| lotuspsychje | good morning | 02:49 |
|---|---|---|
| marcoagpinto | Morning! | 06:04 |
| ducasse | good morning | 07:27 |
| lordievader | Good morning | 08:16 |
| oerheks | "soifmypasswordisjustabunchofwordsstickedtogetherimustbeokeandsafeontheinternet" .. dutch article about password hackers, they usually try short passwords only https://www.security.nl/posting/731137/Onderzoeker%3A+aanvallers+bruteforcen+geen+lange+wachtwoorden | 12:32 |
| lotuspsychje | ssh the new vnc :p | 12:47 |
| lotuspsychje | 25k attacks oO | 12:47 |
| TJ- | does that article link to the original research? I read it yesterday bit cannot find it now. The title of the researcher at Microsoft is fab "Head of Deception" or some-such! | 13:21 |
| oerheks | TJ-, it points to https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/ | 13:27 |
| oerheks | also, ms limits passwords to 24 characters, AFAIK | 13:27 |
| TJ- | yeah; I can't find the original paper/report by Bevington now I'm looking for it! | 13:27 |
| oerheks | and therecord points to https://www.linkedin.com/in/ross-bevington-854440152/ | 13:27 |
| TJ- | yeah | 13:28 |
| oerheks | nope, i cannot find the source , i'll end up in china | 13:30 |
| oerheks | https://www.cnbeta.com/articles/tech/1206583.htm | 13:30 |
| TJ- | ahh, found it! pages 85-87 contain the detail of the therecord summary. https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi (PDF) "Microsoft Digital Defence Report, October 2021" | 13:45 |
| TJ- | The entire report is well worth reading | 13:46 |
| oerheks | thanks! | 13:51 |
| lotuspsychje | massive paper | 13:53 |
| oerheks | save a tree, pdf | 13:53 |
| lotuspsychje | :p | 13:53 |
| lotuspsychje | 'what we do to stay ahead of the curve' :p | 13:54 |
| TJ- | it's the full year report; shame the press just pick on small 'fluff' parts | 13:54 |
| lotuspsychje | we got it all figured out | 13:54 |
| TJ- | these threat intelligence reports are extremely valuable, especially from an organisation the size of Microsoft, with the sheer size of their sensor network | 13:55 |
| TJ- | "In Azure Active Directory we observe 50 million password attacks daily, yet only 20% of users and 30% of global admins are using strong authentications such as MFA.96 " | 13:56 |
| TJ- | errr, thats in the context of "...Our sign-in service sees 90 billion authentication requests per day,..." | 13:59 |
| daftykins | D: | 14:09 |
| cbreak | for that, you don't need a sensor network | 15:20 |
| cbreak | you only need to analyze your log files | 15:20 |
| cbreak | (or force 2FA and be done with it :D) | 15:20 |
| TJ- | the sensor network is honeypots | 15:32 |
| TJ- | illuminating critique of flatpack/snap/appimage/etc - shocking the waste of resources https://ludocode.com/blog/flatpak-is-not-the-future | 15:55 |
| oerheks | TJ-, somehow it is true, still convenient to have all dependencies installed | 16:14 |
| JanC | except when you run out of disk space (which happens easily) | 16:15 |
| TJ- | "Flatpak and Snap apologists claim that some security is better than nothing. This is not true. From a purely technical perspective, for apps with filesystem access the security is exactly equal to nothing. In reality it’s actually worse than nothing because it leads people to place more trust than they should in random apps they find on the internet." | 16:16 |
| JanC | TJ-: that's pretty good indeed, and doesn't even touch the fact that even within one system you will often have to install multiple versions of the same runtime in parallel because each app uses a different one (and the app packagers are too lazy/busy to upgrade to a new one) | 16:16 |
| TJ- | JanC: it does talk about that unless you mean something different to what I read at least | 16:16 |
| TJ- | the subsection "Sharing Runtimes" | 16:17 |
| JanC | they mention e.g. Fedora vs. FDO ones, but even _within_ those there are multiple versions | 16:17 |
| JanC | so even just sticking to one store backend/repository doesn't solve that problem | 16:18 |
| TJ- | indeed | 16:18 |
| JanC | and I bet some packagers would rather just copy the whole unmaintained runtime into their package than upgrade when a runtime gets deprecated :P | 16:19 |
| TJ- | I like the example thet give of flatpack gimp and a libjpeg 0-day | 16:20 |
| JanC | I'm not that far yet, but obviously the security issue has been pointed out from before those stores were officially launched... | 16:21 |
| JanC | I mean, I'm sure there are some packagers doing their work properly | 16:22 |
| JanC | but others don't, or packages are just left behind abandoned | 16:22 |
| TJ- | I call it "throwing code over the wall" | 16:23 |
| TJ- | The wholesale Fedora flatpak conversion without namespacing properly is awful!! | 16:24 |
| JanC | now, if packages were built with all dependencies pulled in from a maintained repository and automatically rebuilt if necessary, that could maybe help, but obviously that's not happening... | 16:25 |
| JanC | (and it begs the question why not use existing package managers to do the whole thing...) | 16:26 |
| JanC | you can implement "multiple runtimes" and "system access restrictions for apps" in apt/rpm just as easily... | 16:31 |
| oerheks | spaces in names.. as weird as a nuclear bomb. | 16:32 |
| JanC | like, the whole "portal" idea is a good one in general | 16:37 |
| JanC | (although the implementation not always is) | 16:39 |
| JanC | and even making people pay for apps is possible with apt/rpm of course (Canonical & others already do that!) | 16:50 |
| TJ- | exactly; I recall when I paid via UbuntOne for MasterPDFEditor and got a login to the PPA | 16:51 |
| JanC | also see ESM | 16:52 |
| oerheks | There should be a dedicated channel for ESM support, or is there? | 16:53 |
| TJ- | oerheks: mind out, Kolusion is an abusive user, frequently gets banned, and DOES know the answer to the questions he asks in most cases | 16:56 |
| oerheks | someone made me ubuntu member, because i try to stay nice, but thanks for the warning TJ- :-D | 16:56 |
| oerheks | .. i do remember him though | 16:56 |
| TJ- | oerheks: I warned about him about 3-4 weeks ago - we had a bad spate of him resulting in bans in #linux and #networking | 16:57 |
| JanC | "GUI apps built for Windows 95 still work out of the box on Windows 10" is definitely not (always) true though... | 17:01 |
| JanC | many Windows 95 apps break even on Windows 2k or XP (some even break on WinNT 4.x which is about from the same time...) | 17:02 |
| JanC | mostly because of filesystem permissions and/or hardware access | 17:03 |
| TJ- | I think that's more about the Win16/Win32 API/ABI still being there | 17:04 |
| JanC | no, many Win95 apps liked to store config/data files next to the binaries, but that's (by default) not allowed on NTFS-based systems | 17:06 |
| JanC | well, it works when you run as administrator | 17:06 |
| JanC | or mess with the file permissions | 17:06 |
| JanC | (which you often have to fix after upgrades) | 17:07 |
| JanC | but not as a regular company user in a company with a proper IT department :) | 17:08 |
| JanC | or student in a school, etc. | 17:08 |
| JanC | there are also other compatibility issues between Windows versions | 17:09 |
| JanC | but in general backwards compatibility is better than on most linux distros, I suppose... | 17:09 |
| daftykins | i've come across some old software in my work which tried to read and write to paths that got denied since Vista, gets confusing when they're redirected elsewhere | 17:10 |
| JanC | any Win95 software that used hardware directly (as was most common then) would also break | 17:12 |
| JanC | that broke a lot of industrial/lab software | 17:12 |
| JanC | when upgrading to NT-based Windows which requires drivers for that | 17:13 |
| JanC | soem companies probably still run WinME because of that :P | 17:13 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!