Can I still buy a jaz drive, I was always jealous of those. A whole gigabyte of storage, in your pocket.

Sep 3, 2022 08:28

more falafel please posted:
Can I still buy a jaz drive, I was always jealous of those. A whole gigabyte of storage, in your pocket.

On an actual loving hard drive platter in a caddy, it was amazing and made me think of the old fridge-sized HDs with cartridges on top

Sep 3, 2022 14:32

There's a known issue with MS Defender where a new feature they've added, Inbound Connection Filtering, can start blocking traffic unexpectedly. No fix as of this week, workaround is:

Set-MpPreference -DisableInboundConnectionFiltering $true

Then stop and start WD service:

sc.exe stop windefend
sc.exe start windefend

It *also* will block Putty sessions - you connect and log in to sshd, but then it blocks responses to the client. Just spent a couple hours trying to figure out why ssh was hanging then 'ohhhhhhh'. Instant fix.

"Inbound connection filtering is a new Network protection feature, so there will be no lost functionality or risk for disabling the feature". Yeah go gently caress yourself Microsoft.

Sep 4, 2022 20:46

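An added helper script (mine, not from the post above or from Microsoft) that first checks whether Defender's inbound connection filtering is actually enabled on the box, so you can rule it in or out before chasing the network, and only applies the workaround quoted above when run with `-Apply`. It assumes an elevated PowerShell on a machine whose Defender platform exposes the `DisableInboundConnectionFiltering` preference.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell.
# Without -Apply it only reports state; with -Apply it performs the workaround
# from the post (flip the preference, bounce WinDefend) and verifies it stuck.
param([switch]$Apply)

$pref = Get-MpPreference
$prop = $pref.PSObject.Properties['DisableInboundConnectionFiltering']
if (-not $prop) {
    Write-Host "This Defender platform does not expose DisableInboundConnectionFiltering; the feature is not present here."
    return
}

$disabled = [bool]$prop.Value
Write-Host "Defender platform version: $((Get-MpComputerStatus).AMProductVersion)"
Write-Host "Inbound connection filtering currently: $(if ($disabled) { 'DISABLED' } else { 'ENABLED' })"

if (-not $Apply) {
    Write-Host "Re-run with -Apply to disable the feature and restart WinDefend."
    return
}

# Workaround quoted in the post: set the preference, then stop/start the service so it takes effect.
Set-MpPreference -DisableInboundConnectionFiltering $true
sc.exe stop windefend | Out-Null
Start-Sleep -Seconds 5
sc.exe start windefend | Out-Null

# Verify the change persisted across the restart. (Assumption: if it did not,
# tamper protection or a management policy is the usual reason to look at next.)
$after = [bool](Get-MpPreference).DisableInboundConnectionFiltering
Write-Host "After restart, DisableInboundConnectionFiltering = $after"
if (-not $after) {
    Write-Warning "Setting did not persist; check tamper protection and any Defender policy applied to this host."
}
```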
So MS Defender is...a firewall now?

Sep 4, 2022 23:02

Faster these days to list what Defender isn’t.

Sep 4, 2022 23:04

Ynglaur posted:
So MS Defender is...a firewall now?

I can't remember when it wasn't

Sep 5, 2022 05:42

Chaser: it took MS 3 days to identify this "known issue" during a major incident where our Citrix VDI was basically non-functional for thousands of client machines. We tested it in minutes and implemented it in an hour. Down three days with MS involved from hour 3.

Sep 5, 2022 06:06

Sickening posted:
So for all of you that read this thread I want to give you some insider info.

I was very bored this morning and I was intrigued by this post because for some reason I didn't know mom and pop pharmacies were a thing. So I pulled up google maps and flew around my area looking for one. Finally found one with their own website and domain. Hmm, wonder what shodan says about the open ports on this IP address? Surely just normal business ports right, 443, maybe 25? Oh, cool. What do you all think the secret port knocking code is to unlock the bonus level (445)?

FungiCap fucked around with this message at 12:08 on Sep 5, 2022

Sep 5, 2022 12:01

FungiCap posted:
I was very bored this morning and I was intrigued by this post because for some reason I didn't know mom and pop pharmacies were a thing.

Who do you think is sending you all the pharma ads???

Sep 6, 2022 07:16

FungiCap posted:
Knock on them in the following order: 6,9,4,2,0

Sep 6, 2022 13:32

I don't know if I'm saying the quiet part out loud, but four years into working with Thales-now-Entrust HSMs and I feel like this whole ecosystem is built on technology and software that is held together by hacks and barely thought out beyond "we wrote it once in 1996 and lol who got time to come up with something better??" It just feels so incredibly clunky, and every time I run into a problem the answer is some weird hack or esoteric setting that no human on earth would think to implement.

Sep 8, 2022 13:42

Just out of curiosity, are you using on-prem hardware? I'm evaluating Azure Dedicated HSM v Thales DPOD (SaaS HSM) for a future project and I'm curious what types of issues you run into.

Sep 8, 2022 14:01

I'm using on-prem nShield devices, but when I took the entrust training they out and out told me that the Azure aaS is just a stack of nShield boxes so I think you're getting basically the same experience. Right now I think you get dedicated units since a device can only service a single security world/domain, though they mentioned that future firmware will allow for multiple security worlds which probably leads to colocation opportunities so your risk profile/tolerance with the aaS model might change at that point. Can't speak to Thales DPOD sadly since I mostly work with nShields -- my only other experience with HSMs is Thales PayShield line for mobile wallet stuff, but that was probably six or seven years back at this point when ApplePay and GooglePay were first getting stood up. I'm finding it hard to pinpoint any specific issues that have outright blocked me, but just the whole ecosystem with the hardservers and RFS servers and remote administration feels really bolted together and is a lot of moving parts, especially when you need to try to troubleshoot when the application team invariably complains that the HSM is being a bottleneck. Logging for troubleshooting is mostly done at the PKCS11 level and if you suspect the trouble is at the hardserver->HSM level then (ANECDOTALLY) good luck getting their support to give you any specific instructions instead of generally pointing you at some KB article. They have some super smart guys working there - if you get Walter as your support rep then you're in good hands. If you don't, then.. well.. So I also complain but it's been four years for fairly smooth sailing other than it's just a big tangled web. Looking at an nShield deployment gives me the same feeling I get when I look at a rack that has no cable management or coherent layout. Yeah, this is a working setup, but good luck with all that. 
I'm happy to chat if you have any specific questions on my non-NDA'd nShield experiences, feel free to drop me a PM

some kinda jackal fucked around with this message at 14:41 on Sep 8, 2022

Sep 8, 2022 14:13

Lots of hardware is like that - generally a brilliant person/team comes up with the initial concept, but when the secondary crew (not-so brilliant) comes afterwards, they're tasked with just "get (new) function working" and the product slowly falls apart.

Sep 8, 2022 14:35

Yeah, support has generally been hosed in the past but we've insulated ourselves with a Thales-specific vendor for upcoming implementation. Luckily with most HSMs it's generally set it and forget it. The cloud based solutions with Azure and Thales are still same hardware SafeNet Luna, FIPS 140-2/L3 validated, etc.. just not in our data center. I'll reach out if I have anything specific though. Thanks!

Sep 8, 2022 14:41

No prob! The SafeNet stuff (at least the stuff that isn't just their rebranding of PayShield -- at that point I think it was just PayShield and not Luna Payment bla bla bla) is something that I haven't really been exposed to but have always been curious about. Always wonder how the other half lives
some kinda jackal fucked around with this message at 14:45 on Sep 8, 2022

Sep 8, 2022 14:43

lmao https://twitter.com/WSJ/status/1567943389139591173

Sep 8, 2022 20:08

if there's a future where Twitter dies, Elon dies, and mudge walks away rich, that would be hilarious

Sep 8, 2022 20:52

https://twitter.com/wbm312/status/1567981004555698176 Why would a payment platform need a security team, anyway?

Sep 8, 2022 22:12

wonder who gets to keep them PCI compliant now, lol

Sep 8, 2022 22:19

An outsourced MSSP for checkmark compliance maybe. Not a great look. Probably not doing well on finances.

Sep 8, 2022 22:59

I'm uh.. I'm not sure Patreon could make itself less appealing. But here we are.

e: lol their MSSP is just going to start lobbing false positive alerts over the fence to who now? Their infrastructure team? Developers? This is such a laugh because I'm not involved

some kinda jackal fucked around with this message at 23:31 on Sep 8, 2022

Sep 8, 2022 23:04

Famethrowa posted:
wonder who gets to keep them PCI compliant now, lol

You see, they're already compliant, the thing is already implemented, so there's really no need to keep a team working on something they already have. My money says they'll get a new team and explain that the old team had a bad culture that didn't care for the business. By which they mean "said stuff was unsecure and that money should be spent fixing it"

Sep 9, 2022 15:00

This is great https://www.linkedin.com/posts/danieladaramola_mentoringmatters-ugcPost-6972620299229900800-tJkK?utm_source=share&utm_medium=member_android Video

Sep 9, 2022 18:15

BonHair posted:
You see, they're already compliant, the thing is already implemented, so there's really no need to keep a team working on something they already have.

Sep 9, 2022 18:39

Diva Cupcake posted:
Outsourced it is.

When I think of aspects of an organization that should be outsourced to the lowest bidder, security is definitely number one.

Sep 9, 2022 20:37

Absurd Alhazred posted:
When I think of aspects of an organization that should be outsourced to the lowest bidder, security is definitely number one.

Especially when transactions are your entire business and you absolutely need to be PCI compliant.

Sep 9, 2022 21:02

eh, sox404 / pci / whatever compliance via MSSPs isn't necessarily totally rear end. Mostly rear end, but it can be passable. If they made this move because of the salaries of five people though, yeah, maybe they're going the rear end route

Sep 9, 2022 21:10

Diva Cupcake posted:
Outsourced it is.

I hope whoever made this decision is also the person whose mailbox is now filling up with tier1 SOC escalations about "excessive firewall deny pls investigate" lol

The phrase "isn't this what we pay YOU to do" will be uttered at Patreon within five days; I would bet money on that.

Sep 9, 2022 21:43

Potato Salad posted:
eh, sox404 / pci / whatever compliance via MSSPs isn't necessarily totally rear end

Yeah but MSSPs as your ONLY security resource rarely goes well. To augment a dedicated team? Sure. Most MSSPs are made of Analysts trying to get their foot in the door and quickly rotating out for a better gig.

Sep 9, 2022 22:39

One of our biggest security firms has a system that is set up so that to update the code, you log on through labyrinthian multi-hop terminal server connections to India and code directly, with a second delay for keypresses etc. Because it had to be SO secure. The database of all their alarm installations and all other crap that this system uses? It runs MySQL 5.1 on 32-bit Windows Server, and is exposed to the internet (MySQL login: root) via PHPMyAdmin 3.2, powered by Apache 2.2.11 And the password is… hideous Looks like it was all updated in 2011 at the latest. I just… can’t even. Yes they’ve been told about SSH pubkey access etc but no they won’t do anything.

Sep 10, 2022 16:12

F4rt5 posted:
And the password is… hideous

An easy win is to change the password to hideous1!

Sep 10, 2022 23:09

I will preface this by saying I'm not very strong on certificates. I have a case where I am trying to get single sign on working on wireless clients and I can't seem to get the presented certificate in an acceptable format for windows. SSO isn't going to work unless the cert chain is perfect, I get that, but there has to be something else I am missing here. Basically, the clients will not trust the radius cert without user interaction, even though I created a CSR using the NAC's openssl and ran that through the same windows cert server that the domain root comes from. I'm running out of things to try. It feels like I have a context out of whack in there somewhere.

Sep 12, 2022 15:04

Is it an actual trust issue, or are you just seeing clients prompted to use that cert when they try doing RADIUS auth? My understanding of WPA Enterprise in Windows was that to avoid users having to do anything you had to deploy the connections through group policy / config management and the certificates were part of that.

Sep 12, 2022 15:07

Thanks Ants posted:
Is it an actual trust issue, or are you just seeing clients prompted to use that cert when they try doing RADIUS auth? My understanding of WPA Enterprise in Windows was that to avoid users having to do anything you had to deploy the connections through group policy / config management and the certificates were part of that.

It's prompting on a seemingly valid certificate that it should trust. It's a big enough org, I'll have to grab one of the server folks to check anything on that side. I've done this using a full windows NPS but it always seems to get weird when there's non-microsoft in the mix.

Sep 12, 2022 15:12

As much as it pains me to say, unless you have strict regulatory requirements, wpa2/3 enterprise with peap(password) is more than adequate for a conventional ad infra.

Sep 12, 2022 15:56

SlowBloke posted:
As much as it pains me to say, unless you have strict regulatory requirements, wpa2/3 enterprise with peap(password) is more than adequate for a conventional ad infra.

It's all WPA2 using PEAP. I'm just trying to streamline it as much as I can. Things like password changes are *very* cumbersome, and usually clients have to forget/re-add the secure network. More often than not, users can't be arsed and just hop on the public and VPN in, as convoluted as that is

Sep 12, 2022 16:02

Farking Bastage posted:
It's all WPA2 using PEAP. I'm just trying to streamline it as much as I can. Things like password changes are *very* cumbersome, and usually clients have to forget/re-add the secure network. More often than not, users can't be arsed and just hop on the public and VPN in, as convoluted as that is

You can set it up to use the AD profile password so the password change is transparent as long as the user always changes the password before expiration.

Sep 12, 2022 16:29

SlowBloke posted:
You can set it up to use the AD profile password so the password change is transparent as long as the user always changes the password before expiration.

That's the problem i'm having with the certificate. If you try to do it programmatically in any way, it just fails and blames the cert.

Sep 12, 2022 16:41

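An added check for the RADIUS certificate problem discussed above (my script, not something posted in the thread). Run on one of the Windows clients that prompts, against a copy of the RADIUS server's certificate exported to a file; it reports the three things Windows PEAP actually cares about: the Server Authentication EKU, the SAN/CN the profile must match, and whether the chain builds to a root in the machine's Trusted Root store. The file path is a placeholder and the cert is assumed to be exported in DER or PEM form.

```powershell
# Added example, not code from the thread. Assumes the NAC's RADIUS server cert
# was exported to the placeholder path below; run on the affected Windows client.
$CertPath = 'C:\temp\radius.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Valid   : $($cert.NotBefore) -> $($cert.NotAfter)"

# 1. Windows PEAP/EAP only accepts a RADIUS server cert that carries the
#    Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). A template without it
#    issues fine from the domain CA but the supplicant will not trust it.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $false
if ($eku) {
    $hasServerAuth = ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
}
Write-Host "Server Authentication EKU present: $hasServerAuth"

# 2. The name the wireless profile's "connect to these servers" entry must match
#    comes from the SAN (falling back to the CN when there is no SAN).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { Write-Host "SAN     : $($san.Format($false))" }
else      { Write-Host "No SAN extension; clients will match against the CN only" }

# 3. Build the chain the way the client would, from this machine's own stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$builds = $chain.Build($cert)
Write-Host "Chain builds to a trusted root: $builds"
foreach ($el in $chain.ChainElements) { Write-Host "  -> $($el.Certificate.Subject)" }
foreach ($st in $chain.ChainStatus)   { Write-Host "  problem: $($st.Status) $($st.StatusInformation.Trim())" }

# 4. The profile also has to tick the issuing root under "Trusted Root CAs";
#    confirm that root is actually in the machine store so it can be selected.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
Write-Host "Top of chain ($($root.Subject)) in LocalMachine\Root: $([bool]$inRootStore)"
```

If the EKU check fails, the fix is on the CA side (reissue from a template that includes Server Authentication); if the chain builds but clients still prompt, the wireless profile itself is usually what needs pushing via GPO, as suggested earlier in the thread.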
Farking Bastage posted:
hop on the public and VPN

This is your new supported and recommended configuration.

Sep 12, 2022 16:50