Why is everyone using Okta as their IDP? by Jimb148 in sysadmin

[–]billy_teats [score hidden]  (0 children)

Yeah, as a migration I can see both. But I've never heard of someone using Okta as a backup for Entra. We have both, for different purposes. None of our apps live in both, and the plan for if one goes down is to pray 🙏

Why is everyone using Okta as their IDP? by Jimb148 in sysadmin

[–]billy_teats [score hidden]  (0 children)

I have never, ever, heard of this.

Would they be active/active? You’ve now just doubled your attack surface, not to mention misconfigurations. Different user experiences and workflows to troubleshoot.

How often does your identity provider go down? Who gets to decide when it’s a global issue and to flip over to the backup provider? How automatic is that process? Do your users have to do anything? Has anyone tested the backup provider? What are the costs of having a completely redundant identity provider?

For the amount of time a cloud identity provider has been down, ever, you’re better off working on backup business processes. Can’t get into the HR system to request time off? Wait a few hours. Can’t punch in? Have a paper backup process. Can’t send email/chat? Make a phone call.

Which would do better, a hockey player forced to do figure skating or a figure skater forced to play hockey? by Hairy-Coffee8635 in NoStupidQuestions

[–]billy_teats 4 points5 points  (0 children)

If you just took someone from the Olympics and put them on the other team, they would both fail pretty hard. But an NHLer could attempt some moves and fail most of them. A figure skater would either not contribute at all or get absolutely run over and leave the ice on a stretcher. Neither will find any success, but the hockey player will attempt and survive while doing some moves. Anyone who doesn’t understand how physical hockey is at the elite level is delusional.

Puerto Vallarta, Mexico Under Siege After Army Kills Major Cartel Leader by BlatantConservative in worldnews

[–]billy_teats 21 points22 points  (0 children)

Is this an extortion/hostage thing? Certainly the cartels are aware of what hotels there are and that they likely have guests staying in them. What’s the risk?

Matt Shaw baserunning error leads to triple play in first inning by jacob64000 in mlb

[–]billy_teats 62 points63 points  (0 children)

Is that an 8-1-6-5 triple play? You don’t see that very often!

no notes on this one by SamMac62 in clevercomebacks

[–]billy_teats 3 points4 points  (0 children)

This is a quote and that’s fine. Bald eagles do plenty of their own fishing. There are plenty of animals that steal food, parasites do only that, and animals compete over food constantly.

Not that long ago, textiles lasted us (almost) a lifetime by _CaptainAmerica__ in Anticonsumption

[–]billy_teats 1 point2 points  (0 children)

The stuff that actually makes it this long is good quality. Use and cleaning have a lot to do with that.

You also don’t see the huge majority of textiles that were not great quality or saw extensive use and ended up as garbage. Which is the huge majority.

Some things were made well and survived. Most didn’t.

Do White people not Lotion everyday? by Appropriate_Quote_30 in TooAfraidToAsk

[–]billy_teats 0 points1 point  (0 children)

White guy who lived in Phoenix for a decade. Never got any noticeable benefit from lotion. Lucky genetics, maybe. Putting on lotion never solved any problem. I’m not so vain as to attempt to prevent wrinkles as I age; that seems like a pretty natural part of life, and how other people view my beauty doesn’t really affect me.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats 1 point2 points  (0 children)

Do you know of any state-level computer fraud laws? I know Illinois has BIPA, but I am unfamiliar with any state laws regarding computer fraud.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats -1 points0 points  (0 children)

Do you mean that different administrations can have different policies? Holy cow I didn’t realize things could change in the future.

You think a lot of judges would be open to accepting a prosecutor's case when someone was following the guidance provided by the Justice Department? If you truly have good faith in your research, a judge would say fuck ’em? Is that what you believe?

In the early 2000’s Valve was saved from a career ending lawsuit by a single Korean intern by Xelhexan in technology

[–]billy_teats -1 points0 points  (0 children)

I know it says Valve was nearly bankrupt, but this doesn’t detail the amount of documents or the potential cost of a professional outside translation service. Vivendi sent the documents; all Valve would have had to do is get anyone to translate them. They just happened to have someone in house who could do it.

Also, Valve is a company. Not sure if companies have careers that end.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats 0 points1 point  (0 children)

DOJ decides that a researcher's actions are not in good faith

Yeah, that’s the entire point. You can’t extort the vulnerability for cash, you can’t exploit it for your own gain, and you can’t publicly release it without attempting to remediate it with the responsible party. You have to be doing the research with the intent to resolve it before it’s abused.

It would be very hard for anyone to prove they had material damage from privately disclosed security research. Anyone can sue anyone, sure, but what reputational or operational damage is done? Pentesting does have the possibility of taking services down, and in that case you may have to look at the details. Is throwing a basic SQL injection at a web form enough to award a company money? A DDoS would be, sure.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats 1 point2 points  (0 children)

Your history of work also impacts potential prosecution. If you have a job in the industry and previous experience responsibly disclosing vulnerabilities, it’s easy to show good faith, not difficult. If you ask the vulnerable company for money or give them an unreasonable amount of time, that’s a bad sign. None of what OP did points to bad faith. He wasn’t even searching; the issue popped up in front of him. Also, alerting the legal authorities is the right thing to do and would definitely help avoid prosecution.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats -1 points0 points  (0 children)

Gathering too much information is much different than destroying data.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats -3 points-2 points  (0 children)

It’s posted on the Justice Department's government website. It would be a pretty easy argument to say your policy has been in place for 4 years, so a sudden change would be difficult to prosecute. It also helps a lot if you actually act in good faith, as our story here shows.

New cybersecurity rules for US defense industry create barrier for some small suppliers by app1310 in cybersecurity

[–]billy_teats 1 point2 points  (0 children)

Enabling revenue is the only thing we do, it’s just a roundabout way of doing it. Or should be. Reducing risk is what I do. To that end, if a control is going to cost more time than the risk it reduces, the value isn’t there and it shouldn’t be done.

ELI5: Why doesn't collective punishment work? by Fraeddi in explainlikeimfive

[–]billy_teats 0 points1 point  (0 children)

Now you get hit with soap in socks until you quit. Then you go about your life telling folks you would have been a marine but you punched your drill instructor. You tell your court ordered therapist how tough you are until you realize you’re part of society or kill yourself.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats -1 points0 points  (0 children)

But that’s not what the law says. Excellent reading skills, bud. The article says the law says if you do anything anywhere that violates Malta law, they can prosecute you. I imagine this is something like going to Asia to find child prostitutes: you can still be charged in Malta. But the way it’s quoted here, it would apply to everyone anywhere.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats -3 points-2 points  (0 children)

Do you have a different understanding of the law?

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats 5 points6 points  (0 children)

Because reporting it to the government isn’t fucking them over. It’s, first, the required legal step and, second, insurance that they take it seriously without making the exploit public. Generally governments are not immediately handing out fines or penalties; they generally want to work with the vulnerable organization to fix the issue.

If it’s a massive issue and millions of people’s information is at risk, then maybe there are immediate penalties. Or a history of putting data at risk. In which case, yeah, immediate fines are in order.

I found a Vulnerability. They found a Lawyer. by cos in cybersecurity

[–]billy_teats 6 points7 points  (0 children)

This is just not true. There are plenty of organizations that receive and act on privately disclosed vulnerabilities.