"why are you asking me for my username and password to logon instead of using SSO, that's bad security practice as it's training people to enter credentials into random sites when prompted by a link they get emailed" "it's an oracle product it does not support SSO" really? really? i mean oracle are awful but they don't support any SSO in tyool 2019? or is it more likely that you just don't know how to set it up? bonus points: the email says "please click this link and logon as there is an invoice awaiting payment". no standard branding/formatting at all, not even a name of recipient or detail on what the invoice is and the link is a garbled mess pointing to a server instance with no internal cname. it's like they're trying to train people to get phished.
# Mar 25, 2023 05:30
> ewiley posted: I once had the privilege of briefly administering oracle identity manager and i wanted to promptly kill myself afterwards. This was 10 years ago so I'm sure it's improved since then

the copyright tag on the app says "2017" but I'm gonna assume the deployment is at least 5 years older than that
> Jabor posted: changing the password regularly (e.g. daily) is also a good way to make people actually look it up in the appropriate system every time, instead of writing it on a post-it or something

just get one of those old flip calendars and write the password for that day on each page, ez
> Midjack posted: toilet paper with a new password on each square.

gonna quote an old thread title here: "i need tp for my security hole"
> chemosh6969 posted: They get poo poo done

nobody show trump this story or he'll be calling up Liam Neeson and demanding he castrate some random Libyans or whatever the current target is (Yemen maybe?)
> BIGFOOT EROTICA posted: lol dell

ha, we use a similar basic "request source" check on an internal web service to validate that requests come from a legitimate requestor (one of two other internal webservers basically) and I've been trying to think of a way to make it more robust by adding extra auth layers/checks to it because it feels wrong and like there's a request spoofing/mitm vuln... though tbh if someone is spoofing or mitm'ing our internal network we're boned already regardless anyway

turns out i'm more security conscious than dell lmao

edit: the obvious answer would be "authenticate the account id of the calling process" but for some dumb reason our webserver accounts don't have normal identity profiles and the team that "manage" the iis hosts won't let us configure them to work around this

Powerful Two-Hander fucked around with this message at 10:50 on May 4, 2019
"please enter a memorable word in case you forget your password or username", ok that's dumb so I'll mash the keyboard to make it a random string and put it in keepass....

edit: my keyboard mashing is evidently insufficiently random. Also I tried an actual word and it rejected it for having "3 or more sequential letters". Hope your memorable word doesn't contain "nop"!
> Shame Boy posted: i want that database to get compromised so i can see how many people used "boners" or "weed" or "gently caress"

> flakeloaf posted: does sequence include sequence on the keyboard? would "powerful" be no good?

yeah i think "PowerfulWeedBoners" is ok, please don't share this though as it's secret!!!!
> Sagebrush posted: take every developer and sysadmin who came up with these policies and break them upon the wheel

"to login, please enter characters 9, 17 and 23 of your password"
> Lutha Mahtin posted: a russian cryptolocker author is really mad that somebody released a decrypter for his malware. "shoes you booze" indeed

Security fuckup megathread: you booze, you lose (your aes keys)
> Sereri posted: Blow it out your aes

lmao
idk my cat is kind of a dick but he's never hacked my router ... as far as I know
looks like email scammers are trying a new tactic: a scam within a warning about a scam. i think that's what he's getting at anyway.
> Squinky v2.0 posted: Nigerian bank scammers using segmented marketing aimed at their core demographic of people who are currently entangled in a Nigerian bank scam

It's like some sort of scammer pyramid scheme where you get scammed and have to scam your way out by pretending to help people who've been scammed then scamming them and turning them into scammers

what I'm saying here is that it's scammers all the way down.
> Vomik posted: so I'm hanging out in a bar with my raspberry pi zero W surrounded by hotspots and yet zero connection
> Krankenstyle posted: got a phishing mail with a weird reply-to field

late 90s grunge band webring member spotted
some guy in America keeps signing up to job sites with my email address so he probably wonders why he's never receiving anything. I also receive bank notifications on my other account with the same name, presumably from the same guy. Once I got an invite to a family bbq and I think I did reply all to that and tell them to get their poo poo together and tell the guy to use the right address. or maybe I goatse'd the entire family idk it was a long time ago
> Agile Vector posted: remember someday that you will be a gullible moron

i have a boney moroni to remind me that someday I'll be a skeleton moron. but a skeleton moron who can dance
> You Am I posted: lol and Jaguar and Land Rover are owned by the Indians.

Nah TVR disappeared years ago on account of "shoddily hammered together in a shed" and "only runs for 5 minutes before overheating or having its gearbox implode" no longer being up to spec for a sports car

> Shaggar posted: Marriott is American. BA fines are probably a Brexit thing

No the Information Commissioner is a UK org, they just got new powers to fine companies based on turnover after the Facebook fine for stealing everyone's data and an election and a referendum was capped at £500k so they're showing off. I really hope Facebook fucks up again and gets slammed with a fine in the billions.
> flakeloaf posted: just gonna leave this here, i suspect i may need it later

I'm 100% "zero-knowledge encryption"
Stymie saved me a self probe there because I can't accurately quote the post and have it make sense but "half life: full life consequences" is always worth a listen he said and did a back flip
> ewiley posted: Yep nobody would run a network over a simple power cable

it at least has the decency to look shocked about it
toss up between security fuckup and terrible programmers

> Digital bank Monzo has urged nearly 480,000 customers to change their pins after it left banking information exposed to unauthorised staff for six months.
> infernal machines posted: secfucks are immaculate, created by the whims of a capricious god

if the fuckups didn't exist, it would be necessary for us to create them
give them some credit, getting such poor performance out of a database when the use case is basically "list stuff linked to this key" is pretty impressive
lol
> ymgve posted: *nervously clicks link, reads article, sees name of site, sighs in relief*

lol. at work the it sec team did a demo thing in the cafeteria of entering your email on haveibeenpwned and I did it and just as I hit enter thought "gently caress I've had this email address for like 20 years and I was a dumbass teen, is this gonna return porn?" but no, it was fortunately just xbox mod forums (lol) and rpg codex or something (double lol)
> Shame Boy posted: why would they force you all to do that poo poo in public? or are you saying you were just doing it as a demo to other people?

it was basically a "you're all probably hosed, use strong passwords ok?" thing, so actually probably a good thing to do given the average failure rate on our lovely phishing tests is like 60%. they got some interns to do it, it was all optional and they were getting ignored so I thought "hey I'll do it, what's the worst that can come up?"

> crazysim posted: The porn stuff is behind email verification. They are categorized as sensitive breaches like Ashley Madison.

drat brb gonna see how embarrassed past me is gonna make me

Powerful Two-Hander fucked around with this message at 02:01 on Aug 25, 2019
> Soricidus posted: there are advantages to not being the only person who shows up when a prospective boss googles your name

i share a name with a guy who got executed in texas so I'm basically invisible to google

edit: I'll qualify that with a "casual". ofc LinkedIn gets me so rip

also it's not like I have a very common last name either, and yet some dingus still keeps on signing me up to job banks. poor fucker must be wondering why nobody is replying to him.

Powerful Two-Hander fucked around with this message at 22:42 on Aug 26, 2019
> Wiggly Wayne DDS posted: how did you escape

i was 3 at the time and they never suspected me at all, I just pinned it on the other guy and went for a nap.
> Cocoa Crispies posted:

judge Dredd's gun but it's authentication to post
add in The Core ~*~HACK THE PLANET~*~
holy lmao our homebrew system for managing "secure" access to database creds logs them in plaintext in an area accessible from all user sessions I'm either gonna get thanked or fired for flagging this lmao
> Soricidus posted: come to Europe. uk banks all hand out chip devices where you stick in your debit card and enter your pin to get a one-time code, or some of them just have authenticated tokens that are the same principle but the thing-you-have is the token rather than the card

what no they don't, not all anyway. HSBC and santander use fingerprint id on mobile now, with the HSBC app generating one time logon/signing codes for Web access as well. and HSBC were way behind on their mobile app compared to others until recently so I'd assume the rest are better.

edit: before that HSBC used a custom key generator pad thing... santander idk, natwest used the card reader thing but I think have stopped.

Powerful Two-Hander fucked around with this message at 22:34 on Sep 12, 2019
> Rufus Ping posted: yeah the only british banks i'm aware of that use a cardreader for 2fa are (were?) nationwide and lloyds business, and the latter forces you to set a memorable phrase which can be used to bypass it

oh yeah nationwide were the ones with the card reader, not natwest

and yes santander web access sucks: enter your security number (6 digits) and then like letters 2, 4 and 7 from your login password or something, which is a pain in the rear end when you set that password to a 12 character random string.
> CRIP EATIN BREAD posted: why not both?

trip report: so far thanked but not fired. they're at least hiding or clearing the logs and I assume the idiot that logged the creds has been given a talking to. for my part i said that this is just general poking around poo poo I do all the time, I wasn't specifically trying to break things but better me and I flag it than someone else.

also I pointed out that because we inexplicably only allow sql logins to databases, any access method we have will require credentials to be available in plaintext so there's always a window where they could be logged. Like I could add one line to one process and I'd get dbo account passwords written out instantly. At least if the dbs were on domain accounts that wouldn't be viable.
i mean yeah no poo poo if you didn't lock the door it isn't locked
> Carbon dioxide posted: I'm in a hotel and the room has this electronic safe where you lock it by setting a 4 digit PIN and unlock it by punching in the same code again.

it's unlikely its networked but the hotel will absolutely have a master code and/or key that unlocks it. quite possibly both are available from the manufacturer and are the same across all units

edit: also 99/100 times it's gonna be the DOB of the person in the room because that's the easiest low friction number that a random opportunistic burglar that gets into the room isn't going to know

Powerful Two-Hander fucked around with this message at 10:02 on Sep 18, 2019
did you try "!" as an answer?

i hate that poo poo though. I had to call up to change an address on an overseas currency card because the lovely app will happily take your credit card details to top up, but can't handle address changes and inexplicably neither can the website and a) they asked for the 16 digit card number which the rest of their site says they won't do (but is actually logical because how the gently caress else are they going to id the card?) and b) asked for a standard security question answer of mother's maiden name. I guess I forgot to lie on that one because it was the real one and not "weedlord bonerhitler" or whatever.

I guess I'm the fuckup here for not having a consistent fallback tho
> flakeloaf posted: /dev/aynrandom, the objective-oriented rng

is a man not entitled to the seed of his prng?