I mean I want one in the sense that it's a thing that I don't already own, which exists on planet earth, and could keep me entertained for five minutes. But I also have a hundred other hardware interface gadgets that I already don't use so there's no reason I should own this even if it weren't $400
|
# ? Jun 13, 2023 17:28 |
|
CLAM DOWN posted:I want one of these but they're like $400 CAD which is hard to justify. Yeah they're pretty rough in price up here. I managed to turn mine into a pineapple though (among other things), so hey 2-for-1 toys aren't a bad deal.
|
# ? Jun 13, 2023 17:28 |
|
ChubbyThePhat posted:Yeah they're pretty rough in price up here. I managed to turn mine into a pineapple though (among other things), so hey 2-for-1 toys aren't a bad deal. I think they're pretty neat and fun to do projects with, but definitely for the kinds of people who have a decent amount of disposable income for gadgets rather than a must have part of a physical pentest tool kit. I did a few basic projects and now it collects dust on my desk, because I don't get to fun projects these days.
|
# ? Jun 13, 2023 17:38 |
|
some kinda jackal posted:There are infosec influencers? oh man, it's so bad out there. they lean on the anonymous branding so hard.
|
# ? Jun 13, 2023 17:50 |
|
CLAM DOWN posted:I want one of these but they're like $400 CAD which is hard to justify. Good lord. Is that from import/border fees? They're $200 with a nice little case in the US.
|
# ? Jun 13, 2023 18:53 |
|
Wizard of the Deep posted:Good lord. Is that from import/border fees? They're $200 with a nice little case in the US. it's always:
- currency conversion (dollar is not great right now)
- shipping
- duty
and it's often all 3!
|
# ? Jun 13, 2023 19:00 |
|
For fucks sake please, everyone, have a working public security contact for your company. You don't have to run a hackerone vrp and I know "you website has critical security problem" beg-bounty emails sucks but _please_ just have security@mydumbcompany.com work and check it every couple of days. I've been trying to make contact with like 10-15 companies with "yo I got at least roles/editor in your project" messages and it's all bounces. Bunch of fintech, PII, health provider apps and now I need to decide which of these are important / hosed enough that I have to hunt down sec contacts from LinkedIn or from internal data to drop notes from the sky. If you made a product to handle money, sensitive, or PII data then be responsible and take it seriously. Fuuuuuck.
|
# ? Jun 14, 2023 01:38 |
|
JehovahsWetness posted:For fucks sake please, everyone, have a working public security contact for your company. You don't have to run a hackerone vrp and I know "you website has critical security problem" beg-bounty emails sucks but _please_ just have security@mydumbcompany.com work and check it every couple of days. I pushed for security.txt implementation at all my clients when I was in consulting, most said it wasn’t worth the time. Orgs can’t be bothered to even monitor a simple inbox.
|
# ? Jun 14, 2023 02:35 |
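A worked check for the security.txt point raised above, added here as an example and not posted by anyone in the thread. It assumes Go and the RFC 9116 field rules (Contact and Expires required, Contact as a mailto:/tel:/https: URI, Expires as an RFC 3339 timestamp in the future); the two sample files are constructed for the example and example.com is a placeholder, not a real company's file:

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample: a minimal, valid security.txt. Not a real company's file.
const goodSecurityTxt = `# Served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2023-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
`

// Constructed sample with the mistakes seen most often: a bare address instead
// of a mailto: URI, an http:// policy link, and no Expires line at all.
const badSecurityTxt = `Contact: security@example.com
Policy: http://example.com/policy
`

// hasAllowedScheme reports whether a Contact value uses a URI scheme RFC 9116
// expects (web contacts must be https).
func hasAllowedScheme(v string) bool {
	for _, p := range []string{"mailto:", "tel:", "https://"} {
		if strings.HasPrefix(v, p) {
			return true
		}
	}
	return false
}

// validateSecurityTxt checks a security.txt body against the RFC 9116 rules that
// matter in practice and returns human-readable problems (empty means OK).
// now is a parameter so the Expires check is deterministic.
func validateSecurityTxt(body string, now time.Time) []string {
	var problems []string
	counts := map[string]int{}
	for n, raw := range strings.Split(body, "\n") {
		line := strings.TrimRight(raw, "\r")
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and comments are allowed anywhere
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			problems = append(problems, fmt.Sprintf("line %d: not a 'Field: value' line", n+1))
			continue
		}
		name = strings.ToLower(strings.TrimSpace(name)) // field names are case-insensitive
		value = strings.TrimSpace(value)
		counts[name]++
		switch name {
		case "contact":
			if !hasAllowedScheme(value) {
				problems = append(problems, fmt.Sprintf("line %d: Contact must be a mailto:, tel: or https:// URI, got %q", n+1, value))
			}
		case "expires":
			t, err := time.Parse(time.RFC3339, value)
			switch {
			case err != nil:
				problems = append(problems, fmt.Sprintf("line %d: Expires is not an RFC 3339 timestamp", n+1))
			case !t.After(now):
				problems = append(problems, fmt.Sprintf("line %d: Expires is in the past, the file is stale", n+1))
			case t.After(now.AddDate(1, 0, 0)):
				problems = append(problems, fmt.Sprintf("line %d: Expires is more than a year out (RFC 9116 recommends less)", n+1))
			}
		// Encryption is left out of the https check: it may also be a dns: or openpgp4fpr: URI.
		case "canonical", "policy", "acknowledgments", "hiring", "csaf":
			if !strings.HasPrefix(value, "https://") {
				problems = append(problems, fmt.Sprintf("line %d: %s must be an https:// URL", n+1, name))
			}
		}
	}
	if counts["contact"] == 0 {
		problems = append(problems, "missing required Contact field")
	}
	if counts["expires"] == 0 {
		problems = append(problems, "missing required Expires field")
	} else if counts["expires"] > 1 {
		problems = append(problems, "Expires must appear exactly once")
	}
	if counts["preferred-languages"] > 1 {
		problems = append(problems, "Preferred-Languages must appear at most once")
	}
	return problems
}

func main() {
	now := time.Date(2023, 6, 14, 0, 0, 0, 0, time.UTC)
	for _, sample := range []struct{ label, body string }{{"good", goodSecurityTxt}, {"bad", badSecurityTxt}} {
		problems := validateSecurityTxt(sample.body, now)
		fmt.Printf("%s: %d problem(s)\n", sample.label, len(problems))
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```

The Expires check is the one that bites in practice: a file that passed review when it was written silently becomes invalid a year later, which is the same "nobody checks the inbox" failure in a different form. The validator does not verify an OpenPGP signature on the file; the RFC allows one, and a publisher who wants reporters to trust the Contact line should add it.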
|
For fucks sake people, please stop using ipsec and move to wireguard
|
# ? Jun 14, 2023 03:13 |
|
jaegerx posted:For fucks sake people, please stop using ipsec and move to wireguard Good luck with that. IPsec vpn isn't going anywhere for a while. Though wireguard rocks.
|
# ? Jun 14, 2023 03:54 |
|
JehovahsWetness posted:For fucks sake please, everyone, have a working public security contact for your company. You don't have to run a hackerone vrp and I know "you website has critical security problem" beg-bounty emails sucks but _please_ just have security@mydumbcompany.com work and check it every couple of days. If they listened to random strangers reporting security problems, they wouldn't only have a lot more work to do, but they'd have to admit that they hosed things up in the first place.
|
# ? Jun 14, 2023 04:06 |
|
CommieGIR posted:Good luck with that. IPsec vpn isn't going anywhere for a while. Arent most opensource vpn solutions just front ends for wireguard?
|
# ? Jun 14, 2023 04:12 |
|
Defenestrategy posted:Arent most opensource vpn solutions just front ends for wireguard? Tailscale sure is, though I don't think it counts as a VPN in the traditional sense.

Unrelated, I upped my KDF iterations in BitWarden since they've recently upped their default recommendation from 100k to 600k. I went down a little bit of a rabbit hole comparing PBKDF2 vs Argon2id encryption options. Based on my scholarly research browsing r/bitwarden it sounds like Argon is slower/less supported, but does a lot better at protecting shorter passphrases, but after a certain point in passphrase strength the benefits become irrelevant. Like sure, taking 100,000 years to break my password is better than only taking 10,000, but either way works for me. Omni claims my passphrase has over 200 bits of entropy already, so I feel OK about just bumping my iterations up above 1 million and leaving everything else as is.
|
# ? Jun 14, 2023 04:36 |
jaegerx posted:For fucks sake people, please stop using ipsec and move to wireguard Until I can hand someone a profile and not have to guide+provide support for setting up WireGuard, I'm sticking with IPsec. I assume Microsoft and Apple will implement it eventually, and then I'll switch.

Takes No Damage posted:Tailscale sure is, though I don't think it counts as a VPN in the traditional sense. PBKDF2 is just everywhere because it's part of PKCS#5. If you absolutely need to conform to PKCS#5 or you are in a memory-constrained environment, you can take the geli -i approach and have the number of iterations decided by the speed of the CPU.
|
# ? Jun 14, 2023 08:57 |
|
BlankSystemDaemon posted:Counterpoint: no. That’s exactly what Tailscale does for you. If they can log into their email provider, they can get on your tailnet under your control.
|
# ? Jun 14, 2023 12:54 |
|
Remember that cloudfluencer guy who kept insinuating that Amazon has been compromised in a big way? Apparently after weeks of stalling, the story is now out: https://practical-tech.com/2023/06/13/how-an-amazon-fire-kids-tablet-was-allegedly-used-to-stalk-a-security-pro/ Looks like under the right circumstances someone who has physical access to an Alexa-enabled device (formerly) tied to your account can use it to gain access to your Amazon activity, even if you have deregistered the device. Notably, this includes listening in on recordings. Sounds like a hot mess, but hardly the widespread and major issue cloutguy promised.
|
# ? Jun 14, 2023 13:13 |
Subjunctive posted:That’s exactly what Tailscale does for you. If they can log into their email provider, they can get on your tailnet under your control. With IPsec, I can send them a file, they double-click it, and I have to put in as little thought as they do.
|
# ? Jun 14, 2023 13:14 |
|
Badly Jester posted:Remember that cloudfluencer guy who kept insinuating that Amazon has been compromised in a big way? Apparently after weeks of stalling, the story is now out: https://practical-tech.com/2023/06/13/how-an-amazon-fire-kids-tablet-was-allegedly-used-to-stalk-a-security-pro/ so the rough situation is that a spy feature can be used maliciously?
|
# ? Jun 14, 2023 13:30 |
|
In essence, yeah. I guess the real problem is that the device his stalking ex used as a bug no longer showed up in his list of Amazon devices, so he (somewhat reasonably) assumed it'd be safe.
|
# ? Jun 14, 2023 13:35 |
|
Klyith posted:If your 4 word passphrase is 4 words in the top 10,000 by frequency, it can now be cracked by a single 4090 in ~55.5 hours vs SHA1 hashing. Let's say you speak English, Finnish, Spanish and German so instead of CorrectHorseBatteryStaple you do OikeaCaballoBatteryKlammer, would that put you in the clear?
|
# ? Jun 14, 2023 15:57 |
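An added example (not code from anyone in the thread) that puts numbers on two of the posts above: the "let the CPU decide the iteration count" idea BlankSystemDaemon attributes to geli, and the four-words-from-the-top-10,000 arithmetic in the Klyith quote. It assumes Go, spells PBKDF2-HMAC-SHA256 out by hand so the per-iteration cost is visible, and uses an assumed 5e10 raw guesses per second as the attacker's rate (the order of magnitude that reproduces the quoted ~55.5 hours); the PBKDF2 line is a rough upper bound, since a GPU computes HMAC-SHA256 somewhat slower than bare SHA-1:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, written out so
// the cost model is visible: every iteration is one more HMAC the attacker must
// also compute per guess.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	idx := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// calibrateIterations times a short PBKDF2 run on this CPU and scales the count
// so one derivation takes about target, never going below floor.
func calibrateIterations(target time.Duration, floor int) int {
	const sample = 2000
	start := time.Now()
	pbkdf2SHA256([]byte("calibration"), []byte("calibration-salt"), sample, 32)
	elapsed := time.Since(start)
	if elapsed <= 0 {
		return floor
	}
	iters := int(float64(sample) * float64(target) / float64(elapsed))
	if iters < floor {
		return floor
	}
	return iters
}

// passphraseBits is the entropy of words drawn uniformly from a list of listSize entries.
func passphraseBits(words, listSize int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

// crackHours is the time to exhaust keyspace guesses when the attacker computes
// guessesPerSecond raw hashes and each guess costs iterations hashes.
func crackHours(keyspace, guessesPerSecond float64, iterations int) float64 {
	return keyspace * float64(iterations) / guessesPerSecond / 3600
}

func main() {
	fmt.Printf("pbkdf2(password, salt, c=1): %x\n", pbkdf2SHA256([]byte("password"), []byte("salt"), 1, 32))
	fmt.Println("iterations for ~250 ms on this CPU:", calibrateIterations(250*time.Millisecond, 600_000))
	bits := passphraseBits(4, 10_000)
	keyspace := math.Pow(2, bits) // 10,000^4 = 1e16 guesses
	fmt.Printf("4 words from a 10,000-word list: %.1f bits\n", bits)
	// 5e10 guesses/s is an assumed figure for raw SHA-1 on one high-end consumer GPU.
	fmt.Printf("raw SHA-1: %.1f hours\n", crackHours(keyspace, 5e10, 1))
	fmt.Printf("PBKDF2 at 600k iterations: %.0f years\n", crackHours(keyspace, 5e10, 600_000)/24/365)
}
```

Two things the numbers show. First, the iteration count multiplies the attacker's work linearly, which is why the vault default moved from 100k to 600k; calibrating to a fixed wall-clock cost on your own hardware is how to keep that margin without picking a magic number. Second, switching languages does not change the arithmetic much: an attacker who knows you draw from four 10,000-word lists just merges them into one 40,000-word list, which is 4 × log2(40,000) ≈ 61 bits rather than 53, still far short of the 200 bits quoted earlier in the thread.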
|
that sounds like a bog standard internet of poo poo security risk, just amplified by its creepiness. lol again at his posts.
|
# ? Jun 14, 2023 16:10 |
|
Influencers are the worst
|
# ? Jun 14, 2023 16:29 |
|
Thanks Ants posted:people using the internet are the worst
|
# ? Jun 14, 2023 16:31 |
|
Thanks Ants posted:people are the worst
|
# ? Jun 14, 2023 17:56 |
|
BlankSystemDaemon posted:I'd still need to handhold a bunch of people into installing tailscale. winget install tailscale
|
# ? Jun 14, 2023 18:33 |
|
[error] unable to access Microsoft Store as someone decided Windows LTSC branch was more secure.
|
# ? Jun 14, 2023 18:36 |
|
Good move for anyone using Purview Information Protection/AIP with Purview moving to AES256-CBC by default starting in August. NIST removed ECB as an acceptable mode last year but AES128-ECB was still used to maintain backwards compatibility with legacy versions of Office. https://techcommunity.microsoft.com...on/ba-p/3831909
|
# ? Jun 15, 2023 14:05 |
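To see why the mode change in the post above matters more than the key length, here is an added example (not from the post or from Microsoft) that encrypts the same structured document under AES-ECB and AES-CBC and counts repeated ciphertext blocks. It assumes Go's standard library; the key, IV and the "patient record" document are constructed for the example, and the fixed IV is only there so the run is reproducible:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// pkcs7Pad pads to a whole number of blocks (always adds at least one byte).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt applies the block cipher to each block independently. Go's standard
// library deliberately offers no ECB mode, which is why it has to be spelled out.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// cbcEncrypt chains blocks: each plaintext block is XORed with the previous
// ciphertext block (the IV for the first one) before it is encrypted.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	pt := pkcs7Pad(plaintext, block.BlockSize())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// repeatedBlocks counts ciphertext blocks identical to an earlier block.
// Any count above zero leaks structure about the plaintext.
func repeatedBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// compareModes encrypts plaintext under both modes with the given key and IV and
// returns the number of repeated ciphertext blocks for (ECB, CBC).
func compareModes(key, iv, plaintext []byte) (ecbDups, cbcDups int, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	bs := block.BlockSize()
	return repeatedBlocks(ecbEncrypt(block, plaintext), bs),
		repeatedBlocks(cbcEncrypt(block, iv, plaintext), bs), nil
}

func main() {
	// Constructed inputs: a fixed key and IV so the run is reproducible. In a real
	// system the IV must be fresh and unpredictable for every message.
	key := bytes.Repeat([]byte{0x11}, 16) // AES-128
	iv := bytes.Repeat([]byte{0x22}, 16)
	// A document of eight identical 16-byte records, each landing on a block boundary.
	doc := bytes.Repeat([]byte("PATIENT-ID:00042"), 8)
	ecbDups, cbcDups, err := compareModes(key, iv, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d repeated ciphertext blocks (plaintext repetition is visible)\n", ecbDups)
	fmt.Printf("CBC: %d repeated ciphertext blocks\n", cbcDups)
}
```

Under ECB every identical plaintext block produces an identical ciphertext block, so an attacker can see which records repeat, count them, and cut and paste blocks between documents without the key; the document's structure survives encryption. CBC hides the repetition, but it is still unauthenticated: a sensible design pairs it with a MAC or uses an AEAD mode such as AES-GCM, and reuses no IV.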
|
ShoeFly posted:I pushed for security.txt implementation at all my clients when I was in consulting, most said it wasn’t worth the time. Orgs can’t be bothered to even monitor a simple inbox. sales@example.com always exists

I had a fun one this past week. We use Trellix for AV and I caught an escalation for a couple of cases where it was blocking an Excel add-in used by some of our chemists and quarantining anything they opened and some of the executable. I gather some data and put in an AV exclusion request. People restore from quarantine and... no go, macros still won't run. We get hands-on, do some experimentation (we do science here!), and discover that any workbook that had been quarantined is now broken, but files that hadn't been are fine. We restore from backup and people get back to doing science.

To quote the vendor tech, the software is made up of "obfuscated and encrypted VB macros". If you want the complete and undivided attention of your AV program, that's exactly what you do.
|
# ? Jun 15, 2023 14:35 |
|
I like a more personal touch with my infosec support: Every company needs a Gary
|
# ? Jun 16, 2023 00:50 |
|
New moveit zero day https://nakedsecurity.sophos.com/2023/06/15/moveit-mayhem-3-disable-http-and-https-traffic-immediately/amp/

TL;DR: if it’s on your network turn it the gently caress off immediately. No CVE as of yet.

Edit: to be clear, this is a DIFFERENT zero day from the one earlier this month
# ? Jun 16, 2023 02:02 |
|
MOVEit the gently caress off your network
|
# ? Jun 16, 2023 02:20 |
|
some kinda jackal posted:MOVEit the gently caress off your network
|
# ? Jun 16, 2023 09:28 |
|
MOVEit execs this week: It’s funny because I don’t have that poo poo anywhere in my network, i mean, but by the grace of god, right? Tomorrow it’s some other lovely bespoke enterprise system that gets thoroughly eviscerated. Only a matter of time
# ? Jun 16, 2023 11:32 |
|
What is MOVEit even for? Saving an sftp line in some admin script?
|
# ? Jun 16, 2023 11:46 |
|
I think it’s just commercial file movement for enterprise. Your FTP, sftp, web based upload/download file exchange solution. Probably includes a bunch of automation and data piping if I had to guess, but honestly haven’t given it a second look. A non-trivial amount of the modern payments ecosystem still relies on processes that SFTP reconciliation files around at the end of the day, for example. So yeah, you could stand up an SFTP server on OpenSSH and script the backend, but this probably does a bunch of things on the backend that you’d have to script out and support. It also ticks a lot of enterprise boxes around “vendor support contracts” in case something goes wrong and.. welp.. the joke writes itself
# ? Jun 16, 2023 11:53 |
|
Absurd Alhazred posted:What is MOVEit even for? Saving an sftp line in some admin script? It's a file locker platform. You want to send files to boomers that can only handle email? You upload it to the moveit servers and then send the link to the other recipients.
|
# ? Jun 16, 2023 16:59 |
|
So like SharePoint, or Dropbox links?
|
# ? Jun 16, 2023 23:43 |
|
Absurd Alhazred posted:So like SharePoint, or Dropbox links? Infosec nerds will require sharepoint to only work on authenticated sessions, no anonymous links. (I know cause I fought that battle and lost, so our people use wetransfer to move content around behind our backs).
|
# ? Jun 17, 2023 07:52 |
|
Did something big break?
# ? Jun 17, 2023 16:59 |
|
lmao
|
# ? Jun 17, 2023 17:13 |