hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

BiohazrD posted:

[img-obamas-blackberry]

THINK OPSEC:ins:


30 TO 50 FERAL HOG
Mar 2, 2005



Actually it's apparently a windows phone? But not like the new Windows phone. The one that looks like Windows 95

Pile Of Garbage
May 28, 2007



our customer uses coreworx for project management related activities. the application is a massive pile of garbage and today i found another reason why:

coreworx has a feature where it will send out email notifications to users when workflows, transmittals, etc are updated. if a user has no email address set on their account in the application then instead of just not sending them a message it will send the message to noemail@noemail.com. this happens to be a registered domain (website just redirects to dumb pages), with an MX record that certainly appears to be owned by someone other than the vendor.

we discovered that our customer's prod coreworx instance was sending ~2 million emails to noemail@noemail.com per month. apparently that default address is hardcoded in a DLL file somewhere but can be overwritten in a config file, something which the app support guys forgot to do.

tl;dr garbage software will disclose information to an unknown third-party by default

Maximum Leader
Dec 5, 2014

BiohazrD posted:

Actually it's apparently a windows phone? But not like the new Windows phone. The one that looks like Windows 95

i heard modified android

cinci zoo sniper
Mar 15, 2013




Maximum Leader posted:

i heard modified android
i saw some article today about 1r grand android "secphone"

cinci zoo sniper
Mar 15, 2013




kalstrams posted:

i saw some article today about 1r grand android "secphone"

http://www.engadget.com/2016/05/31/solarin-labs-moshe-hogeg-interview/

cinci zoo sniper
Mar 15, 2013




doctorfrog posted:

https://www.kickstarter.com/projects/preevio/silentkeys-a-keyboard-that-protects-your-privacy-a

It's a bootable flash drive glued into a keyboard.

I mean, it's a magic keyboard that foils governments, hackers, and corporations!

Shaggar
Apr 26, 2006

Volmarias posted:

If only there were some sort of bearer document you were provided at birth meant to be used for identity purposes, some sort of certificate you could show that is generally accepted as a foundational form of ID. Some sort of "birth certificate" if you will.

a birth certificate would be one set of credentials stored in this system and would be the norm for establishing identity for us born citizens. You would also make it entirely digital so you no longer need a stupid piece of paper you have to keep safe somewhere.

Triglav
Jun 2, 2007

IT IS HARAAM TO SEND SMILEY FACES THROUGH THE INTERNET
are notarized emails/faxes a thing?

sometimes you have to mail b.certs

Shaggar
Apr 26, 2006
right this would replace that requirement.

Triglav
Jun 2, 2007

IT IS HARAAM TO SEND SMILEY FACES THROUGH THE INTERNET
how so

Shaggar
Apr 26, 2006
instead of the person requesting a birth cert to verify identity (which is stupid cause it doesn't actually provide identification) they ask you to authenticate with the government and then the government provides that identity verification. then you proceed without having given this 3rd party any privileged information. they only need to know that you are who you say you are and if they trust the government to do that verification for them, then they don't need to know the implementation details behind the verification.

Shaggar fucked around with this message at 16:00 on Jun 1, 2016

Shaggar
Apr 26, 2006
that authentication could be through an oauth redirect to a government sign in page or it could be through a chip and pin auth with a smart card or any other token based auth mechanism. point is the sensitive data is only handled by the central ID provider and the 3rd party requesting verification doesn't need to see it or care about it.

Triglav
Jun 2, 2007

IT IS HARAAM TO SEND SMILEY FACES THROUGH THE INTERNET
and we'll put these terminals in every govt bldg and the data servers at the OPM?

Shaggar
Apr 26, 2006
idk what terminals you mean. this would be internet facing. if you've ever signed into an application using your Microsoft/twitter/facebook/goog creds instead of creating a login for that application, you've used oauth. what I'm proposing is the same system but where the identity provider is the government.

the government already stores this information about you in various systems (ex: your tax records) so it would be a matter of consolidating the relevant info to form an identity for each citizen.

for sure the technology is the easy part, and the politics and policy behind it would be extremely hard but it's doable and would solve many many problems irl.

surebet
Jan 10, 2013

avatar
specialist


hackbunny posted:

THINK OPSEC:ins:

would unironically rock a sectera phone for a few weeks

flakeloaf
Feb 26, 2003

Still better than android clock

Shaggar posted:

idk what terminals you mean. this would be internet facing. if you've ever signed into an application using your Microsoft/twitter/facebook/goog creds instead of creating a login for that application, you've used oauth. what I'm proposing is the same system but where the identity provider is the government.

the government already stores this information about you in various systems (ex: your tax records) so it would be a matter of consolidating the relevant info to form an identity for each citizen.

for sure the technology is the easy part, and the politics and policy behind it would be extremely hard but it's doable and would solve many many problems irl.

like this



but in reverse, wherein the government's identity registrar does the authorizations for a third party or OGDs

also lol if you demand faxes in tyool 2016 when scanners and printers and encryption already exist

Su-Su-Sudoko
Oct 25, 2007

what stands in the way becomes the way

we have this in sweden and it works well as far as i can tell (which is not far)
https://www.bankid.com/en/

surebet
Jan 10, 2013

avatar
specialist


looking to get some input on what kind of network flowchart software you guys are using, right now i'm trying ms visio but the  E S T H E T I C S are all wrong

that or give me a decent monospaced technical font to use

the secfuck part of all of this is that i learned that my client's previous it guy posted our production layout on the "rate my network diagram" subreddit with actual addresses and enumeration a while ago

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

surebet posted:

looking to get some input on what kind of network flowchart software you guys are using, right now i'm trying ms visio but the  E S T H E T I C S are all wrong

that or give me a decent monospaced technical font to use

the secfuck part of all of this is that i learned that my client's previous it guy posted our production layout on the "rate my network diagram" subreddit with actual addresses and enumeration a while ago

i use visio and it blows and i deal with it, but I don't have to do much. u could try omnigraffle or something idk?

Shaggar
Apr 26, 2006

flakeloaf posted:

like this



but in reverse, wherein the government's identity registrar does the authorizations for a third party or OGDs

also lol if you demand faxes in tyool 2016 when scanners and printers and encryption already exist

yes basically. they already do this in some of the tiny white people countries in europe

cinci zoo sniper
Mar 15, 2013




Shaggar posted:

that authentication could be through an oauth redirect to a government sign in page or it could be through a chip and pin auth with a smart card or any other token based auth mechanism. point is the sensitive data is only handled by the central ID provider and the 3rd party requesting verification doesn't need to see it or care about it.
we have this in latvia, you can with state id card, as well as via landing pages of a number of banks that support online banking properly

Triglav
Jun 2, 2007

IT IS HARAAM TO SEND SMILEY FACES THROUGH THE INTERNET

flakeloaf posted:

also lol if you demand faxes in tyool 2016 when scanners and printers and encryption already exist

but there's existing case law for fax

Testiclops posted:

we have this in sweden and it works well as far as i can tell (which is not far)
https://www.bankid.com/en/

is sweden still trying to get rid of physical cash to push ppl to use banking more?

Shaggar
Apr 26, 2006
so the example for getting a bank account would be you go to the bank's webzone and click create account, they send you to the gov ID provider to authenticate, the gov asks you to allow the bank to know the details required for the bank to create the account, you allow, the bank gets the info from the gov at which point they create your account using that information.

in the best scenario they don't even keep demographic info on you. they get a long duration token that they can use to access a gov webapi on your behalf to grab your demos as needed. everyone likes this because it eliminates the bank's liability for your demos since they aren't storing it and you get better security.

all tokens generated for use with the bank are specific to the bank so in the event of a breach the government terminates the bank's access to their system in one click and all the tokens are instantly invalid without breaking anything for any other applications.

Su-Su-Sudoko
Oct 25, 2007

what stands in the way becomes the way

Triglav posted:

is sweden still trying to get rid of physical cash to push ppl to use banking more?

uh idk but i've handled cash exactly once the past five months

Shaggar
Apr 26, 2006
If the bank needs to know if you are a citizen of the US, for example, they aren't going to say "hey gov id provider, give me this person's birth cert". they say "hey gov id provider, give me the us_citizen claim" then the id provider sends back a us_citizen claim in your token with a true/false value. the bank doesn't care how you became a citizen, all it cares about is that you are one and if the us government says you are then that's all they need.
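The flow Shaggar describes in the last few posts (per-bank tokens, a single boolean claim instead of the underlying document, and a one-click revocation that kills every token for one relying party without touching the others) as an added Python sketch. This is illustration code, not Shaggar's or any government's system: the issuer name `gov-idp.example`, the client ids `bank-a`/`bank-b`, the citizen record and the HMAC signing key are all constructed here, and the `introspect` call is loosely modelled on OAuth token introspection. A real deployment would sign with an asymmetric key and publish the public half so relying parties never hold the issuer's secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data for this example; not real records or keys.
CITIZEN_RECORDS = {
    "citizen-0001": {"us_citizen": True, "over_18": True, "birth_cert_no": "BC-000000"},
}
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


class IdentityProvider:
    """Hypothetical government identity provider (assumed name gov-idp.example)."""

    def __init__(self, key, records, issuer="gov-idp.example"):
        self._key, self._records, self._issuer = key, records, issuer
        self._clients = {}  # client_id -> {"active": bool, "allowed": set of claim names}

    def register_client(self, client_id, allowed_claims):
        self._clients[client_id] = {"active": True, "allowed": set(allowed_claims)}

    def revoke_client(self, client_id):
        # The "one click": every token whose audience is this client stops working.
        self._clients[client_id]["active"] = False

    def issue_token(self, subject, client_id, requested_claims, user_consented, ttl=3600):
        client = self._clients.get(client_id)
        if client is None or not client["active"]:
            raise PermissionError("unknown or revoked relying party")
        if not user_consented:
            raise PermissionError("user did not consent")
        not_allowed = set(requested_claims) - client["allowed"]
        if not_allowed:
            raise PermissionError(f"client may not request {sorted(not_allowed)}")
        now = int(time.time())
        record = self._records[subject]
        payload = {
            "iss": self._issuer, "sub": subject, "aud": client_id, "iat": now, "exp": now + ttl,
            # Only the requested claims leave the IdP; the birth certificate stays here.
            "claims": {name: record[name] for name in requested_claims},
        }
        return self._encode(payload)

    def introspect(self, token):
        """Return the payload if the token is genuine, unexpired and its audience
        is still an active client; otherwise None."""
        payload = self._decode(token)
        if payload is None:
            return None
        client = self._clients.get(payload["aud"])
        if client is None or not client["active"] or payload["exp"] <= int(time.time()):
            return None
        return payload

    def _encode(self, payload):
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def _decode(self, token):
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # tampered or forged token
        return json.loads(base64.urlsafe_b64decode(body.encode()))


def relying_party_check(idp, token, my_client_id, claim):
    """What the bank does: confirm the token is still good and was issued for
    *this* bank, then read one boolean claim. It never sees the document."""
    payload = idp.introspect(token)
    if payload is None or payload["aud"] != my_client_id:
        return None
    return payload["claims"].get(claim)


def demo():
    idp = IdentityProvider(SIGNING_KEY, CITIZEN_RECORDS)
    idp.register_client("bank-a", ["us_citizen", "over_18"])
    idp.register_client("bank-b", ["us_citizen"])
    tok_a = idp.issue_token("citizen-0001", "bank-a", ["us_citizen"], user_consented=True)
    tok_b = idp.issue_token("citizen-0001", "bank-b", ["us_citizen"], user_consented=True)
    results = {
        "bank_a_sees_citizen": relying_party_check(idp, tok_a, "bank-a", "us_citizen"),
        "bank_a_gets_cert": "birth_cert_no" in idp.introspect(tok_a)["claims"],
        "token_reused_at_bank_b": relying_party_check(idp, tok_a, "bank-b", "us_citizen"),
    }
    idp.revoke_client("bank-a")  # bank A is breached: cut it off
    results["bank_a_after_revoke"] = relying_party_check(idp, tok_a, "bank-a", "us_citizen")
    results["bank_b_after_revoke"] = relying_party_check(idp, tok_b, "bank-b", "us_citizen")
    try:
        idp.issue_token("citizen-0001", "bank-b", ["birth_cert_no"], user_consented=True)
        results["overreach_blocked"] = False
    except PermissionError:
        results["overreach_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three properties from the posts: bank A learns only `us_citizen: True`, a token minted for bank A is worthless at bank B, and revoking bank A invalidates its tokens while bank B's keep working; a client asking for a claim it was never granted (here the certificate number) is refused at issuance.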

Triglav
Jun 2, 2007

IT IS HARAAM TO SEND SMILEY FACES THROUGH THE INTERNET
if they can expand this system to all services it could be good for big data proactive policing

surebet
Jan 10, 2013

avatar
specialist


flakeloaf posted:

like this



but in reverse, wherein the government's identity registrar does the authorizations for a third party or OGDs

also lol if you demand faxes in tyool 2016 when scanners and printers and encryption already exist

without saying it's the best solution, forcing people to print out stuff and fax it over makes some sense when you work in an environment where you need to redact tons of stuff, which is the case for me (lots of financial & technical information docs to and from federal agencies where they only need partial visibility)

it's my understanding that since the phone lines all run on voip anyway, you functionally have end-to-end encryption too, so you'd need to compromise the endpoint fax, which might be a challenge on a dedicated fax machine without you having physical access

where it goes to poo poo is that the departments i deal with who use fax a lot will only use fax, they're completely air gapped, to an extent where if i need to talk to someone i fax over a request and within 3 to 5 business days i get a call back

yes if you miss the call you have to resend the request and wait another 3-5 days, poo poo sucks

Shaggar
Apr 26, 2006

Triglav posted:

if they can expand this system to all services it could be good for big data proactive policing

yes exactly. that's just one of the many benefits of such a system.

prefect
Sep 11, 2001

No one, Woodhouse.
No one.




Dead Man’s Band

Shaggar posted:

yes exactly. that's just one of the many benefits of such a system.

yeah, i'm not so sure i want them to know if i'm paying for something that's technically illegal

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
otoh the idea of a mismanaged government auth system where a hacker can exploit vulns and can now digitally sign stuff in my name scares the poo poo out of me.

yes, having to go to my bank in person and show ID is a pain in the rear end but at the very least if the bank fucks up and grants some dude with a fake id access to my account, then they're on the hook

once you give them the out of saying "oh, well, the government's oauth system said it was you not our problem, go sue the government or whatever gently caress you" then it just becomes super sketchy.

cinci zoo sniper
Mar 15, 2013




Triglav posted:

but there's existing case law for fax


is sweden still trying to get rid of physical cash to push ppl to use banking more?
yeah and it works well for people. One in five transactions happen in cash in sweden now. in two years of life there i've paid with cash thrice - berries from farmer, public toilet at train station, and refugee barber

Shaggar
Apr 26, 2006

prefect posted:

yeah, i'm not so sure i want them to know if i'm paying for something that's technically illegal

they wouldn't know what you're buying, only that you allowed Bank of America access to your basic demos.

right now if they want to know what you're buying they just ask boa and boa gives it to them. that part doesn't change.

Shaggar
Apr 26, 2006

Ur Getting Fatter posted:

otoh the idea of a mismanaged government auth system where a hacker can exploit vulns and can now digitally sign stuff in my name scares the poo poo out of me.

yes, having to go to my bank in person and show ID is a pain in the rear end but at the very least if the bank fucks up and grants some dude with a fake id access to my account, then they're on the hook

once you give them the out of saying "oh, well, the government's oauth system said it was you not our problem, go sue the government or whatever gently caress you" then it just becomes super sketchy.

if the bank gives someone with a fake id an account in your name you are absolutely on the hook until you prove it wasn't you. it would be the same with a government oauth type system, but with the added bonus of multi factor auth and other protections that would make stealing your account much harder.

flakeloaf
Feb 26, 2003

Still better than android clock

surebet posted:

without saying it's the best solution, forcing people to print out stuff and fax it over makes some sense when you work in an environment where you need to redact tons of stuff, which is the case for me (lots of financial & technical information docs to and from federal agencies where they only need partial visibility)

it's my understanding that since the phone lines all run on voip anyway, you functionally have end-to-end encryption too, so you'd need to compromise the endpoint fax, which might be a challenge on a dedicated fax machine without you having physical access

where it goes to poo poo is that the departments i deal with who use fax a lot will only use fax, they're completely air gapped, to an extent where if i need to talk to someone i fax over a request and within 3 to 5 business days i get a call back

yes if you miss the call you have to resend the request and wait another 3-5 days, poo poo sucks

i'm disappointed and ashamed that these solutions are better than the hackneyed technoversions that we nerds think are better

it's a lot harder to gently caress up a black marker or scissors on a piece of paper than it is to get caught drawing an eraseable black box around text in an adobe document. it's similarly hard to get people in technophobic places like law offices to understand or install or use or care about encryption

still, there's something in my nerd brain that says printing a thing out on a piece of paper, then taking it to a machine that turns it into a digital copy and sends it to a printer far away so someone else can take that printout and put it back into a computer is really goofy

surebet
Jan 10, 2013

avatar
specialist


stealing this from the kickstarter thread:

doctorfrog posted:

https://www.kickstarter.com/projects/preevio/silentkeys-a-keyboard-that-protects-your-privacy-a

It's a bootable flash drive glued into a keyboard.

I mean, it's a magic keyboard that foils governments, hackers, and corporations!




200$

Shaggar
Apr 26, 2006
another thing is if someone opens something in your name with a fake id across the country, you probably won't know about it for months. if someone grants a bank access to your id via oauth you can know instantly and instantly revoke it.

Su-Su-Sudoko
Oct 25, 2007

what stands in the way becomes the way

surebet posted:

stealing this from the kickstarter thread:





200$

im the bitcoin in "Secure Online Activities"

flakeloaf
Feb 26, 2003

Still better than android clock

surebet posted:

stealing this from the kickstarter thread:





200$

so it's a usb stick with a "secure" browser named after the microsoft man, and also it's got a keyboard on it for some reason


Jewel
May 2, 2009

getting hacked costs time, money, or worst

e: wait isn't any breach, no matter the size, just time/money? are they insinuating i could die
