GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

Notices

  1. Kate Temkin ❤️ (ktemkin@chaos.social)'s status on Monday, 11-Dec-2023 04:02:34 JST

    I swear, half the CVEs I hear about are “if your computer is connected to the internet and someone sends you a text message, they now have your power of attorney”

    and the other half is “if a trained thief were to sneak into your house and replace your hard drive with an identical copy, an attacker with an exact predictive model of that drive could interrogate the SSD wear leveling algorithm and reduce the search space for your bitlocker password by up to 12 bits _without you even noticing_”

    • Haelwenn /элвэн/ :triskell:, iced depresso and silverwizard like this.
    • timthelion (timthelion@emacs.ch)'s status on Monday, 11-Dec-2023 08:23:04 JST

      @ktemkin You forgot the 30% of CVEs which are 'if you turn on these three flags that were deprecated in 2009 and point your program at a non trusted server the program would run slightly slower. LOOK ITS A DOS ATTACK CAN I PLEEZZ HAVE A CVE ON MY RESUME PLZZ!!!!'

      Haelwenn /элвэн/ :triskell: likes this.
    • mcv (mcv@nerdica.net)'s status on Monday, 11-Dec-2023 08:23:51 JST
      I once had pen testers report that the data to our application could be compromised if hackers managed to get write access to the server it was on. I said if they had that access, compromised data was the least of our worries.
      Haelwenn /элвэн/ :triskell: likes this.
    • Rich Felker (dalias@hachyderm.io)'s status on Monday, 11-Dec-2023 08:25:00 JST, in reply to mcv and Zimmie

      @bob_zim @mcv Firewalls/routers also have no access to any data only minimal metadata, unless you're doing something horribly wrong. I would classify an attacker getting root on them as DoS or in the case of firewall, slightly more favorable ground to launch further attacks from, not critical.

      Haelwenn /элвэн/ :triskell: likes this.
    • Zimmie (bob_zim@infosec.exchange)'s status on Monday, 11-Dec-2023 08:25:01 JST, in reply to mcv

      @mcv I had to fight that fight when Spectre/Meltdown were the shiny new flaws. “We need you to prove the firewalls and routers aren’t vulnerable to Spectre/Meltdown!”

      That whole class of flaw requires the ability to run code on the target system. If somebody who isn’t on my team can run *any* code on our firewalls and routers, we have much bigger problems.

    • fedops 💙💛 (fedops@fosstodon.org)'s status on Tuesday, 12-Dec-2023 06:34:05 JST, in reply to mcv, Rich Felker and Zimmie

      @dalias perfectly illustrates the schism in IT security orgs. This has been normalized in recent years, basically because people are out of ideas how to prevent phishing attacks from succeeding on completely patched endpoints.
      @bob_zim @mcv

      GreenSkyOverMe (Monika) repeated this.
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 12-Dec-2023 06:34:05 JST, in reply to fedops 💙💛, mcv and Zimmie

      @fedops @bob_zim @mcv By (1) not having employees possess phishable authentication secrets, and (2) not using a common communication medium for org-internal and outside-facing comms. This is not rocket surgery.

    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 12-Dec-2023 06:34:06 JST, in reply to fedops 💙💛, mcv and Zimmie

      @fedops @bob_zim @mcv I call those middleboxes not firewalls, but whatever you call them, in my book their presence is a critical in the audit report. 😈

    • fedops 💙💛 (fedops@fosstodon.org)'s status on Tuesday, 12-Dec-2023 06:34:07 JST, in reply to mcv, Rich Felker and Zimmie

      @dalias every corporate firewall I've seen in recent years is configured to break open TLS streams and inspect the contents. So I think it's fair to say that firewalls are the single most valuable point of attack in the network.

      Or indeed outside of your network as the same is true for zscaler.
      @bob_zim @mcv

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.