|
ate all the Oreos posted:i added my phone explicitly for 2fa and immediately started getting push notifications about gosh come check out what your friends are doing!!! yeah, I thought they went back to the good idea, but I guess not
|
#
?
Sep 27, 2018 16:16
|
|
|
|
| # ? Jun 8, 2024 17:53 |
|
|
My Linux Rig posted:I wouldn’t be at all surprised if part of the reasoning behind the cost of adding 2fa was they could gather phone numbers to sell nah, it was done the right way for a long time, and there are very few people who use 2FA and don’t have a registered number otherwise. expensive way to get a few ten-Ks of numbers, versus many others
|
|
#
?
Sep 27, 2018 16:20
|
|
|
Slanderer posted:This is from a few years ago, but it goes deep into why improving the NY subway is so hard (even simple things, like adding countdown clocks). It's extremely good. As everyone in NYC knows the reasons are MTA fat cats and Unions, and that is just a long article saying the same but with insight that overengineered projects are a ticking time bomb. quote:The MTA has had several different generations of countdown clocks and they started proactively installing them in a bunch of stations way before they were ready, so there are some places that have 3 different countdown screens but only 1 works. Also the contract for their installation consists of 'install it at the center of the platform' so there's a bunch of platforms that only have 1 entrance and it's at the very end, so you have to walk halfway down the platform to see when your train is coming. They're like 800x2000 LCDs and somehow the RFP didn't specify MTA Standard Helvetica so they all use Arial and the design is ugly as poo poo. Yay, going from functional to effective digital signage is a PITA. I've gone through so much of this crap, you need a long process of quick iterations and that is completely opposite to what big projects want.
|
|
#
?
Sep 27, 2018 16:59
|
|
|
mrmcd posted:Like "I'm in sales at a new job now have some swag" or literally just a cardboard box of drives with "NOT A ROOTKIT" scrawled on the side? little column a, little column b
|
|
#
?
Sep 27, 2018 17:07
|
|
|
Diva Cupcake posted:lol but completely unsurprising this is, how shall we say, not news as a reminder, anyone can advertise with Facebook
|
|
#
?
Sep 27, 2018 17:44
|
|
|
uefi rootkits aren't just for pocs anymore https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
|
|
#
?
Sep 27, 2018 17:59
|
|
|
Potato Salad posted:this is, how shall we say, not news
|
|
#
?
Sep 27, 2018 18:02
|
|
|
why are people even using facebook at this point? if you need to keep tabs on family just make a dummy account or something.
|
|
#
?
Sep 27, 2018 18:04
|
|
|
anthonypants posted:it's news because facebook employees are constantly tripping over themselves to tell you that this isn't a thing facebook would ever do and you're just being paranoid, it's not news because every single time they're proven wrong I don’t think there are any FB employees in this thread
|
|
#
?
Sep 27, 2018 18:06
|
|
|
Stanley Pain posted:why are people even using facebook at this point? anthonypants fucked around with this message at 18:10 on Sep 27, 2018 |
|
#
?
Sep 27, 2018 18:08
|
|
|
Stanley Pain posted:why are people even using facebook at this point? There's no such thing as a dummy account. They track you even without an account and they know who you are no matter what.
|
|
#
?
Sep 27, 2018 18:12
|
|
|
Stanley Pain posted:why are people even using facebook at this point? my cousin has cancer and posts updates on facebook oh and sometimes i need to hit facebook API endpoints for testing and you have to have a facebook account to use the api
|
|
#
?
Sep 27, 2018 18:17
|
|
|
anthonypants posted:it's news because facebook employees are constantly tripping over themselves to tell you that this isn't a thing facebook would ever do and you're just being paranoid, it's not news because every single time they're proven wrong I first started using this after a FB employee suggested that I can get the additional value of phone data during a free seminar they literally only care about driving engagement
|
|
#
?
Sep 27, 2018 18:41
|
|
|
Salt Fish posted:There's no such thing as a dummy account. They track you even without an account and they know who you are no matter what.  tell me more Kevin Mitnick P.E. posted:my cousin has cancer and posts updates on facebook so using a dummy account in this case would work right? I'm honestly curious why people would willing give their information to facebook for i ask this as someone who has next to 0 social media exposure.
|
|
#
?
Sep 27, 2018 19:27
|
|
|
Stanley Pain posted:
if anyone you've ever known tags you in a photo, which they can do even if you don't have an account, facebook remembers that and correlates it with other things and all sorts of fun shenanigans
|
|
#
?
Sep 27, 2018 19:30
|
|
|
to get back to the dummy account point, i registered one once using totally fake information and it immediately started recommending i become friends with my mom and a bunch of people i went to highschool with. the only way i can imagine this happened is previously i had registered as myself briefly (i don't remember why) and then totally deleted that account, but it must have fingerprinted my browser or something and then a goddamn year later went "lol im on to you fucker" e: to be clear at the time i didn't register as myself and add a bunch of friends and then delete the account, i literally just made one under my real name and some basic info, friended nobody, and deleted it a few weeks later. then a goddamn year after that made a fake account and had it recommend i become friends with a bunch of people i know Shame Boy fucked around with this message at 19:34 on Sep 27, 2018 |
|
#
?
Sep 27, 2018 19:32
|
|
|
ate all the Oreos posted:if anyone you've ever known tags you in a photo, which they can do even if you don't have an account, facebook remembers that and correlates it with other things and all sorts of fun shenanigans *packs up and heads for the mountains* so someone could tag an image of stanley pain, and say this is stanley pain and then facebook now knows who stanley pain is but wouldn't be able to link it back to an actual FB account? interesting.
|
|
#
?
Sep 27, 2018 19:34
|
|
|
Stanley Pain posted:*packs up and heads for the mountains* i mean i think they'd need to correlate a bit more information than a single image but yeah something like that
|
|
#
?
Sep 27, 2018 19:35
|
|
|
Stanley Pain posted:*packs up and heads for the mountains* another fun one is that if someone else uploads their contacts and gives facebook your number, facebook can then give your number to advertisers but you aren't allowed to know facebook has your number and is sharing it, since it is someone else's data
|
|
#
?
Sep 27, 2018 19:36
|
|
|
google "shadow profile" if you want all the horrible details. facebook is maintaining a profile on every individual they are aware of whether they have signed up for facebook or not. this is separate from a personal facebook account if they have one and they won't let you see it
|
|
#
?
Sep 27, 2018 19:40
|
|
|
all of this makes me really happy i'm a hermit living on a mountain without a FB/Google/whateverthefuckgram account. glad my paranoia actually worked for a change  in all seriousness though that is some pretty loving bullshit levels of data mining.
|
|
#
?
Sep 27, 2018 19:54
|
|
|
facebook should only be used over tor, under a fake name, with no facebook contact with anyone you know in real life
|
|
#
?
Sep 27, 2018 19:54
|
|
|
haveblue posted:google "shadow profile" if you want all the horrible details. facebook is maintaining a profile on every individual they are aware of whether they have signed up for facebook or not. this is separate from a personal facebook account if they have one and they won't let you see it Still have an acquaintance who says, "But I never gave them permission to make an account for me"  This is someone who wants to work in infosec in the future
|
|
#
?
Sep 27, 2018 19:56
|
|
|
Lysidas posted:facebook should only be used over a vpn to a nation with strict nonextradition of data and set up by a national, under a fake name, with no facebook contact with anyone you know in real life
|
|
#
?
Sep 27, 2018 19:58
|
|
|
https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf Uh oh.
|
|
#
?
Sep 27, 2018 21:32
|
|
|
Carbon dioxide posted:https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf The case for code integrity Use secure boot, people
|
|
#
?
Sep 27, 2018 21:42
|
|
|
Update your bios and figure out a plan to do so on your entire fleet. There have been numerous conditions discovered where secure boot could be bypassed due to sloppy implementations
|
|
#
?
Sep 27, 2018 21:46
|
|
|
Microsoft should really be checking sigs on everything system related, especially internal autorun on boot crap.
|
|
#
?
Sep 27, 2018 21:55
|
|
|
Shaggar posted:Microsoft should really be checking sigs on everything system related, especially internal autorun on boot crap. lol how you gonna check a signature on code that's already run
|
|
#
?
Sep 27, 2018 21:57
|
|
|
Microsoft should also be throwing warnings on every single piece of unsigned code that gets executed on their platform but I don't think they're very serious about security
|
|
#
?
Sep 27, 2018 21:57
|
|
|
Cocoa Crispies posted:lol how you gonna check a signature on code that's already run isnt the first step of secure boot measuring the firmware
|
|
#
?
Sep 27, 2018 21:58
|
|
|
Cocoa Crispies posted:lol how you gonna check a signature on code that's already run idk what you mean. autochk isn't already running before windows runs it.
|
|
#
?
Sep 27, 2018 21:59
|
|
|
yeah you have to have a chain of trust running back to the moment of power on
|
|
#
?
Sep 27, 2018 21:59
|
|
|
yeah uefi is responsible for clearing the boot loader but everything after that is on Microsoft including things like autochk which are always run on boot.
|
|
#
?
Sep 27, 2018 22:00
|
|
|
BangersInMyKnickers posted:Microsoft should also be throwing warnings on every single piece of unsigned code that gets executed on their platform but I don't think they're very serious about security
|
|
#
?
Sep 27, 2018 22:08
|
|
|
Shaggar posted:Microsoft should really be checking sigs on everything system related, especially internal autorun on boot crap. Temptation....to engage....rising.... Ah gently caress it. Do you know what LoJack for laptops is? Shaggar posted:yeah uefi is responsible for clearing the boot loader but everything after that is on Microsoft including things like autochk which are always run on boot. nhgnnnnnnnnn
|
|
#
?
Sep 27, 2018 22:55
|
|
|
actually, I met Device Guard engineers Tuesday, I'm curious just how early in the boot sequence VSM is created, I'll go harass them again with this
|
|
#
?
Sep 27, 2018 23:04
|
|
|
Potato Salad posted:Temptation....to engage....rising.... yeah its a sketchy uefi module installed by manufacturers for tracking stolen laptops. its essentially a rootkit and exploits a hijacking of a windows system component (autochk) in order to install itself in the os. It is equally easily hijacked by other, more nefarious malware like the one presented in the article. If Microsoft were to have signed this and other components in the boot sequence that particular exploit would not be possible. The separate task of the malware modifying the firmware with its own rootkit requires misconfiguration or exploitation of secure boot. That's on manufacturers and admins to handle properly, but if Microsoft is not checking signatures on the stuff windows is running you may still run into bad ideas like computrace/lojack.
|
|
#
?
Sep 27, 2018 23:31
|
|
|
this sounds familiar. is this the same kind of poo poo lenovo was pulling to push their crapware onto windows installs?
|
|
#
?
Sep 27, 2018 23:38
|
|
|
|
| # ? Jun 8, 2024 17:53 |
|
|
Lysidas posted:facebook should only be used over tor, under a fake name, with no facebook contact with anyone you know in real life you know you can’t hire hit men and hookers on FB right?
|
|
#
?
Sep 28, 2018 01:10
|
|
