The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
I really like lastpass because its chrome extension auto-adds websites you sign in to, and comes with a handy autofill feature as well.

The iOS app is fine too.


The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Siochain posted:

That segues nicely into my question - corporate password management. Aka - what would you all recommend for our small IT team to track all of our various systems/passwords?

Currently we're just using Keepass, and I'm okay with that, but if there's something better (that's appropriate for a corporate setting), fire me some recommendations.

also lastpass as it turns out, which admittedly makes it inconvenient since I have to sign in/out to access work passwords versus personal passwords.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Internet Explorer posted:

You can share your personal passwords to your work account and a LastPass administrator can't see them. I'm also pretty sure if your work account password gets changed it will break the link to your personal passwords.

Also, since this is the infosec thread you'll likely get a lot of people telling you LastPass is bad, but at the very least turn off the auto-fill that you are talking about. A malicious site can use JavaScript to read what has been entered in a password box without you actually hitting submit.

Oh I know, I am a lastpass administrator :v:

I just like keeping those things separate at least.

As for the autofill, I don't actually mean autofill in the sense it auto-populates forms and fields on every website. I just mean you can click next to the password box and have it populate based on a list of matched saved sites. Big time saver, but I can't imagine it's vulnerable in the same way since the only time you're entering credentials is when you're actually pressing submit, no? Or is there another vulnerability?

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Avenging_Mikon posted:

It's an EU company. The EU is putting into action a law that requires users to accept each individual cookie a website wishes to use, each time you visit that site. I would be very surprised if 1-Party recordings were legal by companies.

:laffo:

the EU continues in their quest to have the most useless and onerous regulatory environment possible

Also no, companies intentionally installing malware on your system is not okay whether it's used or not.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
Can we please talk about anything other than lastpass

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Jeoh posted:

But it ain't DarkTrace levels of pretty.

don't trigger me like this

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
so sticky notes is perhaps not a great idea, but keeping your passwords written down physically in a secure journal and stored nowhere else is probably one of the best things you can do for your password security. Ain't no remote code execution exploits available there.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
the issue isn't that chinese espionage is some huge moral wrong. It's not. Espionage is the prerogative of any sovereign power.

The problem is that they're on the other team, and I don't want a communist autocracy with an ICBM pointed at my continent to win.

The Iron Rose fucked around with this message at 02:12 on Oct 5, 2018

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

ThePagey posted:

I'm pretty deep in this program at this point to do literally anything else, and uh, well, that's the first time anyone's actually told me that certs are useless, but I suppose that makes sense.

Either way, I'm going to keep going with it. How would you recommend someone like me move forward with self-teaching outside of the undergrad/cert programs? I guess what I'm trying to ask is: Is there any way I can self-teach this kind of poo poo without the professional experience a job might provide? I'm down for anything, but the stuff I'd default to (books, labs, working with the commonly used programs/techniques) are more of the same that I'd do when getting a cert.

I'm not exactly worried either way, 'cause I'm pretty confident I can get a job in the field with what I'm getting anyway, but I'd really, really rather not jump into a new role and massively gently caress it up if I can help it.

It's more that you're not asking the right questions. You've never worked in Enterprise IT before and you want to start a consulting firm on practical and effective infosec. You're running before you can walk.

It's not that certs are useless or your education isn't helpful. But all the certs in the world don't mean a thing when you have absolutely no experience about how a business operates at any scale. You're billing yourself as a subject matter expert when you not only don't have expertise, but no relevant work history whatsoever.

Take a few years before launching this and work for literally anybody doing systems or networking, or even desktop support (i.e. not call center helpdesk), whatever. The literal technical skills are only a tiny fraction of this. Way more important is understanding how the work you do affects the day to day operations of the people and companies you support.

The Iron Rose fucked around with this message at 04:11 on Oct 20, 2018

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

BangersInMyKnickers posted:

OSX and iOS are just fine, thank you.

ahahahahahahhahahahahahaha

macOS security in enterprise environments is a pathetic joke


this is literally the company that let you have sudoers access by entering a blank passcode

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Hey maybe they'll make their cloud offering not poo poo now :lol:

Good software but managing that thing was awful and the client was hilariously bad on macs.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
Man I really hope Trump signs that executive order banning Huawei equipment in the US. Connected to a Huawei network before connecting to a VPN like an idiot while travelling and the phishing texts and emails were nearly instantaneous.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Subjunctive posted:

To maybe unfuck the thread a bit: if you have a customer with a regulatory requirement that you run AV, which Windows/Mac AV is least likely to make you wish you’d just cancelled the contract instead?

You can't just stick with MSE for Windows? Doesn't solve your Mac problem but it's about as lightweight as you can get.


I've never seen an antivirus on OSX that didn't cause way more problems than it fixed. Avoid Symantec and McAfee because they're terrible. Cylance is probably fine if you're using their on prem offering, but their cloud av service kinda sucks for management features. Easily the best of the three though.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

incoherent posted:

See I don't know why Trump implied that Huawei is a threat due to state sponsored ties, they could have hammered home how incredibly inept they are.

https://arstechnica.com/information-technology/2019/03/uk-cyber-security-officials-report-huaweis-security-practices-are-a-mess/

In fairness this is always going to be 100% the case at any large organization. I've literally seen these exact problems at every company I've ever worked with.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
If a user stopped me in the halls or asked me at my desk about concerns they have with what we monitor and secure, I was generally very happy to explain what we did, why we did it, and how their privacy was or was not implicated. I've talked people down who were as indignant as you are, Virigoth, and generally by explaining our perspective and how we are constrained by a narrow set of regulatory, legal, and/or compliance directives I was always able to alleviate people's concerns. If you have serious concerns, the best way to learn more is just to ask your security team. Chances are they'll welcome an opportunity to explain their side of what's happening! I'd recommend going in person over dropping an email though, a face-to-face conversation is usually for the better here.

I'd certainly never publish more information than I had to though, or broadly distribute that sort of specific information on how the agent works or our various regulatory/legal/compliance requirements. There's a big difference between explaining honestly to one or two users how things work so they feel more comfortable using their corporate equipment, and explaining that to the whole company. It's simply not appropriate to distribute certain information that widely, and you're just inviting trouble and blowback when 99% of the time nobody's going to notice or care.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

CommieGIR posted:

Found a cool tool for your Pen Testing lab: Generates usernames/passwords for AD:

https://stealingthe.network/rapidly-creating-fake-users-in-your-lab-ad-using-youzer/

I was all "why wouldn't you just write this yourself in PowerShell" until I realized it pulled from real world password lists which is admittedly pretty cool.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Literally a more secure password manager than LastPass

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Raenir Salazar posted:

Is decrypting incidental internet communications illegal in US law?

If you kick back in an internet cafe and collect a bunch of packets and then later on decrypt some of them without acting maliciously with them is that illegal or am I not understanding how networking works and asking a stupid question.

Remember the ethical part in ethical hacking.


Absolutely snooping on people's encrypted traffic is a crime, but it's morally wrong regardless. Don't do anything on a network you don't own or have permission to operate on.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Lain Iwakura posted:

AV isn't the right solution; the issue is super complex and is beyond just dealing with someone's computer or device--as in you're right that it is more than a technical problem.

I've written extensively about this elsewhere but the average person in an abusive situation isn't going to know what to do all the time and as much as I hate AV, it can be an appropriate solution when someone is trying to deal with things the best way they can. I have never found myself having to deal with an abusive adversary who has the means to control my devices, but I cannot discount any of the tools available when dealing with such if it were anyone else.

It's easy for any of us to go and say "AV is bad" but TrendMicro going and saying that it isn't their job unless you pay them all the while offering a carrot on a stick with a free version is really scummy. That is where the "anti-virus is ransomware" remark came from. AV vendors offer this protection because there are companies that don't want to see this garbage software show up on their networks or they want to ensure that it is properly whitelisted. However, since it's often just companies that use it, Trend sees it fit to not bother with making it available to any free user who typically would be at home.

Having worked in the industry, it is unsurprising that this has happened but again their response was loving garbage. I am glad that their social media team is atop of it but still.


Evacide owns.

Premium features = ransomware is a new one to me. Characterizing the free version as a carrot on a stick is also a really weirdly malicious way to talk about a pricing model. Do you object to the idea of paid software altogether? Because otherwise I don't see the distinction between an AV with premium features from software demos, or really any form of tiered capability software sales model to begin with.

but then again I'm not morally outraged that capitalism exists

I'm also really unconvinced that anti-virus programs are an appropriate or effective response to stalking apps.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Lain Iwakura posted:

It isn't an effective response but in the case of a person being abused it's the one case where I won't bat an eye to them attempting to do whatever they can under duress--a rag will suffice as gauze if you find yourself dealing with something that otherwise needs stitches and proper attention and have no other means to deal with things. You will never, ever hear me talking positive about anti-virus but this is one of these edge cases where I will not go after people for suggesting it.

Also while I am not a capitalist (and let's not derail this thread), I understand that under our system that things need money in order to exist and as such things need to be paid for. However, it's a garbage response that the sales rep gave to what the free version covers and at the very least stalkerware and its ilk should be covered by the free version. I have zero issue with spending money myself on products that actually work, but we're dealing with a completely different issue here.

I think they should suggest more effective things to someone being abused to install an antivirus program. I'm not sure the social obligation particularly measures up against, idk, premium rootkit or web execution prevention, or scheduled scans or whatever. To what extent does a product designed to keep people from harm have a social obligation to provide protective services free of charge? And to what extent does it have when it largely doesn't work and there's hundreds of free and paid AV solutions that provide varying feature sets?

I'm certainly not complaining when antivirus providers improve the quality of their free offerings, because however imperfect and flawed they are, millions of people use them and the more protected they are the better we all are - including from stalkerware. I'm glad that social pressure created positive change. But I see words from you and others like ransomware or mafioso style lol, and that's a pretty extreme way of talking about it and I don't think it's deserved.

The Iron Rose fucked around with this message at 04:09 on Aug 9, 2019

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Terrorforge posted:

This may be a bit babytown for this thread, but I'm sick to death of needing 40 passwords, using six and forgetting which one I used every time I get logged out of something. Any recommendations for good, cheap (free?) password managers that I can use on multiple devices?

1password is inexpensive and easy to use and consistently gets high marks from everyone. I particularly like its implementation of shared vaults, which lets me share stuff like an Amazon Prime login or NYT account with family. The browser extension makes it trivial to add logins and you can put your data in a local cake vault for privacy and security.

It also doesn't have the poor history of other password managers like LastPass. There are other free options folks can speak to, but it works great for me.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
rolling your own VPN is also surprisingly easy and cheap. You can toss OpenVPN or IPSec on a cloud VM for a few bucks a month. If you don't have an AWS account you can run it entirely free for 12 months on their free tier.

Here's a cloudformation template that'll do it all for you: https://github.com/UrsysC/Cloudformation-IPSec-VPN


for ad blocking or the like, you can set up a pihole and then point your VPN's DNS server address at that. https://github.com/CloudEric/dnsvpn-cloudformation is another script that can set up both for you.

The Iron Rose fucked around with this message at 20:48 on Aug 29, 2019

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Powered Descent posted:

Very true, and I've done something similar myself at various times. The only real downside of rolling your own VPN on a cloud host is that you lose all ability to "get lost in the crowd": that cloud host is linked to you, and in fact ALL traffic that comes from it will be yours. Websites and advertisers will see its IP and be able to recognize you by it.

Advertisers might be able to recognize it as an IP address within a known range of instance IP addresses - Netflix does this to block EC2 instances - but they certainly aren't able to tie that IP to your real world identity. If you don't have a static IP it'll be constantly changing anyways. And I'd be surprised if many other providers even went that far, it's an eclectic choice for VPNs. RandomAdDomain.com certainly won't be able to tie it to you.

The rest of your post is a fantasy and not really worth engaging with.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Powered Descent posted:

Unless you happen to log in to Facebook or Google or Amazon or wherever else the advertisers happen to dispense their tracking cookies.

Fair enough, but I don't see how a commercial VPN would change that?

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Powered Descent posted:

Traffic from many other people is also coming from that node. The correlation is no longer one-to-one, so they don't know that traffic from this IP is always you. (Besides, a big VPN service probably has hundreds of endpoints you might be connecting through. You could do the same thing for yourself and spin up hundreds of VPSes, but would you?)

Only if you keep the same VM or use an elastic IP, but yes they can certainly tie traffic from that IP address to a new set of browsing data. They can't get your real world identity from just an EC2 IP address though, which is all I'm trying to say.

But you're right, the moment you do log into a service they can associate your real world identity with whatever IP address you choose, so fair enough. I misinterpreted what you were saying as "they can get your real world identity just from a cloud VM IP address" not "if you log into something that exposes your identity and you're the only one who uses this IP address, so they know it was you" which is I guess a distinction without a difference.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
Another day, another reason not to use LastPass


https://www.forbes.com/sites/daveywinder/2019/09/16/google-warns-lastpass-users-were-exposed-to-last-password-credential-leak/amp/

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
What's the actual use case for 32bit Win 10 at this point anyways?

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Tapedump posted:

Common?? Storage driver during installation? F6 and all that? RAID installs?

Gotta say that doesn't fit with the rest of your argument.

Honestly I buy it, at least for networking and storage. For enterprise windows operating system deployments, driver CABs, manual deployments, USB sticks with network drivers are all extremely common. I've had numerous cases where, for example, SCCM didn't properly pull storage/network/video card drivers from a share, or a base image didn't properly include the intel HD card's graphics and nobody notices till they try and connect to a meeting room.

Now, you can make arguments about whether or not that's a Windows problem versus broader architectural issues or administration problems, but I've absolutely had to gently caress with drivers on Windows systems. I don't have nearly as much linux experience so I haven't chimed in on this conversation much... and all my *nix machines are in the cloud anyways where drivers are the last thing I have to deal with.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

PBS posted:

Our security team blocked amazon s3. Care to guess how many sites are horribly broken now?

:laffo:


I don't even know what to say to that

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
I use unbound for my upstream DNS. You can run pihole in one container and unbound on another to make it really easy if you want.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

EVIL Gibson posted:

I wish i could run docker on my systems. vmware/vbox fuggin hates docker running at the same time and vice versa.

Getting hypervisor running then comes in and shits on everything

Just toss it on an EC2 or digital ocean droplet - or heck, run it in ECS! It doesn't need many resources so it should cost you like $5/mo. Latency is a little worse than if you had it on your local network of course, but it's actually not much of a problem once dns records are cached; it's not really noticeable.

you need to limit access to just your public IP address range to secure it but you should be doing that with cloud resources anyways.
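Worked example of the access restriction this post and the roll-your-own-VPN post above both call for (added here; not from the thread or from either linked CloudFormation repository): a small Python checker that reads security-group ingress rules in the shape of the IpPermissions list returned by EC2 DescribeSecurityGroups and flags DNS and VPN ports reachable from anything broader than a single address. The function name audit_ingress, the SERVICE_PORTS table and the 203.0.113.x sample CIDRs are my own constructions.

```python
"""Audit cloud security-group ingress rules for a self-hosted DNS/VPN VM.

Added example, not from the thread. Each rule mirrors one entry of the
IpPermissions list that `aws ec2 describe-security-groups` returns, so
real output can be fed in; the sample groups below are constructed inline
so the script runs offline.
"""
import ipaddress

# Ports the posts above expose on a cloud VM: DNS (pihole/unbound) and VPN.
# Scope is deliberately limited to these; SSH etc. are not checked here.
SERVICE_PORTS = {
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("udp", 1194): "OpenVPN",
    ("udp", 500): "IPsec IKE",
    ("udp", 4500): "IPsec NAT-T",
}


def _rule_ports(rule):
    """Yield the (proto, port) service pairs covered by one rule."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":  # "all traffic" rule: every service port is exposed
        yield from SERVICE_PORTS
        return
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    for p, port in SERVICE_PORTS:
        if p == proto and lo <= port <= hi:
            yield (p, port)


def _rule_sources(rule):
    """Yield every IPv4/IPv6 source CIDR listed on the rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_ingress(ip_permissions, max_hosts=1):
    """Return one finding string per service port open to too broad a source.

    A source CIDR passes only if it covers at most `max_hosts` addresses,
    i.e. a /32 or /128 by default: "just your public IP address".
    """
    findings = []
    for rule in ip_permissions:
        for cidr in _rule_sources(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.num_addresses > max_hosts:
                for proto, port in _rule_ports(rule):
                    name = SERVICE_PORTS[(proto, port)]
                    findings.append(f"{name} {proto}/{port} open to {cidr}")
    return findings


# Constructed sample: the weak group (open resolver, VPN open to a /24),
# then the corrected one that admits a single home address only.
WEAK_GROUP = [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]
FIXED_GROUP = [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
]

if __name__ == "__main__":
    for label, group in (("weak", WEAK_GROUP), ("fixed", FIXED_GROUP)):
        print(label, audit_ingress(group) or ["ok"])
```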

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

klosterdev posted:

"And this is my going-to-America phone"

You laugh, but I have "going to China" hardware and it was pretty tragic I had to do the same travelling to or through the country I was born in. This is a fantastic ruling and a great day for privacy.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

eames posted:

This news would've concerned me 10 years ago when there were no viable alternatives. If 1Password implodes tomorrow from chasing after ROI there are already plenty of options to replace it.

I think the shareholders (founders, early employees) are just looking to cash out a little before they have to compete with much, much larger companies.
Look at what a unique service Dropbox was until the large companies saw that there's a market for it.

It brought about the rise of cheap and easy cloud storage, dramatically reducing the risk of data loss for the average consumer?

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
Lol my bad, I read that as being critical and I apologize!

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

klosterdev posted:

How long until it comes out that Google, Facebook and company actively seek out the data dumps every time this happens

if it's the PDL breach you're talking about they already had that info


it was "just" job histories, emails, social media profiles, phone numbers, and personal data all collated together. problematic obviously but that information is out there and for sale already. they don't need to seek out these data dumps because they've already matched or exceeded it

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
https://www.businessinsider.com/nginx-russian-police-cofounders-f5-networks-2019-12


Might want to hold off for a spell on nginx updates and modules till this shakes out. Smells like a source code grab!

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Sickening posted:

Okay infosec thread. What infosec specific things do you wish your infosec leadership could do better?

I wish people in my organization actually understood PKI and certificates, and I wish that was encouraged by leadership on an organizational level.

I appreciate our infosec's active engagement with staff every time there's a breach and employees' personal data is exposed (not our breaches - lifelabs, Equifax etc)

I am on a personal crusade against shared accounts and I'd like that to be not a personal crusade - leadership should hammer that home during all hands and encourage buy-in from the rest of the company.

Clear policies for travel to high-risk areas like China/Russia/GCC as well as something to say if TSA wants to inspect company data.

Password managers for the whole company.

The Iron Rose fucked around with this message at 18:03 on Dec 19, 2019

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
Monday I get to make a Windows patching infrastructure so that will be awful

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
LastPass is a million times better than not using a password manager at all and even an imperfect solution makes end users massively more safe.


That being said I've heard good things about Dashlane which has a free edition. Having the free version is so important to get people to use one and as much as I love 1password its (extremely inexpensive) subscription cost turns people off.


Fortunately it's trivial to switch password managers so I just get people to change a year in when they've bought into the concept.


The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

D. Ebdrup posted:

Oh right, I'd forgotten about the whole social-engineering part that makes SMS so useless.
Worst part is, because of industry pressure, NIST reneged on their attempts to stop companies from using SMS, by explicitly stating that it wasn't good for MFA purposes.
Why does everything have to be in the service of the least common denominator when it comes to security?

I just wish 2FA was mandatory

The amount of resistance to password managers just kills me

I sound like a broken record player telling everyone to start using one.
