The Fool
Oct 16, 2003


Rust Martialis posted:

Or don't use Azure because it's noncompliant with GDPR.

what


Sickening
Jul 16, 2007

Black summer was the best summer.

Rust Martialis posted:

Or don't use Azure because it's noncompliant with GDPR.

Keep going

BonHair
Apr 28, 2007

Rust Martialis posted:

Or don't use Azure because it's noncompliant with GDPR.

Allegedly noncompliant.

I'm on team "yeah, it's all noncompliant with GDPR", but it's not entirely settled, especially since Microsoft has a functioning monopoly on AD and basic office software. As I see it, it's legally clear but politically impossible that all the big American cloud providers are noncompliant due to the USA not being a safe third country.

There's a German state/Bundesland moving to LibreOffice and Linux for this reason, but I doubt many will follow before Schrems V at the earliest.

spankmeister
Jun 15, 2008

Germany still uses fax extensively. I'm not sure they are a great example.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Subjunctive posted:

Why is that? I’m curious.

This is just my opinion and I realize that it might be a really hot take (with a touch of greybeard linux nerd):

MS seems to be making a push to make as many of their tools as possible GUI-focused, browser-based, with the best experience in Edge (especially if you pony up for the copilot licenses). Not only does this feel like the shittiest kind of vendor lock-in, but they change UX, naming conventions, and menu structures so often that it's almost impossible to get used to the tools they do provide. Take KQL queries, for example:
 
Who wants to write code in a tiny pane in a browser? These queries can get long and complex. I want to write them in an actual IDE and then run them from a terminal and output to a file. This outputs to the bottom pane and has to be separately exported as a csv. Also, because it's all browser-based and written in Ajax and JS, it's really slow. Nothing feels snappy or performant. I would estimate that a good chunk of my day is spent just waiting for the page to load and give me the data. If I could write out a simple query in a terminal and get back only text, all of this would be way faster.

This part is more :tinfoil: speculation on my part, but I feel that these pushes toward making more easy-to-use GUI interfaces and more "AI-powered" tools while minimizing (or outright deprecating) CLI/PowerShell are an attempt to de-skill and disempower skilled tech labour. If everything is a single-pane-of-glass pretty dashboard and you can ask an AI to find all of the high-risk sign-ins for you, then you can hire any rando off the street for minimum wage to do the job. It's not like they need to actually know anything beyond "make sure the line doesn't go into the red zone. If it does, ask Copilot to fix it."

[edit] I know that Graph and Azure Bicep exist. They may be the saving grace, I just haven't looked into them too much yet.

MustardFacial fucked around with this message at 19:07 on Apr 11, 2024

BonHair
Apr 28, 2007

spankmeister posted:

Germany still uses fax extensively. I'm not sure they are a great example.

This is true, and bad, but from a security perspective, it's at least more transparent than the alternatives? I don't know about the encryption on faxes though, but I assume it's either absent or crackable with a Gameboy.

And less jokingly, the transition from fax to Linux is probably easier than Microsoft to Linux.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

BonHair posted:

This is true, and bad, but from a security perspective, it's at least more transparent than the alternatives? I don't know about the encryption on faxes though, but I assume it's either absent or crackable with a Gameboy.

And less jokingly, the transition from fax to Linux is probably easier than Microsoft to Linux.

It's an analogue phone line. You can crack it with a tape recorder.

Thanks Ants
May 21, 2004

#essereFerrari


Wasn't fax sticking around more to do with being able to pull phone company records that show a call being placed from your fax number to someone else's and that it lasted long enough for a fax to have been sent? Maybe some people are still insisting that a digitally signed document with the IP addresses recorded wouldn't stand up in court.

The only thing fax has going for it is that someone can slap a document down and dial a number and the document appears at the other side, something that all scan-to-email type solutions or proprietary internet fax services managed to not achieve.

BonHair
Apr 28, 2007

Apparently, faxes also give you receipts for delivery, meaning you can be sure that it did indeed reach someone on the other end (and misdialing a valid fax number is considered unlikely).

spankmeister
Jun 15, 2008

Email has all those things. Germany is just old fashioned and resistant to change.

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


Thanks Ants posted:

Wasn't fax sticking around more to do with being able to pull phone company records that show a call being placed from your fax number to someone else's and that it lasted long enough for a fax to have been sent? Maybe some people are still insisting that a digitally signed document with the IP addresses recorded wouldn't stand up in court.

That's not really 'proof' though. All someone would have to do is tap the analog line (which could be done outside of the perimeter) to be able to send and receive from someone else's number. Also, many places that still use fax often use digital fax services which have all the usual security issues with internet-connected stuff along with the last-mile analog hole.

It's really just old laws and procedures that entities are afraid to update due to lack of knowledge of technology, along with the low cost of just buying a fax machine and an analog phone line as opposed to supporting some other technology.

Something to mull over. PHI data can be (and IS) transmitted over SMTP through automated means and is fully secure (look up HISP and Direct Secure Messaging). You can build these solutions to be far more secure and audited than FAX, but no one wants to do it because the current laws say fax is good enough and it's cheap.

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!

spankmeister posted:

Email has all those things. Germany is just old fashioned and resistant to change.

Look you can't sign your signature and triple stamp an email with ink like you can with a faxed paper. It's just not the same.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

BonHair posted:

Allegedly noncompliant.

I'm on team "yeah, it's all noncompliant with GDPR", but it's not entirely settled, especially since Microsoft has a functioning monopoly on AD and basic office software. As I see it, it's legally clear but politically impossible that all the big American cloud providers are noncompliant due to the USA not being a safe third country.

There's a German state/Bundesland moving to LibreOffice and Linux for this reason, but I doubt many will follow before Schrems V at the earliest.

The EDPB has already ruled that use of Office365 is illegal under a related privacy law applicable to EU organizations.

https://www.edps.europa.eu/press-pu...s-and-bodies_en

This isn't GDPR, but it's going to come in time, because there is simply no way that the USA offers equivalent rights as GDPR. As you say, politicians like to pretend there is, but the courts keep overturning their patchwork.

The EDPB put out guidance some months ago that states clearly there are simply *no* contractual terms that can make the use of any hyperscale cloud provider compliant with EU-GDPR. Likewise there really are no technical controls short of fully encrypting data at all times that allow use of a US-linked cloud.

EDPB - European Data Privacy Board

Rust Martialis fucked around with this message at 21:03 on Apr 11, 2024

Diva Cupcake
Aug 15, 2005

“Acceptable risk, imo” -literally every multinational corporation in existence.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

I thought Microsoft had a Germany data center set that was totally independent of and disconnected from their US assets, for exactly the “the data must not leave Europe” scenario, complete with some ownership cutout that put them outside US warrant jurisdiction

but I might have imagined that

Thanks Ants
May 21, 2004

#essereFerrari


It will be one of those laws that nobody enforces and gets repealed, it would make things like Intune management of laptop fleets impossible.

spankmeister
Jun 15, 2008

Subjunctive posted:

I thought Microsoft had a Germany data center set that was totally independent of and disconnected from their US assets, for exactly the “the data must not leave Europe” scenario, complete with some ownership cutout that put them outside US warrant jurisdiction

but I might have imagined that

They do! But depending on the interpretation of the Patriot Act, it doesn't make a difference.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Thanks Ants posted:

It will be one of those laws that nobody enforces and gets repealed, it would make things like Intune management of laptop fleets impossible.

Allow me to introduce you to Max Schrems and his quite successful history in the EU court system enforcing GDPR rights, overturning Safe Harbor and Privacy Shield.

The inability of some (primarily American) computer security people to comprehend the fact that the EU actually is serious about data privacy is always striking.

Rust Martialis fucked around with this message at 21:44 on Apr 11, 2024

Thanks Ants
May 21, 2004

#essereFerrari


I get it, but if you tell every EU company they cannot legally use M365 then nobody is going to comply. Either it bounces MS into splitting their EU cloud services out into a separate company or there's a backlash against all the privacy laws.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

spankmeister posted:

They do! But depending on the interpretation of the Patriot Act, it doesn't make a difference.

Yeah, I thought that's why the ownership cutout thing was done, and honestly the Patriot Act and FISA courts really mean whatever the US govt wants them to.

I guess the risk is that the beneficial ownership would let Satya force the operators to snoop?

Defenestrategy
Oct 24, 2010

Thanks Ants posted:

I get it, but if you tell every EU company they cannot legally use M365 then nobody is going to comply. Either it bounces MS into splitting their EU cloud services out into a separate company or there's a backlash against all the privacy laws.

I mean, they already have gov cloud, why not spin out into EU Cloud, increase the cost by like 10%, and make it be compliant?

Thanks Ants
May 21, 2004

#essereFerrari


Rust Martialis posted:

Allow me to introduce you to Max Schrems and his quite successful history in the EU court system enforcing GDPR rights, overturning Safe Harbor and Privacy Shield.

The inability of some (primarily American) computer security people to comprehend the fact that the EU actually is serious about data privacy is always striking.

I understand how serious the EU are about data privacy, but the EU is a political body that people vote for. If they decide that you can be prosecuted for putting your data in SharePoint Online while there are zero serious non-American competitors in this space (especially when you consider Windows endpoint management, argue it's antitrust if you want) then it will take very little for political operators who already don't like the EU to run an entire campaign around "the EU are making your five-person business rent datacentre space, buy a server and employ someone to manage it, did you vote for that??".

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Thanks Ants posted:

I get it, but if you tell every EU company they cannot legally use M365 then nobody is going to comply. Either it bounces MS into splitting their EU cloud services out into a separate company or there's a backlash against all the privacy laws.

While I've long been expecting the EU to blink first, the EU courts as yet do not give a gently caress about Microsoft's business model. At some point unless the US repeals the Patriot Act, a new Schrems court case will hit the CJEU again about private use of M365. And Microsoft will lose, because the US does not meet and has never met the requirements set out in GDPR. And no waffling by trade negotiators can bridge that fundamental gap in US law.

As pointed out the European Data Privacy Board has already prohibited in the last month the use of M365 by the EU itself. It's subject to a more stringent law than GDPR, but the suits will come.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Defenestrategy posted:

I mean, they already have gov cloud, why not spin out into EU Cloud, increase the cost by like 10%, and make it be compliant?

I really think MS has been betting on the EU folding. Like others I frankly expected the EU business sector to lean on the regulators to stop kicking over the EU/US data sharing regimes... but the courts keep enforcing GDPR and also Vestager keeps fining Facebook or Google a billion dollars periodically for anticompetitive behavior. They made me a convert - they're really serious about enforcing the laws.

Having fought with MS to reveal all their data sub-processors outside the EU and what they do in Azure - they won't, by the way - my suspicion is that the number of features you can provide in an EU-only Azure stack might be so limited that MS couldn't sell it.

Everything MS says about GDPR compliance should be taken as absolute lies, incidentally.

Plus it's not like Azure is *inexpensive* ffs

Rust Martialis fucked around with this message at 22:15 on Apr 11, 2024

Sickening
Jul 16, 2007

Black summer was the best summer.

Rust Martialis posted:

Allow me to introduce you to Max Schrems and his quite successful history in the EU court system enforcing GDPR rights, overturning Safe Harbor and Privacy Shield.

The inability of some (primarily American) computer security people to comprehend the fact that the EU actually is serious about data privacy is always striking.

I get the impression it's more for show than for practical purpose.

SlowBloke
Aug 14, 2017
The number of people that care more about the Schrems lawsuit compared to functionality could fit in a storage locker, and every "Germany is moving to Linux because it's better for privacy" FSF fan forgets that they always go back to Windows+Office eventually, once the optics make it convenient. I routinely have to witness the homegrown alternatives brought by the desire to make a stand against the big services and it's always amateur hour. Every time I hear Gaia-X I start shaking.

Wibla
Feb 16, 2011

Testing out KASM as a poor man's PAW solution. For the whopping two hours I spent setting it up, it works well. Latency and performance are nowhere near Citrix VDI though...

Diva Cupcake
Aug 15, 2005

SlowBloke posted:

The number of people that care more about the Schrems lawsuit compared to functionality could fit in a storage locker, and every "Germany is moving to Linux because it's better for privacy" FSF fan forgets that they always go back to Windows+Office eventually, once the optics make it convenient. I routinely have to witness the homegrown alternatives brought by the desire to make a stand against the big services and it's always amateur hour. Every time I hear Gaia-X I start shaking.

Our Munich office houses our risk and compliance org and while they’re relatively more attuned to privacy implications, absolutely none of our overall IT leadership is banging the drum to move away from E5. We’re leaning in further.

I assume almost most orgs are the same.

Sickening
Jul 16, 2007

Black summer was the best summer.

SlowBloke posted:

The number of people that care more about the Schrems lawsuit compared to functionality could fit in a storage locker, and every "Germany is moving to Linux because it's better for privacy" FSF fan forgets that they always go back to Windows+Office eventually, once the optics make it convenient. I routinely have to witness the homegrown alternatives brought by the desire to make a stand against the big services and it's always amateur hour. Every time I hear Gaia-X I start shaking.

And for that I can't just take it seriously. I have loving uk software devs who can't all agree on what "rights" they have on their work computer (not even GDPR related) and I am at my loving limit. I am all for real concerns of privacy, but this is loving theater.

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!
https://techcrunch.com/2024/04/10/apple-warning-mercenary-spyware-attacks/

https://appleinsider.com/articles/24/04/11/apple-warns-of-a-mercenary-spyware-attack-on-iphones

Is there any context as to why people are suddenly(?) getting warnings from Apple about being explicitly targeted?

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

They’ve done it before, and the article pretty much says so

quote:


Apple also sent an identical warning to a number of journalists and politicians in India in October last year. Later, nonprofit advocacy group Amnesty International reported that it had found Israeli spyware maker NSO Group’s invasive spyware Pegasus on the iPhones of prominent journalists in India. (Users in India are among those who have received Apple’s latest threat notifications, according to people familiar with the matter.)

The spyware alerts arrive at a time when many nations are preparing for elections. In recent months, many tech firms have cautioned about rising state-sponsored efforts to sway certain electoral outcomes. Apple’s alerts, however, did not remark on their timing.

Accipiter
Jan 24, 2004

SINATRA.
https://security.paloaltonetworks.com/CVE-2024-3400

Have a good day, everyone. :D

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

Only affects PAN-OS systems running GlobalProtect VPN software *with* telemetry enabled, running 10.2, 11.0 or 11.1.

Also:

quote:

Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).

In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.

Ahhh, just heard a customer has given us a 3-day window next year to upgrade SAP/HANA for them and that every day over three days will cost them $200M. Love to feel that instant tension in the air and the squeak of tightening arseholes.

Rust Martialis fucked around with this message at 14:00 on Apr 12, 2024

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

Rust Martialis posted:

Only affects PAN-OS systems running GlobalProtect VPN software *with* telemetry enabled, running 10.2, 11.0 or 11.1.

Telemetry is enabled by default on PAN-OS 11 and up.

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


MustardFacial posted:

Telemetry is enabled by default on PAN-OS 11 and up.

And only useful to you if you’re using AIOps. Not production impacting to turn it off.
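A small triage helper for the exposure conditions exactly as the posts above state them (PAN-OS 10.2/11.0/11.1, GlobalProtect, telemetry enabled, telemetry defaulting to on from PAN-OS 11) together with the quoted mitigation (Threat ID 95187 from content 8833-8682, vulnerability protection on the GlobalProtect interface). This is an added Python example, not Palo Alto Networks tooling or any poster's code; the `Firewall` inventory records and the `major.minor.maint-hN` version format are assumptions.

```python
"""Exposure triage for CVE-2024-3400 as the thread above describes it: PAN-OS
10.2, 11.0 or 11.1 running GlobalProtect with device telemetry enabled, with
telemetry on by default from PAN-OS 11. Added example, not Palo Alto tooling;
the firewall records below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Release trains (major.minor) named as affected in the thread.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}
# Threat ID and content version quoted from the advisory excerpt in the thread.
THREAT_ID = 95187
MIN_CONTENT_VERSION = (8833, 8682)

# Assumed PAN-OS version format: major.minor.maint with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
_CONTENT_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_panos_version(text: str) -> tuple[int, int, int, int]:
    """Turn '10.2.7-h3' into (10, 2, 7, 3); hotfix defaults to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def parse_content_version(text: str) -> tuple[int, int]:
    """Turn an Applications and Threats version like '8833-8682' into a tuple."""
    m = _CONTENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised content version: {text!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class Firewall:
    """Constructed inventory record; telemetry None means 'left at default'."""
    name: str
    panos_version: str
    globalprotect_enabled: bool
    telemetry_enabled: Optional[bool] = None
    content_version: Optional[str] = None
    threat_95187_enabled: bool = False
    gp_vuln_protection_applied: bool = False


def effective_telemetry(fw: Firewall, major: int) -> bool:
    """Explicit setting wins; otherwise assume the PAN-OS 11+ default of on."""
    if fw.telemetry_enabled is not None:
        return fw.telemetry_enabled
    return major >= 11


def triage(fw: Firewall) -> dict:
    """Report whether the box meets the thread's exposure conditions and what to do."""
    major, minor, _maint, _hotfix = parse_panos_version(fw.panos_version)
    exposed = ((major, minor) in AFFECTED_TRAINS
               and fw.globalprotect_enabled
               and effective_telemetry(fw, major))
    actions = []
    if exposed:
        actions.append("exposed: affected train + GlobalProtect + telemetry on")
        content_ok = (fw.content_version is not None
                      and parse_content_version(fw.content_version) >= MIN_CONTENT_VERSION)
        if not content_ok:
            actions.append(f"update content to >= 8833-8682 so Threat ID {THREAT_ID} is available")
        elif not fw.threat_95187_enabled:
            actions.append(f"enable Threat ID {THREAT_ID}")
        if not fw.gp_vuln_protection_applied:
            actions.append("apply vulnerability protection to the GlobalProtect interface")
        actions.append("or disable telemetry (no production impact unless AIOps is used)")
    return {"name": fw.name, "exposed": exposed, "actions": actions}


if __name__ == "__main__":
    fleet = [
        Firewall("edge-1", "11.1.2", globalprotect_enabled=True),
        Firewall("edge-2", "10.2.7-h3", globalprotect_enabled=True),
        Firewall("edge-3", "11.0.3", globalprotect_enabled=True, telemetry_enabled=False),
    ]
    for fw in fleet:
        print(triage(fw))
```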

Partycat
Oct 25, 2004

bull3964 posted:

That's not really 'proof' though. All someone would have to do is tap the analog line (which could be done outside of the perimeter) to be able to send and receive from someone else's number. Also, many places that still use fax often use digital fax services which have all the usual security issues with internet-connected stuff along with the last-mile analog hole.

It's really just old laws and procedures that entities are afraid to update due to lack of knowledge of technology, along with the low cost of just buying a fax machine and an analog phone line as opposed to supporting some other technology.

Something to mull over. PHI data can be (and IS) transmitted over SMTP through automated means and is fully secure (look up HISP and Direct Secure Messaging). You can build these solutions to be far more secure and audited than FAX, but no one wants to do it because the current laws say fax is good enough and it's cheap.

Part of the idea is that it would be very difficult to modify a fax in transit. Assuming that you had some method to validate the document that'd been sent, you would know that you didn't get sent a replay, or something someone sent via tapping your line. Then again this is also the idea with ISDN that you can't easily tap and modify that, and it is also a dead technology. Phone company took my BRI some years ago now. Faxes are dying the slow death, and anyone maintaining them would behoove themselves to spend the time to find a paper in-and-out solution using a MFP or something.

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


Partycat posted:

Part of the idea is that it would be very difficult to modify a fax in transit. Assuming that you had some method to validate the document that'd been sent, you would know that you didn't get sent a replay, or something someone sent via tapping your line. Then again this is also the idea with ISDN that you can't easily tap and modify that, and it is also a dead technology. Phone company took my BRI some years ago now. Faxes are dying the slow death, and anyone maintaining them would behoove themselves to spend the time to find a paper in-and-out solution using a MFP or something.

Yeah, but we solved that ages ago for electronic documents with various encryption technologies.

Validation in the low resolution analog realm is a little tough. Beyond that you are just relying on phone company records and the time/dates that are manually set in the cheap quartz clocks of these fax devices.

That's also the rub, you only start investigating and maybe uncovering evidence of a replay/alterations after you discover something that doesn't look right. So, there's an additional failure point.

Besides, you don't even have to alter documents for this to be an issue. You could just silently capture all documents that could be retrieved wirelessly and skim whatever data you find since encryption is non-existent.

Canuck-Errant
Oct 28, 2003

MOOD: BURNING - MUSIC: DISCO INFERNO BY THE TRAMMPS
Grimey Drawer
My employer (a Government of Canada agency) paid for me to take CISSP training, and I passed the exam two weeks ago.

I'm just not sure what to do next, as I'm T1 help desk and I'm not sure how to map my work into the 5 year experience requirement - and the greybeards in Networks have been reluctant to let anyone at lower levels get any access to even view basic security functions in Defender.

Anyone have any insights on how the work experience thing works for CISSP, or how to map job responsibilities to the domains?

Potato Salad
Oct 23, 2014

nobody cares


Thanks Ants posted:

I understand how serious the EU are about data privacy, but the EU is a political body that people vote for. If they decide that you can be prosecuted for putting your data in SharePoint Online while there are zero serious non-American competitors in this space (especially when you consider Windows endpoint management, argue it's antitrust if you want) then it will take very little for political operators who already don't like the EU to run an entire campaign around "the EU are making your five-person business rent datacentre space, buy a server and employ someone to manage it, did you vote for that??".

I respectfully think that you are fundamentally misreading just how popular data privacy is with European voters, and how serious they are about it.

The courts and administrators feel comfortable telling Microsoft to gently caress off right now because they know where public sentiment heavily leans here.

Potato Salad fucked around with this message at 01:41 on Apr 13, 2024


Kesper North
Nov 3, 2011

EMERGENCY POWER TO PARTY
I suspect GDPR enforcement wrt O365 is going to look something like this:

1. MSFT violates GDPR
2. EU levies a nominal-by-Microsoft-standards fine
3. MSFT prices the fine into their business model
4. goto 1
