BlankSystemDaemon posted:
And at least KeePass does it right, because it requires you to interact with it, instead of just filling it in automatically.

It's actually configurable. You can have it do nothing, fill it in, or fill it in and submit.

Feb 26, 2024 00:42

May 11, 2024 10:08

I think some people on something awful need to get 1pass

Feb 26, 2024 05:48

I never thought I'd be a compliance person, but here I am studying up for a PCI certification... I have to say compared to some other compliance regulations it seems pretty well spelled out and descriptive.

Feb 28, 2024 17:44

BaseballPCHiker posted:
I never thought I'd be a compliance person, but here I am studying up for a PCI certification...

Card brands don't like losing money. It's generally nice that it's specific, until you hit some case where their language makes your existing solution a pain in the rear end. I know some people struggled with dated language with modern stuff like Kubernetes. At least with PCI 4.0 they introduced the customized approach instead of having to fill out a compensating controls worksheet for every single control where you're doing something different than the DSS spells out.

Feb 28, 2024 18:03

I just kept getting brought into meetings with teams saying we want to do XYZ for PCI, and I'd have no idea if it was actually necessary or not, or if they were totally misunderstanding some regulation or listening to a dumb auditor. This all came to a head when an auditor told someone in my org that we had to disallow copy/paste on all systems in scope for PCI.... I for sure don't want to work in compliance, but it's a big part of the industry and I can't seem to totally ignore it anymore.

Feb 28, 2024 19:41

Nobody wants to work in compliance. It’s often a place of exile.

Feb 28, 2024 19:42

I had someone tell me that the EU were mandating EDR and it turns out they'd seen an article talking about Event Data Recorders in vehicles and were trying it on in a sales pitch about some endpoint security software.

Feb 28, 2024 19:43

Sickening posted:
Nobody wants to work in compliance. It's often a place of exile.

I'd believe it. We've been prepping to get our ducks in a row for CMMC, and I've hated every moment of it.

Feb 28, 2024 19:51

Sickening posted:
Nobody wants to work in compliance. It's often a place of exile.

That tracks with my org somewhat. The people who couldn't hack it in technical roles but who we still liked all ended up in compliance.

Feb 28, 2024 20:09

BaseballPCHiker posted:
This all came to a head when an auditor told someone in my org that we had to disallow copy/paste on all systems in scope for PCI....

I don't remember what regulation they were quoting, but I worked for a place where IT said the failed password attempt lockout couldn't ever reset on success. So if you typed your password wrong three times, your account would be locked. Even if those three times were months apart. At a place that operated 24/7 and IT only worked day shift during the week.

Feb 28, 2024 20:29

I came into the infosec business via compliance, and I still kinda like it and will go back to it eventually when I'm done being a product owner for a GRC tool. I'm not really technical though, and got into this career because the entire country suddenly needed anyone who could spell GDPR in five tries.

Feb 28, 2024 21:10

Compliance is my whole thing but I use my powers for good, to dig through the morass of things that say no, to get my boss to a yes without using silver bullets. It's entertaining even if it can be mind numbing at times.

Feb 28, 2024 22:53

BaseballPCHiker posted:
I just kept getting brought into meetings with teams saying we want to do XYZ for PCI, and I'd have no idea if it was actually necessary or not or if they were totally misunderstanding some regulation or listening to a dumb auditor. This all came to a head when an auditor told someone in my org that we had to disallow copy/paste on all systems in scope for PCI....

Likely in reference to this? Requirement 3.4.2: When using remote access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.

If you are starting from scratch and do not know, I would say first understand your PCI type and level, which will drive which requirements you need to implement. Thereafter work like hell to be SAQ A, unless you are a service provider, in which case work like hell to descope as much as possible. Securitymetrics published a fairly usable guide to help with understanding the whole ordeal: https://www.securitymetrics.com/lp/pci/pci-guide

I am currently stuck in PCI hell, please send help.

Feb 29, 2024 17:53

Yeah, step one of compliance should always be "what do we actually need?", followed by "what's the first step to actually getting there in a realistic way?". Way too many people start at maximum everything, to be implemented in 6 months. Without bothering anyone else. Both tech and legal types in compliance tend to forget to look at the big picture and context. Also start by figuring out what you're actually doing in your business and then what kind of IT you are using for it. This can often take a year to get straight.

Feb 29, 2024 19:22

Compliance in companies comes with some problems. The people you need to do it right are probably wanting to do cooler work. The responsibility and accountability being asked to be accepted by the team is usually completely opposite of the agency they have. Winning is just status quo and losing is a giant death sentence too often.

Feb 29, 2024 19:30

At my previous job the company sold SOC/PCI/etc. escrow/proxy services that tokenized and detokenized stuff between buyers and payment processors and merchants, for places like Wayfair and McDonald's: compliance scope reduction as a service, if you will. They were also working on a compliance sort of tool like Vanta, and that tool was to be nicely integrated into the management surfaces so that all the evidence was automatically generated and monitored, meaning that our customer would find out that someone had moved out of the compliance posture approximately when it happened, rather than while they were scrambling to get the evidence together for their auditor at renewal. (Mostly the idea was that we would prevent things from ending up out of posture, but there were some things that only became an issue with hindsight, IIRC.) While I was there the CSO reported to me, so I got to learn a lot more about the practical elements of compliance management and attestation for the first time, and the biggest things I learned were

Also, if you're going to be in that game, it's easier on your sales team if 95% of your engineering staff aren't in Ukraine, even before the war.

Feb 29, 2024 19:38

BonHair posted:
Yeah, step one of compliance should always be "what do we actually need?", followed by "what's the first step to actually getting there in a realistic way?". Way too many people start at maximum everything, to be implemented in 6 months. Without bothering anyone else. Both tech and legal types in compliance tend to forget to look at the big picture and context.

One of my favorite sections of The Phoenix Project is the one where the new CTO, who is basically an avatar of IT competence, tells the security guy who's convinced he's the lone prophet of IT best practice that most of his pushes for better security are completely irrelevant, and walks him through all the non-IT controls that make the security guy's cherished worst case scenarios impossible. I started out feeling bad for the poor security guy, so seeing him yanked up short like that was also an eye-opener for me.

Feb 29, 2024 22:38

BonHair posted:
Yeah, step one of compliance should always be "what do we actually need?", followed by "what's the first step to actually getting there in a realistic way?". Way too many people start at maximum everything, to be implemented in 6 months. Without bothering anyone else. Both tech and legal types in compliance tend to forget to look at the big picture and context.

https://www.youtube.com/watch?v=I2rhwnY6Bg4

Mar 1, 2024 00:16

Rescue Toaster posted:
I'm dealing with a lovely device that has ancient HTTPS and modern Firefox is officially reporting "gently caress You" when connecting to it.

This is why I have a Win7 VM with IE 11 and a bunch of old USB-stick, non-install versions of Chrome and Firefox. Comes in real handy when working with medical stuff.

Mar 2, 2024 05:35

I Miss Snausages posted:
Comes in real handy when working with medical stuff.

Mar 2, 2024 05:54

Studying Security+ after 15 years in IT Ops/Infra and it's very cool. "Oh THAT'S what that's called" "Oh THAT'S why we did that" "Oh THAT'S what my boss told us to do incorrectly with massive risk"

Mar 2, 2024 08:55

This is slowly getting better with more wireless stuff like Bluetooth sensors and such. Much of the outdated stuff is because of stringent regulations of "electromedical" devices, that is, stuff connected to the mains on one side and to a patient on the other. Certifying that gear is expensive as gently caress, so once a hw configuration is certified it will be static for the lifetime of the device, and not be compatible with newer OSes and such. But with Bluetooth you can air-gap the patient from the mains, and thus run the sw on newer devices with less hassle while the patient sensors run on batteries.

Mar 2, 2024 18:21

Sickening posted:
Nobody wants to work in compliance. It's often a place of exile.

I feel seen.

Mar 2, 2024 20:43

This might be more appropriate for a mobile phone thread, but it's also security related. I've heard that it's a good idea to disable wifi when you're away from home, because big box stores like Walmart have their own APs set up to log hotspot scans from mobile devices. Who knows what that data is used for, but presumably, over time, companies could use it to figure out that I buy frozen pizza and lube every other Friday. Is disabling wifi on mobile devices when you leave home still sound advice if you're paranoid and/or privacy-minded? On iOS, I have an option in the control center to "disconnect nearby wifi until tomorrow." Is that sufficient, or should wifi actually be disabled in the settings? Or is this all a bunch of nonsense?

Mar 3, 2024 14:56

Windows Phone had location-aware Wi-Fi toggles; maybe iOS has the same? Either way I spent a good thirty seconds wondering how the lube and pizza go together so I dunno what Walmart’s going to infer without more spending than your ad tracking brings in.

Mar 3, 2024 15:03

iOS uses random MAC addresses when scanning for Wi-Fi networks

Mar 3, 2024 15:03

vanity slug posted:
iOS uses random MAC addresses when scanning for Wi-Fi networks

Shumagorath posted:
Windows Phone had location-aware Wi-Fi toggles; maybe iOS has the same? Either way I spent a good thirty seconds wondering how the lube and pizza go together so I dunno what Walmart's going to infer without more spending than your ad tracking brings in.

mekyabetsu fucked around with this message at 15:15 on Mar 3, 2024
Mar 3, 2024 15:10

mekyabetsu posted:
I know that iOS has the private MAC address option, but does that kind of tracking use MAC addresses? I recall reading somewhere that it could also use SSIDs, so that if your home network's SSID is "ABC" an AP that is collecting data would log when a phone entered the area and scanned for "ABC". Do phones even send out SSID names when they scan for wifi?

No, they don't. You might not be reading very reliable things.

Mar 3, 2024 15:16

Subjunctive posted:
No, they don't. You might not be reading very reliable things.

Or I just made it up in my head, which is equally likely. Thanks for the education. I really do appreciate it.

Mar 3, 2024 15:18

Subjunctive posted:
No, they don't. You might not be reading very reliable things.

They did a decade or so ago (one of our demos used an SDR to de-anonymize phones by doing exactly that) but I haven't checked on it recently. If you're organized enough to do that, though, you can just set up an IMSI catcher. Walmart is probably not doing that, and anyone who is isn't interested in you.

e: an article on probe requests https://blog.spacehuhn.com/probe-request

flakeloaf fucked around with this message at 15:25 on Mar 3, 2024
Mar 3, 2024 15:23

flakeloaf posted:
They did a decade or so ago (one of our demos used an SDR to de-anonymize phones by doing exactly that) but I haven't checked on it recently. If you're organized enough to do that, though, you can just set up an imsi catcher. Walmart is probably not doing that, and anyone who is isn't interested in you.

Are you talking about connecting to unadvertised SSIDs? I don't recall anything in the WiFi scanning protocol that has an SSID outbound from the scanning device.

E: I forgot about directed probes, of course. I thought they were only used for connecting to unadvertised SSIDs, but that could be incorrect!

Subjunctive fucked around with this message at 15:29 on Mar 3, 2024
Mar 3, 2024 15:25

Subjunctive posted:
Are you talking about connecting to unadvertised SSIDs? I don't recall anything in the WiFi scanning protocol that has an SSID outbound from the scanning device

I imagine that's how it worked, yeah; the phone was sending out probe requests for its familiar but un-advertised networks and my device (with the manual I didn't read, about the spec I also did not read) picked 'em up so I could see things like MARRIOTT 346 from among the consenting few who'd left their phones on. Not to alarm you or anything mekyabetsu, these are not things ordinary users need to concern themselves with. Anyone doing this knows what they're doing is wrong.

Mar 3, 2024 15:28

iOS won't use the native MAC by default, but it will keep using the same generated MAC on a previously joined SSID, which, if joined by a user-specific password or a user-bound session out of a captive portal, could be used by the infrastructure owner to track customers. Yes, I know this is deep tinfoil territory but it's still a weakness of the system.

Mar 3, 2024 16:55

Need a combo of and

Mar 3, 2024 17:31

mekyabetsu posted:
This might be more appropriate for a mobile phone thread, but it's also security related. I've heard that it's a good idea to disable wifi when you're away from home, because big box stores like Walmart have their own APs setup to log hotspot scans from mobile devices. Who knows what that data is used for, but presumably, over time, companies could use it to figure out that I buy frozen pizza and lube every other Friday.

No, this hasn't been a thing for a long time with MAC randomization. Some APs could be broadcast in scans but people really misinterpreted how that worked. The only APs that were ever broadcast by your phone were for networks with hidden APs (which are dumb and you probably don't have any saved, and if you do -- don't).

Mar 3, 2024 19:25

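The probe-request and MAC-randomization discussion above in working form. This is an added example, not code from the thread or from any of the posters, and the frames are hand-built rather than captured: the 802.11 management header (24 bytes, transmitter in address 2) and the SSID information element (element ID 0) are laid out per the standard, but the two station addresses and the directed-probe network name are made up for the demo. It decodes a wildcard probe (SSID element of length 0, names nothing) next to a directed probe for a saved network (SSID in the clear, the case flakeloaf describes), and flags whether the transmitter address has the locally-administered bit set, which is what a randomized MAC looks like on the wire.

```python
"""Decode 802.11 probe request frames: which station is asking, and for which SSID.

Added example, not from the thread. The sample frames are constructed here,
not captured, and the addresses and network name are made up.
"""
import struct

MGMT_HEADER_LEN = 24          # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
SUBTYPE_PROBE_REQUEST = 4     # management frame, subtype 4
ELEMENT_ID_SSID = 0
ELEMENT_ID_SUPPORTED_RATES = 1


def parse_probe_request(frame: bytes) -> dict:
    """Return {'source', 'randomized_mac', 'ssid'} for one probe request frame.

    Raises ValueError for anything that is not a well-formed probe request.
    """
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("frame shorter than an 802.11 management header")
    fc0 = frame[0]                      # first Frame Control byte
    ftype = (fc0 >> 2) & 0x3            # bits 2-3: type (0 = management)
    subtype = (fc0 >> 4) & 0xF          # bits 4-7: subtype
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQUEST:
        raise ValueError("not a probe request (type=%d subtype=%d)" % (ftype, subtype))

    src = frame[10:16]                  # Address 2: the scanning station
    source = ":".join("%02x" % b for b in src)
    # Bit 0x02 of the first octet is the locally-administered bit; randomized
    # MACs set it, burned-in vendor addresses do not.
    randomized = bool(src[0] & 0x02)

    ssid = None
    body = frame[MGMT_HEADER_LEN:]
    offset = 0
    while offset + 2 <= len(body):      # walk the tagged parameters
        eid, elen = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated information element")
        if eid == ELEMENT_ID_SSID:
            # Length 0 is a wildcard probe ("anyone there?"). Anything else is a
            # directed probe naming a specific, possibly hidden, network.
            ssid = value.decode("utf-8", errors="replace") if elen else ""
            break
        offset += 2 + elen
    if ssid is None:
        raise ValueError("probe request without an SSID element")
    return {"source": source, "randomized_mac": randomized, "ssid": ssid}


def leaks_saved_network(frame: bytes) -> bool:
    """True when the station names a network in its probe (the tracking case)."""
    return parse_probe_request(frame)["ssid"] != ""


def build_probe_request(src: bytes, ssid: bytes) -> bytes:
    """Construct a minimal probe request; used only to make the sample frames."""
    broadcast = b"\xff" * 6
    # FC = 0x40 0x00 (mgmt, subtype 4), duration 0, DA, SA, BSSID, seq 0
    header = struct.pack("<BBH6s6s6sH", 0x40, 0x00, 0, broadcast, src, broadcast, 0)
    ssid_ie = bytes([ELEMENT_ID_SSID, len(ssid)]) + ssid
    rates_ie = bytes([ELEMENT_ID_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + ssid_ie + rates_ie


# Constructed sample frames (not captures); addresses and SSID are made up.
RANDOMIZED_MAC = bytes.fromhex("da1b2c3d4e5f")   # 0xda has the 0x02 bit set
VENDOR_MAC = bytes.fromhex("3c22fbaabbcc")       # 0x3c has it clear
WILDCARD_PROBE = build_probe_request(RANDOMIZED_MAC, b"")
DIRECTED_PROBE = build_probe_request(VENDOR_MAC, b"MARRIOTT 346")

if __name__ == "__main__":
    for name, frame in (("wildcard", WILDCARD_PROBE), ("directed", DIRECTED_PROBE)):
        print(name, parse_probe_request(frame))
```

Run against a real monitor-mode capture you would feed each management frame's raw bytes to parse_probe_request and only keep the ones with a non-empty SSID; on a modern phone with randomization on and no hidden networks saved you should see wildcard probes from locally-administered addresses and nothing else, which is the point apseudonym is making above.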
Considering the store also has video recordings of your face while you sample the lube in aisle 5, you don't need to worry. Even if they have your mac address, that basically only tells them that the same guy keeps coming in every Friday, they presumably don't have anything to link it to. Unless of course you allow Google to track your location, in which case why are you not worried about that way more?

Mar 3, 2024 19:41

BonHair posted:
Considering the store also has video recordings of your face while you sample the lube in aisle 5, you don't need to worry. Even if they have your mac address, that basically only tells them that the same guy keeps coming in every Friday, they presumably don't have anything to link it to. Unless of course you allow Google to track your location, in which case why are you not worried about that way more?

Because that's less likely to be abused than Walmart (or really the company they hire to do it) linking you and giving that info to others?

Mar 3, 2024 20:53

apseudonym posted:
The only APs that were ever broadcast by your phone were for networks with hidden APs (which are dumb and you probably don't have any saved, and if you do -- don't).

Mar 4, 2024 16:23

It reminds me of the "Free Public Wifi" ad-hoc network. If you "connected" to it once, windows would remember and broadcast it forever. Are ad-hoc networks still part of the wifi standard?

Mar 4, 2024 17:34

Guy Axlerod posted:
It reminds me of the "Free Public Wifi" ad-hoc network. If you "connected" to it once, windows would remember and broadcast it forever.

Yes, as of 802.11ax

Mar 4, 2024 18:44