Kamyar Kojouri

87 Followers
41 Following
50 Posts
Cybersecurity professional and open source enthusiast by day, amateur musician at night, blogger and book worm past bedtime. Loves Manchego and the color red.
@tinker I’ve been using Ubuntu 24.04 on my Lenovo X1 Carbon work laptop for about a year now. Pretty much everything works, but it took quite a bit of finagling. The only thing I couldn’t get to work reliably is audio on Zoom.
@juddlegum @briankrebs which explains why I keep seeing his tweets even though I don’t follow him nor do I give a flying fuck about this guy.
good morning and welcome to 2023
@knova any DIY or mod/hacking project shows the candidate’s relentless drive, childlike curiosity, and critical thinking. Could be anything from building a raspberry pi for war driving, to mod’ing your wah-wah guitar pedal to say ‘sheesh’.

PSA for everyone here who happens to be a US resident:

If you haven't done so lately, go to annualcreditreport.com, and get a truly free copy of your credit file from one of the major bureaus. Maybe start with Experian, since they seem to be currently the most clueless.

And then, assuming Experian doesn't make you do cartwheels through the mail to get your report (and that's a big if) -- really take the time to read it. I'm confident you will find stuff that is not supposed to be there and needs to be disputed.

When you dispute stuff, don't offer more information about yourself. Just get them to remove stuff that isn't yours. And then check back periodically to make sure they did that.

By the way, if you're already paying for or using credit monitoring services (hopefully not run by the same bureau you're trying to dispute), they may also be able to assist with this.

The information in your credit file -- whether it is yours or not -- can make the difference between whether you get that job or not, or apartment, or line of credit.

So please set some calendar reminders this year right now: Roughly every four months, request a free copy of your report from one of the three bureaus via annualcreditreport.com.

That is all. As you were.

So Adidas just called me [EMPTY]! Come on Adidas. Yes, I’m filling that void by spending my hard earned cash on shoes I don’t really need, but you really had to rub it in, didn’t ya! 😞

How about you stop being so [MEAN] and ask your front-end dev to add an ‘if’ statement for NULL values in your database before generating an email? [MIC DROP]

P.S. thanks for the shoes

My two cents on the recent breach at #LastPass:

Despite the inherent risks involved with using password managers, they still beat password reuse or sticky notes, so I continue to recommend them. If you’re tech savvy and can set up an offline password manager and ensure you can access it on demand, that’s great, but most people lack the technical expertise, or simply have better things to do with their lives than securing OpenVPN with MFA on pfSense in their underground bunker, or figuring out a way to access their password vault on Google Drive while trying to put in a Seamless order on the subway ride home.

For most of us, it will have to be an online password manager until password-less authentication becomes mainstream, from your Amazon account to the DMV website.

So how do we minimize the risk involved with using online password managers? This may not work for everyone, but here is how I’ve been doing it.

- For non-critical accounts (e.g. reward programs, airlines, etc.) I let the password manager generate randomized passwords. There’s no need to memorize these.

- For accounts where a breach can cause me financial or reputational (or emotional) damage (e.g. email, social media, banking, 401k), I use a mental algorithm to generate unique passwords and do not store them anywhere. I just came up with one that generated the password ‘mA!MoreShakshuka@18’ for ‘Facebook.com’. I’ll let you reverse engineer it.

- Length is almost always more important than complexity. ‘TheygotthegunsButwegotthenumbers!’ is exponentially harder to crack and much easier to remember than ‘^12xWhqU!+‘. CIS recommends a minimum of 14 characters; I would say 20 is good for now, until processors get faster or quantum computing goes mainstream.

- Use #MFA in as many places as possible. The order of preference for MFA should be: first hardware token (FIDO2 or U2F), then mobile app, and finally SMS only as a last resort.

Lastly, for corporate accounts on 3rd party sites (GitHub, Jira, etc.), always opt for single sign-on (#SSO) instead of local accounts. This makes life easier for your employees by letting them use a single set of credentials, for your IT team by not having to manually set password policies across multiple platforms, and for the compliance department by not having to worry about disabling the Salesforce account of the account manager who left 5 years ago. Your IdP/IAM platform should be configured to use different authentication methods (password only, MFA with mobile app, MFA with hardware token, etc.), authorization to and within different apps (HR platform, CRM tool, etc.), and session timeout settings, using a context-based method (managed vs. unmanaged device, location, time of day, etc.) so you’re not causing MFA fatigue for your users. This can be implemented using an identity-driven access platform like Microsoft Conditional Access, Okta, Duo, etc. Some people call this Zero Trust, but that’s a whole different topic.

#infosec

Beautifully said. That’s a quote from Neil Gaiman, and it applies to a lot more than only books.

Interesting read. Way too many “one trick pony” security vendors these days with long lists of stuff that’s “on the roadmap”.

https://blog.crashoverride.com/a-security-tools-crash-is-coming

A Security Tools Crash Is Coming

An explosion of security startups and the economic climate are colliding and are going to result in a train wreck. This post dives deeper into this than a recent short post on LinkedIn.

Adam ruins Musk, Zuckerberg, SBF, and other man-child privileged frat boys who just happened to be luckier than the rest. 
https://youtu.be/oVj4kZF-Fgk
Elon Musk Is An Idiot (and so are Zuck and SBF)