sylver_dragon

@sylver_dragon@lemmy.world


Can I refuse MS Authenticator?

So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s...

sylver_dragon,

I work in cybersecurity for a large company, which also uses the MS Authenticator app on personal phones (I have it on mine). I do get the whole “Microsoft bad” knee-jerk reaction. I’m typing this from my personal system, running Arch Linux after accepting the difficulties of gaming on Linux because I sure as fuck don’t want to deal with Microsoft’s crap in Windows 11. That said, I think you’re picking the wrong hill to die on here.

In this day and age, Two Factor Authentication (2FA) is part of Security 101. So, you’re going to be asked to do something to have 2FA working on your account. And oddly enough, one of the reasons that the company is asking you to install it on your own phone is that many people really hate fiddling with multiple phones (that’s the real alternative). There was a time, not all that long ago, where people were screaming for more BYOD. Now that it can be done reasonably securely, companies have gone “all in” on it. It’s much cheaper and easier than a lot of the alternatives. I’d love to convince my company to switch over to Yubikeys or the like. As good as push authentication is, it is still vulnerable to social engineering and notification exhaustion attacks. But, like everything in security, it’s a trade off between convenience, cost and security. So, that higher level of security is only used for accessing secure enclaves where highly sensitive data is kept.

As for the “why do they pick only this app”, it’s likely some combination of picking a perceived more secure option and “picking the easiest path”. For all the shit Microsoft gets (and they deserve a lot of it), the authenticator app is actually one of the better things they have done. SMS and apps like Duo or other Time-based One-Time Password (TOTP) solutions can be ok for 2FA. But, they have a well known weakness around social engineering. And while Microsoft’s “type this number” system is only marginally better, it creates one more hurdle for the attacker to get over with the user. As a network defender, the biggest vulnerability we deal with is the interface between the chair and the keyboard. The network would be so much more secure if I could just get rid of all the damned users. But, management insists on letting people actually use their computers, so we need to find a balance where users have as many chances as is practical to remember us saying “IT will never ask you to do this!” And that extra step of typing in the number from the screen is putting one more roadblock in the way of people just blindly giving up their credentials. It’s a more active thing for the user to do and may mean they turn their critical thinking skills on just long enough to stop the attack. I will agree that this is a dubious justification, but network defenders really are in a state of throwing anything they can at this problem.

Along with that extra security step, there’s probably a bit of laziness involved in picking the Microsoft option. Your company picked O365 for productivity software. While yes, “Microsoft bad”, the fact is they won the productivity suite war long, long ago. Management won’t give a shit about some sort of ideological rejection of Microsoft. As much as some groups may dislike it, the world runs on Microsoft Office. And Microsoft is the king of making IT’s job a lot easier if IT just picks “the Microsoft way”. This is at the heart of Extend, Embrace, Extinguish. Once a company picks Microsoft for anything, it becomes much easier to just pick Microsoft for everything. While I haven’t personally set up O365 authentication, I’m willing to bet that this is also the case here. Microsoft wants IT teams to pick Microsoft and will make their UIs even worse for IT teams trying to pick “not Microsoft”. From the perspective of IT, you wanting to do something else creates extra work for them. If your justification is “Microsoft bad”, they are going to tell you to go get fucked. Sure, some of them might agree with you. I spent more than a decade as a Windows sysadmin and even I hate Microsoft. But being asked to stand up and support a whole bunch of shit because of one user’s unwillingness to use a Microsoft app, that’s gonna be a “no”. You’re going to need a real business justification to go with that.

That takes us to the privacy question. And I’ll admit I don’t have solid answers here. On Android, the app asks for permissions to “Camera”, “Files and Media” and “Location”. I personally have all three of these set to “Do Not Allow”. I’ve not had any issues with the authentication working; so, I suspect none of these permissions are actually required. I have no idea what the iOS version of the app requires. So, YMMV. With no other permissions, the ability of the app to spy on me is pretty limited. Sure, it might have some sooper sekret squirrel stuff buried in it. But, if that is your threat model, and you are not an activist in an authoritarian country or a journalist, you really need to get some perspective. No one, not even Microsoft is trying that hard to figure out the porn you are watching on your phone. Microsoft tracking where you log in to your work from is not all that important of information. And it’s really darned useful for cyber security teams trying to keep attackers out of the network.

So ya, this is really not a battle worth picking. It may be that they have picked this app simply because “no one ever got fired for picking Microsoft”. But, you are also trying to fight IT simplifying their processes for no real reason. The impetus isn’t really on IT to demonstrate why they picked this app. It is a secure way to do 2FA and they likely have a lot of time, effort and money wrapped up in supporting this solution. But, you want to be a special snowflake because “Microsoft bad”. Ya, fuck right off with that shit. Unless you are going to take the time to reverse engineer the app and show why the company shouldn’t pick it, you’re just being a whiny pain in the arse. Install the app, remove its permissions and move on with life. Or, throw a fit and have the joys of dealing with two phones. Trust me, after a year or so of that, the MS Authenticator app on your personal phone will feel like a hell of a lot better idea.
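The comment above makes two mechanical points worth seeing in code: why a “type this number” push prompt cannot be approved by a reflexive tap the way a plain approve/deny prompt can, and what a notification-exhaustion burst looks like to a defender reading authentication logs. The following is an added illustration, not code from the commenter, from Microsoft, or from any authenticator product; the log format and the threshold values are assumptions made for the example, and all log lines are constructed.

```python
"""
Added illustration of (1) number matching on a push prompt versus a plain
approve/deny prompt and (2) a simple detector for a burst of unapproved push
prompts (notification exhaustion / MFA fatigue).  Everything here is
constructed for the example; the log format is not any vendor's real format.
"""
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class PushPrompt:
    """One push challenge. The two-digit number is displayed only on the
    login screen that triggered the prompt, never in the push itself."""
    user: str
    number: int = field(default_factory=lambda: secrets.randbelow(100))


def approve_plain(prompt: PushPrompt, user_taps_approve: bool) -> bool:
    """Classic approve/deny push: a single tap completes the login,
    regardless of who actually started it."""
    return user_taps_approve


def approve_number_match(prompt: PushPrompt, typed: Optional[int]) -> bool:
    """Number matching: the approver must type the number shown on the login
    screen. A person who did not initiate the login has nothing to type."""
    return typed is not None and typed == prompt.number


def simulate_unsolicited_prompt(number_matching: bool) -> bool:
    """A prompt the user did not initiate reaches a tired user who taps
    approve out of reflex. Returns True if that reflex completes the login."""
    prompt = PushPrompt(user="alice")
    if number_matching:
        # The user never saw a login screen, so they have no number to enter.
        return approve_number_match(prompt, typed=None)
    return approve_plain(prompt, user_taps_approve=True)


# Constructed sample authentication log (assumed "ts key=value" format).
SAMPLE_LOG = """\
2024-03-01T09:58:10Z user=bob result=approved method=push
2024-03-01T10:00:01Z user=alice result=denied method=push
2024-03-01T10:00:40Z user=alice result=denied method=push
2024-03-01T10:01:15Z user=alice result=timeout method=push
2024-03-01T10:01:50Z user=alice result=denied method=push
2024-03-01T10:02:30Z user=alice result=denied method=push
2024-03-01T10:03:05Z user=alice result=approved method=push
2024-03-01T10:30:00Z user=carol result=denied method=push
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, result)."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["result"]


def find_push_fatigue(log: str, threshold: int = 4,
                      window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {user: largest burst} for users who received at least
    `threshold` unapproved push prompts within any `window`-long span.
    A user who keeps denying or ignoring prompts they did not request is
    the signature the comment describes as notification exhaustion."""
    recent = defaultdict(deque)   # user -> timestamps of recent unapproved prompts
    flagged: Dict[str, int] = {}
    for line in log.splitlines():
        ts, user, result = parse_line(line)
        if result == "approved":
            continue
        dq = recent[user]
        dq.append(ts)
        while dq and ts - dq[0] > window:   # drop prompts outside the window
            dq.popleft()
        if len(dq) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(dq))
    return flagged


if __name__ == "__main__":
    print("plain push, reflex tap logs in:", simulate_unsolicited_prompt(False))
    print("number matching, reflex tap logs in:", simulate_unsolicited_prompt(True))
    print("users in a push burst:", find_push_fatigue(SAMPLE_LOG))
```

In the sample log, alice denies or ignores five prompts in under three minutes and then approves one; the detector flags her on the fourth unapproved prompt, which is exactly the point at which a help-desk call or an automatic block on further prompts would be worth more than the number-matching hurdle alone.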

sylver_dragon,

People being assholes over it is dumb, but I can’t say I would want one. I saw one recently at my local grocery store and I couldn’t stop thinking how poorly built it looked. It just seemed like the fit and finish of the body panels was kinda bad. I got an overall feeling like it was something put together by a couple of teenagers in metal shop.

sylver_dragon,

Even more important than the one time bump is the very last line of the article:

Starting July 1, 2027, the rule requires Labor to adjust the salary threshold every three years to account for updated wage data.

Rather than having to fight for these things every few years, we need to just tie minimum wage and the overtime floor to CPI. But, that’s something the GOP will fight tooth and nail.

sylver_dragon,

While certainly an interesting development, this is just in a petri dish.

sylver_dragon,

Yes, yes it has. And it’s directly because of Russia engaging in exactly the type of expansionist wars NATO was set up to stop.

Ukraine packed a Cessna-style plane with explosives, added remote controls and kamikaze’d it into a Russian drone factory 600 miles away (www.forbes.com)

In a sharp escalation of its drone campaign targeting strategic industries deep inside Russia, Ukraine seems to have fitted Cessna-style light planes with remote controls, packed them with explosives and flown at least one of them more than 600 miles to strike a Russian factory in Yelabuga, 550 miles east of Moscow....

sylver_dragon,

This is pretty embarrassing for Russian air defense. Though, I also wonder if they were hesitant to shoot down an unidentified aircraft after multiple cases of friendly fire bringing down VKS aircraft. I’m also amazed that there were seemingly no Electronic Warfare (EW) systems in the area to prevent remote control of drones. Sure, there are EW countermeasures, but this seems like a pretty significant failure that this drone could be flown in from that far away.

sylver_dragon,

However, let’s face it, Valve isn’t about to just let Microsoft run a GamePass app on SteamOS either.

SteamOS is Linux (Arch). If Microsoft wanted to put GamePass on Linux, there’s no reason it wouldn’t run on a SteamDeck. Valve isn’t trying to create the same sort of “walled garden” which you get with other consoles. I have several games loaded up on my SteamDeck which aren’t from Steam. And I can even add them to the Steam interface. Microsoft software not running on the SteamDeck is entirely Microsoft’s choice.

sylver_dragon,

The investigation report is going to be interesting. While bridges can only take so much punishment, they are usually designed to survive some collisions with their pylons. I wonder what the state of the bridge was, prior to the collapse. If it’s anything like the rest of the infrastructure in the US, it was probably not good. Though, this may also be a case that the designers in the 70s planned for a collision with a cargo vessel of the times, which were tiny bath tub boats compared to the super container ships we have now. The Dali was built in 2015; she is a 300 m ship capable of carrying 116,851 tons. That’s a lot of mass for the pylon and its barriers to stop.

Firefox for Android Private Browsing and gmail

I recently used Firefox Nightly on my Android device, in a private tab, to login to gmail. After I closed the browser, both via the “quit” menu icon and via swiping the Firefox away in the Overview, I had expected the session information to be deleted and the next time I came back to gmail via a private tab, to be required...

sylver_dragon,

Viruses had only been discovered a few decades before this picture was taken. It’s very likely that the family (and most of society) had no understanding that the virus was unlikely to jump species and so took the same precaution to keep the cat from spreading the disease that they themselves took. I’d rather people made this sort of mistake than the willful idiots we had this time around refusing to believe in viruses at all.

sylver_dragon,

This probably says more about the lack of large scale, peer on peer conflicts since WWII than the capabilities of the Houthis. The Houthis are one of the first groups with the capability, positioning and willingness to directly attack US Navy assets.

Controller aim speed

Just got started with this game (PC - Steam version). It’s fun so far. I had really wanted to use my controller. But, the aiming movement is so sluggish. I’ve tried pushing the “Aim Sensitivity” up to 10, but still felt like I was turning through molasses. Is there anything which can be done to speed that up, or is the...

Russia has lost 87% of troops it had prior to start of Ukraine war, according to US intelligence assessment (www.cnn.com)

Russia has lost a staggering 87 percent of the total number of active-duty ground troops it had prior to launching its invasion of Ukraine and two-thirds of its pre-invasion tanks, a source familiar with a declassified US intelligence assessment provided to Congress told CNN....

sylver_dragon,

If we could harness the energy of Reagan spinning in his grave, we’d have a limitless supply of energy.
Imagine telling any conservative, during the Cold War era, that we could completely fuck Russia’s military power and readiness, for years to come, by sending weapons to a relatively small country. They would be rushing to arm anyone and everyone they could, unintended consequences be damned. And yet, here we are with the GOP blocking exactly that sort of activity. And even better, there is a very real possibility that we aren’t arming future terrorists this time around. Maybe that’s the GOP’s problem, Russia losing in Ukraine won’t create an excuse in 20 years to kill more brown people.

sylver_dragon,

While it’s not my thing, and I view dogs as pets and not food, it’s pretty hypocritical to complain about the farming and consumption of dogs for food, while many of us still eat pigs, chickens, cows, turkeys, etc. If Korean culture places dogs on the list of eaten animals and it’s done in as humane and sanitary a condition as possible for farming the animals, then it’s not my place to try and stop them.

sylver_dragon,

Let us celebrate the achievements of the world’s nations, in the middle of one of the most oppressive, authoritarian dictatorships on the planet. But hey, they are the nice dictators, with oil. So, we’ll overlook little things like murder.

sylver_dragon,

Good. Tying aid to cuts in IRS funding was absolutely asinine. Failing to fund Ukraine, which is actually fighting for its continued existence as a political entity, is also asinine.

Yes, Hamas is a horrible organization; but, the Israeli Government isn’t facing an existential threat and has not been an innocent actor in the situation in Gaza. Aid and support should come with strings attached to ensure the protection of civilians and property rights of the people being displaced.

sylver_dragon,

Ford Motor Co.'s second-quarter profit more than tripled to $1.92 billion versus a year ago (source)
Revenue rose 12% to $44.95 billion

Kinda hard to drum up sympathy for the company when it’s raking in almost $2 billion in profit per quarter. Yes, Ford is burning about $1 billion per quarter on EVs right now. That’s not something the workers should be financing. That’s money the company is investing to be viable in the future. That sucks for the shareholders; but, they are the ones who will reap any benefits of that investment and they should be the ones eating the cost.

sylver_dragon,

Turns out getting fucked on camera is more profitable than getting fucked by the school district. The hours are probably better too.

Virginia lawmakers pass long-overdue budget bill with tax rebates, extra aid for schools (apnews.com)

The politically divided Virginia General Assembly approved long-overdue budget legislation Wednesday, voting in an unusually fast-paced special session to both reduce taxes and boost spending on public education and mental health as part of the package.

sylver_dragon,

Seems like MS is trying to run afoul of anti-trust laws, again.

sylver_dragon,

Time for The Satanic Temple to open Satan’s Elementary School and apply for charter funding.
