anthonypants posted:

according to this article, the dutch saw the russians phishing the us state department in november (what year?), and they told the nsa, and the nsa and fbi responded within 24 hours? and then the state department took down their email servers "for a whole weekend in order to upgrade the security"

then they describe what a phishing attack is, then they talk about what the dutch and american hacker teams do. besides, i don't even remember any big news coming from state department emails. there were the emails on hillary's personal server, which wasn't at the state department, and there was the podesta emails, who also didn't work for the state department. seems like this has less to do with the us election than russia's facebook spend

spankmeister posted:

Yeah the article kind of sucks (and so does the translation imo) but if this is true then it's pretty awesome imo that they managed to gain such a level of access

Reuters posted:

Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O) and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

But those same products protect some of the most sensitive areas of the U.S government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.

Reuters revealed in October that Hewlett Packard Enterprise (HPE.N) software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.

Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department's intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.

fishmech posted:

there is such a thing as falling for scammy companies that will you sell you it, probably.

Dadbod Apocalypse posted:

oops!

Tech firms let Russia probe software widely used by U.S. government


https://www.reuters.com/article/us-usa-cyber-russia/tech-firms-let-russia-probe-software-widely-used-by-u-s-government-idUSKBN1FE1DT

infernal machines posted:

how is this an oops? if they want to sell software to the russians this is sop

BangersInMyKnickers posted:

lol this is literally routine poo poo that we do [...] but now [russia is doing it] and waa-waa-waa

Dadbod Apocalypse posted:

oops!

Tech firms let Russia probe software widely used by U.S. government


https://www.reuters.com/article/us-usa-cyber-russia/tech-firms-let-russia-probe-software-widely-used-by-u-s-government-idUSKBN1FE1DT

anthonypants posted:

PCjr sidecar posted:

oh no the russians might be able to figure out that sep is poo poo

Dadbod Apocalypse posted:

PCjr sidecar posted:

oh no the russians might be able to figure out that sep is poo poo

anthonypants posted:

have you looked at the current state of standardized infosec testing and certification

anthonypants posted:

have you looked at the current state of standardized infosec testing and certification

Hed posted:

I’m not really familiar with them because I don’t make decisions based off someone’s testing and certification. Can you be more explicit about what you’re getting at?

anthonypants posted:

Evis posted:

The reversers I know can read binary better than source so I’m not sure this matters at all.

e: edited this for accuracy

Jewel posted:

https://twitter.com/fs0c131y/status/956628910308982785

Jewel posted:

https://twitter.com/fs0c131y/status/956628910308982785

Jewel posted:

https://twitter.com/fs0c131y/status/956628910308982785

Jonny 290 posted:

any yosposter has a standing offer to come pet the cats if they visit denver, but im smokin u out and we dont play around

Jewel posted:

https://twitter.com/fs0c131y/status/956628910308982785

Cocoa Crispies posted:

*woop*woop* it’s the android police

*woop*woop* it’s a site for the obese

Cocoa Crispies posted:

*woop*woop* it’s the android police

*woop*woop* it’s a site for the obese

Cocoa Crispies posted:

*woop*woop* it’s the android police

*woop*woop* it’s a site for the obese

Cocoa Crispies posted:

*woop*woop* it’s the android police

*woop*woop* it’s a site for the obese

Cocoa Crispies posted:

*woop*woop* it’s the android police

*woop*woop* it’s a site for the obese

Hed posted:

I was trying to point out that I haven’t seen licensure solve the purported problems in other engineering fields so I don’t see how going down the path in software and infosec would make a difference.
In other words, proposals sound great around the dinner table but based on how I believe it would be legislated it would accomplish little positive. State by state licensure and leaving industry exemptions (which industry would demand being in any legislation in the US) would make it completely pointless while raising barriers to entry, a net negative for society.
If I really wanted to put a dent in the problem I believe the least worst solution would be to put real penalties behind undesired outcomes, in the vein of HIPPA as discussed previously. As it is I’m skeptical because racking up pointless credit monitoring seems to be the currently anchored “penalty” for poor decisions.

Cocoa Crispies posted:

*woop*woop* it’s the android police

*woop*woop* it’s a site for the obese

Cocoa Crispies posted:

*woop*woop* it’s the android police

*woop*woop* it’s a site for the obese