kalstrams posted:0day posting

# ¿ Apr 8, 2016 19:23

w o w

# ¿ Apr 27, 2016 13:46

minivanmegafun posted:a friend of mine broke her ankle and is TSA pre check approved and just went through hell at Newark because crutches might have explosives or something? crutches are hollow also security theater

# ¿ May 9, 2016 00:55

real sec talk: what's the right way to handle app secrets? it used to be you'd inject them as env vars for the user running your application but that's still really vulnerable because if the box gets owned your db creds are leaked. we're investigating using hashicorp vault but i can't help but think this is a solved problem already and we're just reinventing the wheel

# ¿ Jun 28, 2016 13:20

ErIog posted:Umm.. why's your poo poo logging into a db directly from a client? Isn't that kind of a no no? uh what the gently caress are you talking about? of course db access is sitting behind an api. client in this case refers to a service or set of services. the goal in my case is the most secure way of delivering the connection string to an ec2 instance so the app hosted on it can use it to access a database e: everything is behind a private subnet with restrictive security groups. it's more a question of how to federate access to secrets in such a way that they're not available to all apps, including those that might not need them. case in point, we have a service that needs cassandra credentials and one that needs mysql creds. there's no reason the app that needs c* creds should ever be able to get mysql creds. Blinkz0rz fucked around with this message at 14:40 on Jun 28, 2016
# ¿ Jun 28, 2016 14:38

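The post above describes the property a secrets broker has to enforce: each service identity can fetch only the secrets its policy allows, the credential it gets is a short-lived one minted per lease rather than the long-lived root credential, and a lease can be revoked or expired independently. The sketch below is an added example written for this thread, not code from the poster or from Vault; the service names, bootstrap tokens, `FakeDatabase` stand-in and `POLICY` table are all constructed, and in a real deployment the client identity would come from the platform (instance or workload identity) instead of a token literal.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed bootstrap tokens, one per service identity (placeholder values).
SERVICE_TOKENS = {
    "orders-api": "tok-orders-0123456789abcdef",
    "analytics":  "tok-analytics-fedcba9876543210",
}

# Policy: identity -> set of secret paths it may read. Everything else is denied.
POLICY = {
    "orders-api": {"db/mysql/orders"},
    "analytics":  {"db/cassandra/events"},
}

class FakeDatabase:
    """Stand-in for an admin connection to MySQL/Cassandra (constructed)."""
    def __init__(self, name):
        self.name = name
        self.users = {}
    def create_user(self, user, password):
        self.users[user] = password
    def drop_user(self, user):
        self.users.pop(user, None)

# Backends keyed by secret path; only the broker holds the admin connection.
BACKENDS = {
    "db/mysql/orders":     FakeDatabase("mysql"),
    "db/cassandra/events": FakeDatabase("cassandra"),
}

class AccessDenied(Exception):
    pass

@dataclass
class Lease:
    lease_id: str
    identity: str
    path: str
    username: str
    password: str
    expires_at: float

class SecretsBroker:
    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self.leases = {}
        self.audit = []             # (decision, identity, path) for review/detection

    def authenticate(self, token):
        # Constant-time comparison against each known token; unknown -> denied.
        for identity, expected in SERVICE_TOKENS.items():
            if hmac.compare_digest(token, expected):
                return identity
        raise AccessDenied("unknown client token")

    def read(self, token, path):
        """Mint a per-lease DB credential if policy allows identity -> path."""
        identity = self.authenticate(token)
        if path not in POLICY.get(identity, set()):
            self.audit.append(("deny", identity, path))
            raise AccessDenied(f"{identity} may not read {path}")
        db = BACKENDS[path]
        # Unique user per lease: the app never sees the root credential.
        username = f"v_{identity}_{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(24)
        db.create_user(username, password)
        lease = Lease(secrets.token_hex(8), identity, path, username, password,
                      self.clock() + self.ttl)
        self.leases[lease.lease_id] = lease
        self.audit.append(("allow", identity, path))
        return lease

    def revoke(self, lease_id):
        lease = self.leases.pop(lease_id, None)
        if lease is None:
            return False
        BACKENDS[lease.path].drop_user(lease.username)
        return True

    def expire(self):
        """Revoke every lease past its TTL (run periodically); returns the count."""
        now = self.clock()
        stale = [lid for lid, l in self.leases.items() if l.expires_at <= now]
        for lid in stale:
            self.revoke(lid)
        return len(stale)

def demo():
    """Cassandra app gets its own creds, cannot read MySQL creds, lease expires."""
    t = [0.0]
    broker = SecretsBroker(ttl_seconds=60, clock=lambda: t[0])
    lease = broker.read(SERVICE_TOKENS["analytics"], "db/cassandra/events")
    granted = lease.username in BACKENDS["db/cassandra/events"].users
    try:
        broker.read(SERVICE_TOKENS["analytics"], "db/mysql/orders")
        cross_read_blocked = False
    except AccessDenied:
        cross_read_blocked = True
    t[0] = 61.0                      # advance the fake clock past the TTL
    expired = broker.expire()
    user_gone = lease.username not in BACKENDS["db/cassandra/events"].users
    return granted, cross_read_blocked, expired, user_gone, broker.audit

if __name__ == "__main__":
    print(demo())
```

The point of the dynamic user per lease is that a compromised box only yields a credential that is already scoped to one backend and dies with the lease; the audit list is what you would ship to detection, since a service requesting a path outside its policy is a useful signal on its own.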
jony ive aces posted:define them as constants in each app's config.php file don't trigger me plz

# ¿ Jun 28, 2016 15:50

Cocoa Crispies posted:use PKI to allocate, rotate, and revoke per-instance client certificates; auth secrets don't move over the network, each client can be revoked or rotated independently, and your server config can be just validate clients are signed by the CA and acceptable by OCSP that still doesn't really solve the problem because the app has to query the db somehow. we've thought about putting another dal app in front that handles cert validation, auth, etc. but that's a huge bottleneck even if we scale horizontally and doesn't buy us anything over temporary credentials like vault does.

# ¿ Jun 28, 2016 20:10

Subjunctive posted:Yeah, we can push a config change to those 10e5+ systems in under 2 minutes, or the whole thing would fall apart. idk if you can share but it'd be cool to know how fb does infrastructure. we use a golden image model but it still takes between 15-20 minutes to bake an ami from mvn release to ami available even though a lot of it is resolving artifacts from nexus and tests. the downside to this is that if we need to make low level changes to the whole fleet everything has to be rebaked and that takes a bunch of time and coordination. are you guys doing anything similar or is it a whole different model?

# ¿ Jun 30, 2016 11:58

Volmarias posted:So should I be concerned, or aroused, or both, or what? mainly aroused imo because a bug bounty program worked perfectly and the company paid out without any issue

# ¿ Jul 24, 2016 16:28

Parallel Paraplegic posted:why does nobody in the world understand how to do regex right because regex is terrible

# ¿ Jul 27, 2016 15:55

not to doxx myself but corp communications just emailed the company telling us to look for our logo in the new bourne movie and it gave me a hearty lol

# ¿ Jul 30, 2016 13:07

BeOSPOS posted:are you the bad guys in the movie? i'm tommy lee jones

# ¿ Jul 30, 2016 14:24

Subjunctive posted:I guess my order of priorities are: (appless) RF convenience, then keypad for other users, then the IoT control via zwave or zigbee or whatever, then logging and monitoring and break-in sirens and poo poo. I'll find the home automation thread, thanks all for the reassurance that locks all suck so I might as well go for convenience. what's wrong with a key?

# ¿ Jul 31, 2016 21:23

VikingofRock posted:YOSPOS › Security Fuckup Megathread - v12.1.6 - The security aspect of cyber is very, very tough

# ¿ Sep 27, 2016 14:20

Shinku ABOOKEN posted:BLOGMYTITS k

# ¿ Oct 15, 2016 16:51

idk if he's well known but i met jason chan who's the director of cloud security at netflix at reinvent and the poo poo they're doing is so loving ownage i want to work there so bad

# ¿ Dec 4, 2016 20:27

Maximum Leader posted:in america you can vote without an id. hosed up but true. people on reddit will actually defend this. if it costs money in your state to get an idea then gently caress yeah you should be able to vote without an id poll taxes are illegal hth

# ¿ Dec 6, 2016 15:41

is there a secfuck thread approved, not-poo poo, consumer-grade networking hardware list floating around?

# ¿ Dec 29, 2016 18:08

ratbert90 posted:You know how I said I like Ubiquiti products. well i'm sold

# ¿ Dec 29, 2016 21:57

but realtalk i'm stuck with a fios modem/router and i don't want to do nat bridging or any of that poo poo, just want a reliable, secure router with a strong wifi radio that i can use as an app to extend my network

# ¿ Dec 29, 2016 21:58

ate all the Oreos posted:i have a fios modem/router and the modem doesn't actually care if you're using the router, i'm pretty sure all i had to do was clone the MAC address on the WAN port and the modem happily connected to it and gave it a public IP. the FIOS router is also responsible for routing the coax data stuff for the TV part of FiOS but it seems perfectly fine with doing that while behind my router (on a separate network segment just for good measure) i did that with an older buffalo router with tomato on it and remembering to redo some of the settings if the modem restarted was a huge pain. i'm sure someone figured out a better way but honestly

# ¿ Dec 29, 2016 23:19