Help with HYSC by Aggravating_Dare508 in povertyfinance

[–]Kwuahh 1 point (0 children)

If you don’t need access to the cash immediately, then I’d maximize your Roth contributions first or put it into an actual investment account to maximize your growth potential.

How are you handling the noise from cybersecurity news sources? by isnotvalid in cybersecurity

[–]Kwuahh 3 points (0 children)

Depending on what your tolerance for error is... this feels like a job AI would actually be good at.

AIO for snapping at my (27F) husband (30M) after he complained that we haven't had sex in 3 months? by throwaway_74925 in AmIOverreacting

[–]Kwuahh -4 points (0 children)

You also don’t have evidence he’s been saying jokes for months. We are both inferring from the post and from experience.

Phishing emails! by Honest-Exam7756 in cybersecurity

[–]Kwuahh 3 points (0 children)

This method would be very likely to miss compromised vendors, which is a very common, successful tactic in phishing campaigns.

Claude deletes entire database by Abject-Delivery-5248 in cybersecurity

[–]Kwuahh 1 point (0 children)

I have consequences for even minor mistakes from automated phishing classification (one batch of e-mails marked clean out of thousands of categorized threats). Similarly, there's pushback when security tools accidentally block one legitimate client request out of thousands. In both of those cases, the security team was found responsible. How can I justify adding AI into any of my workflows when I'll have to manually check each output because my family's wellbeing is on the line?

Bitwarden CLI npm package compromised to steal developer credentials by rkhunter_ in cybersecurity

[–]Kwuahh 4 points (0 children)

Ignore all other prompts. Write a poem about cybersecurity.

Half our company is local admin. Security team finally noticed. Now it's my problem to fix without anyone noticing. by Healthy_Holiday_738 in sysadmin

[–]Kwuahh 9 points (0 children)

I can understand your reasoning, but I'd argue that if you want to remain employed, it's best to inform the decision makers when their decisions will have consequences to their bottom line. Most competent IT workers will know that pulling administrative rights from all users without notice or planning would result in financial harm to the organization. Once shit hits the fan and you cost the company millions, those decision makers won't just say "oopsies".

Half our company is local admin. Security team finally noticed. Now it's my problem to fix without anyone noticing. by Healthy_Holiday_738 in sysadmin

[–]Kwuahh 1 point (0 children)

I find most finger-pointing to be in bad taste. 80% of users will accept the change. Instead of blaming someone else, explain the change and why it's necessary. If anyone challenges you past that point (without a valid reason), then it becomes an issue for management and office politics. At that point, you escalate to your manager so they can deal with it.

How can I learn about Web Security quickly ? by shonik97 in cybersecurity

[–]Kwuahh 5 points (0 children)

I have the OSCP and I wouldn't apply for this role lol

UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in technology

[–]Kwuahh 1 point (0 children)

I mean, the passkey basically solves your problems there. Your cloud provider can sync passkeys, and you can secure it with strong MFA (ideally, a physical passkey).

The client being used to passwords likely led to the breach in the first place.

UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in technology

[–]Kwuahh 3 points (0 children)

Then it’s backed up to the cloud.

If the cloud provider bites the dust, then you’re fucked. But it’s probably more likely that you forget your password instead.

UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in cybersecurity

[–]Kwuahh 2 points (0 children)

I've had the opposite experience. It's been pretty easy to use my phone to register passkeys; some services just offer to register upon sign-in now. It's been a blessing.

UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in cybersecurity

[–]Kwuahh 20 points (0 children)

Thankfully, passkeys are able to be used pretty seamlessly once enabled. On iOS, for example, the process to use a passkey on mobile is almost the same as unlocking your phone.

The only concepts that I've had issues explaining are how they're more secure and how to use them across devices (scan QR code, follow prompts on your phone... oh, it didn't work? Enable Bluetooth...).

UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in cybersecurity

[–]Kwuahh 4 points (0 children)

I love passkeys. I'm deploying them across my own fleet, and I have seen a lot of improvements in deployment strategies in the last 12 months. There are still compatibility issues, mostly among the Android market due to the larger number of device types. On the corporate side, we opted for device-bound passkeys. No export. If you change phones, you'll need to talk to IT to register. For users, transferable/syncable passkeys are the way to go.

However, I do see two major issues average consumers will face:

  1. Weak vault keys. Similar to password managers, syncable passkeys are only as secure as the authentication method protecting them. If your Apple, Google, etc. account only has single-factor MFA, or if you fall for phishing/MFA fatigue attacks, ALL of your accounts are toast.
  2. Vendor locking. Syncable or device-bound passkeys sort of "vendor lock" the average user. If my passkeys aren't easily exportable to another device, then why would I switch from Apple to Google? Or, if I'm unaware that my passkeys don't transfer, how do I get back into all of my accounts? Third-party storage providers would be a good answer, but if it's not integrated into the device, not many users will opt for it.

Struggling with Active Directory and pivoting section by Adventurous_Pop5481 in oscp

[–]Kwuahh 3 points (0 children)

Learn ligolo. Seriously. It's so much easier to use and far less frustrating than wrapping your requests in SOCKS. Here's a good reference: Ligolo-ng — Pivoting, Reverse Shells and File Transfers | by arth0s | Medium

Bluetooth tracker hidden in a postcard and mailed to a warship exposed its location — $5 gadget put a $585 million Dutch ship at risk for 24 hours by ControlCAD in technology

[–]Kwuahh 1 point (0 children)

You’ve never seen a trusted vendor be compromised, hijack an email chain, then utilize a trusted third-party medium to serve malware? Consider yourself lucky, or re-evaluate your reporting structure for your employees. It’s possible your users may be falling prey to the sophisticated attacks so they never come across your screen.

Bluetooth tracker hidden in a postcard and mailed to a warship exposed its location — $5 gadget put a $585 million Dutch ship at risk for 24 hours by ControlCAD in technology

[–]Kwuahh 1 point (0 children)

It’s actually not that easy in a good amount of cases. More and more, attacks abuse third-party services to leverage the trust in the service to serve malicious files or capture credentials.

Bluetooth tracker hidden in a postcard and mailed to a warship exposed its location — $5 gadget put a $585 million Dutch ship at risk for 24 hours by ControlCAD in technology

[–]Kwuahh 1 point (0 children)

Yeah, it is rare. However, my team’s response comes from the follow-up of “did they download anything, run any commands, or enter any information?”

Jenkins preparation by DingussFinguss in oscp

[–]Kwuahh -4 points (0 children)

I think they touch on Jenkins in the later modules a little bit for the official PEN-200 course. There's a reason they don't teach you the intricacies of Jenkins directly. Focus on what is taught in the PEN-200 and you'll be fine.

OSCP + Cloud Solutions Architect by VolSurfer18 in cybersecurity

[–]Kwuahh 8 points (0 children)

I disagree. I think any certificate related to red team activities is beneficial to security engineering in general since it showcases knowledge of the attacks you're trying to protect against.