• 0 Posts
  • 60 Comments
Joined 3 months ago
Cake day: March 28th, 2024


  • But MS teams is very secure! It’s sandboxed in a web browser :) It’s effectively a single-tab display of an entire ram-eating chromium process :)

    The only unfortunate side effect is that it can’t read your system default audio output, so it uses a cryptographically secure random number to decide which other audio output to use. That’s right - it very securely knows about all of your audio outputs, even though they aren’t the system default :)

    Did you just try to send someone a file? Don’t worry, I’ve put the file in sharepoint for you, and have sent them a link instead. Actually, wait - you had already sent that to someone else, so I sent file (1).docx instead. Actually wait - that was taken too. Now it’s file (2).docx.

    I would like to provide a friendly reminder that you will need to manage the file sharing permissions in sharepoint should anyone else join this 1-on-1 direct message chat :)


  • Use network namespaces :)

    A brand new network namespace doesn’t have any network interfaces. When you start a process in a namespace, all its child processes will start there too. It’s like a little network jail, and the functionality is baked into the kernel / is kernel enforced.

    I use this to keep certain processes on a vpn, with no need for interface-binding support from the process, or a vpn-killswitch.

    Another fun fact: this is the functionality that enables containerization, like docker/podman.
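
The VPN jail described in the comment above, sketched as an added example (not the commenter's own setup): it builds the namespace, moves an existing WireGuard interface into it, and audits that nothing but loopback and the VPN link is present. The names `vpnjail` and `wg0` and the address `10.0.0.2/32` are assumptions, and setup needs root.

```shell
#!/bin/sh
# Added example. NS, VPN_IF and VPN_ADDR are assumed values, not from the page.
NS=vpnjail
VPN_IF=wg0
VPN_ADDR=10.0.0.2/32

# Build the jail. Assumes $VPN_IF was created and keyed in the host namespace.
jail_setup() {
    ip netns add "$NS" &&
    ip -n "$NS" link set lo up &&
    ip link set "$VPN_IF" netns "$NS" &&          # addresses are cleared by the move
    ip -n "$NS" addr add "$VPN_ADDR" dev "$VPN_IF" &&
    ip -n "$NS" link set "$VPN_IF" up &&
    ip -n "$NS" route add default dev "$VPN_IF"   # the only way out is the VPN link
}

# Read `ip -o link show` output on stdin and print every interface that is
# neither lo nor $VPN_IF. Exit status is 0 only when none is found.
unexpected_ifaces() {
    awk -v vpn="$VPN_IF" '
        { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        name != "lo" && name != vpn { print name; bad = 1 }
        END { exit bad + 0 }'
}

# Audit the live namespace: fails if a veth or bridge port has been added.
jail_audit() { ip -n "$NS" -o link show | unexpected_ifaces; }

# Run a command inside the jail; its children inherit the namespace.
jail_run() { ip netns exec "$NS" "$@"; }

# Constructed sample of a jail that also holds a veth end (a leak path).
sample_leaky() {
    printf '%s\n' \
        '1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN' \
        '5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN' \
        '7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "setup" ]; then
    jail_setup && jail_audit && echo "jail $NS ready"
fi
```

Running `jail_audit` from a timer or before each `jail_run` catches the case where a later change quietly gives the namespace a second path out.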



  • It really depends on the parameters of the thought experiment.

    If everyone suddenly received a lot of money, there would be a wild period of adjustment before we figure out the pricing system again and life continues as normal. Even though there’s a lot more money, there are not magically more TVs to buy. Nor would we all start building TV factories - there’s not magically more copper or concrete to buy either.

    If we all got more money and buried it in our yards and swore never to use it, then nothing has changed. For the sake of the thought experiment, someone would break the promise (I would - I want air conditioning), and then everyone else would break it too, and we end up in the previous situation.

    If everyone were suddenly truly wealthy - as in stuff / things - some might think we would chill out and coast for a while. But having satisfied our big needs (I am not being hunted by tigers) and our medium needs (Air conditioning, yay!), I imagine humanity would just keep working - there are always more problems to solve / there is always more work to do.





  • The threat model helps a lot.

    I work for a small consulting firm. We do security assessments, but not the kind you’re looking for. I don’t want to sell you anything.

    From your intro here, I would expect to book a resource on this project at 50% utilization (to avoid burnout) for about 3 weeks. One week of assessment, one week of report writing, and we’ll say a week of overhead / buffer (to get things rolling / ask questions / interviews / report readout). That’s a total of 60 hours.

    My employer is expensive; we charge about $300/hr per resource. That comes out to about $18k. I would call this an upper limit (though in truth there is no upper limit. If you put multiple $700/hr resources on a project and let them bring in SMEs, things get expensive fast.)

    If you haven’t done a security review before, I wouldn’t worry - you aren’t ready for the $18k service, or the $1k service. You will need a 3rd-party certificate eventually, but right now all you need is trust from your userbase, and openness and transparency are a good initial strategy.

    When it’s time, throw a hundred bucks at a local college student who’s into cryptography. Then fix / address all their findings. Then go for the next level, and fix their findings. There will always be findings; what you are buying is user trust. The more in-depth the review, the more trustworthy - but you don’t want the expensive service to be distracted by things a college student could have caught.

    I am intoxicated and rambling - let me know what questions you have :)






  • My apologies, allow me to elaborate - grayhatwarfare.com is a cybersecurity company that crawls and indexes publicly-available blob stores, like s3 buckets, azure storage accounts, digital ocean spaces, and google cloud object stores. They offer limited search capabilities for free, no account-wall.

    They are a legitimate cybersecurity company, despite their name.

    My employer is working on a sensitive data scanning service, to alert clients in case their information surfaces in these buckets (even if they do not own the bucket), leveraging the grayhatwarfare api. In short, allowing us to detect and remediate the problem, which I hope you will agree is a white-hat activity :)

    I do not publicly condone breaking the law. I reserve the right to criticize the DMCA tho ;)