivial through carplay, i usually unlock it by covering the bottom half of my face with my hand and trying face id, it works fine since shes sitting next to me, meaning her watch is close by

the mitigation of this loose security is your watch notifying you that it was unlocked, letting you press the "lock iphone" button to make the phone require a passcode

lmao

"this picture of half of someone else's face and a hand is close enough for me I guess"

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
i am sincerely regretting having implemented azure information protection for a client

dealing with sensitivity labels on documents, and the myriad of sharing options in onedrive is just enough of a divergence from their usual workflow that they absolutely cannot get it right, and they're starting to get pissed off rather than taking the time to learn how it works (we've had multiple demo sessions and done one-on-one training with several of them, no one retains anything).

aip was a hard requirement to move them to cloud hosted infrastructure, which they wanted because they have people working across the country and they were getting annoyed with the limitations of the remote access system. now, instead, they're getting annoyed by the workflow changes and it appears everyone but a few of the partners are willing to throw access controls and data security to the wind because no one can remember the steps to do anything for longer than a single work day

i'm not sure if there's a lesson here, or a point to this, other than apparently security is impossible, because even if you can make it work, no one wants it.

SlowBloke
Aug 14, 2017

infernal machines posted:

i am sincerely regretting having implemented azure information protection for a client

dealing with sensitivity labels on documents, and the myriad of sharing options in onedrive is just enough of a divergence from their usual workflow that they absolutely cannot get it right, and they're starting to get pissed off rather than taking the time to learn how it works (we've had multiple demo sessions and done one-on-one training with several of them, no one retains anything).

aip was a hard requirement to move them to cloud hosted infrastructure, which they wanted because they have people working across the country and they were getting annoyed with the limitations of the remote access system. now, instead, they're getting annoyed by the workflow changes and it appears everyone but a few of the partners are willing to throw access controls and data security to the wind because no one can remember the steps to do anything for longer than a single work day

i'm not sure if there's a lesson here, or a point to this, other than apparently security is impossible, because even if you can make it work, no one wants it.

If this was a greenfield deploy why did you use AIP instead of MIP? AIP isn't natively integrated in sharepoint/onedrive/office but relies on several moving parts to work compared to the mostly transparent MIP.

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
that's actually my mistake in the post. we did use mip, the original plan for the project predated mip and was planned around aip, but when it came time to deploy we used purview.

the problem isn't mip itself, it's people having to adjust their workflow to accommodate any kind of restrictions. it's two clicks to mark a file so that external clients can interact with it, but you have to remember to do those two clicks. if you don't the client sends you an email saying they can't open the file, it's asking them to sign in, and then you get mad because this is all a waste of your time.

actually, the problem is also mip, and onedrive, and 3rd party poo poo like acrobat not interacting well, but those are generally edge cases around the fundamental problem that people do not give a gently caress about the security of the data because they don't think the data needs to be secure, so this is all just making their lives more difficult for no reason.

the nature of the work these people do means that any kind of breach/leak would immediately kill their reputation, and would very probably result in huge fines, but until that happens it's not something anyone cares to worry about.

infernal machines fucked around with this message at 21:10 on Mar 14, 2023

evil_bunnY
Apr 2, 2003

Subjunctive posted:

huh, I havenít tested it on other faces, I should try that
I'm exaggerating, but not much. 2 pals with asian faces could open each other's phones when it was first released.

evil_bunnY
Apr 2, 2003

infernal machines posted:

i'm not sure if there's a lesson here, or a point to this, other than apparently security is impossible, because even if you can make it work, no one wants it.
Why is this not documented in a way you can rub their faces in it?

infernal machines posted:

the nature of the work these people do means that any kind of breach/leak would immediately kill their reputation, and would very probably result in huge fines, but until that happens it's not something anyone cares to worry about.
LOL welcome to infosec I guess. It's still hilarious that with MS owning the entire stack it's never, ever smooth sailing.

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.

evil_bunnY posted:

Why is this not documented in a way you can rub their faces in it?

i'm not sure what you mean.

the processes are documented, being able to say they they're documented, refer to the documentation, doesn't actually make people less annoyed or more likely to do it.

the justification for the information restrictions, the limitations thereof, and the exceptions already made in the name of expedience are also documented. they don't matter, because every time someone runs into an issue with it, they get mad that it exists at all.

evil_bunnY posted:

LOL welcome to infosec I guess. It's still hilarious that with MS owning the entire stack it's never, ever smooth sailing.

we've worked with this company for 12 years, no one has ever been happy with the way things have been locked down. this was basically done in a hurry because it was discovered that their remote teams were running shadow IT with sensitive information, because they refused to work with the old remote system.

individually, these people have worked with government orgs nation wide on all manner of PII and other sensitive information and apparently ours are the most stringent access controls they've experienced.


e: and yeah, the MS stack is a joke but mostly for the usual reasons with microsoft. testing in production, rolling releases, and nothing being in the same place across multiple apps for more than a month at a time

infernal machines fucked around with this message at 21:28 on Mar 14, 2023

SlowBloke
Aug 14, 2017
I do am curious to see how the google equivalent of MIP works, every big google tenant i interacted with had a security stance of "YOLO".

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

AIP fuckin sucks dongs (bad)

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
it doesn't help that microsoft has had three different versions of information rights management in the last year alone, some of which have been partially depreciated, all of which share names and have overlap in feature sets. to this day there is no complete and accurate documentation for mip/pureview, links within the documentation go to older, different branded irm solutions, and the licensing requirements remain "to be determined"

when we implemented things in december, mip wouldn't automatically apply sensitivity labels to pdf files unless you created them in word. the interface said automatic labeling rules would apply to them, they just didn't. then in february, suddenly they did. acrobat theoretically supports them even, except you have to manually push a registry key to get the sensitivity label interface to appear, and because of the way acrobat locks files, onedrive fails to sync files you change the label on, it just silently creates a duplicate file.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
meanwhile over here, if you email someone a link to a document that they don't have access to, you get a little message saying "hey do you want to share this document so the person you're emailing can access it"

the power of a sensible integration instead of having two distinct systems that try their best to ignore each other

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
mip is supposed to do that!

it doesn't, the feature is still in preview, but god willing one day it will. onedrive/sharpoint does it in outlook, but since it has no notion of sensitivity labels, it still lets you share a link the recipient can open but not actually view

e: of course, only about half the staff know how to share a link in outlook, the other half still try to attach documents directly, and so there's a spread between "sent a file that's protected and the recipient can't open", "sent a link to a document the recipient doesn't have permission to access", and "sent a link to a document the recipient can access but can't decrypt"

there's also the problem of recipient can edit/can view and making sure that the link created has the right setting there too.

infernal machines fucked around with this message at 00:41 on Mar 15, 2023

Sickening
Jul 16, 2007

Black summer was the best summer.

infernal machines posted:

it doesn't help that microsoft has had three different versions of information rights management in the last year alone, some of which have been partially depreciated, all of which share names and have overlap in feature sets. to this day there is no complete and accurate documentation for mip/pureview, links within the documentation go to older, different branded irm solutions, and the licensing requirements remain "to be determined"

when we implemented things in december, mip wouldn't automatically apply sensitivity labels to pdf files unless you created them in word. the interface said automatic labeling rules would apply to them, they just didn't. then in february, suddenly they did. acrobat theoretically supports them even, except you have to manually push a registry key to get the sensitivity label interface to appear, and because of the way acrobat locks files, onedrive fails to sync files you change the label on, it just silently creates a duplicate file.

Purview is maybe their most confusing rebranding yet. Purview.microsoft.com doesn't even go to their purview product. Its like a simple dns change they never got around to implementing.

They also tie a lot of their client dlp preventions into the protected apps service ... which is less than ideal.

Pile Of Garbage
May 28, 2007



i configured MIP recently for an environment that had to be done according to the australian PSPF standard. right off the bat i discover you can't use colons in sensitivty label names so "OFFICIAL: Sensitive" has to become "OFFICIAL - Sensitive" which doesn't align with the PSPF protective marking standard. also you cant customise the colours you set for each label so that doesnt align with the standard either. good poo poo thanks microsoft. at least i was able to implement the X-Protective-Marking header and [SEC=*] subject line suffix on e-mails properly (mostly)

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


lmao someone reported an email from docusign as spam and now all emails from its sender address get black holed into proof point because the security team haven't bothered to review any of their queue yet

i am a moron
Nov 12, 2020

infernal machines posted:

it doesn't help that microsoft has had three different versions of information rights management in the last year alone, some of which have been partially depreciated, all of which share names and have overlap in feature sets. to this day there is no complete and accurate documentation for mip/pureview, links within the documentation go to older, different branded irm solutions, and the licensing requirements remain "to be determined"

when we implemented things in december, mip wouldn't automatically apply sensitivity labels to pdf files unless you created them in word. the interface said automatic labeling rules would apply to them, they just didn't. then in february, suddenly they did. acrobat theoretically supports them even, except you have to manually push a registry key to get the sensitivity label interface to appear, and because of the way acrobat locks files, onedrive fails to sync files you change the label on, it just silently creates a duplicate file.

I thought I was the only person who has ever had to deal with this garbage. Honestly itís so bad youíre just better off not even using it. Whatever team is responsible for this has got to be one of the worst product teams at Microsoft, its all of their worst practices compressed into a diamond made of absolute poo poo

Edit: also itís in almost the exact state it was in 2020 it sounds like. Wonder if they just fired everyone and forgot to remove any references to it

i am a moron fucked around with this message at 00:23 on Mar 16, 2023

taiyoko
Jan 10, 2008


infernal machines posted:

i am sincerely regretting having implemented azure information protection for a client

dealing with sensitivity labels on documents, and the myriad of sharing options in onedrive is just enough of a divergence from their usual workflow that they absolutely cannot get it right, and they're starting to get pissed off rather than taking the time to learn how it works (we've had multiple demo sessions and done one-on-one training with several of them, no one retains anything).

aip was a hard requirement to move them to cloud hosted infrastructure, which they wanted because they have people working across the country and they were getting annoyed with the limitations of the remote access system. now, instead, they're getting annoyed by the workflow changes and it appears everyone but a few of the partners are willing to throw access controls and data security to the wind because no one can remember the steps to do anything for longer than a single work day

i'm not sure if there's a lesson here, or a point to this, other than apparently security is impossible, because even if you can make it work, no one wants it.

With the mention of "partners".... If this is legal, why not use something like NetDocuments or iManage (now that the latter has a cloud offering) for document management? Access controls are built in, if someone doesn't have permission on a matter, they don't even see it as an option.

Not a shill, just someone who saw those pretty regularly working at a legal-industry-specific "outsourced t1 support" call center. [Snipped: a bunch of mostly unrelated rambling about that job that I realized after I wrote it wasn't important]

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
it's not a law firm, but a few of the partners are former lawyers. they have not had/used a proper document management solution before, and mip/sharepoint is basically the the closest they've ever been to that

they have access controls and always have, but they're broad and there is enough overlap and collaboration between teams than only some things are really locked down. beyond that, they're primarily remote/WFH and the concern is still files taking a walk on them and ending up elsewhere.

the pitch for mip was the files themselves still work in office, etc. the way you're used to, but it's trivial to revoke access, and having sent or copied the file doesn't matter so much because it's still tied to the drm solution.

the friction comes from having files classified properly/automatically, and remembering when those classifications need to change because you're sending something to an external recipient intentionally.

infernal machines fucked around with this message at 13:27 on Mar 16, 2023

evil_bunnY
Apr 2, 2003

infernal machines posted:

the friction comes from having files classified properly/automatically, and remembering when those classifications need to change because you're sending something to an external recipient intentionally.
This would be so loving trivial to fix with outlook integration lmao

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.
it would be, which is no doubt why it's been sitting in preview for three months

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


christ I've been trying to get our legal people to either a) use anything at all or b) upgrade off the ancient version of stuff some of them do have but most of all c) stop using network shares for dumping files into because who knows what's in there

my tip for doing this with an actual dms ia"absolutely do not let people change permissions on content in the DMS itself". make them go through some wrapper on an API so you can control and log/view it else you end up with 10000 folders/cabinets with 9000 different permission sets

sb hermit
Dec 13, 2016





Powerful Two-Hander posted:

christ I've been trying to get our legal people to either a) use anything at all or b) upgrade off the ancient version of stuff some of them do have but most of all c) stop using network shares for dumping files into because who knows what's in there

my tip for doing this with an actual dms ia"absolutely do not let people change permissions on content in the DMS itself". make them go through some wrapper on an API so you can control and log/view it else you end up with 10000 folders/cabinets with 9000 different permission sets

folders and cabinets are the past

the future is asking the AI for the document and it'll just hallucinate whatever you need

as long as the file is stored *somewhere*, you will always have access to some form of it or at least its core ideas and tenets

Celexi
Nov 25, 2006

Slava Ukraini!

Lysidas posted:

if my wife is driving and wants me to do something with her phone that is not trivial through carplay, i usually unlock it by covering the bottom half of my face with my hand and trying face id, it works fine since shes sitting next to me, meaning her watch is close by

the mitigation of this loose security is your watch notifying you that it was unlocked, letting you press the "lock iphone" button to make the phone require a passcode

I like that carplay will let you use a keyboard while driving while android auto requires the parking brake on(not that idiots don't bypass this)

Midjack
Dec 24, 2007



Celexi posted:

I like that carplay will let you use a keyboard while driving while android auto requires the parking brake on(not that idiots don't bypass this)

carplay in my hyundai won't give me a keyboard if the car isn't in park.

Celexi
Nov 25, 2006

Slava Ukraini!

Midjack posted:

carplay in my hyundai won't give me a keyboard if the car isn't in park.

so, it seems s to be up to the car/radio instead ofa standard

Midjack
Dec 24, 2007



Celexi posted:

so, it seems s to be up to the car/radio instead ofa standard

likely so. my 2018 honda would give me a keyboard even while moving on both carplay and android auto. i haven't plugged an android into the hyundai yet.

hobbesmaster
Jan 28, 2008

Samsung basebands apparently have a modern version of the old +++ATH0 trick

https://9to5google.com/2023/03/16/google-exynos-modem-vulnerabilities/

https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html

quote:

Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victimís phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

oops.

note that the workaround for the affected models is to turn off all voice service available in the US right now (VoLTE and WiFi - UMTS and CDMA are gone)

Celexi
Nov 25, 2006

Slava Ukraini!

hobbesmaster posted:

Samsung basebands apparently have a modern version of the old +++ATH0 trick

https://9to5google.com/2023/03/16/google-exynos-modem-vulnerabilities/

https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html

oops.

note that the workaround for the affected models is to turn off all voice service available in the US right now (VoLTE and WiFi - UMTS and CDMA are gone)

t-mobile still has gsm and umts in some places, the other day I was playing around with bands and I could use my phone fully in edge lol

hobbesmaster
Jan 28, 2008

ok, itís more accurate to say that theyíre in the ďsunsetĒ phase and you are extremely unlikely to hit a 2g/3g AT&T or Verizon tower but sprint/T-Mobile has apparently always kept things around longer

Pile Of Garbage
May 28, 2007



if you do find a CDMA/EVDO tower then it's prolly the FBI

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

as long as their back haul is decent, Iím ok with that

Adbot
ADBOT LOVES YOU

Pile Of Garbage
May 28, 2007



five 911 of uptime :nsa:

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply