|
IANAL but isn’t taking a user database containing information submitted for the purpose of having a working home security system, and then using it to cross-reference people with lots of Twitter followers for marketing purposes a GDPR no-no?
|
#
?
Jun 15, 2018 00:58
|
|
|
|
| # ? May 18, 2024 16:40 |
|
|
Thanks Ants posted:IANAL but isn’t taking a user database containing information submitted for the purpose of having a working home security system, and then using it to cross-reference people with lots of Twitter followers for marketing purposes a GDPR no-no? given that the person in question works for the Field Museum (in Chicago), the security company probably doesn't care about the GDPR.
|
|
#
?
Jun 15, 2018 01:17
|
|
|
*jumps out of bushes wearing Jason mask* "GDPR!!!!!!!"
|
|
#
?
Jun 15, 2018 02:29
|
|
|
poisonpill posted:*jumps out of bushes wearing Jason mask* If you had posted this exact thing on Twitter like 2 weeks ago you'd probably be an internet sensation with 200k favorites
|
|
#
?
Jun 15, 2018 02:32
|
|
|
Thanks Ants posted:IANAL but isn’t taking a user database containing information submitted for the purpose of having a working home security system, and then using it to cross-reference people with lots of Twitter followers for marketing purposes a GDPR no-no? Even the Wild Wild Midwest must have some kind of privacy laws.
|
|
#
?
Jun 15, 2018 04:45
|
|
|
Absurd Alhazred posted:Even the Wild Wild Midwest must have some kind of privacy laws.
|
|
#
?
Jun 15, 2018 14:47
|
|
|
Absurd Alhazred posted:Even the Wild Wild Midwest must have some kind of privacy laws. That's quite the incorrect assumption you've made, unless "No Trespassing" signs count for "some kind of privacy laws."
|
|
#
?
Jun 15, 2018 14:53
|
|
|
Absurd Alhazred posted:Even the Wild Wild Midwest must have some kind of privacy laws. What reality do you live in where privacy laws in America are a thing? It sounds nice.
|
|
#
?
Jun 15, 2018 15:17
|
|
|
Hold up there, don't want to slow down the JOB CREATORS
|
|
#
?
Jun 15, 2018 15:19
|
|
|
BangersInMyKnickers posted:The documentation says you only need PKI if you don't have kerberos for system authentication (or go noauth yolo and rely on the firewall). Hopefully that's true, since I'm banking on it. Test environment is still locked up in a zone while I wait for firewall rules to get opened so I can get it pulling logs. Interesting. I didn't catch that at all. Well, that's nice  . RE: test environment, I literally cannot get anything stood up because our pipeline terrible so I am forced to write my own local one. I'm using https://github.com/VirtualEngine/Lability to manage my free trial media for this project. So far I've only got 2 VMs and a private switch auto building because I've never used DSC before, but it seems like this'll work for me, at least to PoC before I ask for small changes in existing environments.
|
|
#
?
Jun 15, 2018 16:25
|
|
|
Jowj posted:Interesting. I didn't catch that at all. Well, that's nice Jessica Payne did a couple things about WEF over the last couple years that go over a lot of the useful detail. Use source-computer initiated instead of collector-initiated so the log server itself is just a privilege-less black hole. The content is all over WinRM so it auto negotiates Kerberos Auth and session encryption if in the same or trusted domains and requires that or TLS so as noted PKI is only needed across domain trust boundaries. If PSRemoting works, WEF will work. If you do go across domains, deliver the public cert in the same GPO that configures the client to target the log server in the first place.
|
|
#
?
Jun 15, 2018 17:12
|
|
|
https://twitter.com/WeldPond/status/1007668993669378048
|
|
#
?
Jun 16, 2018 07:01
|
|
|
xposted from the yospos thread:quote:what are secgoons using for appsec tools?
|
|
#
?
Jun 19, 2018 18:30
|
|
|
If you find something that covers both Go and Erlang, please be sure to report back!
|
|
#
?
Jun 19, 2018 19:41
|
|
|
I'm not expecting to find something that covers the whole stack but I don't really want to glue together something for every language/ecosystem.
|
|
#
?
Jun 19, 2018 20:07
|
|
|
Sonarqube for SAST and Whitesource or Black Duck for SCA? No idea if they support Erlang but they do support Go
|
|
#
?
Jun 19, 2018 20:11
|
|
|
CLAM DOWN posted:Sonarqube for SAST and Whitesource or Black Duck for SCA? No idea if they support Erlang but they do support Go I did a POC of WhiteSource and I was completely underwhelmed. Some folks here have used BlackDuck in the past and the amount of false positives put them off. Might be worth another look, though. SourceClear was better but they got bought by CA so until the lifetime and pricing of that product shakes out I'm not about to drop $$.
|
|
#
?
Jun 19, 2018 22:38
|
|
|
https://twitter.com/SwiftOnSecurity/status/1011412172369465345 Don't Google your own crypto.
|
|
#
?
Jun 26, 2018 02:00
|
|
|
The bad roleplay twitter account thinks "FIDO U2F" is the make and model of a 2FA dongle, but "FIDO" is the name of the consortium, and "U2F" is an authentication standard. The first link in the Google results on the article they're talking about is, indeed, an Amazon page for an old Yubico key, but the description should be clear enough for anyone who ends up there.
|
|
#
?
Jun 26, 2018 03:47
|
|
|
hot take: Swift On Security is bad in every way and always has been
|
|
#
?
Jun 26, 2018 04:06
|
|
|
No I think telling people to search for something and then buying the first thing that pops up is probably unwise.
|
|
#
?
Jun 26, 2018 04:16
|
|
|
CLAM DOWN posted:hot take: Swift On Security is bad in every way and always has been Swift On Security is literally Taylor Swift tweeting about infosec and I will not be convinced otherwise. 
|
|
#
?
Jun 26, 2018 04:30
|
|
|
Absurd Alhazred posted:Swift On Security is literally Taylor Swift tweeting about infosec and I will not be convinced otherwise. Taking the most absurd possible answer in these trying times is always the right answer.
|
|
#
?
Jun 26, 2018 04:41
|
|
|
Methylethylaldehyde posted:Taking the most absurd possible answer in these trying times is always the right answer. 
|
|
#
?
Jun 26, 2018 05:00
|
|
|
She keeps bumping into guys at parties trying to impress her with their bad professional opinions and just dumps them to Twitter
|
|
#
?
Jun 26, 2018 12:38
|
|
|
Trying to impress people with your bad opinions is a pretty good summary of the security industry, tbh
|
|
#
?
Jun 26, 2018 13:21
|
|
|
Also my posts
|
|
#
?
Jun 26, 2018 13:39
|
|
|
Docjowles posted:Trying to impress people with your bad opinions is a pretty good summary of the security industry, tbh Security is a brilliant field of trying to elaborate the best theory with the worst practice.
|
|
#
?
Jun 26, 2018 15:08
|
|
|
CLAM DOWN posted:hot take: Swift On Security is bad in every way and always has been
|
|
#
?
Jun 26, 2018 18:30
|
|
|
I just finished Spam Nation and enjoyed reading it. Does anyone have any recommendations for other narrative-based books about hacking or security? Surveillance Valley is also on my list.
|
|
#
?
Jun 26, 2018 18:34
|
|
|
my bitter bi rival posted:I just finished Spam Nation and enjoyed reading it. Does anyone have any recommendations for other narrative-based books about hacking or security? Surveillance Valley is also on my list. I enjoyed Kingpin, as I recall.
|
|
#
?
Jun 26, 2018 18:36
|
|
|
my bitter bi rival posted:I just finished Spam Nation and enjoyed reading it. Does anyone have any recommendations for other narrative-based books about hacking or security? Surveillance Valley is also on my list. The Cuckoo's Egg.
|
|
#
?
Jun 26, 2018 19:08
|
|
|
Judge Schnoopy posted:Security is a brilliant field of trying to elaborate the best theory with the worst practice. HIPPA: Multifactor, 15 minute lockout period, robust auditing. REAL HIPPA: USB mouse jiggler, fired nurse's username and password on a stickynote taped to the monitor, auditing disabled because it recording all these things and made management look bad.
|
|
#
?
Jun 26, 2018 19:42
|
|
|
Methylethylaldehyde posted:HIPPA: Multifactor, 15 minute lockout period, robust auditing.
|
|
#
?
Jun 26, 2018 19:51
|
|
|
So I had a question based on someone's thread they made on the spurr of the moment in the subforum: outside of cryotographies general application of controlling access to information, are there other applications for the techniques involved? Like would it be possible to use things learned there to generate random numbers, or to find natural patterns in nature that might have a sort of incidental obfuscation of the actual pattern due to some aspect of the phenomena? Just curious what kind of crossover it can have with other sciences.
|
|
#
?
Jun 26, 2018 21:31
|
|
|
my bitter bi rival posted:I just finished Spam Nation and enjoyed reading it. Does anyone have any recommendations for other narrative-based books about hacking or security? Surveillance Valley is also on my list. Cuckoo’s Egg is obviously the great but if your inner BBS hacker teen didn’t love “Masters of Deception: The Gang That Ruled Cyberspace” then you’re wrong.
|
|
#
?
Jun 26, 2018 23:49
|
|
|
Diva Cupcake posted:Cuckoo’s Egg is obviously the great but if your inner BBS hacker teen didn’t love “Masters of Deception: The Gang That Ruled Cyberspace” then you’re wrong. I got that one and “Where Wizards Stay Up Late” for Christmas from my parents when I was in college (prior to dropping out). Both are great reads.
|
|
#
?
Jun 27, 2018 00:55
|
|
|
Lain Iwakura posted:The Cuckoo's Egg. I picked this one up in high school in the discount pile at Waldenbooks. Maybe one of my better life choices.
|
|
#
?
Jun 27, 2018 18:35
|
|
|
We're in a situation where we have seasonal load for our border firewall traffic and we're in a down cycle. We're logging all inbound drops to Splunk at the moment and we're going to blow through our license in a spectacular manner once the next cycle hits. The people running the service are just sorta sitting there fretting about it but not actually doing any load shedding and are trying to play chicken with the execs to get more money for more ingest license. Apparently the border firewall accounts for about half our ingest rate and drops are a huge portion of those. The ops people don't want to lose visibility, but the vast majority of those are coming from garbage ISPs full of crap that nobody cares about. My thought as a compromise position was to import SpamHaus or whoever's RBL in to a deny rule one above the default deny with no logging to load shed a bunch of poo poo that we don't care about, and even that they are iffy on. It's an incredibly stupid situation and I am trying to steer these children away from impending doom and likely getting their asses fired for not doing due diligence and if anyone has dealt with something similar and can weigh in on border firewall log load shedding tactics I would love to have someone else involved with this.
|
|
#
?
Jun 28, 2018 20:45
|
|
|
|
| # ? May 18, 2024 16:40 |
|
|
I have no real insights, but I’d probably try to measure what’s taking up the bulk of the data and blocking those if it makes sense to.
|
|
#
?
Jun 28, 2018 20:54
|
|