|
DuckConference posted:Sure it's good in general. I mean I have it turned on for gmail. But why deal with the hassle for, say, dropbox when all of my bank accounts are protected with only 6 digit passwords and have no option for anything better? "I got keylogged and all my money is gone, but thank god they didn't get some random spreadsheets." You have to be trolling right?
|
#
?
Dec 6, 2016 15:56
|
|
|
|
| # ? May 18, 2024 04:06 |
|
|
That might actually be one of the dumbest things I've ever read.
|
|
#
?
Dec 6, 2016 15:58
|
|
|
Guys my motorcycle has lovely brakes so what's the use in wearing a helmet?
|
|
#
?
Dec 6, 2016 16:26
|
|
|
Boris Galerkin posted:(On the other hand some companies we worked with did request we have our IT guys encrypt everything onto enterprise grade hard drives and physically mail those as opposed to sending data ~via the cloud~ so it wasn't all bad .) Yeah, it was. "The cloud" is just a buzzword for a family of applications and hosted services. It can range from "hey, I put the user passwords and stored credit cards on Dropbox, password is sup3rs3cr3t" to a secure application that happens to be hosted on the same platform Amazon or Google use for their own sensitive information. If an organization completely rejects integrating with anything hosted in the cloud, it's possible that they're dealing with incredibly sensitive information that can't be trusted to outside systems. If that's what is going on, they should be sending the hard drives handcuffed to people with guns, not through the mail. That's bad. But, it's a lot more likely that somebody, somewhere, heard that "the cloud isn't secure" and now they don't use the cloud, because they believe the foundation of good security is Some Guy Said. That's even worse.
|
|
#
?
Dec 6, 2016 18:32
|
|
|
OSI bean dip posted:So 2FA is garbage because your bank uses an antiquated system? My point was that I am selective about where to use it and I don't turn it on for absolutely everything because the hassle wouldn't be worth it for protecting something trivial.
|
|
#
?
Dec 6, 2016 18:55
|
|
|
DuckConference posted:My point was that I am selective about where to use it and I don't turn it on for absolutely everything because the hassle wouldn't be worth it for protecting something trivial. So how do you define "trivial" and does it apply just to you or in general?
|
|
#
?
Dec 6, 2016 18:58
|
|
|
How often are you logging into dropbox that the additional 20 seconds to type a 2FA code is a hassle? Do you keep clearing your cookies or something?
|
|
#
?
Dec 6, 2016 19:02
|
|
|
Every bank I've ever dealt with indemnified against losses from someone compromising your account anyway.
|
|
#
?
Dec 6, 2016 19:33
|
|
|
Boris Galerkin posted:Because my information is worth more than [temporary, reversible] access to my bank account. Anyway, California required anyone working on their stuff to get fingerprinted in California - I guess other states just don't do it right or something. So every few months my company would grab all the latest hires, rent a car, and do a day-trip to the nearest CA city for everyone to get fingerprinted. When we got there, the police were busy, and left us alone in the room with the fingerprint computer for almost an hour. Posted on the wall next to the computer were instructions for how to use it, including things like which icon to double-click and exactly which menu items to select. The very first step was to log on, and the username and password were helpfully included in the instructions. "Administrator/12345" Another time I was working with a Sheriff's dept in FL and had some questions about what I was seeing in their database, so I called the vendor who provided the software to the department. She conferenced in a deputy at the Sheriff's office to talk about it and then decided to log into their live system to see if what I was seeing matched what was in production. While I was still on the call, I got to hear this snippet of conversation: Vendor: "I can never remember, what's the Sheriff's password?" Deputy: "It's 'arrest', all lowercase." Vendor: "That's right, it really should be easier for me to remember."
|
|
#
?
Dec 6, 2016 19:39
|
|
|
My bank uses a "security image", but not a lot of good it would do anyways if someone did manage to login to my account. The only thing they could do is transfer money back and forth between my own accounts, see my balances, oh and maybe pay one of my bills. My bank is a bit backwards technologically, because that is the extent of functionality you have when logged into their "online-banking".
|
|
#
?
Dec 6, 2016 19:39
|
|
|
OSI bean dip posted:So how do you define "trivial" and does it apply just to you or in general? I mean it's going to be specific to what the person is using the service for. Someone's Dropbox could be very sensitive and worth using 2-factor for, but many peoples' aren't.
|
|
#
?
Dec 6, 2016 19:43
|
|
|
Can I have the password to your Dropbox account? Like, what the gently caress is even your point? Things that don't contain secure information don't need to be secured? Gee, thanks for that knowledge bomb. Back in the real world, we understand that people who set up a Dropbox account don't think "hey, this isn't as secure as it needs to be... maybe I shouldn't put my tax returns here." IF a location can potentially store sensitive data it should be secured using reasonable steps. 2FA is a reasonable step. No, it's not going to stop Mossad, but it is going to stop a million other circumstances. God drat.
|
|
#
?
Dec 6, 2016 20:12
|
|
|
DuckConference posted:I mean it's going to be specific to what the person is using the service for. Someone's Dropbox could be very sensitive and worth using 2-factor for, but many peoples' aren't. Please keep your fecklessly idiotic security advice to yourself. There is no reason to advocate for not having 2FA turned on because somehow you think it's not worth it for one's cat pictures. If a service offers it, then it's a good thing to turn on if you're capable of using it.
|
|
#
?
Dec 6, 2016 20:17
|
|
|
DuckConference posted:I mean it's going to be specific to what the person is using the service for. Someone's Dropbox could be very sensitive and worth using 2-factor for, but many peoples' aren't. PM me your username/password so I can use your dropbox since you don't seem to care about any amount of security.
|
|
#
?
Dec 6, 2016 20:18
|
|
|
CLAM DOWN posted:PM me your username/password so I can use your dropbox since you don't seem to care about any amount of security. By the way, VanCitySec is on Thursday. I'll likely will be there.
|
|
#
?
Dec 6, 2016 20:20
|
|
|
Internet Explorer posted:Back in the real world, we understand that people who set up a Dropbox account don't think "hey, this isn't as secure as it needs to be... maybe I shouldn't put my tax returns here." IF a location can potentially store sensitive data it should be secured using reasonable steps. 2FA is a reasonable step. No, it's not going to stop Mossad, but it is going to stop a million other circumstances. To add on to this, most people don't have an organized system in place to review and improve their security posture. That is to say, normal people don't have quartly reviews of their Dropbox content to reconsider their risk in the updated environment. So taking the less secure option opens you up to the whole world of future risks. Sure your 3D scans of your butt might seem safe now, until you buy a tesla with rear end ID and forget you have those scans sitting in a folder on drop-box, until your tesla gets stolen by a 3D printed fake butt. That's all assuming you have perfect knowledge of current risks, which is also not true for anyone. The idea that "I'm a nobody, I'm not worth hacking" is backwards, instead when you get hacked it will be because you're an easy enough target to make it worthwhile.
|
|
#
?
Dec 6, 2016 20:29
|
|
|
OSI bean dip posted:Please keep your fecklessly idiotic security advice to yourself. There is no reason to advocate for not having 2FA turned on because somehow you think it's not worth it for one's cat pictures. If a service offers it, then it's a good thing to turn on if you're capable of using it. More fun if they have them in a folder called "pictures of Snowball" and their security question for paypal is their cat's name.
|
|
#
?
Dec 6, 2016 21:08
|
|
|
Trabisnikof posted:Sure your 3D scans of your butt might seem safe now, until you buy a tesla with rear end ID and forget you have those scans sitting in a folder on drop-box, until your tesla gets stolen by a 3D printed fake butt. This is the world I want to live in.
|
|
#
?
Dec 6, 2016 21:11
|
|
|
sms 2fa kind of useless|sucks rear end compared to proper 2fa though, if anything the additional weakest-links make things worse sometimes esports friend had phone numbers cloned to new sims or something, sms 2fa passed, 2fa disabled, and accounts compromised because of it
|
|
#
?
Dec 6, 2016 23:30
|
|
|
Biowarfare posted:sms 2fa kind of useless|sucks rear end compared to proper 2fa though It's not great, but it's better than relying on just a password. Biowarfare posted:esports friend had phone numbers cloned to new sims or something, sms 2fa passed, 2fa disabled, and accounts compromised because of it Yeah, that's a risk. But I think using only a password is worse. in general an average user is probably more likely to have their web account compromised as opposed to their phone cloned.
|
|
#
?
Dec 6, 2016 23:32
|
|
|
how did that make security worse exactly
|
|
#
?
Dec 6, 2016 23:33
|
|
|
Wiggly Wayne DDS posted:how did that make security worse exactly account was "recovered" using the phone number, without having the i guess for the average normal user, sms 2fa might be ok, but then you get into all sorts of bullshit where people change phones or numbers and lose their accounts permanently, and there's also the whole problem with places treating a phone number as god compared to everything else for recovery purposes, and then you have the issue where many providers (such as google fi, and many of the new MVNOs springing up) are actually voip numbers in databases, and get rejected for 2fa even if valid -- i can't use my google fi number in many places because they're just like "abusive voip number - gently caress off" Impotence fucked around with this message at 23:38 on Dec 6, 2016 |
|
#
?
Dec 6, 2016 23:35
|
|
|
oh so it wasn't a second factor then
|
|
#
?
Dec 6, 2016 23:37
|
|
|
Biowarfare posted:sms 2fa kind of useless|sucks rear end compared to proper 2fa though, if anything the additional weakest-links make things worse sometimes A SQL injection vulnerability or poorly coded debug mode of some service makes a username and password useless too, so let's just not bother at all right? The point of 2FA using SMS isn't that it's bulletproof (it's not), but it's there to add an extra level of pain-in-the-rear end. Lain Iwakura fucked around with this message at 23:41 on Dec 6, 2016 |
|
#
?
Dec 6, 2016 23:38
|
|
|
Wiggly Wayne DDS is correct. That's not 2FA. That's an authorized phone number for account recovery.
|
|
#
?
Dec 6, 2016 23:40
|
|
|
I guess my complaint is more against companies that treat phone numbers as god when you add one, instead of strictly as a dumb 2FA receiver (and not treating a 2FA number separately than a contact number tied to an account's profile)
|
|
#
?
Dec 6, 2016 23:42
|
|
|
https://twitter.com/jeremydlarson/status/806258064303263744
|
|
#
?
Dec 7, 2016 00:00
|
|
|
From the A/T cons and scams thread:504 posted:My brand new staff member (night shift) gave me the best present ever. People are the weakest link in your security framework.
|
|
#
?
Dec 7, 2016 03:42
|
|
|
Absurd Alhazred posted:From the A/T cons and scams thread: There is no facepalm big enough 
|
|
#
?
Dec 7, 2016 17:42
|
|
|
OSI bean dip posted:By the way, VanCitySec is on Thursday. I'll likely will be there. Apparently it is cancelled for this month.
|
|
#
?
Dec 7, 2016 18:01
|
|
|
Was it so people didn't have to brave the snow?
|
|
#
?
Dec 7, 2016 18:29
|
|
|
ChubbyThePhat posted:Was it so people didn't have to brave the snow? Supposedly because it's Christmastime and people are starting to disappear.
|
|
#
?
Dec 7, 2016 18:44
|
|
|
OSI bean dip posted:Apparently it is cancelled for this month. rip ChubbyThePhat posted:Was it so people didn't have to brave the snow? Likely, vancouver is currently making GBS threads itself
|
|
#
?
Dec 7, 2016 18:43
|
|
|
Curious, what's the thread's personal policy or advisement for physical password storage, as inscribed a notebook or something? As in, having a hard copy backup of at least your password database password and suitable instructions for use so your next-of-kin can unlock your cat pics when you're quite dead? Is it "don't do it, under any circumstances, you idiot," "safety deposit box only," "folded up in a sock drawer," in the easily lock-picked fire safe, etc.
|
|
#
?
Dec 7, 2016 19:54
|
|
|
doctorfrog posted:Curious, what's the thread's personal policy or advisement for physical password storage, as inscribed a notebook or something? As in, having a hard copy backup of at least your password database password and suitable instructions for use so your next-of-kin can unlock your cat pics when you're quite dead? Is it "don't do it, under any circumstances, you idiot," "safety deposit box only," "folded up in a sock drawer," in the easily lock-picked fire safe, etc. My parents have a sheet of paper locked in their fire safe that has some of my more important login credentials, for use in the unlikely event I get run over by a cement mixer and am either dead or in a coma. It's not the greatest from a standpoint of paranoid security, but they're old and non-technical. It'd take them all day just to figure out how to install keepassx, let alone actually use it. Come to think of it, I should update that paper, it's been a while. Thanks for the reminder.
|
|
#
?
Dec 7, 2016 20:02
|
|
|
doctorfrog posted:Curious, what's the thread's personal policy or advisement for physical password storage, as inscribed a notebook or something? As in, having a hard copy backup of at least your password database password and suitable instructions for use so your next-of-kin can unlock your cat pics when you're quite dead? Is it "don't do it, under any circumstances, you idiot," "safety deposit box only," "folded up in a sock drawer," in the easily lock-picked fire safe, etc.
|
|
#
?
Dec 7, 2016 20:35
|
|
|
Ugh these recruiters keep sending us these certificate whores who don't have any real world experience and don't know anything except what you can learn in a training manual. Who hires these people?
|
|
#
?
Dec 8, 2016 22:40
|
|
|
People who still buy IBM.
|
|
#
?
Dec 8, 2016 22:42
|
|
|
Mustache Ride posted:Ugh these recruiters keep sending us these certificate whores who don't have any real world experience and don't know anything except what you can learn in a training manual. You should be able to find out by looking at their resumes, unless the answer is 'no-one yet'.
|
|
#
?
Dec 8, 2016 22:47
|
|
|
|
| # ? May 18, 2024 04:06 |
|
|
Mostly consulting groups it seems. What a waste of time the past 2 interviews have been.
|
|
#
?
Dec 8, 2016 22:56
|
|