Cornelius_Wangenheim @ Cornelius_Wangenheim @lemmy.world

Posts

0

Comments

569

Joined

2 yr. ago

Laws and courts do not exist as ends in and of themselves. They're tools created to serve a greater purpose, namely to discourage and stop bad behavior. If the tool is failing at its primary purpose, it deserves criticism.

Responding to criticisms about how the courts work with "but that's how the courts work" is missing the point.

Yes, I'm aware of the failings of the US civil court system and the fact they try to boil everything down to a dollar value instead of actually making the victim whole again.

It was a defamation suit. Of course the goal is to shut him up and make him stop defaming his victims. The judgement is just the means to do that. Prioritizing the judgement over removing the tool he used to defame the aggrieved party is asinine.

It's mostly the responsibility of the client to build defense in depth. If is a straight shot from your Solarwinds server to your ADFS server, where the SAML signing keys are stored, that's your fault, not Solarwinds or Microsoft. Well, I would still blame Solarwinds, because they were encouraging horribly insecure practices, like doing "agentless" monitoring using a highly privileged account.

In this case, yes, not letting a SAML assertion signed by the ADFS server authenticate to Azure reduces defense in depth. But if you're at the point where your authentication servers have been compromised, you're already so turbo-fucked that it's very unlikely a wall like that would stop an attacker for long.

USB devices have a hard coded vendor identifier and product identifier built into them that are issued from a central authority. The ones I saw were easily identifiable as not legitimate mice.

Oof, that was painful to read as someone in cybersecurity. I respect ProPublica, but they have no idea what they're talking about.

The Solarwinds hack was caused by Solarwinds being absolutely god awful at cybersecurity. The password to their update server was "solarwinds123", which we know because they accidentally published it in a public Github repo. The company is a complete and utter clown show.

As for Golden SAML, almost nobody in cybersecurity would consider it a vulnerability. It's just a fundamental part of how asymmetric cryptography works. HTTPS suffers from the same issue. If your private key gets stolen and used to forge signatures, the problem is you not properly protecting it, not the technology requiring you to keep it secret.

A more valid complaint is that Microsoft has been neglecting their on-prem software in favor of Azure. There are tons of security features that they've added to Azure that will probably never make their way to ADFS or Exchange.

I've been the one identifying the people who use jigglers. Usually it was a manager coming to us to look for a reason to fire a poor employee or a contractor trying to bill a suspiciously large number of hours for the work produced. If it was just poor performance, HR would make us do a PIP and waste 3 months on them. Violating security procedures and falsifying time sheets was an immediate termination. And for the contractors, you need evidence in order to refuse payment.

Btw, if you want to get away with it, don't use a software or USB one. Get one that interfaces with a regular mouse. Modern cybersecurity software logs every process executed and device connected.

Eh, maybe after they added the NPC icons to the map. At launch, there was basically zero chance you'd complete any NPC quests on your own.

There is no BIOS anymore. It's all UEFI, which is massively fatter and more complex. Being fat and complex, they have plenty of security vulnerabilities that need to be patched.

Because the alternative is people getting compromised and getting their computer crypto locked, accounts stolen or their bank account drained.

The idea is that you spread the knowledge to others and occasionally do something about some of them, even if it's only a small contribution.

Dubbing?

I just wish it had less zany YouTube BS. I'd like to send it to my mother, but there's zero chance she would take it seriously.

What exactly makes you think they were ever great tools?

They've always been a thing in Texas. The difference is now it moves around and the rest of you get to experience the miserable heat as well.

What ever happened to the Chocolatier game he announced?

That's really only true if your target audience has the memory of a lead-addled boomer.

Fully worth the $10 I throw them every month.

Except everyone wants to have their own launcher and they all want to register background services that chew up resources constantly and do god knows what.

No they weren't. They gave trump a 33% chance of winning and successfully predicted how he could win.