Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Subjunctive posted:

:allears:

That's delightful.

"Look, we know the volume is full of CP, we have detailed scans of your eDonkey share showing it. Now turn over the key so we can tally up how many non-shared images you had and get this sham of a court case over with."
"I forgot the key."
"The hell you did. Cough up or we hold you in contempt indefinitely."


Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

doctorfrog posted:

"My password contains a confession to the crime I am being charged with, therefore it is protected by the fifth amendment."

That would actually be a novel defense, except for the fact that it's been used, and they compelled the person to type it in without knowing what was being typed to avoid disclosing it to law enforcement.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
So if you're setting up a new 100 person office with a 100k budget for server and infrastructure related stuff, how would you go about making the users least likely to get infected or otherwise gently caress up their machines?

The users are a standard cross-section of average American users, from 20 to 60, with at least 10 people too useful to fire, but too stupid to train in any meaningful fashion. They run windows software, need adobe reader, java for a lovely web app, and will revolt if flash isn't installed for their stupid cat.swf email chains that go around.

Things I've seen in this thread so far:
Some form of application white-listing via Applocker or other mechanism to cut down on garbage drivebys
Websense or some form of filtering service to blackhole the known virus sites, and to keep users out of areas of the internet significantly more likely to infect them.
An email filtering service that allows you to disable attachments of arbitrary type, gently caress you invoice.zip.exe
A robust backup system with server snapshots that users can't modify or delete, disable the ability for users to roll back folders, copy/move vss snapshot data only.
A firewall/IDS of some description.
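
One way to implement the attachment rule from the list above, as an added example for this thread (not code from the post or from any mail-filtering product): the rule judges the attachment by the extension Windows will actually execute, so "invoice.zip.exe" is an .exe, strips the Unicode bidi controls used to make "photo[U+202E]gnp.exe" display as photoexe.png, and looks inside zips by member name without extracting them. The blocked-extension list, the member cap, and the sample archive are assumptions constructed for illustration.

```python
"""Attachment-name and archive screening for a mail gateway rule.

Added example for this thread, not code from the post or from any product.
The extension lists and the sample archive are constructed for illustration.
"""
import io
import ntpath
import zipfile

# Extensions that should never arrive as a user attachment (assumed policy list).
BLOCKED_EXT = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".msi", ".lnk", ".jar", ".cpl",
}
# Archives whose member names we screen (zip only, to keep this short).
ARCHIVE_EXT = {".zip"}
# Unicode bidi controls used to make "photo[U+202E]gnp.exe" display as photoexe.png.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
MAX_MEMBERS = 1000   # assumed cap: refuse to walk absurdly large archives


def normalize_name(name: str) -> tuple[str, bool]:
    """Return (lower-cased leaf name without bidi controls, had_bidi_controls).

    Path components are dropped so 'C:\\fake\\dir\\invoice.exe' and
    '../../invoice.exe' are judged by the leaf name alone.
    """
    had_bidi = any(ch in BIDI_CONTROLS for ch in name)
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    # ntpath handles both backslash and forward-slash separators on any OS.
    return ntpath.basename(cleaned.replace("/", "\\")).lower(), had_bidi


def extension_chain(basename: str) -> list[str]:
    """'invoice.zip.exe' -> ['.zip', '.exe']; 'README' -> []."""
    parts = basename.split(".")
    return ["." + p for p in parts[1:] if p]


def verdict_for_name(name: str) -> tuple[bool, str]:
    """Decide on a filename alone. Returns (allowed, reason)."""
    base, had_bidi = normalize_name(name)
    exts = extension_chain(base)
    if had_bidi:
        return False, f"bidi control character in name (real name {base!r})"
    if not exts:
        return False, "no extension; cannot classify"   # assumed policy: block
    final = exts[-1]
    if final in BLOCKED_EXT:
        # The last extension is what Windows executes; 'invoice.zip.exe' is an exe.
        suffix = " (double extension)" if len(exts) > 1 else ""
        return False, f"blocked type {final}{suffix}"
    return True, f"type {final} permitted"


def verdict_for_attachment(name: str, data: bytes) -> tuple[bool, str]:
    """Decide on a filename plus its bytes; zip members are screened by name."""
    allowed, reason = verdict_for_name(name)
    if not allowed:
        return allowed, reason
    base, _ = normalize_name(name)
    if extension_chain(base)[-1] in ARCHIVE_EXT:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return False, "claims to be zip but is not a valid archive"
        if len(members) > MAX_MEMBERS:
            return False, f"archive has {len(members)} members; refusing to screen"
        for member in members:
            if member.endswith("/"):      # directory entry, nothing to execute
                continue
            ok, why = verdict_for_name(member)
            if not ok:
                return False, f"archive member {member!r}: {why}"
    return True, reason


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test fixture: an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.zip.exe", b""),
        ("photo\u202egnp.exe", b""),
        ("q3_report.pdf", b"%PDF-1.4 ..."),
        ("invoice.zip", build_sample_zip({"invoice.pdf.exe": b"MZ..."})),
        ("scans.zip", build_sample_zip({"scan1.pdf": b"%PDF"})),
    ]
    for fname, blob in samples:
        print(f"{fname!r:32} -> {verdict_for_attachment(fname, blob)}")
```

The member check deliberately reads names only: extracting to scan contents would turn a zip bomb into a denial of service against the gateway, so anything the name check cannot clear gets quarantined rather than unpacked. Nested archives and password-protected zips (members visible, contents not) still pass this name check and need a separate policy decision.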

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Kazinsal posted:

That payload was written by some old-school virus/malware guys. Or maybe it's the era of the revival of boot sector viruses.

Either way, that's pretty great. I mean, being hit by something like that sucks, but it's nostalgic as all hell.

Back when viruses were more about being clever and sheer dickishness, vs. today's 'I wonder how I could leverage this into a paycheck' type deals.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Jabor posted:

So it's really just "people might pair their vulnerable devices with a malicious app"?

Aka "no worse than what people can already do"?

Except you don't even need to download an app or pair it, Spotify gets a poisoned ad which autopairs and fucks up whatever it can find with no user effort required.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Dylan16807 posted:

Measuring a password is simple: with every piece you add, consider how unlikely adding that piece was, and be pessimistic. Once you start a famous quote, continuing it is very likely, so it's almost useless to password strength. If you make up your own quote, common words are not very useful, and related words are not very useful.

Your best shot at a secure passphrase is to randomly select words from a list, and then add filler to make it easier to remember. A word list sidesteps the problem of humans being terrible at randomness and at estimating randomness.

Also, a random word is only about as useful as two random characters. The CHBS comic explains that it has 44 bits of entropy. It's not 107. You can't count it like characters, because they're not random characters.

Using the most common 5000 words in the English language covers something like 97% of human speech. If you know it's a pass phrase somehow, you can reduce the possible entropy from 37^65 to 30000^4, going from 'will never be guessed' to 'I sure hope you didn't pick Correct horse battery staple'.

I want to ride my bike -> common sentence, easy to guess, bad passphrase
Lexicon puckin horse linguist -> Doesn't follow English rules, less structured and therefore better entropy, uses words that are uncommon or unique
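
The arithmetic behind the two quoted posts, as an added example for this thread rather than anything from the posters: random-word entropy versus random-character entropy, and a pessimistic scorer for human-chosen phrases that charges a memorised quote as one choice and each other word by the list it was most likely drawn from. The list sizes, the phrase corpus size and the guess rate are assumptions; the word and phrase sets are constructed stand-ins.

```python
"""Passphrase entropy arithmetic, counted the way the post above describes.

Added example for this thread; the phrase scorer is a pessimistic heuristic
written here, not the poster's own method. The word and phrase sets are
constructed stand-ins; only their sizes matter for the arithmetic.
"""
import math

COMMON_LIST_SIZE = 5000          # the post's "most common 5000 words" figure
LARGE_DICT_SIZE = 100_000        # assumed size of a big English word list
KNOWN_PHRASE_CORPUS = 2 ** 20    # assumed ~1M memorised quotes, lyrics, sayings
CHARSET_LOWER_DIGITS_SYMBOLS = 26 + 10 + 32   # printable ASCII minus upper case

# Constructed stand-ins. A real check would load the actual lists.
COMMON_WORDS = set("i want to ride my bike the of and a horse battery staple is".split())
KNOWN_PHRASES = {"i want to ride my bike", "correct horse battery staple"}


def bits_for_random_words(list_size: int, n_words: int) -> float:
    """Entropy when each word is drawn uniformly from a list (diceware style)."""
    return n_words * math.log2(list_size)


def bits_for_random_chars(charset_size: int, n_chars: int) -> float:
    """Entropy when each character is drawn uniformly from the charset."""
    return n_chars * math.log2(charset_size)


def words_equivalent_to_chars(list_size: int, charset_size: int) -> float:
    """How many random characters one random word from the list is worth."""
    return math.log2(list_size) / math.log2(charset_size)


def estimate_phrase_bits(phrase: str) -> float:
    """Pessimistic estimate for a human-chosen phrase.

    Rules, in the order applied:
      1. A memorised sequence counts as ONE choice from the phrase corpus,
         whatever its length: starting a famous quote fixes the rest.
      2. Otherwise each word is charged log2(size of the list it was likely
         drawn from): common words from the 5000-list, anything else from the
         big list. Invented words get no bonus over dictionary words, because
         an attacker's list can contain them too.
    """
    words = phrase.lower().split()
    if " ".join(words) in KNOWN_PHRASES:
        return math.log2(KNOWN_PHRASE_CORPUS)
    bits = 0.0
    for w in words:
        bits += math.log2(COMMON_LIST_SIZE if w in COMMON_WORDS else LARGE_DICT_SIZE)
    return bits


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    cases = {
        "4 words from a 2048-word list (xkcd)": bits_for_random_words(2048, 4),
        "4 words from a 7776-word diceware list": bits_for_random_words(7776, 4),
        "20 random chars, lower+digits+symbols": bits_for_random_chars(CHARSET_LOWER_DIGITS_SYMBOLS, 20),
        "'I want to ride my bike'": estimate_phrase_bits("I want to ride my bike"),
        "'Lexicon puckin horse linguist'": estimate_phrase_bits("Lexicon puckin horse linguist"),
    }
    rate = 1e10   # assumed offline guess rate against a fast hash
    for label, bits in cases.items():
        years = seconds_to_exhaust(bits, rate) / (3600 * 24 * 365)
        print(f"{label:45} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0e} guesses/s")
    print(f"one 2048-list word ~ {words_equivalent_to_chars(2048, 68):.2f} random chars")
```

Two things worth noticing when you run it: four words from the 2048-word list come out to exactly 44 bits, matching the comic, and one such word is worth about 1.8 random characters from a 68-symbol charset, which is the "about two characters" figure in the post. The phrase scorer is only as honest as the lists you feed it; with a real quote corpus and a real frequency list the common-sentence case drops further, never rises.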

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

CLAM DOWN posted:

If you have some form of USB port protection in place, it's not dangerous at all. If you don't, well....

Does the windows built in USB protection prevent DMA type exploits?

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

OSI bean dip posted:

Without somehow exploiting a flaw in the controller itself, DMA-style attacks via USB are not possible (at this time).

Was it firewire that had the native impossible to fix DMA issue, or was that something people were afraid of with the new Thunderbolt stuff?

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

OSI bean dip posted:

What is FDE going to do for you once you're in handcuffs and someone has access to your unlocked computer? Even if you epoxyed the USB ports, whoever has your machine has at least the option to keep smashing keys on the keyboard until they get what they need.

There was a really great example of this, the feds suckerpunched him and yanked the laptop out of his hands then cuffed him. Got all his data.

Now you can buy little wireless dinguses that will auto-lock or force-hibernate or power off your machine if you get more than like 5-10 feet away from it, or you hit the panic button on it.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Internet Explorer posted:

The idea of super-gluing all the USB ports in any company I've ever worked at is hilarious. You'd be laughed out of the room with a suggestion like that. At a place that requires a higher than normal level of security, sure. For most companies though, being that inflexible just isn't politically possible.

Outline the security risks inherent with the various practices in place at the firm, document processes and ways to mitigate those risks, make a presentation to the board/owner, and get them to sign off on whatever they decide on. Blammo, rear end is covered, and if someone decides that a 64 gb flash drive full of tax documents needs to be express mailed to Romania, well that's not on you.

On something like a TS/compartmentalized system, or machines running SCADA for secure facilities, I can totally see getting standard COTS stuff then welding it into a vented crate or adding epoxy to all the ports.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

madmatt112 posted:

Hi all - fun request for y'all.

I need to infect myself with a bot - any bot - so I can analyse it using Snort and practice creating rules and signatures.
Yes, this is for a class. Yes, I want to get infected. Yes I'm using a VM. No I'm not asking you to do my homework - the assignment is the analyzing and signature-creation, not the actual infection.
Surprisingly, I can find tons of "ARE YOU INFECTED - Find out here!" articles, and almost as many "Plx buy botnet C&C software for 5 gorillion bitcoins" sites - neither of which I'm looking for.

Does anyone know where (or ... how) I could intentionally infect myself?

Thanks all for taking the time to read.

Find a sketchy cracks/warez site and just download and install everything you can. I guarantee you'll be chock full of something before the end of an hour's time.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Subjunctive posted:

Haha, they run ads? That's some brazen poo poo.

My Anova has Bluetooth capability I think (there's a symbol on the face) but I've never used it.

I tried it once, saw the app was poo poo, and went back to just manually punching it in.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Thanks Ants posted:

Finding IoT vulnerabilities must just be shooting fish in a barrel at this point.

Morbidly obese fish, in a small batch whisky barrel, that has been fit down the bore of a cannon.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Forgall posted:

So the interpreter process is signed, but code it's loading isn't? How is this problem supposed to be solved correctly?

You can do what Carbon Black does, whitelist all the valid processes, and look for processes spawning poo poo that they shouldn't. If word invokes powershell, you probably hosed up, if outlook launches a bat file, you probably hosed up. Random unsigned programs being downloaded and invoked by Chrome or IE? Nope, block that poo poo.

It seems to work really well at my firm, we basically don't have malware tickets, which is absurd given the 1k+ endpoints we have.
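
The parent/child rules the post describes, as an added example for this thread (written here to illustrate the approach, not Carbon Black's logic or any vendor's rule set): Office apps spawning script hosts or script files, and browsers launching unsigned binaries, with an allowlist of children Office is expected to start. The events are constructed Sysmon-style process-creation records; the "Signed" field is assumed to be added by enrichment, since Sysmon's process-create event does not carry it itself.

```python
"""Parent/child process rules over Sysmon-style process-creation events.

Added example for this thread: the rule set below is written here to
illustrate the approach the post describes, not Carbon Black's logic. The
events are constructed JSON lines with the fields the rules need; "Signed"
is assumed to come from an enrichment step, not from Sysmon itself.
"""
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "iexplore.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_FILE_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta")
# Assumed allowlist: children Office legitimately spawns (print helper, other Office apps).
OFFICE_EXPECTED_CHILDREN = {"splwow64.exe", "outlook.exe", "winword.exe", "excel.exe"}


def _leaf(path: str) -> str:
    """Lower-cased file name from a Windows path, on any OS."""
    return ntpath.basename(path).lower()


def _mentions_script_file(command_line: str) -> bool:
    """True if any command-line token ends in a script extension (cmd /c x.bat)."""
    for token in command_line.replace('"', " ").split():
        if token.lower().endswith(SCRIPT_FILE_EXT):
            return True
    return False


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = fine)."""
    parent = _leaf(event["ParentImage"])
    child = _leaf(event["Image"])
    signed = bool(event.get("Signed", False))
    cmdline = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_APPS:
        if child in SCRIPT_HOSTS:
            hits.append("office_spawned_script_host")
        if _mentions_script_file(cmdline):
            hits.append("office_launched_script_file")
        if child not in SCRIPT_HOSTS and child not in OFFICE_EXPECTED_CHILDREN and not signed:
            hits.append("office_spawned_unsigned_binary")
    if parent in BROWSERS and not signed:
        hits.append("browser_launched_unsigned_binary")
    return hits


def scan(jsonl: str) -> list[dict]:
    """Run every rule over newline-delimited JSON events; return alerts."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            alerts.append({"ProcessId": event["ProcessId"], "rule": rule, "Image": event["Image"]})
    return alerts


# Constructed events, not real telemetry.
SAMPLE_EVENTS = r"""
{"ProcessId": 4201, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "Signed": true}
{"ProcessId": 4202, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.bat", "Signed": true}
{"ProcessId": 4203, "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Users\\jdoe\\Downloads\\setup.exe", "CommandLine": "setup.exe", "Signed": false}
{"ProcessId": 4204, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe", "Signed": true}
{"ProcessId": 4205, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe 12288", "Signed": true}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The point of the allowlist entry is the 4205 event: Word starting splwow64.exe (the 32-bit print helper) is normal and would page someone daily without it, while the same parent starting powershell.exe or cmd.exe with a .bat in the Temp folder is the pattern the post is talking about. In production the allowlist grows from your own baseline, not from a list like this one.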

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

EVIL Gibson posted:

The guy that registered that deactivation domain just registered it because it was a random string they found and didn't connect it (at the time) to a function (which we now know prevents the spread). This was in a tweet he did.

Thinking about it more that was an actual super dangerous thing to do to register a domain without knowing why it's in the malware. It could have been a flag to delete all keys immediately to prevent recovery, a signal to begin ramp up of the spread, or a sign for the malware to constantly mutate itself to prevent pattern based AV.

The Infosec version of the age old trope 'I wonder what this button does?'

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

RFC2324 posted:

So thats why the GIP CE thread freaked out over the pic of Bannon with his exposed.

There's always the jokes about the CAC card, but it's a no joke huge loving issue to lose or to let others use your CAC card. Even letting people see it can be a big issue in some areas.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
Given how often you see XSS exploits and other weird stuff, I'd be extremely hesitant to have your browser touching keepass at all.

You can always make your passwords keyboard friendly, lowercase, numbers and symbols gives you 40 bits with 20ish characters.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
I use my gvoice number and an aliased email address that dumps directly to a spam folder in my main profile, works pretty well.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Furism posted:

Honestly with the certbot tool I don't even understand why LE is doing this. It makes generating and installing new certificates The Right Way extremely easy and in that case I believe people are trading too much of security for convenience.

Why are wildcards so bad?

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
I'll literally be using it to secure a lovely self-hosted webpage and possibly my RDP-gateway server. Possibly an exchange instance if I decide I really do in fact hate myself.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Lain Iwakura posted:

Cylance is crap. If you go with them you'll never be able to talk about how much crap they are.

Any software that comes with a complementary gag order is something you should avoid.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Internet Explorer posted:

If that's all true, not particularly bright of him to be traveling to the US.

More or less, the US has a long memory and a dim view of this kind of thing.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Thanks Ants posted:

Spiceworks are at the initial peak in the dunning-kruger curve, and if I had to pick an emoticon to describe them, I would use :smuggo:

I dunno, :thunk: or :viggo: would also qualify.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Volmarias posted:

It's still pretty awful. Even if you have "identity theft target DO NOT CHANGE ACCOUNT OVER PHONE" and you tell them to require you to say a password, they'll still assign your number to another sim if someone sweet talks them enough. This happened to a co-worker a year ago or so, and the most he got out of them was "oh, oops.". It's perfectly understandable on their end because there's no actual ramifications for them if you can't realistically change networks because only one has adequate coverage of your area.

That said, it's better than nothing, especially for users that don't use password managers, but only barely.

There are SMS to email services you can get, which neatly fixes that issue. No actual human being to sweet talk, no ability to get the sim changed over to a lovely burner phone.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Space Gopher posted:

No. There are known vulnerabilities in SMS and call routing systems that can hijack the SMS before it ever gets to your email gateway. It's been used in the wild to hit bank accounts.

Yep, I knew that was also a thing, but my solution just addressed the 'oh nhoes, I lost my phone, plz gieb new 1 plz'. SMS 2 factor is dogshit and only stops the lowest effort thieves.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Proteus Jones posted:

https://arstechnica.com/tech-policy/2017/10/trumps-doj-tries-to-rebrand-weakened-encryption-as-responsible-encryption/


Nice shell game there trying to make voluntary, opt-in key-escrow equivalent to mandated master-keys for government access.

:fuckoff: you fascist.

Fortunately, this is kind of like trying to put toothpaste back in the tube.

Best possible counterargument: Would these keys be more or less important to keep secure than every American's credit history and identity details, the personnel information of every single government employee, or the NSA's most closely guarded secrets?

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

CLAM DOWN posted:

My personal understanding and use of the acronym "PKI" is that it's more all encompassing and like you said includes the infrastructure for distribution, issuing, etc.

Yeah, PKI is all the backend crap needed to have joe user request a public/private key pair and have it be managed by the organization, or a cert for something, or any kind of managed encryption system.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
"My password is the first 64 bytes of the 3rd file on a flashdrive that was sitting on my desk when you stormed in and siezed everything. You have it somewhere, and I just told you what it is."

Hint: You're still lying.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

AlternateAccount posted:

This requires/assumes that literally every mobile device is compromised on the entire planet. Or are you saying that Google/Apple would comply with requests to turn over such data?

I guarantee they're already being compelled to turn over the data, FISA issues a warrant that says 'give us all this data, or else' and they have a choice of comply and business as usual, or don't and enjoy the consequences. Failing to comply with a FISA warrant can get whatever level director or Chief whatever locked up until they DO comply, almost without limits.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

RFC2324 posted:

My favorites(that aren't public record) is favorite pet or favorite teacher... that changes based on my mood lately.

I always put bullshit answers in then document them in keepass. Favorite Relative: Le Beef Supreme First Pet: Xretus Destroyer of Worlds Hobby: Masturbation Deluxe Phone Password: Kinky Threesome

More than once the customer service rep has asked me for my password with an audible cringe, it's great.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

B-Nasty posted:

That was literally what I said over the phone to a financial organization CSR, which was sufficient to pass the authentication. Proving 2 things: they store them plain-text, and static KBA is more security theater than the TSA's nut grabs.

I always get the executive pat-down after that whole 'lol, hot girl in line, better save those body pics' scandal, and it's fun to shoot the poo poo with the poor TSA guy while he does his thing. If they actually say the whole preamble without loving up I fill out a positive comment card, the poor guys deserve a break between fussy moms and the MUH RADIATION idiots.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Sheep posted:

Forked that so hard.

Fork it, ignore the entire premise, deploy lovely code developed by a HS senior in C, ignore exploits, declare more secure thing.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

The Fool posted:

That man has brought so much entertainment since he moved back stateside.

I forgot just how much a gem John McAfee is, and how much joy he brings to the technology world.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
That would actually be an interesting legal challenge. Pirate a copy in a state that says EULAs are as legally binding as a crayon contract on a beer stained bar napkin, pirate the poo poo out of the software, then sue them the second the passwords are uploaded for CFAA violations, or whatever state level computer crimes you can find.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

CLAM DOWN posted:

Who cares about America, that company fslabs seems to be in the EU so there are much stricter laws over there

Good point, the EU is gonna rip him a new rear end in a top hat as soon as the legal stuff gets started over there.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
Real question time. I use Keepass at work, home, and on my android phone. I want to use 2 factor because any and all of my passwords I can both remember and type on my phone without wanting to kill myself are breakable, what should I get/use, and how does it compare to the 2nd best thing in a similar product space?

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

anthonypants posted:

Dang, how long has it been since we had a good ol "our critical infrastructure is at risk from poor infosec practices" scare

If you're familiar with modern SCADA systems, Stuxnet and related drama, it's a very real concern to have. The systems are very robust, but do exactly what you tell them to, and a great many of them have weak or nonexistent permissions preventing remote modification. Add in the fact that a great many plants have several internet links for out of band management, and poor if any air gapping procedures, and you have a fun target to point at.

Near as I can determine, any generation facility can be damaged if you have access to the SCADA system. You can completely wreck the turbines in a generator facility in a dozen different ways, ranging from 'this is bad' up through 'cheaper to build a new one'. Disabling the turbine or generator bearing oiling mechanism, and spoofing the bearing temp data, disconnecting the breakers and forcing the turbine and genset to fail via overspeed, and a few others that are more complex. Despite costing millions of dollars and taking months to build, they're not exactly super complex devices, and much like the turbo in a car, no oil or going too fast will break it just as surely as if you took a hammer to it. Unlike the turbo in the car, when it comes loose after melting the bearings, it tends to do a great deal of damage, Temple of Doom rolling boulder style to anything around it.


It's a serious as gently caress issue, because you can more or less brown out or black out huge sections of the national grid more or less on a whim if you can damage or destroy 10% of its generation capacity. Not to mention the incredible loss of life and environmental damage if an actual reactor is induced to fail.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

anthonypants posted:

I'm aware, I don't believe it's not a real threat. What I don't believe is that now, today, this time, the people in charge are going to buckle down and do something about it.

It's entirely pageantry to either distract from something, or to advance an agenda by putting it forward. That agenda might actually be 'make these things safer' if we're really lucky! Hell if I know the specifics behind it being done today.

Cup Runneth Over posted:

Don't worry, Trump will just pretend the hack never happened and we won't have to do anything about it.

The lights going out tends to be something harder to wish away.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Maneki Neko posted:

So far all I've seen is DHS people out giving vague guidelines on things or being sticklers about stupid poo poo. Every SCADA system group I've ever interacted with has been engineers from other disciplines that just know enough computer stuff to "get by", heavily leaning on vendors trying to sell you commodity hardware to run a system with a 10-20 year lifespan.

Setting up and implementing a SCADA system is a huge pain in the dick. You basically need to know everything there is to know about how the plant needs to operate, down to the smallest valve and relay, design a system that's able to capture and control all of that, then connect it up in such a way that a sparky who barely knows how to use his phone can't gently caress it all up by plugging the wrong network cable in place, and stay proactive and on top of monitoring, patching and updating the back end network systems.

Exactly no facilities actually do all of that, because it's way easier to leave a dusty old dell in the corner with a network card and CANBUS card and have the vendor remote in to fix things. Or they get sold on the unholy crossbreed of safety critical infrastructure and IoT, cloud managed PLC!


Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

bitprophet posted:

When you're out in a public space, does anything short of "on your person or otherwise within reach/sight" count as physically secured?

"Left with the guard at the kiosk with a receipt issued" would also count, I guess?
