BangersInMyKnickers posted:
> HP printers now have this feature out of box, default enabled. The printer will make a call home to some HP run mailserver front end and if you email the right address out comes a print. I have absolutely no idea how this isn't being abused to hell and back yet

The first thing you do when you set up ePrint is to restrict the list of allowed senders so you don't get spammed by random messages. This is not the default behavior and is hidden behind two levels of menus, last time I went on HP Connected.
# Sep 30, 2023 04:53
PSD2 is pretty much removing any option for "just SMS" in most EU countries, be it on banks (pretty much every bank here demands you install their app to act as TOTP) or credit cards (hard code and then SMS). Sadly I think it's clearly written to not let customers use stronger systems like FIDO2 but only the bank apps.
Pile Of Garbage posted:
> edit: that bullshit MFA app aside i've never once had a single issue filing my taxes via the portal and as far as im concerned i've a flawless record with online filing via the ATO both before the portal with eTax and with the portal. never once filed a paper return, drat it's good when AU finally does some poo poo right!

TOTP being carried from device to device (e.g. Authy or MS Authenticator) is convenience at the expense of security. PSD2 seems to demand re-enrolling devices rather than migrating too, as every bank app I have does the same.
Carthag Tuek posted:
> nets (the company that runs nemid) just got swallowed by an italian company called nexi so...

Anecdotal since I've interacted with them in the past, but Nexi (formerly known as CartaSI) is the sole entity in Italy that has been able to roll out every tokenized payment in existence (including Garmin and Samsung Pay) while the rest of the banks had a thumb deep in their asses; they are far from the dumbest entity you could interact with in the sector. Most banks here are now dropping their current in-house systems for a Nexi-provided solution to not look like assholes.
Rufus Ping posted:
> I think this is a bit strong, my (UK) bank uses them for just this as recently as last year. The agent could clearly see the whole answer on screen and seemed a little surprised when I was able to give all my nonsense answers correctly. But then said it made sense / was smart when I explained "it's just some gibberish I made up because everyone knows my actual dog's name" etc. Hopefully they wouldn't have accepted that explanation in lieu of an actual answer

Before PSD, most banks in Italy provided you with a plastic card with a bunch of digits, and you had to type the digits at specific coordinates to confirm ops and in case of lost passwords. After PSD all of this stuff was turned into OTP codes over SMS and then over banking apps, but in some cases you still need to fish out the code card if you forget the password.
cinci zoo sniper posted:
> latvia, lithuania, finland, sweden, germany (west), uk

I've been in centuries-old Italian houses and I've never seen split outlets for hot/cold, and the same applies for current ones. Either two knobs with a single output or a two-axis single control lever with a single output.
I started using Authy when MS Authenticator did not allow saving OTP backups or sync, after my Google Authenticator install corrupted its database (I know it's not safe, but I have too many OTPs to re-enroll at every phone swap otherwise). I have moved the critical OTPs over to a YubiKey to mitigate Authy's sync-happy downside. Passwords are provided by KeePass or KeePassium depending on platform. I keep OTP and password separate because there is not a decent native implementation for OTP in KeePass on all my apps.

SlowBloke fucked around with this message at 08:46 on Aug 13, 2021
ewiley posted:
> (just buy 2 yubikeys!).

Some sites sadly let you register only one single YubiKey; hopefully this RFC will let you solve that issue: https://www.yubico.com/blog/yubico-proposes-webauthn-protocol-extension-to-simplify-backup-security-keys/
mystes posted:
> I mean it's the same as entering a passphrase by the keyboard so it's not terrible and will provide protection if someone steals your computer while it's off, but if your computer is compromised there's no reason they can't just steal the key or passphrase when you use your yubikey and that allows them to decrypt the entire password database.

The current YubiKey stance is either challenge-response or HOTP: https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass. Both require plugins, so if you want to use your YubiKey on mobile apps you might be stuffed depending on the app.
mystes posted:
> I think this conversion got mixed up and maybe I misunderstood what someone was saying but I was trying to say that it's not great to store TOTP secrets in your password manager and using a yubikey to authenticate to the password manager doesn't really fix that.

Oh, sorry if I was out of scope, I just wanted to clear any confusion on the official option for current YubiKeys. There is no U2F/FIDO plug-in in the KeePass repo so, if you don't want to add an extra overlay of cryptography over the KeePass file with the OpenPGP strata or the virtual smart card as the unlock key, those two are your current supported picks. While I understand the security implication of "if the device containing the KeePass file is compromised and rooted, anything is unsafe", there is a usability-security compromise to implement. If using the password safe takes more time than engaging a lost-password flow, there is not much use in hardening KeePass so much when you are never going to use it. Also anything older than the 5 series is EoL, so don't suggest getting any of those old parts to anyone that might want to purchase a YubiKey.

SlowBloke fucked around with this message at 22:00 on Aug 13, 2021
Antigravitas posted:
> Unlikely imo. It's a public forum and pseudonymous as well. I'd have to read the relevant laws again but I think I remember that forums like this weren't covered the same way you can't demand mailing lists remove your mails.

Social media is covered by the right to be forgotten too, which is why there is a "download all my data" and "wipe all my data" feature in multiple sites, even in Roblox (https://devforum.roblox.com/t/update-to-gdpr-right-to-be-forgotten-messaging/885792). There is already a "search posts by poster id" feature; the only requirement would be to add a "search all content by the poster id and wipe it from the db" to be compliant.
ewiley posted:
> yes this is a problem if the government does not enforce its own laws and instead lets cronyism stand, I agree.

Most trace applications have weird histories; the Italian trace app "Immuni" was done by a relatively unknown firm that was under the thumb of the Berlusconi family and other upper-class VCs. Today most people have no idea why they picked that firm rather than other offers.
cinci zoo sniper posted:
> i wouldn't say "most". the european norm seems to have been to just make a thin wrapper on top of the google and apple exposure api, with uk and germany being 2 noteworthy exceptions that i know

I mean that none of those apps got made for free, and the contracts have been very nebulous for very few lines of code since, as you said, they just reused the available device SDK.
cinci zoo sniper posted:
> that's a baseless assertion in your seeming quest to extrapolate italy being a known dysfunctional shitocracy to everyone else. to give you a specific example to the contrary, latvian contact tracing app (first globally to have a nationwide deployment with the exposure notification apis) was built pro-bono by the national tech industry (participants start with the ninth icon here https://www.apturicovid.lv/iesaistitas-organizacijas ) - they established a non-profit, developed and launched the app in a month, and afterwards earned an endorsement (and only that) from the government for job well done

Can you stop putting words in my mouth, I didn't say ALL. Finland and Austria have not developed pro bono apps, for instance (budgets in the 850-1m€ range); I am not aware of other examples of pro bono made tracing apps in the EU.
At least Euro trace apps' code has been put on GitHub to please the skeptics; some authorities provided only the front ends while others provided the whole stack. Funnily enough the Immuni GitHub (https://github.com/immuni-app) includes front-end, back-end, CI tests and public open data.
eID and eIDAS should make national-level ID codes redundant, but I think it will take a few years before they get abandoned.
Hed posted:
> I got some Yubikeys to gently caress around with. Does anyone actually use these widespread at their work? Or smartcards at all?

If your firm is a Windows shop on hybrid or Azure AD join, they are the quickest and simplest way to go passwordless. Microsoft Authenticator will work only on web sessions and not Windows logins. The main component of a YubiKey for current tech is the FIDO2/WebAuthn part; the rest is only to make it work with legacy tech.
Hed posted:
> this is probably a good time to ask... all the SaaSes seem to gate their SSO connector behind "Enterprise" or a higher tier of service, but GSuite SSO seems to be the exception here.

SSO on the IdP is mostly free; Microsoft Azure AD lets you use it for SAML without restrictions. Applications are the biggest issue, since an awful lot of them demand special licensing to let you use SAML or OAuth instead of their own user DB.
post hole digger posted:
> can i get peoples thoughts on phishing sim campaigns? our org is currently doing a rather stupid knowbe4 one and I am not a fan of the practice in general. this is not being done to tick a compliance checkbox. purely for the love of the game. am i wrong in thinking about it this way? there is no 'goal' for the campaign, just good old 'user awareness'.

It's a necessary evil to scare users into complying with MFA/security hardening. Having a successful phishing sim will make even the most stubborn people think "Maybe the nerds demanding me to confirm logins every X days are not so wrong after all". The most fun thing about KnowBe4 or other equivalents is that they are only useful in the United States; last time I checked there are zero payloads targeting non-US locales so, using them worldwide, you will end up with 100% penetration on the US HQ and the remaining sites getting 0%, making the HQ staffers look like fools.

SlowBloke fucked around with this message at 12:44 on Jun 21, 2022
distortion park posted:
> It's fun coming up with the payloads if you're doing it yourself though. "New Halloween costume policy" with unacceptable.docm or whatever attached

When we first tested our 365 attack simulator, we created the weirdest payloads (which have sadly been removed since then). Stuff like "Mosh pit corporate dress code change notification" or "Nigerian princes summit 2020 registration links", using our standard internal mail formats, and I think I could have got a few bites if I had run it.
Sickening posted:
> I just want simulated phishing to go away entirely. I don't want my staff to waste the mouse clicks in settings it up. User education seems to be less valuable every year. If the tech doesn't work, users aren't going to save you.

Our field trials ended up in zero deploys since we had absolute certainty that, no matter how many times our users got pranked, they would never learn to check the indicators for a phish mail. One of our users cryptolocked us three times in the same fiscal quarter and nothing was done about it, not even a stern email, so we have zero hopes on that front.
Beeftweeter posted:
> e: ^^^ yeah thats my understanding

Third-party SFP ONTs are a convenience item if you have a router with an SFP WAN port, or a nerd fidget spinner (since it will require constant tinkering). It does nothing for latency or performance (since most units have a gigabit PHY, same as the ISP external ONT kit). Source: I have a Technicolor AFM0002TIM SFP ONT provided by my ISP.
Shame Boy posted:
> it's not a joke it's just i've never seen a + on a phone and whenever i dial internationally i always have to look up all this stuff you posted to do it

It has never been a dedicated key; most mobile phones I remember having it on the keyboard (I'm talking ye olde T9 era) used a long press of the 0 key to type it.
Hed posted:
> companies that have moved your Duo / Azure AD / SAML to FIDO2 what do you use for when users lose their physical key?

Azure AD has temporary access codes; in case of FIDO key loss we do some challenges on corporate stuff that only a real employee should know, over a known phone number, and then we provide a time-limited access code while removing the lost FIDO registration. If the employee is onsite we just document the loss of the FIDO key and provide support in registering the new one while deleting the lost one.
Subjunctive posted:
> how would they determine that it's outlook without just trusting the client to report it?

If my conditional access logs are any indication, Microsoft is certainly acquiring the platform and the specific app in most cases during the MFA request/modern auth attempt.
TheMightyBoops posted:
> They disabled the fingerprint readers on the laptops they bought us. I have no clue why; I assume I can turn it on in the bios or something.

If it's domain-joined Windows, you will need to have the admins turn on Windows Hello for Business or no biometrics of any kind will work.
Pile Of Garbage posted:
> quick question re yubikeys: if i've hooked up a bunch of poo poo to a yubikey with an unset FIDO2 PIN and then set a PIN will that break the existing associations?

Since nobody real answered: adding a PIN will not affect existing associations, it only requires an extra step to validate the logon.
Hed posted:
> Email is way away from what I do now but how do email spoofers get through to our finance & accounting team masquerading as our employees?

You need to set up anti-phish in the 365 security portal to quarantine/drop impersonation attempts.
If the Germans want to go back that hard to in-house hosted Dovecot with 1990s-level features, nobody is stopping them; just stop trying to gently caress us public sector 365 users that are more than happy with Microsoft.
Subjunctive posted:
> sure but what about the tons of individuals' private information you traffic in during your day to day work? those people have rights too, even if they're German

We don't have PII data in 365; we keep that in a dedicated local silo with Purview actively hunting for erroneous data uploads. Which is what any sane people should do rather than cloud-lift everything and then make such a racket afterwards.
Sickening posted:
> you definitely have pii in your office 365 spaces, users can't help themselves.

We move so little PII that it's trivial to keep an eye on it; I'm not terribly worried. Plus our users are actively resisting moving the non-critical data to 365 groups, so I'm not expecting clandestine uploads when they cannot make a SharePoint/Teams site.
Shame Boy posted:
> my users are simply too stupid to break the law, you see

Given that one of those people decided that "I will print out the file's path and bring the paper over" when asked to share the files, yes.
rjmccall posted:
> fortunately just using a european cloud provider will solve all your gdpr problems (because nobody will bother investigating it)

Doubly so when the cloud provider goes up in flames; after all, the main proponent of Gaia-X was OVH.
Babies Getting Rabies posted:
> i just quickly read over the 8 page summary and i don't think this is particularly easy to fix for microsoft. a full EU instance might do it - but only if it either does not transfer data outside of the EU at all or if it only does so in very specific cases which are spelled out in detail and only to specific jurisdictions.

Most 365 components have a European instance already, either in Germany, France or Ireland. Data processing is the only grey area that requires bureaucratic/ops work to make the Germans happy. Whoever is keeping these debates alive likely has stakes in that flaming trash fire called Gaia-X.

Babies Getting Rabies posted:
> gaia-x is functionally dead anyway, afaik

It's still being considered active by policymakers, sadly.
Cybernetic Vermin posted:
> i love gdpr, almost everyone angry about it has a take along the lines of "omg why would you attack the wonders of modern it infrastructure, you'll be back in the dark ages before everything was controlled by two corporations", which is: a) dumb; and; b) wrong, microsoft will fix this (and aws will follow to get to bid for these things) and we'll all be better off because they do.

My vent yesterday was due to working in the public sector for an awful long time and knowing that a similar document will end up with idiots in the C-suite reading it as "WE MUST RUN AWAY FROM MICROSOFT TO GOOGLE" or even better "WE MUST MOVE ALL OUR WORKLOADS BACK ON-PREMISE CAUSE THE CLOUD CANNOT BE EVER GDPR COMPLIANT REGARDLESS OF THE LAWS REQUIRING ALL WORKLOADS MOVED TO CLOUD". I could write books about hundreds of similar events (like Google Analytics becoming illegal without any clear legal document and being required to move to a national Matomo instance that will show data from three months back since it cannot handle all the data processing), but it would pretty much dox me.
Carthag Tuek posted:
> apparently some danish scientists did a quantum encryption of a video signal that detects tampering/eavesdropping

One of the recent G20s in Trieste had a demo of a quantum videoconference between Lubiana, Fiume/Rijeka and Trieste (using a direct fiber connection). Sponsored by TIM-Sparkle.
evil_bunnY posted:
> Cool, who's attesting that?

Microsoft Purview does understand all the PII data we elaborate minus one type (which we manage/hunt for using a different method that will dox me 100% if I explain it here). As it is, it will trigger quarantine pretty much immediately, and all audits of the 365 groups/personal OneDrive used by the staffers that handle PII have shown no leaks.
Babies Getting Rabies posted:
> * giving a group of nerds access to the proxy for the school network because they helped out with IT. they immediately configured it to replace all images with goatse.

It does understand some common types of PII, not all. Markers can be added if needed; this is the stock list: https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitive-information-type-entity-definitions?view=o365-worldwide
Word of advice: the fingerprint YubiKey requires a PIN to be selected during enrollment so that if the fingerprint is not viable you can still use it. Most people we've seen use it had stupid simple PINs on those since "they always use fingerprints", so they were actually worse than WHfB.
Subjunctive posted:
> finally got some Yubikeys and what I really want is to have them be used to unlock my password manager and then do everything else from there, I think? my phone has my password manager locked with FaceID which I think is strong enough for my purposes, but I'm not sure how to best go setting up stuff otherwise.

KeePassXC and KeePassium use the YubiKey as a challenge: https://keepassium.com/articles/how-to-use-yubikey/ But it will make password autofill a bit of a mess.