|
I signed up for some government DOD webinar a while back and today when I tried to join it prompted me to download some adobe installer from dhs.gov -- thanks but no thanks
|
#
?
Sep 28, 2018 00:00
|
|
|
|
| # ? May 19, 2024 10:06 |
|
|
What's funny is that fed it is such a poo poo show that it really could've been a benign installer for Connect or something, redistributed with an expired agreement
|
|
#
?
Sep 28, 2018 00:39
|
|
|
Martytoof posted:I signed up for some government DOD webinar a while back and today when I tried to join it prompted me to download some adobe installer from dhs.gov -- thanks but no thanks The funny thing is, working at DoD as a contractor, why they do that. It's because they severely restrict the firewalls for sites in the middle of nowhere and need to connect remotely (think satellite or in the middle of the ocean.) They block everything but only the stuff you need to sign or encrypt using the CACs.
|
|
#
?
Sep 28, 2018 01:43
|
|
|
Oh I'm sure it's benign, but the optics of it are just funny. Yes, certainly no shenanigans with spyware to worry about 
|
|
#
?
Sep 28, 2018 16:20
|
|
|
Anyone deployed or played around with Vera for DRM? If so, thoughts? It’s one of the options we’re looking to deploy along with AIP. Vera seems more attractive without having a mature classification and labeling system in place as a functional prerequisite.
|
|
#
?
Sep 29, 2018 04:26
|
|
|
Diva Cupcake posted:Anyone deployed or played around with Vera for DRM? If so, thoughts? I do not know of any attacks on Veradocs/Vera DRM. They look very new so that is to be expected. Looks from their description of software features to require the rootest of root kits to be installed to do anything with the DRM so that's nice.
|
|
#
?
Sep 29, 2018 05:28
|
|
|
https://news.sky.com/story/senior-tory-mps-phone-numbers-exposed-in-app-flaw-11512323
|
|
#
?
Sep 29, 2018 15:15
|
|
|
Thanks Ants posted:https://news.sky.com/story/senior-tory-mps-phone-numbers-exposed-in-app-flaw-11512323
|
|
#
?
Sep 29, 2018 16:53
|
|
|
Don't worry! They fixed it! https://twitter.com/dawnhfoster/status/1046065575196340224 Probably still way out of compliance with GDPR though
|
|
#
?
Sep 29, 2018 17:17
|
|
|
These are the same people who think the Irish border and rail overcrowding can be solved with Technology™, mind you.
|
|
#
?
Sep 29, 2018 17:37
|
|
|
How encrypted are your mainstream email services? Say I want to email a KeePass DB file to myself from my gmail to my outlook account or vice versa. I'm assuming that mail is encrypted when it traverses Google's mail infrastructure but is TLS used when it makes its way to Microsoft's mail exchange and then encrypted throughout their infrastructure into my mailbox? I'm just using a KeePass file as an example. I'm interested to learn how normal plain text emails are handled, too. Is it a shitshow, whereby there's a likelihood of email passing across the web in plain at some point? This is a purely hypothetical question, as I don't have anything that important but learning poo poo like this helps me decide on good working practises for when I do have stuff I'd rather not get schniffed at.
|
|
#
?
Sep 30, 2018 03:48
|
|
|
apropos man posted:How encrypted are your mainstream email services?
|
|
#
?
Sep 30, 2018 04:09
|
|
|
Isn't this just the usual delegated access via oauth business? Non story imo
|
|
#
?
Sep 30, 2018 04:20
|
|
|
Yeah... if you care about the security of an email at all, encrypt it yourself before sending. There's way way too many opportunities for someone else to read it in transit if the source material was plain text. Like just in your example, Google and Microsoft now both have your Keepass DB. The transmission between them was hopefully TLS encrypted, which is well and good, but so what? Once it comes out of that tunnel it's unencrypted again.
|
|
#
?
Sep 30, 2018 04:24
|
|
|
Christ! It just gets worse all the time, doesn't it.
|
|
#
?
Sep 30, 2018 21:02
|
|
|
Rufus Ping posted:Isn't this just the usual delegated access via oauth business? Non story imo Yes, but its easier to fit the meme than understand the issue.
|
|
#
?
Sep 30, 2018 21:19
|
|
|
apropos man posted:Christ! It just gets worse all the time, doesn't it. The Media? Yes, it does.
|
|
#
?
Sep 30, 2018 22:10
|
|
|
apropos man posted:Christ! It just gets worse all the time, doesn't it. Everything? Yes, it does.
|
|
#
?
Sep 30, 2018 22:53
|
|
|
Rufus Ping posted:Isn't this just the usual delegated access via oauth business? Non story imo "Apps that you've granted access to your Gmail account can access your Gmail account" as a headline doesn't generate many clicks.
|
|
#
?
Sep 30, 2018 22:57
|
|
|
On that subject, I would like to see more sane defaults for delegating access via APIs to third-party applications in both G Suite and Office 365. Default it to requiring an administrator to whitelist the applications, with an explanation of what is going on / email notifications sent to administrators the first time people try connecting third-party addons. As MFA gets deployed in more places it's not uncommon to see phishing emails claiming to be a file sharing notification requesting the user grants an app full access to their account, rather than throwing a fake login screen at them.
|
|
#
?
Sep 30, 2018 23:01
|
|
|
Many moons ago we were building a social API for Firefox and wanted a way to post on behalf of a user without being empowered to read things like DMs or even tweets/G+ings for private accounts. Google quite promptly added a way to get such a low-privilege access token, while Twitter’s product management refused to believe that anyone would want to skip on slurping up all the private content they could.
|
|
#
?
Oct 1, 2018 00:36
|
|
|
Subjunctive posted:Many moons ago we were building a social API for Firefox and wanted a way to post on behalf of a user without being empowered to read things like DMs or even tweets/G+ings for private accounts. Google quite promptly added a way to get such a low-privilege access token, while Twitter’s product management refused to believe that anyone would want to skip on slurping up all the private content they could. Twitter seems super dev hostile/ignorant, how accurate is that assessment?
|
|
#
?
Oct 1, 2018 00:58
|
|
|
apseudonym posted:Twitter seems super dev hostile/ignorant, how accurate is that assessment? This was a long time ago, but their platform people all seemed to be learning basic principles as they went. It might be better now, though I suspect they still don’t have their A team on it.
|
|
#
?
Oct 1, 2018 01:02
|
|
|
I mean, they're actively hostile to developers using their api, such as the recent "API apocalypse" which has made third-party clients noticeably worse. Around the same time I believe there were related changes that make things like (non-hostile, useful/artful/entertaining) bots much harder to create/operate. They basically have no idea why people enjoy(ed) their platform and are happily relying on the social graph/snowball effect to keep users around while they tighten things up to make it more advertiser-friendly. I don't have useful anecdata on the infosec side of things, though.
|
|
#
?
Oct 1, 2018 01:48
|
|
|
Seems at least mildly relevant to this thread https://www.buzzfeed.com/ryanhatesthis/this-woman-says-the-guardians-in-house-security-expert Also reminds me of that joke posted a while ago about the guy asking a woman at an infosec con for her number
|
|
#
?
Oct 2, 2018 01:02
|
|
|
Via SecFuck threadmrmcd posted:https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
|
|
#
?
Oct 4, 2018 12:50
|
|
|
Proteus Jones posted:Via SecFuck thread So who else is going to inspect their server hardware for tiny bumps that could hack their entire system?
|
|
#
?
Oct 4, 2018 14:49
|
|
|
 Is there a more technical write up of this anywhere? It’s obnoxious trying to reverse engineer the dumbed down descriptions of CPU caches and whatnot to get at what is really going on.
|
|
#
?
Oct 4, 2018 14:55
|
|
|
Proteus Jones posted:Via SecFuck thread this comment to the story on HN is pretty nuts quote:I have worked in card payment industry. We would be getting products from China with added boards to beam credit card information. This wasn't state-sponsored attack. Devices were modified while on production line (most likely by bribed employees) as once they were closed they would have anti-tampering mechanism activated so that later it would not be possible to open the device without setting the tamper flag.
|
|
#
?
Oct 4, 2018 15:28
|
|
|
For any poor son of a bitch that has to run SEP in their environment, the firewall module on 14.2 starts making GBS threads itself once through moving more than 500mbit through an interface on a fairly beefy server. I have no idea how they are accomplishing this for something that should only be interrogating new sessions but there you go. Disable it and use the host firewall. This may have been occurring back on 14.0 but I noticed the problems with the 14.2 rollout and I believe they did some major re-writes on the latest version.
|
|
#
?
Oct 4, 2018 15:39
|
|
|
Docjowles posted:
It's an ongoing investigation that's probably classified, so no. But also I'd take most of the technical stuff with a grain of salt, because it's several layers of telephone away from the real source. Bloomberg got info from anonymous government officials, but that probably wasn't the spooks examining the server mobos and dissecting spy chips. Reporters get that information from bureaucrats or military guys in the DoD who read the file, and may not know exactly how a CPU cache works themselves.
|
|
#
?
Oct 4, 2018 17:51
|
|
|
I'll find out in a bit here.
|
|
#
?
Oct 4, 2018 18:10
|
|
|
I do like how, in a story about China spying on america, this bit:quote:U.S. spy agencies drew on the prodigious tools at their disposal. They sifted through communications intercepts, ... even tracked key individuals through their phones
|
|
#
?
Oct 4, 2018 18:52
|
|
|
Klyith posted:I do like how, in a story about China spying on america, this bit: Yeah, it should really be highlighted imo. It's hypocritical to attack China over this, yet give the US a free pass.
|
|
#
?
Oct 4, 2018 18:55
|
|
|
Intelligence agencies are going to do their craft. It's also not irrational to have an asymmetrical response in favor of "your side" when these things are uncovered.
|
|
#
?
Oct 4, 2018 20:15
|
|
|
I will say that if I'm going to have governments compromising my digital electronics, I'd prefer them to be governments that are in some way beholden to me.
|
|
#
?
Oct 5, 2018 01:15
|
|
|
Cup Runneth Over posted:I will say that if I'm going to have governments compromising my digital electronics, I'd prefer them to be governments that are in some way beholden to me. Adorable. You think your own government somehow gives a poo poo about you or is somehow accountable to you.
|
|
#
?
Oct 5, 2018 01:21
|
|
|
Governments are for the rich and the protection of their assets.
|
|
#
?
Oct 5, 2018 01:24
|
|
|
CLAM DOWN posted:Adorable. You think your own government somehow gives a poo poo about you or is somehow accountable to you. I didn't say that. But the US government is made up of people I could conceivably drive to, grab, and shake. Can't do that with China.
|
|
#
?
Oct 5, 2018 01:36
|
|
|
|
| # ? May 19, 2024 10:06 |
|
|
Cup Runneth Over posted:I didn't say that. But the US government is made up of people I could conceivably drive to, grab, and shake. Can't do that with China. Your reasoning is dumb, but hey this is a dumb world in 2018.
|
|
#
?
Oct 5, 2018 01:47
|
|