|
I’ve been having a really rough time rolling out phishing resistant MFA in YubiKeys as FIDO2 for Entra ID. About half the people in my test group can’t get prompted to present their FIDO2 key in the Microsoft iOS / iPadOS apps: they just get a “we need more information” screen or something that lets them select on the Microsoft dialog “Use security key” but doesn’t launch the system prompt. Things that work great with FIDO2: Windows logins browser Entra logins (all platforms) iOS and iPadOS Mail.app (System accounts) Things that are hit and miss: iOS and iPadOS Outlook or office apps Things that don’t work at all: macOS Mail.app Not sure if I need to add Conditional Access policies or that would gently caress things up more. It’s like it really wants to use the Microsoft Authenticator Push with numbers if the user has ever set it up, and the policy tells it no, and it mostly can’t figure out what to do and hangs up.
|
#
?
Feb 7, 2024 23:42
|
|
|
|
| # ? May 23, 2024 13:33 |
|
|
MustardFacial posted:Maybe just migrate to another VPN appliance at this point. We already had a new one in testing, but Security said YOLO last week and pushed the new appliance on basically no notice. A couple of things are still broken, but it's been relatively smooth.
|
|
#
?
Feb 8, 2024 00:01
|
|
|
https://fortiguard.fortinet.com/psirt/FG-IR-24-015
|
|
#
?
Feb 9, 2024 02:38
|
|
|
Serious Hardware/Software Crap > The Infosec Thread: may allow a remote unauthenticated attacker to execute arbitrary code
|
|
#
?
Feb 9, 2024 02:43
|
|
|
I know they have their own problems but at least remote access tools like Prisma access or ZPA don’t leave crap like this exposed at the edge
|
|
#
?
Feb 9, 2024 03:34
|
|
|
Very Public Network
|
|
#
?
Feb 9, 2024 04:00
|
|
|
flakeloaf posted:Very Public Network
|
|
#
?
Feb 9, 2024 12:51
|
|
|
flakeloaf posted:Very Public Network 
|
|
#
?
Feb 9, 2024 14:11
|
|
|
rafikki posted:I know they have their own problems but at least remote access tools like Prisma access or ZPA don’t leave crap like this exposed at the edge Isn't Prisma Access basically a cloud VPN anyways?
|
|
#
?
Feb 9, 2024 15:24
|
|
|
Super-NintendoUser posted:Isn't Prisma Access basically a cloud VPN anyways? Yeah, but you’re not exposing a client vpn gateway to the world. Of course, now you’re trusting Palo themselves not to get popped…
|
|
#
?
Feb 9, 2024 15:56
|
|
|
I guess Ivanti is doing a full code review in light of the multiple 0-days, and are uncovering all of the bugs: https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
|
|
#
?
Feb 9, 2024 18:52
|
|
|
This has been my Friday.
|
|
#
?
Feb 9, 2024 19:41
|
|
|
https://twitter.com/FP_Champagne/status/1755691837531078820?s=20 Incredible.
|
|
#
?
Feb 10, 2024 00:57
|
|
|
Ah yes car thieves will be deterred by making their tools illegal
|
|
#
?
Feb 10, 2024 01:09
|
|
|
Fingers crossed they ban portable computers.
|
|
#
?
Feb 10, 2024 01:09
|
|
|
I WISH I could get my flipper to do something useful like be an opener for my garage door or car doors
|
|
#
?
Feb 10, 2024 01:42
|
|
|
Can't stop a sea can full of cars but we have big plans for a device the size of a wallet, and those plans involve making it illegal to have a thing it was already illegal to have in circumstances that make it seem like you're using it to steal cars
|
|
#
?
Feb 10, 2024 01:42
|
|
|
Hed posted:I WISH I could get my flipper to do something useful like be an opener for my garage door or car doors Same. Where are these people who figured out how to make the flipper do anything more comolicated then bad keyboard and cloning keycards?
|
|
#
?
Feb 10, 2024 01:47
|
|
|
MustardFacial posted:I guess Ivanti is doing a full code review in light of the multiple 0-days, and are uncovering all of the bugs: "Really really really really late QA" and then on to beta! 
|
|
#
?
Feb 11, 2024 19:35
|
|
|
Defenestrategy posted:Same. Where are these people who figured out how to make the flipper do anything more comolicated then bad keyboard and cloning keycards? Yeah that's kind of the issue - this ban is toothless. They ban the tools, but you can easily replicate those tools. Its typical politician thought process.
|
|
#
?
Feb 12, 2024 12:46
|
|
|
Looks like my Flipper Zero will gather more dust than it already is. e: Just make it illegal to be subject to radio frequencies duh. You have no idea the amount of sensitive data that is flowing through my body right this second. some kinda jackal fucked around with this message at 13:06 on Feb 12, 2024 |
|
#
?
Feb 12, 2024 12:55
|
|
|
And here I was thinking of grabbing one to replace the extremely janky remote for my apartment building's underground parkade. Still might.
|
|
#
?
Feb 12, 2024 13:09
|
|
|
CommieGIR posted:Yeah that's kind of the issue - this ban is toothless. They ban the tools, but you can easily replicate those tools. I bet they will still be sold on Amazon anyway, with a weird description like all those weird "Oil filters" on aliex or ebay.
|
|
#
?
Feb 12, 2024 13:10
|
|
|
SlowBloke posted:I bet they will still be sold on Amazon anyway, with a weird description like all those weird "Oil filters" on aliex or ebay. "Unique remote and pet ID scanner!"
|
|
#
?
Feb 12, 2024 13:14
|
|
|
https://www.youtube.com/watch?v=p4OGQQPMiXQ
|
|
#
?
Feb 12, 2024 14:09
|
|
|
Buying a drinking bird toy to just mash the "stop breach" button 24/7 Just in case
|
|
#
?
Feb 12, 2024 14:50
|
|
|
SlowBloke posted:I bet they will still be sold on Amazon anyway, with a weird description like all those weird "Oil filters" on aliex or ebay. i searched for oil filters and just got oil filters, what do you mean?
|
|
#
?
Feb 12, 2024 17:32
|
|
|
Achmed Jones posted:i searched for oil filters and just got oil filters, what do you mean? suppressors
|
|
#
?
Feb 12, 2024 17:53
|
|
|
Achmed Jones posted:i searched for oil filters and just got oil filters, what do you mean?  It seems like every year a couple dumbasses get busted for ordering them off AliExpress. https://www.brandonsun.com/local/2023/07/26/absolute-discharge-in-silencer-case
|
|
#
?
Feb 12, 2024 18:02
|
|
|
lol nice  thanks!
|
|
#
?
Feb 12, 2024 20:07
|
|
|
Apologize for the weirdness of this post but this is the best place I could think to ask this question in the new lovely internet. So I’m getting back into information security after decades on the sidelines. I’m looking to start building out some hacking tools and I even did a PoC of some of these ideas oh way back when before covid. My question is when you have common scripting languages in windows, do eval() type functions typically get flagged by heuristic detection in endpoint security? Pretty much every good idea I have revolves around eval but I can’t be the first to see the utility and I the times I’ve had to use such functions in normal well written programs I can probably count on one hand so it might look suspicious.
|
|
#
?
Feb 13, 2024 16:25
|
|
|
Coxswain Balls posted:
You can register those, apparently, so everyone getting in federal trouble over them is doing it over the $200 stamp which, lol.
|
|
#
?
Feb 13, 2024 16:26
|
|
|
evil_bunnY posted:You can register those, apparently, so everyone getting in federal trouble over them is doing it over the $200 stamp which, lol. We're talking specifically about Canada, since that's where the Flipper Zero ban is taking place. Suppressors are prohibited items here.
|
|
#
?
Feb 13, 2024 16:58
|
|
|
Internet Old One posted:Apologize for the weirdness of this post but this is the best place I could think to ask this question in the new lovely internet.
|
|
#
?
Feb 13, 2024 16:59
|
|
|
Coxswain Balls posted:We're talking specifically about Canada, since that's where the Flipper Zero ban is taking place. Suppressors are prohibited items here. 
|
|
#
?
Feb 13, 2024 18:39
|
|
|
evil_bunnY posted:You can register those, apparently, so everyone getting in federal trouble over them is doing it over the $200 stamp which, lol. ha, i can chime in here. it's not about the $200, it's about the "I'm not gonna put my name on a GOVERNMENT LIST! then they'll come to GET MY GUNS and MURDER MY FAMILY RUBY RIDGE WACO AND SO ON" which is to say - it's even _dumber_ than if it were about $200. it's just childish NO I DONT WANNA
|
|
#
?
Feb 13, 2024 18:50
|
|
|
I just looked it up and the NFA is from 1934. Back in the 30's $200 was LOT of money, it was designed to be prohibitively expensive. The number was never indexed against inflation. Nowadays most gun people spend heaps on their hobby and $200 is nbd.
|
|
#
?
Feb 13, 2024 19:23
|
|
|
Achmed Jones posted:ha, i can chime in here. it's not about the $200, it's about the "I'm not gonna put my name on a GOVERNMENT LIST! then they'll come to GET MY GUNS and MURDER MY FAMILY RUBY RIDGE WACO AND SO ON" I don't actually know how deep the freedom to own murder weapons runs, but I can also imagine a few people who get denied in their request to get a suppressor on account of they're not allowed guns at all, so they bought all their guns privately without receipts. Edit: other fun Amazon products are novelty bottle openers that just so happen to fit into seatbelt buckles. Which, aside from the dumb impulse to drive without a seatbelt is fantastic because of the beer association. Also reviews of fish antibiotics that were definitely used on people. BonHair fucked around with this message at 19:41 on Feb 13, 2024 |
|
#
?
Feb 13, 2024 19:36
|
|
|
Achmed Jones posted:ha, i can chime in here. it's not about the $200, it's about the "I'm not gonna put my name on a GOVERNMENT LIST! then they'll come to GET MY GUNS and MURDER MY FAMILY RUBY RIDGE WACO AND SO ON" They do have to be fingerprinted and are subject to a waiting list, which has been "behind" for curiously long periods of time before. There's a host of other restrictions too, like letting the chief law enforcement officer know. I can see why vulnerable folks would prefer not to rouse cop attention. It's not like it's pay the $200 and go.
|
|
#
?
Feb 13, 2024 20:47
|
|
|
|
| # ? May 23, 2024 13:33 |
|
|
Authy is ending support for their desktop app next month, March 19. Is there a good alternative that similarly uses the same account across both mobile and desktop? I don't want to drag my phone out every time I have to log in to a place.
|
|
#
?
Feb 13, 2024 21:19
|
|
