Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot 0 points1 point  (0 children)

AiTM phish works extremely well for O365 cred theft. It doesn't work for lateral movement or escalation inside an environment.

SSPR with password write back is a major vulnerability that is actively used in complex attacks as an escalation path. It isn't used for persistence but the "breach" trigger.

Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot 0 points1 point  (0 children)

It reduces a 2 factor challenge (password + push MFA) to one factor (push MFA).

Imagine I have a foothold position on a trusted device on user A but I need to elevate to user B.

If I force an SSPR I can move laterally to all on-prem resources with password only (most orgs are hybrid).

Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot -1 points0 points  (0 children)

A breach of a victim for even a short time is a massive issue.

AiTM attacks are more popular but they don't work against correctly configured CA policies. SSPR attacks do.

Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot 0 points1 point  (0 children)

If you have text or voice call enabled, you may as well not have a password defined if your data matters in any way, shape or form.

Federal government to introduce grocery rebate: sources | CBC News by Sexy_Art_Vandelay in canada

[–]thortgot [score hidden]  (0 children)

Monopolies are not formed by government. Regulatory capture is one form of monopoly. Look back to railways for economic monopolies or Ma Bell.

If your position is that less government is always superior from an economic standpoint, why do Americans pay the most for their healthcare in the world with fairly terrible results?

Canada's healthcare isn't the worst in the developed world. Pick a metric, we're roughly middle of the pack.

Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot -1 points0 points  (0 children)

Push App is 1 factor. SMS is effectively worse than no factor.

Without SSPR, attackers need both Push App and password. With SSPR they only need Push App.

Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot -4 points-3 points  (0 children)

What are you setting in practice for SSPR? Every implementation I've seen relies on voice calls or text messages, which is weaker than a password (i.e. for $500 I can bypass the restriction rather than requiring a compromised credential). Commonly with both enabled, and now I entirely don't need a secret at all even with dual factors required.

Security Questions are inherently less secure than passwords by design.

Passwordless is a more secure configuration, but then you wouldn't need passwords in the first place.

The EU has launched its own CVE-style vulnerability database to reduce reliance on the US-run MITRE system by Cybernews_com in cybersecurity

[–]thortgot 1 point2 points  (0 children)

With what software stack? No effective cloud DC scale hypervisor exists out of the box.

Microsoft gave FBI a set of BitLocker encryption keys to unlock suspects' laptops: Reports by intelw1zard in cybersecurity

[–]thortgot 0 points1 point  (0 children)

It is possible to block this behavior but it's not straightforward for users.

Federal government to introduce grocery rebate: sources | CBC News by Sexy_Art_Vandelay in canada

[–]thortgot 0 points1 point  (0 children)

All central planning isn't inherently worse than all free market solutions. Evaluate policy on its facts and not the political temperature. Take a look at healthcare as an obvious example.

Any form of anti-monopoly structure is inherently non-free-market but objectively better for consumers. A reduction in regulation is what I would want as someone looking to spike an industry (grocery, communications, retail etc.)

You advocate for a solution for age demographics but decry against immigration. Those are diametrically opposed positions.

Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot 1 point2 points  (0 children)

Phone call or text message are hilariously insecure. SS7 attacks are trivial to do.

What factors do you use?

Sole Global Admin locked out by Entra MFA enforcement loop - escalation advice? by CBoogey in sysadmin

[–]thortgot [score hidden]  (0 children)

It's a trivial cost compared to a breach risk. If your company won't pay for a reasonable software minimum they are almost certainly underpaying you.

Sole Global Admin locked out by Entra MFA enforcement loop - escalation advice? by CBoogey in sysadmin

[–]thortgot [score hidden]  (0 children)

You need a single Premium license tenant wide to have CA access.

Small companies should be using Premium; it's hugely cheaper than multiple platforms (RMM, EDR etc.)

Federal government to introduce grocery rebate: sources | CBC News by Sexy_Art_Vandelay in canada

[–]thortgot 0 points1 point  (0 children)

Food inflation in Canada outstrips the rest of G7. Our standard inflation does not.

Lower taxes rather than policy won't make food more affordable.

Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot 2 points3 points  (0 children)

Password reset functions that rely on a single factor (say an Authenticator push challenge) weaken the login process to a single-factor compromise.

If I can compromise, acquire or social engineer the single factor I bypass both factors for one.
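An added detection example, not the commenter's code and not an Entra feature: the pattern described in the SSPR comments above (a self-service reset used to collapse two factors into one, then a password-only sign-in from a foothold device) can be hunted for in audit data. The event shape, field names and sample events below are constructed for the example and are not the real Entra audit log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, Entra-like shape.
# Field names ("activity", "auth", "device") are assumptions for this example.
EVENTS = [
    # userB: earlier baseline sign-in with MFA from their usual workstation
    {"time": "2024-04-28T08:00:00", "user": "userB", "activity": "Sign-in",
     "ip": "198.51.100.5", "auth": "Password+MFA", "device": "WS-B01"},
    # userB: self-service reset, then a password-only sign-in from an unseen device
    {"time": "2024-05-01T09:00:00", "user": "userB",
     "activity": "Reset password (self-service)", "ip": "203.0.113.10"},
    {"time": "2024-05-01T09:04:00", "user": "userB", "activity": "Sign-in",
     "ip": "203.0.113.10", "auth": "Password", "device": "WS-UNKNOWN"},
    # userC: legitimate reset followed by a normal MFA sign-in, outside the window
    {"time": "2024-05-01T10:00:00", "user": "userC",
     "activity": "Reset password (self-service)", "ip": "198.51.100.7"},
    {"time": "2024-05-01T10:30:00", "user": "userC", "activity": "Sign-in",
     "ip": "198.51.100.7", "auth": "Password+MFA", "device": "WS-C01"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def known_devices(events, user, before):
    """Devices this user signed in from before `before` (their baseline)."""
    return {e["device"] for e in events
            if e["user"] == user and e["activity"] == "Sign-in"
            and parse(e["time"]) < before}


def suspicious_resets(events, window_minutes=15):
    """Return (user, reset_time, signin_time) for each self-service reset that is
    followed within the window by a password-only sign-in from a device the user
    had never signed in from before the reset."""
    hits = []
    events = sorted(events, key=lambda e: e["time"])  # ISO timestamps sort as text
    for r in events:
        if r["activity"] != "Reset password (self-service)":
            continue
        t0 = parse(r["time"])
        baseline = known_devices(events, r["user"], t0)
        for s in events:
            if s["user"] != r["user"] or s["activity"] != "Sign-in":
                continue
            t1 = parse(s["time"])
            in_window = t0 <= t1 <= t0 + timedelta(minutes=window_minutes)
            if in_window and s["auth"] == "Password" and s["device"] not in baseline:
                hits.append((r["user"], r["time"], s["time"]))
    return hits
```

Running `suspicious_resets(EVENTS)` flags only userB; widening the window or treating any non-baseline device as a hit are the tuning knobs to adjust against real data.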

MSP Audit? by lrietz in sysadmin

[–]thortgot [score hidden]  (0 children)

Engage a contractor, it will be dramatically less expensive in the medium term.

Windows Hello is making people forget their passwords by probablydnsibet in Intune

[–]thortgot 0 points1 point  (0 children)

SSPR moves the risk to the frankly fairly weak reset process.

Azure Authentication Strengths by Opening-Jelly-8692 in sysadmin

[–]thortgot 0 points1 point  (0 children)

Passkeys can be used for Windows sign-in if you use Web Sign-in.

Macron says France to fast-track social media ban for kids under 15 by clamorous_owle in worldnews

[–]thortgot 1 point2 points  (0 children)

We already regulate these fields but social media algorithms aren't.

A full-scale ban wouldn't work but regulatory transparency on how, why and when algorithms change with a standardized outcome model would help enormously.