disintegr8te 

346 Followers
644 Following
69 Posts
Father, IT Geek, Living in the corporate MS IT-Hell, IT - Security Architect, Political Enthusiast, Extrovert.
Twitter: https://twitter.com/disintegr8te/
GitHub: https://github.com/disintegr8te
E-Mail: [email protected]
Twittodon: https://twittodon.com/share.php?t=disintegr8te&[email protected]
@cbotaish @romanmarr @michaelabon how do you protect against an insider attack? For example, the threat of someone manipulating the code of the client and browser extensions to get the secret key and password.
Why didn't you decide to open-source the client side so that everyone can check whether there are backdoors?

@kadin @jacob I would agree on the "assume breach" part.
But LastPass made major design mistakes:
URLs in the vault are not encrypted. (Think of tokens, API keys etc.; they have known this for 6 years.)
The master password alone is used for encryption, which is fundamentally different from, for example, 1Password with its secret key plus password approach.
Using PBKDF2-SHA256 with 100100 rounds, which is not up to date.

Also, their communication does not look fully transparent.
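As an added illustration (not part of the post above, and not LastPass's or 1Password's actual code), the following Python contrasts a vault key derived from the master password alone with one that also mixes in a high-entropy secret key, and measures the per-derivation cost at the post's 100100 rounds against a higher count. The 600,000 figure is OWASP's published recommendation for PBKDF2-HMAC-SHA256 and is taken here as an assumed comparison point; the two-secret construction (binding the salt to the device secret with HMAC before PBKDF2) is one illustrative way to realise the approach the post describes, not a claim about any product's key derivation.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

POST_ROUNDS = 100_100       # iteration count criticised in the post above
STRONGER_ROUNDS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256 (assumed comparison point)


def derive_vault_key(password: str, salt: bytes, rounds: int,
                     secret_key: Optional[bytes] = None) -> bytes:
    """Return a 32-byte vault key from PBKDF2-HMAC-SHA256.

    With secret_key=None the key depends on the password alone, so anyone who
    obtains a copy of the vault (salt plus ciphertext) can test password guesses
    offline at the cost of one derivation per guess.

    With a secret_key (random, high-entropy, held only on enrolled devices) the
    salt is first bound to that key with HMAC, so the same password yields an
    unrelated key unless the secret is also present.  This is an illustrative
    two-secret construction, not a specific vendor's scheme.
    """
    if secret_key is not None:
        salt = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def new_secret_key() -> bytes:
    """Generate a 128-bit device secret (generated once at enrolment, never typed)."""
    return os.urandom(16)


def seconds_per_derivation(rounds: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation on a single core.

    The same figure bounds how quickly an attacker holding a password-only
    vault can test each guess on comparable hardware, so raising the round
    count raises the cost of every offline guess proportionally.
    """
    salt = b"constructed-salt"          # constructed sample value, fixed for timing
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("benchmark-password", salt, rounds)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    salt = os.urandom(16)
    pw = "correct horse battery staple"   # constructed sample master password
    secret = new_secret_key()

    k_password_only = derive_vault_key(pw, salt, POST_ROUNDS)
    k_two_secret = derive_vault_key(pw, salt, POST_ROUNDS, secret)
    print("password-only key:", k_password_only.hex())
    print("two-secret key   :", k_two_secret.hex())

    for rounds in (POST_ROUNDS, STRONGER_ROUNDS):
        ms = seconds_per_derivation(rounds) * 1000
        print(f"{rounds:>7} rounds: {ms:.1f} ms per derivation")
```

Run it directly to see the two keys and the timing; the numbers depend on the machine, but the ratio between the two round counts is what matters when judging whether a stored iteration count still makes offline guessing expensive enough.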

An AWS data champion!

#reInvent

I just wrote a post about the current state of growth in infosec.exchange at the one month mark post E-day here: https://blog.infosec.exchange/2022/11/27/an-update-on-growth-of-infosec-exchange/

Note: I installed a plugin that will allow you to follow blog posts there by following @[email protected]


@jerry I don't want to say I agree with their approach, but there is a logic to it, and it could generally lead to a shutdown of the instance if this legal framework isn't fixed or the instance moved to a non-EU jurisdiction.
@jerry It's multiple things, but mainly you are required by law, if you host a web service in Germany, to publish a contact for data privacy and a legal contact.
So by blocking your mail server they are blocking "illegal web services" to protect their customers.
@jerry Somehow they protect their customers here: you host your services in Germany, but you are not complying with German law (GDPR, TMG etc.).
@alexandru @sidd Ideally, we force MFA. The most significant problem I face with password only authentication is password reuse. And it's a major problem.
@jerry Maybe authentication with something like Keycloak (SAML or OIDC)?
@disintegr8te I do! I have some things to sort out, like I'd really like to have a single authentication source (LDAP or SAML etc.) and, of course, the hosting aspect. But yet. On my radar.