|
Ring is really, really good at security. https://twitter.com/fs0c131y/status/1207614905865637889
|
#
?
Dec 21, 2019 05:19
|
|
|
|
| # ? May 25, 2024 10:07 |
|
|
BangersInMyKnickers posted:Open communication and honesty with the userbase is probably the biggest lesson we haven't learned yet. We made decisions in secret (sometimes even internally between teams in security) and do not solicit feedback for initiatives that will impact the entire org. Our relationship with other departments is often hostile and they more often than not fight us or withhold important information as a result. Not exactly productive in the context of security if your userbase is trying to undermine you every step of the way. azurite posted:I'd say it's common, since it rings true for me too. I'm on the other end of it. Our security team operates in the shadows and is usually an irritating presence when they peek out to ask for information for things they should already know, berate us for violating policies they created without buy-in, or when they break critical business apps with their mostly secret infrastructure. The final point is the greatest, because they reveal themselves after we've been troubleshooting under pressure for hours. Yup. Longer rant deleted. Communication, empathy, org alignment, accountability would be great to see. Security is important. Everyone rational accepts that things might get harder; even that there will be an business impact from those controls. IMHO, treating your IT community (and org overall) as partners will improve your org’s security posture far more than a can-neither-confirm-nor-deny or i-am-the-law attitude will.
|
|
#
?
Dec 21, 2019 06:23
|
|
|
PCjr sidecar posted:Yup. Longer rant deleted. Communication, empathy, org alignment, accountability would be great to see. I think people can stomach i-am-the-law when it comes from people they respect or at least give them confidence that they know what they are talking about. Far too often in my career at least, have I come across infosec personnel who aren't technical and that is kind of insane.
|
|
#
?
Dec 21, 2019 06:27
|
|
|
Sickening posted:Far too often in my career at least, have I come across infosec personnel who aren't technical and that is kind of insane. Is that a not-technical in that they know what is a bad thing but don't know how to remediate or why? As in "Maybe we shouldn't have telnet on this machine as the only way to communicate, but I don't know how to have the machine use only SSH on it?" or in the sense of "I know telnet is bad because books say its bad, but I don't know why telnet bad"
|
|
#
?
Dec 21, 2019 19:11
|
|
|
I would say the latter, but replace "books" with "scans." Edit: To be clear, I'm not saying INFOSEC PEOPLE BAD. There's bad employees everywhere. azurite fucked around with this message at 22:01 on Dec 21, 2019 |
|
#
?
Dec 21, 2019 21:57
|
|
|
Defenestrategy posted:Is that a not-technical in that they know what is a bad thing but don't know how to remediate or why? As in "Maybe we shouldn't have telnet on this machine as the only way to communicate, but I don't know how to have the machine use only SSH on it?" or in the sense of "I know telnet is bad because books say its bad, but I don't know why telnet bad" Both. Knowing why something is bad should be required before you ask someone to secure/change something. Also having a moderate understanding of what the remediation looks like or its alternatives. The infosec person communicating to infrastructure to remove telnet shouldn't be someone you aren't confident has ever even used telnet in their career. I not saying infsec needs to be a master of every system, but they should be respected enough to not be considered novices of using a computer. You run into less friction that way.
|
|
#
?
Dec 21, 2019 22:19
|
|
|
Biowarfare posted:You'll want to blacklist bugsnag.
|
|
#
?
Dec 22, 2019 00:11
|
|
|
https://twitter.com/yashar/status/1208841110405046272 Don't use ToTok.
|
|
#
?
Dec 23, 2019 04:22
|
|
|
....is that like TikTok?? I've never heard of ToTok.
|
|
#
?
Dec 23, 2019 04:34
|
|
|
Defenestrategy posted:
|
|
#
?
Dec 23, 2019 13:26
|
|
|
evil_bunnY posted:I'd refer them to HR and not even feel a little bit bad about it Yup.
|
|
#
?
Dec 23, 2019 14:19
|
|
|
CLAM DOWN posted:....is that like TikTok?? I've never heard of ToTok. Sounds like you wouldn't, unless you were in the UAE.
|
|
#
?
Dec 23, 2019 20:55
|
|
|
Darchangel posted:Sounds like you wouldn't, unless you were in the UAE. I'd suggest the people there switch to Signal for secure comms, but oops, it turns out it's blocked in the UAE. And ever since Amazon forced OpenWhisper to stop using domain fronting, the censorship actually started working pretty effectively. I imagine you could still sneak a connection through with a VPN to the outside world, but that's not really viable for the 99% of people who aren't already IT nerds.
|
|
#
?
Dec 24, 2019 01:02
|
|
|
This is the price you pay for accepting the Queen's favor: https://twitter.com/MaryCreaghMP/status/1211209541448347649
|
|
#
?
Dec 29, 2019 09:58
|
|
|
Why does everyone hate Cyberghost VPN? I think they provide a good service, even though their parent company isn't. I still think they are generally good.
|
|
#
?
Dec 29, 2019 14:20
|
|
|
Absurd Alhazred posted:This is the price you pay for accepting the Queen's favor: Thank you article for telling us what the data beach even was, instead of spending the entire time harping on about how awful it is that wealthy and powerful people may have to endure the same stuff as us
|
|
#
?
Dec 29, 2019 14:31
|
|
|
Billa posted:Why does everyone hate Cyberghost VPN? I think they provide a good service, even though their parent company isn't. I still think they are generally good. I've never even heard of it, let alone hate it.
|
|
#
?
Dec 29, 2019 19:04
|
|
|
CLAM DOWN posted:I've never even heard of it, let alone hate it. Username/Post combo win
|
|
#
?
Dec 30, 2019 06:29
|
|
|
Beccara posted:Username/Post combo win What
|
|
#
?
Dec 30, 2019 07:01
|
|
|
Beccara posted:Username/Post combo win 
|
|
#
?
Dec 30, 2019 15:09
|
|
|
Someone saw Pwnagotchi and decided to take it to its inevitable conclusion https://flipperzero.one/
|
|
#
?
Dec 31, 2019 01:02
|
|
|
Seems like Firefox doesn't want to eat self-signed SSL certificates for running a local DNS-over-HTTPS server. Why? Because I'd like to try to get ESNI in it to work, and currently it only does so using the DoH resolver. :|
|
|
#
?
Dec 31, 2019 02:33
|
|
|
Combat Pretzel posted:Seems like Firefox doesn't want to eat self-signed SSL certificates for running a local DNS-over-HTTPS server. Why? Because I'd like to try to get ESNI in it to work, and currently it only does so using the DoH resolver. :| Buy a domain name and use LetsEncrypt. Domains are like  a year if you don’t get a .com.
|
|
#
?
Dec 31, 2019 03:06
|
|
|
Oh heh, I actually do have a domain for my email crap. --edit: And my registrar supplies free SSL certs. Yay. --edit: It works. Neat. Combat Pretzel fucked around with this message at 04:19 on Dec 31, 2019 |
|
#
?
Dec 31, 2019 03:30
|
|
|
If your registrar hadn't provided free certs, that's when Let's encrypt would have been useful.
|
|
#
?
Dec 31, 2019 11:07
|
|
|
Lambert posted:If your registrar hadn't provided free certs, that's when Let's encrypt would have been useful. I think it's only Extended Validation you have to pay for nowadays, if your provider is the least bit good.
|
|
#
?
Dec 31, 2019 14:35
|
|
|
I had to use Let's Encrypt after all, because my registrar's certificates were only generated for a www hostname. Now if Firefox had an indicator as to whether it's using ESNI or not, that'd be nice. Just to see who's doing it, if at all (with what being still in the works).
|
|
#
?
Dec 31, 2019 15:25
|
|
|
Firefox has enough damned indicators; worst of all is the site protection one which always has to loving animate one loving way or another. Arguably, every single add-on that has to have its own set of colors that flashes on and off as well as notification icons is worse, but not by much. EDIT: This is not the Firefox thread.. BlankSystemDaemon fucked around with this message at 17:19 on Dec 31, 2019 |
|
#
?
Dec 31, 2019 17:06
|
|
|
Could be an additional field in the flyout on the padlock icon.
|
|
#
?
Dec 31, 2019 17:14
|
|
|
Tapedump posted:Could you please elaborate on this? I'm curious It's just another analytics beacon that should be blocked by pihole by default. It is at least blocked by Firefox/EasyPrivacy by default.
|
|
#
?
Jan 1, 2020 12:20
|
|
|
Is 2020 the year that all the analytics beacons start adopting the botnet approach of using randomly generated second-level domain names?
|
|
#
?
Jan 1, 2020 12:29
|
|
|
D. Ebdrup posted:Is 2020 the year that all the analytics beacons start adopting the botnet approach of using randomly generated second-level domain names? I’ve always wondered why they haven’t just assimilated themselves into 1st party domains. Either by providing a CDN service, or allowing customers to run a data collection proxy.
|
|
#
?
Jan 1, 2020 13:59
|
|
|
Horse Clocks posted:I’ve always wondered why they haven’t just assimilated themselves into 1st party domains. Either by providing a CDN service, or allowing customers to run a data collection proxy. Isn't that exactly what they've started doing, and all the browser devs aside from Brave suddenly start making excuses for the poor put-upon advertisers when questioned about closing the loophole despite all the other anti-tracking poo poo they had no problem implementing?
|
|
#
?
Jan 1, 2020 23:58
|
|
|
Horse Clocks posted:I’ve always wondered why they haven’t just assimilated themselves into 1st party domains. Either by providing a CDN service, or allowing customers to run a data collection proxy. D. Ebdrup posted:Is 2020 the year that all the analytics beacons start adopting the botnet approach of using randomly generated second-level domain names? The ones these days that aren't simple GA will at minimum: - Use inline-JS to set a cookie and localStorage and some other things to indicate an attempt is being made - Attempt to load JS from the default analytics domain - Repeatedly attempt to load JS from randomly generated cloudfront and akamai subdomains - Attempt to load JS from firstparty proxy - If any of the above happens, this is also logged, to indicate that the user is attempting to block these scripts and should be considered bad Usually also random script filenames also, to prevent blanket blocks, and on top of that, very amusing things like a fake sourceMappingUrl that instead returns an "empty file" sourcemap and also logs the fact that you just tried to visit it, and your user session should be considered bad or dangerous.
|
|
#
?
Jan 2, 2020 13:04
|
|
|
Kerning Chameleon posted:Isn't that exactly what they've started doing, and all the browser devs aside from Brave suddenly start making excuses for the poor put-upon advertisers when questioned about closing the loophole despite all the other anti-tracking poo poo they had no problem implementing? Ublock Origin on Firefox (but not other browsers) can block those as well.
|
|
#
?
Jan 2, 2020 19:38
|
|
|
Lambert posted:Ublock Origin on Firefox (but not other browsers) can block those as well. I've been adding manual rules out the rear end and I'm still seeing some of them get by. Keep in mind these are not CNAMEs to a known endpoint (like "stats.example.com IN CNAME collector.example.net"), but directly requesting xxx.cloudfront.net/yyy.js, which is the annoying part.
|
|
#
?
Jan 2, 2020 22:54
|
|
|
Combat Pretzel posted:Now if Firefox had an indicator as to whether it's using ESNI or not, that'd be nice. Just to see who's doing it, if at all (with what being still in the works). I also do not understand why this is not a thing, given their new love for DNS->HTTPS.
|
|
#
?
Jan 2, 2020 23:51
|
|
|
https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/quote:In October 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious. We purchased a UMX U683CL to better assist our customers and verify their claims.
|
|
#
?
Jan 10, 2020 21:05
|
|
|
The CVE the entire internet has been anticipating for the last 2 days: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 quote:A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
|
|
#
?
Jan 14, 2020 19:13
|
|
|
|
| # ? May 25, 2024 10:07 |
|
|
I honestly am more interested in how this will change the Xbox homebrew scene.
|
|
#
?
Jan 14, 2020 19:29
|
|
