Quick tip. If you're trying to download really old versions of macOS, they're hard to find (e.g., El Capitan, etc.). You can find lots of dodgy sites that you don't want to deal with, but it's hard to find legit Apple web sites. The trick is to search for "enterprise". Then you can find pages like this, which has a legit link to an Apple DMG. https://support.apple.com/en-us/HT206886
One of the more obscure and least understood #security principles is "psychological acceptability." Nobody spends any time on it. Just google a phrase and see that everyone plagiarizes everyone else. Search for "principle that aims at maximizing the usage and adoption of the security functionality"
@zenhack I hear ya. Been running my own server since 1996. It gets harder and harder. An SMTP server is a house of cards. One daemon stops or one config is wrong and everything falls apart. I’m still hanging in there. But I hear ya.
Simply put, #BlackLivesMatter more than #infosec or all the other things I usually toot about. I did a little bit this weekend to help. Trump sent me $2500 I didn't need in the CARES Act. I've given every last cent of it to people he wouldn't have given it to, and who need it more than I do. https://blog.paco.to/2020/black-lives-matter/
Some people might call this "parody". In my world, it's a bit more like "Tuesday". https://www.youtube.com/watch?v=JMOOG7rWTPg
@WPalant I just saw this reply. But I answered it in my post. It's one EC2 instance at AWS. The IP range it comes from is a /14 range (250K IPs). I own 1 IP address from Amazon and outlook.com has no way to verify that. They did eventually get back to me after a week. They put in a mitigation. But when you're the little guy, life is hard. I only have 20 users or so.
I had a non-delivery notification from my personal mail server to outlook.com. It said "your ISP's network is on our block list.' My ISP is AWS and the network is a /14. It's bonkers.
It's like living in a 500-unit apartment complex and a company says "unit 402 didn't pay for their purchases last month, so we're not selling anything to anyone in that complex any more."
#spam #isp #email #smtp
If you have some spare compute cycles and you want to donate them to fighting #covid19, there's a medical research programme called "Folding@Home" which is similar to SETI@Home, but for medical research: https://foldingathome.org/2020/03/15/coronavirus-what-were-doing-and-how-you-can-help-in-simple-terms/
This is a fascinating C2 vector. But I gotta admit: it's hard to take it seriously with this diagram. https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/
Not mine. But absolutely appropriate for this forum. :) #infosec
That’s big news. #OpenSSH adds support for Fido/U2F tokens. https://www.zdnet.com/article/openssh-adds-support-for-fidou2f-security-keys/
@jjbaumgartner yeah I’ll just add another protocol where we disagree. There’s no need to slice and dice and imagine that things unsaid are implied in the worst possible way. Even NIST recanted it’s recommendation to change passwords for government and enterprises. Do some research on it. It was never founded in anything. Someone just sorta made it up and it stuck. There is not a lot of justification for it.
I wrote a blog post on how to use KMS key policies to act as a separate access control for data in Amazon S3. https://aws.amazon.com/blogs/security/how-to-use-kms-and-iam-to-enable-independent-security-controls-for-encrypted-data-in-s3/
@ebel I feel your pain. After 10 years living in Europe I moved back to the US. It's infuriating. Makes me want to get European cookbooks / recipe books. It'll all be in millilitres and sane units.
I see a lot of articles say things like "They now run this service in the cloud—which brings its own set of security challenges." I wish they would equivalently write "They run their IT in their own data centres—which brings its own set of security challenges."
DIY infrastructure? Oh that's obviously secure. Professionally-run commercial clouds? Whoa, they're risky.