Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«262 »
  • Post
  • Reply
Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

Do you have SOC 2 type 2?

Adbot
ADBOT LOVES YOU

Diva Cupcake
Aug 15, 2005



lol
https://twitter.com/FCC/status/1278009203228098562

Darchangel
Feb 12, 2009

Tell him about the blower!



D. Ebdrup posted:

Maybe they think it'll be friends.

Thank you for this.
I need to go read that series again.

D. Ebdrup
Mar 13, 2009



Darchangel posted:

Thank you for this.
I need to go read that series again.
I take it you've listened to the radio series? If not, you absolutely should!

Ynglaur
Oct 9, 2013



droll posted:

Last week I was pulled into a SaaS rollout and discovered that the vendor of the application continues to allow direct password login after you federate with SAML. The data stored in this platform was rated a 9 out of 10 on their risk analysis. The vendor DEVELOPERS response when I asked them WTF they thought SSO was for? "Well it would be a lot of work to fix this so just tell your users to only use the SSO link".
The SaaS wasn't called Callidus was it (now part of SAP)?

droll
Jan 9, 2020

Shape shifta Time travela

No it is not. It's something niche to the industry my employer is in. They're writing a SOW to make us pay for them to fix their security hole, too. If my colleagues had just followed my process we would have caught it before they signed the contract. Not that this always works, they also recently completely ignored our recommendation NOT to use a SaaS vendor that failed miserably in my vetting process, all because the business (1 person) preferred the layout as it was familiar to something she had used before. We already have a really robust platform that does the same thing but she didn't like it. My colleagues refuse to gather hard business requirements that aren't just feelings. It's madness.

Internet Explorer
Jun 1, 2005





Oven Wrangler

If it makes you feel any better, at my place we'll roll out a new product without SSO and then get upset that it doesn't have SSO, only to find out that it does and we're idiots.

geonetix
Mar 6, 2011




Hubspot does the same, if you have an account that uses SSO, you can just call password reset and use either way. There's lot of saas tooling that just implements SSO hilariously lovely.

evil_bunnY
Apr 2, 2003



droll posted:

No it is not. It's something niche to the industry my employer is in. They're writing a SOW to make us pay for them to fix their security hole, too. If my colleagues had just followed my process we would have caught it before they signed the contract. Not that this always works, they also recently completely ignored our recommendation NOT to use a SaaS vendor that failed miserably in my vetting process, all because the business (1 person) preferred the layout as it was familiar to something she had used before. We already have a really robust platform that does the same thing but she didn't like it. My colleagues refuse to gather hard business requirements that aren't just feelings. It's madness.
All this poo poo sounds like a hard case of zero-management-buy-in, AKA working in tech outside the tech sector.

Internet Explorer posted:

If it makes you feel any better, at my place we'll roll out a new product without SSO and then get upset that it doesn't have SSO, only to find out that it does and we're idiots.
😾

Mustache Ride
Sep 11, 2001



Pillbug

Speaking of SSO, Guacamole supports SAML now: https://guacamole.apache.org/releases/

Darchangel
Feb 12, 2009

Tell him about the blower!



D. Ebdrup posted:

I take it you've listened to the radio series? If not, you absolutely should!

Yes, but should listen again, as well.

Potato Salad
Oct 23, 2014

Nobody Cares




Tortured By Flan


...are they wrong though

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.


There's been a take down of a criminal-exclusive encrypted communication network.
https://www.theguardian.com/uk-news...-network-is-hit

I think this falls in the 'Don't put all your eggs in the same basket' clause of DON'T ROLL YOUR OWN CRYPTO.

Edit:
https://www.vice.com/en_uk/article/...organised-crime

Pablo Bluth fucked around with this message at 12:02 on Jul 2, 2020

Arsenic Lupin
Apr 11, 2012

This particularly rapid unintelligible patter isn't generally heard, and if it is, it doesn't matter.





https://twitter.com/fasterthanlime/...645178044121088

The Fool
Oct 16, 2003



what the gently caress

is that real?

Klyith
Aug 3, 2007

GBS Pledge Week


The Fool posted:

what the gently caress

is that real?

https://twitter.com/mrisher/status/1278724912585179136

https://twitter.com/mrisher/status/1278737942932930561

uhhhhh, holy moly. sounds like his PC was compromised, the hacker used the logged-in 2fa-authed session to disable 2fa and steal passwords.

"desensitizing to 2fa challenges" is a legit worry, but the one place that you shouldn't worry about it is for turning off the 2fa

AlternateAccount
Apr 25, 2005
FYGM

iOS 14 now pops an alert whenever an app sucks whatever's in your clipboard out. Spoiler: everyone is doing it.

https://www.youtube.com/watch?v=pRSWdtoUAjo

Internet Explorer
Jun 1, 2005





Oven Wrangler

Klyith posted:

uhhhhh, holy moly. sounds like his PC was compromised, the hacker used the logged-in 2fa-authed session to disable 2fa and steal passwords.

"desensitizing to 2fa challenges" is a legit worry, but the one place that you shouldn't worry about it is for turning off the 2fa

There are plenty of instances where an authed device can remove MFA without an MFA challenge. It makes MFA adoption a lot easier, because it makes recovery easier. Using a Google account as an example, they can't do recovery via email. Recovery via SMS is just as problematic, if not more. Expecting users to keep backup codes is having way too much faith in them. Not sure what folks expect.

If you don't want this to happen, don't save your login on the device. Then you'll have to MFA every time.

D. Ebdrup
Mar 13, 2009



AlternateAccount posted:

iOS 14 now pops an alert whenever an app sucks whatever's in your clipboard out. Spoiler: everyone is doing it.

https://www.youtube.com/watch?v=pRSWdtoUAjo
I wonder if they' make it so it pops up a notification asking if you wanna share it, and if it's denied, it just sends Kirk's Pride (or NULL, I guess, if you wanna be boring) to the developer?

Buff Hardback
Jun 11, 2019


Honestly I kind of agree with the Google engineer. If someone's popped your computer, you might have bigger problems than Google's threat model.

D. Ebdrup
Mar 13, 2009



Buff Hardback posted:

Honestly I kind of agree with the Google engineer. If someone's popped your computer, you might have bigger problems than Google's threat model.
Counterpoint: remote-executed third-party sourced untrustable code is probably running on your system right now, unless you're willing to give up as much convenience as I am - and most people aren't.
Counterpoint the second: Soon it'll be obfuscated assembly code.

Just loving lol if you think even Google has the skills to do heuristics that can properly protect against all the poo poo that can be done with that.

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.




That's the thing though. If you are already that compromised the attacker has no need to pop your google account anyways. They can just sit there and scrape your interactions at the source. They likely get more that way since you have no warning of anything gone awry that might change your behavior.

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate





But they didn't. Instead they exploited another vulnerability to strip away your protection from being compromised (and allow them to login whenever they like).

It's like allowing someone to change your password without providing your current password. Just dumb.

Volguus
Mar 3, 2009


Cup Runneth Over posted:

But they didn't. Instead they exploited another vulnerability to strip away your protection from being compromised (and allow them to login whenever they like).

It's like allowing someone to change your password without providing your current password. Just dumb.

I'm not a security engineer so this may seem a dumb question: how can you disable MFA if you lost your "other" device (whatever that may be, phone, dongle, etc.) ? I can see the security hole here, but there's also the practical portion to consider. People do lose/reset/whatever their devices so they need a way to update that token, right? I know DigitalOcean has a set of backup codes that can be used, if you have the paper with them printed, but in a major catastrophe (like your house burning down) odds are they are not stored in a fire-proof safe deposit box or off-site. They should, of course, but more often than not they arent.

Volguus fucked around with this message at 23:54 on Jul 2, 2020

Potato Salad
Oct 23, 2014

Nobody Cares




Tortured By Flan

D. Ebdrup posted:

Just loving lol if you think even Google has the skills to do heuristics that can properly protect against all the poo poo that can be done with that.

Aren't you describing a holy grail though? Automatic detection of THE INTENT of some arbitrary actions?

xtal
Jan 9, 2011



Because I've been loving with non-Turing-complete languages lately, the idea of analyzing Turing-complete code to determine if it's malicious is as impossible as determining if it halts. To avoid the possibility of endless loop bugs, you write in a non-Turing-complete language. To avoid the possibility of security vulnerabilities, stop running untrusted Turing-complete code on your computer. By definition that will never be safe. Yes this is a long way of saying disable JavaScript and never use WASM.

D. Ebdrup
Mar 13, 2009



Potato Salad posted:

Aren't you describing a holy grail though? Automatic detection of THE INTENT of some arbitrary actions?
Sure, and every antivirus company has failed at it so far.

xtal posted:

Because I've been loving with non-Turing-complete languages lately, the idea of analyzing Turing-complete code to determine if it's malicious is as impossible as determining if it halts. To avoid the possibility of endless loop bugs, you write in a non-Turing-complete language. To avoid the possibility of security vulnerabilities, stop running untrusted Turing-complete code on your computer. By definition that will never be safe. Yes this is a long way of saying disable JavaScript and never use WASM.
Technically speaking, no language is Turing complete - because the termination checker can't check itself.

Space Gopher
Jul 31, 2006
BLITHERING IDIOT

D. Ebdrup posted:

Technically speaking, no language is Turing complete - because the termination checker can't check itself.

That's not what Turing completeness means, at all. You're mixing up Turing completeness with the halting problem.

A language is Turing complete if you can use it to write an emulator for arbitrary Turing machines. A Turing machine is just a finite state machine that takes input from a single spot on an infinite tape, and can optionally overwrite the current tape symbol, shift its position, or halt based on FSM state transitions. The "infinite tape length" and "unlimited possible states" requirements are typically waived when discussing real-world systems, for obvious reasons. That's the entire definition in simple terms.

Almost all programming languages are Turing complete. It takes some effort to design a non-Turing complete language, because you can get to a Turing machine with nothing but variable storage, conditionals, and jump instructions (or, if you feel like goto is harmful, loop structures that don't put predefined fixed bounds on the number of trips through the loop, or recursion).

The halting problem is separate. It says that there's no algorithm that can take in a program for a Turing-complete system and an input to that program, and reliably answer the question of whether the program eventually halts. This isn't a limitation of Turing machines; it's just provably mathematically impossible. The concept of a Turing machine doesn't involve a "termination checker," because that's something that can't exist, even in a mathematical abstraction where the Turing machine can have an infinite length tape and an arbitrary number of states for the head.

CyberPingu
Sep 15, 2013

Ready To Ruck!






That guy seems pretty dumb if I'm being brutally honest. Thinking that because he can see his own passwords stored in Google's password managers that that means they are being stored in plaintext.


I'm also gonna assume he ticked the "Remember this device for 30 days" thing when he logged on to that machine. Which disables 2FA for 30 days because it assumes you are clever enough not to get RAT'd

CyberPingu fucked around with this message at 10:02 on Jul 3, 2020

Klyith
Aug 3, 2007

GBS Pledge Week


CyberPingu posted:

That guy seems pretty dumb if I'm being brutally honest. Thinking that because he can see his own passwords stored in Google's password managers that that means they are being stored in plaintext.


I'm also gonna assume he ticked the "Remember this device for 30 days" thing when he logged on to that machine. Which disables 2FA for 30 days because it assumes you are clever enough not to get RAT'd

If a security system doesn't work for a normal person it's bad security. When / if 2fa becomes more prevalent, any shortcut to turn off 2fa is going to become an avenue of attack.

It's not a thing that google wants to deal with because support costs. And they don't really care about the hit to security because these are one-off attacks which means no major blowback. A thousand people will lose their phones and need to reset their 2fa for every one that is hacked.

Internet Explorer
Jun 1, 2005





Oven Wrangler

Klyith posted:

If a security system doesn't work for a normal person it's bad security. When / if 2fa becomes more prevalent, any shortcut to turn off 2fa is going to become an avenue of attack.

It's not a thing that google wants to deal with because support costs. And they don't really care about the hit to security because these are one-off attacks which means no major blowback. A thousand people will lose their phones and need to reset their 2fa for every one that is hacked.

You were so close, yet so far. Here, I fixed it for you.

quote:

If a security system doesn't work for a normal person it's bad security. A thousand people will lose their phones and need to reset their 2fa for every one that is hacked.

Klyith
Aug 3, 2007

GBS Pledge Week


Internet Explorer posted:

You were so close, yet so far. Here, I fixed it for you.

That's not a very good fix though, because anyone who loses their phone without a logged-in session is still boned. For example, a common time to lose your phone is while traveling. Travel also makes the 2fa auth pop again because you're in a new location.

The answer to the lost phone problem is to design and promote better account recovery options, not make it trivial to turn off 2fa. Google accounts are so many peoples' master account that everything else in their life is set up to do recovery to. More people should be using 2fa on that.

I'm all for usable security, but I think the choice google made is for their maximal convenience, not the best usability & security for users.

CyberPingu
Sep 15, 2013

Ready To Ruck!





I mean. People are asked to save backup codes when you set up 2FA for the specific reason of if you lose your phone.

Volmarias
Dec 31, 2002


CyberPingu posted:

I mean. People are asked to save backup codes when you set up 2FA for the specific reason of if you lose your phone.

If you're not a computer toucher or computer toucher adjacent you're not doing that though.

Buff Hardback
Jun 11, 2019


FWIW: this was also an edge case of him needing a macOS device so he had bought a VPS running macOS that was using VNC by default, so he installed nomachine.

It seems like more of an edge case than "oops rdp popped", so I'm not really sure what the right answer is.

F4rt5
May 20, 2006



Volmarias posted:

If you're not a computer toucher or computer toucher adjacent you're not doing that though.
Some things can't be made to work around people's stupidity or ignorance, but people will not realize that

CyberPingu
Sep 15, 2013

Ready To Ruck!





Volmarias posted:

If you're not a computer toucher or computer toucher adjacent you're not doing that though.

The onus of security of an account is on the users end. Not the company. The company can provide the tools but it's up to the user if they want to use it.

Everyone has the ability to learn how these devices work. Google exists, search engines exist. If they don't want to learn that's on them. If they want to keep secure personal data but don't take appropriate steps to secure it what realistically do you think can be done.

Your insurance company isn't going to pay out if your house gets robbed and they found out you left your doors unlocked.

The Iron Rose
May 12, 2012

Cat Army


Realistically you educate and lower barriers to entry. It is important that safety is accessible to everyone, regardless of their knowledge or skill set or familiarity with computers. Inevitably that means designing for the lowest common denominator, and thatís a good thing!

Take the example of yubikeys or hardware 2FA. Right now, theyíre great for protection, but hard to train average users to take advantage of and poorly adopted by major service providers. The lower you make the barrier to entry, the more valuable the product, and the more better security practices can spread among consumers. Give it another five to ten years of workshopping and competition in the marketplace, and Iíll be able to get my mother on it.


a reminder: https://www.nngroup.com/articles/computer-skill-levels/

The Iron Rose fucked around with this message at 00:51 on Jul 4, 2020

CyberPingu
Sep 15, 2013

Ready To Ruck!





Most 2FA solutions would work for you average Joe user. Even though SMS sucks balls on the secure list, it's still better than nothing and I would wager most people that own a computer also own a phone and have used it to send a message before.

Implementing 2FA sucks, the support burden is really bad especially when it comes to resetting it. Depending on what you are providing, most of the time it has to lead to the end user providing proof of account ownership.

There are ways of semi automating that e.g memorable security questions or something. But it's still one of the things we struggle with a lot because resetting 2FA for one of our customers usually involves about a 20min phonecall to our support.

Adbot
ADBOT LOVES YOU

D. Ebdrup
Mar 13, 2009



I would be 100% okay with SMS 2FA if the standard had just recommended that every message be prepended with something like "Authentication Code:" so that iOS and Android could look for that in SMS messages and then blur the rest of the contents of the SMS from being displayed on the lock screen. Heck, it should be possible to implement the information as meta-data in the message itself.
I'm half-convinced that would solve every problem with SMS 2FA that doesn't involve the targeted attacks, for example where accounts are stolen via social engineering.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«262 »