Famethrowa posted:
PII is often discussed on these calls and we'd like to know if it is going into some fly-by-night AI transcription company's DB. Many of them store the entire call (video, audio, screenshare) for some vaguely handwaved length of time.

You will never be able to be certain. The other party may have software on their computer listening to everything and sending it to who knows where. Using a bot on the meeting may be rude, but at least it's honest. If you want to prevent this you need to do face-to-face meetings and strip-search everyone to make sure they aren't wearing a wire.

# ? Aug 24, 2023 02:25

The Iron Rose posted:
If you give people the ability to have temporary admin access on demand, then not having local admin is an inconvenience for users with few (not zero) tangible security benefits. Someone determined to install bad software will be able to do so, and anyone who phishes credentials can just lie to your IT team about what they want to install. So you say “okay, we need a video call”, to which I say “have you seen what AI impersonators can do?”. If you’re not remote then an in-person visit is hard to beat, and this calculus changes. But that’s a very expensive policy to implement.

Well, thanks for the detailed and thoughtful response, but I need to make it clear that I'm a desktop guy with literally no control and barely any input on any of that. You are whole worlds deeper into the technical stuff than I am. I only have to deal with the results. Also, probably 80 percent of our users are non-technical people who wouldn't know what Docker is unless it's related to boats, much less know how to run it, but they can sure gently caress some poo poo up by fiddling with random control panels and settings that being admin allows them to touch. What I'm saying is that I'm not so concerned about willful destruction, more so about accidental stupidity. Frankly, if we get hacked, and the world finds out about it, we're sunk. We make the stuff to keep other people from getting compromised. Thankfully, we do actually eat our own dog food, and, for the most part, practice what we preach. The local admin thing just irritates me.

# ? Aug 24, 2023 19:31

Saukkis posted:
If you want to prevent this you need to do face-to-face meetings and strip-search everyone to make sure they aren't wearing a wire.

oh come on, don't pretend that there's no middle ground between "allow everything, do nothing" and "100% bulletproof strip-search compliance." that way lies terrible security engineering.

# ? Aug 24, 2023 19:57

In the realm of ridiculously improbable secrecy practices, I always enjoyed the idea of having people stand in a magnet chamber before stepping into a faraday cage conference room that was sound proofed and passing out through magnet chamber again. Also the "Get Smart" Cone of Silence.

# ? Aug 24, 2023 20:14

Saukkis posted:
You will never be able to be certain. The other party may have software on their computer listening to everything and sending it to who knows where. Using a bot on the meeting may be rude, but at least it's honest.

the first is a fair point, appreciate the grounding. it's just such a wild west of data usage that it's hard to feel ahead of all the ways data could be compromised by bad vendors. the second, well, unfortunately that's just GRC. we kinda have to be this paranoid about governance. we get pressed on all sides: legal, compliance, external auditors etc.

# ? Aug 24, 2023 20:38

Darchangel posted:
Well, thanks for the detailed and thoughtful response, but I need to make it clear that I'm a desktop guy with literally no control and barely any input on any of that. You are whole worlds deeper into the technical stuff than I am. I only have to deal with the results.

This is fair enough and I understand your perspective. I still urge you to implement EDR, conditional access policies, MFA, compromised password detection in your identity provider, role-based access control, automated user on/offboarding, access request approval automation, backups, and so on. Again, if a single compromised laptop - especially for nontechnical and unprivileged users! - causes your company to go out of business, you have bigger problems and blocking local admin will not meaningfully stop that in any way. Local admin removal is a last-mile effort. It should not be the first thing you implement, and if you have temporary admin access requests, the removal is not especially meaningful vis-à-vis improving your security posture.

# ? Aug 24, 2023 21:23

[In extremely Hank Hill voice] Do I look like I know what a Docker is?

# ? Aug 24, 2023 21:44

I am once again trying to de-Google my non-work life, and I'm looking for a good alternative to Drive. I already pay for a Proton business account, so I have up to 500 GB of Proton Drive, but that's pretty small and there isn't currently a way to buy more storage.

# ? Aug 29, 2023 15:39

I have never used it but I’ve heard good things about Backblaze.

# ? Aug 29, 2023 16:24

I'm a former Backblaze customer and liked them. At the time they didn't have a Linux client when I made the switch to that at home, so I dropped them. I use S3 and a script now and it works pretty well for my simple needs.

# ? Aug 29, 2023 17:10

If you don't mind spending the money, a Synology device with a couple of NAS HDDs in it is probably the most privacy-centric method there is, as the data does not leave your house, and you still get Drive-like features. Otherwise, an S3 bucket can be really cheap if it's only for documents and stuff, but that's literally just storage, and it comes down to how much you trust any cloud provider not to OCR or scan your data (I'm sure you could encrypt it before you send it up to S3 to be extra safe.) Ultimately, we all pay to play. Be it in money, time, or privacy.

# ? Aug 29, 2023 17:11

i use dropbox. it gets worse every year but it's still not so bad that i can be bothered switching. if i switched it'd probably be to microsoft's thing

# ? Aug 29, 2023 17:11

MustardFacial posted:
If you don't mind spending the money, a Synology device with a couple of NAS HDDs in it is probably the most privacy-centric method there is, as the data does not leave your house, and you still get Drive-like features. Otherwise, an S3 bucket can be really cheap if it's only for documents and stuff, but that's literally just storage, and it comes down to how much you trust any cloud provider not to OCR or scan your data (I'm sure you could encrypt it before you send it up to S3 to be extra safe.)

I have a Synology NAS but eventually I'd like to migrate to something less subject to enshittification. I haven't upgraded to the DSM 7 OS yet; I don't remember the exact reason for that, but I remember coming to the conclusion that it wasn't worth it. I'll have to cross that bridge eventually. However, what I do like is the ease of use and all the personal cloud features. I also have it running Jellyfin (Plex replacement) in a Docker container, but it can also run VMs and a bunch of other things. It's a neat box. But on topic, for geographic redundancy I have a DigitalOcean Space (also works with S3 buckets) that I pay for to sync a subset of my backups to every night directly from the NAS, and it works well. If you're considering Synology I'd have a look at the roadmap and see if you're alright with the direction they're taking. Might be worth it to just start with FreeNAS or something along those lines.

e: Synology is removing USB support from DSM 7. I think there are workarounds for this, but that was one of the reasons why I avoided it for the time being.

digitalist fucked around with this message at 17:57 on Aug 29, 2023

# ? Aug 29, 2023 17:44

Head Bee Guy posted:
I am once again trying to de-Google my non-work life, and I'm looking for a good alternative to Drive. I already pay for a Proton business account, so I have up to 500 GB of Proton Drive, but that's pretty small and there isn't currently a way to buy more storage.

Have you looked into self-hosting? Either at home or on a dedicated cloud server, and maybe just spin up Nextcloud?

# ? Aug 29, 2023 19:50

Weaponized Autism posted:
Have you looked into self-hosting? Either at home or on a dedicated cloud server, and maybe just spin up Nextcloud?

I’ve definitely considered it, but ~$500 upfront for a NAS is a little hard to swallow at the moment. I do have an old MacBook Pro that I’ve just started dicking around with as a home server. Would I be able to reliably spin up a Nextcloud instance off an external HDD attached to that thing, or would that be painfully slow?

# ? Aug 29, 2023 20:34

Head Bee Guy posted:
I’ve definitely considered it, but ~$500 upfront for a NAS is a little hard to swallow at the moment.

I wouldn't. USB is really unreliable unless you have a way to SATA connect it to your laptop, and I wouldn't want to risk corruption. Even an old gaming computer with the graphics card removed would be better.

# ? Aug 29, 2023 21:06

How is USB storage itself unreliable? Is there something wrong with macOS’s block storage driver that I haven’t encountered yet? There exist lovely USB external drives, just as there are lovely NVMe drives and everything before them (Deathstar nostalgia goes here), but I don’t know why “is attached via USB” would make something less reliable. There are performance limits, but USB 3.2 can go pretty quick if you pick the right parts.

E: On re-read I don’t actually know what it means to “SATA connect” a USB drive, so I’m extra confused.

# ? Aug 29, 2023 21:10

Subjunctive posted:
How is USB storage itself unreliable? Is there something wrong with macOS’s block storage driver that I haven’t encountered yet?

perhaps it's an old bias, but the old wisdom was that USB-attached external drives were often of notoriously poor build quality and would be on long enough to overheat and cause issues. maybe a superstition at this point? and I was unclear, I meant an HDD, not specifically an external.

# ? Aug 29, 2023 21:22

it's old wisdom but relevant in the right circumstances

1. spinning rust is unreliable
2. spinning rust that is being moved around and regularly being powered off is even more unreliable

add to that manufacturers that did custom controllers and/or custom FDE, and you had a real mess when a drive failed

# ? Aug 29, 2023 21:43

But you can buy any drive you like and stick it in a USB enclosure, and have it work just fine. Have people figured out a way to gently caress up making a USB enclosure? My tiny USB/NVMe caddy was like $6 from AliExpress and works great.

# ? Aug 29, 2023 21:46

It really feels strange to me for people to expect huge online storage to both be free and have privacy. De-Googling yourself is just choosing another party to sell your data to at this point. If it's free, you are the product. If paying is out of your price range, then your wants are going to need to change.

# ? Aug 29, 2023 21:53

A lot of external HDDs are white-label NAS drives, FWIW; at least with Western Digital this can be true. The main problem with an external drive vs cloud or NAS is the lack of any RAID redundancy.

# ? Aug 29, 2023 21:54

The main problem with USB is how comparatively easy it is to disconnect a drive in the middle of a write, and how easy it is to have a drive be intermittently disconnected and reconnected in quick succession - with the latter being a big source of issues.

# ? Aug 29, 2023 21:57

Subjunctive posted:
But you can buy any drive you like and stick it in a USB enclosure, and have it work just fine. Have people figured out a way to gently caress up making a USB enclosure? My tiny USB/NVMe caddy was like $6 from AliExpress and works great.

given how often people report getting crappy soldering and suspect builds from AliExpress, I would not trust a regular backup solution using a USB enclosure like that. at least with WD they supposedly have QA processes before attaching the USB to a drive.

# ? Aug 29, 2023 22:01

I can see the soldering on the (tiny, simple) PCB because you have to remove the case to install a drive, and it all looks fine to me! I wouldn’t use it long term because it sticks out in a fragile-feeling way from the port, but a USB bulk storage controller is AFAIK a totally solved piece of the BOM and I’m surprised that people are having trouble with that being broken. The SanDisk Extreme Pro SSDs are an example of how anyone can gently caress stuff up, but I think that’s a problem in their SSD firmware and not the USB-speaking part. I’ve got NVMe attached to my Raspberry Pi 4s via USB 3 (Argon makes a cute little case that connects and everything) and it works great. SMART/thermal monitoring and the whole deal. If it fails I suspect it will not be because of the USB element, and it’s sure handy to be able to image it or transfer stuff off just by plugging the drive into another computer’s USB port. USB is great these days except for the version naming, which is pure rear end in a top hat.

# ? Aug 29, 2023 22:16

Sickening posted:
De-Googling yourself is just choosing another party to sell your data to at this point.

Unless you build it yourself.

# ? Aug 29, 2023 22:47

when people go off of google, they land on paid solutions (fastmail, protonmail) for exactly that reason. i don't think there are too many people leaving google to sign up for the same thing with a different name. it's also very odd to say

Sickening posted:
It really feels strange to me for people to expect huge online storage to both be free and have privacy

when as far as i know, all players in this space are paid products with tiny free intro plans that are not worth mentioning for the purposes under discussion. this includes google.

# ? Aug 30, 2023 16:33

Achmed Jones posted:
when as far as i know, all players in this space are paid products with tiny free intro plans that are not worth mentioning for the purposes under discussion. this includes google.

This is a recent thing though, since you used to be able to abuse Gmail/GDrive for free to store a couple of TB of data, if you went through the right hoops.

# ? Aug 30, 2023 16:38

Subjunctive posted:
This is a recent thing though, since you used to be able to abuse Gmail/GDrive for free to store a couple of TB of data, if you went through the right hoops.

You were doing so at the cost of your own data privacy though, and that's Sickening's point. To expect free cloud storage that isn't going to siphon off all of your data is a fool's errand. When you're not paying for the product, you are the product.

# ? Aug 30, 2023 17:00

The tools I remember for sticking stuff in GDrive had the option to encrypt it, as you would imagine. Wouldn’t you want to encrypt things even if you’re paying for the storage?

# ? Aug 30, 2023 17:04

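The encrypt-before-upload idea comes up twice in this thread (the "encrypt it before you send it up to S3" aside earlier, and the question just above). As an added illustration that is not code from any poster, here is a POSIX sh sketch of that workflow: the backup archive is encrypted locally with openssl (PBKDF2-derived key, random salt), a SHA-256 digest of the plaintext is recorded so a restore can be verified, and the whole round trip is exercised on a constructed sample file. The only assumption is openssl 1.1.1 or newer on PATH; the upload command (UPLOAD_CMD / UPLOAD_DEST) is a hypothetical placeholder that is never run unless the caller sets it.

```shell
# Added example, not from the thread: client-side encryption of a backup before any
# cloud provider sees it. Assumes openssl >= 1.1.1 (for -pbkdf2). The upload step is a
# hypothetical placeholder controlled by UPLOAD_CMD/UPLOAD_DEST and is skipped by default.

PBKDF2_ITER=200000

# encrypt_backup PLAINTEXT PASSFILE OUT
# AES-256-CBC with a random salt; the key comes from the passphrase in PASSFILE via
# PBKDF2 rather than openssl's weak legacy key derivation.
encrypt_backup() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
    -pass file:"$2" -in "$1" -out "$3"
}

# decrypt_backup CIPHERTEXT PASSFILE OUT
decrypt_backup() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
    -pass file:"$2" -in "$1" -out "$3"
}

# sha256_of FILE -> hex digest on stdout. Recorded next to the ciphertext because CBC
# gives confidentiality only; the digest lets a restore be checked end to end.
sha256_of() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# backup_roundtrip: constructed sample -> encrypt -> (optional upload) -> decrypt -> verify.
# Returns 0 on success, 1 on any failure.
backup_roundtrip() {
  work=$(mktemp -d) || return 1
  # constructed sample archive and passphrase; real use would tar a directory here
  printf 'CONSTRUCTED-SAMPLE: tax-2023.pdf contents would be here\n' > "$work/backup.tar"
  printf 'correct horse battery staple\n' > "$work/pass.txt"

  encrypt_backup "$work/backup.tar" "$work/pass.txt" "$work/backup.tar.enc" || return 1
  sha256_of "$work/backup.tar" > "$work/backup.tar.sha256"

  # what leaves the machine must not contain the plaintext marker
  if LC_ALL=C grep -q 'CONSTRUCTED-SAMPLE' "$work/backup.tar.enc"; then
    return 1
  fi

  # hypothetical upload, e.g. UPLOAD_CMD='aws s3 cp' UPLOAD_DEST='s3://bucket/'; off by default
  if [ -n "$UPLOAD_CMD" ]; then
    $UPLOAD_CMD "$work/backup.tar.enc" "$UPLOAD_DEST" || return 1
  fi

  # restore path: decrypt with the same passphrase and compare digests
  decrypt_backup "$work/backup.tar.enc" "$work/pass.txt" "$work/restored.tar" || return 1
  [ "$(sha256_of "$work/restored.tar")" = "$(cat "$work/backup.tar.sha256")" ] || return 1

  rm -rf "$work"
  return 0
}

# run the demonstration when executed directly
backup_roundtrip && echo "backup encrypted, verified and restored OK"
```

Two design notes: the passphrase file and the digest should never ride along to the same storage as the ciphertext, and `openssl enc` has no authenticated mode, which is why the digest check is separate. For anything beyond a sketch, tools built around authenticated encryption such as age, restic or rclone's crypt backend are the better fit.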
There’s a lot of value beyond the actual data itself: how and when it’s used can provide a lot of context, and ultimately value, to companies like Google, who can use it in conjunction with other behavioral data streams to make and sell predictions/ads. I’m sure encryption helps, but the object isn’t necessarily the data itself but the metadata that engaging with it generates.

# ? Aug 30, 2023 17:08

I’m pretty curious about what Google can learn from me sticking encrypted blobs into GDrive once a week or whatever. What about that activity is informative to them? And why wouldn’t any paid cloud storage provider extract those same delicious and powerful signals as well, if only to sell them on to others?

# ? Aug 30, 2023 17:13

A physical NAS or whatever seems like it only addresses half the threats a cloud solution does, though. I'm specifically thinking about fire, but realistically, any compromised computer is gonna have access to the NAS, so it's pretty bad security that way. Basically the main thing you're protecting against is catastrophic hardware failure. Not saying it's bad, it's just a much smaller piece of protection.

# ? Aug 30, 2023 17:18

Subjunctive posted:
I’m pretty curious about what Google can learn from me sticking encrypted blobs into GDrive once a week or whatever. What about that activity is informative to them?

They can tie it to your Google account or other ways to identify you, cross-reference your searches or use of other sites that use Google Analytics or otherwise share analytics with Google, and use that information to sell more targeted ads when it picks up that you are running out of storage space physically, or just bought a bunch more storage space and may be looking for more backup storage, or any other number of things.

E: other companies usually aren’t in the business of selling targeted ads so don’t really track you to that extent

# ? Aug 30, 2023 17:21

Kibner posted:
They can tie it to your Google account or other ways to identify you, cross-reference your searches or use of other sites that use Google Analytics or otherwise share analytics with Google, and use that information to sell more targeted ads when it picks up that you are running out of storage space physically, or just bought a bunch more storage space and may be looking for more backup storage, or any other number of things.

I think this is science fiction, not a material privacy risk for using a fresh Gmail account to store encrypted backups, to be honest. I guess maybe your threat model is different than mine.

E: ISPs don’t sell ads, but they sure do sell traffic data to companies that do (transitively). There’s usually a few hops between the signal collection (like location cues collected from some F2P mobile shitgame) and the person buying the ad targeted at “goes to downtown Toronto for work”. (Being able to target against anything that specific is itself pretty much science fiction, mostly because it’s not a useful signal for enough advertisers that it’s worth collecting or trying to derive.)

Subjunctive fucked around with this message at 17:29 on Aug 30, 2023

# ? Aug 30, 2023 17:26

Yeah, the value comes when it's combined with other behavioral data streams; what/when/how you upload whatever files to Google on its own isn't worth that much. And if you want to expand on this, even more value gets added when you can expand the accumulation of an individual's behavioral data to a community, nation, state, etc. The value is really an emergent property of the totality of information that's being collected. As individuals in the infosec thread we're probably not, as a group, as subject to these dynamics as your average person.

If you want to get lost in the weeds, I've come across a few videos that explain it well. I usually link this one https://www.youtube.com/watch?v=hIXhnWUmMvw but truth be told I'm not a huge fan of the pacing nor her delivery, but the idea is explained well enough. I watched about 10 minutes of this one and it seemed better, but I haven't seen it in its entirety so hopefully it doesn't suck. https://www.youtube.com/watch?v=2s4Y-uZG5zk I did read her book though. Also, I'm not presenting this as gospel, but it's an important idea that more people should probably be familiar with.

e: maybe that vid isn't the best, skip to 16-17 minutes to avoid some/most of the fluff. I should probably just stick to sharing the first one; it's slow as the target audience is your average person, but it is better organized/more methodical.

digitalist fucked around with this message at 18:01 on Aug 30, 2023

# ? Aug 30, 2023 17:38

THESE MOTHERFUCKERS DON’T HAVE A WAF!!

# ? Aug 31, 2023 21:24

Not even a whiff of a WAF?

# ? Aug 31, 2023 21:37

A poor WAF in his underwear (iykyk)

# ? Aug 31, 2023 21:44

some kinda jackal posted:
Not even a whiff of a WAF?

Not even a waft of a whiff of a WAF.

# ? Sep 1, 2023 08:26