SlowBloke
Aug 14, 2017

BangersInMyKnickers posted:

HP printers now have this feature out of box, default enabled. The printer will make a call home to some HP run mailserver front end and if you email the right address out comes a print. I have absolutely no idea how this isn't being abused to hell and back yet

The first thing you do when you set up ePrint is to restrict the list of allowed senders so you don’t get spammed by random messages. This is not the default behavior and is hidden behind two levels of menus last time I went on HP Connected.


SlowBloke
Aug 14, 2017
PSD2 is pretty much removing any option for “just SMS” in most EU countries, be it on banks (pretty much every bank here demands you install their app to act as TOTP) or credit cards (hard code and then SMS). Sadly I think it’s clearly written to not let customers use stronger systems like FIDO2 but only the bank apps.

SlowBloke
Aug 14, 2017

Pile Of Garbage posted:

edit: that bullshit MFA app aside i've never once had a single issue filing my taxes via the portal and as far as im concerned i've a flawless record with online filing via the ATO both before the portal with eTax and with the portal. never once filed a paper return, drat it's good when AU finally does some poo poo right!

TOTP being carried from device to device (e.g. Authy or MS Authenticator) is convenience at the expense of security. PSD2 seems to demand re-enrolling devices rather than migrating too, as every bank app I have does the same.

SlowBloke
Aug 14, 2017

Carthag Tuek posted:

nets (the company that runs nemid) just got swallowed by an italian company called nexi so...

Anecdotal since I’ve interacted with them in the past, but Nexi (formerly known as CartaSI) is the sole entity in Italy that has been able to roll out every tokenized payment in existence (including Garmin and Samsung Pay) while the rest of the banks had a thumb deep in their asses; they are far from the dumbest entity you could interact with in the sector. Most banks here are now dropping their current in-house systems for a Nexi-provided solution to not look like assholes.

SlowBloke
Aug 14, 2017

Rufus Ping posted:

I think this is a bit strong, my (UK) bank uses them for just this as recently as last year. The agent could clearly see the whole answer on screen and seemed a little surprised when I was able to give all my nonsense answers correctly. But then said it made sense / was smart when I explained "it's just some gibberish I made up because everyone knows my actual dog's name" etc. Hopefully they wouldn't have accepted that explanation in lieu of an actual answer

Before PSD, most banks in Italy provided you with a plastic card with a bunch of digits and you had to type the digits at specific coordinates to confirm ops and in case of lost passwords. After PSD all of this stuff was turned into OTP codes over sms and then over banking apps but in some cases you still need to fish out the code card if you forget the password.

SlowBloke
Aug 14, 2017

cinci zoo sniper posted:

latvia, lithuania, finland, sweden, germany (west), uk

I’ve been in centuries old Italian houses and I’ve never seen split outlets for hot/cold and the same applies for current ones. Either two knobs with a single output or a two axis single control lever with a single output.

SlowBloke
Aug 14, 2017
I started using Authy when MS Authenticator did not allow saving OTP backups or sync after my Google Authenticator install corrupted its database (I know it’s not safe but I have too many OTPs to re-enroll at every phone swap otherwise). I have moved the critical OTPs over to a YubiKey to mitigate Authy's sync-happy downside. Passwords are provided by KeePass or KeePassium depending on platform.

I keep OTP and passwords separate because there is no decent native implementation of OTP in KeePass on all my apps.

SlowBloke fucked around with this message at 08:46 on Aug 13, 2021

SlowBloke
Aug 14, 2017

ewiley posted:

(just buy 2 yubikeys!).

Some sites sadly let you only register one single yubikey, hopefully this RFC will let you solve that issue https://www.yubico.com/blog/yubico-proposes-webauthn-protocol-extension-to-simplify-backup-security-keys/

SlowBloke
Aug 14, 2017

mystes posted:

I mean it's the same as entering a passphrase by the keyboard so it's not terrible and will provide protection if someone steals your computer while it's off, but if your computer is compromised there's no reason they can't just steal the key or passphrase when you use your yubikey and that allows them to decrypt the entire password database.

It's not as good as doing something where you need the device to decrypt each password individually in which case only the passwords you actually decrypt could be stolen.

I think back in the day lastpass for example just used the static part of yubikey codes for encryption which is pretty halfassed but you can also configure a yubikey to do a longer static password, but neither of these things maintains the property where you actually need to steal the token because just intercepting the code isn't enough.

As I mentioned it's possible to use the fancier yubikeys with gpg keys but I think that pass is probably the only password manager that can actually do this.

I think there's also a mode for older yubikeys where they do symmetric encryption on the device without sending the key to the host and that might be more secure if each password was encrypted individually, but I don't think anything uses it.

It may also be possible to do something like this with one of the extensions to U2F that yubikey 4s support (I think there's something for encryption) but normal U2F/FIDO2 keys can't be used for encryption at all.

Edit: TL;DR: Anything where you just use the yubikey once to "unlock" the password manager and then you can view all of the passwords, which is the way I think most password managers are designed, is inherently going to have the problem that just intercepting whatever the yubikey sends or dumping memory is going to be enough to steal the whole password database.

Current YubiKey stance is either challenge-response or HOTP:

https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass

Both require plugins, so if you want to use your YubiKey on mobile apps you might be stuffed depending on the app.

SlowBloke
Aug 14, 2017

mystes posted:

I think this conversion got mixed up and maybe I misunderstood what someone was saying but I was trying to say that it's not great to store TOTP secrets in your password manager and using a yubikey to authenticate to the password manager doesn't really fix that.

If you're logging into a password manager web app you absofuckinglutely should use some sort of 2FA to protect your password manager in general and yubikey HOTP and Challenge/Response or normal TOTP are all fine for that.

Once the password database is being stored on your computer in an extension or something, which is how most people use it, or once someone it's impossible for a yubikey to actually protect it in any real way so if someone steals the passwords they're also going to immediately have your TOTP secrets which sort of defeats the purpose of using TOTP in the first place. Similarly, if someone manages to get into your password manager web app once, they're going to be able to get both the passwords and TOTP codes all at once.

Oh, sorry if I was out of scope, I just wanted to clear any confusion on the official option for current YubiKeys. There is no U2F/FIDO plug-in in the KeePass repo so, if you don’t want to add an extra overlay of cryptography over the KeePass file with the OpenPGP strata or the virtual smart card as the unlock key, those two are your current supported picks. While I understand the security implication of “if the device containing the KeePass file is compromised and rooted, anything is unsafe”, there is a usability-security compromise to implement. If using the password safe takes more time than engaging a lost password flow, there is not much use in hardening KeePass so much when you are never going to use it. Also anything older than the 5 series is EoL, so don’t suggest getting any of those old parts to anyone that might want to purchase a YubiKey :)

SlowBloke fucked around with this message at 22:00 on Aug 13, 2021

SlowBloke
Aug 14, 2017

Antigravitas posted:

Unlikely imo. It's a public forum and pseudonymous as well. I'd have to read the relevant laws again but I think I remember that forums like this weren't covered the same way you can't demand mailing lists remove your mails.

FWIW, getting SA GDPR and Cookie compliant seems trivial. Drop the google js dependency, do an inventory of what data of a user is being kept and why and evaluate which data is required; document it; prepare a way someone can receive a dump of all their data, and list a contact somewhere. And that's basically it. Doesn't need any of the idiotic consent banners either.

It would be different if SA's business model relied on targeted ads, of course. But destroying the industry of targeted ads is good.

Social media is covered by the right to be forgotten too, which is why there is a "download all my data" and "wipe all my data" feature on multiple sites, even in Roblox (https://devforum.roblox.com/t/update-to-gdpr-right-to-be-forgotten-messaging/885792). There is already a "search posts by poster id" feature; the only requirement would be to add a "search all content by the poster id and wipe it from the db" to be compliant.

SlowBloke
Aug 14, 2017

ewiley posted:

yes this is a problem if the government does not enforce its own laws and instead lets cronyism stand, I agree.

this Luca debacle reminds me of the even worse techbro/government mashup in the UK https://cybergibbons.com/security-2/why-what3words-is-not-suitable-for-safety-critical-applications/

at least w3w is “free”

Most trace applications have weird histories, the italian trace app "immuni" was done by a relatively unknown firm that was under the thumb of the Berlusconi family and other upper-class VCs. Today most people have no idea why they picked that firm rather than other offers.

SlowBloke
Aug 14, 2017

cinci zoo sniper posted:

i wouldn't say "most". the european norm seems to have been to just make a thin wrapper on top of the google and apple exposure api, with uk and germany being 2 noteworthy exceptions that i know

I mean that none of those apps got made for free and the contracts have been very nebulous for very few lines of code since as you said, they just reused the available device sdk.

SlowBloke
Aug 14, 2017

cinci zoo sniper posted:

that’s a baseless assertion in your seeming quest to extrapolate italy being a known dysfunctional shitocracy to everyone else. to give you a specific example to the contrary, latvian contact tracing app (first globally to have a nationwide deployment with the exposure notification apis) was built pro-bono by the national tech industry (participants start with the ninth icon here https://www.apturicovid.lv/iesaistitas-organizacijas ) - they established a non-profit, developed and launched the app in a month, and afterwards earned an endorsement (and only that) from the government for job well done

Can you stop putting words in my mouth, I didn't say ALL. Finland and Austria have not developed pro bono apps for instance (budgets in the 850k-1M€ range); I am not aware of other examples of pro bono made tracing apps in the EU.

SlowBloke
Aug 14, 2017
At least Euro trace apps' code has been put on GitHub to please the skeptics; some authorities provided only the front ends while others provided the whole stack. Funnily enough the Immuni GitHub (https://github.com/immuni-app) includes front-end, back-end, CI tests and public open data.

SlowBloke
Aug 14, 2017
eID and eIDAS should make national-level ID codes redundant but I think it will take a few years before they get abandoned.

SlowBloke
Aug 14, 2017

Hed posted:

I got some Yubikeys to gently caress around with. Does anyone actually use these widespread at their work? Or smartcards at all?

FIDO2 is cool but you can also do PKI with them without leaving private certs around--but I'll admit I very rarely hear people talking about s/mime and client certs these days.

If your firm is a Windows shop on hybrid or Azure AD join, they are the quickest and simplest way to go passwordless. Microsoft Authenticator will work only on web sessions and not Windows logins. The main component of a YubiKey for current tech is the FIDO2/WebAuthn part; the rest is only there to make it work with legacy tech.

SlowBloke
Aug 14, 2017

Hed posted:

this is probably a good time to ask... all the SaaSes seem to gate their SSO connector behind "Enterprise" or a higher tier of service, but GSuite SSO seems to be the exception here.
Were they a first mover in SAML or something...?

SSO on the IdP side is mostly free; Microsoft Azure AD lets you use it for SAML without restrictions. Applications are the biggest issue since an awful lot of them demand special licensing to let you use SAML or OAuth instead of their own user DB.

SlowBloke
Aug 14, 2017

post hole digger posted:

can i get peoples thoughts on phishing sim campaigns? our org is currently doing a rather stupid knowbe4 one and I am not a fan of the practice in general. this is not being done to tick a compliance checkbox. purely for the love of the game. am i wrong in thinking about it this way? there is no 'goal' for the campaign, just good old 'user awareness'.

It's a necessary evil to scare users into complying with MFA/security hardening. Having a successful phishing sim will make even the most stubborn people think "Maybe the nerds demanding I confirm logins every X days are not so wrong after all". The most fun thing about KnowBe4 or other equivalents is that they are only useful in the United States; last time I checked there are zero payloads targeting non-US locales, so using them worldwide will end up with 100% penetration on the US HQ and the remaining sites getting 0%, making the HQ staffers look like fools.

SlowBloke fucked around with this message at 12:44 on Jun 21, 2022

SlowBloke
Aug 14, 2017

distortion park posted:

It's fun coming up with the payloads if you're doing it yourself though. "New Halloween costume policy" with unacceptable.docm or whatever attached

When we first tested our 365 attack simulator, we created the weirdest payloads (which have sadly been removed since then). Stuff like "Mosh pit corporate dress code change notification" or "Nigerian princes summit 2020 registration links", using our standard internal mail formats, and I think I could have got a few bites if I had run it.

SlowBloke
Aug 14, 2017

Sickening posted:

I just want simulated phishing to go away entirely. I don't want my staff to waste the mouse clicks in settings it up. User education seems to be less valuable every year. If the tech doesn't work, users aren't going to save you.

Our field trials ended up in zero deploys since we had absolute certainty that, no matter how many times our users got pranked, they would never learn to check the indicators for a phish mail. One of our users cryptolocked us three times in the same fiscal quarter and nothing was done about it, not even a stern email, so we have zero hopes on that front.

SlowBloke
Aug 14, 2017

Beeftweeter posted:

e: ^^^ yeah thats my understanding

i'm really skeptical an ONT might cause this, primarily because

seems much more likely, what about the other networking hardware? if it's consumer off the shelf poo poo it just might not be up to the task, depending on whatever the load is

Third-party SFP ONTs are a convenience item if you have a router with an SFP WAN port, or a nerd fidget spinner (since it will require constant tinkering). It does nothing for latency or performance (since most units have a gigabit PHY, same as the ISP external ONT kit). Source: I have a Technicolor AFM0002TIM SFP ONT provided by my ISP.

SlowBloke
Aug 14, 2017

Shame Boy posted:

it's not a joke it's just i've never seen a + on a phone and whenever i dial internationally i always have to look up all this stuff you posted to do it

It has never been a dedicated key; most mobile phones I remember having it on the keyboard (I'm talking ye old T9 era) used a long press of the 0 key to type it.

SlowBloke
Aug 14, 2017

Hed posted:

companies that have moved your Duo / Azure AD / SAML to FIDO2 what do you use for when users lose their physical key?

I’ve been experimenting with FIDO2 and while I have two keys I’m trying to figure out the “I’m on the road and forgot my key, I need an alternative”. We buy everyone phones to push their MFA Duo accept butan but to fall back to that seems like it isn’t accomplishing much.

Azure AD has temporary access codes. In case of FIDO key loss we do some challenges on corporate stuff that only a real employee should know, over a known phone number, and then we provide a time-limited access code while removing the lost FIDO registration. If the employee is onsite we just document the loss of the FIDO key and provide support in registering the new one while deleting the lost one.

SlowBloke
Aug 14, 2017

Subjunctive posted:

how would they determine that it’s outlook without just trusting the client to report it?

the new PAT stuff has some application authentication I guess, but I don’t know how it works

If my conditional access logs are any indication, Microsoft is certainly acquiring platform and specific app in most cases during the MFA request/modern auth attempt.

SlowBloke
Aug 14, 2017

TheMightyBoops posted:

They disabled the fingerprint readers on the laptops they bought us. I have no clue why; I assume I can turn it on in the bios or something.

If it's domain-joined Windows, you will need to have the admins turn on Windows Hello for Business or no biometric of any kind will work.

SlowBloke
Aug 14, 2017

Pile Of Garbage posted:

quick question re yubikeys: if i've hooked up a bunch of poo poo to a yubikey with an unset FIDO2 PIN and then set a PIN will that break the existing associations?

Since nobody real answered: adding a PIN will not affect existing associations, it only requires an extra step to validate the logon.

SlowBloke
Aug 14, 2017

Hed posted:

Email is way away from what I do now but how do email spoofers get through to our finance & accounting team masquerading as our employees?

We use MS-provided O365 as email and supposedly Exchange Online Protection is supposed to handle this... our first MX record is companyname-com.mail.protection.outlook.com. It seems kind of hosed up, for example if I query a DMARC record for example nothing comes up.

Our finance & accounting team gets emails that are properly marked as "EXTERNAL" in the subject line but then go right ahead and let the "From:" be bob@companyname.com with a reply-to of bob@pwned.pics

Feel free to tell me to gently caress off to the grey forums for this, I just want to understand and find if there's a checker or what I need to yell at my MSP to do.

You need to set up anti-phishing in the 365 security portal to quarantine/drop impersonation attempts.
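The question above mentions querying for a DMARC record and getting nothing back, which is exactly the condition under which a message with a forged "From: bob@companyname.com" and an outside Reply-To sails through. The following is an added example, not code from this thread or from Microsoft: it parses DMARC TXT records and works out the disposition a receiving server would apply, including the fallback to the organizational domain's record and its `sp=` tag for subdomains. The records dict stands in for DNS lookups and all domains in it are constructed; the organizational domain is approximated as the last two labels, which is an assumption (real receivers consult the public suffix list), and SPF/DKIM alignment is passed in as already-evaluated booleans rather than computed.

```python
def parse_dmarc(txt: str) -> dict:
    """Parse a 'v=DMARC1; p=reject; ...' TXT record into a tag dict (RFC 7489 section 6.3).
    Returns {} for anything that is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption: last two labels. Real implementations use the public suffix list."""
    return ".".join(domain.split(".")[-2:])


def lookup_dmarc(records: dict, from_domain: str):
    """Try _dmarc.<From: domain> first, then the organizational domain (RFC 7489 section 6.6.3).
    'records' is a constructed stand-in for DNS TXT lookups. Returns (domain_used, tags)."""
    candidates = [from_domain]
    org = organizational_domain(from_domain)
    if org != from_domain:
        candidates.append(org)
    for dom in candidates:
        txt = records.get(f"_dmarc.{dom}")
        if txt:
            tags = parse_dmarc(txt)
            if tags:
                return dom, tags
    return "", {}


def disposition(records: dict, from_domain: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """What a DMARC-checking receiver does with a message whose header From: is @from_domain.
    'none' means the forged From: is delivered untouched; 'quarantine' and 'reject' are the
    policies a published record can request."""
    dom, tags = lookup_dmarc(records, from_domain)
    if not tags:
        return "none"                      # no record at all: nothing to enforce
    if spf_aligned or dkim_aligned:
        return "pass"                      # message is authentically from the domain
    policy = tags.get("p", "none")
    if dom != from_domain and "sp" in tags:
        policy = tags["sp"]                # subdomain policy applies to mail.<org>
    return policy.lower()


# Constructed sample records; these domains and addresses are placeholders.
SAMPLE_RECORDS = {
    "_dmarc.companyname.example": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@companyname.example",
    "_dmarc.p-none.example": "v=DMARC1; p=none; rua=mailto:dmarc@p-none.example",
    "_dmarc.notdmarc.example": "v=spf1 -all",
}

if __name__ == "__main__":
    for dom in ("companyname.example", "mail.companyname.example", "p-none.example",
                "notdmarc.example", "unprotected.example"):
        print(f"{dom:28} spoofed From: -> {disposition(SAMPLE_RECORDS, dom, False, False)}")
```

Two of the sample outcomes are the ones worth recognising in your own tenant: a missing record and a record with `p=none` both yield "none", so publishing a monitoring-only record tells you about spoofing but stops none of it. Enforcement needs `p=quarantine` or `p=reject`, and the mailbox-side anti-phishing impersonation rules mentioned in the reply are what catch lookalike senders that DMARC, which only covers your own domain, never sees.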

SlowBloke
Aug 14, 2017

If the Germans want to go back that hard to in-house hosted Dovecot with 1990s-level features nobody is stopping them, just stop trying to gently caress us public sector 365 users that are more than happy with Microsoft.

SlowBloke
Aug 14, 2017

Subjunctive posted:

sure but what about the tons of individuals’ private information you traffic in during your day to day work? those people have rights too, even if they’re German

We don't have PII data in 365, we keep that in a dedicated local silo with Purview actively hunting for erroneous data uploads. Which is what any sane person should do rather than cloud-lifting everything and then making such a racket afterwards.

SlowBloke
Aug 14, 2017

Sickening posted:

you definitely have pii in your office 365 spaces, users can’t help themselves.

We move so little PII that it's trivial to keep an eye on it; I'm not terribly worried. Plus our users are actively resisting moving the non-critical data to 365 groups, so I'm not expecting clandestine uploads when they cannot make a SharePoint/Teams site.

SlowBloke
Aug 14, 2017

Shame Boy posted:

my users are simply too stupid to break the law, you see

Given that one of those people decided that "I will print out the file path and bring the paper over" when asked to share the files, yes.

SlowBloke
Aug 14, 2017

rjmccall posted:

fortunately just using a european cloud provider will solve all your gdpr problems (because nobody will bother investigating it)

Doubly so when the cloud provider goes up in flames; after all, the main proponent of Gaia-X was OVH.

SlowBloke
Aug 14, 2017

Babies Getting Rabies posted:

i just quickly read over the 8 page summary and i don't think this is particularly easy to fix for microsoft. a full EU instance might do it - but only if it either does not transfer data outside of the EU at all or if it only does so in very specific cases which are spelled out in detail and only to specific jurisdictions.
as it is, the data agreements don't spell out who is processing data and for what - and specifically, they not only require microsoft to spell that out for their global services that might touch EU data, they also want microsoft to spell that out for third parties that somehow touch that data as part of microsoft's services. that is certainly more complicated. then there's the stuff in the twitter thread.

idk, i doubt any larger players currently can offer a modern cloud-based architecture that can comply with that. last time i talked to SAP people about this, they wanted to change topic real fast.
i guess some linux shop might be able to offer this, but in practice, not even public administration will use it. munich made waves about switching their entire IT to linux and then a few years later switched back to a microsoft environment because linux was more expensive and pissed off all the users.

i assume the result is going to be a continued reliance on on-prem stuff, which in practice means on-prem exchange and other microsoft products in like 99% of all cases. or everybody will continue to ignore this and just use cloud products anyway, which is what is currently happening.

Most 365 components have a European instance already, either in Germany, France or Ireland. Data processing is the only grey area that requires bureaucratic/ops work to make the Germans happy.

Whoever is keeping these debates alive likely has stakes in that flaming trash fire called Gaia-X.

Babies Getting Rabies posted:

gaia-x is functionally dead anyway, afaik

It's still being considered active by policymakers sadly.

SlowBloke
Aug 14, 2017

Cybernetic Vermin posted:

i love gdpr, almost everyone angry about it has a take along the lines of "omg why would you attack the wonders of modern it infrastructure, you'll be back in the dark ages before everything was controlled by two corporations", which is: a) dumb; and; b) wrong, microsoft will fix this (and aws will follow to get to bid for these things) and we'll all be better off because they do.

the post suggesting that pure eu instances are unlikely is particularly weird: as a customer i already trust that the availability zones are almost entirely separate, and it seems perfectly reasonable and desirable that instances where your data is moved into availability zones you've never touched be enumerated. not to mention when your data is moved off of azure entirely for some reason.

My vent yesterday was due to working in the public sector for an awful long time and knowing that a similar document will end up with idiots in the c-suite reading it as "WE MUST RUN AWAY FROM MICROSOFT TO GOOGLE" or even better "WE MUST MOVE ALL OUR WORKLOADS BACK ON-PREMISE CAUSE THE CLOUD CANNOT BE EVER GDPR COMPLIANT REGARDLESS OF THE LAWS REQUIRING ALL WORKLOADS MOVED TO CLOUD". I could write books about hundreds of similar events (like google analytics becoming illegal without any clear legal document and being required to move to a national matomo instance that will show data from three months back since it cannot handle all the data processing) but it would pretty much dox me.

SlowBloke
Aug 14, 2017

Carthag Tuek posted:

apparently some danish scientists did a quantum encryption of a video signal that detects tampering/eavesdropping

requires direct fiber connection though, so not very practical

One of the recent G20 meetings in Trieste had a demo of a quantum videoconference between Lubiana, Fiume/Rijeka and Trieste (using a direct fiber connection). Sponsored by TIM-Sparkle.

SlowBloke
Aug 14, 2017

evil_bunnY posted:

Cool, who's attesting that?

Microsoft Purview does understand all the PII data we elaborate minus one type (which we manage/hunt for using a different method that will dox me 100% if I explain it here). As it is, it will trigger quarantine pretty much immediately, and all audits of the 365 groups/personal OneDrive used by the staffers that handle PII have shown no leaks.

SlowBloke
Aug 14, 2017

Babies Getting Rabies posted:

* giving a group of nerds access to the proxy for the school network because they helped out with IT. they immediately configured it to replace all images with goatse.

that's legit cool and would presumably make satisfying most of the complaints in that german gdpr thing doable (ie. listing in detail which data is used for what, how and where, and also by which third parties - if the latter happens at all).

that leaves the complaints about the cloud act and fisa 702, which are not gdpr-compatible. there is nothing that microsoft can do about that, though.

It does understand some common types of PII, not all. Markers can be added if needed; this is the stock list: https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitive-information-type-entity-definitions?view=o365-worldwide

SlowBloke
Aug 14, 2017
Word of advice: the fingerprint YubiKey requires a PIN to be selected during enrollment so that if the fingerprint is not viable you can still use it. Most people we have seen use it had stupid simple PINs on those since "they always use fingerprints", so they were actually worse than WHfB.


SlowBloke
Aug 14, 2017

Subjunctive posted:

finally got some Yubikeys and what I really want is to have them be used to unlock my password manager and then do everything else from there, I think? my phone has my password manager locked with FaceID which I think is strong enough for my purposes, but I’m not sure how to best go setting up stuff otherwise.

probably put hwauth on my email accounts directly too

how do people generally set this stuff up? will be annoying to carry and slot it all the time but such is the price of constant vigilance

KeePassXC and KeePassium use the YubiKey as a challenge-response:

https://keepassium.com/articles/how-to-use-yubikey/

But it will make the password auto fill a bit of a mess.
