Ellipson
Sep 14, 2007

everything's cool

CommieGIR posted:

No matter how many times we try 'Open the meeting with a joke', it never carries well with the executive team.

That really sucks. Our execs have been totally fine with us memeing in our readouts, and we're a pretty big, serious place most of the time. The last one was Shrek themed. I gave a talk on LLM security and how it challenges our fundamental assumptions about security testing and the theme was around LLMs being like a creepy little kid:

Ellipson fucked around with this message at 20:11 on Dec 7, 2023


flakeloaf
Feb 26, 2003

Still better than android clock

eonwe posted:

The study materials I found to be useful were the following:

Sybex Official Study Guide 9th Edition
LearnZapp
CISSP Exam Cram (8 hour video) - https://www.youtube.com/@InsideCloudAndSecurity
Think Like A Manager video - https://www.youtube.com/@GwenBettwyTSI

I read a lot of study plans on r/CISSP and after taking the exam I sort of felt like they're focusing on the wrong things mostly. They were doing very technical deep dives and writing all these bizarre questions, but mostly it felt like the exam was a test of whether you had a basic understanding of all the technologies, understood why you would use one technology as opposed to another technology, and whether you were capable of reading a question and finding the question they are actually asking.
Also understanding that if there are 4 answers on a question all 4 might be right, but one might be more right.

The book is good because it covers everything, LearnZapp is good not because the questions are anything like the ones on the exam but because they'll point out what technologies you don't understand, the 8 hour video is good to have some 'mind map' stuff, and the Gwen Bettwy channel is good for getting into the mindset of how ISC2 actually asks their questions.

Mile wide, inch deep. I really should use that test voucher at some point... if it still even works?

some kinda jackal
Feb 25, 2003

 
 
I effectively communicate with the organization through a series of frinkiac.com memes

Like to the point I've had to catch myself because I was putting something org specific into the meme generator.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
Crossposting from the IT thread.

I have a question about azure multitenant authentication. I’ve got a dev team building a service that runs in an AWS EKS cluster. It fetches an extra ID token (currently via a client ID and secret, soon by submitting a client ID and Cognito token). It then invokes an azure function running in the tenant for each of our customers, which we write and deploy via bicep/arm templates/gallery applications/whatever. The point is that it’s our code executing in their environment. There’s no cross tenant private link.

The azure function accepts any valid entra token, but our application code decodes the submitted JWT and validates the submitted client_id before proceeding further.

This sort of seems insane to me, because we’re effectively turning the client_id into a preshared key. I don’t actually see a way to forge the client id mind you since we’re filtering for validly issued tokens, but something about this still seems wrong. Our security team okayed it but accepting all tokens and using the client_id for validation seems really weird to me imo.

I think a better model would be to use a multitenant ad application to represent our client service running in EKS, have customer specific spns and federated credentials that trust our Cognito identity pool (so we can generate unique client credentials per customer) and then just add the SPN in the client tenant to the client azure function.

Am I barking up the wrong tree here? Is this actually a perfectly safe way of implementing client credential flows? My instincts say no, but I don’t actually see any obvious flaws here.

Rhymenoserous
May 23, 2008

Sickening posted:

Turns out the employee is an extreme privacy nut in their personal life and doesn't have the impulse control to not let it spill over into their working life.

The company is going through an overhaul of security and standardization of software across the board has been underway. This developer has things like Brave browser, Tor, Burp Suite, at least 5 VPN clients, and tons of other "privacy" poo poo installed on their laptop. All of it is getting shitcanned and I can't wait for the next implosion.

We are also noticing the local vm/docker crowd being cute but not properly killswitching their stuff so various breadcrumbs are found. There is enough of it that the CISO is going to make vm's and docker poo poo a pain in the rear end because people can't have nice things.

I’m so confused, is this a “everyone has local admin” shitstorm? Even our devs get our standard locked down laptop, they have environments they can install poo poo on but their laptop is our image and approved software only.

Guy Axlerod
Dec 29, 2008

The Iron Rose posted:

Crossposting from the IT thread.

I have a question about azure multitenant authentication. I’ve got a dev team building a service that runs in an AWS EKS cluster. It fetches an extra ID token (currently via a client ID and secret, soon by submitting a client ID and Cognito token). It then invokes an azure function running in the tenant for each of our customers, which we write and deploy via bicep/arm templates/gallery applications/whatever. The point is that it’s our code executing in their environment. There’s no cross tenant private link.

The azure function accepts any valid entra token, but our application code decodes the submitted JWT and validates the submitted client_id before proceeding further.

This sort of seems insane to me, because we’re effectively turning the client_id into a preshared key. I don’t actually see a way to forge the client id mind you since we’re filtering for validly issued tokens, but something about this still seems wrong. Our security team okayed it but accepting all tokens and using the client_id for validation seems really weird to me imo.

I think a better model would be to use a multitenant ad application to represent our client service running in EKS, have customer specific spns and federated credentials that trust our Cognito identity pool (so we can generate unique client credentials per customer) and then just add the SPN in the client tenant to the client azure function.

Am I barking up the wrong tree here? Is this actually a perfectly safe way of implementing client credential flows? My instincts say no, but I don’t actually see any obvious flaws here.

Where is the jwt coming from? You should be validating the issuer field and signature to make sure it comes from a trusted source.
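
The checks Guy Axlerod is pointing at, as an added worked example (not code from the thread, from Azure, or from any SDK): a toy HS256 issuer key stands in for Entra's RS256 keys and JWKS so it runs offline, and the issuer URL, audience and client IDs are made-up values. What it shows is the thing the thread is circling: a client_id (`azp` in an Entra v2 token, `appid` in v1) is a public identifier, not a secret, so reading it out of a decoded payload proves nothing. It only becomes a meaningful allow-list entry once the signature, issuer, audience and lifetime have been checked, whether that happens in the Function's platform auth layer or in your own code.

```python
# Added example (not from the thread, nor an Azure SDK): the difference between
# "decode the JWT and look at client_id" and verifying the token first.
# Real Entra tokens are RS256 and verified against the tenant's JWKS; to run
# offline, a toy HS256 issuer key stands in for that trust anchor. The issuer
# URL, audience and client IDs are made-up values.
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"toy-issuer-signing-key"                        # stand-in for the issuer's key / JWKS
EXPECTED_ISSUER = "https://login.example.test/tenant-a/v2.0"   # assumed value
EXPECTED_AUDIENCE = "api://customer-function"                  # assumed value
OUR_CLIENT_ID = "11111111-aaaa-4bbb-8ccc-000000000001"         # assumed value: the EKS service's app
ALLOWED_CLIENT_IDS = {OUR_CLIENT_ID}


class TokenRejected(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Toy issuer: whoever holds `key` can mint. Claims themselves are not secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """Reads the claims and trusts nothing: anyone can write a payload containing our client_id."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Signature, issuer, audience and lifetime first; only then the caller allow-list."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenRejected("unexpected alg")        # pin the algorithm; never take it from the token
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise TokenRejected("wrong audience")
    now = time.time() if now is None else now
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise TokenRejected("token not currently valid")
    # Entra v2 tokens carry the calling application's client id in `azp` (v1: `appid`).
    if claims.get("azp") not in ALLOWED_CLIENT_IDS:
        raise TokenRejected("caller not allowed")
    return claims


def check(token: str, now: float) -> str:
    """Outcome of the full verification as a string, for the demo and tests."""
    try:
        verify_token(token, ISSUER_KEY, now)
        return "accepted"
    except TokenRejected as exc:
        return f"rejected: {exc}"


# Constructed sample tokens against a fixed clock.
NOW = 1_700_000_000
GOOD = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
        "nbf": NOW - 60, "exp": NOW + 3600, "azp": OUR_CLIENT_ID}
SAMPLE_TOKENS = {
    "legit": mint_token(GOOD, ISSUER_KEY),
    "forged": mint_token(GOOD, b"attacker-key"),                  # right client_id, wrong signer
    "other_app": mint_token({**GOOD, "azp": "22222222-bbbb-4ccc-8ddd-000000000002"}, ISSUER_KEY),
    "other_audience": mint_token({**GOOD, "aud": "api://some-other-api"}, ISSUER_KEY),
    "expired": mint_token({**GOOD, "exp": NOW - 10}, ISSUER_KEY),
}

if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        naive = decode_unverified(tok).get("azp") in ALLOWED_CLIENT_IDS
        print(f"{name:15} client_id-only check: {'pass' if naive else 'fail'}   full check: {check(tok, NOW)}")
```

The `forged` case is the one that makes the "client_id as preshared key" worry concrete: the decode-only check passes it, because the payload says whatever the attacker wants. The `other_audience` case is the quieter one: a token that is perfectly valid for some other API in the same tenant should not open this function, so "any valid Entra token" is too wide unless `aud` is pinned to the function's own app ID URI. The `alg` pin is there because the token is not the place to learn which algorithm to verify it with.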

Sickening
Jul 16, 2007

Black summer was the best summer.


Count the red flags!

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
It's the best serial number - first out the door!

evil_bunnY
Apr 2, 2003

Sickening posted:



Count the red flags!

oh no

digitalist
Nov 17, 2000

journey into Kirk's unknown


It’ll be worth a lot one day, you’ve got yourself a real collector’s item

Sickening
Jul 16, 2007

Black summer was the best summer.
Let me spoil it for anyone else who hasn't played the game: only the Microsoft driver is normal.

Your drive name shouldn't contain "rom". The serial shouldn't be bogus. Your firmware being AEL ROM is just spitting in your face. The interface being gen 1 means that they went max greed and gave me the oldest hardware possible.

Another counterfeit NVME drive from amazon. At this point I am not buying any solid state drives from amazon.

Thanks Ants
May 21, 2004

#essereFerrari


It's just an SD card glued onto a PCB with some cheap SD to PCI bridge chip, right?

Sickening
Jul 16, 2007

Black summer was the best summer.

Thanks Ants posted:

It's just an SD card glued onto a PCB with some cheap SD to PCI bridge chip, right?

I have already returned it this morning (amazon gives zero shits about you reporting counterfeits) , but it was actually REALLY convincing due to the samsung stickers being able to cover up things. I would have posted a pic of the hardware.

It looks normal, except when you inspect the board and components up close. Its max capacity is about 32gb so most people using it for an OS might take a few weeks to notice.

fluppet
Feb 10, 2009
https://terrapin-attack.com/

Happy Christmas

At least this doesn't look as bad as the log4shell from 2 Christmases ago

DkHelmet
Jul 10, 2001

I pity the foal...


quote:

To perform the Terrapin attack in practice, we require MitM capabilities at the network layer (the attacker must be able to intercept and modify the connection's traffic). Additionally, the connection must be secured by either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC. However, our scan indicates an extensive adoption of these encryption modes; therefore, Terrapin applies to most real-world SSH sessions.

Requiring MitM makes this a lot less severe than "any drat Java app, even behind proxies". Still, worth removing old and weak ciphersuites.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Yeah, extremely less severe versus Log4J where it was "Lol, nice public facing app, oops I'm inside your server executing arbitrary commands"

Potato Salad
Oct 23, 2014

nobody cares


fluppet posted:

https://terrapin-attack.com/

Happy Christmas

At least this doesn't look as bad as the log4shell from 2 Christmases ago

so far as I can tell, there isn't a patch for this yet

the mitigation is pretty straightforward though

edit: I guess this isn't the sort of thing that you would actually have a patch for, unless OpenSSH were to enforce new defaults

Potato Salad fucked around with this message at 16:12 on Dec 20, 2023
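
The "pretty straightforward" mitigation, as an added example that is not code from the thread or from the Terrapin project: the advisory quoted above names two preconditions on the algorithms in use, `chacha20-poly1305@openssh.com` or a CBC cipher paired with an encrypt-then-MAC (`-etm`) MAC, so the config-side fix is to make sure neither can be negotiated. The script audits an sshd_config fragment for those conditions and derives replacement `Ciphers`/`MACs` lines; the config text is constructed for the demo, the fallback cipher list is a policy choice, not an OpenSSH default, and the parser does not follow `Match` blocks or `Include` files (use `sshd -T` output for the effective config on a real host). Since the attack needs both peers to agree on an affected algorithm, removing them on either side is enough, and unlike the protocol-level "strict KEX" countermeasure OpenSSH 9.6 introduced, this works against peers that have not been updated.

```python
# Added example (not from the thread or the Terrapin project): audit an
# sshd_config for the two algorithm families the advisory names and derive
# replacement Ciphers/MACs lines. SAMPLE_SSHD_CONFIG is constructed for the demo.

SAMPLE_SSHD_CONFIG = """\
Port 22
# Algorithm lists as found on an older host (constructed example)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes256-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256
KexAlgorithms curve25519-sha256
"""

CHACHA = "chacha20-poly1305@openssh.com"
LIST_KEYWORDS = {"ciphers", "macs", "kexalgorithms"}
# Policy choice for hosts with no explicit Ciphers line (all real OpenSSH cipher names).
FALLBACK_CIPHERS = ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                    "aes256-ctr", "aes192-ctr", "aes128-ctr"]


def parse_algorithm_lists(config_text: str) -> dict:
    """Return {keyword (lowercase): [algorithm, ...]} for the list-valued directives.

    Comments are stripped. 'Match' blocks and 'Include' files are not followed,
    so feed this the output of `sshd -T` on hosts that use them.
    """
    lists = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in LIST_KEYWORDS:
            lists[parts[0].lower()] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return lists


def terrapin_exposure(config_text: str) -> list:
    """List the configured conditions matching the advisory's preconditions:
    the chacha20-poly1305 cipher, or any CBC cipher alongside an EtM MAC."""
    lists = parse_algorithm_lists(config_text)
    findings = []
    if "ciphers" not in lists:
        # OpenSSH's built-in default cipher list includes chacha20-poly1305.
        findings.append(f"no Ciphers directive; OpenSSH defaults include {CHACHA}")
        return findings
    ciphers = lists["ciphers"]
    macs = lists.get("macs", [])
    if CHACHA in ciphers:
        findings.append(f"cipher {CHACHA} is enabled")
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:
        findings.append(f"CBC ciphers {cbc} can be paired with EtM MACs {etm}")
    return findings


def hardened_directives(config_text: str) -> dict:
    """Drop chacha20-poly1305 and every CBC cipher, keeping the remaining order.

    Removing CBC (rather than the -etm MACs) breaks the CBC+EtM pairing while
    leaving the stronger MAC construction in place for the CTR ciphers.
    """
    lists = parse_algorithm_lists(config_text)
    if "ciphers" not in lists:
        ciphers = list(FALLBACK_CIPHERS)
    else:
        ciphers = [c for c in lists["ciphers"] if c != CHACHA and not c.endswith("-cbc")]
    return {"Ciphers": ciphers, "MACs": lists.get("macs", [])}


def render_directives(directives: dict) -> str:
    """Turn {directive: [algorithms]} back into sshd_config lines."""
    return "\n".join(f"{k} {','.join(v)}" for k, v in directives.items() if v) + "\n"


if __name__ == "__main__":
    for finding in terrapin_exposure(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
    print(render_directives(hardened_directives(SAMPLE_SSHD_CONFIG)), end="")
```

Run it against the fragment and it reports both conditions, then emits a `Ciphers` line with only the GCM and CTR entries left; re-auditing that output comes back clean. Apply the same two lists to client-side `ssh_config` on hosts that talk to servers you do not control.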

Defenestrategy
Oct 24, 2010

Dear infosec thread, as I look back on this year I realize most of my job is to look at solutions and be pissed off that they dont have required controls or follow various compliance rules.

Potato Salad
Oct 23, 2014

nobody cares


Defenestrategy posted:

Dear infosec thread, as I look back on this year I realize most of my job is to look at solutions and be pissed off that they dont have required controls or follow various compliance rules.

don't doxx me

Diva Cupcake
Aug 15, 2005

Oh you don’t support mTLS? How about OAuth2 or SAML? Anything roadmapped? Got it. We’ll be in touch.

Defenestrategy
Oct 24, 2010

Diva Cupcake posted:

Oh you don’t support mTLS? How about OAuth2 or SAML? Anything roadmapped? Got it. We’ll be in touch.

My biggest headache this year has been navigating microsoft licensing and being pissed off that our current set of licensing doesn't include something and that requires an upcharge to PISS3 license or a Buttz1 license

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Defenestrategy posted:

My biggest headache this year has been navigating microsoft licensing and being pissed off that our current set of licensing doesn't include something and that requires an upcharge to PISS3 license or a Buttz1 license

Oh hey we must work at the same place. Our PISS3 license used to be sufficient for everything, but now all new features are being moved up one tier.

BonHair
Apr 28, 2007

It's almost like Microsoft has more or less a monopoly on a lot of stuff and they just keep upping the price, because your alternative is starting from scratch, and that's not going to happen. Also you would still need your PISS3 license to get all your bits to talk together and use your AD.

Arivia
Mar 17, 2011

Defenestrategy posted:

My biggest headache this year has been navigating microsoft licensing and being pissed off that our current set of licensing doesn't include something and that requires an upcharge to PISS3 license or a Buttz1 license

This is why I rearchitected on Linux with GNU Cloaca. Everything is a mess and it all just gets stuck together but there's only one big hole now to worry about.

Potato Salad
Oct 23, 2014

nobody cares


BonHair posted:

It's almost like Microsoft has more or less a monopoly on a lot of stuff and they just keep upping the price, because your alternative is starting from scratch, and that's not going to happen. Also you would still need your PISS3 license to get all your bits to talk together and use your AD.

it's crazy seeing initiatives like "we are exploring turning off NonMucrosoftProduct in order to extract more value from our Microsoft licensing"

well, not crazy. It's just really strong traction I guess

Cannon_Fodder
Jul 17, 2007

"Hey, where did Steve go?"
Design by Kamoc

Arivia posted:

This is why I rearchitected on Linux with GNU Cloaca. Everything is a mess and it all just gets stuck together but there's only one big hole now to worry about.

:golfclap:

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

BonHair posted:

It's almost like Microsoft has more or less a monopoly on a lot of stuff and they just keep upping the price, because your alternative is starting from scratch, and that's not going to happen. Also you would still need your PISS3 license to get all your bits to talk together and use your AD.

Microsoft’s early investment in a GUI LDAP is still paying off today.

Everyone used AD because it was easier to manage than the command line Linux LDAP and we’re all running off the skeletons for those original orgs to this day.

BaseballPCHiker
Jan 16, 2006

Man I feel exhausted from a work debate today.

Someone needs access keys to setup a log forwarder for our Org Cloudtrail logs. I recommended we setup some sort of role based access using IAM roles anywhere (which to be fair I've never used before but it's well documented and probably the way to go moving forward) and short term credentials as an alternative.

I got a whole lot of pissing and moaning in response and how to just let them use access keys. They're pissed enough they're cc'ing my manager and raising a huge fuss about it.

I guess they could, and if they set them up for rotation using secrets manager it wouldn't be the end of the world. But I've done so much work ridding ourselves of as many IAM users with keys as I could and switching to using roles and identity center that I hate to take any steps back.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




CommieGIR posted:

It's the best serial number - first out the door!

Oh serial numbers.

We use an in-house inventory system to track hardware lifecycles. And by "in-house" I mean the mothership in Switzerland hired a consultancy to develop it and now we're their only client. Steady money I guess.

Anyway, lab systems are almost 100% outside of the normal ecosystem (and for good reason). One of the ways I manage them is with a nice huge database full of hardware details. There are lots of good reasons to pull data out of my DB and flow it into ServiceNow, so I was helpful when that was proposed.

The first import caused a minor panic. It turns out that the inventory tool assumes that serial numbers are globally unique. :lol: That's reasonably safe when you only deal with large, established OEMs like Dell and HP. The group I support buys instruments worth six figures that come with PCs to run them. A lot of those are from big companies that get the PCs from Dell or HP.

We also buy instruments from startups who are hand assembling them in a suite in an industrial park. A lot of those also build the PC that's going to run the instrument. That means that my database had 35 systems with a serial number of "To be filled by OEM" and 12 more with "123456789". This required some adaptations on the part of the inventory people.

The quantities are now 12 and 14. We've gained some, which is.... Not My Concern

Magnetic North
Dec 15, 2008

Beware the Forest's Mushrooms
Wasn't sure where else to post this. Anyone know of a trusted modern guide to dealing with being party to a data breach? (Meaning your information is out there, not you worked for a company that had one.) I haven't kept up with this information for the last 12 years or so. I'd typically just Google it, but I'm a little afraid of how far the misinformation machine might have extended, and I'm being relied on to get the information for someone else who was also affected.

JehovahsWetness
Dec 9, 2005

bang that shit retarded
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
Long-term, probably US, operation targeting Kaspersky researchers. Used a bunch of 0-days plus a maybe-intentionally-left-lying-around bug. Good read, plus there's a CCC presentation on it: https://streaming.media.ccc.de/37c3/relive/11859

Starts at ~26m.

Sirotan
Oct 17, 2006

Sirotan is a seal.


Magnetic North posted:

Wasn't sure where else to post this. Anyone know of a trusted modern guide to dealing with being party to a data breach? (Meaning your information is out there, not you worked for a company that had one.) I haven't kept up with this information for the last 12 years or so. I'd typically just Google it, but I'm a little afraid of how far the misinformation machine might have extended, and I'm being relied on to get the information for someone else who was also affected.

I usually refer people here when I get asked this kind of question: https://www.identitytheft.gov/

disaster pastor
May 1, 2007


On a similar note, is there an up-to-date and trustworthy resource about poo poo you could maybe do better to keep your info sec? I know privacytools.io exists but my understanding is they're more focused on pushing affiliate links and crypto than they are on actual security.

BonHair
Apr 28, 2007

disaster pastor posted:

On a similar note, is there an up-to-date and trustworthy resource about poo poo you could maybe do better to keep your info sec? I know privacytools.io exists but my understanding is they're more focused on pushing affiliate links and crypto than they are on actual security.

From what perspective? CIS controls are pretty good as far as I know, as technical stuff you can implement if you want to improve security, but it's more high level than "install this gadget/patch". I'm also a sucker for ISO 27001 because I believe governance should be a low hanging fruit in most organisations.

Blurb3947
Sep 30, 2022

disaster pastor posted:

On a similar note, is there an up-to-date and trustworthy resource about poo poo you could maybe do better to keep your info sec? I know privacytools.io exists but my understanding is they're more focused on pushing affiliate links and crypto than they are on actual security.

I like https://thenewoil.org/, PrivacyGuides (since it's easy to simply avoid affiliate links anyways), IntelTechniques (if you're looking into extreme privacy), and even Kevin Mitnick's book The Art Of Invisibility (once you get over all his dumb quips).

disaster pastor
May 1, 2007


BonHair posted:

From what perspective? Cis controls are pretty good as far as I know, as technical stuff you can implement if you want to improve security, but it's more high level than "install this gadget/patch". I'm also a sucker for ISO 27001 because I believe governance should be a low hanging fruit in most organisations.

Mostly home/personal, sorry for not specifying.

Blurb3947 posted:

I like https://thenewoil.org/, PrivacyGuides (since it's easy to simply avoid affiliate links anyways), IntelTechniques (if you're looking into extreme privacy), and even Kevin Mitnick's book The Art Of Invisibility (once you get over all his dumb quips).

Thanks! I wasn't aware of thenewoil. Interesting to see PrivacyGuides, I didn't think they were recommended? My (admittedly haphazard) understanding was that there was a falling out a couple years ago and privacytools.io was the "trusted" offshoot until they just decided to push crypto and poo poo while PG was just a garbage content farm, but by the time I heard about the drama it was long past and I couldn't have cared less about it anyway, so I may have missed important details.

Blurb3947
Sep 30, 2022

disaster pastor posted:

to see PrivacyGuides, I didn't think they were recommended? My (admittedly haphazard) understanding was that there was a falling out a couple years ago and privacytools.io was the "trusted" offshoot until they just decided to push crypto and poo poo while PG was just a garbage content farm, but by the time I heard about the drama it was long past and I couldn't have cared less about it anyway, so I may have missed important details.

Sorry, I get privacyguides and privacytools mixed up all the time and forget who the good one was.

disaster pastor
May 1, 2007


Blurb3947 posted:

Sorry, I get privacyguides and privacytools mixed up all the time and forget who the good one was.

Not saying you're wrong, I genuinely don't know!

Evis
Feb 28, 2007
Flying Spaghetti Monster

disaster pastor posted:

Mostly home/personal, sorry for not specifying.

Lockdown mode on iOS if you might be targeted by large well resourced groups or intelligence agencies. Use a password manager or a physical notebook of unique random passwords if physical security isn’t an issue. (Don’t use lastpass) Keep everything up to date and wipe/recycle anything that doesn’t get security updates anymore.


hark
May 10, 2023

I'm sleep

Evis posted:

Lockdown mode on iOS if you might be targeted by large well resourced groups or intelligence agencies. Use a password manager or a physical notebook of unique random passwords if physical security isn’t an issue. (Don’t use lastpass) Keep everything up to date and wipe/recycle anything that doesn’t get security updates anymore.

I'm not now and have never been on LastPass, but what's the deal with it? Is it just really insecure or something? I've never seen it mentioned anywhere but here.
