oh yeah better burn a zero day on a senior security engineer, that's way more reasonable than just paying somebody off.

journalists, political dissidents, etc. have different threat models. generic computer touchers are fine though (even relatively high value computer touchers)

# Apr 29, 2023 21:08

# May 30, 2024 17:41

cr0y posted: He def can't figure out certs or something

Hell, I actually had FUN setting up an auto-renewing LetsEncrypt cert for my Ubooquity server through DuckDNS and testing against it with SSLLabs and getting it to show all green

# Apr 29, 2023 21:14

Lmao imagine if you got some sick browser 0day and you blow it on the defcon wifi for laughs, instead of selling it for a couple hundred thou

# Apr 29, 2023 21:18

spankmeister posted: Lmao imagine if you got some sick browser 0day and you blow it on the defcon wifi for laughs, instead of selling it for a couple hundred thou

spankmeister gets it

# Apr 29, 2023 21:21

on the other hand i can definitely imagine a certain subset of people doing that, but they'd do it to make your computer, like, play an mp3 of a eugene debs speech or something so you don't really have to worry about them being malicious lol

# Apr 29, 2023 21:23

No one needs to blow a zeroday since apparently you can just take your laptop out, boot up mana toolkit and people who should know better will connect to "totally legit hotel wifi uwu"

# Apr 29, 2023 22:18

spankmeister posted: Lmao imagine if you got some sick browser 0day and you blow it on the defcon wifi for laughs, instead of selling it for a couple hundred thou

# Apr 29, 2023 22:27

Shumagorath posted: Except for all the debtor PII they have…?

lmao if you think the debt industry does any protections. They literally sell usb sticks of excel back and forth in walmart parking lots.

i've been out of it but is there anything to this amazon account leak?

# Apr 30, 2023 19:14

incoherent posted: lmao if you think the debt industry does any protections. They literally sell usb sticks of excel back and forth in walmart parking lots.

This is further complicated by the reality that a blackhat could have some sort of vulnerability that works better/at all when new authentication sessions are established, and might very well use such a claim to get much broader reach.

More of an issue is that down-thread, the author implies that he's personally responsible for billions of people's security because of some podcasting, but even a quick google seems to indicate that he doesn't host or participate in any form of podcast, and is maybe just involved in hosting them? It's entirely too vague for anyone to be able to tell anything from it, yet it still permits the author to claim some sort of victory lap if someone does discover something, even if there's no actual connection.

BlankSystemDaemon fucked around with this message at 19:56 on Apr 30, 2023

# Apr 30, 2023 19:52

incoherent posted: lmao if you think the debt industry does any protections. They literally sell usb sticks of excel back and forth in walmart parking lots.

seems like a random influencer ginning things up for whatever a mastodon retweet is. have heard nothing outside of that thread. cybersecurity influencers are the worst. like a nightmare combo of bitcoin guy and haughty greybeard.

# Apr 30, 2023 19:57

Famethrowa posted: cybersecurity influencers are the worst.

Didn't even cross my mind those exist but simultaneously not surprised. Thanks for the reality check my dudes.

# Apr 30, 2023 20:33

I paid a little more attention and that guy started complaining about his ex wife so lol

# May 1, 2023 03:01

Famethrowa posted: you can do some wifi/Bluetooth fuckery with an esp32 board. deauth attacks, packet capturing, password cracking.

Can confirm the deauth works great. Was able to knock my phone off of a rental car's wifi and have it sometimes reconnect to a clone, which was connected to the original wifi. I'm not sure it's anything to worry about, I 'cheated' by already knowing the mac/static ssid/password. I think newer cars either exchange a seed or do some sort of pairing and randomize a few chars of the ssid each time.

IMO mine paid for itself just cloning fobs (which the building wanted $125/ea for, gently caress off!) It has everything it needs physically to do libnfc sniffing/mitm, and this was really what I wanted it for... but they still claim to have not done a shred of work on porting it properly. I don't know what's involved, but it seems far outside the scope of the 'minor edits & recompile' work being done to add all sorts of other poo poo to the custom firmwares.

Famethrowa posted: cybersecurity influencers are the worst. like a nightmare combo of bitcoin guy and haughty greybeard.

As someone who had to fix a huge fuckup for MyFordMobile (a winphone developer dumped the keys from the android app and made a 3rd party app that could unlock/start the car once authed properly), I thought it was really funny that he listed them as one of the companies he's done work for to qualify his statements. Either way I'm glad amazon took him seriously enough to get on the phone with him. It does seem like he's 'lost in the sauce' looking at analytics logs or something though. Was already using a yubikey for them so I'm not worried about it. Easy enough to change your password anyways just in case he's not wrong.

New Zealand can eat me fucked around with this message at 05:35 on May 1, 2023

# May 1, 2023 05:32

I can't really gauge his credentials and he seems a little full of himself, but if what he's saying is true, we should be able to read an article in the NYT about it soon

# May 1, 2023 08:36

No one is immune to security defects, but I wouldn't call Amazon "a retail company that pretends it knows security." AWS has been pretty solid on security.

# May 1, 2023 11:07

“I can’t tell you what the problem is, do what I tell you, by the way I advise government agencies and billions of people” is not convincing me you have much

# May 1, 2023 11:59

Thanks Ants posted: “I can’t tell you what the problem is, do what I tell you, by the way I advise government agencies and billions of people” is not convincing me you have much

I've got a fairly extensive infosec network and no one I know has ever heard of him.

The general theory I've heard so far is that he found logs of Echos doing wifi site surveys and shipping the results back to Amazon, which lol if you wouldn't expect that anyway

# May 1, 2023 13:18

Extraordinary claims require extraordinary evidence. Or at least any evidence at all.

# May 1, 2023 17:06

Here's a possibly stupid question: I'm getting a new work computer soon, an M1 Macbook Pro. How would I go about checking it over for preinstalled snoopware?

# May 2, 2023 18:41

armpit_enjoyer posted: Here's a possibly stupid question: I'm getting a new work computer soon, an M1 Macbook Pro. How would I go about checking it over for preinstalled snoopware?

Don't. Just use the thing for work and nothing else. Crowdstrike for example is going to flag your commands for reconnaissance and people are going to see you poking around. Just assume it has snoopware and be done with it.

# May 2, 2023 18:56

Yea. Work data on work devices, personal data on personal devices. And never the two shall meet.

# May 2, 2023 18:57

Sickening posted: Don't. Just use the thing for work and nothing else. Crowdstrike for example is going to flag your commands for reconnaissance and people are going to see you poking around. Just assume it has snoopware and be done with it.

What if it's a dealbreaker for you and you'd be exiting anyway? Not to do personal stuff on it, to be clear, just to avoid ending up at a company where your APM is being monitored.

# May 2, 2023 18:59

Cup Runneth Over posted: What if it's a dealbreaker for you and you'd be exiting anyway?

Then assume it does and exit? What is your threshold for snoopware? What do you believe the boundaries should be?

# May 2, 2023 19:01

Sickening posted: Then assume it does and exit? What is your threshold for snoopware? What do you believe the boundaries should be?

Calling me out on not actually using my laptop for 5 or 6 hours of the day. "Assuming" that a new laptop has this software and exiting an otherwise satisfactory job seems like transparently stupid advice. How would you work at any job if you just left when you got your laptop?

# May 2, 2023 19:08

Cup Runneth Over posted: Calling me out on not actually using my laptop for 5 or 6 hours of the day.

I think the company has a right to track laptop usage. I also think APM monitoring is equal parts useless and toxic. I would also say that knowing if it exists is useless to me as my work patterns are going to stay the same, i am not being hired to be a typist.

Cup Runneth Over posted: "Assuming" that a new laptop has this software and exiting an otherwise satisfactory job seems like transparently stupid advice. How would you work at any job if you just left when you got your laptop?

What is the smart advice then?

# May 2, 2023 19:10

Sickening posted: What is the smart advice then?

I would say generally, the category of advice where you determine an answer to the question and act conditionally based on evidence.

# May 2, 2023 19:24

Cup Runneth Over posted: I would say generally, the category of advice where you determine an answer to the question and act conditionally based on evidence.

If a company is wanting to snoop on your APM, you have no control over this. They are going to. If they choose not to tell you, then they choose not to tell you. Can you launch activity monitor and check yourself? Maybe! If you are thinking about opening the terminal and running your own commands to snoop, you are probably going to get flagged. Like if all you have to go on is a feeling because you are getting a new laptop, it's better to just keep doing what you are doing. That is the best advice. Maybe ask your boss? Also reasonable advice.

What about the laptop being new is meaningful? Would getting a new laptop be the only way they deploy new software to your computer? This seems doubtful. If they are wanting to snoop, they are already.

Sickening fucked around with this message at 19:32 on May 2, 2023

# May 2, 2023 19:29

Sickening posted: If you are thinking about opening the terminal and running your own commands to snoop, you are probably going to get flagged.

Oh no! Not flagged!

# May 2, 2023 19:33

Are you absolutely sure the wifi isn't beaming thoughts into your brain?

# May 2, 2023 19:48

y'all are being weird, sickening is right. just use the computer normally. which means using it only for work stuff. playing junior IT brigade to see what they're up to won't help anyway, because you have no reasonable way of knowing what the hell /usr/local/bin/mdm_rootkit is reporting, how the reports it generates are being used, etc. if somebody starts making noise because you pooped too long or whatever, then you leave because gently caress that. but throwing a fit because you're afraid that 1) mdm software is running 2) it's collecting stupid invasive metrics 3) those metrics are actually being monitored 4) those monitors will be used in a lovely way isn't really a reasonable strategy

# May 2, 2023 19:56

Generally the red line for a lot of people is bossware that activates the webcam & mic. That's a real privacy issue for WFH. IMO what you should do is ask the HR department, via email / in writing, whether the webcam or mic are turned on while you are "at work". They can do that, but they probably can't lie and say they don't if they are. Everything else isn't really your privacy. If they're counting APM and making decisions based on that, then they suck. But they're probably going to suck in many other ways and you'll have reasons to quit or move along regardless. The important part here isn't really the software, it's that they're lovely bosses making lovely decisions. Like, a company might have bossware installed to monitor work machines for actual good reasons, and they're ignoring all the APM bullshit being collected. If you quit that job based on "evidence" of bossware it might be a mistake!

# May 2, 2023 20:00

I am the type who covers my camera. I also think that turning on the microphone is going to cross legal boundaries even in the USA. gently caress around and find out, corporate America, because i got money to burn on that lawsuit and I don't mind a potential free retirement event. Anything else is basically fair game.

# May 2, 2023 20:04

I got out of a meeting this morning because some vp was upset that they were prevented from uploading their personal tax filing to their browser on their work computer. They weren't in trouble for doing it, they were just prevented through DLP and were ANGRY. Being told "a document with sensitive information was correctly detected and prevented from an action" wasn't enough. We are going to brawl over feelings now. HR doesn't take this poo poo off my hands enough.

# May 2, 2023 20:07

Sickening posted: I also think that turning on the microphone is going to cross legal boundaries even in the USA. gently caress around and find out, corporate America, because i got money to burn on that lawsuit and I don't mind a potential free retirement event.

Nope! They may need to put it in the fine print of your employment contract / whatever, but in the USA right now you will lose that lawsuit.

The other red line I just thought of is an employer requiring you to install poo poo on your personal phone, which of course you should tell them to gently caress right off. (Unless you work in the financial industry, because the SEC is starting to go after finance companies for not recording communications via like whatsapp and poo poo. But if you work for wall st and make millions of dollars a year you can just deal. Boo hoo.)

# May 2, 2023 20:12

Sickening posted: I got out of a meeting this morning because some vp was upset that they were prevented from uploading their personal tax filing to their browser on their work computer. They weren't in trouble for doing it, they were just prevented through DLP and were ANGRY.

My life is this, but with every employee wanting to use gdrive because "it's how I want to do things". I work at a bank and it is explicitly stated in our policy that uploading to cloud storage that isn't our OneDrive or ShareFile is not allowed.

# May 2, 2023 20:16

Work stuff on a work laptop. If your job doesn't require you to be actively sending inputs into a computer for 8 hours a day and your manager can't see that, then what are you going to do? Drive yourself insane by pretending?

# May 2, 2023 20:50

It's a work laptop. It's not yours. Don't do anything on it not work related. Assume everything is captured and logged.

# May 2, 2023 21:12

This is why you make friends with IT and just straight up ask whoever is in charge of that stuff if boss just asked for new spyware on the company laptop*

*may not be feasible at giant corps.

# May 2, 2023 22:28

Try to reinstall it immediately. If they won’t let you or add poo poo on then you’re monitored. I always reinstall my poo poo right away because I tell them I don’t want the manufacturer software on it. Since it’s Apple you’ll want to create a new Apple ID with their email address as well.

# May 2, 2023 23:32

Klyith posted: They can do that, but they probably can't lie and say they don't if they are.

I bet most companies can lie about that and even if they end up in an actual no-foolin’ trial they’re not really going to take material damages (“HR wasn’t up to date on our IT security policies, which we keep secret to avoid informing attackers” or some such at the limit). If you don’t trust that your company would tell you the truth about that—and any company that would tell you the truth probably wouldn’t record from your mic in the first place—then you should treat it as a hostile device and leave it in your trunk when you’re not using it.

# May 2, 2023 23:41