RFC2324
Jun 7, 2012

http 418

jaegerx posted:

Not to be anti mod here but the fact that most of the world cup apps by qatar are basically invading all your privacy so the world cup is kinda a topic.

World cup... Apps?

What on earth?


KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


There are two – one is a mandatory Covid-19 tracing app, the other is possibly mandatory for visitors from abroad. Both have insane levels of tracking and permissions.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


KozmoNaut posted:

There are two – one is a mandatory Covid-19 tracing app, the other is possibly mandatory for visitors from abroad. Both have insane levels of tracking and permissions.

Insane? They’re reading txt messages and poo poo.

CLAM DOWN
Feb 13, 2007




jaegerx posted:

Insane? They’re reading txt messages and poo poo.

Pretty sure that's what they mean by "insane".....

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


CLAM DOWN posted:

Pretty sure that's what they mean by "insane".....

https://appleinsider.com/articles/22/11/20/eu-warns-against-downloading-qatar-world-cup-apps

CLAM DOWN
Feb 13, 2007





Yes?!?! We know??

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

CLAM DOWN posted:

Yes?!?! We know??

No need to get angry just because you don't understand

RFC2324
Jun 7, 2012

http 418

:munch:

evil_bunnY
Apr 2, 2003

The Fool posted:

hachyderm.io
ye

Defenestrategy
Oct 24, 2010

Do any of you who have to deal with DoD 8140 compliance know if you have to keep the cert current to maintain the compliance? For example my Sec+ renewal comes up December of next year, do I lose 8140 compliance if I let it lapse? I get the feeling it does, just checking though.

Sickening
Jul 16, 2007

Black summer was the best summer.

Defenestrategy posted:

Do any of you who have to deal with DoD 8140 compliance know if you have to keep the cert current to maintain the compliance? For example my Sec+ renewal comes up December of next year, do I lose 8140 compliance if I let it lapse? I get the feeling it does, just checking though.

If it was a requirement to get the job it might be a requirement to keep the job.

abelwingnut
Dec 23, 2002


e: found a better thread. sorry for the interruption!

abelwingnut fucked around with this message at 20:16 on Nov 28, 2022

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sickening posted:

If it was a requirement to get the job it might be a requirement to keep the job.

This. I wouldn't let it lapse.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Defenestrategy posted:

Do any of you who have to deal with DoD 8140 compliance know if you have to keep the cert current to maintain the compliance? For example my Sec+ renewal comes up December of next year, do I lose 8140 compliance if I let it lapse? I get the feeling it does, just checking though.

I feel like this is something you should be asking the lawyer your company has since you deal with government contracts.

navyjack
Jul 15, 2006



Defenestrategy posted:

Do any of you who have to deal with DoD 8140 compliance know if you have to keep the cert current to maintain the compliance? For example my Sec+ renewal comes up December of next year, do I lose 8140 compliance if I let it lapse? I get the feeling it does, just checking though.

Might be worth your time and have a good ROI to get one of the certifications that automatically renew your Sec+ instead of taking it again. CySA+ and Pentest+ both renew Sec+, Net+, and A+ when you get it, so, depending on your interests and what other certs you might have, I’d do one of those instead of chewing old soup.

AlternateAccount
Apr 25, 2005
FYGM
Have they talked about the details of twitters coming encrypted DMs? Proper E2E or…?

Sir Bobert Fishbone
Jan 16, 2006

Beebort

AlternateAccount posted:

Have they talked about the details of twitters coming encrypted DMs? Proper E2E or…?

End-to-Elon encryption

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Sir Bobert Fishbone posted:

End-to-Elon encryption

New thread title, please.

Raymond T. Racing
Jun 11, 2019

AlternateAccount posted:

Have they talked about the details of twitters coming encrypted DMs? Proper E2E or…?

“just vibes”

I wouldn’t be surprised if it’s never implemented due to not having the engineering capacity to add it

Defenestrategy
Oct 24, 2010

navyjack posted:

Might be worth your time and have a good ROI to get one of the certifications that automatically renew your Sec+ instead of taking it again. CySA+ and Pentest+ both renew Sec+, Net+, and A+ when you get it, so, depending on your interests and what other certs you might have, I’d do one of those instead of chewing old soup.

You might be right that this is the year to get the pen+.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

AlternateAccount posted:

Have they talked about the details of twitters coming encrypted DMs? Proper E2E or…?

I was adjacent to the team that built E2E and disappearing mode for FB Messenger and it was a lot of work—and we already owned WhatsApp to ask questions of. If you want it to work with multiple client devices you have to make some tricky choices around key management. Plus the abuse stuff, since you still want people to be able to report abusive messages that are encrypted, and you want to make sure that the message they report is actually what was sent.

I hear that an early attempt at doing Signal-style E2E at Twitter fell apart because Moxie (who was advising) went on a long untraceable sailing vacation and while it was stalled various political forces killed it.

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars


Plaster Town Cop

Subjunctive posted:

I was adjacent to the team that built E2E and disappearing mode for FB Messenger and it was a lot of work—and we already owned WhatsApp to ask questions of. If you want it to work with multiple client devices you have to make some tricky choices around key management. Plus the abuse stuff, since you still want people to be able to report abusive messages that are encrypted, and you want to make sure that the message they report is actually what was sent.

I hear that an early attempt at doing Signal-style E2E at Twitter fell apart because Moxie (who was advising) went on a long untraceable sailing vacation and while it was stalled various political forces killed it.

Lol.

Yeah e2ee runs headlong into "password resets and lost devices are a thing". You can either have a secure messaging service or you can shoot for a billion users with the pudding-brains of your average journalist. You can hold their keys, or you can do like (many? most?) every other service and outsource the secure key storage and recovery to icloud/gdrive, but ultimately somebody's changing user nappies and can access their poo poo.

post hole digger
Mar 21, 2011

Have any of you done OSWE for a web app pentesting cert? Based on the work I'm doing these days (working for a web-facing software company) OSWE might be more relevant than OSCP, although probably a fair amount more challenging as well. I am comfortable writing and reading source code to a degree (mainly Python and Perl) but am coming from a sysadmin background, not software engineering.

I really want to give an OS cert a go this year, and the fact they're on sale right now might be enough to push me over the edge. I am pretty confident I could pass OSCP with some practice, I have done a bunch of vulnhub boxes before and had my GCIH (now expired) up until this fall. I think I'd get a lot out of OSCP still, and it's been one of my goals for a long time, but OSWE has my interest as well.

AlternateAccount
Apr 25, 2005
FYGM

Harik posted:

You can hold their keys, or you can do like (many? most?) every other service and outsource the secure key storage and recovery to icloud/gdrive, but ultimately somebody's changing user nappies and can access their poo poo.

Yeah blegh any third party in possession of keys defeats the purpose.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

they don’t have to have access to the keys to the messages, even if they have access to the keys to the account, given PFS. it means you can’t fill in a conversation on a device from before it joined, but it also means that you don’t have to worry about your message history being retroactively owned because someone shuffled your SIM

Harik
Sep 9, 2001

From the hard streets of Moscow
First dog to touch the stars


Plaster Town Cop

Subjunctive posted:

they don’t have to have access to the keys to the messages, even if they have access to the keys to the account, given PFS. it means you can’t fill in a conversation on a device from before it joined, but it also means that you don’t have to worry about your message history being retroactively owned because someone shuffled your SIM

pfs requires individual device keys and multi-recipient messages which is fine for apps but where do you store that device key for the website? There's no great answer there - create a new device key automatically trusted by all your contacts because someone knew your twitter password? Require everybody to re-verify your ID if you log in from an internet cafe when traveling?

The security posture of a messaging system robust against hostile state actors strongly conflicts with people who just want to DM their friends. Losing your message history is a nonstarter for a lot of people. There's important poo poo in there - invites, dates, reminders - that normal people will flip their poo poo at losing for incomprehensible "security" reasons.

E: and that's not even getting into next-of-kin problems. People want wildly different things to happen to their social media when they pass. A queer teen who's not 'out' to their parents doesn't want them to get their DMs and harass their friends, but a husband may want his wife to be able to notify his contacts that he's gone. These are completely incompatible needs, pick which one gets your support and which gets told to pound sand.

Harik fucked around with this message at 19:29 on Nov 30, 2022

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Gang, at my last gig we used Intruder and really liked the simple UI that was wrapped around what is essentially Nessus run on my client machines and could be run unlimited times. I'd like to get a similar functionality and they do have a cheaper service ($858\mo vs $577\mo) running on OpenVAS (any feedback?) but max user count is two users which is really limiting.

Open to suggestions for a comparable solution?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Harik posted:

E: and that's not even getting into next-of-kin problems. People want wildly different things to happen to their social media when they pass. A queer teen who's not 'out' to their parents doesn't want them to get their DMs and harass their friends, but a husband may want his wife to be able to notify his contacts that he's gone. These are completely incompatible needs, pick which one gets your support and which gets told to pound sand.

yeah, different companies have different practices here. I believe that my “legacy contact” on FB gets to see my friend list and post as me, but doesn’t see any private messages

your web page can broker to your mobile device for key and crypto management, which I think is what WhatsApp used to do at least. you can also require 2FA in order to issue a key, but again the stakes are lower in the presence of PFS because you only have the window under detection/remediation that’s at risk, rather than your entire previous history of platform usage. if private data breaches only revealed the new data generated while the attacker had live access, they would be a lot less harmful!
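The point made in the two posts above (that with per-message keys derived through a one-way ratchet, a stolen key only exposes traffic from the theft onward, not the prior history) is easy to see with a small simulation. The following is an added example written for this thread, not code from any messaging product: a toy symmetric hash ratchet plus an encrypt-then-MAC helper, both built only from the Python standard library. The root key and messages are constructed test values, and the attacker model is simply "snapshot the sender's chain key just before message number `compromise_at` and try every ciphertext".

```python
"""Forward-secrecy window of a symmetric hash ratchet (constructed demo)."""
import hashlib
import hmac

# Constructed demo values; a real deployment would derive the root from a key agreement.
ROOT_KEY = hashlib.sha256(b"constructed demo root key").digest()
MESSAGES = [b"dinner thursday?", b"party invite attached", b"reminder: dentist 9am",
            b"new phone number below", b"see you at the gate"]


def kdf(key, label):
    """One-way derivation step: HMAC-SHA256 of a label under the current key."""
    return hmac.new(key, label, hashlib.sha256).digest()


class SymmetricRatchet:
    """Each call yields a fresh message key and replaces the chain key with a one-way
    function of itself, so a chain key learned at step k says nothing about keys < k."""

    def __init__(self, chain_key, step=0):
        self.chain_key = chain_key
        self.step = step

    def next_message_key(self):
        msg_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")
        self.step += 1
        return self.step - 1, msg_key


def _keystream(msg_key, length):
    """Counter-mode keystream from the message key (illustrative, not a production AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += kdf(msg_key, b"stream" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt(msg_key, plaintext):
    """Encrypt-then-MAC: XOR with the keystream, append a 32-byte HMAC tag."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(msg_key, len(plaintext))))
    tag = hmac.new(kdf(msg_key, b"mac"), ct, hashlib.sha256).digest()
    return ct + tag


def decrypt(msg_key, blob):
    """Verify the tag first; a wrong key fails here rather than yielding garbage."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kdf(msg_key, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(msg_key, len(ct))))


def breach_window(messages, compromise_at, root_key=ROOT_KEY):
    """Send every message through the ratchet; an attacker copies the sender's chain
    key right before message `compromise_at` is keyed. Returns (indices the attacker
    can read, plaintexts recovered by the legitimate receiver)."""
    sender = SymmetricRatchet(root_key)
    transcript = []
    attacker = None
    for i, m in enumerate(messages):
        if i == compromise_at:
            attacker = SymmetricRatchet(sender.chain_key, sender.step)  # stolen state
        step, k = sender.next_message_key()
        transcript.append((step, encrypt(k, m)))
    if attacker is None:  # theft after the last message: nothing left to derive
        attacker = SymmetricRatchet(sender.chain_key, sender.step)

    # The attacker can only ratchet forward from the stolen state.
    derived = [attacker.next_message_key()[1] for _ in range(len(messages) - attacker.step)]
    readable = set()
    for step, blob in transcript:
        for k in derived + [attacker.chain_key]:
            try:
                decrypt(k, blob)
                readable.add(step)
                break
            except ValueError:
                continue

    # The legitimate receiver holds the root and walks the same chain from step 0.
    receiver = SymmetricRatchet(root_key)
    decoded = [decrypt(receiver.next_message_key()[1], blob) for _, blob in transcript]
    return readable, decoded


if __name__ == "__main__":
    readable, _ = breach_window(MESSAGES, compromise_at=2)
    print("attacker can read message indices:", sorted(readable))
```

Running it shows the attacker reading messages 2 through 4 and nothing earlier, which is the "window under detection/remediation" described above. Note what this toy does not give you: because the chain only moves forward by hashing, the thief keeps reading until the chain is re-keyed, which is why Signal-style designs layer a Diffie-Hellman ratchet on top to recover after a compromise.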

bolind
Jun 19, 2005



Pillbug
If I want to dip my feet into RFID card/fob cloning, where do I go? 300EUR for a Proxmark v3 is a little out of my snack bracket.

Crime on a Dime
Nov 28, 2006

bolind posted:

If I want to dip my feet into RFID card/fob cloning, where do I go? 300EUR for a Proxmark v3 is a little out of my snack bracket.

https://dangerousthings.com/product/proxmark3-easy/

bolind
Jun 19, 2005



Pillbug

Or 75 eurobux: https://www.digitalkey.it/en/sensor-readers-rfid/144-proxmark3-v3-easy-512m-kit-nfc-rfid-5-tag-di-test-793596617942.html

Thanks!

wolrah
May 8, 2006
what?
If you're looking for something more portable the Flipper Zero has been coming in stock on their US store intermittently as well. Probably less capable than the Proxmark stuff but the first thing I did when mine arrived the other day was clone the RFID tag for my apartment gym. Definitely more expensive, but it also does other things with short range radio and IR.

App13
Dec 31, 2011

I have had both a Flipper Zero and a proxmark 3 easy. The Flipper Zero is sort of a neat toy but it’s really bad at doing the things it’s advertised as doing. The RFID specifically is incredibly hit or miss.

Unless you are looking at T5577 type stuff exclusively I would save your money on the flipper and just go with a proxmark (which has been able to handle any 125 kHz and NFC stuff I’ve thrown at it)

That said the bad usb and IR stuff is kind of handy to have with the Flipper. I was a kickstart backer and ended up selling mine for $500 when they were in super high demand. I don’t regret that.

Achmed Jones
Oct 16, 2004



Yes, absolutely. The flipper is a toy. The "pentest tool" parts are trying to get people to justify buying the fun nerd toy. It is in no way comparable to proper tools.

If you get a flipper expecting it to be more useful than a proxmark you're gonna be really sad at the end of the day. The fact that something _could_ be used on an engagement does not mean that it _should_ be so used.

I kickstarted it too and while I didn't sell it, hearing people recommend it for...anything professional, really, gets a big "oh come onnnnnnn" response from me.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Achmed Jones posted:

Yes, absolutely. The flipper is a toy. The "pentest tool" parts are trying to get people to justify buying the fun nerd toy. It is in no way comparable to proper tools.

If you get a flipper expecting it to be more useful than a proxmark you're gonna be really sad at the end of the day. The fact that something _could_ be used on an engagement does not mean that it _should_ be so used.

I kickstarted it too and while I didn't sell it, hearing people recommend it for...anything professional, really, gets a big "oh come onnnnnnn" response from me.

Professionally hand it to the new intern and tell him to use it. If he succeeds then he passes, if he fails but knows why he failed, he passes. If he tries, fails and attempts to baffle with bullshit, see if he's good enough at that to go into sales?

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
It's a fun toy to be sure. But yeah a Proxmark will beat its rear end any day.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Methylethylaldehyde posted:

If he tries, fails and attempts to baffle with bullshit, you will be responsible for the lies they've spun to management as they ride off into the sunset with a commission

Defenestrategy
Oct 24, 2010

Whatever happened to SIP/STIR? Wasn't that supposed to kill off scam callers? Am I misremembering something?

BaseballPCHiker
Jan 16, 2006

I think that was the intention, but carrier adoption has been really slow from what I recall and they keep extending the deadline for when it needs to go into effect.


Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


Last week or the week before they bounced a carrier for not complying. I forget the name of the carrier; it was something bland like World Global Communications of Western North Carolina.
