  • Locked thread
infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
so, uh this is maybe a thing

quote:

Russia arrests top manager at Kaspersky cybersecurity firm on treason charge


infernal machines

hobbesmaster posted:

unless you mean a federal investigation into why yahoo engineers weren't in the crowd at the inauguration or if any of them voted for clinton, :lol:

are you now or have you ever been a member of the democratic party?

infernal machines
it's being reported that the charges relate to his work for russian internal cyber-security, before he joined kaspersky, but since he's going to be tried by a secret military tribunal it's not like that's verifiable.

infernal machines
lmao

anonymous starts a shooting war with china by hacking the president's twitter - coming 2017

infernal machines
Security Fuckup Megathread - v13.2 - DON'T HACK THE PRESIDENT YOU FUCKS!

infernal machines
brb - going to announce we've just signed the legislation to make antigua illegal, the bombing begins in five minutes

infernal machines
if they're anything like the ones around here they're straight up windows PCs with VNC directly exposed to the internet. they're also paired with an ip cam directly on the internet, used to verify the displayed image remotely

infernal machines
the most common ones here in toronto are just a display segment off a standard windows pc. you occasionally see the image app crash and there's a standard windows desktop with a few common remote control apps. usually teamviewer or vnc

infernal machines

atomicthumbs posted:

100% of drivers for printers are a trash fire

infernal machines
my business partner wants to move our clients to an active monitoring platform, pulsewave. it works well enough, but it's a cloud hosted system and the system agent has the ability to run commands on the system. i keep having the same argument explaining why we cannot use it for our clients in law/lobbying.

infernal machines

Subjunctive posted:

what are the regulatory constraints? windows update has the ability to execute commands given server instruction, as do all browsers with a decent update model

in this case our only specific constraint is that all data must be stored in canada. our clients have requested that any data stored offsite be encrypted, and they have ongoing concerns re remote data storage. basically everyone uses rdi for offsite work and all onsite systems use bitlocker. updates are managed by wsus locally, enforced by gpo and all automatic updates on 3rd party software are disabled, updating 3rd party applications is handled by sccm or ninite*.

my concern is providing a direct control channel to the server from a 3rd party cloud service

*yeah, i know, this is a potentially huge issue waiting to happen, since you're trusting their cached binaries implicitly

infernal machines

pr0zac posted:

same, don't doubt there's some crazy regulatory thing around lawyer stuff I don't know, am interested in what it is tho

this isn't a specifically regulatory compliance thing, this is a "our balls will be nailed to the wall if the systems are breached through our maintenance and monitoring system" thing

infernal machines
bonus secfuck: while setting up some workstations for a client, borrowed from an associated company, all the laptops had bitlocker enabled, with a pin required at boot. the pin was helpfully printed on a label affixed on the palmrest of each laptop

infernal machines
pc bot letter? what the gently caress does that mean?

infernal machines
lol. a us judge just nuked the global market for cloud services from us based companies

turns out having local data centers can't save you from the us drinking your data through a straw. looks like ms built those fancy new canadian data centers for nothing

infernal machines fucked around with this message at 17:34 on Feb 5, 2017

infernal machines
the point is that previous ruling was the only reason patriated data centers mattered. if you have a legal requirement to store data domestically, you had the option of using local data centers even if they were being managed by an american company, because at least legally speaking the us couldn't just subpoena all your data across national boundaries.

ms specifically built a bunch of canadian DCs so that they could bid on a shared services contract for the federal government. whoops, that's out the window now.

infernal machines
well, you can expand this to the entire eu now. there is no way to ensure compliance with existing eu privacy legislation if you use an american owned cloud service

infernal machines
oddly, fantasy sports isn't held to the same standard

infernal machines
no, using a mechanical aid to subvert the pattern is cheating. memorization is fine.

infernal machines
is it still sop for "internet security" suits to mitm ssl traffic with self-signed certs?

like, i can't imagine a bigger way to make yourself less secure than that.

infernal machines
better start epoxying those usb ports

infernal machines

Shaggar posted:

using your internal ca correctly.

whoa, hey look at this, i think maybe you've identified the issue...

infernal machines
well the other option is gateway filtering through an appliance or dedicated server, whether that's better or worse depends on your budget and key-management policies.

infernal machines
unmanaged endpoints that roll their own certs and do mitm in whatever half-assed way the vendor designed.

it's more common than you'd expect in smaller environments, because it's dirt cheap and low effort. it's also how every consumer oriented "internet security" suite does things.

infernal machines
so if anything can hook into the endpoint, or hijack the cert authority, you're hosed and you'd probably never notice

which would also probably not be a huge deal except for how cavalier some vendors are with their cert authorities that your machine now trusts by virtue of having their product installed

infernal machines
nothing i can show being exploited, although i'll see if i can find something.

infernal machines
there was an issue with avast not verifying the intercepted certs to begin with before injecting their own, i assume that was fixed because it happened back in 2015. basically going to a site with an invalid cert wouldn't trigger a warning because the browser always received a valid avast cert no matter what

more recently there's a kaspersky fuckup where their internal ca used keys that were trivial to compute

https://bugs.chromium.org/p/project-zero/issues/detail?id=978

infernal machines
oh my god. how are there still that many that don't do any kind of cert validation?

infernal machines
eripsa is also notable for having a rnn tweet bot that is more coherent than them*


*and being proud of it

infernal machines
i'm the browser extension designed to get around geoip blocks

infernal machines
stop writing his name, you'll summon him

then we'll have to give him some attention marbles or something

infernal machines
What do you do if they ask your religion?

infernal machines

Subjunctive posted:

"hail Satan" probably gets you a pass

i'm pretty sure any kind of heil will do these days...

on a secfuc note, how long should i expect to spend convincing CBP that i do not, in fact, have a social media account?

infernal machines

Subjunctive posted:

why the gently caress does Arby's have data to breach?

quote:

The malware allows hackers to steal data as a credit or debit card is swiped at the cash register, similar to breaches that have occurred at Target and Home Depot in the past.

I was secretly hoping they'd been profiling their customers somehow. or maybe someone breached their promotions systems and we get a dump of everyone signed up for the value meal club

infernal machines
wait... is that shared services canada's cybersecurity firewall?

infernal machines
CBP has been detaining foreign nationals at the border and demanding passwords to the social media accounts, among other things

depending on your level of cooperation and melanin, you may be rejected at the border, which is bad if you happen to conduct business in the us of a

infernal machines
yeah, so cbp is forcing american citizens returning to america to unlock their phones on entry. and in this case copying data from the work-issued phones of people working for other government agencies.

tl;dr: stay the gently caress away from the border for the foreseeable future

infernal machines
also in the news: you don't have to provide us with your decryption key, but we will hold you in jail indefinitely until you give us your unencrypted data so we can build a case against you.

you're being held for contempt, because the court ordered you to hand over in-the-clear data to investigators, but you haven't actually been charged with a crime.

infernal machines
and the issue specifically here is using the all writs act to end run around 5th amendment protections on the basis of "actually, we're not asking for your password, we're asking for the data protected by that password"

while holding you indefinitely, without a charge. you don't have to supply the data so they can look for something to charge you with, but you'll never leave prison again either.


infernal machines
sure, so what? that would be the proper legal method of doing this, instead of indefinite detention on no charges. if they can make the case to a jury of his peers, that's the way the system is supposed to work. saying, "nah, we know it's on there but we're not gonna charge him until this is a slam dunk" is bullshit

a nation of laws sort of relies on the government obeying its own rules, even when they're inconvenient
