ratbert90 posted: This is so wrong it's anti-right at this point. SELinux does support contexts, that's how it's designed.

Then again, SELinux. Very capable apparently, also very complex. I remember a few years ago I decided to give SELinux a go, and not just disable it like I usually do (this is my home computer, I don't manage computers at my work). It worked for almost 6 months. SELinux would tell me what it blocked and how to enable it if I wanted to. Until one day I hit a wall. If I remember correctly it was lighttpd related, but whatever SELinux was suggesting was simply not working. Many hours of googling later I simply gave up. I had a thing to do and gently caress SELinux. Went back and disabled it and did what I had to do. drat that thing. They probably have books about it, but unless I would need to manage enterprise computers I wouldn't worry about it too much.

Aug 21, 2016 16:50

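The "SELinux tells you what it blocked" part of that story is the audit log's AVC records. As an added example that is not from this thread or from the SELinux project, here is a small shell helper that summarises those records into one line per denial (process, permission, source domain, target type, object class), which is the information you need before deciding whether a policy boolean covers the case or a custom module is really warranted. The AVC lines are constructed for this example; that lighttpd runs in the httpd_t domain (as it does under the reference policy) and that the first denial would be addressed by the httpd_can_network_connect_db boolean are my assumptions for the sample.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials from
# audit.log so you can see what was blocked and which domain/type pair is
# involved before reaching for audit2allow.

# Constructed AVC records in the format auditd writes to /var/log/audit/audit.log.
# The third line is a non-AVC record and must be ignored by the summary.
sample_avc() {
    printf '%s\n' \
'type=AVC msg=audit(1471796000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="lighttpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0' \
'type=AVC msg=audit(1471796000.102:202): avc:  denied  { read } for  pid=1234 comm="lighttpd" name="index.html" dev="sda1" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0' \
'type=SYSCALL msg=audit(1471796000.102:202): arch=c000003e syscall=2 success=no exit=-13'
}

# Read audit records on stdin; print "comm permission source_type target_type class"
# for every AVC denial. A context is user:role:type:level, so the type is the
# third colon-separated field.
summarise_avc() {
    awk '
        /^type=AVC / && $0 ~ "avc: +denied" {
            comm = ""; perm = ""; sctx = ""; tctx = ""; tclass = ""
            # The permission set is written as "{ perm1 perm2 }".
            if (match($0, "[{] [^}]* [}]"))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "scontext") { split(kv[2], c, ":"); sctx = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tctx = c[3] }
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            print comm, perm, sctx, tctx, tclass
        }'
}

# Live usage (needs the audit tools; not run here):
#   ausearch -m AVC -ts recent | summarise_avc
# A denial such as "httpd_t -> mysqld_port_t tcp_socket" is usually covered by
# an existing boolean; check those before generating a module with audit2allow:
#   getsebool -a | grep '^httpd_can_network'
#   setsebool -P httpd_can_network_connect_db on   # assumed fix for the sample's first line
```

Running `sample_avc | summarise_avc` prints two lines, one per denial; the SYSCALL record is skipped. Reading the summary this way makes the distinction between "turn on the boolean that already exists for this" and "write a module that grants httpd_t read on user home files" obvious, and the second one is the kind of suggestion worth refusing.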
Apr 25, 2024 21:48

apseudonym posted: Why in the world do you want it not to meet any standard?

I'd venture a guess here: security by obscurity? Since history teaches us that it is working so well for people....

Oct 24, 2016 02:34

Biowarfare posted: Custom text/array serialization format specifically for anti-compatibility purposes, in as hosed up a manner as possible.

But why? What's the ultimate goal? Any format you choose can be reverse engineered by someone motivated enough. The entire point of using a standard is so that you don't have to do it yourself. Ultimately, it just seems to create work for the sake of creating work.

Oct 24, 2016 13:07

Methylethylaldehyde posted: Using the most common 5000 words in the English language covers something like 97% of human speech. If you know it's a pass phrase somehow, you can reduce the possible entropy from 37^65 to 30000^4, going from 'will never be guessed' to 'I sure hope you didn't pick Correct horse battery staple'.

Adding punctuation sign(s), capitalizing a few letters and misspelling some words would further improve on this, wouldn't it?

Nov 15, 2016 02:26

sarehu posted: Users will gently caress up the copy/paste and cost money getting customer support and complaining on Yelp.

As opposed to being forced to type in a weak password that will be easily guessed and then cost money getting customer support to un-gently caress their account and complain on Yelp.

Feb 26, 2017 07:57

Powered Descent posted: From everything I've read (and tried), ChromeOS is actually a VERY tough nut to crack from a security point of view. Its biggest drawback is its biggest strength -- it's basically just a web browser and not much else. That's a pain in the butt if you want to color outside that line at all (like running a local password manager), but it also reduces the attack surface to about as small as it can get.

I never had a Chromebook and I don't really have a clue what they can and cannot do, so please forgive my stupid question: Do they not have a way to access a storage device? Because, if they do have some kind of means of accessing a storage device, then maybe one could save the password database there and copy onto the same drive a copy of KeePass compiled for ARM (or whatever CPU they have) and run it from there? Sure, it wouldn't be synchronized with the Android one, but how often do you change the database?

Jun 3, 2017 17:47

vOv posted: This is unironically good though. Digital cultural archiving is a big thing and it'd be lovely if it all got lost.

This is one piece of software that I would not feel sorry for if it got lost into the ether.

Aug 5, 2017 01:54

Cup Runneth Over posted: Oh man I can't wait until we have implants in our brains and I get hacked by someone sneezing on me

Sneezing? Now that's well wishing. It will be some Russian guy 6000km away, who will ask for 500 bitcoin or he'll blow up your brain.

Aug 13, 2017 01:04

I have a small question about WiFi security (or lack of it). Is it better (as in safer, even by a tiny bit) to set your WiFi to be hidden (not broadcast the SSID) or not? Use case: living in a place where there are tens of WiFi access points, some even open. Then, wouldn't it make sense that someone looking for some "free" WiFi to steal would go where the doors are open? Or even if the doors are closed, at least he knows that the doors are there? For a determined thief, the SSID being broadcast or not is irrelevant, as there are always ways to find it, but for the not so determined thief ... aren't there easier targets? I am not talking about not having a passphrase, that's out of the question of course, but just not being obviously "out there".

Sep 15, 2017 18:49

The Fool posted: Any benefit to security by having a hidden SSID (almost none) is far outweighed by the added inconvenience of trying to use an AP with a hidden SSID.

Are there (as far as anyone can tell) any downsides though? Security-wise, not convenience.

Sep 15, 2017 19:12

wolrah posted:

Hmm, that does sound like a possible thing to happen, indeed. Thanks for the info. The idea was not about not using encryption (I was under the impression that WEP is ... nothing really, a coffee maker can decrypt that) or a passphrase, but about simply not advertising your presence as much, especially when there are so many others to choose from. But yes, if the device itself then needs to yell to the world looking for that AP, then that's not good.

Sep 15, 2017 19:35

Well, I guess this settles it then.

Sep 15, 2017 19:58

I don't think any of the registrars force you to take hosting. Just buy the domain name (may or may not get free WHOIS privacy, depending on promos and stuff) and think about hosting and other stuff later.

Sep 19, 2017 03:43

Double Punctuation posted: That happens when you delete the file. Running fstrim or defrag /O tells the drive's firmware that the system isn't expecting much disk activity, so it should erase the sectors soon. It is a performance thing, but there's no other generic way to do it other than erasing the entire drive.

Is everyone at Equifax drunk or high nowadays? I mean, I understand, I feel for them, but holy poo poo.

Sep 20, 2017 17:16

But, what could bankrupt them (other than the US government going medieval on their asses, which I don't think it will)? It's not like the millions of creditors around the world will stop sending them money and data and paying them and whatnot.

Sep 20, 2017 19:28

Double Punctuation posted: There are three other companies that do the exact same thing, except they didn't just reveal they are completely incompetent.

There are 3 more (which are probably just as incompetent), that's true, but will the creditors really care? It's not like I chose Equifax and TransUnion and whoever else to hold my data in the first place. Unless I hear big banks yelling from the top of their lungs that Equifax is cancer and they won't do business with them anymore, it's safe to assume they'll be fine money-wise and can continue doing drugs and drinking on the job.

Sep 20, 2017 21:50

Thanks Ants posted: All companies that release a "cloud" version of their app by putting it into a RDP session can die.

How can their sales people even say "cloud version" with a straight face when they know it's just a loving computer somewhere that you remote into? It is not multitenant, it is not multiuser, it is just a plain old desktop application. And how do CxOs believe that? Are they that incompetent (I think I know the answer ....)?

Oct 4, 2017 21:24

Furism posted: Isn't that pretty much the definition of "cloud"? Sure you can add bells and whistles and elastic this and scalable that, with a bit of SDN on top, but at the end a cloud is just someone else's computer you remotely connect to. RDP or SSH or HTTP API doesn't change the basics much.

For me, the definition of the cloud is that the remote machine also hosts a remotely-accessible service or application. Accessible by multiple users at the same time. If the application is not remotely accessible ... then all you have is a desktop application hosted "in the cloud". It essentially does nothing but inconvenience everyone, and it would be much more logical to just let them run it on their own desktops. Oh, that application needs to talk to a database that's shared between people? Sure, host that in the cloud if you want. I mean what, because I run ls on a VM in AWS that sales guy will then say that ls is now "hosted in the cloud"? WTF?

Oct 5, 2017 12:24

Furism posted: I'm an rear end in a top hat, I know this, but I can't help correcting people who say SSL when they mean TLS. I even have a few slides in my training content just for that.

I don't agree with that. Using either SSL or TLS you get a secure socket communication. The protocols are different, yes, but the outcome is the same. The underlying protocol is only relevant to those that know the differences between the two, their flaws and strengths. SSH vs telnet for the average person is the same: secure vs insecure communication. How actually that is done ... pretty much irrelevant. Plus, even Wikipedia agrees that in normal conversation people do refer to them as SSL:

quote: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network.

Oct 11, 2017 18:10

Fluue posted: I'm working with a client that does business in online personal loans and was approached by their marketing team with a request to deprecate password authentication for customers. Instead, the user would provide two pieces of PII (e.g. Last 4 or Last 6 of SSN + Date of Birth) to authenticate and log in. My immediate reaction is that this is a terrible idea, but I was wondering if this is an "ok" authentication scheme given the following:

Given the fact that today SSNs are public domain, a password does sound a bit more secure against an account breach. Not by much, but a tiny itsy bit, for the simple fact that hopefully it is a unique one and nobody knows it.

Oct 25, 2017 01:34

Fluue posted:

This sounds disturbing, so probably I'm missing something here. To me it sounds like they don't care because they'll make their money (or bonuses) anyhow, so ... who cares about fraudulent pulls?

Oct 25, 2017 05:01

Thermopyle posted: Well, maybe.

Then the Equifax thingy will be looked upon as the "good old times" by the future. And you can probably bet anything that there are more vulnerabilities than ever before. Since 1997 everybody and their mother has been doing some kind of development. From lovely PHP websites to monster applications that do millisecond stock transactions or ones that drive cars by themselves. 99.9999% of the programmers out there never think about security. For 99.999% of managers, security is not something that is worth budgeting for. And for 99.99% of companies it is cheaper and easier to just ignore it and say "my bad" when security breaches do happen. The fact that Equifax is still doing business after this debacle is a testament to the importance of security for ... everyone basically.

Nov 15, 2017 03:48

anthonypants posted: Equifax wasn't taken down by vulnerabilities from 2017, and if that is shocking to you then maybe you can begin to understand why a record number of vulnerabilities reported in the first 3/4 of this year is a very bad thing. I didn't read the rest of your post.

Nobody said that those vulnerabilities are "young". They've been there since forever. Vulnerabilities being reported is a bad thing, but not because they've been reported but because those are only the 0.1% of what's out there. There are plenty to go, and the amount of vulnerable code will only increase. And there will always be those people (state sponsored or not) that will not disclose anything from the vulnerabilities that they do know.

Nov 15, 2017 05:31

Alpha Mayo posted: Wait so to be safe from Meltdown on Win10 x64, I will need both a BIOS update and the Windows patch? My mobo is 7 years old, I don't see a BIOS update happening any time soon.

This has nothing to do with the BIOS, only the OS. Yes, updating Windows will make you as secure as you can reasonably be at this time.

Jan 5, 2018 01:42

What's the consensus here about not allowing pasting into password fields? In my opinion it lowers security by preventing the use of password managers, while bringing nothing to the table. Are there engineers out there that favour this approach towards password fields?

Jan 16, 2018 00:35

Powered Descent posted: Got into a fun discussion today that this thread might enjoy pondering.

I was just about to suggest a FIDO U2F key, but then I realized you said: "NOT keep the password in your memory or anywhere in your possession." The key would obviously mean that the "password" would be kept somewhere in your possession. To be fair it could be a vault in a bank, with specific instructions that Trump, Obama and Bush have to be present personally for that box to be opened. But still, it fails that requirement. Without keeping the password (in some way, shape or form) I don't see how the data can be decrypted, ever. Even if you have an algorithm that can generate the password from a known set of bytes (a book, pi, or game ROMs), then that set of bytes is essentially the password. So, you need to have the password.

Jan 20, 2018 19:31

If nobody is reinventing the wheel most of us will be unemployed. We definitely do not want that.

Feb 13, 2018 20:59

Kerning Chameleon posted: This is my Scare Em Straight video whenever I need to beat into people's heads why they need to be using password managers, yesterday:

And then they go and pick LastPass or 1Password or some other lovely password manager service.

Feb 14, 2018 18:39

I am a bit lost too: why do you need a browser plugin? What's wrong with the desktop application? You can copy and paste usernames and passwords from it into the appropriate login forms, never having to worry about automation making a mistake.

Feb 23, 2018 20:33

Saukkis posted: One option is to do your emailing and suspect browsing inside a virtual machine and store your Keepass on the host computer.

How does that help? Software can get out of a VM. I mean, if we're in paranoid mode and hell-bent on doing stupid useless poo poo, there is absolutely nothing that can protect you, your computer or your data from the dangers of the internet. The only safe computer is turned off, guts ripped out and under 4m of concrete.

Feb 23, 2018 23:26

The Fool posted: I don't have any links, but I've heard that in a few places.

A former boss of mine complained to me that the latest website that I launched for the company only had a green lock in the address bar and didn't show the company name like it does with PayPal. I showed him how much that would cost and what is involved ... the green lock alone is fine.

Mar 1, 2018 04:01

Proteus Jones posted: loving hell.

WW3 will be fought online as well as on the battlefield. And the networks will be just as important as strategic victories/cities.

Mar 15, 2018 23:06

BangersInMyKnickers posted: It turns out that spending hundreds of thousands of dollars per year to ingest loving nmap scans is a bad use of security resources.

On the other hand: holy poo poo, are companies doing this? That's money that could go in my pocket for basically nothing.

Jun 30, 2018 00:56

Thunderbird rules. Thunderbird works. There are many like it, but this one is mine. My Thunderbird is my best friend. It is my life. I must master it as I must master my life. Without me, my Thunderbird is useless. Without my Thunderbird, I am useless.

Jul 28, 2018 06:13

hackbunny posted: No idea, they're embargoed and people are very tight-lipped about it. The rumored codenames for both include the word "smack", for what it's worth

Oh, they have codenames now?

Aug 4, 2018 01:49

Subjunctive posted: If your passwords aren't worth $3/mo, just use the same one everywhere

Which is what I do (and have them all set to 1234. Nobody would guess that). For those passwords that are worth $3/month I use KeePass (1, 2, X, whatever), which incidentally asks me for $0/month. Win/win if you ask me. Now, if you come and ask: "but how do you ... " with KeePass, the answer is "you don't". That is what is not worth $3/month.

Sep 6, 2018 20:48

EVIL Gibson posted: What the hell is this logic? You pay more = better than?

It is a known fallacy which is being taken advantage of by corporations. The name is appeal to wealth or argumentum ad crumenam: https://rationalwiki.org/wiki/Appeal_to_money

Sep 6, 2018 21:00

I played with it since everyone is praising it like it's the second coming. I used OpenVPN before as a client. I have absolutely no other experience with VPN servers or clients. It took me 10 minutes to install and configure a server following the first guide I found on the internet. The client (my machine) was even shorter. It works fine, it has good throughput. The tutorial I read held my hand just fine. WireGuard is fine. Too bad it's Linux only so far, I hope for a *BSD solution as well. Windows ... meh, who cares.

Sep 14, 2018 23:25

Boris Galerkin posted: So what does that gently caress up mean for me? A person with Linux machines running ssh (w/ public key access only)? Should I just assume all my poo poo is out there now or …?

Probably not a lot. You can start by looking to see what depends on libssh on your system. For example:

code:

Oct 17, 2018 12:23

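The dependency check suggested above, as an added example that is not the poster's code and not from the libssh project: a shell helper that reads ldd output and prints every binary linked against libssh, which is the list of things to upgrade and restart after a libssh fix. Two distinctions matter here and the example enforces both: OpenSSH's sshd does not link against libssh, so a stock SSH server is not in the list, and libssh2 is a different project with a similar name, so a plain grep for "libssh" would produce false positives. The ldd listing, binary names and paths are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate binaries on a Linux host that
# are dynamically linked against libssh (not OpenSSH, not libssh2).

# Constructed ldd output for three binaries in the multi-file format ldd prints
# when given several paths (real ldd indents dependencies with a tab; the
# parser accepts tabs or spaces). Names and addresses are made up.
sample_ldd() {
    printf '%s\n' \
        '/usr/local/bin/netdump:' \
        '        linux-vdso.so.1 (0x00007ffd1a2b3000)' \
        '        libssh.so.4 => /usr/lib/x86_64-linux-gnu/libssh.so.4 (0x00007f1c2a000000)' \
        '        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)' \
        '/usr/local/bin/gitsync:' \
        '        libssh2.so.1 => /usr/lib/x86_64-linux-gnu/libssh2.so.1 (0x00007f9e10000000)' \
        '        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9e0fc00000)' \
        '/usr/sbin/sshd:' \
        '        libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f5500000000)' \
        '        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f54ffc00000)'
}

# Read ldd output on stdin; print each binary that depends on libssh.so.* once.
# A header line is an unindented path ending in ":"; dependency lines are
# indented. "libssh\.so" does not match "libssh2.so", which is deliberate.
libssh_users() {
    awk '
        $0 ~ "^[^ \t].*:$" { bin = substr($0, 1, length($0) - 1); next }
        $0 ~ "(^|[ \t/])libssh\\.so" && !(bin in seen) { seen[bin] = 1; print bin }
    '
}

# Live usage (not run here):
#   ldd /usr/bin/* /usr/sbin/* /usr/local/bin/* 2>/dev/null | libssh_users
# Processes that already have the library mapped keep the old code until they
# are restarted; list them from their memory maps:
#   grep -l 'libssh\.so' /proc/[0-9]*/maps 2>/dev/null
# Package-manager view on Debian/Ubuntu, where the library package is libssh-4:
#   apt-cache rdepends --installed libssh-4
```

On the constructed listing, `sample_ldd | libssh_users` prints only `/usr/local/bin/netdump`: the libssh2 client and sshd are correctly left out. The /proc maps check is the one people forget; upgrading the package does nothing for a daemon that was started before the upgrade.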
Diva Cupcake posted: It's the 10 year anniversary of MS07-067.

gently caress Trustwave.

Oct 27, 2018 00:25