my goth gf posted: what's a fips
a miserable pile of standards according to google anyway because i don't actually know

# May 5, 2017 23:35
power botton posted: A bunch of our customers love FIPS mode and last year we finally updated all our poo poo so that it would work with FIPS enabled and I have no clue what it does but it's very important to the enterprise
i turned it on in thunderbird once just to see what it did and then could never turn it back off again the whole time i used it and it didn't seem to do anything except break some features

# May 6, 2017 00:17
fips is a collection of now out of date crypto standards the feds require for any software they buy. unless you're selling to the feds you don't want to use fips.

# May 6, 2017 00:18
if i had to guess i'd say a soc auditor said we should be using it

# May 6, 2017 00:25
my goth gf posted: what's a fips
fell down and i deleted my cipher suite somebody helped me up and asked me if i deleted my cipher suite i said "yeah" so then they said "oh so that mean we gon, you gon switch it on then?" i said "yeah, fipsmode, fipsmode is the greatest"

# May 6, 2017 00:52
Shaggar posted: fips is a collection of now out of date crypto standards the feds require for any software they buy. unless you're selling to the feds you don't want to use fips.
And idiots think it is the Bible for what they need to adopt in their organisation even if they have no real reason to

# May 6, 2017 00:59
Cocoa Crispies posted: as a shorty playing in group policy settings

# May 6, 2017 01:01
https://twitter.com/matthew_d_green/status/860237158447271938

# May 6, 2017 01:50
behind the shitposts: i set up my computer to turn "flipmode" into "ɟlıdmode" which made it hard to search for

# May 6, 2017 01:56
https://twitter.com/taviso/status/860679110728622080

# May 6, 2017 03:15
it's tavis time motherfuckers

# May 6, 2017 03:19
Is it RDP? I bet it's RDP. Maybe SMB? Let's go Old School with a new twist, UDP packet Fragments -> buffer overrun, but the packets are IPv6!

# May 6, 2017 03:25
ate poo poo on live tv posted: Is it RDP? I bet it's RDP.

# May 6, 2017 03:24
my body is ready

# May 6, 2017 03:38
turn all computers off imo

# May 6, 2017 03:43
redleader posted: turn all computers off imo
no truer words

# May 6, 2017 03:54
redleader posted: turn all computers off imo
but how will we poo poo post?

# May 6, 2017 04:01
any bets on expected patch time? time to public disclosure from patch hitting a server? sudden pull of the update after it's been reversed due to no qa?

# May 6, 2017 04:23
Meat Beat Agent posted: it's tavis time motherfuckers
A Pinball Wizard posted: my body is ready

# May 6, 2017 04:25
Zil posted: but how will we poo poo post?
smoke signals

# May 6, 2017 04:52
Cocoa Crispies posted: as a shorty playing in group policy settings
secfuck thread bringing the hits

# May 6, 2017 06:33
having worked with military customers in the past idk what the fuss is about, fips mode just disables some poo poo and requires that all certs be generated with that poo poo disabled. on the other hand now i occasionally have to deal with SMB customers so i imagine when i tell them that they need to hire a dedicated computer toucher they hire some fuckwit who wasn't in the military but worked with peeps who got their gi bill and went on to be successful computer touchers after their stint touching computers in the military and heard said successful person mention fips as a requirement for military networks at some point. what i'm tryna say is MILITARY. GRADE. ENCRYPTION. customer confidence inspired.

# May 6, 2017 06:48
Zil posted: but how will we poo poo post?
my goth gf posted: smoke signals

# May 6, 2017 08:14
anatoliy pltkrvkay posted: having worked with military customers in the past idk what the fuss is about fips mode just disables some poo poo and requires that all certs be generated with that poo poo disabled.
it's really in vogue with uk banks and corporates too, probably because of those three magic words. it's not actually a bad baseline as such things go (god knows it's better than how the majority of companies have things set up), it's just like ten years out of date.

# May 6, 2017 08:29
https://img-9gag-fun.9cache.com/photo/ajXGN30_460sv.mp4

# May 6, 2017 11:11
goddamnedtwisto posted: it's really in vogue with uk banks and corporates too, probably because of those three magic words. it's not actually a bad baseline as such things go (god knows it's better than how the majority of companies have things set up), it's just like ten years out of date.
it's something policymakers can turn into a checklist that's really all

# May 6, 2017 17:05
goddamnedtwisto posted: it's really in vogue with uk banks and corporates too, probably because of those three magic words. it's not actually a bad baseline as such things go (god knows it's better than how the majority of companies have things set up), it's just like ten years out of date.

The base document is old, but stuff like the approved ciphers are kept at least somewhat up to date (http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf). Even some of the requirements of the base standard aren't bad: it includes things like requiring the use of a good source of entropy for your crypto system, something that is easy to screw up on things like embedded devices, and verification that all the ciphers/hashes/etc are implemented correctly. The problems are more with the certification itself, which has some big problems:

1. It's really complicated. FIPS 140-2 is only 70 pages, but to actually pass certification there's info scattered in a bunch of other places, like the annex above, or the implementation guide that's over 1000 pages last I checked. This means you'll probably need a consultant that keeps up with everything just to pass.

2. Certification is really slow. I don't know what the backlog is now, but in the past it was 9+ months from when you submitted your documents to when you actually got certified, assuming no problems were found.

3. You have to follow the product's security policy in order to actually use it in the correct way. Since, as others have mentioned, this is just a checklist item for most companies, they probably aren't actually doing this. I recall hearing one time that Cisco sold way more FIPS boxes than security kits, meaning that most of those devices were not running in an approved manner.

4. This is a really big one, but once you've gotten certification you cannot make any changes within the cryptographic boundary. If you do, the new code/device is not considered certified. Find a security flaw and fix it? That new version is not certified even though it's objectively more secure. I think this is gotten around sometimes by saying that the new version is based on a FIPS version, but it's stupid that something like that can even happen. IIRC this may stem from the standard before FIPS 140 being only for hardware devices, where respinning a chip was way less common than making a software change.

Anyway I don't do FIPS anymore so none of this is my problem now.

# May 6, 2017 22:07
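The two base-standard requirements that post calls not bad (a good entropy source, and verifying that the ciphers/hashes are implemented correctly) are what a module's power-on self-tests enforce. This is an added example, my own code and not anything from the thread or from NIST: known-answer tests against published vectors (FIPS 180-4 SHA-256, RFC 4231 HMAC-SHA256), a FIPS 140-2 style continuous RNG test, and a hypothetical CryptoModule class (name assumed) that refuses to operate when either fails.

```python
# Added example, not code from the thread: a model of the FIPS 140 self-test
# and entropy requirements the post mentions, standard library only.
import hashlib
import hmac
import os

# Published known answers (FIPS 180-4, RFC 4231): name -> (hex digest fn, expected)
KAT_VECTORS = {
    "SHA-256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "HMAC-SHA256": (
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    ),
}

def run_known_answer_tests(vectors=KAT_VECTORS):
    """Known-answer tests: each algorithm must reproduce its published digest."""
    return {name: hmac.compare_digest(compute(), expected)
            for name, (compute, expected) in vectors.items()}

def continuous_rng_test(get_random=os.urandom, blocks=8, size=16):
    """FIPS 140-2 style continuous RNG test: a block equal to its predecessor
    means the entropy source is stuck and must not be used."""
    previous = get_random(size)
    for _ in range(blocks):
        current = get_random(size)
        if current == previous:
            return False
        previous = current
    return True

class CryptoModule:
    """Hypothetical module (name assumed): stays in an error state until self-tests pass."""
    def __init__(self, vectors=KAT_VECTORS, get_random=os.urandom):
        self.vectors, self.get_random = vectors, get_random
        self.error_state = True
        self.power_on_self_test()

    def power_on_self_test(self):
        kat_ok = all(run_known_answer_tests(self.vectors).values())
        self.error_state = not (kat_ok and continuous_rng_test(self.get_random))
        return not self.error_state

    def digest(self, data):
        if self.error_state:  # approved operations are refused after a failed self-test
            raise RuntimeError("module in error state: self-test failed")
        return hashlib.sha256(data).hexdigest()
```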
https://twitter.com/bcrypt/status/860735972756963328

# May 6, 2017 22:09
what

# May 6, 2017 22:36
tavis tweeted that he figured out a key part of one of his lastpass exploits in the shower

# May 6, 2017 22:37
vOv posted: tavis tweeted that he figured out a key part of one of his lastpass exploits in the shower
oh haha, i remember that

# May 6, 2017 22:40