Sickening
Jul 16, 2007

Black summer was the best summer.

MustardFacial posted:

I don't think anybody is advocating for being a BOFH, and one of the main goals of an effective cyber team should be to work with other teams to find equitable solutions and not just throw mandates over the wall and tell them to figure it out. However, both teams have to be equally invested. If cyber has gone through the effort of approving multiple terminal apps for people to choose from and they're still going "But that's not my favourite one though!" Then that's on them to get in a huff about. Resources aren't endless, there has to be flexibility from both sides.

:hmmyes:

There is a point that entitlement has gone too far. A point where the culture can't change without massive purges.


corgski
Feb 6, 2007

Silly goose, you're here forever.

MustardFacial posted:

I don't think anybody is advocating for being a BOFH, and one of the main goals of an effective cyber team should be to work with other teams to find equitable solutions and not just throw mandates over the wall and tell them to figure it out. However, both teams have to be equally invested. If cyber has gone through the effort of approving multiple terminal apps for people to choose from and they're still going "But that's not my favourite one though!" Then that's on them to get in a huff about. Resources aren't endless, there has to be flexibility from both sides.

I think we're talking past each other here, I agree entirely that both sides have to give with the caveat that if this terminal app has a feature that's a valuable part of their workflow then it's worth working with them on a solution. People don't typically get to the point of tears over trivial differences, and working with them to figure out how to adapt their workflow is gonna yield a better result.

(Ignore all of this if they just really like retro CRT shaders or something like that)

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

corgski posted:

I think we're talking past each other here, I agree entirely that both sides have to give with the caveat that if this terminal app has a feature that's a valuable part of their workflow then it's worth working with them on a solution. People don't typically get to the point of tears over trivial differences, and working with them to figure out how to adapt their workflow is gonna yield a better result.

(Ignore all of this if they just really like retro CRT shaders or something like that)

I am always willing to have a conversation with someone about whatever new gadget they want to implement. But they have to be willing to prove to me what this new gadget does that the other 6 almost identical approved gadgets don't. If their request doesn't meet that low water mark then it's going to be denied for reasons x, y, and z and I will recommend them an approved gadget that I think would be the closest to what they are looking for. With the understanding that yes it may not meet every single requirement, but 90% ain't bad. If they continue to insist that the gadget be approved and do not consider reasons x, y, or z, or any of the recommended options then that person will get a business friendly "Eat my goddamn poo poo."

If they can prove that this new gadget offers value in a new way that none of the other gadgets do, then by all means we can look into it further. With the understanding that it may fail our security review at any time.

MustardFacial fucked around with this message at 01:14 on Feb 16, 2024

kensei
Dec 27, 2007

He has come home, where he belongs. The Ancient Mariner returns to lead his first team to glory, forever and ever. Amen!


I admit as a manager I’ve gotten a mildly perverse thrill from denying stupid requests for those users who don’t like the approved product that the business is already heavily invested in.

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!

I had to call my brokerage, Fidelity, today and the robot on the phone asked me to "enter your password, if you need to use letters use the letters on the keypad".

How are they able to compute that me typing in 4868372 for my password is the same thing as Hunter2 without saving Hunter2 in plaintext? Please tell me there's a totally secure way to do this.

flakeloaf
Feb 26, 2003

Still better than android clock

There isn't. A Canadian bank, I want to say RBC, caught hell for that same thing like a decade ago.

E: okay there is: in theory they could hash all 16000 variations of that sequence and check them all against your password hash, but they almost definitely are not doing this

flakeloaf fucked around with this message at 22:18 on Feb 16, 2024

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

When you set your password, they compute the number sequence it would become, and store a hash of that?

Basically the same way you can make passwords case-insensitive or whatever.

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!

flakeloaf posted:

There isn't. A canadian bank, I want to say RBC, caught hell for that same thing like a decade ago.

No, please, I refuse to believe. I just looked it up and Fidelity is managing $12.6 trillion dollars ($12,600,000,000,000) in assets.

Thanks Ants
May 21, 2004

#essereFerrari


Subjunctive posted:

When you set your password, they compute the number sequence it would become, and store a hash of that?

Basically the same way you can make passwords case-insensitive or whatever.

I'll be amazed if it's hashed

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Thanks Ants posted:

I'll be amazed if it's hashed

yeah I dunno who actually audits that stuff, but it was certainly hashed at FB where we did multiple password variations, so it’s entirely possible if someone wanted to spend 15 minutes writing and testing the code

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!

why are there "multiple password variations"

Thanks Ants
May 21, 2004

#essereFerrari


They might have intended to hash it but their janky IVR setup was probably "well it can take an entry and compare it with a database field, is that enough?" and so it never happened

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Boris Galerkin posted:

why are there "multiple password variations"

so that people can log in with capslock set, or with their phone autocapitalizing the first letter, rather than having to do a password reset and never finishing it (or just abandoning that account and creating a new one, which was quite common in some demographics)

the attacking IP and account are going to get blocked long before a brute force online attack gets anywhere, and it’s a pretty small shrinking of the search space anyway

there are some articles out there with the math, and Alec Muffett (who else?) did a talk about the FB password infrastructure that’s on video somewhere

Defenestrategy
Oct 24, 2010

Boris Galerkin posted:

why are there "multiple password variations"

Because hunter2 using a dialpad could be 7^3 different passwords, not actually hunter2.

Don't check my math, I did poorly in combinatorics.

flakeloaf
Feb 26, 2003

Still better than android clock

I got it wrong too - there are 4 letters on 7 - so it'd be 4^6 * 5 = 20480
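Both ways of checking a keypad-entered password that came up in the thread, written out as an added example (this is not code from any of the posters, from Fidelity or from Facebook). Approach A is Subjunctive's: hash the keypad form of the password at set time and compare one hash at login. Approach B is flakeloaf's: keep only the normal password hash and try every spelling the digit string could stand for. The same expand-at-login idea also covers the caps-lock and auto-capitalisation variants Subjunctive described at FB, so a small `typo_variants` helper sits alongside. Assumptions: a standard ITU E.161 keypad layout, PBKDF2-HMAC-SHA256 standing in for whatever slow hash the real site uses, and a per-user record layout that is mine.

```python
import hashlib
import hmac
import itertools
import os
from math import prod

# Letter layout of a standard (ITU E.161) telephone keypad. Assumption: the
# IVR in the thread uses this layout; 0 and 1 carry no letters.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}


def to_keypad(password: str) -> str:
    """Digit string a caller would key in for this password (case is lost)."""
    digits = []
    for ch in password:
        if ch.isdigit():
            digits.append(ch)
        elif ch.upper() in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch.upper()])
        else:
            raise ValueError(f"no keypad key for {ch!r}")
    return "".join(digits)


def slow_hash(secret: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever password hash the site really uses.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


# Approach A (derive at enrolment): when the password is set, also hash its
# keypad form. The IVR check is then a single hash comparison, and no
# plaintext is ever stored.
def enrol(password: str, iterations: int = 600_000) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "pw_hash": slow_hash(password, salt, iterations),
        "keypad_hash": slow_hash(to_keypad(password), salt, iterations),
    }


def verify_ivr(record: dict, digits: str) -> bool:
    candidate = slow_hash(digits, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["keypad_hash"])


# Approach B (expand at login): only the normal password hash exists, so
# every spelling of the digit string is hashed and compared. Each digit can
# stand for itself or for any of its letters, in either case.
def expansions(digits: str, case_sensitive: bool = True):
    choices = []
    for d in digits:
        letters = KEYPAD.get(d, "")
        if case_sensitive:
            letters += letters.lower()
        choices.append(d + letters)
    return ("".join(p) for p in itertools.product(*choices))


def count_expansions(digits: str, case_sensitive: bool = True) -> int:
    per_letter = 2 if case_sensitive else 1
    return prod(1 + per_letter * len(KEYPAD.get(d, "")) for d in digits)


def verify_by_expansion(record: dict, digits: str) -> bool:
    for guess in expansions(digits):
        candidate = slow_hash(guess, record["salt"], record["iterations"])
        if hmac.compare_digest(candidate, record["pw_hash"]):
            return True
    return False


# The same expand-at-login idea with a tiny candidate set: as typed, with
# caps lock on (case swapped), and with a phone's auto-capitalised first
# letter undone.
def typo_variants(typed: str) -> list[str]:
    variants = [typed, typed.swapcase()]
    if typed[:1].isupper():
        variants.append(typed[0].lower() + typed[1:])
    return list(dict.fromkeys(variants))  # dedupe, keep order


if __name__ == "__main__":
    digits = to_keypad("Hunter2")  # "4868372"
    record = enrol("Hunter2")
    print(digits, verify_ivr(record, digits), verify_ivr(record, "4868371"))
    # 20480 is the thread's letters-only count; the second number is what
    # approach B really has to hash per login attempt once case is included.
    print(count_expansions(digits, case_sensitive=False), count_expansions(digits))
```

Two things worth noticing. Approach A keeps the plaintext out of the database, but `keypad_hash` is a hash over a 7-digit space: an attacker holding the table needs at most ten million guesses per user whatever the hash cost, and salting does nothing against a space that small, so the keypad hash leaks the digit form and, from that, the 20480 case-insensitive spellings. Approach B keeps the strong hash intact but has to run over a million slow hashes per login attempt for a seven-character password once case is included, which is why nobody deploys it and why the cheap variant set in `typo_variants` is the version that actually ships.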

spankmeister
Jun 15, 2008

I wonder if anyone ever went to the trouble to make the hashcat rules for this. Like, crack the number sequence first, then create a mask based on the known letters (or number) for each position.

Mustache Ride
Sep 11, 2001



Yeah but then you’d have to hack it over the phone and no one has ever done any advanced hacking via telephony tech.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

DTMF brute forcing sounds like hell. just the constant beeping, infecting your dreams

flakeloaf
Feb 26, 2003

Still better than android clock

There are far nobler uses for that tech

The Fool
Oct 16, 2003


i'll just whistle to enter my password

more falafel please
Feb 26, 2005

forums poster

The Fool posted:

i'll just whistle to enter my password

oh hey joybubbles

Rescue Toaster
Mar 13, 2003
Entering your password on a phone keypad is silly. You could just type it on any convenient nearby keyboard and they could use machine learning on the sound of the key presses to determine what keys you were hitting.

https://arstechnica.com/gadgets/2023/08/type-softly-researchers-can-guess-keystrokes-by-sound-with-93-accuracy/

Potato Salad
Oct 23, 2014

nobody cares

Dipshit: okay so why are cars being stolen

Auto manufacturers: well it's not us

Hyundai: *sweats silently*

Kia: *frozen in place*

Auto manufacturers: it's the kids

Dipshit: ah okay yeah it's gotta be the kids

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

I ordered my Flipper the day that the government first talked about the ban, and it arrived unhindered. That reseller is “out of stock” now, though.

Looking forward to surrendering it in an amnesty programme for twice what I paid, and then ordering a variant one from abroad with the profits.

flakeloaf
Feb 26, 2003

Still better than android clock

the honourable minister of innovation, everyone

Shumagorath
Jun 6, 2001
managing to get correctly community-noted on xitter should vacate his seat and trigger a by-election

Head Bee Guy
Jun 12, 2011

Retarded for Busting
Grimey Drawer
1password mfa doesn’t work for my credit union :(

SlowBloke
Aug 14, 2017

Head Bee Guy posted:

1password mfa doesn’t work for my credit union :(

No bank in Europe will allow third party mfa due to PSD3 restrictions if it makes you feel any better.

Badly Jester
Apr 9, 2010


Bitches!
People itt seem to be pretty big on 1Password. Is it really that much better than Bitwarden? Asking because for personal use Bitwarden is about a third of what 1Password is asking, and I'm kind of assuming that Bitwarden is secure enough, so it has to be about missing major features or general UX.

flakeloaf
Feb 26, 2003

Still better than android clock

Bitwarden the product may be fine.

Bitwarden the company is wearing goat horns for having left open a known vulnerability with autofill (already a dodgy feature) for four years
https://www.itpro.com/security/cyber-security/370288/bitwarden-to-release-fix-for-four-year-old-vulnerability

Badly Jester
Apr 9, 2010


Bitches!
Thanks for the link. Indeed seems like a pretty big oof for a company whose main service is securing your passwords.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Yeah, I don’t trust autofill on anything, really.

The Fool
Oct 16, 2003


Pretty much every password manager has been bitten by autofill and/or browser extension issues, but 4 years is a big oof.

The Fool
Oct 16, 2003


Badly Jester posted:

People itt seem to be pretty big on 1Password. Is it really that much better than Bitwarden? Asking because for personal use Bitwarden is about the third of what 1Password is asking, and I'm kind of assuming that if Bitwarden is secure enough, so it has to be about missing major features or general UX.

My rule of thumb has been if you want to self host, use bitwarden, if you want to not worry about it 1password.



Or apple keychain if you happen to only own apple products.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

flakeloaf posted:

Bitwarden the product may be fine.

Bitwarden the company is wearing goat horns for having left open a known vulnerability with autofill (already a dodgy feature) for four years
https://www.itpro.com/security/cyber-security/370288/bitwarden-to-release-fix-for-four-year-old-vulnerability

They left it in for compatibility but the feature was turned off by default. Also when you turned it back on, it gave you a warning that the feature was dangerous. Which is not the same as fixing the feature to begin with granted, but they're not on the level of LastPass, or Secret Server, or any of those sketchy ones that come with a VPN service.

Rescue Toaster
Mar 13, 2003
I'm dealing with a lovely device that has ancient HTTPS and modern firefox is officially reporting "gently caress You" when connecting to it.

An old Firefox 88 says the device uses TLS 1.0, TLS_RSA_WITH_3DES_EDE_CBC_SHA 112Bit. Which, yeah... But old firefox could connect with the about:config tls deprecated setting on. The cert is RSA 1024.
Modern Firefox version 100+ refuses outright regardless of settings; I'm assuming everything has been compiled out. openssl won't even handshake enough to report literally anything, even with the -security_debug_verbose switch.

The device's management interface is already on a VLAN, but even then I question going to http. Or maybe these algorithms are so absolutely pathetic these days that it's effectively no effort compared to http.

Is there some setting in modern firefox or chromium I'm missing? Building my own version of something? A VM with an old version of firefox that only connects to that VLAN and never gets updated forever?

Shumagorath
Jun 6, 2001
What the gently caress even is that thing? Please don’t say it lives in a power plant.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

just use HTTP if this is at home. if it’s at work tell your boss it broke and the vendor needs to fix it

Wiggly Wayne DDS
Sep 11, 2010



throw a reverse proxy in front of it don't break any possible device trying to connect one-by-one until it maybe works


Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer

Badly Jester posted:

People itt seem to be pretty big on 1Password. Is it really that much better than Bitwarden? Asking because for personal use Bitwarden is about the third of what 1Password is asking, and I'm kind of assuming that if Bitwarden is secure enough, so it has to be about missing major features or general UX.

I have 1Password on my work laptop, and this may just be it comboing badly with all the other various security apps they have installed, but I get a lot of problems with 1P asking me to log in repeatedly or getting confused about what sites it does and doesn't have logins for; sometimes I can click the icon and it will fill it in, sometimes the icon does nothing. Meanwhile I've had 0 issues with Bitwarden detecting/filling in stuff on my personal devices.

Rescue Toaster posted:

I'm dealing with a lovely device that has ancient HTTPS and modern firefox is officially reporting "gently caress You" when connecting to it.

An old Firefox 88 says the device uses TLS 1.0, TLS_RSA_WITH_3DES_EDE_CBC_SHA 112Bit. Which, yeah... But old firefox could connect with the about:config tls deprecated setting on. The cert is RSA 1024.

Got a support ticket today from a customer getting a connection error between one of our products and an AD server. Pretty sure the cause was them upgrading our product to a version that deprecated several ciphers in TLS1.2, while their AD lives on an old Server 2008 machine :doh:
