spankmeister
Jun 15, 2008

power botton posted:

the weakest part of AD is all the servers and desktops storing kerberos tickets and hashes in memory to get retrieved with mimikatz et al, but MS keeps adding new features to minimize that. the chance of your average Fortune 500/1000 enabling them is nonexistent but hey.

the adsecurity.org guy cares way too much about AD security and has easy to read and well cited articles if you want to read more.

don't post shaggar's blog


Hah the shaggar wishes he would be that good


power botton
Nov 2, 2011

Bhodi posted:

imo the weakest part of AD is how easy it lets you shoot yourself in the security foot, like for example making domain-wide admin service accounts that have access to everything, never expire, and never require password changes

there's no fixing stupid, but you could at least give a warning / confirmation popup

yeah fair enough there's lots of stupid choices that you can configure. I love the storing passwords with reversible encryption or PASSWORD_NOT_REQD flags.
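As an added defender's check (not code from the thread or from any AD tooling), here is a small audit over constructed user records that flags the settings Bhodi and power botton mention: never-expiring passwords on privileged accounts, reversible encryption and PASSWORD_NOT_REQD. The userAccountControl bit values are Microsoft's documented ones; the sample records, the privileged-group list and the 365-day age threshold are assumptions.

```python
"""Audit AD-style user records for the self-inflicted weaknesses discussed above.

Added example, not code from the thread. The records below are constructed sample
data in the shape an LDAP export (e.g. from Get-ADUser) would give.
"""

# Selected userAccountControl flags (Microsoft-documented bit values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020              # account may have an empty password
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # "store password using reversible encryption"
DONT_EXPIRE_PASSWORD = 0x10000       # password never expires
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained Kerberos delegation

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed
MAX_PASSWORD_AGE_DAYS = 365  # assumed policy threshold for never-expiring passwords

# Constructed sample records (names and values are made up)
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,
     "memberOf": ["Domain Admins"], "pwdAgeDays": 1900},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x0280,
     "memberOf": [], "pwdAgeDays": 20},
    {"sAMAccountName": "kiosk", "userAccountControl": 0x0220,
     "memberOf": [], "pwdAgeDays": 5},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x0200,
     "memberOf": ["Domain Users"], "pwdAgeDays": 30},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10202,
     "memberOf": ["Domain Admins"], "pwdAgeDays": 3000},
]


def risky_settings(user):
    """Return a list of findings for one user; an empty list means nothing flagged."""
    uac = user["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        return []  # disabled accounts cannot log on; report enabled ones first
    findings = []
    privileged = bool(PRIVILEGED_GROUPS & set(user.get("memberOf", [])))
    if uac & PASSWD_NOTREQD:
        findings.append("PASSWORD_NOT_REQD: empty password permitted")
    if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append("reversible encryption: password recoverable in plaintext")
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("password never expires")
        if user.get("pwdAgeDays", 0) > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"password unchanged for {user['pwdAgeDays']} days")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation")
    if privileged and findings:
        findings.append("member of a privileged group: escalate severity")
    return findings


def audit(users):
    """Map account name -> findings for every enabled account with at least one."""
    report = {}
    for user in users:
        findings = risky_settings(user)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real domain the same bit tests apply to the userAccountControl attribute of each user object, and the three flagged sample accounts are the kind that should be replaced by managed service accounts or given an expiring, rotated password.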

MononcQc
May 29, 2007

social media sites should have a 'duress password' the way home alarm systems do. When you use that special password, the site goes mostly empty for the user account so you can pretend to have nothing on there :v:

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

MononcQc posted:

social media sites should have a 'duress password' the way home alarm systems do. When you use that special password, the site goes mostly empty for the user account so you can pretend to have nothing on there :v:

This has the same problem that FDE systems with alternate passwords have: "no, i don't believe you, show me your real account" even though that's the only one.

kitten emergency
Jan 13, 2008

get meow this wack-ass crystal prison

Volmarias posted:

This has the same problem that FDE systems with alternate passwords have: "no, i don't believe you, show me your real account" even though that's the only one.

have the duress password also trigger a message to your lawyer with your sign-in location so they can try and come scoop you?

endlessmonotony
Nov 4, 2009

by Fritz the Horse

uncurable mlady posted:

have the duress password also trigger a message to your lawyer with your sign-in location so they can try and come scoop you?

If you can afford a lawyer and plan ahead for poo poo like this, you probably should design an app to help people who can't or don't.

power botton
Nov 2, 2011

endlessmonotony posted:

If you can afford a lawyer and plan ahead for poo poo like this, you probably should design an app to help people who can't or don't.

no don't thats how SV started

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av
have the duress password irreversibly lock the account for two weeks
better yet have the duress password delete your stupid account

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

it may surprise you to discover that it's well-covered ground at many of the companies who make these services

James Baud
May 24, 2015

by LITERALLY AN ADMIN
I'm surprised the duress fingerprint which forces re-entry of the PIN (since that occasionally happens anyway, at least on Android) isn't already a thing.

Bonus points if it flushes memory contents, but baby steps.

a witch
Jan 12, 2017

James Baud posted:

I'm surprised the duress fingerprint which forces re-entry of the PIN (since that occasionally happens anyway, at least on Android) isn't already a thing.

Bonus points if it flushes memory contents, but baby steps.

can't you just turn the phone off? iOS requires a pin after boot before fingerprints start working

power botton
Nov 2, 2011

you nerds are trying to create a technical solution for a real easy problem: become a shutin

James Baud
May 24, 2015

by LITERALLY AN ADMIN

a witch posted:

can't you just turn the phone off? iOS requires a pin after boot before fingerprints start working

Yes, but let's say you didn't do that and are being compelled to fingerprint unlock... Darn, it asked for the PIN anyway even though I complied.

30 TO 50 FERAL HOG
Mar 2, 2005

Bhodi posted:

imo the weakest part of AD is how easy it lets you shoot yourself in the security foot, like for example making domain-wide admin service accounts that have access to everything, never expire, and never require password changes

there's no fixing stupid, but you could at least give a warning / confirmation popup

to be fair, MSAs didn't exist until like 2012

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

James Baud posted:

Yes, but let's say you didn't do that and are being compelled to fingerprint unlock... Darn, it asked for the PIN anyway even though I complied.

is that going to be interpreted as destruction of evidence?

James Baud
May 24, 2015

by LITERALLY AN ADMIN

Subjunctive posted:

is that going to be interpreted as destruction of evidence?

My theory goes: "indistinguishable from regular behavior" (as you do get occasional PIN prompts despite fingerprint), but I'm basing that on how the Nexus 5x and Pixel work, dunno about other phones.

kitten emergency
Jan 13, 2008

get meow this wack-ass crystal prison

Subjunctive posted:

it may surprise you to discover that it's well-covered ground at many of the companies who make these services

not really. it's also not surprising that they don't implement said features.

apseudonym
Feb 25, 2011

James Baud posted:

My theory goes: "indistinguishable from regular behavior" (as you do get occasional PIN prompts despite fingerprint), but I'm basing that on how the Nexus 5x and Pixel work, dunno about other phones.

Generally I'm not convinced there are many situations where they'll just go "darn, foiled by this clever nerd" and not just make your life rather unpleasant.

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

apseudonym posted:

Generally I'm not convinced there are many situations where they'll just go "darn, foiled by this clever nerd" and not just make your life rather unpleasant.

Ye olde rubber hose cryptanalysis

vOv
Feb 8, 2014

Volmarias posted:

This has the same problem that FDE systems with alternate passwords have: "no, i don't believe you, show me your real account" even though that's the only one.

the solution i heard once is where you have two alternate passwords, one of which has a bunch of stuff that's really embarrassing (fetish porn or whatever) but not actively compromising

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

vOv posted:

the solution i heard once is where you have two alternate passwords, one of which has a bunch of stuff that's really embarrassing (fetish porn or whatever) but not actively compromising

It has the disadvantage of not being "the real account" as defined by the conclusion that your interrogator has already drawn, so while unfortunate it's unlikely to do much.

apseudonym posted:

Generally I'm not convinced there are many situations where they'll just go "darn, foiled by this clever nerd" and not just make your life rather unpleasant.

Pretty much this. What a shame, you're failing to cooperate, time to go to a detention center where your rights don't exist because technically you're still at the border until you "smarten up".

Subjunctive posted:

is that going to be interpreted as destruction of evidence?

This too. I wouldn't be surprised either way.

Cold on a Cob
Feb 6, 2006

i've seen so much, i'm going blind
and i'm brain dead virtually

College Slice
since this thread is off the rails into border sec anyway, fyi canadians:

http://www.cbc.ca/beta/news/politics/pre-clearance-border-canada-us-1.3976123

thanks trudeau, ya gently caress

glad i'm not a permanent resident

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Cold on a Cob posted:

since this thread is off the rails into border sec anyway, fyi canadians:

http://www.cbc.ca/beta/news/politics/pre-clearance-border-canada-us-1.3976123

thanks trudeau, ya gently caress

glad i'm not a permanent resident

Shut up

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
yeah, so cbp is forcing american citizens returning to america to unlock their phones on entry. and in this case copying data from the work-issued phones of people working for other government agencies.

tl;dr: stay the gently caress away from the border for the foreseeable future

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

apseudonym posted:

Generally I'm not convinced there are many situations where they'll just go "darn, foiled by this clever nerd" and not just make your life rather unpleasant.

why would they do that?

Volmarias posted:

Pretty much this. What a shame, you're failing to cooperate, time to go to a detention center where your rights don't exist because technically you're still at the border until you "smarten up".

why would that happen?

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
also in the news: you don't have to provide us with your decryption key, but we will hold you in jail indefinitely until you give us your unencrypted data so we can build a case against you.

you're being held for contempt, because the court ordered you to hand over in-the-clear data to investigators, but you haven't actually been charged with a crime.

apseudonym
Feb 25, 2011

hackbunny posted:

why would they do that?


why would that happen?

Why would they not, they can assume that you were using duress mode if they don't like you and treat you accordingly. I don't think duress modes actually work in practice, the claim that they'd help you against a repressive government sounds like a good way to get a dissident murdered.

infernal machines posted:

also in the news: you don't have to provide us with your decryption key, but we will hold you in jail indefinitely until you give us your unencrypted data so we can build a case against you.

you're being held for contempt, because the court ordered you to hand over in-the-clear data to investigators, but you haven't actually been charged with a crime.

I mean, yeah? That's been the legal precedent and it's not like they're going to say "darn, foiled by this clever nerd" when you refuse to provide them access.

hobbesmaster
Jan 28, 2008

apseudonym posted:

I mean, yeah? That's been the legal precedent and it's not like they're going to say "darn, foiled by this clever nerd" when you refuse to provide them access.

there isn't precedent - all the cases have been mooted before they got to a high enough court to get a definitive ruling on exactly how it works

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
and the issue specifically here is using the all writs act to end run around 5th amendment protections on the basis of "actually, we're not asking for your password, we're asking for the data protected by that password"

while holding you indefinitely, without a charge. you don't have to supply the data so they can look for something to charge you with, but you'll never leave prison again either.

hobbesmaster
Jan 28, 2008

Also, from the article:

quote:

Rawls was thrown in the slammer on September 30, 2015 "until such time that he fully complies" (PDF) with a court order to unlock his hard drives. A child-porn investigation focused on Rawls when prosecutors were monitoring the online network, Freenet. They executed a search warrant in 2015 at Rawls' home. The authorities say it's a "foregone conclusion" that illicit porn is on those drives. But they cannot know for sure unless Rawls hands them the alleged evidence that is encrypted with Apple's standard FileVault software.

then do your loving job and put it in front of a jury

Shame Boy
Mar 2, 2010

hobbesmaster posted:

Also, from the article:


then do your loving job and put it in front of a jury

not that i don't agree with you or anything but the minute the jury hears "this man has child porn but he's such a clever hacker monster that he's hidden it from us, the police! he could have pictures of YOUR OWN CHILD on that hard drive!" they'll arrive at the same conclusion anyway

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
sure, so what? that would be the proper legal method of doing this, instead of indefinite detention on no charges. if they can make the case to a jury of his peers, that's the way the system is supposed to work. saying, "nah, we know it's on there but we're not gonna charge him until this is a slam dunk" is bullshit

a nation of laws sort of relies on the government obeying its own rules, even when they're inconvenient

Shame Boy
Mar 2, 2010

infernal machines posted:

sure, so what? that would be the proper legal method of doing this, instead of indefinite detention on no charges. if they can make the case to a jury of his peers, that's the way the system is supposed to work. saying, "nah, we know it's on there but we're not gonna charge him until this is a slam dunk" is bullshit

a nation of laws sort of relies on the government obeying its own rules, even when they're inconvenient

i know, which is why i said i agree :shrug:

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

apseudonym posted:

I mean, yeah? That's been the legal precedent and its not like they're going to say "darn, foiled by this clever nerd" when you refuse to provide them access.

but he did foil them? they can't write anywhere that he's a pedophile. it's not a small victory for a pedophile that was caught

why do people have to turn instantly dumb and resort to absolutes when certain topics are discussed. no consideration of risk, reward, precedent, just straight to the scenario where they beat you for the password (which is trivial to solve btw: just don't know the password). why the hell would they do that?! (answer: because the solution is too much work and you'd just throw your hands up and pretend it's unsolvable)

you desperately want to frame the border police poo poo, how about this: the usa is now the kind of country with an asterisk next to it in international travelers guides

apseudonym
Feb 25, 2011

hackbunny posted:

but he did foil them? they can't write anywhere that he's a pedophile. it's not a small victory for a pedophile that was caught

I wouldn't call being held in contempt of court until he provides access winning. :shrug:

quote:

why do people have to turn instantly dumb and resort to absolutes when certain topics are discussed. no consideration of risk, reward, precedent, just straight to the scenario where they beat you for the password (which is trivial to solve btw: just don't know the password). why the hell would they do that?! (answer: because the solution is too much work and you'd just throw your hands up and pretend it's unsolvable)

you desperately want to frame the border police poo poo, how about this: the usa is now the kind of country with an asterisk next to it in international travelers guides

There's always been countries where this kind of poo poo was possible and this has been on the minds of people for a while (and CBP has been lovely for a loving while), it's not a new thing. We're being 'dumb' because when you're building security features you have to make sure that they actually provide the properties you are promising your users. Promising security you can't deliver, especially against a repressive regime, is unethical as gently caress.

I don't think any of these duress features have been properly thought through in any of the considerations you listed. Your adversary doesn't care if you don't know your password or if you won't share it, this isn't some sovereign citizen poo poo where you say some magic gotcha and they shrug and give up, they want the access and don't give a gently caress about excuses and if they think you're lying they can be pretty lovely to you.

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

apseudonym posted:

I wouldn't call being held in contempt of court until he provides access winning. :shrug:

"the worst that could happen", when you're a pedophile and you get caught, handily beats that, I'd say

apseudonym posted:

I don't think any of these duress features have been properly thought through in any of the considerations you listed. Your adversary doesn't care if you don't know your password or if you wont share it, this isn't some sovereign citizen poo poo where you say some magic gotcha and they shrug and give up, they want the access and dont give a gently caress about excuses and if they think you're lying they can be pretty lovely to you.

there are tons of magic gotchas that make people shrug and give up. they're called laws. the usa in particular is full of magic gotcha laws, like all the magic spells around traffic stops. moving in groups, open-carrying firearms, is another magic gotcha that has proven in the past to make police look the other way instead of gratuitously harassing someone. that you would intentionally confuse refusing to pay taxes or whatever part of the social contract is it sovereign citizens want to get out of, with violation of loving rights, makes me furious. what in the gently caress is loving wrong with your head, that you will side with authority unquestioningly, as if nothing could be done

so apseudonym, here I am, returning to my country, like the nasa employee from the article. I have taken precautions because, like the nasa employee from the article, I look like An Enemy of the country. I don't know the password to this social media account. my father does, and he has been instructed to contact a lawyer if anyone asks it. he lives outside of your jurisdiction btw

YOU DON'T LIVE IN A REPRESSIVE REGIME YOU GIGANTIC WIMP

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

hackbunny posted:

"the worst that could happen", when you're a pedophile and you get caught, handily beats that, I'd say

point of order: they claim he's a pedophile, they haven't proven that, or even charged him with being one.

i can't think of too many other reasons he'd spend a year and a half in jail rather than co-operate either, but still.

Midjack
Dec 24, 2007

boy howdy i sure am enjoying watching this chicken get hosed

The MUMPSorceress
Jan 6, 2012

^SHTPSTS

Gary’s Answer
if i put my cell phone in my carry-on but leave the battery and charger in my checked luggage do you think that's enough for them to just say gently caress it? i'm genuinely concerned about returning from my trip because as a trans woman i get enough poo poo just from normal tsa for setting off their dumb body scanner. i don't even want to know what the dedicated hillbillies in cbp would do to me.


Meat Beat Agent
Aug 5, 2007

felonious assault with a sproinging boner
car go bep bep quote this if you agree
