hackbunny posted:
like I have a password and I need to use it both for authentication and to encrypt/verify a database. if using two key derivation functions, for their intended usage, is rolling my own protocol then I dunno what I'm supposed to do instead

Why are you not just: Hash once, use as symmetric decryption key for a nonce that is itself used to decrypt the raw data. Hash second time and store as verifier if anyone might be trying this inside of a trusted service. The hashing parameters could be the same for both functions.

Apr 28, 2016 02:24

It's probably something like these, https://en.wikipedia.org/wiki/TACLANE Lots of vendors do it nowadays, but 10 years ago you needed that. And they were often locked in tamper-proof cages.

Apr 28, 2016 02:43

https://twitter.com/afreak/status/725508559580987393

Apr 28, 2016 03:16

Cocoa Crispies posted:
well it's not like anyone but the befuddled use bitcoin

Phone posted:
PAIN!

Apr 28, 2016 04:12

The surgeons at my hospital have decided answering pages is for proles so they bought 6 iPhones for various people around the hospital and now want us to group text patient identifiable information whenever we send for a patient. There's no PIN to unlock the screen because it gets handed over frequently at shift changes so whoever steals one first is going to have a record of everyone who went to emergency theatre from today and what operation they had.

Apr 28, 2016 06:37

Loving Africa Chaps posted:
The surgeons at my hospital have decided answering pages is for proles so they bought 6 iPhones for various people around the hospital and now want us to group text patient identifiable information whenever we send for a patient.

this is illegal, you know

Apr 28, 2016 06:47

Powercrazy posted:
It's probably something like these,

this pushes my Strong-Looking Hardware button. i think i'm either the dual redundant dual redundant power supplies, the battery, or the ZEROIZE PRESS 3X button. that or the network interface sets for PLAIN TEXT and CIPHER TEXT

Apr 28, 2016 06:49

atomicthumbs posted:
this pushes my Strong-Looking Hardware button

tac lanes fuckin own

Apr 28, 2016 06:55

atomicthumbs posted:
this is illegal, you know

I've pointed this out on the departmental email including links to HSCIC guidance but looks like it's still going ahead! All my nightshifts are on obstetrics from now on and a consultant holds it during the day so at least I don't have to physically touch it.

Apr 28, 2016 07:10

Loving Africa Chaps posted:
I've pointed this out on the departmental email including links to HSCIC guidance but looks like it's still going ahead!

tell the feds so you get ~BLACKMAILED~ into 20 years of audits i guess

Apr 28, 2016 07:18

keseph posted:
Why are you not just:

this is exactly what I do to encrypt the storage: I derive (HKDF) a key from the master key derived (PBKDF2) from the password, and use it to decrypt+verify (AES-GCM) a random key that encrypts the storage. I forget why I'm not using the master key directly and I pass it through HKDF first, though

keseph posted:
Hash second time and store as verifier if anyone might be trying this inside of a trusted service. The hashing parameters could be the same for both functions.

isn't this what I'm doing already, too? I derive (HKDF) a separate key as a hash twice removed of the password. I will probably eventually drop everything and use the storage layer to both verify the password and detect when the user is switching between passwords... but I'm afraid the storage library doesn't have a "verify key" function yet, just "open with key, reset storage if the key is wrong"

Apr 28, 2016 07:45

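The scheme keseph and hackbunny are describing above (one password, one slow salted hash into a master key, then two independent sub-keys: one to wrap the random storage key, one to store as a verifier), written out as an added example that is not code from the thread or from hackbunny's project. It uses only the Python standard library: PBKDF2-HMAC-SHA256 for the master key and an inline RFC 5869 HKDF for the sub-keys. The `info` labels, the iteration count, the 16-byte salt and every function name are my own choices; hackbunny's AES-GCM wrapping of the random storage key needs an AEAD library and is left out, so the example stops at producing the key that would do that wrapping and at checking the stored verifier.

```python
"""Password -> master key -> two independent sub-keys (added example, stdlib only)."""
import hashlib
import hmac
import os

HASH = "sha256"
HASH_LEN = 32
PBKDF2_ITERATIONS = 600_000  # assumed value; tune to the latency you can afford

# Distinct labels are what keep the two sub-keys independent (assumed names).
INFO_STORAGE = b"example-app/v1/storage-key-wrap"
INFO_VERIFIER = b"example-app/v1/password-verifier"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an absent salt means HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def master_key(password: str, salt: bytes) -> bytes:
    """The one slow, salted step: PBKDF2-HMAC-SHA256 over the password."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, HASH_LEN)


def derive_subkeys(password: str, salt: bytes) -> tuple:
    """Return (storage_key, verifier): two independent keys from one master key.

    Knowing the verifier gives no leverage on the storage key, because both
    are separate HMAC outputs of the same PRK under different labels.
    """
    prk = hkdf_extract(b"", master_key(password, salt))
    storage_key = hkdf_expand(prk, INFO_STORAGE, HASH_LEN)  # would wrap the random data key
    verifier = hkdf_expand(prk, INFO_VERIFIER, HASH_LEN)    # safe to persist next to the salt
    return storage_key, verifier


def enroll(password: str) -> tuple:
    """Create a fresh salt and the verifier to persist beside it."""
    salt = os.urandom(16)
    _, verifier = derive_subkeys(password, salt)
    return salt, verifier


def verify_password(password: str, salt: bytes, stored_verifier: bytes) -> bool:
    """Recompute the verifier and compare in constant time."""
    _, verifier = derive_subkeys(password, salt)
    return hmac.compare_digest(verifier, stored_verifier)


if __name__ == "__main__":
    salt, verifier = enroll("correct horse battery staple")
    print("right password:", verify_password("correct horse battery staple", salt, verifier))
    print("wrong password:", verify_password("Tr0ub4dor&3", salt, verifier))
```

The point of the two labels is that the verifier can sit in a database (or be sent to a service that only needs to check the password) without ever exposing the key that protects the storage; a mismatch on the verifier is also a cheap way to tell "wrong password" apart from "corrupted storage" before touching the encrypted data, which is the "verify key" operation hackbunny says his storage library lacks.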
atomicthumbs posted:
this pushes my Strong-Looking Hardware button

im the fill hole

Apr 28, 2016 08:06

https://isecguy.wordpress.com/2016/04/25/flaw-allowed-anyone-to-modify-take-control-over-any-as-domain/

.as domain registry ran on pre-2000 code that stored passwords as plaintext and used the domain name in base64 as the sole auth control

Apr 28, 2016 08:47

wizardhacking

Apr 28, 2016 10:02

spankmeister posted:
What's in the box!?

charger, warranty card, headphones, microfiber cloth, manual, your wife's head, a coupon for free download.

Apr 28, 2016 10:45

earbuds, vampire teeth, chopsticks with helper, Spider Man 3 bluray (opened)

Apr 28, 2016 12:27

atomicthumbs posted:
this pushes my Strong-Looking Hardware button

lmao a CIK, what is this, 1987

Apr 28, 2016 13:22

atomicthumbs posted:
this pushes my Strong-Looking Hardware button

No red/black? pff

Apr 28, 2016 13:24

Loving Africa Chaps posted:
I've pointed this out on the departmental email including links to HSCIC guidance but looks like it's still going ahead!

You do realize that if you continue to do this you can also be found culpable in this illegal activity right?

Apr 28, 2016 13:27

Enjoy your newfound moral dilemma of doing the right thing and getting fired for "unsatisfactory performance" in a year and blackballed, or dealing with the vague threat of criminal culpability from a law that has never resulted in a prosecution.

Apr 28, 2016 13:31

Malloc Voidstar posted:
https://isecguy.wordpress.com/2016/04/25/flaw-allowed-anyone-to-modify-take-control-over-any-as-domain/

lol the first comment is someone saying they found this problem in 2008 and the registrar ignored it then

Apr 28, 2016 13:31

Volmarias posted:
Enjoy your newfound moral dilemma of doing the right thing and getting fired for "unsatisfactory performance" in a year and blackballed, or dealing with the vague threat of criminal culpability from a law that has never resulted in a prosecution.

And that's the dilemma. I know it's poo poo, and I'm not trying to act morally superior. Just giving him the heads up is all.

Apr 28, 2016 13:32

minivanmegafun posted:
lol the first comment is someone saying they found this problem in 2008 and the registrar ignored it then

Well, what are you going to do? Go with another registrar for .as? I have a .as domain, this doesn't fill me with warm fuzzies, but my options are "bear it" and "pull the domain that a bunch of your stuff is inextricably tied to."

Apr 28, 2016 13:40

ratbert90 posted:
You do realize that if you continue to do this you can also be found culpable in this illegal activity right?

comedy option, report it to HHS and find out if there are any whistle-blower protections (there probably aren't) http://www.hhs.gov/hipaa/filing-a-complaint/index.html

Now by reading this and not reporting it, you're SUPER double in trouble if something happens

Apr 28, 2016 14:06

Volmarias posted:
Well, what are you going to do? Go with another registrar for .as?

volmari.as?

Apr 28, 2016 14:12

ratbert90 posted:
And that's the dilemma. I know it's poo poo, and I'm not trying to act morally superior. Just giving him the heads up is all.

"That guy knew it was wrong and didn't try to physically stop us it's his fault!!!"

Apr 28, 2016 14:27

ewiley posted:
comedy option, report it to HHS and find out if there are any whistle-blower protections (there probably aren't)

maybe not in that order

Apr 28, 2016 14:32

BeOSPOS posted:
volmari.as?

Yep. It's basically just storage and ad hoc hosting, but I still get mail relayed through there too.

Apr 28, 2016 14:32

Looooool cloudflair

Apr 28, 2016 14:39

Parallel Paraplegic posted:
"That guy knew it was wrong and didn't try to physically stop us it's his fault!!!"

More like: That guy knew it was wrong and still continued to send texts out.

Apr 28, 2016 14:41

Parallel Paraplegic posted:
im the fill hole

pour your bits in here

Apr 28, 2016 14:42

Loving Africa Chaps posted:
The surgeons at my hospital have decided answering pages is for proles so they bought 6 iPhones for various people around the hospital and now want us to group text patient identifiable information whenever we send for a patient.

there are a number of HIPAA compliant secure text apps that you can get for them and you can stick them on ur exchange server for MDM. it's not that bad and your pager system is probably ancient and terrible. We have a bunch of customers using DocbookMD and then a few who use onpage and dochalo. also it makes more sense at that point for them to use their own phones so they don't have to transfer them around.

Apr 28, 2016 14:43

The hardest part about setting up DocbookMD is trying to get your doctors' NPIs. they sure as poo poo don't know what they are and what you have in your credentialing system is wrong.

Apr 28, 2016 14:45

ratbert90 posted:
More like: That guy knew it was wrong and still continued to send texts out.

Meh, doing things with explicit approval from management is 99% of the time an employee's get out of jail free card. Unless you're murdering someone in a Nazi death camp, 'just following orders' is actually a valid defense. You're not personally responsible for securing your employer's process, just following it consistently and correctly. They may have compensating controls on the back-end that he's unaware of.

Apr 28, 2016 14:48

ewiley posted:
Meh, doing things with explicit approval from management is 99% of the time an employee's get out of jail free card. Unless you're murdering someone in a Nazi death camp, 'just following orders' is actually a valid defense. You're not personally responsible for securing your employer's process, just following it consistently and correctly. They may have compensating controls on the back-end that he's unaware of.

If it was me I would CYA with at least an email from management, if not a printed and signed document explicitly saying it's ok for me to do this.

Edit* I have done this twice in my career, and both times management backed off and told me to forget about doing it. Making somebody else culpable is the easiest way to get illegal activities to stop pretty quick.

Apr 28, 2016 14:49

ewiley posted:
Meh, doing things with explicit approval from management is 99% of the time an employee's get out of jail free card. Unless you're murdering someone in a Nazi death camp, 'just following orders' is actually a valid defense. You're not personally responsible for securing your employer's process, just following it consistently and correctly. They may have compensating controls on the back-end that he's unaware of.

Tell that to the VW engineers who just randomly decided to cheat emissions standards completely by themselves because they're weird and quirky. At least like, save an email or something with your boss saying "hey everyone do this dumb illegal thing it's our new policy!" in a safe place.

Apr 28, 2016 14:50

Volmarias posted:
Enjoy your newfound moral dilemma of doing the right thing and getting fired for "unsatisfactory performance" in a year and blackballed, or dealing with the vague threat of criminal culpability from a law that has never resulted in a prosecution.

nah if he brought it up with his hospital's lawyers they'll drop a bag of poo poo on the docs so fast because they know it's a terrible and pointless risk when there are easy ways to do it correctly.

Apr 28, 2016 14:51

Shaggar posted:
nah if he brought it up with his hospital's lawyers they'll drop a bag of poo poo on the docs so fast because they know it's a terrible and pointless risk when there are easy ways to do it correctly.

I forgot that hospitals have lawyers on retainer specifically for this. This is probably the correct answer, as it seems like Shaggar knows his poo poo when it comes to infosec in hospitals.

Also, this is what I imagine all hospital lawyers to be like: https://www.youtube.com/watch?v=u1ZtaaFZDcI&hd=1

Apr 28, 2016 14:54

Parallel Paraplegic posted:
Tell that to the VW engineers who just randomly decided to cheat emissions standards completely by themselves because they're weird and quirky.

Yeah but VW engineers legit deserve to burn in hell against the firewall

Apr 28, 2016 14:57

ewiley posted:
Yeah but VW engineers legit deserve to burn in hell

is that one contiguous chain? it is isn't it? JFC

Apr 28, 2016 15:10