Defenestrategy posted:
For example let's say you want into $enterprise_app

Seems like it'd be easier on the second factor person's side to just make your account have the proper permissions to do your job and then never need to get the MFA pushes.
Jul 18, 2021 18:30

Ynglaur posted:
I didn't realize Hashicorp Vault did that. That's nice for things like break glass accounts or your root AWS account credentials. Just curious, can it support different authentication providers? E.g. "Oops our corporate Active Directory just got pwned, so shut off access to Hashicorp Vault from that AD domain, but you have to login with two Okta accounts to do this." I'm probably not explaining this very well, but hopefully it mostly makes sense.

You can't easily turn off access in the way I think you're describing. I think you might be misunderstanding the difference between retrieving a secret, and unsealing the vault. Unsealing is essentially the last step in starting up the application against an existing set of vault data. Sealing and unsealing controls Vault's access to its own secrets.

At its core, Vault is just database software that's highly optimized for one use case: secure encrypted storage of small pieces of data, along with extensive access control and audit logging. The database master key is encrypted with Shamir's secret sharing, so if an attacker gets a copy of the DB and enough Shamir key shares, they can open it up locally, and there's no way for you to stop them, just like you couldn't stop them from decrypting an encrypted text file if they have the ciphertext and the key. You unseal the vault either by sending key shares to the API endpoint that accepts them, or by Vault requesting keys on startup from an HSM or cloud KMS.

If you're just talking about revoking clients' access to secrets, then sure, that's easy in Vault or any other secret management system. It'd be up to you to define policies and authentication providers that would require you to bounce through two different Okta logins to accomplish "turn off access," though.
Jul 18, 2021 19:29

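The split-and-recombine mechanism the post above describes, as an added example that is not part of the post and is not Vault's own code: Shamir's secret sharing written out in PowerShell. It shows why a copy of the storage plus a threshold of key shares is enough to rebuild the master key offline, and why fewer shares than the threshold recover nothing useful. Everything here is constructed for the demo: the prime field (2^127 - 1), five shares with a threshold of three, and a random value standing in for the master key. Vault's real shamir package works byte-wise over GF(2^8) rather than one big prime field, so treat this as the principle, not Vault's encoding.

```powershell
# Added example (not Vault's code): Shamir's secret sharing over GF(p).
# Constructed parameters: p = 2^127 - 1 (prime), 5 shares, threshold 3.
Set-StrictMode -Version Latest
$Prime = [bigint]::Parse('170141183460469231731687303715884105727')

function ConvertTo-FieldElement {
    # Reduce an integer into [0, p), handling negatives produced by subtraction.
    param([bigint]$Value)
    $r = $Value % $Prime
    if ($r -lt [bigint]::Zero) { $r += $Prime }
    return $r
}

function New-RandomFieldElement {
    # Random element of GF(p) from the OS CSPRNG. The extra zero byte keeps the
    # little-endian BigInteger non-negative; the bias from reducing a 128-bit
    # sample mod a 127-bit prime is acceptable for a demonstration.
    $bytes = New-Object byte[] 17
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $bytes[16] = 0
    return ConvertTo-FieldElement ([bigint]::new($bytes))
}

function Split-Secret {
    # Random polynomial f(x) = Secret + a1*x + ... + a(t-1)*x^(t-1); share i is
    # the point (i, f(i)). Any t points determine f, and therefore f(0) = Secret.
    param([bigint]$Secret, [int]$ShareCount, [int]$Threshold)
    if ($Threshold -lt 2 -or $Threshold -gt $ShareCount) { throw 'need 2 <= Threshold <= ShareCount' }
    $coeffs = @($Secret)
    for ($i = 1; $i -lt $Threshold; $i++) { $coeffs += New-RandomFieldElement }
    foreach ($x in 1..$ShareCount) {
        $y = [bigint]::Zero
        for ($j = $coeffs.Count - 1; $j -ge 0; $j--) {      # Horner's rule
            $y = ConvertTo-FieldElement ($y * [bigint]$x + $coeffs[$j])
        }
        [pscustomobject]@{ X = $x; Y = $y }
    }
}

function Join-Secret {
    # Lagrange interpolation at x = 0 over whichever shares were supplied.
    param([object[]]$Shares)
    $acc = [bigint]::Zero
    foreach ($s in $Shares) {
        $num = [bigint]::One
        $den = [bigint]::One
        foreach ($o in $Shares) {
            if ($o.X -eq $s.X) { continue }
            $num = ConvertTo-FieldElement ($num * [bigint](0 - $o.X))
            $den = ConvertTo-FieldElement ($den * [bigint]($s.X - $o.X))
        }
        $inv = [bigint]::ModPow($den, $Prime - [bigint]2, $Prime)   # inverse via Fermat
        $acc = ConvertTo-FieldElement ($acc + $s.Y * $num * $inv)
    }
    return $acc
}

$masterKey = New-RandomFieldElement          # constructed stand-in for Vault's master key
$shares    = Split-Secret -Secret $masterKey -ShareCount 5 -Threshold 3
$shares | Format-Table X, Y -AutoSize

$fromThree = Join-Secret -Shares @($shares[0], $shares[2], $shares[4])
$fromTwo   = Join-Secret -Shares @($shares[0], $shares[1])
"3 of 5 shares recover the key: $($fromThree -eq $masterKey)"
"2 of 5 shares recover the key: $($fromTwo -eq $masterKey)"
```

Any three shares reconstruct the same value whichever three you pick, while two shares yield a value that is essentially random, which is the property Vault relies on when it hands out key shares to separate people. The defensive corollary the post makes is also visible here: there is no revocation step in the math, so protecting the shares and the storage copy is the whole game, and rotating the key shares (a rekey) is the only way to invalidate shares that may have leaked.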
Defenestrategy posted:
For example let's say you want into $enterprise_app

.....wouldn't it just be far easier to set up or implement MFA and let that do that for you? I don't think anyone wants to play door guard for an enterprise app.
Jul 18, 2021 21:12

The Guardian are doing a big thing on spyware https://www.theguardian.com/news/2021/jul/18/huge-data-leak-shatters-lie-innocent-need-not-fear-surveillance
Jul 18, 2021 22:12

The amnesty piece is well worth the time
Jul 18, 2021 22:32

Thanks for this detailed response!
Jul 18, 2021 23:13

Was there now a 3rd printnightmare hole found over the weekend?
Jul 19, 2021 22:43

Sickening posted:
Was there now a 3rd printnightmare hole found over the weekend?

Yup. Microsoft just gave up and told everyone to disable print spooler everywhere. https://arstechnica.com/gadgets/2021/07/disable-the-windows-print-spooler-to-prevent-hacks-microsoft-tells-customers/
Jul 19, 2021 22:50

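The "disable the print spooler" advice above, turned into something an administrator can actually run, as an added example that is not from the thread or from Microsoft: a read-only posture check for the Spooler service on the local host, plus the two workarounds Microsoft published for the spooler bugs of that summer, either stopping and disabling the service outright, or leaving local printing alone and only blocking remote clients from reaching the spooler over RPC. The function names are mine; the service name, the policy registry key and the RegisterSpoolerRemoteRpcEndPoint value (2 = do not accept client connections) are the real ones.

```powershell
# Added example (not from the thread): Print Spooler exposure check and the
# two documented PrintNightmare workarounds. Run from an elevated PowerShell.
#Requires -RunAsAdministrator
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PrintSpoolerPosture {
    # One object describing the Spooler service and the remote-RPC policy.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $rpc = Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    $remoteAllowed = if ($null -eq $rpc) { $true } else { $rpc.RegisterSpoolerRemoteRpcEndPoint -ne 2 }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        AcceptsRemoteClients = $remoteAllowed
        # Exposed = spooler is running AND remote clients may talk to it
        Exposed              = ($svc.Status -eq 'Running') -and $remoteAllowed
    }
}

function Disable-PrintSpooler {
    # Workaround 1: no printing at all from this host. The right choice for
    # domain controllers and for servers that never print.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

function Disable-RemoteSpoolerRpc {
    # Workaround 2: local printing keeps working, but remote clients can no
    # longer reach the spooler over RPC. Same effect as setting the
    # "Allow Print Spooler to accept client connections" policy to Disabled.
    # The spooler must be restarted for the change to take effect.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set RegisterSpoolerRemoteRpcEndPoint = 2')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler
    }
}

# Usage: audit first, then pick the workaround that fits the host's role.
Get-PrintSpoolerPosture
# Disable-PrintSpooler -WhatIf
# Disable-RemoteSpoolerRpc -WhatIf
```

Both mutating functions support -WhatIf, so the script can be pushed through a fleet in report-only mode before anyone commits to breaking printing. The Exposed flag is deliberately conservative: a running spooler that still accepts remote connections is the configuration the June and July spooler bugs needed, and that is the one worth hunting for across servers that have no business printing.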
Internet Explorer posted:
Yup. Microsoft just gave up and told everyone to disable print spooler everywhere.

At least this one doesn't have a PoC available to everyone. I think. Please?
Jul 20, 2021 13:56

Sickening posted:
Was there now a 3rd printnightmare hole found over the weekend?

Fourth, depending on how you count. CVE-2021-1675 (patched in June security update), CVE-2021-34527 (RCE, patch now available but had some reported issues), CVE-2021-34481 (local-only exploit, no patch), and now this new RCE which doesn't have a CVE number yet (CERT Vuln #131152) and which also doesn't have a patch. Printing was a mistake.
Jul 20, 2021 14:01

SolusLunes posted:
At least this one doesn't have a PoC available to everyone. I think. Please?

Well, uhh, about that... https://twitter.com/gentilkiwi/status/1416429860566847490
Jul 20, 2021 14:04

Every day is the day I think about leaving infosec for a less stressful profession like working in a garden centre or bomb defusal.
Jul 20, 2021 14:33

Martytoof posted:
Every day is the day I think about leaving infosec for a less stressful profession like working in a garden centre or bomb defusal.

apparently you don't even need to weigh explosives before lazily detonating them in inhabited neighborhoods
bomb defusal for local cops sounds like a nice grift
Jul 20, 2021 17:20

Potato Salad posted:
apparently you don't even need to weigh explosives before lazily detonating them in inhabited neighborhoods

"Ehhhhhh, that looks to be about 12 lbs..... Fire in the hole!"
Jul 20, 2021 17:34

DrDork posted:
Well, uhh, about that... https://twitter.com/gentilkiwi/status/1416429860566847490

Martytoof posted:
Every day is the day I think about leaving infosec for a less stressful profession like working in a garden centre or bomb defusal.
Jul 20, 2021 17:56

I continue to love working in Infosec despite the insanity because I get the thrill of rubbing these vulnerabilities in Management face as part of my job.
Jul 20, 2021 17:57

Looks like all printers are insecure, let's get rid of them entirely and go paperless
Jul 20, 2021 18:05

I assume that despite its privileged execution status, the windows print spooler is a horrendous wobbly tower of legacy code with a core design that dates back to 3.11, and if Microsoft tries to do a ground-up replacement, it'd break every printer out there because trying to get the printer manufacturers new, high quality drivers would be like herding cats?
Jul 20, 2021 18:07

Thanks Ants posted:
Looks like all printers are insecure, let's get rid of them entirely and go paperless

Oh man remember the paperless office? Wild stuff.
Jul 20, 2021 18:17

Pablo Bluth posted:
I assume that despite its privileged execution status, the windows print spooler is a horrendous wobbly tower of legacy code with a core design that dates back to 3.11, and if Microsoft tries to do a ground-up replacement, it'd break every printer out there because trying to get the printer manufacturers new, high quality drivers would be like herding cats?

Spot on. They tried to update the printer driver system in a fairly minor way back in March, and for a few weeks older printer drivers made by Kyocera & Ricoh caused a BSOD any time they tried to print. The somewhat plausible way they could force a new printer driver architecture would be to move all existing printer drivers into a VM, and have a virtual printer to translate jobs into the legacy system. Otherwise it's a complete no-go, because the printer companies aren't gonna write new drivers for old hardware.
Jul 20, 2021 18:21

Pablo Bluth posted:
I assume that despite its privileged execution status, the windows print spooler is a horrendous wobbly tower of legacy code with a core design that dates back to 3.11, and if Microsoft tries to do a ground-up replacement, it'd break every printer out there because trying to get the printer manufacturers new, high quality drivers would be like herding cats?

probably but microsoft should still do it because gently caress printers.
Jul 20, 2021 18:53

Couldn't they do something like CUPS, where the drivers are just host architecture-agnostic descriptions of the capabilities of the printer? I've never had to install a vendor-provided driver on MacOS, and there's ppds for basically every printer. Not that CUPS hasn't had its share of problems, but AFAIK you don't need a binary blob for every printer model.
Jul 20, 2021 19:18

more falafel please posted:
Couldn't they do something like CUPS, where the drivers are just host architecture-agnostic descriptions of the capabilities of the printer? I've never had to install a vendor-provided driver on MacOS, and there's ppds for basically every printer. Not that CUPS hasn't had its share of problems, but AFAIK you don't need a binary blob for every printer model.

That and a time machine could be a solution, yes.
Jul 20, 2021 19:21

It's a ploy to get everybody using Azure Universal Print
Jul 20, 2021 21:10

In case the most recent printer news wasn't enough to make you love printers forever: https://www.bleepingcomputer.com/news/security/16-year-old-bug-in-printer-software-gives-hackers-admin-rights/
quote: "A 16-year-old security vulnerability found in an HP, Xerox, and Samsung printers driver allows attackers to gain admin rights on systems using the vulnerable driver software."
the internet was a mistake, printers are worse
SolusLunes fucked around with this message at 14:58 on Jul 21, 2021
Jul 21, 2021 14:55

Klyith posted:
The somewhat plausible way they could force a new printer driver architecture would be to move all existing printer drivers into a VM, and have a virtual printer to translate jobs into the legacy system. Otherwise it's a complete no-go, because the printer companies aren't gonna write new drivers for old hardware.

That already exists, it's called Universal Print. The sole blocker is being expensive as gently caress (and being a chore to push printers using GPO)
Jul 21, 2021 19:57

Sorry if this isn't the right thread, but I can't find the old Your Operating System has Poor Operational Security thread or whatever it was called. Is an aftermarket TPM worth having on a home-built gaming computer? I haven't read up on them in a while but I remember from a training class I had that they make swapping hardware more difficult, and it seems like as far as your data security Bitlocker with a strong password is sufficient? I'm completely willing to be wrong though.
Jul 22, 2021 03:05

Are you worried about people breaking into your house and stealing a drive out of your computer? Otherwise I would say no.
Jul 22, 2021 03:15

BaseballPCHiker posted:
Are you worried about people breaking into your house and stealing a drive out of your computer? Otherwise I would say no.

If you are worried about that, might I suggest you have bigger problems than a dead comedy forum could solve
Jul 22, 2021 03:22

22 Eargesplitten posted:
Sorry if this isn't the right thread, but I can't find the old Your Operating System has Poor Operational Security thread or whatever it was called. Is an aftermarket TPM worth having on a home-built gaming computer? I haven't read up on them in a while but I remember from a training class I had that they make swapping hardware more difficult, and it seems like as far as your data security Bitlocker with a strong password is sufficient? I'm completely willing to be wrong though.

You should be fine without one. If you wanted to avoid typing a strong password then a TPM would be useful, but even then you should probably just use the one built into your CPU and make sure you have safe backups of your Bitlocker key. As far as swapping hardware, TPM boards can be even harder to swap between computers than CPUs because there's no standardization. But other than decrypting your drive, which you should have a backup for, that shouldn't be much of a problem.
Jul 22, 2021 03:30

Defenestrategy posted:
If you are worried about that, might I suggest you have bigger problems than a dead comedy forum could solve

James Mickens' Mossad/Not-Mossad threat model continues to be relevant.

James Mickens, "This World of Ours" posted:
Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they're going to use a drone to replace your cellphone with a piece of uranium that's shaped like a cellphone, and when you die of tumors filled with tumors, they're going to hold a press conference and say "It wasn't us" as they wear t-shirts that say "IT WAS DEFINITELY US," and then they're going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them.
Jul 22, 2021 03:34

Yeah, I felt like Bitlocker should be enough for keeping your poo poo safe if someone robs your house (although they're probably just going to take it to a pawn shop) but I'm not an Infosec professional, just a computer janitor. I started using it after my house got broken into while I was at work. I was lucky enough that they didn't steal my T430, presumably because it looks like it's 15-20 years old.

A friend asked me if having the Standard Hardware Security setup not available was a problem, I told her that I didn't really think it was worth getting a TPM installed, which is required for that as far as I understand. Are Secure Boot, Core Isolation, or Memory Integrity worth it? I'm really not clear what they do aside from only starting signed software at boot and keeping a walled garden for your system processes, I'm not sure what the pros and cons are aside from that, especially with regards to performance with resource hog software like Photoshop and video games. She is in no way, shape, or form someone that would be specifically targeted for anything so her main risks are opening shady attachments (which I warned her about but she has been scared into doing it in the past, thankfully only in the Chrome previewer) and downloading stuff that she shouldn't, both of which are training issues and it's not my responsibility to get her to stop doing dumb stuff.

E: I introduced a paranoid friend of mine to the Mossad Vs Not Mossad threat model, but I'm pretty sure he still runs Qubes on his home computer. I get the feeling he has stuff in his past he's afraid of coming back to bite him but I haven't asked because it's none of my business and if he does have secrets they're more easily kept the fewer people know about them.
22 Eargesplitten fucked around with this message at 03:57 on Jul 22, 2021
Jul 22, 2021 03:54

What are some interesting software developer career directions I could take if I wanted to spend my time practicing applied cryptography?
Jul 22, 2021 05:37

22 Eargesplitten posted:
Sorry if this isn't the right thread, but I can't find the old Your Operating System has Poor Operational Security thread or whatever it was called. Is an aftermarket TPM worth having on a home-built gaming computer? I haven't read up on them in a while but I remember from a training class I had that they make swapping hardware more difficult, and it seems like as far as your data security Bitlocker with a strong password is sufficient? I'm completely willing to be wrong though.
Jul 22, 2021 11:19

Mantle posted:
What are some interesting software developer career directions I could take if I wanted to spend my time practicing applied cryptography?

How do you feel about government work?
Jul 22, 2021 18:50

DrDork posted:
How do you feel about government work?

I'm not philosophically opposed to the idea of working for government, but I prefer more of a counterculture environment. Could I get that in some sort of government contracting role?
Jul 22, 2021 19:07

Oh they paid. https://twitter.com/BleepinComputer/status/1418273133157564419
Jul 22, 2021 19:31

22 Eargesplitten posted:
Are Secure Boot, Core Isolation, or Memory Integrity worth it?

Yes, with asterisks. Secure boot is a bit meh -- it's not a ton of protection for a home user, and can get in the way of booting other OSes or utilities like memtest+ (the open source one, not the commercial one). I don't think there's been any big malware recently that used the boot sector as a method for attack, which is what secure boot would protect against. Some of them have trashed the MBR as a way to do more damage, but that's different. But if the only thing you're ever going to boot is windows, or a windows USB installer stick, you'll see zero difference with your system.

Core Isolation & Memory Integrity has performance drawbacks on CPUs older than intel 8th gen or AMD ryzen 2000 (desktop) / 3000 (mobile). It's a non-trivial hit, 10-20% or more for some particular tasks. This is the reason for the extremely small support list for Windows 11, MS wants to make it a standard feature. If you have a new PC it's good though.

If none of those asterisks are a big deal to you they're good to turn on, but they also aren't silver bullets.

e:
22 Eargesplitten posted:
A friend asked me if having the Standard Hardware Security setup not available was a problem, I told her that I didn't really think it was worth getting a TPM installed, which is required for that as far as I understand.

Any PC recent enough to meet the Core Isolation & Memory Integrity CPU requirements also has TPM 2.0 built into the chipset & CPU. You just need to turn it on in the BIOS. OTOH turning on TPM does nothing if you're not using bitlocker on the system volume (or windows hello for business). It doesn't do much for malware security at all.
Klyith fucked around with this message at 02:52 on Jul 23, 2021
Jul 23, 2021 02:35

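A way to see where a given PC actually stands on the features discussed in the TPM and Secure Boot posts above, as an added example that is not part of any post: a read-only PowerShell check of TPM presence, Secure Boot state, Virtualization-based Security and Memory Integrity (HVCI), and whether BitLocker on the system drive really has a TPM key protector, which is the point the reply above makes about a TPM doing nothing unless BitLocker uses it. The two function names are mine; Get-Tpm, Confirm-SecureBootUEFI, Get-BitLockerVolume and the Win32_DeviceGuard CIM class are the stock Windows interfaces, and the meaning of the DeviceGuard status codes (SecurityServicesRunning containing 2 for HVCI, VirtualizationBasedSecurityStatus 2 for VBS running) follows Microsoft's documentation for that class.

```powershell
# Added example (not from the thread): read-only posture check for TPM,
# Secure Boot, VBS/HVCI and BitLocker on the local host. Run elevated.
#Requires -RunAsAdministrator

function Get-PlatformSecurityPosture {
    $tpm = $null
    try { $tpm = Get-Tpm } catch { }               # cmdlet absent or no TPM driver
    $tpmPresent = if ($tpm) { [bool]$tpm.TpmPresent } else { $false }
    $tpmReady   = if ($tpm) { [bool]$tpm.TpmReady }   else { $false }

    $secureBoot = $null                               # $null = legacy BIOS or not readable
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is live,
    # VirtualizationBasedSecurityStatus is 2 when VBS itself is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
    $vbsRunning  = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # BitLocker on the OS volume: encrypted, protection on, and a TPM-based protector?
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $encrypted    = ($null -ne $bl) -and ($bl.ProtectionStatus -eq 'On')
    $tpmProtector = $false
    if ($null -ne $bl) {
        $tpmProtector = [bool]($bl.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        TpmPresent           = $tpmPresent
        TpmReady             = $tpmReady
        SecureBootEnabled    = $secureBoot
        VbsRunning           = $vbsRunning
        MemoryIntegrity      = $hvciRunning
        SystemDriveProtected = $encrypted
        BitLockerUsesTpm     = $tpmProtector
    }
}

function Get-PostureFindings {
    # Translate the raw posture into the points made in the thread: a TPM that
    # is not backing BitLocker buys little, and HVCI off means no kernel
    # code-integrity enforcement regardless of what the BIOS says about the TPM.
    param([pscustomobject]$Posture)
    $findings = @()
    if ($Posture.TpmPresent -and -not $Posture.BitLockerUsesTpm) {
        $findings += 'TPM present but not used as a BitLocker key protector on the system drive'
    }
    if (-not $Posture.SystemDriveProtected) { $findings += 'System drive is not protected by BitLocker' }
    if ($Posture.SecureBootEnabled -ne $true) { $findings += 'Secure Boot is off, or the firmware is legacy BIOS' }
    if (-not $Posture.MemoryIntegrity)       { $findings += 'Memory Integrity (HVCI) is not running' }
    return $findings
}

$posture = Get-PlatformSecurityPosture
$posture | Format-List
Get-PostureFindings -Posture $posture
```

Nothing here changes state, so it is safe to run on a machine you are only assessing. The findings list is meant to be read with the caveats from the reply above in mind: on an older CPU the Memory Integrity finding may be a deliberate trade-off for performance rather than an oversight, and on a machine that never boots anything but Windows, Secure Boot being off is a cheap thing to fix in firmware.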
Mantle posted:
I'm not philosophically opposed to the idea of working for government, but I prefer more of a counterculture environment. Could I get that in some sort of government contracting role?

How do you feel about bitcoin?
Jul 23, 2021 02:47

Mantle posted:
I'm not philosophically opposed to the idea of working for government, but I prefer more of a counterculture environment. Could I get that in some sort of government contracting role?

Every three-letter government agency uses small armies of contractors, yeah. For applied crypto there might be some specialty shops, but your big names like Deloitte, Leidos, etc., aren't bad places to poke around at, either, if that's the route you want to go. None of them are going to really be "counter-culture," though. DARPA is always doing weird stuff, and from what I've heard has a less "you need to come to the office in a suit" sort of culture, so maybe worth a look.

Biowarfare posted:
How do you feel about bitcoin?

Yeah, that's kinda the other option. There are plenty of people willing to pay money for THE BLOCKCHAIN, you just have to kinda admit to yourself before going in that there's almost no chance that whatever you're working on will see the light of day or ever actually make an impact anywhere. Just another boondoggle some excited C-suite dude decided they NEEDED to blow some money on to get investors excited or whatever.

The only option I'm really aware of that combines crypto + counterculture would be research: either academic-backed or through some sort of security research firm. In both cases the bar for joining is high.
Jul 23, 2021 05:17