|
Alex was good to work with, and will be missed, but I wouldn’t rush to sell $FB on the news.
|
#
?
Mar 19, 2018 23:49
|
|
|
|
| # ? May 29, 2024 01:43 |
|
|
Subjunctive posted:Alex was good to work with, and will be missed, but I wouldn’t rush to sell $FB on the news.
|
|
#
?
Mar 19, 2018 23:51
|
|
|
Indeed.
|
|
#
?
Mar 19, 2018 23:55
|
|
|
Diva Cupcake posted:So this happened. I’m sure everything is fine. He also deleted a bunch of posts: https://twitter.com/alexstamos/status/975069709140877312
|
|
#
?
Mar 20, 2018 01:06
|
|
|
What does "planning to" mean? It certainly doesn't contradict what he said in his tweets.
|
|
#
?
Mar 20, 2018 05:18
|
|
|
Additionally, https://twitter.com/bcrypt/status/975867714475515904
|
|
#
?
Mar 20, 2018 05:47
|
|
|
Wow, he sure knows how to pick'em. Meanwhile: https://twitter.com/MalwareTechBlog/status/976058578678116352  
|
|
#
?
Mar 20, 2018 13:16
|
|
|
The Fool posted:According to this page Resilio traffic is encrypted with AES-128 which is a lower level of security than their own website. FYI AES-256 isn't just 128 with double the key-size, it is it's own algorithm with a key chaining scheme that many researchers believe limit its effectiveness to roughly the same as 128. Both are fine for data in-transit for the most part, I would only be demanding 256 for at-rest.
|
|
#
?
Mar 20, 2018 13:34
|
|
|
Absurd Alhazred posted:Wow, he sure knows how to pick'em. When I was at a conference earlier this year, almost all of us women at one of the con's official parties huddled together at one table in a vain attempt to keep men away. These parties are almost always toxic if you're not a man. It's really obnoxious to have drunk infosec dimwits around you the whole time who are not interested in what you do for a job. On and off I keep thinking about arranging a women's infosec meet in the city at some coffee shop since I want to avoid the trend of drinking-related events.
|
|
#
?
Mar 20, 2018 15:12
|
|
|
BangersInMyKnickers posted:FYI AES-256 isn't just 128 with double the key-size, it is it's own algorithm with a key chaining scheme that many researchers believe limit its effectiveness to roughly the same as 128. Both are fine for data in-transit for the most part, I would only be demanding 256 for at-rest. Outside of quantum computers, I thought there wasn't much point in worrying about AES256 if you were already using 128, even at rest. Any reason for needing 256 other than modern computers don't really care about the slightly slower speed of it, so why not?
|
|
#
?
Mar 20, 2018 15:44
|
|
|
At a defcon, I walked past a man and woman chatting. The man asked her "which hotel did you say you were staying at?" The woman scoffed and replied "my infosec isn't that bad." Thank you for listening to my story.
|
|
#
?
Mar 20, 2018 15:46
|
|
|
duz posted:At a defcon, I walked past a man and woman chatting. The man asked her "which hotel did you say you were staying at?" The woman scoffed and replied "my infosec isn't that bad." Thank you for listening to my story. 
|
|
#
?
Mar 20, 2018 15:50
|
|
|
she meant “opsec”. typical woman, amirite?
|
|
#
?
Mar 20, 2018 15:52
|
|
|
Inept posted:Outside of quantum computers, I thought there wasn't much point in worrying about AES256 if you were already using 128, even at rest. Any reason for needing 256 other than modern computers don't really care about the slightly slower speed of it, so why not? If you can use it and the additional overhead doesn't cause appreciable performance impact for you then there isn't much of a reason not to use it. Any hardware with AES-NI support is going to see practically identical CPU load from either cipher. AES brute forcing is measured in hundreds of years at the moment, but keep in mind that 2DES was broken and 3DES was severely weakened due to their key chaining scheme. Its a complete crap-shoot at this point but it could turn out down the road that AES-256 is actually less secure than 128 because of the chaining scheme. Both are fine and something only supporting AES-128 isn't an indicator of weak security posture.
|
|
#
?
Mar 20, 2018 15:58
|
|
|
http://blog.keigher.ca/2018/03/performing-your-own-dentistry.html Here's a blog post version of my talk. Be prepared for the notes to paragraphs conversion to be sort of janky.
|
|
#
?
Mar 20, 2018 17:53
|
|
|
Lain Iwakura posted:http://blog.keigher.ca/2018/03/performing-your-own-dentistry.html Really good read though.
|
|
#
?
Mar 20, 2018 18:25
|
|
|
BangersInMyKnickers posted:AES brute forcing is measured in hundreds of years at the moment  no.
|
|
#
?
Mar 20, 2018 18:48
|
|
|
Subjunctive posted:she meant “opsec”. typical woman, amirite? Good one
|
|
#
?
Mar 20, 2018 18:48
|
|
|
Yeah I thought the current timeline for this was somewhere around the heat death of the universe. Then again,  may know of some significant weaknesses 
|
|
#
?
Mar 20, 2018 19:19
|
|
|
AES has been vulnerable to sidechannel attacks for a while, but as of a couple years ago, it's gotten cheaper and easier to do. https://www.fox-it.com/nl/wp-content/uploads/sites/12/Tempest_attacks_against_AES.pdf BangersInMyKnickers posted:FYI AES-256 isn't just 128 with double the key-size, it is it's own algorithm with a key chaining scheme that many researchers believe limit its effectiveness to roughly the same as 128. Both are fine for data in-transit for the most part, I would only be demanding 256 for at-rest. I actually did just think that the only difference was key size, so thank you for motivating me to do some more reading.
|
|
#
?
Mar 20, 2018 19:28
|
|
|
Lain Iwakura posted:http://blog.keigher.ca/2018/03/performing-your-own-dentistry.html  for the center cannot hold
|
|
#
?
Mar 20, 2018 19:39
|
|
|
Subjunctive posted:she meant “opsec”. typical woman, amirite? She probably did say opsec, but this is the infosec thread and I'm a dummy.
|
|
#
?
Mar 20, 2018 19:48
|
|
|
Subjunctive posted:she meant “opsec”. typical woman, amirite? Question time! In this day and age, is there a meaningful separation of opsec and infosec? Thoughts, opinions, unfounded and unwarranted confidence?
|
|
#
?
Mar 20, 2018 19:49
|
|
|
Avenging_Mikon posted:unwarranted confidence? Hey! I got an idea for a porn stage name...
|
|
#
?
Mar 20, 2018 19:56
|
|
|
When the hell did 1Password goto some stupid monthly subscription model?
|
|
#
?
Mar 20, 2018 20:05
|
|
|
Avenging_Mikon posted:Question time! Yes, and you're bad if you're unable to appreciate the significant difference between the use of the two! Edit: highly significant difference in contemporary use, what are you talking about?
|
|
#
?
Mar 20, 2018 20:08
|
|
|
cr0y posted:When the hell did 1Password goto some stupid monthly subscription model? It’s been an option for a few years. Unless you’re on Windows, then the poo poo is mandatory.
|
|
#
?
Mar 20, 2018 20:11
|
|
|
Proteus Jones posted:It’s been an option for a few years. Unless you’re on Windows, then the poo poo is mandatory. Eh? Ive been using it for a couple years and get updates regularly. I use it across windows mac and android without the subscription. I just noticed it and im all wtf, I'll happily pay for a good product but these small monthly subscription models piss me off even if the total over a year or two is the same dollar amount. I dont know why
|
|
#
?
Mar 20, 2018 20:16
|
|
|
Potato Salad posted:Yes, and you're bad if you're unable to appreciate the significant difference between the use of the two! Sorry, left it too open ended. These are the basic definitions I'm operating under, for clarity: quote:Operations security is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information. quote:Information Security: the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information If you take adversaries to mean hackers et al, aren't these very connected fields, and to focus on one to the exclusion of the other is detrimental to your ability to do the one you focus on? Obviously they're both large fields, and you can't master absolutely everything, but knowing both would be a boon, it seems.
|
|
#
?
Mar 20, 2018 20:25
|
|
|
|
|
#
?
Mar 20, 2018 20:36
|
|
|
Saying “you want both” isn’t the same as “they are the same thing”, right?
|
|
#
?
Mar 20, 2018 20:38
|
|
|
The Fool posted:AES has been vulnerable to sidechannel attacks for a while, but as of a couple years ago, it's gotten cheaper and easier to do.
|
|
#
?
Mar 20, 2018 20:43
|
|
|
Avenging_Mikon posted:Question time! Both sound dumb and tacticool. Computer security for life 
|
|
#
?
Mar 20, 2018 20:48
|
|
|
Avenging_Mikon posted:
Then there's physical security.
|
|
#
?
Mar 20, 2018 20:52
|
|
|
Subjunctive posted:Saying “you want both” isn’t the same as “they are the same thing”, right? No. But my question is, and what I want discussion on, is is it like being an architect who doesn't know math if you only consider one or the other, or is it more like a driver who doesn't know automotive repair, and you can get by in either field without knowing anything about the other field past "it exists."
|
|
#
?
Mar 20, 2018 21:15
|
|
|
They're not interchangable. There is overlap in goals and the sense that both involve your agents adopting practices intended to accomplish those goals without totally interrupting work. At their core, both involve concepts like authorization, authentication, limitation of scope/need-to-know, and at the core: risk management. Didn't realize you were after an effort post, I'll provide this evening. Potato Salad fucked around with this message at 21:26 on Mar 20, 2018 |
|
#
?
Mar 20, 2018 21:22
|
|
|
cr0y posted:When the hell did 1Password goto some stupid monthly subscription model? A while back, but standalone vaults are making a comeback in the in-
|
|
#
?
Mar 20, 2018 21:38
|
|
|
Meh it's not that expensive, I just wait until I get into the office a couple of times for a free coffee rather than buying one on the way to work.
|
|
#
?
Mar 20, 2018 21:46
|
|
|
Potato Salad posted:They're not interchangable. Potato Salad posted:There is overlap in goals and the sense that both involve your agents adopting practices intended to accomplish those goals without totally interrupting work. At their core, both involve concepts like authorization, authentication, limitation of scope/need-to-know, and at the core: risk management. That's more what I'm saying, there's complimentary goals in each, so taking both in to consideration can have a building affect on each other. Maybe. I don't know! That's part of why I'm trying to get a bit of discussion going past "lol facebook" Potato Salad posted:Didn't realize you were after an effort post, I'll provide this evening. That'd be awesome.
|
|
#
?
Mar 20, 2018 21:47
|
|
|
|
| # ? May 29, 2024 01:43 |
|
|
cr0y posted:Eh? Ive been using it for a couple years and get updates regularly. I use it across windows mac and android without the subscription. If you stay on v4 for Windows you can use Dropbpox, sync folder with other cloud drive service, and local LAN/WLAN sync. It’s fine and AgileBits still pushes out updates for that version. Any newer version of Windows 1Password is “lol subscription to our cloud only”. They currently have Windows v7 of their client in alpha testing and that will give you a choice. I still use v4 client on my game machine (only Windows box I have). iOS/macOS has always been iCloud/Dropbox, sync folder, local LAN/WLAN sync, and subscription.
|
|
#
?
Mar 20, 2018 23:20
|
|