SlowBloke
Aug 14, 2017
If you are the kind of dipshit that runs a virus on a prod machine, there is no excuse for not setting this up: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview

SlowBloke
Aug 14, 2017

Achmed Jones posted:

do you actually think the person was thinking ahead?

He was an admin on a mspaint discord so no.

SlowBloke
Aug 14, 2017

ZeusCannon posted:

I'm gonna out myself as an idiot for a moment here and ask a probably dumb question.

For the people syncing their keepass: are you all using an associated token for the database to restrict access as well as the u/pw? I've always been shy about syncing since duplicating the database always felt less secure.

Depending on the keepass database importance, I set up a yubikey to execute a challenge as MFA on critical ones. KeePassXC does it natively (guide at https://keepassxc.org/docs/#faq-yubikey-2fa) on win/mac/linux; keepassium does it on ios/ipados.

SlowBloke
Aug 14, 2017

Powerful Two-Hander posted:

hooooly poo poo did I just find a fuckup

we have a cloud platform that uses sso across the company domain(s), so when you go to it and enter powerfultwohander@company.com, it forces sso against our idp (you can probably see where this is going), but only if the domain is yours.

so if you go to it and enter the email address as powerfultwohander@yospos.com it just reverts to username and password and you can then upload whatever you like!

loving lmao. not only did it security not think of this (neither did I until just now, but it's not my job), but the vendor didn't think to mention it and their solution to it is absolute trash (just ip restrict to that domain, you morons).

bonus: we don't monitor outbound data on the main domain account anyway lol

this is gonna ruin at *least* two people's days

Isn't that standard keycloak behaviour? I don't think you can do much to mitigate it.
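The routing flaw in the quoted post, modelled as an added example (not code from the thread or from any vendor): the vulnerable router keys the SSO decision on the domain the user typed, so any other address silently gets the password form; the fixed router keys it on the tenant the account belongs to and never offers a password prompt to an SSO-mandated tenant. Tenant, account and address data are constructed.

```python
# Added example: home-realm discovery done by typed domain versus by account policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    name: str
    sso_domains: frozenset   # e-mail domains that trigger the IdP redirect
    sso_required: bool       # policy: local password login is disabled for this tenant


# Constructed directory: one tenant that mandates SSO, one user with two addresses.
TENANTS = {"acme": Tenant("acme", frozenset({"company.com"}), sso_required=True)}
ACCOUNTS = {  # login identifier -> (tenant name, has a local password set)
    "powerfultwohander@company.com": ("acme", True),
    "powerfultwohander@yospos.com": ("acme", True),   # alias address, same tenant
}


def route_login_vulnerable(email: str) -> str:
    """Decide by the typed domain only; any unknown domain falls back to passwords."""
    domain = email.rsplit("@", 1)[-1].lower()
    for tenant in TENANTS.values():
        if domain in tenant.sso_domains:
            return "sso"
    return "password"        # the hole: an address outside the SSO domain skips the IdP


def route_login_fixed(email: str) -> str:
    """Decide by the account's tenant policy, not by whatever domain was typed."""
    acct = ACCOUNTS.get(email.lower())
    if acct is None:
        return "reject"      # no such account: never show a password prompt
    tenant = TENANTS[acct[0]]
    if tenant.sso_required:
        return "sso"         # the policy covers every account in the tenant
    return "password" if acct[1] else "sso"


def audit_password_fallback() -> list:
    """Detection helper: accounts the vulnerable router would let bypass SSO."""
    return sorted(e for e in ACCOUNTS
                  if route_login_vulnerable(e) == "password"
                  and route_login_fixed(e) == "sso")
```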

SlowBloke
Aug 14, 2017

Achmed Jones posted:

el mero mero is right. there's a ton of people who won't use totp but will use sms mfa. they are much better off with sms mfa than no mfa. that there's another better (but less user friendly) choice is irrelevant and misses the point

If they are on that level of non-technical, iOS has native TOTP and security key support in the OS at the tip of their finger (or face).

SlowBloke
Aug 14, 2017

post hole digger posted:

random question, but what is considered the standard for enterprise wifi these days? is it still certificate-based 802.1x managed by radius with adfs issuing the certs? do any companies have any interesting alternatives to that model? in particular, the adfs component of it? how is azure ad as an adfs replacement for x.509 certs?

it's been a while since i've had to do any wireless networking poo poo and i'm curious what this landscape looks like these days

edit: i found this, which looks very interesting. i was never a super strong windows admin, but never liked working with adfs. anyone have any experience with this in particular? https://redmondmag.com/articles/2022/02/14/azure-active-directory-certificate-based-authentication-preview.aspx

The very high end cloud-managed wifi from aruba will let you do client enrollment with an app that checks the client security stance and uses saml for credentials, so you can use mfa for extra security.

SlowBloke
Aug 14, 2017

Subjunctive posted:

Question from a friend: Is there a security key that exists that supports U2F and FIDO2, has a fingerprint scanner and NFC or BT?

If you can skip u2f, feitian makes one https://www.ftsafe.com/Products/FIDO/Bio

SlowBloke
Aug 14, 2017

mystes posted:

Is it really possible for a device to support fido2 without supporting u2f? IIRC fido2 is just u2f with an additional mode that allows keys to be stored on the device so I don't think it should be possible, and I would guess that this is just some sort of mistake in the feature comparison table.

The underlying logic is the same but the user-side APIs are different (ctap1+uaf vs ctap2+webauthn2), so it's possible that they only expose the current ones. A lot of sites call fido2 second-factor "u2f" when it's not a fido1 api call.

SlowBloke
Aug 14, 2017

Midjack posted:

80 bucks a month is enough to get a subsidized decent phone and good enough data plan for work only, isn't it?

I can get a 5g unlimited plan for 20€/month and an iphone 14 for 30€/month (33 installments) easy, so yeah.

SlowBloke
Aug 14, 2017

infernal machines posted:

i am sincerely regretting having implemented azure information protection for a client

dealing with sensitivity labels on documents, and the myriad of sharing options in onedrive is just enough of a divergence from their usual workflow that they absolutely cannot get it right, and they're starting to get pissed off rather than taking the time to learn how it works (we've had multiple demo sessions and done one-on-one training with several of them, no one retains anything).

aip was a hard requirement to move them to cloud hosted infrastructure, which they wanted because they have people working across the country and they were getting annoyed with the limitations of the remote access system. now, instead, they're getting annoyed by the workflow changes and it appears everyone but a few of the partners are willing to throw access controls and data security to the wind because no one can remember the steps to do anything for longer than a single work day

i'm not sure if there's a lesson here, or a point to this, other than apparently security is impossible, because even if you can make it work, no one wants it.

If this was a greenfield deploy why did you use AIP instead of MIP? AIP isn't natively integrated in sharepoint/onedrive/office but relies on several moving parts to work compared to the mostly transparent MIP.

SlowBloke
Aug 14, 2017
I am curious to see how the google equivalent of MIP works; every big google tenant I interacted with had a security stance of "YOLO".

SlowBloke
Aug 14, 2017

dpkg chopra posted:

ok someone correct me if I’m wrong

my company is a contractor for BigTech Co. and I’ve recently been added to that team

as part of the remote onboarding process, BigTech Co. requires that we do an ID verification process.

one of the steps of that verification process is

a) adding the BigTech Co. email to our device accounts
b) Installing an App on our phone
c) On iOS going to Settings -> General -> Device Management and “Trusting” BigTech Co.

this is essentially just adding the certificates so that BigTech Co can remotely manage my device no?

I ask because my employer does not give us work devices as we do not use our phones for work purposes so I’m 100% not comfortable doing this

If it’s just a siloed certificate for the purposes of Id verification that I can just remove afterwards then that’s less worth escalating for

On iPhone you can have a managed device or a supervised device. Supervised is far more powerful in the remote management options but requires the device to be set up using ABM at purchase or with Configurator (and then wiped). Managed will still provide a lot of data, so I strongly advise contacting your company to have them send you a cheap burner phone.

SlowBloke
Aug 14, 2017

Beeftweeter posted:

afaik configurator doesn't work anymore? i'm not sure you can do that with modern ios versions

I've used it two days ago on an iPadOS 16.4 device to enroll it onto ABM, so no, it still works fine.

SlowBloke
Aug 14, 2017

Beeftweeter posted:

oh huh. maybe i was thinking of configuration utility? i haven't done MDM stuff in a real long time

The Apple original MDM solution that talked to an Apple macOS Server (Profile Manager and Managed Preferences) is no longer functional; maybe you were remembering that? Every active MDM solution will ask you to tinker with Configurator 2 (forcing you to get at least one MacBook and one iPhone, since there is no Windows build).
Intune has this flow to enable supervised on devices purchased outside of ABM: https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-manually-add-devices-in-apple-business-manager-abm-or/ba-p/2328462

SlowBloke
Aug 14, 2017

zero knowledge posted:

fortunately the EU is bringing back the glory days of EV with eIDAS and QWACs so you'll get to have those asinine arguments forever.

The only change is that rather than reselling geotrust certs, your cert provider will resell one from an eIDAS-enabled CA.

SlowBloke
Aug 14, 2017
Isn't ZIP file password protection trivially easy to unlock? I remember 7zip clamoring about their password protection being the sole decent implementation when it was new :corsair:

SlowBloke
Aug 14, 2017

Soricidus posted:

the classic algorithm, which I don’t think anything still uses, was cryptographically broken. modern zip files have to be brute forced; iirc they aren’t gpu resistant or anything, but a strong enough password can be secure

I think windows explorer still uses the old ZipCrypto method, not AES-256 like winzip or others.
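An added example (not from the thread) for auditing which of the two schemes an archive actually uses: ZipCrypto is signalled by general-purpose flag bit 0 with an ordinary compression method, while WinZip AES (AE-1/AE-2) uses compression method 99 plus an 0x9901 extra field whose strength byte gives the key size. It reads only the header fields Python's zipfile exposes; the three sample entries are constructed by hand rather than read from a real archive.

```python
# Added example: classify ZIP entries as unencrypted, ZipCrypto, or AES-128/192/256.
import struct
import zipfile

AES_METHOD = 99          # compression method reserved for WinZip AES
AES_EXTRA_ID = 0x9901    # extra-field id carrying vendor version, 'AE', strength, method
STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def _aes_strength(extra: bytes):
    """Walk the extra-field list and return the AES strength byte, if present."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack("<HH", extra[pos:pos + 4])
        body = extra[pos + 4:pos + 4 + size]
        if field_id == AES_EXTRA_ID and len(body) >= 5:
            return body[4]   # layout: vendor version(2) + b"AE"(2) + strength(1) + method(2)
        pos += 4 + size
    return None


def classify(info: zipfile.ZipInfo) -> str:
    if not (info.flag_bits & 0x1):
        return "none"        # flag bit 0 clear: the entry is not encrypted at all
    if info.compress_type == AES_METHOD:
        return STRENGTH.get(_aes_strength(info.extra), "AES-unknown")
    return "ZipCrypto"       # legacy PKWARE stream cipher


def weak_entries(infos) -> list:
    """Audit helper: names of entries stored unencrypted or under ZipCrypto."""
    return [i.filename for i in infos if classify(i) in ("none", "ZipCrypto")]


def _make(name: str, flag_bits: int, method: int, extra: bytes = b"") -> zipfile.ZipInfo:
    zi = zipfile.ZipInfo(name)
    zi.flag_bits, zi.compress_type, zi.extra = flag_bits, method, extra
    return zi


# Constructed headers: plain, ZipCrypto, and AES-256 (extra: AE-2, strength 3, deflate).
SAMPLES = {
    "plain.txt": _make("plain.txt", 0x0, zipfile.ZIP_DEFLATED),
    "legacy.txt": _make("legacy.txt", 0x1, zipfile.ZIP_DEFLATED),
    "strong.txt": _make("strong.txt", 0x1, AES_METHOD,
                        struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)),
}
```

For a real archive, pass `zipfile.ZipFile(path).infolist()` to `weak_entries`.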

SlowBloke
Aug 14, 2017

nudgenudgetilt posted:

how does keepassxc's mfa support actually secure the data though? is the yubikey being used for cryptographic operations, or is keepassxc just "lol, yeah, you got the static yubikey and master password, take what you need"

It uses the OTP generator part of the yubikeys; keepassxc docs are kinda lame, but keepassium uses the same logic and explains how to set them up:

https://keepassium.com/articles/how-to-use-yubikey/

You set up a seed on one of the two HMAC-SHA1 slots on one (better if multiple) yubikey and it will provide the codes if the correct button is pressed.
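A software model of the HMAC-SHA1 challenge-response unlock described in the two posts above, added here as an example (not KeePassXC's or KeePassium's code): the slot secret never leaves the token, the database header carries a random challenge, and the token's response is mixed into the composite key next to the password. The composition (SHA-256 over the concatenated key parts, challenge regenerated on every save) follows the KDBX4 scheme as I understand it and is an illustration, not the exact file format; the slot secrets are constructed.

```python
# Added example: why a copied database file is useless without the token.
import hashlib
import hmac
import os


class FakeYubiKeySlot:
    """Stands in for the HMAC-SHA1 slot; only challenge() is reachable from the host."""

    def __init__(self, secret: bytes):
        self._secret = secret   # programmed once with the personalization tool, never read back

    def challenge(self, data: bytes) -> bytes:
        return hmac.new(self._secret, data, hashlib.sha1).digest()


def composite_key(password: str, slot=None, challenge: bytes = b"") -> bytes:
    parts = hashlib.sha256(password.encode()).digest()
    if slot is not None:
        parts += slot.challenge(challenge)   # token-side HMAC-SHA1 response
    return hashlib.sha256(parts).digest()


def create_database(password: str, slot) -> dict:
    challenge = os.urandom(32)               # stored in the header, regenerated on save
    return {"challenge": challenge, "key": composite_key(password, slot, challenge)}


def unlock(db: dict, password: str, slot=None) -> bool:
    """Model of the unlock check: recompute the composite key and compare in constant time."""
    return hmac.compare_digest(db["key"], composite_key(password, slot, db["challenge"]))


# Constructed 20-byte slot secrets. TOKEN and SPARE share one secret, which is what
# "better if multiple" means: programme two keys identically and keep one in a drawer.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
TOKEN = FakeYubiKeySlot(SECRET)
SPARE = FakeYubiKeySlot(SECRET)
STRANGER = FakeYubiKeySlot(os.urandom(20))
```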

SlowBloke
Aug 14, 2017

PIZZA.BAT posted:

i've spent like 30 seconds looking but it doesn't look like this has ios integration :\

Keepassium works on ios; the same keepass file can be opened in keepassxc on windows, mac and linux, with chrome and firefox browser plugins.

SlowBloke
Aug 14, 2017

MrMoo posted:

New business model on cloud now, charge $21 per user per month to log logins, :lol:

You get access logs at every tier; it's just that retention over 30 days is paid for, at about 1€/$ per 500k logins for a year of retention. Whoever did that article never used 365 besides opening outlook.

SlowBloke
Aug 14, 2017

well-read undead posted:

so to turn this discussion another way: what’s a SIEM people do like? or, rephrased, what’s least bad?

We are happy with Sentinel. It might not be the best for huge environments but fits us fine.

SlowBloke
Aug 14, 2017

The Fool posted:

There were also professionally made ones like ERD and the Best Buy Geek Squad one.

ERD was based on WinPE, and there were a handful of others like that.

Towards the end of my tenure there I built a WinPE usb disk for the shop that I worked at.

Microsoft still expects to be paid for DART, which is the only reliable way to unlock passwords on nvme drives (the usual offline windows password & registry editor seems to croak on newer bitlocked nvme drives). You get it if you have e/a 3 or 5 licenses in your tenant.

SlowBloke
Aug 14, 2017

Jenny Agutter posted:

apparently Naomi Wu got silenced for talking about a vuln in a popular Chinese third party keyboard, in addition to all the other stuff that makes her unpopular with the CCP. https://www.hackingbutlegal.com/naomi-wu-and-the-silence-that-speaks-volumes/

Being a public figure with an Uyghur boyfriend is a surefire way to get the rozzers' attention, doubly so raising awareness of hidden backdoors in commonly used software for the domestic market. It was a matter of time, sadly.

SlowBloke
Aug 14, 2017

Sywert of Thieves posted:

It's 99% background info & fluff. I gave up reading it after 10 pages when it still wasn't getting to the point.

It was so badly written they omitted the LGBT angle (which I learned from the replies here) that was relevant in the grand scheme of things, while having pages worth of white noise.

SlowBloke
Aug 14, 2017

Zamujasa posted:

i think isp-enforced equipment should be banned out of existence :v: but even then i've owned one of the "good" cable modems and that one did authentication by sending your username/password as part of the query string in an ajax call rather than just, you know, using a form post

It is in Europe! But ISPs give zero fucks, hiding behind an "if you really want, we'll let you use your kit, but at higher prices and with fewer services for the trouble".

To be really honest, most of the ISPs here used technicolor (which are decent) for their vdsl to gpon routers, but their new xgspon services are using sagem (which are poo poo), so that pretty much killed my interest in upgrading.

SlowBloke fucked around with this message at 11:20 on Aug 21, 2023

SlowBloke
Aug 14, 2017

Cybernetic Vermin posted:

and to be clear i don't mean "just add nonsense to software", i mean that 7zip is up there with gnome in the category of "let's just do the barest possible minimum copy of a thing that already existed", which is the worst kind of "community" effort

If you want 7zip with a slightly more windows-aligned ux there is nanazip; it also uses modern apis for extensions (windows will auto-populate unused extensions) and menus (it works with the windows 11 contextual menu).

SlowBloke
Aug 14, 2017

Volmarias posted:

Same but I also recognize that we are all turbo nerds who like nice, neat model trains filing systems domain name organizations, and the rest of the world probably doesn't care even when they understand.

Italy also has second-level domains for cities or counties, sometimes either shortened or full length, if not both. Thankfully very few people use them, since it generated incredibly long domains and made seo hell.

SlowBloke
Aug 14, 2017

Potato Salad posted:

is a yubikey still safe or did they gently caress a duck too

NXP just notified the world that they got hacked and the attacker kept accessing data, searching for chip schematics and microcode, for several years.

https://arstechnica.com/security/2023/11/hackers-spent-2-years-looting-secrets-of-chipmaker-nxp-before-being-detected/

Several FIDO2 key makers, yubico included, use NXP chips.

SlowBloke
Aug 14, 2017

mystes posted:

Is it possible to gently caress up the fido2 authentication flow in such a way that the browser will ask for a pin even when no pin is set? Asking because bank of america now seems to have figured out a way to do this, which I guess would be a problem if you couldn't just say "nah I don't feel like using fido2 right now"

it could be some sort of firefox bug, although I'm not getting it on other sites, so maybe I should try it on a different computer/browser

Webauthn/fido2 can require a pin during credential enrollment and logon. It's up to the website to require it or not; Microsoft 365 accounts will mandate it, for instance.

https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement

SlowBloke fucked around with this message at 21:13 on Dec 11, 2023
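The relying-party side of the linked userVerification rule, as an added example (not code from the thread or from any site mentioned in it): the site chooses `required`, `preferred` or `discouraged` in the request options, and on the way back the server must check the UV bit in `authenticatorData`, otherwise "required" is only a hint to the browser. The `authenticatorData` layout (32-byte rpIdHash, 1 flag byte, 4-byte signCount) is the WebAuthn one; the RP id and sample bytes are constructed.

```python
# Added example: issue WebAuthn request options and enforce user verification server-side.
import hashlib
import struct

FLAG_UP, FLAG_UV = 0x01, 0x04   # user present (touch) / user verified (PIN or biometric)
UV_LEVELS = ("required", "preferred", "discouraged")


def request_options(rp_id: str, challenge: bytes, user_verification: str) -> dict:
    """The publicKey options a site hands to navigator.credentials.get()."""
    if user_verification not in UV_LEVELS:
        raise ValueError(f"userVerification must be one of {UV_LEVELS}")
    return {"rpId": rp_id, "challenge": challenge, "userVerification": user_verification}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix; extensions/attested data past it are ignored here."""
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {"rpIdHash": rp_id_hash, "up": bool(flags & FLAG_UP),
            "uv": bool(flags & FLAG_UV), "signCount": sign_count}


def verify_assertion(options: dict, auth_data: bytes) -> str:
    """Return 'ok' or the reason the assertion must be rejected (signature check omitted)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(options["rpId"].encode()).digest():
        return "rpIdHash mismatch"
    if not parsed["up"]:
        return "user presence not asserted"
    if options["userVerification"] == "required" and not parsed["uv"]:
        return "user verification required but UV flag not set"
    return "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed authenticatorData the way a test authenticator would."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
```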

SlowBloke
Aug 14, 2017

Subjunctive posted:

so if not Ubiquiti/Unifi, what’s the hotness for in-wall APs and PoE switches and stuff?

Once I grew tired of unifi bullshit, I moved to zyxel nebulaflex. If you feel that the government is watching you, you can run them standalone; otherwise you can run them on cloud-based management.

SlowBloke
Aug 14, 2017

Pile Of Garbage posted:

someone has set up a fake notepad++ download website, notepad[.]plus, and the og author is mad: https://www.bleepingcomputer.com/news/security/notepad-plus-plus-needs-your-help-in-parasite-website-shutdown/

If the dev wasn't such a pissbaby about code signing, this wouldn't be an issue.

https://www.bleepingcomputer.com/news/software/notepad-no-longer-code-signed-dev-wont-support-overpriced-cert-industry/

SlowBloke
Aug 14, 2017

rjmccall posted:

i’m not sure what that mechanical process would even be except essentially making governments act as cas

Welcome to eidas hell, we have such sights to show you.

SlowBloke
Aug 14, 2017

Captain Foo posted:

caught up on The Wayne Thesis, and lol

Secfuck 18.52: Cruel Wayne Thesis.
