Google authenticator doesn't support cloud backups but does support device to device setup flows

Subjunctive posted: can apps opt out of accessibility access?

apseudonym fucked around with this message at 17:55 on Apr 6, 2020

# ? Apr 6, 2020 17:53

ZeusCannon posted: Isn't the google 2fa now tied to the google account it's "linked" to? I coulda sworn they added a migration feature.

i am positive it does not

# ? Apr 6, 2020 18:00

iirc even the push notification Google 2fa doesn't transfer between devices, unless you specifically set it to push to all devices

# ? Apr 6, 2020 19:12

pseudorandom name posted: secure operating systems don't allow one app to inspect the state of another app

dtrace makes it possible to snoop on passwords, and there are even ways to make it easy

# ? Apr 6, 2020 20:55

D. Ebdrup posted: any os with sufficient debug tracing can let root snoop on passwords, for example windows, macos, probably ios, and freebsd all have dtrace

We all know this, no one is trying to defend against a rooted device here, they're trying to prevent Stanislav in Novosibirsk from signing into your account using a password they found and pulling your 2FA without your realization. Obviously if they've popped your Google account they probably have your email and it's game over because so many places go "oh no 2FA???? Well I guess that's ok if you're resetting the password instead!" but it doesn't hurt to do this.

# ? Apr 6, 2020 22:17

cinci zoo sniper posted: wait what, zoom is still using 128-bit aes ecb keys in some cases??

yeah, the same thing came up in the voip/sip protocols. the reason usually ends up being bandwidth savings, you can tell when there is dead-air on audio or little motion on video feeds without seeing the actual payload and use that info to pull some bandwidth saving tricks. clever, but overall a bad idea to save a buck for anything with true privacy concerns

# ? Apr 6, 2020 22:21

Volmarias posted: We all know this, no one is trying to defend against a rooted device here, they're trying to prevent Stanislav in Novosibirsk from signing into your account using a password they found and pulling your 2FA without your realization.

If you've given a malicious app accessibility framework access then that's the equivalent of giving it full control over your device. Don't do that. It's intentional that the accessibility framework can do anything that you the user can do - the alternative is that the device is not actually usable by someone who needs the accessibility framework.

# ? Apr 7, 2020 00:06

BangersInMyKnickers posted: yeah, the same thing came up in the voip/sip protocols. the reason usually ends up being bandwidth savings, you can tell when there is dead-air on audio or little motion on video feeds without seeing the actual payload and use that info to pull some bandwidth saving tricks. clever, but overall a bad idea to save a buck for anything with true privacy concerns

I'm not going to fault them for using a bandwidth saving cipher given the situation we're in. Buuttt I'm sure they've been using it all along and don't deserve any credit.

# ? Apr 7, 2020 01:00

edit: i was pages behind, n/m

# ? Apr 7, 2020 02:08

Pinterest Mom posted: 3.0.2 (Apr 6 2020)

are the little easter eggs in the TOTP code meant to be letter O or number 0?

# ? Apr 7, 2020 02:15

Raere posted: I'm not going to fault them for using a bandwidth saving cipher given the situation we're in. Buuttt I'm sure they've been using it all along and don't deserve any credit.

of course they've been doing it all along, they're conserving bandwidth to improve their bottom line, not out of generosity.

# ? Apr 7, 2020 02:21

D. Ebdrup posted: any os with sufficient debug tracing can let root snoop on passwords, for example windows, macos, probably ios, and freebsd all have dtrace

Any OS that lets you dtrace other things isn't a secure OS tho

# ? Apr 7, 2020 02:21

any OS that lets you use it at all or even look at it isn't sufficiently secure imo

# ? Apr 7, 2020 02:30

Shame Boy posted: any OS that lets you use it at all or even look at it isn't sufficiently secure imo

# ? Apr 7, 2020 03:16

apple will review your entitlements and there's a subset of keys that will require you to explain to a human a really really good reason you need to use it before they approve your app. dtrace is almost certainly on that list if it's even available on the publish to App Store target (haven't checked) and there's also a way to flag a process as invisible to dtrace, not sure if that's usable by non-Apple devs though

# ? Apr 7, 2020 03:28

haveblue posted: apple will review your entitlements and there's a subset of keys that will require you to explain to a human a really really good reason you need to use it before they approve your app. dtrace is almost certainly on that list if it's even available on the publish to App Store target (haven't checked)

Apple enables some pretty scary entitlements but dtrace on a production phone would be pretty insane.

# ? Apr 7, 2020 07:30

I googled dtrace and I got topic appropriate my little pony fanart

# ? Apr 7, 2020 09:42

Shame Boy posted: any OS that lets you use it at all or even look at it isn't sufficiently secure imo

abigserve posted: I googled dtrace and I got topic appropriate my little pony fanart

the most-often used depiction of beastie, the bsd daemon, was drawn by john lasseter and certainly looks like something out of disney

# ? Apr 7, 2020 12:36

D. Ebdrup posted: ah yes, the academia gambit

disney also tied it back in as well in 2013 with a movie about bsd, it was called frozen

# ? Apr 7, 2020 12:51

# ? Apr 7, 2020 13:38

Jabor posted: If you've given a malicious app accessibility framework access then that's the equivalent of giving it full control over your device. Don't do that.

You're violently agreeing with me, I think?

# ? Apr 7, 2020 14:44

abigserve posted: disney also tied it back in as well in 2013 with a movie about bsd, it was called frozen

# ? Apr 7, 2020 15:33

lomarf

# ? Apr 7, 2020 15:49

i completely ended up with stomach cramps from laughing so much at that

# ? Apr 7, 2020 16:27

That's fuckin amazin

# ? Apr 8, 2020 02:03

abigserve posted: disney also tied it back in as well in 2013 with a movie about bsd, it was called frozen

# ? Apr 8, 2020 13:16

https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/ this is a fun short read

# ? Apr 8, 2020 13:55

https://twitter.com/swagitda_/status/1247620482473627649 when covid phishing is outlawed something something click here (actually, it's bad)

# ? Apr 8, 2020 14:46

It's a good thing criminals are united behind not trying to exploit this crisis for personal gain.

# ? Apr 8, 2020 15:34

i dunno about you, but if i was working for a company trying to secure their business, my goals would be a bit different from the goals of a criminal attacking that company. to use a physical security analogy, i'm not going to go around breaking windows to get in even though i can see where a criminal might do that.

# ? Apr 8, 2020 15:41

if the extent of your phishing preparedness is showing "ah yes, people can fall prey to phishing", you've got lovely security. At least focus on what to do once someone has been phished or in trying to detect it happening and do some disaster preparedness rather than just doing the security equivalent of pulling on people's shoelaces while they're not looking and going "uh they were not tied super hard I guess! that's a trip hazard!!"

# ? Apr 8, 2020 15:45

MononcQc posted:

We're rapidly going in that direction lol

# ? Apr 8, 2020 16:34

some pen tester once said that his company doesn't live phish anymore, they just pull a name out of a hat and a manager goes to that person, tells them they're part of a security exercise, and instructs them to open a particular file, then some prescribed interval of time later report to their infosec team that they opened a suspect file. this brings the result of compromise but also means that there's nobody to unfairly blame since you can assume anyone can get phished by a clever enough attacker and this way your initial point of compromise is in on the scheme. it's not quite as organic but way less likely to result in phish awareness as the only change that gets made.

# ? Apr 8, 2020 16:51

or they drag me to the front of the room and remind them yet again not to shut their brains off in the face of allegedly-urgent emails. a half-hour of training saves me and the incident team hundreds of hours of cleanup, and if it didn't stick or you just weren't listening this year then go ahead and email me for the ninth time about whether it's safe to click this or that, whatever idc just don't break our poo poo

# ? Apr 8, 2020 17:49

flakeloaf posted: or they drag me to the front of the room and remind them yet again not to shut their brains off in the face of allegedly-urgent emails

oh yeah, there's definitely value in that! the tendency the pen tester described was that the entire org blamed the person who clicked on the phish as the sole reason the compromise happened and rather than working on incident response and protection of their intranet against insider attacks, the org just went WELL IF YOU DUMMIES WOULDN'T GET PHISHED WE WOULDN'T HAVE A PROBLEM so literally the only change they made was running the training you described.

# ? Apr 8, 2020 18:05

after years of having an entirely worthless filtering system that happily let through any and all phishing mail pretending to be from office 365, microsoft has added a new quarantine notification about suspected phishing messages, that looks exactly like the phishing messages it's supposed to be quarantining. thanks microsoft. very helpful.

# ? Apr 8, 2020 18:12

Midjack posted: oh yeah, there's definitely value in that! the tendency the pen tester described was that the entire org blamed the person who clicked on the phish as the sole reason the compromise happened and rather than working on incident response and protection of their intranet against insider attacks, the org just went WELL IF YOU DUMMIES WOULDN'T GET PHISHED WE WOULDN'T HAVE A PROBLEM so literally the only change they made was running the training you described.

Perhaps there is value in both sending phishing emails, and also running incident response training, rather than just one or the other????

# ? Apr 8, 2020 18:23

The greatest value of phishing tests is being able to delete obnoxious emails from office boomers because "it looked like phishing".

# ? Apr 8, 2020 18:29

Volmarias posted: Perhaps there is value in both sending phishing emails, and also running incident response training, rather than just one or the other????

wasn't my pen test or my client, it's what this guy told me his company did. i like the idea of separating the two so you don't just blame bob from accounting for all of your compromise.

# ? Apr 8, 2020 18:38

just send an email with the results of the phishing tests but it's a phishing email, security team has trained people to trust their emails rather than just delete them like they should with all the other emails

# ? Apr 8, 2020 20:07