Potato Salad posted:Well, so was the outrage about the fact that it's difficult to set up a Google authenticator, or that it's easy for someone to accidentally install the wrong app? so you go to add second factor authentication to your microsoft account on microsoft's site. it asks you: do you use android, ios, windows phone, or another device? if you say android, it links you the official microsoft app directly on google's play store. if you say ios, it links you their official app in the itunes store. if you say windows phone, it links the official app in the microsoft store. only if you say, "i have another device" does it say "idk look for an app on whatever weird store you have, here's the same standard QR code + enter your app's generated code thing you use for other apps". because they're, again, not going to go around vetting whatever weird app is available on the store for an old blackberry curve or some offbrand tizen phone or whatever. this is precisely why wiggly wayne's post was so stupid: he showed searching the microsoft store for mobile apps, when in fact if you had a windows phone microsoft already told you, use https://www.microsoft.com/en-us/store/p/authenticator/9wzdncrfj3rj?rtc=1 Wiggly Wayne DDS posted:yeah i was pointing out the obvious for when you literally search authenticator and go with the list of results, but that's the windows store experience really which again, it never tells you to search the windows store in the first place soooooooooooooo
|
# ? Mar 14, 2018 22:29 |
|
|
shut up shut up shut up
|
# ? Mar 14, 2018 22:36 |
|
a credible person steps forward: https://twitter.com/aionescu/status/974028647307849730
|
# ? Mar 14, 2018 22:38 |
|
What sick name did they give this vulnerability? I propose H.Y.P.E.R Venom but someone think of a good acronym for hyper.
|
# ? Mar 14, 2018 22:42 |
|
cansecwest got some good talks so far rip faith in TPM
|
# ? Mar 14, 2018 23:41 |
|
Salt Fish posted:What sick name did they give this vulnerability? I propose H.Y.P.E.R Venom but someone think of a good acronym for hyper.
|
# ? Mar 14, 2018 23:43 |
|
Wiggly Wayne DDS posted:a credible person steps forward: infosec aziz ansari moment
|
# ? Mar 15, 2018 00:08 |
|
I'm RYZENFALL
|
# ? Mar 15, 2018 00:13 |
|
titaniumone posted:
really?
|
# ? Mar 15, 2018 01:15 |
|
BattleMaster posted:I'm RYZENFALL The #AMDflaws II: Ryzenfall
|
# ? Mar 15, 2018 03:34 |
|
i propose SPACE LASER SKULL
|
# ? Mar 15, 2018 13:52 |
|
dumb nerds are just using words they saw in video games and lazy portmanteaus
|
# ? Mar 15, 2018 14:47 |
|
spankmeister posted:https://www.youtube.com/watch?v=DRnDBPQIEmo nice, you wrote "smörgåsbord" :D if you only have a few linux boxes spread around running systemd-journald and nothing else, what's the best log aggregator?
|
# ? Mar 15, 2018 15:27 |
|
spankmeister posted:https://www.youtube.com/watch?v=DRnDBPQIEmo This your speech? Nice, going to watch the rest later. We've been logging with ELK/Logstash.
|
# ? Mar 15, 2018 15:40 |
|
Not mine, Lain's
|
# ? Mar 15, 2018 16:26 |
|
fishmech posted:this is precisely why wiggly wayne's post was so stupid: he showed searching the microsoft store for mobile apps, when in fact if you had a windows phone microsoft already told you, use https://www.microsoft.com/en-us/store/p/authenticator/9wzdncrfj3rj?rtc=1 this is also why the idea that Microsoft shouldn’t tell users with weird devices to “search for ‘authenticator’ in your App Store” is so stupid: if that step weren’t included then even security conscious people will start searching the wrong store or even the open internet for their authenticator... as has been so amply demonstrated in this thread
|
# ? Mar 15, 2018 16:35 |
|
it’s 2018 there should really be an authenticator app bundled with every mobile OS
|
# ? Mar 15, 2018 17:27 |
|
Lutha Mahtin posted:really? physical security of tpm appears to have truly been an afterthought and MITMing many tpms is nearly trivial. the spec makes many things optional that should have been mandatory so there are quite a few mistakes.
|
# ? Mar 15, 2018 18:25 |
|
US says Russia hacked energy grid, punishes 19 for meddling quote:That alert, published online by Homeland Security, said the hacking effort was a “multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks” to gain access and plant malware, which was then used to monitor activity as well as to move laterally into other, larger industrial control systems.
|
# ? Mar 15, 2018 18:48 |
|
McGlockenshire posted:In one case, the alert said, hackers downloaded a small image from a company’s human resources page that when blown up was actually “a high-resolution photo that displayed control systems equipment models and status information in the background.” Haha, the good old 10 meg jpeg displayed at 100 by 100 pixels.
|
# ? Mar 15, 2018 19:01 |
|
the MO of anyone allowed to post content to a sharepoint site really. also uploading images that don't have a 1:1 aspect ratio and then get squished all up and poo poo.
|
# ? Mar 15, 2018 19:04 |
|
https://twitter.com/trailofbits/status/974345028498804737
|
# ? Mar 15, 2018 19:21 |
|
this is literally the technical bits from that "whitepaper" without any of the obvious marketing or financial gunk. nothing new. I'm honestly impressed at how elaborate this stock scam is
|
# ? Mar 15, 2018 19:23 |
|
Lain Iwakura posted:Stop shaggaring... Audio keeps cutting out.
|
# ? Mar 15, 2018 19:28 |
|
Kazinsal posted:this is literally the technical bits from that "whitepaper" without any of the obvious marketing or financial gunk. nothing new. Isn't that what a technical summary is? Take out the cruft and fluff and just leave technical information.
|
# ? Mar 15, 2018 20:42 |
|
Kazinsal posted:this is literally the technical bits from that "whitepaper" without any of the obvious marketing or financial gunk. nothing new. their takeaway was that people were worried about the "disclosure issues" and not the whole rest of it
|
# ? Mar 15, 2018 21:36 |
|
cheese-cube posted:pretty sure we have one resident schannel pro, i shamefully cannot remember but they posted nice cipher suite lists plus recommended ECC curve combos, was very handy BangersInMyKnickers posted:Crypto Config Boogaloo 2017 Edition BangersInMyKnickers posted:I'm dropping DSA/DSS ciphers from servers because TLS1.3 goes RSA-only and your CA probably isn't issuing DSA certs anyway. Still on for clients for compatibility reasons. anthonypants fucked around with this message at 21:45 on Mar 15, 2018
# ? Mar 15, 2018 21:41 |
|
Good news, I am revising our AD policies this spring that will probably correspond with the spring creators update so I'll update accordingly.
|
# ? Mar 15, 2018 21:43 |
|
BangersInMyKnickers posted:Good news, I am revising our AD policies this spring that will probably correspond with the spring creators update so I'll update accordingly.
|
# ? Mar 15, 2018 21:45 |
|
DH implementations aren't looking so hot these days so I'd probably drop them entirely for ECDH, there are very few clients that support DH that don't also support ECDH and if it's legacy, RSA is still an ok fallback. We'll see what's going on with curve availability, hopefully MS starts adding some additional modern curves instead of just x25519
|
# ? Mar 15, 2018 21:46 |
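The two posts above (dropping DSA/DSS suites from servers, and dropping finite-field DH in favour of ECDH with plain RSA key exchange as the legacy fallback) describe a Schannel policy without showing how to apply it. The script below is an added example written for this thread, not code from any poster or from Microsoft. It uses the built-in TLS module cmdlets `Get-TlsCipherSuite` and `Disable-TlsCipherSuite` (Windows 8.1 / Server 2012 R2 and later); the drop patterns and the "keep at least one ECDHE suite" sanity check are this example's own assumptions, not a vendor recommendation.

```powershell
<#
Added example, not from the thread: audit the Schannel cipher suite list on a
Windows host and optionally disable the finite-field DHE and DSA/DSS suites,
leaving ECDHE suites enabled with plain RSA key exchange as the fallback.
Run without -Apply to see what would change; run with -Apply from an
elevated prompt to disable the matching suites.
#>
[CmdletBinding()]
param(
    # Without -Apply the script only reports; with it, suites are disabled.
    [switch]$Apply
)

# Suite-name patterns to remove (assumed policy, taken from the posts):
#   TLS_DHE_*  finite-field ephemeral Diffie-Hellman key exchange
#   *_DSS_*    DSA-signed suites
$dropPatterns = @('^TLS_DHE_', '_DSS_')

$suites = @(Get-TlsCipherSuite)
if ($suites.Count -eq 0) {
    throw "Get-TlsCipherSuite returned nothing; is the TLS module available?"
}

# Split the enabled suites into the ones the policy removes and the ones kept.
$toDrop = $suites | Where-Object {
    $name = $_.Name
    @($dropPatterns | Where-Object { $name -match $_ }).Count -gt 0
}
$dropNames = @($toDrop | ForEach-Object { $_.Name })
$kept = @($suites | Where-Object { $dropNames -notcontains $_.Name })

# Sanity check before touching anything: the remaining list must still offer
# forward secrecy via ECDHE, otherwise the policy has gone wrong.
$ecdhe = @($kept | Where-Object { $_.Name -match '^TLS_ECDHE_' })
$rsaKx = @($kept | Where-Object { $_.Name -match '^TLS_RSA_' })
if ($ecdhe.Count -eq 0) {
    throw "Policy would leave no ECDHE suites enabled; aborting."
}

Write-Host ("Enabled: {0}; to drop: {1}; ECDHE kept: {2}; RSA key-exchange fallback kept: {3}" -f `
    $suites.Count, $dropNames.Count, $ecdhe.Count, $rsaKx.Count)
$dropNames | ForEach-Object { Write-Host "  drop: $_" }

if ($Apply) {
    foreach ($n in $dropNames) {
        Disable-TlsCipherSuite -Name $n
        Write-Host "  disabled: $n"
    }
} else {
    Write-Host "Dry run; re-run with -Apply from an elevated prompt to disable these suites."
}
```

`Disable-TlsCipherSuite` edits the local machine's cipher suite order, so on a domain-joined fleet the same list belongs in the "SSL Cipher Suite Order" Group Policy setting rather than a per-host script; the dry-run output is still useful for confirming what a given host currently negotiates before the policy lands.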
|
https://www.nytimes.com/2018/03/15/us/politics/russia-cyberattacks.html quote:The Trump administration accused Russia on Thursday of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will.
|
# ? Mar 15, 2018 23:04 |
|
they're right though
|
# ? Mar 15, 2018 23:06 |
|
spankmeister posted:they're right though Not saying they aren't. it's just how many times does the energy sector need to be warned and/or compromised before they start taking this poo poo seriously. I can remember these conversations over a decade ago.
|
# ? Mar 15, 2018 23:08 |
|
some sectors see availability as more important than security, which makes sense when you think of lots of big business security consulting/systems/products that just neglect availability (one of the CIA services) when not purposely shithousing it
|
# ? Mar 15, 2018 23:10 |
|
quote:U.S. national security officials said the FBI, Department of Homeland Security and intelligence agencies had determined that Russian intelligence and others were behind a broad range of cyberattacks beginning a year ago that have infiltrated the energy, nuclear, commercial, water, aviation and manufacturing sectors. Wiggly Wayne DDS fucked around with this message at 23:19 on Mar 15, 2018
# ? Mar 15, 2018 23:14 |
|
Proteus Jones posted:Not saying they aren't. it's just how many times does the energy sector need to warned and/or compromised before they start taking this poo poo seriously. I can remember these conversations over a decade ago. And to think nobody's holding 'em to the fire right now over operating Critical Infrastructure outside even basic safeguarding standards
|
# ? Mar 15, 2018 23:16 |
|
Wiggly Wayne DDS posted:good read thanks Well, poo poo. I completely missed his post. Sorry for duping.
|
# ? Mar 15, 2018 23:17 |
|
it's worth reading the original report https://www.us-cert.gov/ncas/alerts/TA18-074A they include bitly links used in the campaign that show lack of compartmentalisation: https://bitly.com/2m0x8IH+ (analytics link, safe to click)
|
# ? Mar 15, 2018 23:20 |
|
https://twitter.com/matt_odell/status/974384961603231744 https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/
|
# ? Mar 16, 2018 00:49 |
|
|
Coxswain Balls posted:Audio keeps cutting out. Yeah. I am sorry. I wish it didn't. I'll be writing the slides into a blog post hopefully soon. I am in the midst of moving so I have some stuff on my plate
|
# ? Mar 16, 2018 00:49 |