
    Topics

    • Dashrender

      Azure AD accounts can no longer access Windows 10 shares

      IT Discussion windows windows 10 azure ad
      0 Votes
      2 Posts
      316 Views
      dbeato

      I have not dealt with this much, however I have seen sharing groups get their members removed completely.

    • Dashrender

      cert error

      IT Discussion
      0 Votes
      4 Posts
      201 Views
      Dashrender

      This error came up while loading the page - not because the user clicked on something, or clicking on the lock in the address bar.

    • Dashrender

      PCI Point to Point vs End to End

      IT Discussion
      0 Votes
      16 Posts
      400 Views
      scottalanmiller

      @Dashrender said in PCI Point to Point vs End to End:

      @scottalanmiller said in PCI Point to Point vs End to End:

      @Dashrender said in PCI Point to Point vs End to End:

      @Pete-S said in PCI Point to Point vs End to End:

      @Dashrender said in PCI Point to Point vs End to End:

      @Pete-S said in PCI Point to Point vs End to End:

      @Dashrender said in PCI Point to Point vs End to End:

      @Pete-S said in PCI Point to Point vs End to End:

      If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

      Thanks, I get the difference now... but now why anyone cares.

      It's just that CC info can't be picked up anywhere if it's end to end encryption.

      but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).

      Maybe I should have said it can't be picked up in transit.

      The card processors probably have more stringent requirements for infosec than PCI.

      Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...

      So I'm still not seeing a benefit to E2EE to the merchant.

      I assume E2EE gives you some discounts.

      based on what?

      Just seems like the logical reason.

    • Dashrender

      Passing OpenVPN through ER-X

      IT Discussion openvpn er-x
      0 Votes
      27 Posts
      2k Views
      scottalanmiller

      @wrx7m said in Passing OpenVPN through ER-X:

      @scottalanmiller said in Passing OpenVPN through ER-X:

      I can't find any references to OpenVPN using 943/TCP. You sure that that isn't a custom setting somewhere?

      https://openvpn.net/vpn-server-resources/how-to-configure-the-openvpn-access-server/

      It must just be access server.

      "TCP port 943 is the port where the web server interface is listening by default."

      Yeah, no web server in OpenVPN itself.

    • Dashrender

      Locally hosted email with CloudFlare Origin cert - SMTP?

      IT Discussion
      0 Votes
      5 Posts
      215 Views
      Dashrender

      @JaredBusch said in Locally hosted email with CloudFlare Origin cert - SMTP?:

      @Dashrender said in Locally hosted email with CloudFlare Origin cert - SMTP?:

      @JaredBusch said in Locally hosted email with CloudFlare Origin cert - SMTP?:

      @Dashrender said in Locally hosted email with CloudFlare Origin cert - SMTP?:

      This is related to my moving to CloudFlare proxy thread.

      The issue is - if the email server only has the CF Origin TLS cert, how will SMTP over TLS work? I would assume that other mail servers might reject that cert because it's not signed by a trusted CA.

      Does this only affect inbound mail?

      I have never actually tested this with Exchange, but I do know that I can tell postfix to send with TLS without configuring any certificates.

      Sure, that's not really secure though, it's TLS with no security.

      As for what it affects - I frankly don't know. For all I know a self-signed cert would be fine - but I don't know what happens when you have both an assumed allowable cert and a CF origin cert on the same machine.

      Umm I think you misunderstand. When you send, you don't need a cert. Just like you don't need a cert in your browser to access HTTPS pages. The other side has that.

      Yes, I assume you need something valid for the inbound SMTP.

      OK - yeah, I suppose the receiving side is what sets up the tunnel.. Ok good point...

    • Dashrender

      Moving to Cloudflare proxy

      IT Discussion haproxy
      0 Votes
      16 Posts
      904 Views
      scottalanmiller

      @Dashrender said in Moving to Cloudflare proxy:

      Seriously you want me to buy another domain to fix this?

      Yes, because someone screwed up with the original domain, so yes, you need to either fix that or do something to work around it. Mistakes have costs, this is a pretty trivial one.

    • Dashrender

      Zoho customer - emails going to recipients spam folder

      IT Discussion
      0 Votes
      17 Posts
      515 Views
      Dashrender

      Well - on behalf of my customer (and I'm billing them for it) I opened a case through my O365 account about how O365 is assigning BCL 9 to an email from their domain, for seemingly everyone in O365.

      After more than an hour on the phone, we left it with me sending MS some headers and a mailtrace.

      They did point out some nice tools I thought I would share.

      https://sender.office.com

      This site allows you to request MS to remove an IP from MS's black lists.

      https://testconnectivity.microsoft.com/

      This site has a Message Analyzer tab now - at least I never noticed it before. It can analyze headers.

    • Dashrender

      HP battery recall

      News
      1 Vote
      3 Posts
      200 Views
      S

      Just got the notice this morning as well. So far, 2 out of the 4 potentially affected laptops of ours are in the clear. Trying to get in contact with the other 2 employees, who likely won't be able to make it in to the office until next week.

    • Dashrender

      AV - should companies keep buying it?

      IT Discussion
      1 Vote
      71 Posts
      6k Views
      Dashrender

      @IRJ said in AV - should companies keep buying it?:

      @Dashrender said in AV - should companies keep buying it?:

      @scottalanmiller said in AV - should companies keep buying it?:

      @Dashrender said in AV - should companies keep buying it?:

      Well then - I guess most of the world is idiots

      That should fall into the "well duh" category. Of course most of the world is idiots.

      Along this line - the boss wants me to add to my duties - I now get to train our users on how to use a computer as well as how to be security minded. i.e. don't plug in random USB sticks into a computer, etc.

      You aren't blocking USB drives today?

      nope.
      That was just one example.

      Then there is the need to still use DVDs around here - that one I couldn't block.

    • Dashrender

      SIP trunk not registering

      IT Discussion sip voip telephony voip.ms mitel mitel 5000 pbx
      0 Votes
      4 Posts
      588 Views
      Dashrender

      Well I tried maintenance mode - out of service for 10 mins, then back on - no go.

      I put the password back into the system - bam.. damn thing is registering again. 😞

    • Dashrender

      O365 can't load OWA

      IT Discussion
      0 Votes
      7 Posts
      167 Views
      Dashrender

      Uninstalling FF and deleting all folders from c:\users\%username%\Appdata that are either Firefox or Mozilla, then rebooting and reinstalling - solved the problem.

      Now to do that to Chrome.

    • Dashrender

      Why Install Hyper-V via Role Rather than Pure Hyper-V

      IT Discussion
      0 Votes
      41 Posts
      1k Views
      DustinB3403

      Or this: https://smbitjournal.com/2014/07/it-worked-for-me/

      Like who can honestly justify these decisions? You're burying your head in the sand and hoping nothing bad happens.

    • Dashrender

      Hyper-V 2019 on a domain

      IT Discussion hyper-v hyper-v 2019 dashrender
      2 Votes
      7 Posts
      952 Views
      JaredBusch

      @Dashrender said in Hyper-V 2019 on a domain:

      @PhlipElder said in Hyper-V 2019 on a domain:

      All of the above and more but done in PowerShell on our KB site.

      New-NetLbfoTeam -Name vSwitch -TeamMembers *

      Nice

      Thanks

      I've posted that before.

    • Dashrender

      Hyper-V 2019 remote access from Domain PC to workgroup hypervisor

      IT Discussion
      0 Votes
      1 Post
      76 Views
      No one has replied
    • Dashrender

      Chrome updates - breaks shit.

      IT Discussion
      0 Votes
      23 Posts
      519 Views
      scottalanmiller

      @LindaStull said in Chrome updates - breaks shit.:

      The vendor specifically checks for the browser and disables use on anything they don't approve.

      Not surprising.

    • Dashrender

      Unifi Controller update

      News
      4 Votes
      3 Posts
      154 Views
      dbeato

      Yup https://community.ubnt.com/t5/UniFi-Updates-Blog/UniFi-Network-Controller-5-10-17-Stable-has-been-released/ba-p/2676018

    • Dashrender

      4th Amendment

      Water Closet
      0 Votes
      28 Posts
      1k Views
      scottalanmiller

      @StorageNinja said in 4th Amendment:

      Doesn't it only work for the purposes though of border enforcement, and only by border patrol?

      That's the excuse that they used to get a ruling removing the constitution. But as there is no law to create limits, there are no limits.

    • Dashrender

      UEFI rootkit LoJax

      IT Discussion uefi lojax
      1 Vote
      4 Posts
      529 Views
      Dashrender

      But like anything - this could grow through the use of other compromises for privilege elevation, and bam - pown'ed.

    • Dashrender

      Does VDI Conquer the Dashrender Challenge?

      Water Closet
      0 Votes
      76 Posts
      5k Views
      Dashrender

      @pmoncho said in Does VDI Conquer the Dashrender Challenge?:

      @Dashrender said in Does VDI Conquer the Dashrender Challenge?:

      @scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:

      @Dashrender said in Does VDI Conquer the Dashrender Challenge?:

      We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?

      That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.

      RDP has a tendency to be a high profile target, which is still not a big deal.

      The biggest issues with RDP are that...

      Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.

      End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.

      If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.

      I've held this belief for many years.

      I have had so many sudo-Jared FFS's by at least 5 other security individuals about this subject over the last 15 years. I try to state the logic behind RDP with good passwords and lockout (RDP Guard) but get the "No Direct RDP connections" that is so ingrained in the security mantra.
      It has just become a dead talking point for me.

      I just tell the doc's, "I have no problem spending more of your money that other "experts" want to rip from your pocket."

      Yep, exactly.

    • Dashrender

      Mobile Computing for Medical

      IT Discussion
      0 Votes
      14 Posts
      351 Views
      DustinB3403

      @scottalanmiller said in Mobile Computing for Medical:

      Man that vendor really hates you.

      I was going to say the same thing.

      The next thing out of this vendor will be that they only support Windows NT . .
