|
mystes posted:Excuse me while I buy the rights to old IOT thermostats so I can sell extended service as a subscription for $20/month "We have been trying to contact you about your thermostat's extended support plan."
|
#
¿
Mar 30, 2022 16:21
|
|
|
|
| # ¿ Apr 26, 2024 10:55 |
|
|
Hed posted:I also vote QUIC because I’m going to have to build something involving it soon and I need to understand QUIC guts better.
|
|
#
¿
Apr 6, 2022 03:08
|
|
|
If I were a person that only watches porn, then I could see no other conceivable reason to convert and remaster video streams except for porn. The reality is that I only watch anime.
|
|
#
¿
Apr 24, 2022 04:56
|
|
|
Hed posted:interesting. I’m pretty familiar with the Secure Enclave on the Apple side but I need to check out how Windows is doing it and the whole hello thing. also curious what this does for Yubikeys used as a simple FIDO/2 token. Yubikeys would still be useful as an alternative to carrying around an entire smartphone. Like as an emergency "break glass" second factor or login token. Yubikeys can also be used as a mechanism to encrypt FDE passwords, or at other times when it's not really feasible to connect to a computer to fetch the password.
|
|
#
¿
May 5, 2022 22:39
|
|
|
tired: using a bash script and awk to comb through git repositories for ssh keys and api tokens wired: using an AI to comb through twitch live and archive streams of people programming and automatically guessing passwords based on typing heuristics and totp qr code screenshots
|
|
#
¿
May 6, 2022 08:06
|
|
|
dang man, all my health insurance gives me is a free $10K in life insurance or was that my credit union?
|
|
#
¿
May 6, 2022 16:42
|
|
|
I find that older businesses that should have tighter security are usually the ones that have the most conservative and outdated security models and controls.
At least, in the wider sense, password expiration is going away. I hope password complexity goes with it. I think account security should just require a six character password minimum that isn't your username, and a second factor.
|
|
#
¿
May 7, 2022 23:34
|
|
|
CMYK BLYAT! posted:still higher than when i sold off my options in april 2020 lol The hilarious thing is that NIST, who gathers and verifies and disseminates standards, specifically changed the standard so that arbitrary password expiration (including periodic expiration) is not recommended. Password expiration should instead be done only when there is evidence of compromise (such as malicious activity or if someone steals the hash). They also specifically say that password complexity is not recommended and a blacklist of common passwords is a better alternative. They also recommend that users be able to paste passwords in order to use password managers.
|
|
#
¿
May 8, 2022 06:15
|
|
|
https://pages.nist.gov/800-63-FAQ/ Here's a faq with more info. I like to forward this information to people so that they know that their security theater policies are actively harming user security.
|
|
#
¿
May 8, 2022 06:17
|
|
|
Funny enough, I use keepass because it doesn't integrate with my browser. That way, I know how to backup, migrate, and test my password databases. Also, if there's some insane 0day that completely breaks firefox and chrome and forwards all passwords to a website using a watering hole attack, I'll still be ok because keepass would be in a completely separate process.
|
|
#
¿
May 8, 2022 07:31
|
|
|
Penisface posted:cant take nist advice, its the us which means its basically cia and the recommendations are in some clever way actually weakening your security Yes. That was the insane dual ecc backdoor. Although I have hardly ever seen it used in practice, even when it was part of the standard (and yes, it has already been withdrawn). https://en.m.wikipedia.org/wiki/Dual_EC_DRBG It is an incredibly big black eye for NIST, who recommended it based on guidance from NSA. Given that NSA is responsible for other lapses including the accidental release of their EternalBlue exploit (which lead to the WannaCry worm: https://en.m.wikipedia.org/wiki/WannaCry_ransomware_attack), they seem to be more interested in finding and fixing vulnerabilities than hoarding them (see: https://en.m.wikipedia.org/wiki/Ghidra) You don't have to trust NIST, but a lot of US based organizations have to follow their guidance and they have a lot of good common sense suggestions that are backed by a lot of analysis. If you have to convince someone of something, and NIST already backs that position, then it's not a bad idea to crib their work and save you some time. One last point. NIST is pretty clear and public about requirements for systems that require high security. This is because they want to encourage use of commercial tech instead of expensive custom built solutions (see: csfc). So it makes little sense to require use of insecure curves or algorithms if other countries would be able to find any flaws.
|
|
#
¿
May 8, 2022 07:55
|
|
|
I mean, there's little point to thinking that there's a conspiracy afoot when NIST recommends against arbitrary password expiration. A lot of it is just reasonable stuff, although quite exhaustive. It's the inscrutable stuff, like crypto algorithms, that would rightly tend to attract a more jaundiced eye. Probably why wireguard doesn't use any of the NIST approved algorithms (as far as I know). But as another poster said before, NIST generally just picks whatever makes sense. It should be pointed out that AES was not initially developed in the states, but in Belgium. Same with the SHA-3 family. If there was a flaw introduced, then surely the original developers would have spoken up. EDIT: fix misspelling sb hermit fucked around with this message at 08:22 on May 8, 2022 |
|
#
¿
May 8, 2022 08:08
|
|
|
Penisface posted:i guess the real question is: how much are nist a tool of united states foreign policy? and will their quality of service suffer if its needed for us global hegemony? idk Other countries will likely have their own standards, likely written in their own language, so on the surface, the effect is minimal. Businesses will likely only implement the minimum needed to fulfill legal requirements and insurance requirements and whatever will ultimately save enough money to be worth the time to implement. However, for companies providing services to the US government or are otherwise subject to US laws (like HIPAA), or even companies providing services to US government contractors, may need to implement NIST guidance to be able to sell their wares. For example, if you do any encryption of certain kinds of data, you'll need to provide documentation that your cryptographic modules are FIPS 140-2 certified. It's why Samsung phones and the Ubuntu Linux OS have spent a large amount of time and money to be certified. But at any rate, the NIST standards are generally gold, and provide exhaustive coverage on a lot of expansive topics that simply aren't available elsewhere. Unless your requirements demand their use, however, nothing stops you (or anyone else) from just ignoring them. It should be pointed out that weakened standards will be pointed out by researchers and further undermine trust in the organization. Not to mention potential leaks if another backdoored algorithm is shipped. No one wants to buy american products with state mandated back doors and vulnerabilities, so international trust in NIST is key.
|
|
#
¿
May 8, 2022 10:07
|
|
|
Ulf posted:it's no surprise that pretty much everyone ignores the NIST curves and key exchange in any popular TLS / QUIC library is using djb's curve25519 or stronger curves like curve448 that copy his work. And the kicker to all of this is that using just EC for asymmetric crypto is not quantum resistant, so we'll be seeing new algorithms in the next decade that replace all of this. Hopefully it'll be an open process so that, internationally, we won't be seeing any algorithms that give architects any pause before using them. It already sucks balls to have to modify good implementations because they don't work with standards you are contractually obliged to work with. On the other hand, being able to negotiate algorithms would lead to some seriously overengineered crap like IKEv1. Just having a default set that everyone accepts would be much better. Preferably with a hardware accelerated symmetric crypto algorithm, hash algorithm, and deterministic random bit generator.
|
|
#
¿
May 8, 2022 21:39
|
|
|
CommieGIR posted:Yeah but, ironically, I get why they did it. I disagree with it, but the reality is a lot of people absolutely refuse to install actually Multifactor apps on their phones or might have phones old enough not to be able to do so. I don't see smartphones as a good mechanism for passwordless logins in high security situations. Heck, for certain areas, having a powered-on smartphone itself would be an auditable event. Much better to have a smartcard or yubikey, paired with a reasonable password, for secure mfa authentication. And yeah, for better or for worse, sms 2fa is better than no mfa, but not good enough for domain admins or accounts that require reasonable confidentiality.
|
|
#
¿
May 8, 2022 21:46
|
|
|
Real talk. All the NFC usb stuff that's good for desktops is like $100, maybe $50 for sketchy stuff. Does anyone have a recommendation from a reputable vendor? Or are all the $20 readers only available on aliexpress or something? I would be very mad if there was just a cheap hp or dell or microsoft thing that everyone uses but I somehow overlook. EDIT: I'm just talking about something that can read NFC on a yubikey or an NFC tag or something, nothing too complicated.
|
|
#
¿
May 10, 2022 07:10
|
|
|
Guy Axlerod posted:If you're after a cheap solution, I'm not sure why you'd use a USB nfc reader for a yubikey. You can just plug it in? Get a USB hub or extension to put it on top of your desk if that's what you're missing and price sensitive. I'm asking for suggestions for which usb based nfc reader to buy. EDIT: I somehow misread this. I'm testing out security solutions and it's easier for users to just use nfc than to try plugging stuff in. I mentioned yubikeys because they're the easiest thing I have on hand to try out. sb hermit fucked around with this message at 16:53 on May 10, 2022 |
|
#
¿
May 10, 2022 16:47
|
|
|
Hed posted:I bought this HID reader a couple months ago and 3M stripped it to the underside of my desk. https://www.amazon.com/gp/aw/d/B079T2FKN1 Midjack posted:the scl3711 is a fairly competent reader that also works with libnfc if that's something you need. there are a couple of formats it can't handle (don't think it does iclass for example) but it's a good general purpose hf rfid reader. Sweet! Thank you!
|
|
#
¿
May 10, 2022 16:49
|
|
|
El Mero Mero posted:$30-50 is cheap as hell. Alternatively, do people not get security badges issued? You can always make those more expensive and turn them into nfc-enabled cards. the yubikey security key nfc is $25 and at times has been as low as $10 (in a $100 10-pack)
|
|
#
¿
May 10, 2022 17:33
|
|
|
Beeftweeter posted:...guys, the CEO says he lost his yubikey and i locked myself out of the AD console. guys? As long as you have physical access to the computer, you can change anything. Wait, you were being serious about the AD being Azure? Seriously, though, this is the time to break out the disaster plans. You ... did ... make disaster plans, right? And you tested them?
|
|
#
¿
May 10, 2022 20:57
|
|
|
why is there always a dave in an infosec group of sufficient size?
|
|
#
¿
May 10, 2022 20:58
|
|
|
mystes posted:What you want is a piv card and reader I want something that users can just tap. Something on a keychain would be preferable. Or maybe even let users use their phone if they want. If they have to insert anything then might as well just do usb security keys.
|
|
#
¿
May 10, 2022 21:03
|
|
|
Volmarias posted:Ok, but where does this reader live? Are you inserting it into everyone's computers? Will people with laptops have to carry it with them? If users potentially just leave their security key in the device at the end of the day, what's the specific concerns and how do you remediate them? What makes this better than using the device itself for authentication? I just asked for cheap nfc readers to test out new mfa scenarios. This is initially for personal use so that I can get a feel for how easy it is to use. If I was pricing something out for a larger userbase, I certainly won't be asking YOSPOS, I would be getting a buyer to do that research. I know that smartcards exist (I have about a half dozen, I think). I know that security keys exist, and I talk a lot about yubico keys in yospos. I also know that NFCs in phones are getting more prevalent and NFCs in laptops are not uncommon. I'm simply trying to get ahead of the curve. Smartcards are nice but they don't really work well with phones if you have to get an external reader. The fact of the matter is that I just want to try out NFCs for the desktop. It probably has limitations and whatnot, and I won't know how much they matter in a practical sense until I actually get hands on.
|
|
#
¿
May 10, 2022 21:22
|
|
|
Beeftweeter posted:speaking of shorting pins, can't you just (in theory) force the tpm to reset to bypass the rate limiting though? Resetting the TPM will clear its registers, making it unable to provide the correct values needed to unlock the PC. at which point, you'll need a bitlocker recovery key. However, you could potentially setup LUKS or other encryption systems to be less stringent about how much tpm deviation is acceptable. Dylan16807 posted:the TPM code is on your motherboard maker I've seen motherboard bioses that let you disable the onboard TPM so that you can use a different TPM chip.
|
|
#
¿
May 10, 2022 22:39
|
|
|
I don't bother trying to connect a smartcard to a linux computer unless it's an explicit use case that supports it. The usb reader might work, ok, but you still need drivers to communicate with the firmware on the card, and I'm not going to risk bricking a smartcard today if I need to use it to auth tomorrow. The vendor that sold me my smartcard also sold me the reader and also provides the software to put it all together. It's janky as all hell (and previously required MSIE to work at all) but it's what the job wants and is definitely not some sketch "dod military usb amazon sponsored" gadget.
|
|
#
¿
May 17, 2022 03:52
|
|
|
Midjack posted:saicoowned saicoomed
|
|
#
¿
May 17, 2022 03:56
|
|
|
nudgenudgetilt posted:that's true of every os, not just linux. if you're using a card that implements an interface other than those already implemented in opensc (mac or linux) or windows, opensc will have no clue what to do. well, yeah, but what kind of vendor sells user-facing authentication solutions that don't work in windows? Or actually supply a linux driver? I'm just pointing out that this sort of use case instills a bit of artificial requirement for Windows (maybe Mac). Sure, future versions of the authentication solution might work under linux and I look forward to it. For now, I have to keep a windows laptop patched and raring to go in case I have to use this smartcard.
|
|
#
¿
May 17, 2022 07:39
|
|
|
are pictures of trees better or worse than pictures of animals on o'reilly books (or pictures of overly enthusiastic millennials on their head start series)
|
|
#
¿
May 18, 2022 08:53
|
|
|
maybe if they had pictures of trees then I would finally remember the difference between a eucalyptus tree and an oak tree
|
|
#
¿
May 18, 2022 08:54
|
|
|
Crime on a Dime posted:oak: acorns trap sprung
|
|
#
¿
May 18, 2022 13:23
|
|
|
dpkg chopra posted:calculate all the factors of 2, record your brain output, make that your password. now you have true two-factor authentication I wonder how effective this would be as an actual authentication mechanism. Like, somehow deriving a code with a sufficient bit length with enough entropy by converting brainwaves at a specific point in time or a shifting window when instructed to remember a memory or scent. Or just trying to empty your mind entirely.
|
|
#
¿
May 20, 2022 16:59
|
|
|
with good hardware randomizers being standard, at least no one is going to bother with emphasizing nonce generation
|
|
#
¿
May 20, 2022 20:37
|
|
|
nonces are heavily used in IKE. In fact, they can be used to generate cookies.
|
|
#
¿
May 20, 2022 20:42
|
|
|
ate poo poo on live tv posted:BGP is actually a poor example in this case because things like BGP Flow-spec can actually be used by people running their ancient mainframe internet access through an EoL Cisco box, they can also implement a number of BCP's such as BGP TTL Security, or anti-spoofing measures. All of those are relatively recent improvements that were designed to be compatible with BGP Speakers that are running on ancient hardware. the bgp speakers of the 3rd tier NANOG
|
|
#
¿
May 21, 2022 19:38
|
|
|
an ancient company selling paper supplies that was an early adopter of the internet and has an entire class B of the public ipv4. the network operators trying to justify to iana that they need all that space, but are secretly using it for their own purposes the c-suite executives trying to find a way to sell off the class B but get thwarted by the network operators the independent tech journalists trying to find out the real truth behind everything
|
|
#
¿
May 21, 2022 19:42
|
|
|
The fact that you can run arbitrary commands is enough of an exploit to make it critical.
|
|
#
¿
Jun 1, 2022 05:43
|
|
|
run a cryptominer install malicious browser extensions perhaps even tap the mic and camera and/or steal keystrokes force them to watch anime to unlock their files
|
|
#
¿
Jun 1, 2022 17:47
|
|
|
the uwu will continue until compliance is satisfactory
|
|
#
¿
Jun 1, 2022 17:47
|
|
|
Obviously a lot of it is bad advice, but there's a nugget in there. If you were consulting and fishing for work then it would make sense to just take an hour of time to do a sales pitch and a boilerplate security regime and hit them with contracts for periodic security assessments or priority alerts. Like lifelock but for cyber and for businesses (I have never used lifelock but identity protection in general sounds like a scam) Lawyers do this all the time. Heck, they'll even buy you a nice dinner and give you free literature if you're the right client and just willing to listen. It's just a business decision. I also get a crapload of spam e-mails from local tech outsourcing firms (as in, the work is remote but the reps are local) to talk about organizing development teams or free developer time plus coffee. Not worth the time. Most real businesses would not have the time or the inclination to take up such an offer, especially if it's free. If it was required by regulation or insurance or other sound business decision then maybe.
|
|
#
¿
Jun 1, 2022 19:39
|
|
|
|
| # ¿ Apr 26, 2024 10:55 |
|
|
User notifications of audit events seems to be pretty standard. I get them all the time while logging into netflix, or gmail, or my bank, or ebay, etc. They just let you in but they also e-mail you about it. That way, if it wasn't you, you can do something about it. It's part of the "don't force users to change their passwords willy nilly but make sure the access is not weird like from china or russia if they haven't logged in from there before" that modern cybersecurity strategies are adopting since being championed by NIST and etc. Getting users in the loop may be annoying for users but it lowers IT cost and risk if done right.
|
|
#
¿
Jun 3, 2022 02:12
|
|