|
Diva Cupcake posted: lol. lmao. I think most orgs are using SaaS but still.
And here I thought the problem is that it's an inferior wiki with annoying JIRA integration.
|
# ? Jun 3, 2022 00:54 |
Diva Cupcake posted: lol. lmao. I think most orgs are using SaaS but still.
Gfdi, my last upgrade for the last Jira CVE is next week, and now this?
|
# ? Jun 3, 2022 02:09 |
|
Diva Cupcake posted: lol. lmao. I think most orgs are using SaaS but still.
Yeah, we have on-prem Confluence we're decom'ing, but it's thankfully not internet facing.
|
# ? Jun 3, 2022 02:48 |
|
Excellent time for us to have just bought cloud Confluence licenses.
|
# ? Jun 3, 2022 02:49 |
|
So, uh, maybe my zero trust model is appropriate after all.
|
# ? Jun 3, 2022 04:25 |
|
some kinda jackal posted: So, uh, maybe my zero trust model is appropriate after all.
seccomp and walk backwards into hell
|
# ? Jun 3, 2022 05:07 |
|
Great, going to fail my next audit because our Confluence web shell doesn't have a login banner.
|
# ? Jun 3, 2022 11:48 |
|
Is anyone using Cryptomator to create a "secure" file enclave on shared storage? I want to throw some backups of my personal documents (passport, various licenses, etc.) on iCloud Drive where I can get to them from my Mac and iOS devices, but I don't trust that I won't accidentally or forgetfully enable iCloud Drive on my work Mac or something. Probably paranoid, but whatever. I currently store these in a password-protected encrypted DMG on iCloud already, but since you can't open a DMG on iOS I'm kind of hosed if I need to refer to them while not on my laptop. Cryptomator seems to do the thing and source is available. It doesn't seem very shady, so I'm willing to just fork out the $16 one-time IAP for lifetime updates. If the app disappears I can always just compile and sideload it myself with my developer ID. I can count on one hand the number of times I've had to access these files, but when I did it was usually when I was on a mobile device. Not sure if there's a better alternative. This is just after thirty minutes of googling, and it seems to be a workable solution.
|
# ? Jun 15, 2022 13:53 |
|
some kinda jackal posted: Is anyone using Cryptomator to create a "secure" file enclave on shared storage?
I used TrueCrypt for years for this, VeraCrypt now.
|
# ? Jun 15, 2022 14:15 |
|
https://www.hertzbleed.com/
A few of my computer toucher friends are talking about this.
e: quote: "Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure."
Raine fucked around with this message at 17:58 on Jun 15, 2022 |
# ? Jun 15, 2022 15:21 |
|
some kinda jackal posted: Is anyone using Cryptomator to create a "secure" file enclave on shared storage?
It's simple, but I'm just using gpg for this type of thing. It can encrypt (and sign) and you can just keep your keys somewhere safe.
|
# ? Jun 15, 2022 15:38 |
|
Anybody anticipating any funtimes with IE 11 dipping out today? My company has a standalone solution for our smart credentials, but I know at least a few customers (mostly big gov't agencies) have been keeping IE around just to use the browser Java applet.

Unrelated:
|
# ? Jun 15, 2022 23:12 |
|
What will South Korea do without IE for banking?
|
# ? Jun 16, 2022 00:16 |
|
Raine posted: https://www.hertzbleed.com/
The fix: Disable all forms of clock speed changing. Boost clocks must be disabled for security reasons.
|
# ? Jun 16, 2022 00:33 |
|
Takes No Damage posted: Unrelated:
Son of a bitch. I completely missed the significance of that.
|
# ? Jun 16, 2022 17:52 |
|
Darchangel posted: Son of a bitch. I completely missed the significance of that.
For Matrix 2, Smith decides "this is my sequel" and conducts injection attacks.
|
# ? Jun 16, 2022 18:23 |
|
Chronojam posted: For Matrix 2, Smith decides "this is my sequel" and conducts injection attacks.
DDoS, surely?
|
# ? Jun 16, 2022 19:16 |
|
Chronojam posted: For Matrix 2, Smith decides "this is my sequel" and conducts injection attacks.
Obviously you didn't see the fourth one.
|
# ? Jun 16, 2022 19:47 |
|
Microsoft has just announced Defender for Individuals: https://www.microsoft.com/en-ww/microsoft-365/microsoft-defender-for-individuals
On Windows, you get pretty much nothing more than stock Windows Defender (no XDR). On macOS, iOS and Android you get pretty much the same features as Defender for Endpoint, besides Microsoft Tunnel.
|
# ? Jun 16, 2022 21:27 |
|
Raine posted: https://www.hertzbleed.com/
For anyone curious how the gently caress this could be working, the short version of this is:

A) The power a CPU consumes does depend on the overall number of 0's and 1's in the data being worked on. This is because static RAM (i.e. registers, i.e. flip-flops) consumes different amounts of power depending on its state. This isn't shocking but...

B) Some crypto algorithms can result in a large difference in the number of 0's or 1's in the data as they decrypt something either successfully or unsuccessfully, in a way that can reveal info about the key.

quote: "In our attack, we show that, when provided with a specially-crafted input, SIKE's decapsulation algorithm produces anomalous 0 values that depend on single bits of the key. Worse so, these values cause the algorithm to get stuck and operate on intermediate values that are also 0 for the remainder of the decapsulation. When this happens, the processor consumes less power and runs at a higher frequency than usual, and therefore decapsulation takes a shorter wall time."

Obviously this instance with SIKE is fairly egregious it seems, but any time there's been existing power side channel attacks, this could be translated to a frequency/timing attack with presumably varying degrees of difficulty.

EDIT: Seems like it's going to be tough to allow userspace applications to routinely request CPU throttling to be temporarily disabled to execute some algorithm in a constant-wall-time context. Even if you could do something like request the kernel to schedule a certain function in a context that only returns after a constant wall time, you could use some other query channel to determine the current CPU speed most likely. The paper even suggested they could get data from AES-NI instructions, implying the extra power draw of the AES engine in the core was affecting the overall throttling of the CPU.

Rescue Toaster fucked around with this message at 16:14 on Jun 20, 2022 |
# ? Jun 20, 2022 14:45 |
|
Rescue Toaster posted: Obviously this instance with SIKE is fairly egregious it seems, but any time there's been existing power side channel attacks this could be translated to a frequency/timing attack with presumably varying degrees of difficulty.
Both AMD and Intel rated this as "medium" on the vuln scale because it only works when the cryptography functions are basically the only thing running on the CPU. Otherwise the random noise of other workloads will make it very difficult to see the effects of these minuscule 1/0 differences.

So for an attacker, running a second process to oracle out the state of the CPU via how fast it completes won't work. That process itself will alter the CPU speed you're trying to measure, and there's no chance that your oracle busywork is more delicate and finer-grained than the AES hardware.

So rather than trying to solve this by having the crypto set the CPU into a static clock speed, you can:

1. Easy solution: block everything from seeing the clock speed. Default userspace already is, and in cloud computing it should be easy to block VMs from getting super-granular stats of the host CPU.

2. For the extra-paranoid, change your SIKE or whatever other potentially vulnerable application to spawn a thread of extra make-work during sensitive key decryption.

Alternately: run F@H on all your servers for extra security.
|
# ? Jun 22, 2022 17:12 |
|
BRB adding a crypto miner to my list of mandated security agents for server deployments.
|
# ? Jun 23, 2022 11:37 |
|
How's everyone's day going? I just found two compromised IAM accounts being accessed from Tor exit nodes. My urgent appeals to have the keys at the very least deactivated were met with scorn, as that could affect production, and I was unable to convince the powers that be to at least change the IAM password. Now that person was able to create a new role and I get to spend more time chasing this poo poo down. Anyone hiring? Thinking it's time to bounce only 7 months in. Have to just pull the bandaid off quick sometimes, I guess.
|
# ? Jun 23, 2022 18:57 |
|
|
BaseballPCHiker posted: How's everyone's day going?
Post the company name so we can short them. (No, I'm just kidding, don't do that.)
|
# ? Jun 23, 2022 19:44 |
|
BaseballPCHiker posted: How's everyone's day going?
LMAO if you don't have the authority to take down possibly compromised accounts and/or keys.
|
# ? Jun 23, 2022 20:05 |
|
Sickening posted: LMAO if you don't have the authority to take down possibly compromised accounts and/or keys.
I take it you haven't seen many of my posts in here since I've started at this place. It's so god drat bad. I've had a major move and a baby in the timeframe, so I'm really treading water until things settle down. If I stay until November I won't have to pay back my sign-on bonus too. Just have to make it until then.... Or find something before the economy takes a turn for the worse. I don't know. This place is 100% going to end up in the news at some point and I don't want to be associated with them when it does.
|
# ? Jun 23, 2022 20:21 |
|
Sounds like a situation that calls for having everything in writing with timestamps (emails) and then trying not to involve yourself too much and just coast.
|
# ? Jun 23, 2022 20:24 |
|
BonHair posted: Sounds like a situation that calls for having everything in writing with timestamps (emails) and then trying not to involve yourself too much and just coast.
|
# ? Jun 23, 2022 20:36 |
|
BonHair posted: Sounds like a situation that calls for having everything in writing with timestamps (emails) and then trying not to involve yourself too much and just coast.
Yeah, sometimes all you can do is cover your rear end and leave the glue huffers to their scissors footrace.
|
# ? Jun 23, 2022 20:37 |
|
BaseballPCHiker posted: I take it you haven't seen many of my posts in here since I've started at this place. It's so god drat bad.
Have you thought more about that whole "narc on them to their insurance companies" idea at all? In other professions you can get bounties for doing that... Though I don't know if they give them for reporting things that would just cause the insurance to be cancelled, rather than actual fraud.
|
# ? Jun 23, 2022 20:49 |
|
If you need to leave early, you can negotiate as part of your offer that the new place will give you a bonus to pay off the old place. But also just CYA and stop caring.
|
# ? Jun 23, 2022 21:25 |
|
Happiness Commando posted: If you need to leave early, you can negotiate as part of your offer that the new place will give you a bonus to pay off the old place.
I think this is good advice. Might as well start looking now and see where you end up.
|
# ? Jun 23, 2022 21:49 |
|
Man, that reminds me of a few jobs back, working for a mom and pop webhost back in 2001. Someone popped one of our web servers, and instead of just pulling the literal plug to stop any activity, my manager at the time decided we should have a big meeting to discuss what we were going to do, because he didn't want availability impacted. Meanwhile dude just rm -rf /'d the server, so yea.
|
# ? Jun 23, 2022 23:00 |
|
nobody in infosec gives a poo poo if you worked at a place during a breach unless it was directly your fault. and if you're at the level where they'd be able to actually say it was directly your fault, you're also at the level where nobody gives a poo poo about breaches. instead, they'd give a poo poo about stock prices. and stock price don't care about breaches - after 6 months the impact is gone and so long as you have a convincing story about making a poo poo-ton of money at the expense of security you'd probably be fine
Achmed Jones fucked around with this message at 00:09 on Jun 24, 2022 |
# ? Jun 24, 2022 00:07 |
|
BaseballPCHiker posted: How's everyone's day going?
Document for evidence and brace for impact.
|
# ? Jun 24, 2022 05:22 |
|
Achmed Jones posted: nobody in infosec gives a poo poo if you worked at a place during a breach unless it was directly your fault.
It's actually a plus if you have that kind of real world IR experience.
|
# ? Jun 24, 2022 07:05 |
|
yeah good point
|
# ? Jun 24, 2022 07:43 |
|
Just treat the IAM accounts like an ant farm or aquarium and watch what they do. At best it could teach you something, at worst it's entertaining.
|
# ? Jun 24, 2022 08:56 |
|
BonHair posted: Sounds like a situation that calls for having everything in writing with timestamps (emails) and then trying not to involve yourself too much and just coast.

Klyith posted: Have you thought more about that whole "narc on them to their insurance companies" idea at all? In other professions you can get bounties for doing that...

Happiness Commando posted: If you need to leave early, you can negotiate as part of your offer that the new place will give you a bonus to pay off the old place.

Show up, collect the paychecks and move on.

Achmed Jones posted: nobody in infosec gives a poo poo if you worked at a place during a breach unless it was directly your fault. and if you're at the level where they'd be able to actually say it was directly your fault, you're also at the level where nobody gives a poo poo about breaches. instead, they'd give a poo poo about stock prices. and stock price don't care about breaches - after 6 months the impact is gone and so long as you have a convincing story about making a poo poo-ton of money at the expense of security you'd probably be fine

CommieGIR posted: Document for evidence and brace for impact

spankmeister posted: It's actually a plus if you have that kind of real world IR experience.

Cup Runneth Over posted: Just treat the IAM accounts like an ant farm or aquarium and watch what they do. At best it could teach you something, at worst it's entertaining.
|
# ? Jun 24, 2022 14:04 |