|
Is it illegal to DVR the show and play it back on a computer?
|
#
?
Oct 22, 2017 07:49
|
|
|
|
| # ? Apr 27, 2024 18:57 |
|
|
Boris Galerkin posted:Is it illegal to DVR the show and play it back on a computer? Probably, at least in the US
|
|
#
?
Oct 22, 2017 08:39
|
|
|
Boris Galerkin posted:Is it illegal to DVR the show and play it back on a computer? Is that a likely scenario in this case? Edit: Also, literally the first few responses to the tweet: 
|
|
#
?
Oct 22, 2017 08:41
|
|
|
Absurd Alhazred posted:Is that a likely scenario in this case? The guy is super dumb. *Wink* is secret language for "hey, I want a dcma request from my isp"
|
|
#
?
Oct 22, 2017 16:09
|
|
|
ssh doesn't provide nearly as much protection as IPSEC, but if it's good enough for you then do that. Still, strictly speaking, it's less secure (but secure enough probably).
|
|
#
?
Oct 22, 2017 22:11
|
|
|
myron cope posted:I just did the algo deploy to DigitalOcean (actually I'd done it before, destroyed that droplet for Streisand today, then went back to algo). Am i really supposed to just create a new server instead of updating it? The FAQ seems to suggest that. If you set it up with the security enhancements role it will use the unattended-upgrades package so you get the automatic ubuntu security patches and so on (essentially what you get from doing apt-get upgrade without needing to ssh in and do it yourself). But as far as upgrading algo itself, yes you are supposed to just squash your server and re-deploy the newer version of algo.
|
|
#
?
Oct 23, 2017 01:42
|
|
|
All of my co-workers are screaming bloody murder at Microsoft because the recent security patching fixing the Office code execution vulnerability broke all of their lovely VB scripts that are still using Office 98 OLEDB drivers. A formal letter has been drafted to petition IT to turn off all further updates to our Windows running computers. 
|
|
#
?
Oct 23, 2017 16:05
|
|
|
Portland Sucks posted:All of my co-workers are screaming bloody murder at Microsoft because the recent security patching fixing the Office code execution vulnerability broke all of their lovely VB scripts that are still using Office 98 OLEDB drivers. A formal letter has been drafted to petition IT to turn off all further updates to our Windows running computers. The answer will be a round of firings of everyone who signed the petition, I hope.
|
|
#
?
Oct 23, 2017 16:10
|
|
|
Avenging_Mikon posted:The answer will be a round of firings of everyone who signed the petition, I hope. Unfortunately our IT gets pushed around like a bunch of chumps because "LOL NOT OPS" and really only have authority over the employee work stations and finance systems at this point. We have two independent networks because our production engineers staged a coup years back since IT wouldn't give them admin privs on the prod servers so they figured it'd just be easier to own their own network. Odds are if their formal notice to IT doesn't work they'll just fine a way to have the affected computers moved to the unsecured hacked together production network or else they'll just RFI new servers for it and move their lovely VB scripts on to those. I love this guys. 
|
|
#
?
Oct 23, 2017 16:35
|
|
|
I'm working with a client that does business in online personal loans and was approached by their marketing team with a request to deprecate password authentication for customers. Instead, the user would provide two pieces of PII (e.g. Last 4 or Last 6 of SSN + Date of Birth) to authenticate and log in. My immediate reaction is that this is a terrible idea, but I was wondering if this is an "ok" authentication scheme given the following:
Additionally, the customer base is not always computer savvy -- I've heard of support agents having to walk a customer through setting up an email account before using the client's site. So the primary driver for this, in marketing's mind, is to reduce user friction. I want to get some better argument against this terrible idea besides "DOB and last 4 are easy to glean from nearly any document," so I can stop them from shooting themselves in the foot.
|
|
#
?
Oct 25, 2017 00:20
|
|
|
Fluue posted:I'm working with a client that does business in online personal loans and was approached by their marketing team with a request to deprecate password authentication for customers. Instead, the user would provide two pieces of PII (e.g. Last 4 or Last 6 of SSN + Date of Birth) to authenticate and log in. My immediate reaction is that this is a terrible idea, but I was wondering if this is an "ok" authentication scheme given the following: How about in light of the Equifax breach those two pieces of information aren't enough to authenticate someone is who they are claiming to be? Does your client really want to give criminals even more PII to facilitate an even worse identity theft? Marketing people are the worst.
|
|
#
?
Oct 25, 2017 00:24
|
|
|
Fluue posted:I'm working with a client that does business in online personal loans and was approached by their marketing team with a request to deprecate password authentication for customers. Instead, the user would provide two pieces of PII (e.g. Last 4 or Last 6 of SSN + Date of Birth) to authenticate and log in. My immediate reaction is that this is a terrible idea, but I was wondering if this is an "ok" authentication scheme given the following: SSNs are not secret.
|
|
#
?
Oct 25, 2017 00:24
|
|
|
Fluue posted:I'm working with a client that does business in online personal loans and was approached by their marketing team with a request to deprecate password authentication for customers. Instead, the user would provide two pieces of PII (e.g. Last 4 or Last 6 of SSN + Date of Birth) to authenticate and log in. My immediate reaction is that this is a terrible idea, but I was wondering if this is an "ok" authentication scheme given the following: Do it.
|
|
#
?
Oct 25, 2017 00:31
|
|
|
quote:How about in light of the Equifax breach those two pieces of information aren't enough to authenticate someone is who they are claiming to be? I plan on drilling that into them. They don't seem to be aware of the breadth of that hack. There's a lot of post- credit pull verification that goes on that involves the user providing more information that's harder to fake, but by that point they already have a credit pull on their record. Not sure what the implications are for the business if they get a credit pull disputed. Mr. Crow posted:Do it. 
|
|
#
?
Oct 25, 2017 00:39
|
|
|
Fluue posted:I plan on drilling that into them. They don't seem to be aware of the breadth of that hack. There's a lot of post- credit pull verification that goes on that involves the user providing more information that's harder to fake, but by that point they already have a credit pull on their record. Not sure what the implications are for the business if they get a credit pull disputed. I imagine the company would at the very least be out the cost of the credit pull. Other stuff aside, would it make more sense to collect any of that post-credit pull info/verification before doing the credit pull?
|
|
#
?
Oct 25, 2017 00:46
|
|
|
I'm curious: who's requesting the service from you? The person whose credit is being pulled, or an agent acting on their behalf (finance person at a store, etc)? Is this some sort of credit escrow service where you can "prove" to an interested party that you'll be a good risk without having to give them more intimate details? I'm basically curious how the password even helps here, since you'd be using the service so infrequently that you're almost guaranteeing any repeat visits involve a password recovery flow and what are you using for THAT?
|
|
#
?
Oct 25, 2017 00:50
|
|
|
https://twitter.com/SwiftOnSecurity/status/922856687987552256 https://twitter.com/SwiftOnSecurity/status/922857208488103936 https://twitter.com/SwiftOnSecurity/status/922857767429398528 https://twitter.com/SwiftOnSecurity/status/922859061258981377
|
|
#
?
Oct 25, 2017 00:51
|
|
|
Volmarias posted:I'm curious: who's requesting the service from you? The person whose credit is being pulled, or an agent acting on their behalf (finance person at a store, etc)? Is this some sort of credit escrow service where you can "prove" to an interested party that you'll be a good risk without having to give them more intimate details? Good post/av combo.
|
|
#
?
Oct 25, 2017 00:51
|
|
|
Powered Descent posted:https://twitter.com/SwiftOnSecurity/status/922856687987552256 welcome to america, where if you badger customer service enough you can get away with a lot
|
|
#
?
Oct 25, 2017 00:55
|
|
|
Fluue posted:I'm working with a client that does business in online personal loans and was approached by their marketing team with a request to deprecate password authentication for customers. Instead, the user would provide two pieces of PII (e.g. Last 4 or Last 6 of SSN + Date of Birth) to authenticate and log in. My immediate reaction is that this is a terrible idea, but I was wondering if this is an "ok" authentication scheme given the following: How exactly does a customer change this method of authentication if there's a breach?
|
|
#
?
Oct 25, 2017 01:20
|
|
|
Fluue posted:I'm working with a client that does business in online personal loans and was approached by their marketing team with a request to deprecate password authentication for customers. Instead, the user would provide two pieces of PII (e.g. Last 4 or Last 6 of SSN + Date of Birth) to authenticate and log in. My immediate reaction is that this is a terrible idea, but I was wondering if this is an "ok" authentication scheme given the following: Given the fact that today SSNs are public domain, a password does sound a bit more secure against an account breach. Not by much, but a tiny itsy bit, for the simple fact that hopefully is a unique one and nobody knows it.
|
|
#
?
Oct 25, 2017 01:34
|
|
|
maskenfreiheit posted:welcome to america, where if you badger customer service enough you can get away with a lot Customer support often has a lot of power by nature of what they're there for while simultaneously being in a position of ignorance when it comes to best practices, business goals, etc and then having little incentive to give a flying gently caress. It's crazy how mismanaged and misaligned the incentives are for a lot of support teams.
|
|
#
?
Oct 25, 2017 02:10
|
|
|
I don't deal with porting myself but from what I've seen this isn't really surprising. Sometimes ports get held up on the dumbest of things but the verification is hilariously bad. We've had numbers stolen from us and inadvertently stole numbers from others more than a few times thanks to various errors and how loose the system is.
|
|
#
?
Oct 25, 2017 02:13
|
|
|
Incidentally, this is why SMS 2FA is absolute garbage, and should not be relied upon.
|
|
#
?
Oct 25, 2017 04:02
|
|
|
astral posted:I imagine the company would at the very least be out the cost of the credit pull. It wouldn't make much sense, no. The application is fairly linear. A lot of the post-credit pull info is mostly legal agreements for their loan offer along with any extra requests for data spit out by the decisioning engine (e.g. provide proof of employment). Volmarias posted:I'm curious: who's requesting the service from you? The person whose credit is being pulled, or an agent acting on their behalf (finance person at a store, etc)? Is this some sort of credit escrow service where you can "prove" to an interested party that you'll be a good risk without having to give them more intimate details? The customer initiates the credit pull, as they are the one filling out the application. It's not really an escrow service; the user gets offers back based on personal information provided before submitting their application. Once the user selects an offer (if the decisioning engine returns an offer), they go through some agreements and then the decisioning engine determines if any extra verification is needed. Password recovery flow is another sticking point. It uses email recovery (e.g. typical emailed links to reset password). They want to get rid of that with the "use your PII to login!  "It sounds like bringing up these facts will get some traction on the authentication: a) SSNs are pretty much out in the wild for everyone, along with (at the very least) a person's DOB b) It'll cost them extra in fraudulent credit pulls (though they'd expressed that they don't care much about these extra costs??)
|
|
#
?
Oct 25, 2017 04:06
|
|
|
Fluue posted:
Not only was ssn and dob leaked but sometimes things like work history, addresses they lived at, family information , phone numbers, etc etc The leak was pretty bad. It gave those with bad intent the ability to possibly answer questions BETTER than the actual person (exact work history or when they loved at a certain address).
|
|
#
?
Oct 25, 2017 04:59
|
|
|
Fluue posted:
This sounds disturbing so probably I'm missing something here. To me it sounds like they don't care because they'll make their money (or bonuses) anyhow, so ... who cares about fraudulent pulls?
|
|
#
?
Oct 25, 2017 05:01
|
|
|
.
|
|
#
?
Oct 25, 2017 06:04
|
|
|
do we really need to know about your period?
|
|
#
?
Oct 25, 2017 07:43
|
|
|
Which payday loan company do you work for? Be honest.
|
|
#
?
Oct 25, 2017 07:44
|
|
|
The Hollywood Move would be to turn up to the meeting with the personal details of everyone else in the room and point out that under their proposal you'd now have a loan out in their name.
|
|
#
?
Oct 25, 2017 07:47
|
|
|
Mr. Crow posted:Which payday loan company do you work for? Be honest. That was my first though, but payday loan companies usually dont bother with credit checks.
|
|
#
?
Oct 25, 2017 14:43
|
|
|
This is good. https://twitter.com/briankrebs/status/923188849056124929 Furism fucked around with this message at 15:15 on Oct 25, 2017 |
|
#
?
Oct 25, 2017 15:12
|
|
|
Portland Sucks posted:Unfortunately our IT gets pushed around like a bunch of chumps because "LOL NOT OPS" and really only have authority over the employee work stations and finance systems at this point. We have two independent networks because our production engineers staged a coup years back since IT wouldn't give them admin privs on the prod servers so they figured it'd just be easier to own their own network. Odds are if their formal notice to IT doesn't work they'll just fine a way to have the affected computers moved to the unsecured hacked together production network or else they'll just RFI new servers for it and move their lovely VB scripts on to those. I love this guys. Fluue posted:I plan on drilling that into them. They don't seem to be aware of the breadth of that hack. There's a lot of post- credit pull verification that goes on that involves the user providing more information that's harder to fake, but by that point they already have a credit pull on their record. Not sure what the implications are for the business if they get a credit pull disputed. incumbent telcos are the loving worst evil_bunnY fucked around with this message at 15:36 on Oct 25, 2017 |
|
#
?
Oct 25, 2017 15:33
|
|
|
You should do it for them like they asked. And then charge them megabucks to fix the problem when they get sued.
|
|
#
?
Oct 25, 2017 17:04
|
|
|
"This seems like a bad idea. I could just call up and be like 'hey my SSN is <insert SSN of marketing guy>' and get a credit check pulled as some random dude I don't know."
|
|
#
?
Oct 25, 2017 17:08
|
|
|
ChubbyThePhat posted:"This seems like a bad idea. I could just call up and be like 'hey my SSN is <insert SSN of marketing guy>' and get a credit check pulled as some random dude I don't know." I mean, anyone can go to a loan site and put in an SSN they stole and get a credit check. I could theoretically go to lendingtree.com right now and use SSNs from the Equifax leak to do some soft credit pulls. It's the hard credit pulls that make things sketchy.
|
|
#
?
Oct 25, 2017 20:48
|
|
|
I'm just starting my classes to get a degree in Cyber Security and Information Assurance. Anyone have any tips about the industry that you'd like to have known as you were getting started? I just finished my intro to InfoSec class and I'm digging it so far.
|
|
#
?
Oct 26, 2017 10:40
|
|
|
ThePagey posted:I'm just starting my classes to get a degree in Cyber Security and Information Assurance. Anyone have any tips about the industry that you'd like to have known as you were getting started? I just finished my intro to InfoSec class and I'm digging it so far. Work with everything. Get vms of all kinds to practice testing on. Choose a specific subfield that you love working in and get really good at it. I'm web app sec because I used to be a web app dev and found I'm really good at figuring when a developer took a shortcut that ruined the entire app. Does not stop me to open my router and directly work with with rhe firmware via serial ports or recreate the krackattack.
|
|
#
?
Oct 26, 2017 13:23
|
|
|
|
| # ? Apr 27, 2024 18:57 |
|
|
Anyone use AlgoSec for compliance or rule reviews? I sat through a demo and I like what I saw but I'm old fashioned and giving any 3rd party in the cloud access to my critical infrastructure never plays well with me, no matter how many process and audit attestations I get.
|
|
#
?
Oct 26, 2017 19:43
|
|
