anthonypants
May 6, 2007



Dinosaur Gum

BangersInMyKnickers posted:

drat, I get not supporting every latest curve or whatever but 25519 is 13 years old and the NIST curves are from what, 1996?
Some people are working on a new Linux kernel crypto API called zinc, who just so happen to be the same folks who brought you WireGuard, and among the patches are Curve25519 implementations. But it's very new, so I wouldn't expect to see it for a while.


Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!


To be honest, I’m probably being too hard on them, since 25519 was only added to the IPsec RFCs less than two years ago. That said, it’s been supported by browsers at least that long, and it hasn’t been a TLS RFC until a few months ago (just before TLS 1.3 was released), only a draft until then. It’s a much better curve than the NIST ones, both because of its technical merits and its design documents.

EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


Switchblade Switcharoo

anthonypants posted:

Some people are working on a new Linux kernel crypto API called zinc, who just so happen to be the same folks who brought you WireGuard, and among the patches are Curve25519 implementations. But it's very new, so I wouldn't expect to see it for a while.
This was brought up earlier and it's mainly because the guy making WireGuard is forcing zinc to be implemented to make WireGuard a thing.

Harik
Sep 9, 2001


EVIL Gibson posted:

This was brought up earlier and it's mainly because the guy making WireGuard is forcing zinc to be implemented to make WireGuard a thing.
I've seen a lot worse kernel submissions over the years. From a quick readthrough of the threads involved, he's cordial and responsive to maintainer concerns. Compare/contrast to ESR, Jörg Schilling, etc.

The fact that it's turning into a direct-access for the already-existent software implementations rather than a completely parallel implementation speaks volumes.

FlyingCowOfDoom
Aug 1, 2003

let the beat drop


We hired a Senior Security Engineer back in March, he comes in and shits all over QRadar and gets execs to buy Splunk and lets our QRadar instance run itself into the ground. Splunk is, surprise, not done and he announced he is leaving the company and taking a new position. I'm just laughing at my boss because my team member and I told him this guy was not a good idea as he came from a military police background, openly said he was gunning to be a manager and was just not a good fit. Since he was ex-military though our CIO/VP were drooling over him because they're your typical middle-aged American white guys.

Now we have an unfinished Splunk implementation not even ingesting half our logs and nobody who knows how to run it effectively while we let QRadar, the thing we analysts knew how to operate, lapse on renewal. Thankfully I just had the "I need a promotion and raise" talk two weeks ago and it was already on track so my stock is only going up as I am now the most tenured team member who actually does their poo poo and shows up reliably.

Gonna be a lot of poo poo work learning Splunk and implementing it fully in the coming months while keeping all the other plates spinning but it feels drat good to be right about my initial and continued appraisal of the guy.

FlyingCowOfDoom fucked around with this message at Sep 18, 2018 around 23:23

Mustache Ride
Sep 11, 2001



Pillbug

Boy does that sound familiar as all hell. 4 1/2 years ago I was a forensics hire when a jackass ex-marine "senior security engineer" decided to pull QRadar and implement Splunk. Now I'm an "expert" Splunk consultant and know more than I care to about this lovely rear end product. It can be done and utilized in a Security fashion (especially without Enterprise Security, don't buy that poo poo, it's worthless) well, especially if someone is there to care and feed it. But it takes a lot of work, and you have to wade through the Kool-Aid drinking bullshit that Splunk puts out to do so.

Speaking of which, Splunk .conf 2018 is at Disney World in 2 weeks (Oct 1-4). See if they'll let you go ride rides and take Splunk Classes.

Klyith
Aug 3, 2007

GBS Pledge Week


Newegg got completely pwned

Hey guys, you know what would make the web work so much better? If we built our security-critical websites with a bazillion cloud services such that every transaction connects to 100 external web servers, most of which we don't own and change with sufficient frequency that we don't even effectively audit them. Just pile that poo poo on there.

In fact we should make that cloud so critical that if our customers try to improve their own security, by for example locking down their browser so it doesn't load or send data to random web servers, the site will break!

anthonypants
May 6, 2007



Dinosaur Gum

That's what happens when you have all your services listening on 0.0.0.0

https://twitter.com/viss/status/1042453549806870528

anthonypants fucked around with this message at Sep 20, 2018 around 15:02
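The post above points at services bound to every interface. A defender's first step is simply to enumerate what is listening on the wildcard address. The following is an added example, not code from the post or the linked tweet: it parses listening sockets in the shape of `ss -Hltn` output (a constructed sample is embedded so it runs offline; the column layout it assumes is that of iproute2's `ss` with the header suppressed) and reports every socket bound to `0.0.0.0`, `::` or `*`, minus a set of ports you have deliberately exposed. The `live_check` helper that shells out to `ss` is also an assumption about the host having iproute2 installed.

```python
import re
import subprocess
from typing import Iterable, List, Tuple

# Constructed sample in the shape of `ss -Hltn` output (listening TCP sockets,
# header suppressed). Columns: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
LISTEN 0 511 *:9200 *:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 128 10.0.0.5:3306 0.0.0.0:*
"""

# Addresses that mean "every interface on the box", in the spellings ss uses.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


def split_local_addr(field: str) -> Tuple[str, int]:
    """Split ss's Local Address:Port column; handles bracketed IPv6 and '*'."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def wildcard_listeners(ss_text: str, allowed_ports: Iterable[int] = ()) -> List[Tuple[str, int]]:
    """Return (host, port) for every LISTEN socket bound to a wildcard address,
    skipping ports that are intentionally public (allowed_ports)."""
    allowed = set(allowed_ports)
    findings = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # ignore blank/odd lines and non-listening states
        host, port = split_local_addr(parts[3])
        if host in WILDCARD_HOSTS and port not in allowed:
            findings.append((host, port))
    return findings


def live_check(allowed_ports: Iterable[int] = ()) -> List[Tuple[str, int]]:
    """Run the same check against the current host (assumes iproute2's ss)."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    return wildcard_listeners(out, allowed_ports)


if __name__ == "__main__":
    for host, port in wildcard_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22, 80}):
        print(f"bound to all interfaces: {host}:{port}")
```

In the sample, Redis on 127.0.0.1 and Postgres on ::1 are fine, MySQL is bound to a specific address, and once 22 and 80 are allowed the only finding is the Elasticsearch-style port 9200 on `*`. Run it from a config-management or CI job and the list should be empty, or match an explicit allowlist, on every host.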

22 Eargesplitten
Oct 10, 2010

Also sexism, religious bias, jingoism, and so on. Don't do it, people!

Dogs, don't do it either, even if the police man really tries to train you to do it.


Well, there but for the grace of God and Newegg’s inflated prices on Pi parts go I.

Would the harvesting be prevented by using PayPal in that case? I think PayPal does the transfer themselves, right?

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

Yes, that would protect you.

Diametunim
Oct 26, 2010


I can't take this PCI audit anymore. Six months of auditing is too god drat long for everybody to pass their laundry list of blunders over to InfoSec because we're responsible for everything in the end. I just want to die.

Sickening
Jul 15, 2007

Black Summer was the best summer.

Diametunim posted:

I can't take this PCI audit anymore. Six months of auditing is too god drat long for everybody to pass their laundry list of blunders over to InfoSec because we're responsible for everything in the end. I just want to die.


Auditing is a huge part of infosec? Crazy

Martytoof
Feb 25, 2003

It's called a hassle, sweetheart..



Diametunim posted:

I just want to die.

The true PCI experience.

One of the auditors slipped me this one when I first met him.

"You know what PCI stands for, right?"
"Payment Ca--"
"Pain Commences Immediately".
"Ha ha, good joke"

Yeah.. "joke"..

EVIL Gibson
Mar 23, 2001

THE CLOUD WILL PROTECT US


Switchblade Switcharoo

Diametunim posted:

I can't take this PCI audit anymore. Six months of auditing is too god drat long for everybody to pass their laundry list of blunders over to InfoSec because we're responsible for everything in the end. I just want to die.


That feeling of dread and gently caress-me is a big reason people usually go with third party payment processors.

Removing the risk and no longer having to deal with audits is well worth the % take the third party takes.

This is why you NEVER do a PCI self assessment and mark yourself as compliant, because the company is most definitely not unless they know they are.

Do you know where in your network the payment processors and the external users are segregated? No? Oh, sweet summer child, you are most definitely not compliant in ways you cannot believe.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010


EVIL Gibson posted:

That feeling of dread and gently caress-me is a big reason people usually go with third party payment processors.


But..but that's 2%-4% of transaction monies not kept by us! *hand-waves the entire cost of the apparatus to BE PCI compliant*

stevewm
May 10, 2005


EVIL Gibson posted:

That feeling of dread and gently caress-me is a big reason people usually go with third party payment processors.

Removing the risk and no longer having to deal with audits is well worth the % take the third party takes.

This is why you NEVER do a PCI self assessment and mark yourself as compliant, because the company is most definitely not unless they know they are.

Do you know where in your network the payment processors and the external users are segregated? No? Oh, sweet summer child, you are most definitely not compliant in ways you cannot believe.

I was so glad the day we switched to a platform that uses point-to-point encryption directly from PIN pad to gateway (Verifone Point).

The card data is collected on the pad and sent directly to Verifone's gateway and then on to our processor from there. Card data never touches our POS system; the POS only gets a go/no-go status from the pad and that's it. Even manual card number entries have to be done on the pad itself.

Each pad is individually authenticated and encrypted with its own certificate. Getting a new pad added requires the involvement of no less than 3 different companies (POS provider, gateway provider, and processor) and several days if not weeks for them to order and set up the certificates, authorize the pad to the gateway, etc. As the merchant we have zero access to any of this process, which is fine by me!

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010


Consumers: "How could it possibly get worse than the newegg breach?!"

Canada: hold my poutine

https://www.privacyfly.com/articles/ncix_breach/

mewse
May 2, 2006



incoherent posted:

Consumers: "How could it possibly get worse than the newegg breach?!"

Canada: hold my poutine

https://www.privacyfly.com/articles/ncix_breach/

CLAM DOWN
Feb 13, 2007

RICKARUS

It's Moot baby!




incoherent posted:

Consumers: "How could it possibly get worse than the newegg breach?!"

Canada: hold my poutine

https://www.privacyfly.com/articles/ncix_breach/

lmao

https://www.eteknix.com/ncix-databa...ut-being-wiped/

quote:

Craigslist seller claiming to have NCIX’ Database servers for only $1500 CAD...“18 DELL Poweredge servers, as well as at least two Supermicro server’s running StarWind iSCSI Software that NCIX had used to back up their hard disks.”.

Worst of all however, is that he also stumbled into unencrypted tables containing consumer information. This has their addresses, names, contact information and all necessary information to steal their identity. This not only includes NCIX customers from Canada, but from the US as well.

The database also contained full credit card payment details in plain text for 258,000 users.

quote:

From what Doering saw, the computers contained various papers and documents. Some of which even belonged personally to NCIX founder Steve Wu. According to Doering, he found “data going back 13 years, financial documents, employment letters containing SIN numbers”. This even featured personal documents and images of Mr. Wu’s family mixed in with numerous private photos of high end escorts from mainland china.
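The quoted article's worst finding is cardholder data sitting in plain text in database tables. Before an auditor (or a Craigslist buyer) finds it, you can scan your own exports for it. The following is an added example, not code from the article or the post: it runs a PAN-style detector over constructed, made-up table rows, using a digit-run regex followed by the Luhn check so that ordinary 16-digit IDs do not trigger it, and reports only masked values so the scanner's own output is not itself cardholder data. The pipe-delimited row format and all numbers are assumptions made up for the demo.

```python
import re
from typing import List, Tuple

# Constructed sample rows in the shape of a dumped orders table (all values made up).
# Row 1004 is a 16-digit number that is NOT a valid PAN; row 1005 is already masked.
SAMPLE_ROWS = [
    "1001|alice@example.com|4111111111111111|12/21|approved",
    "1002|bob@example.com|tok_a1b2c3d4e5f6|07/22|approved",
    "1003|carol@example.com|5500 0000 0000 0004|03/23|declined",
    "1004|dave@example.com|1234567890123456|01/24|approved",
    "1005|erin@example.com|**** **** **** 1111|09/22|approved",
]

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in
# a longer digit run. Candidates still have to pass the Luhn check below.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid digit run of card-number length found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits, which is all a report should ever contain."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_rows(rows: List[str]) -> List[Tuple[int, str]]:
    """(row index, masked PAN) for every probable card number in the rows."""
    return [(i, mask(p)) for i, row in enumerate(rows) for p in find_pans(row)]


if __name__ == "__main__":
    for idx, masked in scan_rows(SAMPLE_ROWS):
        print(f"row {idx}: plaintext PAN found -> {masked}")
```

Two of the five rows are flagged: the Visa- and Mastercard-style test numbers, one of them with spaces. The tokenized value, the masked value and the arbitrary 16-digit ID in row 1004 (which fails Luhn) are all ignored. The same `find_pans` function can be pointed at log files, backups or object storage listings; expect some false positives from other Luhn-checked identifiers, so treat hits as leads to triage, not proof.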

Martytoof
Feb 25, 2003

It's called a hassle, sweetheart..



Oh man that hurts my head

mewse
May 2, 2006



I guess I'm getting my CC replaced asap

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

I bet the NCIX infosec team bitched about their PCI audits too!

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010


Subjunctive posted:

I bet the NCIX infosec team bitched about their PCI audits too!

If you've ever worked for a company run by a Chinese national there was no bitching. Just compliance. This makes perfect sense (even the mainland Chinese hookers).

incoherent fucked around with this message at Sep 20, 2018 around 19:20

Maneki Neko
Oct 27, 2000



incoherent posted:

If you've ever worked for a company ran by a Chinese national there was no bitching. Just compliance. This makes perfect sense (even the mainland Chinese hookers).

I've seen places where their previous folks just checked all the boxes on the PCI forms "YES" and submitted them, merchant doesn't care. As long as the automated vulnerability scan comes back ok, you're good.

azurite
Jul 25, 2010

Strange, isn't it?!

About 10 years ago, someone fraudulently used my credit card that I had on file at Newegg... on a Newegg purchase. It wasn't used anywhere else, and the purchase didn't show up on my Newegg account. I called Newegg to dispute it, they said "tough poo poo buddy, talk to your bank." So I did, and the bank did a chargeback. Haven't been back since. Luckily, there's a Microcenter close by, so I don't exactly miss them much.

I always thought the circumstances were strange, but now...

Kerning Chameleon
Apr 8, 2015



Happy National Credit Freeze Day, my fellow Americans!

Absurd Alhazred
Mar 27, 2010

I'm the babyliberal, gotta love me!



https://twitter.com/mipsytipsy/stat...293574815608833


Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

Charity is straight up amazing, fwiw.
