rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Defenestrategy posted:

Am I having a seizure?

ARGs and seizures can be hard to tell apart. Check their post history


Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
I was going to go with schizophrenia

Klyith
Aug 3, 2007

GBS Pledge Week

Volmarias posted:

I was going to go with schizophrenia

i would advise all people who "get" infosec to be careful because that likely means you have a predisposition to etcetera etcetera

Kazinsal
Dec 13, 2011


Oh hey it's the ARG weirdo again

Bye ARG weirdo

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

ProtonMail is in a bit of hot water for handing over the IP address of one of their users, a French climate activist. It seems they received an order from local Swiss law enforcement, which was working with the French authorities via Europol. The buried lede is that Proton is apparently now receiving thousands of these orders per year. To their credit, they're fighting many of them.

Yahoo! News posted:

ProtonMail’s public disclosures also log an alarming rise in requests for data by Swiss authorities.

According to its transparency report, ProtonMail received 13 orders from Swiss authorities back in 2017 — but that had swelled to over three and a half thousand (3,572!) by 2020.

The number of foreign requests to Swiss authorities which are being approved has also risen, although not as steeply — with ProtonMail reporting receiving 13 such requests in 2017 — rising to 195 in 2020.

The company says it complies with lawful requests for user data but it also says it contests orders where it does not believe them to be lawful. And its reporting shows an increase in contested orders -- with ProtonMail contesting three orders back in 2017 but in 2020 it pushed back against 750 of the data requests it received.
Source: https://sg.news.yahoo.com/protonmail-logged-ip-address-french-114607314.html

Users are up in arms, and the company is in damage control mode. Here's a twitter thread from Proton CEO Andy Yen:

https://twitter.com/andyyen/status/1434665927631679491

Here's the company's full statement on the matter: https://protonmail.com/blog/climate-activist-arrest/. tl;dr: they're blaming the Swiss government for overstepping, and reassuring users that only metadata can be compromised this way, not the data itself. (But heyyy, how important could metadata be, right?) They also promise to be clearer to their users about what their encryption model does and does not protect against, and they'll be pushing Tor/VPN use a little harder.

My hot take is that this looks bad at first, but on reflection, really the only thing Proton is at fault for is implying too much about their security and user protections. The theme of their entire business is user privacy and security, which means they should have done a better job of publicizing the stuff in their transparency report, and educating users about what the company can and cannot be legally forced to do, before an incident like this made news. They certainly didn't lie, but they were less forthcoming than they might have been.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
I love that anybody is shocked that Proton still has to comply with legal requests if threatened. No poo poo.

BaseballPCHiker
Jan 16, 2006

CommieGIR posted:

I love that anybody is shocked that Proton still has to comply with legal requests if threatened. No poo poo.

That was my take away as well. Literally any other company would've done the same.

Absurd Alhazred
Mar 27, 2010

by Athanatos
My understanding was that a service like this is supposed to make the consequences of their compliance useless. "Yes, we will give you all the metadata it is possible for us to collect, which is nothing/meaningless"

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Absurd Alhazred posted:

My understanding was that a service like this is supposed to make the consequences of their compliance useless. "Yes, we will give you all the metadata it is possible for us to collect, which is nothing/meaningless"

Apparently that's what they did, and then the government forced them to start collecting data, which they revealed in their transparency report. At least that's what I'm gathering from this.

Tryzzub
Jan 1, 2007

Mudslide Experiment
p much yeah, France -> Europol -> Swiss authorities forced them to collect the IP address of a user.

As an aside, interesting to see how many companies have straight up built law enforcement request portals.

Absurd Alhazred
Mar 27, 2010

by Athanatos
I guess customers expected them to be entirely incapable of doing this. They perhaps weren't advertising the fact that they were.

BlankSystemDaemon
Mar 13, 2009



Absurd Alhazred posted:

I guess customers expected them to be entirely incapable of doing this. They perhaps weren't advertising the fact that they were.
Those customers aren't the warmest buns in the basket, then.

The overlap between countries that have good-enough infrastructure to be able to host something like that, and don't have laws on the books that the authorities can use to enforce something like that, is an ever-shrinking one.

BlankSystemDaemon fucked around with this message at 16:25 on Sep 7, 2021

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Tryzzub posted:

As an aside, interesting to see how many companies have straight up built law enforcement request portals.

Having worked a few of those, I suspect it's often because such requests come with timeline requirements that are...not generous. So having a request be sent to some generic ticketing system that takes a day or two for anyone to look at, then takes another day for the comms back and forth with the LEA to clarify basic details, etc., and now you're backing up against the required reporting date.

I mean, it's not like having a portal makes it more likely for a company to get those requests--they're gonna get them regardless. Having a portal just makes life a little easier on whoever has to actually service them on the company's side.

BaseballPCHiker
Jan 16, 2006

Had an interesting debate at work yesterday about docker containers.

Essentially I was arguing that loading up containers with a poo poo ton of security tools/agents/etc. may not be the way to go. We've just made our attack surface that much wider, more susceptible to supply chain attacks. The counterargument was that it hasn't happened with any of our vendors in a major way yet and that the tools are all necessary for compliance reasons.

I'm not sure I have a strong opinion one way or the other, I guess. Just thought it was an interesting discussion.

some kinda jackal
Feb 25, 2003

I don't know how strictly you have security tools defined but I guess there's other ways to achieve monitoring and "security tooling" than with processes on each container. Things like Twistlock and Aqua don't run in each individual container IIRC and still do some overall monitoring. I also don't have a super strong opinion but it seems like running 200 instances of all your security tools in a K8s cluster would be a recipe for A Bad Time™

BaseballPCHiker
Jan 16, 2006

Martytoof posted:

I also don't have a super strong opinion but it seems like running 200 instances of all your security tools in a K8s cluster would be a recipe for A Bad Time™

Oh man if you only knew....

I'm relatively new, not trying to stir the pot too much at my current job. But the software listed as required for our containers and clusters is pants-on-head crazy in my eyes. It's such a huge amount of effort to keep things working, and no amount of explaining elasticity to the people in charge seems to work. And it's all to appease auditors.

I guess I am in finance and there are a ton of industry regulations but it just seems unnecessary to me.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
I'd imagine that would increase the time to spin up new containers as well, which can be an issue in some applications. That said, the point of containers isn't necessarily to run light, but to run with all dependencies in one place. By bundling multiple security tools, you're effectively making those tools hard dependencies for whatever the container is supposed to be doing.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
A lot of container monitoring is just about capturing the logging you should already be capturing. Honestly just follow docker/k8s best practices and it's fine

Nukelear v.2
Jun 25, 2004
My optional title text

Martytoof posted:

I don't know how strictly you have security tools defined but I guess there's other ways to achieve monitoring and "security tooling" than with processes on each container. Things like Twistlock and Aqua don't run in each individual container IIRC and still do some overall monitoring. I also don't have a super strong opinion but it seems like running 200 instances of all your security tools in a K8s cluster would be a recipe for A Bad Time™

Yea I'd be curious what security tooling they are running inside all the containers. All the K8S tools I can think of run as daemonset like you mentioned.
For us with Twistlock, it's only for 'serverless' platforms like ECS/Lambda where you have to jump through those hoops just to get something with a fraction of the capability.

Nukelear v.2 fucked around with this message at 16:21 on Sep 10, 2021
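As an added illustration of the "runs as a daemonset" pattern mentioned above (this is not code from any poster or vendor in the thread): one node-level agent scheduled once per node, observing every container on that node through the host PID namespace and read-only host mounts, instead of an agent process baked into each of the 200 application images. The namespace, agent name, image reference and capability list are placeholders; the capabilities a real agent needs depend on the product.

```yaml
# Added example, not from the thread. Placeholders: namespace, names, image.
# One pod per node; scaling the application to 200 pods adds zero agents.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-security-agent
  namespace: security-agents
spec:
  selector:
    matchLabels:
      app: node-security-agent
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1          # roll the agent node by node
  template:
    metadata:
      labels:
        app: node-security-agent
    spec:
      # Land on every node, including tainted control-plane nodes.
      tolerations:
        - operator: Exists
      hostPID: true              # see every process on the node, i.e. inside every container
      hostNetwork: true          # see node-level network activity without a per-pod hook
      containers:
        - name: agent
          image: registry.example.com/node-security-agent:1.0   # placeholder image
          securityContext:
            privileged: false    # avoid "privileged" even for a security tool
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
              # Hypothetical minimum for process inspection; a real agent
              # documents its own requirements (eBPF-based ones may need BPF/PERFMON).
              add: ["SYS_PTRACE"]
          resources:
            limits:              # bound the agent so it cannot starve workloads
              cpu: "200m"
              memory: "256Mi"
          volumeMounts:
            - name: host-var-log
              mountPath: /host/var/log
              readOnly: true     # observe, never write, host logs
            - name: host-proc
              mountPath: /host/proc
              readOnly: true
      volumes:
        - name: host-var-log
          hostPath:
            path: /var/log
            type: Directory
        - name: host-proc
          hostPath:
            path: /proc
            type: Directory
```

The design point is the inverse of the sidecar-per-container approach: the agent is a separately versioned, separately reviewed supply-chain dependency for the cluster rather than for every application image, so an agent update or compromise is handled in one place, and application images stay minimal. Whether an auditor accepts "host-level coverage" for a per-workload control is a paperwork question, but the technical coverage is the same.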

some kinda jackal
Feb 25, 2003


CommieGIR posted:

A lot of container monitoring is just about capturing the logging you should already be capturing. Honestly just follow docker/k8s best practices and it's fine


I can easily see where that might break down in the face of an auditor who is adhering to strict letters of the law though. "So you've got 200 instances of debian with no antimalware tools?"

Sickening
Jul 16, 2007

Black summer was the best summer.

Martytoof posted:

I can easily see where that might break down in the face of an auditor who is adhering to strict letters of the law though. "So you've got 200 instances of debian with no antimalware tools?"

I refuse to treat containers like pets.

RFC2324
Jun 7, 2012

http 418

Sickening posted:

I refuse to treat containers like pets.

It's possible that the cost of not doing so is more in fines than you are saving by ignoring the regulations.

I find it unlikely in the US, but not impossible, and isn't finance the sector most likely to have it?

wolrah
May 8, 2006
what?

Martytoof posted:

I can easily see where that might break down in the face of an auditor who is adhering to strict letters of the law though. "So you've got 200 instances of debian with no antimalware tools?"
"Nope, we have one instance of Debian with 200 sandboxes inside. The antimalware runs at the host level, so they're all covered. Moving along."

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

wolrah posted:

"Nope, we have one instance of Debian with 200 sandboxes inside. The antimalware runs at the host level, so they're all covered. Moving along."

Exactly. Also aren't you going to ask me what security tools I install inside my JVM?

Internet Explorer
Jun 1, 2005





It bothers me enough to have AV running in VDI. Hosted-based is so much more efficient.

BaseballPCHiker
Jan 16, 2006

wolrah posted:

"Nope, we have one instance of Debian with 200 sandboxes inside. The antimalware runs at the host level, so they're all covered. Moving along."

That's a sane, logical stance that apparently has no impact on the powers that be at my company.

I don't understand our requirements for auditors. I won't pretend to understand what legal requirements we face. There are a lot of people that get paid a ton of money to know all of that and to accept and manage risks for the company.

I'm just a lowly infosec engineer new to a full time security position and new to this job. But to me requiring something like Symantec Endpoint to run on all containers to get detailed process monitoring seems..... insane?

some kinda jackal
Feb 25, 2003

To be clear, I'm 100% not advocating for running 200 instances of anything in containers, just saying that it turns into a big dickwaving contest on who can prove their point better to a C-level who may or may not understand the technology involved. This isn't a value judgment, just something I can easily see happening.

wolrah
May 8, 2006
what?

BaseballPCHiker posted:

I'm just a lowly infosec engineer new to a full time security position and new to this job. But to me requiring something like Symantec Endpoint to run on all containers to get detailed process monitoring seems..... insane?
That's because it is insane.

Not a lawyer and definitely not your lawyer but as someone who fights idiot PCI auditors all the time I've never seen a single case where the stupid poo poo they were asking for was actually required when we asked them to cite their sources. I would assume the same is true in a lot of industries, idiots have a checklist and they don't know how to handle anything that varies from the checklist.

Martytoof posted:

To be clear, I'm 100% not advocating for running 200 instances of anything in containers, just saying that it turns into a big dickwaving contest on who can prove their point better to a C-level who may or may not understand the technology involved. This isn't a value judgment, just something I can easily see happening.
For me it's a matter of principle. I'd rather put the effort into demonstrating the idiocy once and then not have to deal with it ever again, but I've always been very willing to burn bridges, which doesn't work for everyone.

some kinda jackal
Feb 25, 2003

Oh yeah for sure, I’m thankfully not in a position to have to spend hours or days arguing with auditors about why something does or doesn’t meet criteria but I just remember it to be the most frustrating thing in the universe.

Especially when you turn around and give them some bullshit screenshot that proves nothing and they use it to tick like five compliance checkboxes for logging and monitoring.

In short: External auditors pee pee doo doo

I’ve moved to application and system architecture with a focus on security so I get to bake all my stuff in from the get-go now and mercifully few arguments about why.

Inept
Jul 8, 2003

I work in government but I like auditors because we tell them what we know isn't compliant, but there's no funding for fixing. They ding us, and surprise, there's suddenly resources to fix things.

Mr. Crow
May 22, 2008

Snap City mayor for life
Medical field must be different, because lol if you think explaining anything to an auditor is going to impact the poo poo you're gonna eat for not following the letter of the law.

wolrah
May 8, 2006
what?

Mr. Crow posted:

Medical field must be different, because lol if you think explaining anything to an auditor is going to impact the poo poo you're gonna eat for not following the letter of the law.
My point is that in my experience the auditors are not following the letter of the law, they're following the letter of their idiot checklist and then when asked to cite the actual rule they tend to back down.

Yes, if the actual rule says you must do the stupid poo poo then I guess you're stuck, but in my book this is an "assume the auditors are idiots until proven otherwise" situation.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Martytoof posted:

I can easily see where that might break down in the face of an auditor who is adhering to strict letters of the law though. "So you've got 200 instances of debian with no antimalware tools?"

I know we're rolling out Crowdstrike to all our containers, so yeah. Ironically, we had a finding for "No Anti-Malware on your Mainframe"

Uhhhhh.....they don't have them?

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
My personal pet peeve was how Sarbanes-Oxley's separation of duties somehow became "the person who wrote the code can't deploy it to production." That is not what separation of duties meant. :argh:

some kinda jackal
Feb 25, 2003


CommieGIR posted:

I know we're rolling out Crowdstrike to all our containers, so yeah. Ironically, we had a finding for "No Anti-Malware on your Mainframe"

Uhhhhh.....they don't have them?

submit iplinfo output and highlight the RELEASE part ta-dah :D

Inept
Jul 8, 2003

Ynglaur posted:

My personal pet peeve was how Sarbanes-Oxley's separation of duties somehow became "the person who wrote the code can't deploy it to production." That is not what separation of duties meant. :argh:

that's still a good practice in general

BonHair
Apr 28, 2007

Ynglaur posted:

My personal pet peeve was how Sarbanes-Oxley's separation of duties somehow became "the person who wrote the code can't deploy it to production." That is not what separation of duties meant. :argh:

That's part of it? The point is that one person shouldn't be allowed to write code [containing Russian backdoors] and put it into production [where the backdoors will be used] without at least having some other guy saying "yeah, that's the code we want alright". It's not about you not being allowed to deploy your own code as such, it's about you not getting to both code and approve it for production.
Compare to financial separation of duty: you're allowed to request a new desk, and you're allowed to go to the store to get it, but someone has to actually say it's okay and allow you to use the company credit card.
And of course always do it risk-based. If it's internet-facing bank infrastructure code, maybe get two or more competent people to look over the code, and if it's a dumb intranet reminder thing for who brings cake on Thursday, maybe skip the separation of duties entirely.

Anyway, auditor talk: in Denmark, we have a very real problem where anyone remotely qualified as an it auditor gets sucked into private consulting/auditing houses (way better pay and career options), leaving government auditors only the terminally incompetent, people with no experience or training and like two guys who are genuinely passionate about oversight of banks. This means that government auditing is not very good, in either the overly focused on details way or just being way too easy to talk yourself out of.

Private auditing, which also happens, has an institutional problem of the auditor being paid by the audited, so everything is negotiable in reality, and the auditors know not to rock the boat too much.

Absurd Alhazred
Mar 27, 2010

by Athanatos
I mean, it's generally good practice to have at least one other person look over your code before you push it through, right?

BonHair
Apr 28, 2007

Absurd Alhazred posted:

I mean, it's generally good practice to have at least one other person look over your code before you push it through, right?

For more than one reason, yes. But there's both the "I want to make sure I didn't gently caress up anything" aspect and the more security-related aspect of "we want to make sure the coder didn't put anything bad in there". And if you were maliciously putting in stuff, you'd probably forgo asking someone to look over your code. And for that reason, you need some separation-of-duties type check of the code (in some cases).


Absurd Alhazred
Mar 27, 2010

by Athanatos

BonHair posted:

For more than one reason, yes. But there's both the "I want to make sure I didn't gently caress up anything" aspect and the more security-related aspect of "we want to make sure the coder didn't put anything bad in there". And if you were maliciously putting in stuff, you'd probably forgo asking someone to look over your code. And for that reason, you need some separation-of-duties type check of the code (in some cases).

Yeah, absolutely, I'm just saying that even if you don't care about security, you might want your devs' code to, you know, work.
