Dex posted: more of a gestalt entity, that pays for poo poo
Hey there, paying for poo poo buddy.
May 4, 2016 13:36

May 22, 2024 13:47
|
Absurd Alhazred posted: If it's the company I think it is then it does in fact stay installed, constantly "suggests" that you buy the full anti-virus, and finds problems like "this web browser you never use has some kind of edge-case vulnerability if you are dumb enough to use it, but if you want us to automatically fix it you'll need to buy our full suite."
To follow up here: this vendor's tool was installing itself and being obnoxious, so we have removed it from the program until they remedy that. We do not want to be recommending tools to our users that result in AV software being installed. Thanks for the report, Absurd!
May 4, 2016 22:06
|
math + commonly used = heuristics No?
May 5, 2016 12:34
|
It is challenging to imagine a more dangerous bug. ring0 RCE, file opening not required... it's gorgeous. Easier and more powerful to exploit than anything malware might otherwise do to infect a machine.
May 17, 2016 03:59
|
22 Eargesplitten posted: TBH in that dude's situation and knowing how likely it would be to lead to the government deciding he was doing unauthorized pen tests, I'd be pretty tempted just to let it go and make it someone else's problem.
Same, and I could fight that suit better than most.
May 18, 2016 00:40
|
Good, maybe someone will go clear out all my unread notifications.
May 18, 2016 14:55
|
Cugel the Clever posted: No--I entered my password on account creation and then it emailed it back to the address I provided. Isn't that particularly awful security policy?
Yes.
May 19, 2016 01:58
|
online friend posted: found your problem
FireEye sure didn't
Jun 5, 2016 13:27
|
I'd also like "persistent" and "transparent". Maybe "patented".
Jun 7, 2016 20:47
|
We're gonna need a bigger toxic chemical fire.
Jun 14, 2016 17:36
|
And capture traffic on the target host so you can detect asymmetric blocks.
Jun 15, 2016 22:58
|
PBS posted: Realistically, what separates lastpass from any other company that I have to place a fair amount of trust in to keep my money/information/etc secure? (If anything beyond the obvious that it stores my passwords for all other services)
If PayPal or your bank get owned, they're going to eat the damages, not you. If LastPass gets owned you might get an apology email. (And as you say, the purpose of the basket is to hold all your eggs.)
Jul 28, 2016 03:13
|
Sickening posted: The bank doesn't eat anything. The sellers of whatever the unauthorized person bought eat them.
If your bank is breached to the extent that there are customer losses, I'm pretty sure they and their insurers are going to write some cheques. But let's say they don't: does that somehow oppose the point I was making?
Jul 28, 2016 03:25
|
Thanks Ants posted: You can always MITM your iPhone traffic and see what the app is doing if you require some confirmation that your passwords aren't being sent to some botnet in China.
As long as they're not trying to hide from that, which is not hard to do. Basically you have to reverse the binary if you want confidence.
Jul 28, 2016 13:51
|
It's much easier to get hostile content into a browser than into an app, and typically that hostile content operates in a more flexible environment (scripting, wide access to system APIs). Faked email, Twitter "viruses", compromised ad networks, takeover of non-https sites on public wifi, site hacking. Even if an app exposes a URL scheme, it tends to be quite narrow. I think WebBT is fine and necessary, but it's definitely a different security landscape from BT-privileged apps.
Aug 16, 2016 14:44
|
EVIL Gibson posted: Apps are sort of the reverse. They are much more vulnerable to trusting the client too much/giving way more information than the client app actually needs or is providing.
No, I'm talking about the way you can launch an fb:// URL on iOS or Android and trigger some action in the Facebook app.
Aug 18, 2016 17:20
|
Rufus Ping posted: or use Signal, which uses exactly the same protocol as WhatsApp (and Google Allo's and Facebook Messenger's e2e modes), and is free, and is open source, and whose users aren't almost exclusively German
And as long as you build from source, you know that you're getting the right thing.
Aug 27, 2016 03:20
|
FeloniousDrunk posted: This PRNG looks reasonable, but under an MIT license. I'm aiming to keep the whole thing in one file.
So keep it in one file. MIT doesn't preclude that. Then delete that file.
Sep 4, 2016 11:29
|
Rufus Ping posted: I like to think I provided a decent amount of actual feedback and criticism before taking the piss out of him
Your wind-up was exemplary.
Sep 5, 2016 15:19
|
Maneki Neko posted: You weren't issued a bottle of hard alcohol for your desk during orientation?
That was probably more than 10 days ago, so he or she is due for a refill. I used to administer a high-visibility bug bounty program ~10 years ago, and I would have given my left pinky to throw the whole mess at HackerOne.
Sep 26, 2016 22:42
|
Mustache Ride posted: I sat in a meeting today, as I have done for many months, asking that 2fa be put on O365. One of the development directors told me today that her team could make their own 2fa solution that could do what the parade of companies my team had brought on were offering.
I'll buy the first round.
Sep 27, 2016 01:18
|
apseudonym posted: I get quoted in articles as a senior engineer that's kinda
They just mean that you're old.
Nov 4, 2016 20:47
|
What's the Yubi story for the new Macs? Will they do some pass through thing so you can still charge your laptop? Maybe there's a TouchID U2F thing?
Nov 7, 2016 15:32
|
Methylethylaldehyde posted: Was it firewire that had the native impossible to fix DMA issue, or was that something people were afraid of with the new Thunderbolt stuff?
Wasn't Firewire, I'm pretty sure. Didn't VT-d block it entirely?
Nov 21, 2016 22:40
|
Can't you just cut the keyboard cable and get access to the USB traces electrically?
Nov 22, 2016 19:37
|
Same, but me logging into your account.
Dec 3, 2016 15:58
|
scott/tiger
Dec 5, 2016 14:44
|
psydude posted: CLAM DOWN made a good and accurate post.
Not the first time, and god willing not the last.
Dec 6, 2016 02:19
|
Every bank I've ever dealt with indemnified against losses from someone compromising your account anyway.
Dec 6, 2016 19:33
|
Some people hire folks who only know what you can learn at school, and then teach them on the job. Dozens, perhaps hundreds of new grads get jobs this way every year.
Dec 8, 2016 23:19
|
Internet Explorer posted: I like my vShield agentless AV... works pretty well and doesn't seem to get in the way.
Don't.
Dec 13, 2016 21:06
|
Internet Explorer posted: I know AV is a bit of a joke, but what do you guys do in your environment? No AV across the board? Not even for user-facing systems? I find that hard to believe.
That was the setup at my previous, large, actively-attacked employer.
Dec 13, 2016 22:27
|
Also internal segmentation, like requiring 2FA to transit from the corp network to development servers. That came in after someone burned a zero-day to target some of our developers, back when humans still ran Java.
Dec 13, 2016 22:41
|
Wiggly Wayne DDS posted: hostile attacker someone or good red team someone
Not a red team. There was a forensics festival, my whole team was invited. (They were targeting my team specifically.)
Dec 13, 2016 22:50
|
Common sense says you tell your users to always, always call IT for support, and make sure that number is routed to a human 24/7.
Dec 14, 2016 01:08
|
Internet Explorer posted: Oh, tell my users to do something? Problem solved then!
It may not be sufficient, but it's a good idea.
Dec 14, 2016 01:27
|
flosofl posted: Sure, but if I'm doing an internal audit or a risk analysis I can only include systems and solutions that are predictable in nature. People exercising common sense or following process would not be one of them.
Your risk analysis has to ignore people, as a class?
Dec 14, 2016 01:50
|
flosofl posted: Well, no. But I'm concerned with stopping them from being self-destructive idiots, not factoring them in as a layer of security.
So you can't have any process elements in the defense model, it all has to be physics and (bug-free) software?
Dec 14, 2016 01:58
|
flosofl posted: I didn't say that, but I'm not relying on "common sense" anymore, am I? I'm constraining behavior through enforceable policy and processes. The people are still an identifiable risk.
But you said you couldn't include anything unpredictable in your analysis, which as you say very much includes people and IME often includes software. So what is predictable enough to include?
Dec 14, 2016 02:10
|
flosofl posted: You're right. You win. I'm done with this stupid argument. Rely on "common sense" if you want.
I'm not suggesting anyone rely on users practicing common sense. My advice was to IT staff, not users at all. I'm just trying to understand what the components of your analysis are, because I'd always understood such analyses to be about identifying and bounding unpredictability.
Dec 14, 2016 02:17