Posts by MissingSecurity

Re: Perplexing

Quite a few of us, and your right to point, its not going to replace FB and twitter, but I've never met a marketing team that doesn't want "social" interaction at work. I think this is to justify calling it collboration, instead of pointless.

It's not really colboration, its part of the new office change where everyone is everyone's best friend, and makes for excellent smoke screen about workplace happiness. After all, if it "feels" like a social network we must all collborate.

It really isn't productivity at all. Company chat, Email, Calanarding, filesharing, etc are collaboration, but really if it intended use was to keep people abreast of anything, you could just add an RSS feed.

Personally, I think its just a data mining thing for Office 365. I just wonder how long before MS starts selling your corporate data to the highest bidder, or when the TOS change to include Ad's based on your socal history in Office 365.

Re: That's a capital sin in our office...

@bpfh I thought this was universal sysadmin behavior? At first its a test, than its just considered on-going training.

Re: Cost?

Except there tends to be a large cost assocaiated with it, unless your dealing P2P Encryption devices which are completely devoid of your network infrastrucutre. For instance:

Take a new merchant installing software for the first time, lets say its a SME with 300-700 people.

There is a good chance that:

1) The have no one trained on security nor staffed by security.

2) Don't have the network configured properly for PCI.

3) Are about to scream at the software vender when they need to improve the network.

So lets start by the first most obvious and basic requirement. A firewall. Now, most companies have one at the edge but not all have two or three doing DMZ work. If the only have one you have really three choices.:

1) Segregrate off a port on the current one (If you have the ability too, I'm thnking UTM's) works ok for smaller deployments,

2) Purchase another FW for DMZ (A requirement for PCI, but more than I care to explain)

3) Bring in a separte ISP line and add a firewall.

Were trying to keep it cheap so lets say we have a FW in place and have ports we can use off the FW for DMZ work and segregration requirements. Right now were running on our admin time (a cost I'd assocate with any project). We now must consider our servers.

Physical servers are actually less complex regarding PCI IMO, but even smaller SME are virtualized so this tends to be either an additional cost in hardware, or we need to go through the process of configuring our Virtual Environment, which with virtual you run into the problem of PCI servers and non pci servers on the same hardware. (Larger facilities can afford to have dedicated VM hosts for PCI VM's, SME don't really.)

I could keep going on this, I see it every day. We havn't even got into the cost of having a QSA come in, or the added requriements for remote access (most SME's I come accross don't use two-factor) and being SME's with no security professional or trained staff they don't have:

1) An Information Security Charter

2) Don't perform risk assessment, vulnerablity assesments, or gap analysis

3) Have no method for Incident Response

4) Have piss poor physical access

5) Have no documentation on log analysis, network maps, etc

So,cost tends to be a big point.

Re: Simple advice for Nadella

What the need is to make it just work for the customer, while making it feel cool.

Than the need the tools behind it to make sysadmins lives easier to manage it, making us more willing to adopt it into out networks.

Right now, the don't do either, and try to tac on cloud as a solution to shitty development.

Re: There's a damn good reason XP is still in such wide use.

I still trying to figure out why the IT world still thinks standalone desktops are going to be the norm for the next 10-15 years. It would be more likely that between the push to cloud (or what is essientally the re-invention of mainframe computing) and virtual infrastruction improvments even CADD Junkies, Renders, and source code cowboy's will be hard pressed to argue the power of computering on servers vs local high end systems.

I know right now about about 60% of my office could be on tablets/laptops/etc and have no need for a standalone setup, and if we had the infrastrucutre the other 40% wouldn't need there high systems either.

Hell, I only fire up my fat box when I need to check something in WIndows, but between my Tablet, Laptop, and phone I pretty much have my environment covered.

Re: Fish in barrels @ I ain't Spartacus

My perspecitive from SME's being sold on cloud is: ACCESS ANYTHING ANYWHERE. Which sound really great right? Until we remever that most companies probably had this ability already and thier staff (if they had any) had little knowledge or support on the matter. On top of it, most SME's run into the "Oh, our data is safe in the cloud" syndrome, when looking at any contract's for cloud service backup services, regional seperation, and archiving are additional costs.

Granted SME's tend to run on a lot of risk that largely they are unaware of, and the big things that work effectively as cloud services (Email, Calandaring, Chat) are a lot less mission critical for SME's since uptime is less of a factor.

I don't know why you where downvoted, but from my perspective (and since we have quite the number BOFH's here) for what most SME's are getting from there cloud solution it's usually missing a shit ton from what BOFH understand should be there.

Re: US ZIP codes are hardy personally identifiable

Regardless, PII for most legally defined cases include a Mailing Address, because it can be linked to you in some way. It's less about how accurate it is on its own and more to do with the ability to take broad pieces of information and provide an acurate decription of you, your location, or for contact.

The case seems pointless unless the three can prove that Apple:

1) Sold the information

2) If it was collected when not required. I don't know, how one would judge using it for security, even if the CC companies don't require you collect it.

Re: I am unsubscribing from your mailing list!

It's more likely that ISO 7 is just fucking around with developers and the way they design interfaces.

There is no logic is MS forcing Nokia to pull HERE in sutle ploy to get them to move WP8. First fanbois are not going to up and switch for this. Not only is it web base and easily access, you also have googles maps which will work for much of anyhting needed.

Also while MS wants to grow its moblie devices, it's still a software company, and I don't know why you'd sacrafice software market penetration (IE a popular maps app on IOS devices) be taking the risk of pushing the software into absurcirty.

HERE might be good, but its not the "killer" app MS needs for device switching. Its more of a "you need this app to even conisder looking at the phone." Granted they could have just as easily partnered with google for that <---------- Last line is a snowballs chance in hell..

Re: "Apple's iPhone Plant"

I read it as Apple had someone on the inside and Apple was just letting us know that thier guy didn't do the killing. I think work is getting to me...

Re: This is actually a work force training device

I don't know ... compared to the dreadful office staples around here, Fisher Price in the cubical industry might be a good thing. I could really use a bouncy chair with an attachedable arm that holds my tablet.

Re: Nasty Blackmail @ rm -rf/ @ Alan Brown

I don't by that BS anymore. Yes the internet is a hostile environment with loads of shit heads and assholes with nothing better to do that degrade their fellow humans. It also has civil and honest people who give a shit. Congrates the internet is a digital society.

These women didn't post on the site. Even if they took the photographs that doesn't give assholes the right to post it on the web and take it a step further by posting the details on top of the backmailL.

You're blaming the victims by even using the internet as an excuse for this. Just don't Privacy is social construct one that can just as easily be applied to the internet. If you have a reasonable expectation of privacy in your home, you should also be allowed to have it for site trying to protect your data. You don't change that fact because the method for peaking on someone is less risky.

Re: Google arnt stealing my data...

Don't kid yourself. Google is an ad giant who only creates "free" products to sell you more ad's. These platforms offer you the consumer a means to want to keep using it. There is no other way their business model would work out.

Yes, we feel we're gaining something by having these services, but in reality you're just locking yourself into Google's tech. It certianly is bloody convienent and on top of that they do provide good user expereinces, but on the whole they are in a way becoming worse than Microsoft.

Microsoft's definatly not the good guy here, they just were late to game and are struggling to catch up, but I would be cautious of any unwavering support of any company thats goal is to keep you tied to there services only.

All in all, I don't mind the attempt, certianly it's a pot and kettle situation, but I chuckled at the mug. I think the Scrooggle tag line is horribly stupid and I wouldn't go out of my way to buy any of it, but if it was a gift I wouldn't bastardize it (well unless I can channel my inner BOFH).

Re: Hmm... a new variation of "won't anyone think of the children", I see.

You can download a demo, and Its for mobile.

Re: rc4 vulnerable?

BEAST attacks are targeted at TLS 1.0 and the older SSLversions and back in 2006-ish RC4 was the recommneded method for short term mititgation (though it still has its problems). TLS 1.1 and 1.2 are considered not vulnerabile as they have CBC protections . OpenSSL has settings which could screw you up if you're using it. Most major browsers support TLS 1.1 and 1.2 but moblie browsers don't really yet and most major borwsers don't default to the more secure TLS 1.1/1.2..

I know what you mean about PCI (and its frusturating) you can move on to using TLS 1.1 or if you can 1.2, but most people are still supporting TLS 1.0 for compatiiabilty with borwsers and mobile. I would say you'd enable the better security for clients that will use it, than prioritize mitigating BEAST attacks over RC4 attacks.