A patient adversary with that access could replace my password manager with their own version and I'd never know the difference.

# Feb 20, 2019 02:02

# May 15, 2024 00:18

Last time I needed to give someone one of those answers, I weirded the poor call center agent right out. "My eldest nephew's name is a 32-character string, which I will now read to you. Please assume all letters are lowercase unless I specifically say they're capital. g as in golf, capital Q as in Quebec, lowercase d as in delta," and so on, and on, and on... and she sounded extremely surprised when it worked.

# Apr 16, 2019 15:16

I could wish the Logitech firmware tool that article suggests was available from a site with a cert signed by a trusted and meticulous CA, and clearly given to Logitech. When I'm already in paranoid mode, a Let's Encrypt cert bothers me.

# Jul 11, 2019 21:25

Sirotan posted:
> We do but it's ServiceNow and I don't hate my users that much.

You will eventually, so why not skip to the endgame? :<

# Jul 16, 2019 22:13

I just went from KeePass to KeePass2 on the desktop and Keepass2Android on my phone. I wasn't unhappy before but I am positively delighted now. Keepass2Android can talk directly to Dropbox, so sync is not an issue at all. I use a key file that isn't in Dropbox, so even if an attacker cracks Dropbox wide open, they'd still have trouble brute-forcing my database. I don't bother with plugins, I just do a lot of tinkering with auto-type strings in Windows, or the Keepass2Android keyboard in Android.

# Dec 1, 2019 21:33

Internet Explorer posted:
> can we please stop pretending that anyone is able to do this whole infosec or uptime thing correctly

I argue that "infosec or uptime" is easy, it's "infosec and uptime" that nobody can manage.

# Jan 22, 2020 20:52

Given that Algo itself doesn't own any of the providers, I'd take that to mean only that your anonymity is only protected so far as Digital Ocean or whoever want to protect it, which is not a factor Algo itself can possibly control.

# Feb 19, 2020 21:55

I thought everyone knew that your computer would broadcast an IP address unless you have several layers of third-party security software installed.

# Apr 2, 2020 18:20

bitprophet posted:
> Thought this was the Infosec thread not the Poorly Roleplaying 1990s Cyberpunk Themes thread?

A distinction without a difference, my hominid.

# Jun 25, 2020 02:45

Head Bee Guy posted:
> Is there a preferred multi factor authentication app?

I just moved my codes from Authenticator Plus to Authy, so I really hope Authy is still recommended.

# Feb 27, 2021 23:04

Hopefully, if employee computers getting subpoenaed is a regular occurrence, they've got plenty more fresh devices to issue.

# Feb 28, 2021 03:01

Defenestrategy posted:
> As part of my role as infosec guy, I've been tasked with doing "employee education", and so every two months I've been putting out a short company newsletter that has broad stroke significant company affecting infosec event summaries, such as successful phishing attempts on employees, or foreign IP logins, etc., as well as an "infosec tip of the day" kind of thing where it outlines a thing to be slightly safer, like enabling MFA or signing emails with PGP, stuff like that.

One good thing that might come of it: an improved internal recruiting program, as junior IT guys read it and think, "hey, that sounds interesting, that's a cool job to which I might aspire." Hah hah who am I kidding, nobody ever promotes internally.

# Mar 4, 2021 21:52

I think that when you get to a certain size, "not publicly accessible" stops being real meaningful. If 20k people have access to your internal network, how safe can it be?

# May 26, 2021 22:12

Oysters Autobio posted:
> Is there a way to like, easily generate/manage throwaway emails that can all forward to one account, but can then be deleted or "disconnected" if spammed/compromised? It seems like more and more these days maybe it makes sense to treat usernames almost as a credential too, and I want to keep my "real name" email address for more professional things. Unless someone has ideas on how to make a socially acceptable / professional personal email address that isn't full name, but also isn't "bostonbruinsfan2314234@gmail.com" for or in-person things (like when asked for email for like, car rentals and stuff, I don't want to give them an email with my name on it but I also am embarrassed to give them some video gamer handle or something.)

I have a vanity domain hosted at fastmail.com for my personal email, and when I have to register for a site that I'd rather didn't have my real email, I just register a new alias with the name of the site @ my vanity domain. IIRC unlimited aliases are included in the basic plan, and I suspect that's common since it's not like they take up a lot of compute cycles.

# Jul 16, 2021 17:46

Getting an Oracle Solaris cert in late 2021 probably gives you a strong inside track on a lot of jobs you absolutely do not want.

# Oct 7, 2021 16:44

Ssh can retrain ciphers, can't it? In an age of slower processors, I always liked the idea of speeding up sftp transfers by handling auth in a highly secure fashion and then changing to no encryption to move data faster. Today I assume the encryption is pretty much free, so there's no reason to bother.

# Feb 10, 2022 04:40

Achmed Jones posted:
> You're holding it wrong. They aren't supposed to "harden servers to cis l2", they're supposed to "create all servers from FOO puppet template" (which happens to be hardened to that level). You don't throw policy at workers, you throw implementations at them that security practitioners (and/or legal) have confirmed conform to the policies.

Strong agreement here. Doesn't have to be Puppet, obviously, but if you really care about it being exactly right every time, a checklist is never going to be half as satisfactory as code.

# Oct 19, 2022 17:46

I PM'd 3DES once and told it that its mom was fat, but it never answered.

# Oct 23, 2022 03:51

Sickening posted:
> Apparently HR reached out to me today because another employee cursed my name so many times in the previous days that they set off teams communication policies that sent alerts to HR.

I am not sure I have ever been this jealous of a fellow IT professional.

# Aug 16, 2023 19:41

BonHair posted:
> Okay, I made a bad post I guess, but can someone make me a better person by explaining why?

Junior people shouldn't be resolving conflicts, they should be identifying them and helping people initiate a process. They don't have the authority to make an exception and they don't have the standing to force compliance, so asking them to resolve anything is a waste of time and talent. The expectation should be that they provide people with information about security policy, identified vulnerabilities, exception policies, etc., and gather job experience while keeping the simple stuff off the desks of senior engineers and management.

# Aug 21, 2023 19:30

Methylethylaldehyde posted:
> On the flip side, lovely people in the org love to go directly to the most junior person they can find with the permissions needed to do the wildly dumb thing they want. I've worked with total doormats who would just get harangued until they folded, time and time again, even after coaching and being told 'if this person ever talks to you again, you get me RIGHT AWAY, understand?'.

You can ask "tell me about a time when you stood up to pressure in the workplace," but for junior candidates, responses will be all over the place. You need the right sort of work experience to have an answer, and you can't expect junior people to have it. I mean, I would probably settle for, "This one time a guy was so upset about the amount of ketchup on his burger that I had to silently nod at his abuse for eight minutes until my manager came out front," but it's not going to translate directly.

To Methylethylaldehyde's post about juniors caving, if any of my team did that, they'd get some intensive mentoring, and then a performance improvement plan, and then a good solid firing. If you're too timid to do your job when I'm sitting here supporting you in doing it, you need a different line of work.

# Aug 21, 2023 21:58

We never codified our rubrics, but we did agree on them as part of the process of determining which questions we wanted to ask everyone. Asking ourselves why we wanted to ask a question and what answers we were looking for was very instructive. There were some questions we started out liking, but which turned out to telegraph the answers. If the rubric starts to sound like, "see if the candidate can't take the hint or is obviously lying when they do take it," see if you can't find a better question.

# Aug 22, 2023 05:40

wargames posted:
> I don't see how it could get worse, unless you need a Splunk cert to get the license.

Oh, I think you aren't digging nearly as deep as a properly desperate executive. Just imagine it. "We've heard some customers complain that our pricing model is difficult for them to manage due to fluctuating ingest bandwidth needs. We've decided to make a more flexible set of options built around Splunk Infrastructure Credits (SICs) which can be used for ingest-based or a new capacity-based licensing model. Telemetry in new editions of Splunk will phone home and tell us how many SICs you're using, and you'll be billed accordingly. We'll be publishing the details of SIC calculations in the future."

# Sep 21, 2023 15:48

Blinkz0rz posted:
> If you want to lead an infosec program your job won't have much to do with the day to day of security. At that level, your job is fundamentally communicating and agreeing on risk management strategies. The key to succeeding at that level is understanding that your job isn't to secure the company, it's to align with the business on the risks it is willing to accept in order to operate.

That is really well put.

# Jan 15, 2024 21:21

BonHair posted:
> Yeah, step one of compliance should always be "what do we actually need?", followed by "what's the first step to actually getting there in a realistic way?". Way too many people start at maximum everything, to be implemented in 6 months. Without bothering anyone else. Both tech and legal types in compliance tend to forget to look at the big picture and context.

One of my favorite sections of The Phoenix Project is the one where the new CTO, who is basically an avatar of IT competence, tells the security guy who's convinced he's the lone prophet of IT best practice that most of his pushes for better security are completely irrelevant, and walks him through all the non-IT controls that make the security guy's cherished worst case scenarios impossible. I started out feeling bad for the poor security guy, so seeing him yanked up short like that was also an eye-opener for me.

# Feb 29, 2024 22:38

Why such small storage? I've never understood that given how cheap gigabytes of memory have become.

# May 8, 2024 15:51