> Lain Iwakura posted: https://twitter.com/KateLibc/status/958478170604290048

noice. also sorry for making GBS threads up the last thread

# Jan 31, 2018 01:03

# May 18, 2024 01:29

> Doccykins posted: Whilst the forums were down Matt Hancock, the guy responsible for the Department of Digital, Culture, Media and Sport in the UK released his own social media platform called 'Matt Hancock MP'. It is, of course, full of privacy issues lol

so that app download landing page has this as allow in robots.txt: https://matt-hancock.disciplemedia.com/user/sign_in fuckin why?

# Feb 1, 2018 17:27

> geonetix posted: is anyone going to RSA2018 or is it worth going at all?

only if you can mass-goatse the con

# Feb 13, 2018 08:36

ahaha holy poo poo. surely that violates the apple store tos or something?

# Feb 13, 2018 13:34

just checked and yeah that's deffo what google does. the images are cached and then loaded via something like https://mail.google.com/mail/u/0/?u...38b17&zw&atsh=1 edit: that link is from one of my e-mails but it disnae matter as they require auth

# Feb 14, 2018 13:05

from what i observed google only fetches when you open the message. there's zero reason for them to retrieve and cache images upon message receipt because i'm pretty sure the gmail app doesn't download messages by default so why bother when the user may immediately archive/delete the message?

# Feb 14, 2018 15:04

secfuck: i joined a union recently and upon receiving my membership details i found i was unable to log in to their website. reset password wasn't working so i e-mailed my rep who changed my password to "<SURNAME>.123!" and e-mailed it to me in the clear. then when i logged in it did not force me to change it. a shameful display

# Feb 16, 2018 16:58

> Wiggly Wayne DDS posted: see if you can organise the userbase into convincing them to fix this

yeah that's a good idea, thanks. i already replied to my rep advising how their current poo poo is garbage but if they don't improve things i'll start reaching out to membership. CHANGE FROM WITHIN, MOTHERFUCKERSSSSS

# Feb 16, 2018 17:16

> infernal machines posted: as someone who provides services to a couple of union locals, let me assure you, unless you stop them from doing so the average member will make their password <surname><membership number>

lol great, the two things readily available on your membership card

# Feb 16, 2018 17:39

p sure that dingus is a troll or a legit shill

# Feb 16, 2018 19:10

what the gently caress is "Brave" in the context of that greydingus?

# Feb 16, 2018 20:09

work secfuck: just discovered that some idiot hell fucker has configured ACEs at the root of the AD domain which allow auth users (aka almost everyone) to write properties on all computer objects and join computers to the domain

# Feb 22, 2018 05:06

> CareyB posted: That was my suspicion. It would be good to know if the enterprise version is in fact as vulnerable as the free version. We've got 1password on our shortlist too however it looks to be a fair bit more work to maintain our end which is where lastpass seems to have it beat, but obviously day to day productivity isn't the only factor here....

i'd bet dollars to donuts that the free and enterprise versions of lastpass share the same codebase and have the same vulnerabilities. of course that's besides the point because the primary problem is the organisation behind the software. as others have already mentioned they have an abysmal track record when it comes to security and have not really shown any improvements. basically they cannot be trusted to handle things properly.

# Feb 23, 2018 14:49

> Soricidus posted: “shut up haters I loving wrote the wiki on the thermal properties of wax” - icarus

# Mar 5, 2018 10:34

just gonna put my garbage tweet(s) here. tl;dr my bank is garbage https://twitter.com/GarbageDotNet/status/971327709170167808

# Mar 7, 2018 11:32

> Lysidas posted: i give it a 50 50 chance they "fix" it by also opting out of the ssl labs scan

actually my bad i should have linked further down the thread. they're embedding JS from a third-party ad server on the fuckin internet banking login page lol https://twitter.com/GarbageDotNet/status/971330728645443584

# Mar 7, 2018 17:20

put on your 3d glasses now

# Mar 8, 2018 02:33

the fact that they do it on every page including ones where you enter or view sensitive info is pretty fuckin greasy

# Mar 9, 2018 07:27

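The check a defender would run against their own banking pages for the problem described in the last two posts (third-party script tags on pages that handle sensitive data). This is an added example, not code from the thread; the page bodies and the first-party host name `bank.example` are constructed placeholders, and in practice the HTML would come from `Invoke-WebRequest` against your own site.

```powershell
# Added example: report every third-party <script src> origin loaded by each page.
# The HTML snippets and the host 'bank.example' are constructed for illustration.
$firstPartyHost = 'bank.example'

$pages = @{
    '/login'   = '<html><head><script src="https://bank.example/js/app.js"></script><script src="https://ads.example-adserver.net/tag.js"></script></head></html>'
    '/balance' = '<html><body><script src="/js/ui.js"></script><script src="//cdn.example-adserver.net/pixel.js"></script></body></html>'
    '/help'    = '<html><body><script src="https://bank.example/js/help.js"></script></body></html>'
}

function Get-ThirdPartyScriptHosts {
    param([string]$Html, [string]$FirstPartyHost)
    # Match src="..." or src='...' on <script> tags, case-insensitively.
    $found = [regex]::Matches($Html, '<script[^>]+src\s*=\s*["'']([^"'']+)["'']', 'IgnoreCase')
    foreach ($m in $found) {
        $src = $m.Groups[1].Value
        if ($src.StartsWith('//')) { $src = 'https:' + $src }   # protocol-relative URL
        if ($src -notmatch '^https?://') { continue }            # relative path: served first-party
        $uri = [uri]$src
        # Anything not on the first-party host or one of its subdomains is third-party.
        if ($uri.Host -ne $FirstPartyHost -and -not $uri.Host.EndsWith(".$FirstPartyHost")) {
            $uri.Host
        }
    }
}

foreach ($path in ($pages.Keys | Sort-Object)) {
    $hosts = Get-ThirdPartyScriptHosts -Html $pages[$path] -FirstPartyHost $firstPartyHost | Sort-Object -Unique
    if ($hosts) { '{0}: loads script from {1}' -f $path, ($hosts -join ', ') }
    else        { '{0}: first-party scripts only' -f $path }
}
```

On the constructed input this flags `/login` and `/balance` and clears `/help`. The corresponding mitigation on the server side is a Content-Security-Policy with `script-src 'self'` (plus explicitly listed origins you actually need), so a stray ad tag on an authenticated page is blocked by the browser rather than discovered by a scan.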
> spankmeister posted: Insufficient Bank Security

# Mar 9, 2018 09:07

i pay nothing to use my bank and pretty much always have (only fee i've ever had to pay was the FID tax that was a couple of cents a year but they got rid of the FID tax aeons ago). sure i've only got a single savings account but it suits my needs and i get a chip+pin mastercard debit card that has that NFC stuff in it and i've never encountered any fees p much ever.

# Mar 9, 2018 13:42

> sadus posted: anyone ever mess with disabling specific TLS Extensions in SChannel like Session Ticket, is that even a thing (I'm guessing not)? Yay auditors thinking it would be a great use of time to nitpick Microsoft's TLS implementation beyond just locking down specific ciphers and protocols.

pretty sure we have one resident schannel pro, i shamefully cannot remember but they posted nice cipher suite lists plus recommended ECC curve combos, was very handy

# Mar 13, 2018 14:45

> BangersInMyKnickers posted: Hi. That is me.

ty bangers and sorry for forgetting you!!!

> infernal machines posted: holy loving poo poo!

no (well maybe but how?) but samba operates its own LDAP server to interface with an AD DC and this is where the issue occurs (correct me if i'm wrong). from what i understand the issue is that in AD "change password" and "reset password" privileges are secured differently for obvious reasons however the samba LDAP server conflates the two and fucks up the extended right security checks.

# Mar 13, 2018 16:40

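Both the domain-root ACE secfuck a few posts up (Authenticated Users able to write properties on computer objects and join machines) and the change-password versus reset-password distinction in the Samba post come down to what the domain root's DACL grants to broad principals. The audit below is an added example, not from the thread: it reads the root ACL through the `AD:` drive the RSAT ActiveDirectory module provides, keeps only allow ACEs held by Authenticated Users, Everyone or BUILTIN\Users that carry write-class rights, and decodes the two password extended-right GUIDs and the computer class GUID so the output reads as the post describes it. The principal list is an assumption you should extend (e.g. Domain Users) to match your environment.

```powershell
# Added example: list write-class rights granted to broad principals on the domain root.
# Requires RSAT / the ActiveDirectory module, which registers the AD: PSDrive.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

# Principals that should not hold write rights at the root; extend for your environment (assumption).
$broadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')

# Well-known schema GUIDs: the two password extended rights AD keeps separate, and the computer class.
$knownGuids = @{
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'User-Change-Password (caller supplies old password)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (reset, no old password)'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer objects'
}

# Rights that let a principal create objects, write attributes, use control rights or rewrite the DACL.
$riskyMask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild,WriteProperty,ExtendedRight,GenericAll,WriteDacl'

function Describe-Guid {
    param([guid]$Guid, [string]$EmptyMeans)
    if ($Guid -eq [guid]::Empty)               { return $EmptyMeans }
    if ($knownGuids.ContainsKey("$Guid"))      { return $knownGuids["$Guid"] }
    return "$Guid"
}

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
    if (([int]$ace.ActiveDirectoryRights -band $riskyMask) -eq 0) { continue }
    [pscustomobject]@{
        Principal   = $ace.IdentityReference.Value
        Rights      = $ace.ActiveDirectoryRights
        # ObjectType narrows the ACE to one attribute/right; InheritedObjectType narrows it to one class.
        What        = Describe-Guid -Guid $ace.ObjectType -EmptyMeans 'all attributes/rights'
        AppliesTo   = Describe-Guid -Guid $ace.InheritedObjectType -EmptyMeans 'this object and all descendants'
        Inheritance = $ace.InheritanceType
    }
}

$findings | Format-Table -AutoSize

# Domain join by ordinary users is also governed by this attribute (default 10; 0 turns it off).
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

An ACE that shows `WriteProperty` for `NT AUTHORITY\Authenticated Users` with `AppliesTo = computer objects` and descendant inheritance is exactly the misconfiguration in the post; a healthy root normally shows those principals with read-class rights only, which the mask filters out.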
i'd never trust anything other than a windows server DC to provide domain services, simply because everything else out there seems to fail in spectacular ways at things which are very simple. for example, the AD schema clearly outlines object and attribute associations as well as the typing of the values for attributes. attributes which accept integers are either typed as "Integer" (int32) or "LongInteger" (int64). CA (the company) provides an entire suite of software which integrates with AD as an IAM solution. however in their infinite wisdom they've ignored the schema and just decided on arbitrary types for attribute values. this really fucks poo poo up when you want to, say, set an exchange recipient type value which is an int64 but the CA garbage only accepts int32 for some idiotic reason.

# Mar 13, 2018 17:24

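The typing the post refers to lives in the schema partition: each attributeSchema object carries an `attributeSyntax` OID (2.5.5.9 is Integer/Enumeration, int32; 2.5.5.16 is LargeInteger/Interval, int64). The script below is an added example, not from the thread, that looks those up with the ActiveDirectory module so an integration can be checked against the schema rather than a vendor's assumption. `msExchRecipientTypeDetails` (int64) and `msExchRecipientDisplayType` (int32) only exist once the Exchange schema extensions are installed, which the function reports rather than failing on.

```powershell
# Added example: read integer typing for attributes straight from the AD schema.
# Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# attributeSyntax OID -> type (subset of the AD syntax table relevant here)
$syntaxMap = @{
    '2.5.5.9'  = 'Integer / Enumeration (int32)'
    '2.5.5.16' = 'LargeInteger / Interval (int64)'
    '2.5.5.8'  = 'Boolean'
    '2.5.5.12' = 'Unicode string'
}

function Get-AttributeSyntax {
    param([string[]]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $LdapDisplayName) {
        $attr = Get-ADObject -SearchBase $schemaNC `
                             -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
                             -Properties attributeSyntax, oMSyntax, isSingleValued
        if (-not $attr) {
            # e.g. msExch* attributes on a forest without the Exchange schema extensions
            [pscustomobject]@{ Attribute = $name; SyntaxOID = $null; Syntax = 'not in schema'; oMSyntax = $null; SingleValued = $null }
            continue
        }
        [pscustomobject]@{
            Attribute    = $name
            SyntaxOID    = $attr.attributeSyntax
            Syntax       = if ($syntaxMap.ContainsKey($attr.attributeSyntax)) { $syntaxMap[$attr.attributeSyntax] } else { 'other' }
            oMSyntax     = $attr.oMSyntax
            SingleValued = $attr.isSingleValued
        }
    }
}

# The Exchange recipient type attribute is the int64 case from the post; the other two are int32.
Get-AttributeSyntax -LdapDisplayName msExchRecipientTypeDetails, msExchRecipientDisplayType, uidNumber |
    Format-Table -AutoSize
```

Anything reporting `2.5.5.16` must be written with a 64-bit value (in .NET, `System.Int64`; over LDAP, the decimal string of the full value); a tool that caps the field at int32 will reject or silently truncate the larger recipient type values, which is the failure the post describes.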
yeah if your linux doesn't do SSSD then whatever samba can do would be an acceptable fallback seeing as NIS is deprecated

# Mar 13, 2018 17:32

> infernal machines posted: yes, AD sync to azure cloud actually works pretty well

can confirm, AADC sync is smooth as gently caress. however if you want to enable password change in the cloud with federation then you'll need to pay for an AAD P1 subscription, that's how they get you (probably, idk just buy ECS which is Enterprise E3 plus EMS E3 for gently caress all)

# Mar 13, 2018 17:41

> Shaggar posted: yeah its such bullshit that password change and security auditing is in P1 and not included in E1 or E3

i like how they put the really useful security features in E5. our sec ops lead is always asking "hey can we use this?" and my answer is usually "no we're not licensed for it lollll"

> NEED MORE MILK posted: isn't there a free azure tier?

"azure" and "azure AD" are two different beasts. afaik there's no AAD P1 or EMS E3 trial.

# Mar 13, 2018 17:46

yep that will work fine.

# Mar 13, 2018 17:50

> Shaggar posted: it really feels like extortion when they hide basic security stuff behind a higher plan level. I'm implementing some of it myself (poorly) cause I refuse to pay the absurd price to get a P1 for everyone.

it's funny our customer recently outsourced SOC (Security Operations Centre) to a BPO (lol yeah i know) and the first complaint i got from them was that the on-prem SIEM appliance wasn't getting logs from O365. the dudes at the BPO just assumed we were using the actual "SIEM integration" feature with Cloud App Security but yeah i had to tell them "lol nope, we're not licensed for that and are just smashing APIs for logs". kind of a critique on how garbage BPOs are but also how microsoft try to make you pay for stuff. if you google "office 365 siem integration" the first results are for the E5 feature so the whole thing's a rort.

# Mar 13, 2018 18:02

the new Graph API looks p sw8, been meaning to find time to gently caress with that for a while now. apparently that's where microsoft are going to push all o365+services and seccom reporting to. also looks like a faster method of querying some of the more expensive exchange cmdlets (Get-MailboxStatistics, Get-MailboxFolderStatistics, etc.) sorry i'm making GBS threads up the sec gently caress thread with msft stuff i'll stop now

> Tankakern posted: nice fud

# Mar 13, 2018 18:08

break a leg!!!

# Mar 13, 2018 18:25

nvm

# Mar 13, 2018 18:39

yeah logs are still available via syslog from azure, just the auth is a bit more involved.

# Mar 13, 2018 19:26

wd cari for surviving the talk, excellently presented imo.

# Mar 13, 2018 19:29

that's a good fishmech, two pages late and no one cares

# Mar 13, 2018 20:01

no i actually like a lot of fIshmech's posts, like in the transport thread. that post i had to quote because it was so bad

# Mar 13, 2018 20:17

> NEED MORE MILK posted: im a big fan of how ntfs and windows can have file paths of like 2.5 trillion characters but explorer is still limited to 255

not to overuse this but

# Mar 13, 2018 21:18

dumb nerds are just using words they saw in video games and lazy portmanteaus

# Mar 15, 2018 14:47

the MO of anyone allowed to post content to a sharepoint site really. also uploading images that don't have a 1:1 aspect ratio and then get squished all up and poo poo.

# Mar 15, 2018 19:04

> BangersInMyKnickers posted: DH implementations aren't looking so hot these days so I'd probably drop them entirely for ECDH, there are very few clients that support DH that don't also support ECDH and if it's legacy, RSA is still an ok fallback. We'll see what's going on with curve availability, hopefully MS starts adding some additional modern curves instead of just x25519

i disabled DH on several of our servers because as i understand you can't change DH params with schannel so disabling DH is the only way to mitigate that DH vulnerability whose name escapes me.

# Mar 16, 2018 02:30

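A way to see what the two posts above are talking about on a given Windows box: which enabled SChannel cipher suites still negotiate finite-field DHE (as opposed to ECDHE), and what DH floor SChannel is configured with. This is an added example, not from the thread. `Get-TlsCipherSuite` and `Disable-TlsCipherSuite` are the built-in TLS module cmdlets (Windows 10 / Server 2016 and later); the `ServerMinKeyBitLength`, `ClientMinKeyBitLength` and `Enabled` values under the SCHANNEL `KeyExchangeAlgorithms\Diffie-Hellman` key are the documented registry knobs for DH key-exchange, read here without being changed.

```powershell
# Added example: audit finite-field DHE in SChannel (read-only; the disable step is commented out).

function Get-DheCipherSuites {
    # Finite-field DHE suites carry "_DHE_" in their IANA name; ECDHE suites ("_ECDHE_") do not match.
    Get-TlsCipherSuite | Where-Object { $_.Name -match '_DHE_' } |
        Select-Object Name, Exchange, Cipher, Hash, Protocols
}

function Get-DhKeyExchangeSettings {
    # Smallest DH group SChannel will negotiate as server/client, and whether DH is enabled at all.
    # Values absent from the registry mean the OS default applies.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerMinKeyBitLength = if ($null -ne $props.ServerMinKeyBitLength) { $props.ServerMinKeyBitLength } else { '(default)' }
        ClientMinKeyBitLength = if ($null -ne $props.ClientMinKeyBitLength) { $props.ClientMinKeyBitLength } else { '(default)' }
        DiffieHellmanEnabled  = if ($null -ne $props.Enabled) { [bool]$props.Enabled } else { '(default: enabled)' }
    }
}

'Enabled finite-field DHE cipher suites:'
Get-DheCipherSuites | Format-Table -AutoSize

'DH key-exchange settings:'
Get-DhKeyExchangeSettings | Format-List

# Removing a DHE suite from the negotiable list (run elevated; takes effect after a reboot):
#   Disable-TlsCipherSuite -Name 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
# Setting Enabled = 0 under the Diffie-Hellman key above is the blunt "disable DH" switch the post describes.
```

An empty first table means every remaining key exchange is ECDHE or RSA, which is the end state the quoted post recommends; if DHE suites are still listed, the min-key-bit-length values tell you what group size a client can force before you decide between raising the floor and dropping DHE outright.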
> ate all the Oreos posted: as far as i know:

what about password safe? it doesn't get mentioned much because honestly it has little in the way of features compared to keepass but i use it because i'm a simpleton and apparently it's not terrible?

# Mar 20, 2018 11:19