post hole digger posted: i like this way of looking at this, too. we are going through a lot of user/country login pattern auditing right now too and I never really thought about it explicitly in this context w/r/t password lifecycling and such before.

That kind of stuff falls under the "rate limiting" section as detailed here (https://pages.nist.gov/800-63-3/sp800-63b.html). But continuous auditing and monitoring is a good starting path towards a network that adheres to the latest industry buzzword, zero trust security.
|
# Jun 3, 2022 03:33
|
|
don't go down the rabbit hole of zero trust security until you're ready. it's an insane mess, and that's before going into the discourse around it. there's a nist document if you wanna dip a toe in it or something, but I was serious when I called it a buzzword.
|
# Jun 3, 2022 04:47
|
my homie dhall posted: I'm mostly an idiot, but traffic on your network should be encrypted and your traffic inspection magic means a compromised system results in having the plaintext for all services

ipsec tunnels are network-to-network and remove true source and destination addresses, making it impossible to know who is talking to who (of course, ipsec transport mode is point-to-point but that's not the topic under discussion). also, by removing port numbers and other information, you won't know if someone is talking over smb, https, smtps, postgres-over-ssl, etc. Because at least if you have that info, you have a much better idea of the kind of traffic that is going around, and who to look at to audit any access.

EDIT: to be clear, all of the above is encrypted. So there is confidentiality, but there is still visibility into traffic to look for very unusual behavior.
|
# Jun 3, 2022 04:52
|
it takes a certain amount of hubris, intelligence and wisdom to do that puerto rico vr tour. too much of one, and sorely lacking in the others
|
# Jun 3, 2022 07:33
|
it should be noted that NFS security before v4 (I think) had no encryption, and security was largely centered on whitelisting machines instead of users. Not like early days SMB was any better. Modern systems have processor accelerated cryptography so it's not that much more expensive to encrypt data on the wire nowadays.
|
# Jun 3, 2022 18:27
|
so the mandiant leak is a wet fart?
|
# Jun 8, 2022 02:50
|
I don't see the point if the endpoint just returns json and not scripts. The endpoint is probably hard coded to indicate json as the content type. I mean, if you hijack the endpoint, you can make it do whatever you want including setting the content type to html or javascript. In that case, there's no need to muck with csp. I would probably only set the csp in this case if I were contractually obligated to conform to a widely accepted set of reasonable standards that dictates this. But I get the feeling that this bullet point was written up by someone who saw a vulnerability on a web page that would have been mitigated by csp and then decided that all http endpoints needed csp.
|
# Jun 11, 2022 18:57
|
nudgenudgetilt posted: but what benefit is there to pushing back on it?

The problem with likening it to a firewall is that if you can RCE on a service, a telnet server with a shell is the quickest way to get into a server. Which a firewall mitigates. A firewall also does more than "drop default" - a well configured firewall will restrict access to sensitive services (like ssh) to only trusted clients. No one is arguing against adding a firewall. Now, I'm normally against arguing for someone else because I may have their position wrong. But required web junk is annoying because:
Personally, I wouldn't mind doing it if it were dictated by something like a NIST standard or something where real technical folks actually decided it was cool and good and required. And not just by the authors of the new thing that the standard wants. Otherwise, I'll just wait for the next new XSS mitigation tech that I need to implement in my jpeg flinger instead of constantly updating an already working piece of code because of the latest hot new standard.
|
# Jun 11, 2022 20:31
|
job qualifications are a suggestion. if you know what you need to get the job done, or are willing to learn the necessary skills, it doesn't matter what kind of certificates you have. And I doubt a government agency is dumb enough to just use AI to filter resumes. Instead, they want smart people with self-confidence and a drive to learn. like that joke about 15 years of Java experience in a 90s job posting. I read that link and I get the feeling that these guys are pretty cool and open to whoever as long as they have potential
|
# Jun 14, 2022 17:19
|
Some places may absolutely require a 4 year degree or masters/phd (the diploma doesn't really need to be related to the position in many cases) for some positions for politics or optics, but everything else that can be picked up in a quick wikipedia reading is optional. Just don't lie. And government jobs tend to be a position of trust so don't be surprised if there's a background check.
|
# Jun 14, 2022 17:41
|
"I think we can be up to 5 to 10% more secure but it will require a 50% increase in budget and everyone will hate us"
"Yes, but everyone already hates us"
"Good point, sir"
|
# Jun 15, 2022 12:37
|
pki is a mess. openssl is a mess. at least the complexity helps pay the bills
|
# Jun 15, 2022 16:24
|
I once had trouble getting a SIPS client to talk to my server and it turns out that I think the client actually checks to make sure something like the web tls server bit on the x509 extended attributes in the server certificate is turned on. And I think key encipherment on key usage. It was pretty maddening when I figured it out. To top it all off, the code was open source. I dunno how fast I would have quit if the code was closed source.
|
# Jun 15, 2022 16:28
|
Truga posted: i use openssl once or twice a month, because dummies don't want letsencrypt and send certs in stupid formats instead of just requesting a CSR, so i've come to the conclusion that it's perfect as a CLI, because i now have a couple bash "scripts" that are just one openssl line that takes a file and spits out pem formatted certs i can throw into a web server or what have you

One of my CA systems is based on a makefile and, to be honest, it's very needs suiting
|
# Jun 15, 2022 17:01
|
isn't tsx bad because it has a rare chance of unintended memory corruption? even without malware, natch
|
# Jun 15, 2022 22:10
|
Beeftweeter posted: get a medical card

It's still illegal in federal law regardless of medical cards
|
# Jun 16, 2022 08:12
|
FlapYoJacks posted: Or the government could pay better wages and legalize weed?

I agree that weed should be legalized but contractors (yes, I know, it's not 100% the same) can make bank
|
# Jun 16, 2022 08:13
|
sometimes, you really need an embedded linux guy and are willing to pay anything because good engineers aren't a dime a dozen. but everything's gotta be cool at the federal level, so weed is still not cool, and it still might take another 4 years before it gets legalized. I don't smoke but I see it as the same level as alcohol
|
# Jun 16, 2022 08:15
|
Beeftweeter posted: lol, true enough, but who the hell is using theora video and vorbis audio in an ogv container?

Video games and youtube? I think archive.org uses it too. Keep in mind that mp4 is not a free codec and some people are using old rear end servers that don't support vp9 or whatever. And ogv isn't really that popular in any case because it doesn't work on iphone. I think.
|
# Jun 16, 2022 08:18
|
nudgenudgetilt posted: there are plenty of government jobs that don't test. i touched computers for the department of energy in a medical, then recreational state and never got tested. currently touch computers for the state govt in a different state, and again no tests.

That's a good point. I guess state agencies set their own rules and I guess some government agencies don't care as well. I was more referring to software development, though. Some federal contractors have a lot of money but sometimes their hands are tied regarding who can work on the code.
|
# Jun 16, 2022 08:20
|
the only winning move is not to play
|
# Jun 17, 2022 11:16
|
An important point in this discussion is that it's not the employer that's making the decision of whether or not you get or keep your clearance. It's DCSA. https://en.m.wikipedia.org/wiki/Defense_Counterintelligence_and_Security_Agency So, I guess if DCSA has a policy of being lenient on weed smokers then that's nice, but they certainly aren't going to advertise it. It's all a judgement call on the whole person. The employer is likely not going to care about the occasional use if the employee can be honest about it and keep the clearance.
|
# Jun 17, 2022 18:29
|
FlapYoJacks posted: I helped port asterisk to Buildroot, an embedded Linux SDK.

Oh hey, maybe I'll make that my next project. I got an idea for something I wanted to do with asterisk, raspberry pi, and a couple of old grandstream VoIP phones
|
# Jun 29, 2022 05:56
|
i thought the pandemic would give me time to finally read my arrl training book and pass the ham radio test but it turns out that computer touching work only increases when everyone works from home
|
# Jun 29, 2022 05:58
|
FlapYoJacks posted: It also has pjsip! It's fairly easy to compile and get going!

I need to use a dial plan. I might look at pjsip if I need to but ... for right now ... the devil you know and all that
|
# Jun 29, 2022 08:13
|
Achmed Jones posted: read this: https://www.kb6nu.com/study-guides/. it is free and will take like an hour.

sounds neat! I'll take a look.
|
# Jun 29, 2022 21:23
|
reading back an sms code is probably a weak nod to out of band authentication but probably the most friendly path for the geriatric crowd. banks and credit unions, ironically, seem to be the ones holding onto sms authentication for dear life while everyone else uses phone based totp or fido2. wouldn't banks be the first to promote fido2? It's the most secure 2fa method. Although good luck getting old people to figure out how it works
|
# Jun 30, 2022 01:07
|
nudgenudgetilt posted: honestly, it depends. "if you called us" requires users to remember a conditional, which causes the whole system to fail. If they know that there is a single condition where disclosing the OTP is valid, then there is a good chance that a savvy phisher will just tell them that policies change and they should check their e-mail from april last year when it was announced.

And no one is going to go through that hassle if they're just opening a new line of credit in exchange for a free toaster or whatever banks give away now. Applebees gift card? A free cruise trip to Mexico?
|
# Jun 30, 2022 03:20
|
nudgenudgetilt posted: right, so while protecting one medium you're actively sacrificing another.

Frankly, I think there should be context to all the OTPs and have users read them off every single time they want to do something that could be expensive. The SMS should say "You are transferring $5000 to Kirk to purchase a ticket to the Razr afterparty. To confirm, repeat the following code to the service agent: 80085" And just do it for every single thing they want to do that would reasonably require it. And if it takes too long then they need to either get a personal banker or walk into the branch office. That way, a man-in-the-middle has a much harder time tricking them into doing something unintended.
|
# Jun 30, 2022 03:30
|
Jabor posted: The system sending the SMS knows that this one is going to be used to authenticate someone over the phone. (Or at least, it could know that it's being asked to send an SMS because someone in a call center pushed the "validate caller" button, rather than because a web server got a login request from the public internet). Instead of sending a number, it could send a pronounceable code phrase, that way you're not teaching people to recite web login OTP numbers to people on the phone.

"my rear end is my password"
|
# Jun 30, 2022 03:36
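The contextual, channel-bound confirmation code that the two posts above argue for, as an added example that is not from any poster: the code is an HMAC over the time step, the channel the code is for ("phone" vs "web") and the human-readable transaction text, so a code read out for one transfer fails verification for a different transfer, and a web-login code fails over the phone. The secret, transaction text and function names are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret; a real deployment uses a per-user secret kept in an HSM or vault.
DEMO_SECRET = b"constructed-demo-secret-not-real"


def context_code(secret: bytes, channel: str, context: str, when: float,
                 step: int = 120, digits: int = 6) -> str:
    """Code derived from the channel, the transaction text shown to the user and a time step.

    Because channel and context are inside the MAC, a code issued for one transfer
    (or for a web login) is not valid for anything else.
    """
    counter = int(when // step)
    msg = struct.pack(">Q", counter) + channel.encode() + b"\0" + context.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226-style dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def sms_text(channel: str, context: str, secret: bytes, when: float) -> str:
    """The message the bank would send: the context first, the code last."""
    code = context_code(secret, channel, context, when)
    return f"{context} To confirm, repeat this code to the service agent: {code}"


def verify(secret: bytes, channel: str, context: str, code: str, when: float,
           step: int = 120, window: int = 1) -> bool:
    """Accept the code only for the same channel and context, within +/- window time steps."""
    for drift in range(-window, window + 1):
        expected = context_code(secret, channel, context, when + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    ctx = "You are transferring $5000 to Kirk for a Razr afterparty ticket."
    print(sms_text("phone", ctx, DEMO_SECRET, time.time()))
```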
|
Plorkyeran posted: i had a totp device for my wow account several years before it was an option for my bank account

I wish blizzard and square would allow people to use a standard totp generator instead of using their custom bespoke apps
|
# Jun 30, 2022 18:43
|
flakeloaf posted: i still have mine, which they obsoleted for a stupid app

I have one of those! I never used it. But originally I was referring to the ability to use google authenticator or something. I want one app to generate TOTP codes, not 3 or 4.
|
# Jun 30, 2022 21:14
|
Podima posted: square lets you use a generic authenticator app as of last April

Subjunctive posted: I use TOTP for my FFXIV account.

Thanks. I'll have to check it out!
|
# Jun 30, 2022 21:15
|
go play outside Skyler posted: lmao what do you need 2fa for on a gaming account? are you scared of losing your xp you loving nerds??

they give you bonuses if you attach an authenticator, you idiot. you absolute moron.
|
# Jun 30, 2022 21:16
|
business development via merge spam. it's ingenious. I wonder how many contract dev shops make use of it, although it may not be much since anyone getting tagged is gonna be a dev and not a program manager or anyone with pursestrings. On the other hand, it could be pretty ingenious to use for dating scams
|
# Jul 1, 2022 06:15
|
I wish to push this 500k merge into your source tree but I require 10K lines from you as a good faith investment
|
# Jul 1, 2022 06:16
|
Beeftweeter posted: yeah i just edited it because i realized the way i worded it made it sound dumb as hell lol. thanks, some turbonerd is trying to advocate for sftp and i'm trying to shut them down

I know sftp has been around as long as about ssh2 but I have never seen it used in any documentation or testing or production stuff. I think I've seen gui based file transfer clients for windows that might have used it, but that's about it. I use rsync for everything, since it does both local and remote copy. But I'll use scp in edge cases or if I feel like it. The only reason I could see a recommendation for sftp is maybe to reduce attack surface. But if everyone is using rsync anyway, it would just be easier to configure authorized_keys to restrict commands to rsync only or something
|
# Jul 1, 2022 16:04
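The authorized_keys restriction mentioned in the post above, as an added example that is not from the poster: a forced-command wrapper (assumed to be installed at /usr/local/bin/rsync-only.py) that lets the key run nothing but rsync in server mode, confined to one directory. The directory, the key line and the short refused-option list are constructed for the demo; the rrsync script shipped with rsync does the same job with a fuller option list.

```python
import os
import shlex
import sys

# Constructed value for the example: the only tree this key may read or write.
ALLOWED_ROOT = "/srv/backups/host1"

# The matching authorized_keys line (wrapper path assumed for the example):
#   restrict,command="/usr/local/bin/rsync-only.py" ssh-ed25519 AAAA... backup@host1
# "restrict" turns off forwarding, pty and X11; "command=" forces this script
# and hands the client's real request over in SSH_ORIGINAL_COMMAND.

# Illustrative, not exhaustive: server-side options that write or read outside
# the transfer itself. rsync's own rrsync script keeps a fuller list.
REFUSED_OPTIONS = {"--log-file", "--files-from", "--remove-source-files", "--rsh", "-e"}


def check_rsync_command(original: str, allowed_root: str = ALLOWED_ROOT):
    """Return the argv to exec if ORIGINAL is an rsync server run confined to
    allowed_root, otherwise None (the connection is then refused)."""
    try:
        argv = shlex.split(original)
    except ValueError:
        return None
    # An rsync client always drives the remote side as: rsync --server [opts] . <path>
    if len(argv) < 4 or argv[:2] != ["rsync", "--server"] or argv[-2] != ".":
        return None
    for opt in argv[2:-2]:
        if not opt.startswith("-") or opt.split("=", 1)[0] in REFUSED_OPTIONS:
            return None
    requested = argv[-1]
    path = requested if requested.startswith("/") else os.path.join(allowed_root, requested)
    path = os.path.normpath(path)  # collapses any ../ escape attempt
    if path != allowed_root and not path.startswith(allowed_root + "/"):
        return None
    if requested.endswith("/") and not path.endswith("/"):
        path += "/"  # keep rsync's "contents of the directory" meaning
    return argv[:-1] + [path]


def main() -> None:
    cmd = check_rsync_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if cmd is None:
        sys.stderr.write("refused: this key may only run rsync inside the backup tree\n")
        sys.exit(1)
    os.execvp(cmd[0], cmd)


if __name__ == "__main__":
    main()
```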
|
if it's secure enough and the systems administrators are familiar with it, I see little reason to change from rsync to sftp
|
# Jul 1, 2022 16:42
|
nudgenudgetilt posted: that page links to the twenty year old ietf standard implemented by pretty much every server except, apparently, dropbear
|
# Jul 1, 2022 16:47
|
|
Powerful Two-Hander posted: chatting with our it sec guys today about something and said "I mean look, if you want to treat it like that just go and cut the cables so there's no internet access at all" and the response was "if I could cut every connection to this building, i would".
|
# Jul 1, 2022 17:05