
munin

@munin@infosec.exchange

Trans techwitch, and the keeper of many curses. Abyssal domain expert. Infosec by trade. Definitely NSFW brain. Sex work is work; all workers deserve the protection of unions. She like a storm; they like a conference. Neurospicy as hell and loving it.


munin , to random

I am -extremely- looking forward to when the technical details about this are published, because if these guarantees can be remotely assured, that is going to be absofuckinglutely amazing

https://security.apple.com/blog/private-cloud-compute/

specifically, the telemetry that is "purpose-built to deterministically provide only a small, restricted set of operational metrics to SRE staff" is......I may possibly be in love.

jerry , to random

So much Wi-Fi enabled smart shit in this world. Why can’t I have a condensate pump that tells me when the drain line is clogged or running slower than normal?

munin ,

@jerry cuz you have to instrument the drain line for that to work, and that is a difficult task to do reliably

munin ,

@jerry

this makes the assumption the drain area is going to be wet all the time.

Drains aren't meant to be wet all the time, so any float-based system is going to suffer from intermittent wet-dry cycles and cause failures over time; this sensor will then become an expensive maintenance item.

jerry , to random

I was thinking that the new omniscient AIs can tell sentiment and mood. What if we don’t let people log in unless they are in a good mood? Log them out if they get into a bad mood.

What if email systems could send real time feedback to the sender in the faces you made while reading their diarrhea of the fingers?

munin ,

@jerry that proposal's been made in last gen, with facial surveillance.

jerry , to random

To those people who are coming at me about security training - at best, it reduces the problem, but doesn’t come close to eliminating it. And you’ve not lived until you have a person who opened the wrong email being skewered by senior management, who insists the whole thing was their fault, after all, “they took the training”

No, I am not on that train. It is part of a program, but it is NOT a security control. I will die on this hill.

munin ,

@jerry

Expecting non security personnel to act as an unmitigated part of a security program is a violation of separation of duties. Prove me wrong.

bontchev , to random

Would anyone have problems with Recall if it worked exactly as it does now but was delivered turned off by default and displayed a clear warning about the risks involved if the user tried to turn it on?

I mean, there are probably valid use cases for it, if you know what you're doing. If I remember correctly, there is an OSINT tool that does something similar about your browser, so that you don't forget or misplace some piece of information you've stumbled upon while investigating a case.

munin ,

@bontchev yes I would have had many problems, as this still has the whole threat surface for domestic abuse even with those conditions.

jerry , to random

Surely there’s a way to make mid 6 figures by playing with puppies and kittens???

munin ,

@jerry

alas, apparently all the billionaires live lives bereft of animal companionship

futurebird , to random

Is there a good resource or book for learning about some of the details of how webservers work?

For example if I want an IP address on an intranet to be a webpage that people on that intranet can go to... how would I set that up from scratch. Let's say I have a machine with a static IP on the local net... (but what I really also need to understand is how a static IP is established locally, a DNS?)

Maybe the dream book or resource doesn't exist. But I ask anyway.

(it's macs if that matters)

munin ,

@futurebird

so the classic text to understand all of this is https://en.wikipedia.org/wiki/TCP/IP_Illustrated

It's....a Lot.

Breaking your question down into more manageable chunks, the things that you're going to want to learn for this are:

  • DHCP, which is how "a machine on the network" becomes "a machine with an IP address"
  • DNS, which has multiple parts: the recursive resolver part, which has both server and client parts, and the authoritative server part, which is what tells the world "the machine available on this IP address has this name"
  • NAT - network access tables, which is how multiple machines on a LAN can share an IP that's addressed externally
    ( this is a -huge- pain in the ass tho, and once you learn it you'll see why all of us who do this as a job typically rent space on a VPS provider to do this )
  • IP routing, which is how the computer at one address can find the computer at the other address
  • HTTP, the protocol used to serve webpages
  • HTTP servers - there's several, but if you want to learn the nitty gritty of how they work, you'll want to learn a programming language - python and rust are both very popular choices that are frequently used for this - and "build a simple webserver" is a common tutorial for both of them

There's also TLS certificates and firewalling stuff, but that can wait until after you have an understanding of those other elements.
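As an added illustration of the HTTP and "build a simple webserver" items in the reply above (example code, not from the thread or its participants): a minimal HTTP/1.1 responder in Python that parses the request line, answers with a status line, headers and body, and binds to a constructed LAN address. The listen address is an assumption for the example, not a real host; on a real intranet it would be the machine's static IP or DHCP reservation, and the hostname people type would come from the DNS pieces the reply lists.

```python
"""Minimal HTTP/1.1 responder (added example, not code from the thread).
Shows the wire format behind "HTTP, the protocol used to serve webpages":
request line + headers + blank line in, status line + headers + body out.
"""
import socket

# Constructed address for the example (TEST-NET-1 range, never a real host).
# A real intranet box would use its static IP or DHCP reservation here.
LISTEN_ADDR = ("192.0.2.10", 8080)

PAGES = {"/": b"<h1>hello from the intranet</h1>\n"}


def build_response(status: str, body: bytes, content_type: str = "text/html") -> bytes:
    """Assemble a complete HTTP/1.1 response; Content-Length lets the client stop reading."""
    head = (f"HTTP/1.1 {status}\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + body


def handle_request(raw: bytes) -> bytes:
    """Parse one raw HTTP request and return the full response bytes."""
    try:
        head, _, _ = raw.partition(b"\r\n\r\n")          # headers end at the blank line
        request_line = head.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")   # e.g. "GET / HTTP/1.1"
    except (UnicodeDecodeError, ValueError):
        return build_response("400 Bad Request", b"bad request\n", "text/plain")
    if not version.startswith("HTTP/1."):
        return build_response("505 HTTP Version Not Supported", b"", "text/plain")
    if method != "GET":
        return build_response("405 Method Not Allowed", b"", "text/plain")
    body = PAGES.get(target)
    if body is None:
        return build_response("404 Not Found", b"no such page\n", "text/plain")
    return build_response("200 OK", body)


def serve(addr=LISTEN_ADDR):
    """Accept one connection at a time and answer it; reachable only on the bound LAN address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(addr)
        srv.listen(5)
        while True:
            conn, _peer = srv.accept()
            with conn:
                conn.sendall(handle_request(conn.recv(65536)))


if __name__ == "__main__":
    serve()
```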

munin , to random

One of the more convenient bits about normalizing my expectations of business operations to soc2 and other pertinent standards is that when a company's being asinine, my complaint comes with citations and footnotes to prove that they're asinine.

munin OP ,

Companies do not give the weight of a possum shit on a newspaper to the likes of 'ethics' or 'civil behavior' but -compliance- means you can -force- the issue.

munin OP ,

Y'ever think about how 'ai' posting is normalized to business-acceptable language 'cuz the lawyers won't let the robot swear?

So working blue is an effective fuckin' signal of authenticity, in a way.

munin OP ,

This cements shitposting as the most -human- of arts :3

munin OP ,

"can you weaponize the scunthorpe problem"

munin OP ,

just love to live in a world where "the robots are going to steal my words, my face, and my voice, and use those to scam my friends" is now an -actual threat model- that can be addressed by things like "counting the fingers and teeth in a picture", "refusing to ever answer a phone call", "swearing constantly" which are all now -adaptive behaviors-

munin , to random

Holy shit: ING bank has a means of validating, through their app - so, a trusted, mutually authenticated channel - whether or not the person who has called you is -actually a bank employee-

"If you really have an ING employee on the line, the screen shows their name or their department name. Via the green bar at the top, you can go back to the conversation."

https://www.ing.nl/particulier/english/fraud-and-safe-banking/check-the-call

This is -beautiful- and I want -every- other institution to implement this, holy shit.

munin , to random

......hey so if you're in a chat session with someone in a two party recording state and MS recall logs the transactions, does that put you in violation of wiretapping laws?

jerry , to random

Time to file a patent to mine Recall on corporate fleets to help companies monitor employee efficiency. And then sue anyone that tries to do this.

munin ,

@jerry ......can you file a patent for a criminal activity?

munin ,

@fcktheworld587 @jerry

Take it a step further and license your patent to victims for a peppercorn to give them grounds for lawsuits.

munin ,

@jerry @fcktheworld587

I'm still going to want to hear from a patent lawyer but this could lead to amusing places.

jerry , to random

The new Recall feature is a good reason to remind everyone to not do personal shit on your work computer. Please.

munin ,

@jerry

Structural unsafety cannot be addressed by individual choice.

cstross , to random

Microsoft Recall in Windows 11: in what way can this be POSSIBLY compliant with the requirements of GDPR?

(Same goes for Office365 requiring autosave to stash files in OneDrive, and Outlook slurping all your emails into Microsoft's cloud and using them for AI training.)

munin ,

@cstross

speaking as a compliance professional,

it sure the fuck cannot. It constitutes data gathering outside of the stated purpose of the system and is prima-facie noncompliant with GDPR and -multiple- other compliance regimes.

tho my personal problem with it stems from its inherent abusive characteristics - https://infosec.exchange/@munin/112480357946214139

munin , to random

Hey so,

This windows recall thing?

Enables domestic abuse.

munin OP ,

Like, flat-out.

This 'feature' means that someone in an abusive relationship now has a canonized part of the OS monitoring their activities that can be then invoked and studied by the abuser.

jerry , to random

Why is everyone talking about bears lately?

munin ,

@jerry they're an NP-hard problem - you can't tell ahead of time whether or not something's going to halt, or whether it bears repeating

jerry , to random

Well, I've had a completely ridiculous number of people DMing me on LinkedIn... Since I just announced that I am leaving, are they wishing me well? no

Are they offering me jobs? no
Are they making funny llama jokes? well, some of them
Are they mostly trying to meet with me so they can sell stuff to my (soon to be) former employer? absolutely

I guess it's too hard to program their DM spam bots to see if the person they are spamming just announced they are getting the boot.

munin ,

@jerry ......why bother tho? spambots are munitions to be expended, not something valuable to be maintained.

munin ,

@jerry I mean.......they're not -people- to be -avoided-; they're -accounts- that exist to spam and the expectation by the operator is that the account will be shut down quickly.

jerry , to random

Maybe we all broke Reddit. Not just me.

munin ,

@jerry so

Reddit blew it?
