Sysadmin

Random_user , in Microsoft leaks 38TB of private data via unsecured Azure storage

That must be why I’ve been getting a million 2fa emails recently asking me to verify my Microsoft account sign in.

Nath ,
@Nath@aussie.zone avatar

Hmm, by using Authy I wouldn’t receive these. They’d just be asked for the current code and unable to proceed.

On the one hand I’m happy not getting spammed like you with 2fa requests. On the other, I think I’d like to know if any of my user/password pairs have been compromised.

russjr08 ,
@russjr08@outpost.zeuslink.net avatar

I imagine at some point it could be added to the Have I Been Pwned tool, which you can use to check for the presence of your credentials being in a data breach.

XTornado ,

Tbh I am not sure what he is talking about. I didn’t know Microsoft had 2FA by mail. They have their authenticator app, SMS, physical key, Windows auth (or whatever it’s called, where the PC acts as key/2FA). I know of one case where you can get invited to an org and if you don’t have an Azure account the login is done by a mail they send you, but I wouldn’t call that 2FA. But I guess there is a mail version I didn’t know about.

Nath ,
@Nath@aussie.zone avatar

Oh you’re right. I thought it was notification spam to the phone/watch that @Random_user was complaining about.

There is an email MFA method for Hotmail/LiveID accounts, but M365 doesn’t have email as an authentication method. There’s Authenticator Lite, which comes through as a notification through the Outlook app on the phone, though. Not so many organisations use it because it’s fairly new and we’ve mostly been doing MFA for years by now.

beetus ,

Pretty sure the person who said they are getting 2FA emails meant that they are getting email alerts from Microsoft that say “we blocked these logins. Were they you?”

Some service providers do this when they see large attempts to access accounts fail due to 2fa blocks.

peyotecosmico , (edited ) in Exec at my company: Look at this email, does it look like a scam?

I call a victory the fact that he’s asking. I’ve seen the consequences of people just clicking and when you tell them what they did is wrong they just blatantly lie to my face.

Pons_Aelius , (edited ) in Toyota says plant shutdown last week due to Zero disk space

$100 says there is a series of emails sent by a sysadmin/DBA over the past couple months warning about this issue in explicit detail and its increasing urgency, that have been ignored.

The person sending the emails will still get chewed out because they failed to make the higher ups realise this is a real problem.

Faceman2K23 ,
@Faceman2K23@discuss.tchncs.de avatar

Of course, to get anything done by corporate japan you need to put it in writing and fax it.

Toad_the_Fungus ,

my $100 goes to them storing so much of their customers' personal data on the servers

Pons_Aelius ,

While that story is shitty I doubt the manufacturing control DB and customer data DB are anywhere near each other.

nickwitha_k , in You have a organizational identity right?

Not pictured: Using a CA to properly administer certs because self-signed certs are not secure.

Fal ,
@Fal@yiffit.net avatar

They’re more secure than CA certs

nickwitha_k ,

Could you explain your statement further?

Fal ,
@Fal@yiffit.net avatar

Basically with self signed certs, you control the ENTIRE trust chain. When you use existing CAs, any bad actor in any of those CAs can generate certs that you would end up trusting. So it’s less secure because you have to trust a lot more people.

nickwitha_k ,

And if you’re not using a trusted CA, you are unable to protect against MitM and other forgery attacks, as well as needing to rely upon a mechanism like TOFU in order to avoid auth fatigue and other human error, which is not great.

Fal ,
@Fal@yiffit.net avatar

you are unable to protect against MitM and other forgery attacks

Uhh, using a self signed cert doesn’t mean you just accept any old cert… Not every cert is designed for serving content to a browser. You do SSL mutual auth between services using self signed certs

nickwitha_k ,

You do SSL mutual auth between services using self signed certs

If you do, you remove the ability to prove that a service is what it claims to be as this requires accepting its provided cert - that is, authenticate it. You have to trust somewhere, even in a “zero trust” environment. Using self-signed certs for services to communicate means that you have to either have manual involvement every time a service comes up or accept the authenticity of a self-signed cert automatically. Either would be a compromise in security over use of a private CA, not an improvement.

Again, that works if your only concern is data across the pipes being encrypted during transmission, but it removes nearly all of the other additional security provided by PKI and increases your threat surface. It can be acceptable in some cases, like dev envs or as temporary measures, but with the constant increase in malicious traffic and activity, we’ve got to aim for better.

Fal ,
@Fal@yiffit.net avatar

Oh. I’m absolutely including a private CA as part of self signed cert. That’s probably my misuse of the term

nickwitha_k ,

Oh! Then you are doing it right. That was basically my entire objection - having A chain of trust is necessary to effectively and securely use certs because you have a mechanism to validate, rather than trust the cert that is presented as authentic. :)

slazer2au ,

How are they not secure? You are still doing TLS to the service, maybe they have weak keys but it is still a form of secure connection.

nickwitha_k ,

Certs do more than encryption in transit. They are also used for protection against MitM and authentication. Self-signing removes the ability to verify a cert’s authenticity.

Daqu ,

That’s bullshit. You are the one who issued the cert. You can add it to your list of trusted certificates. You just have to check that this is the right certificate.

Your man in the middle scare comes from users who ignore cert warnings and continue without checking anything.

nickwitha_k ,

That’s bullshit.

Nope. That’s the basics of PKI and scalable, secure, low-trust environments.

You are the one who issued the cert. You can add it to your list of trusted certificates. You just have to check that this is the right certificate.

You can indeed do these things. But, are you and your users going to verify every cert for every request and response? That’s a lot of unnecessary cognitive load and tedium, both of which are known to compromise judgement. Are you going to automate it? Ok then how are you going to verify the authenticity of a given cert?

Your man in the middle scare comes from users who ignore cert warnings and continue without checking anything.

Humans are not rational actors. Does everyone read the entire EULA? Not even close.

The problem with your statement, and why it is fallacious, is that you are not accounting for humans besides yourself. I’d even argue that you should also take your human nature into account because we all make mistakes.

Robust security postures do not require everyone to act perfectly but accept and plan for the fact that we’re fallible. That is why chains and webs of trust were created, so that humans and automated services can take an approach of deference towards a less mutable “expert” on whether a claim of authenticity is trustworthy - giving them the capability and responsibility of deciding this for themselves introduces unnecessary targets for exploits.

Daqu ,

Your man in the middle argument is invalid, no matter how much you write. Just trust your self signed certs and your users see no difference. That’s even more secure than blindly trusting the idiots from verisign.

Don’t act so smug.

nickwitha_k ,

Your man in the middle argument is invalid, no matter how much you write.

It really isn’t and it’s a significant part of why PKI exists in the first place. I’ve been doing this stuff professionally for over a decade and am very familiar with ISO27001, SOC2, and CIS standards, as well as generally just finding that a healthy dose of paranoia in computing keeps things more secure. Understanding how and why PKI works and is architected as it is is something that I recommend that everyone involved in technology explore.

Just trust your self signed certs and your users see no difference.

This is problematic if a service needs to be redeployed, the cert expires, or becomes compromised, leaking its keys. In the former two scenarios, the new cert needs to be added on all of your end users’ machines. If you have just a few users, sure, that’s easy enough but, tedious and unnecessary. If it is a case of the latter, you now need to revoke the cert on all systems that have trusted it and deploy a new one. Again, tedious and prone to human error. Plus, you have to hope that you detect this quickly, otherwise a malicious host can harvest a lot of potentially-sensitive information, a situation easily prevented with a trusted CA.

That’s even more secure than blindly trusting the idiots from verisign.

I’m not suggesting that a public CA is the best choice for everyone or every situation. For internal use, a well-managed private CA or LE is probably a better choice, purely from a cost perspective.

I’d also like to understand why you are so hostile towards Verisign and feel better qualified in cert management. Were you or someone close to you caught up in their 2010 breach?

Don’t act so smug.

Not sure where this hostility is coming from. I am primarily explaining how these statements are not in line with intended use of security technologies and best practices. If you don’t like currently accepted security best practices, that’s absolutely your prerogative.
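The three situations nickwitha_k describes (a service presenting a cert that chains to a private CA, an impostor presenting a self-signed cert for the same hostname, and a cert that has passed its expiry) can be reproduced with nothing but Go's standard library. The following is an added example written for this thread, not code from any poster or from Microsoft; the CA name and the hostname `db.internal.example` are constructed, and the keys are throwaway P-256 keys generated at run time. The point it shows is the one the thread circles around: a client that verifies against a trusted root never has to decide whether a presented cert "looks right", because the only thing it trusts is the chain to the root it already holds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed serial counter for this demo; a real CA uses random serials.
var serial int64

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func nextSerial() *big.Int {
	serial++
	return big.NewInt(serial)
}

// MakeCA creates the root of a private CA: a self-signed certificate carrying the
// CA basic constraint and the certSign key usage, valid for one year from now.
func MakeCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IssueServerCert creates a leaf certificate for dnsName. With a CA parent the leaf
// is CA-issued; with parent == nil it is self-signed, which is exactly the kind of
// certificate any host on the network can mint for itself.
func IssueServerCert(dnsName string, now time.Time, lifetime time.Duration,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key // self-signed: the leaf signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyAgainstCA is the check a connecting service performs: does the presented
// certificate chain to the root we already trust, name the host we dialled, and
// sit inside its validity period at time `at`? The presented cert itself is
// never trusted on sight.
func VerifyAgainstCA(leaf, root *x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: at})
	return err
}

// Scenarios runs the three cases from the thread and returns each verification result:
// a CA-issued cert (passes), a self-signed impostor for the same hostname (fails, the
// MitM case), and a CA-issued cert checked an hour after it expired (fails).
func Scenarios() (genuine, impostor, expired error) {
	now := time.Now()
	host := "db.internal.example" // constructed hostname
	root, rootKey := MakeCA("Example Private Root CA", now)

	good := IssueServerCert(host, now, 24*time.Hour, root, rootKey)
	genuine = VerifyAgainstCA(good, root, host, now)

	fake := IssueServerCert(host, now, 24*time.Hour, nil, nil)
	impostor = VerifyAgainstCA(fake, root, host, now)

	shortLived := IssueServerCert(host, now, time.Hour, root, rootKey)
	expired = VerifyAgainstCA(shortLived, root, host, now.Add(2*time.Hour))
	return
}

func main() {
	genuine, impostor, expired := Scenarios()
	fmt.Println("CA-issued cert:      ", genuine) // <nil>
	fmt.Println("self-signed impostor:", impostor)
	fmt.Println("expired cert:        ", expired)
}
```

The same `VerifyAgainstCA` call is what the server side runs on a client certificate in the mutual-auth setup Fal mentions (with `ExtKeyUsageClientAuth` on the leaf instead), so both ends hold one root and neither needs a per-cert exception list. Rotating a service cert in the expiry case means issuing a new leaf from the CA; no client configuration changes, which is the operational difference from pinning individual self-signed certs on every client.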

TheJack , in New Windows driver blocks software from changing default web browser

Important part from the article:

Windows users can still change their default browser through the Windows settings.

redcalcium ,

I understand the need for security, but default is powerful, which is why the EU requires OS vendors to provide a browser choice screen instead of letting the OS vendors pick their own default browser. Without coupling this restriction with a browser choice screen, this would guarantee to increase Edge market share simply because it’s the default.

possiblylinux127 OP ,
@possiblylinux127@lemmy.zip avatar

Great how many people are going to do that

pendulum_ ,
@pendulum_@lemmy.world avatar

Almost all of them. Especially corporate customers on managed devices

I'm as pro *Nix as the next person, but be careful of viewing the world through rage coloured lenses. Just makes everything look like a red flag.

Chronographs ,

Yeah I’ve seen malware that installs their own version of chromium and sets that as the default, I’m assuming this will block that

possiblylinux127 OP ,
@possiblylinux127@lemmy.zip avatar

Maybe I'm out of the loop but I've never heard that being a major issue.

possiblylinux127 OP ,
@possiblylinux127@lemmy.zip avatar

You're assuming everyone understands how default apps work. And you are forgetting that most people get intimidated by the popups trying to get you not to change the default.

It is complete enshittification if you ask me. There should be no reason why an application can't have a button to make it the default.

pendulum_ ,
@pendulum_@lemmy.world avatar

It's possible that I've been lucky, and my experience of end users when it comes to Windows lately has been with people using it since Windows 10, which strongly pushed the Default Apps configuration vs previous versions. The world is a big place after all

possiblylinux127 OP ,
@possiblylinux127@lemmy.zip avatar

Maybe I'm just overreacting. But people like us deal directly or indirectly with the fallout of such madness. I hope that the DOJ goes after Microsoft at some point soon or at least scares them a little.

pendulum_ ,
@pendulum_@lemmy.world avatar

Certainly wouldn't hurt them, the fear of God never hurts an international company

thorbot , in fuck Adobe and fuck their licensing

Ah yes true sysadmin energy in this post

e_t_ Admin , in New Windows driver blocks software from changing default web browser

"You will use Edge as your default browser"

possiblylinux127 OP ,
@possiblylinux127@lemmy.zip avatar

They are literally saying F you to literally everyone

APassenger ,

They did this before with IE...

Railing5132 , in r/sysadmin and the size of this community

The absolute only thing I go back to reddit for is the patch Tuesday megathread. I do dearly wish that info was here so I could cut ties completely.

possiblylinux127 OP ,
@possiblylinux127@lemmy.zip avatar

I'm down to setup a bot

Railing5132 ,

We'd just need to lure a few suckers testers on the order of Taco to expose all the gotchas.

NoneYa , in Ukrainian military says it hacked Russia's federal tax agency

Ah how I wish someone would delete the IRS’ records and backups 🥰

But on a relevant note, that is major! Hitting Russia in the wallet is going to hurt. The morale among the civilian population can get worse under this too.

Dave ,
@Dave@lemmy.nz avatar

I’m actually wondering how many Russian billionaires are celebrating today that the tax department has lost the records of all the tax bills they haven’t paid.

Habahnow ,

Yeah it’s the rich that benefit from this, same if it happened to the US. The rich take longer to audit than the poor

paultimate14 ,

To be fair I think Ukraine benefits from this too

NoneYa ,

I bet a ton are. And probably not for current years but past years of making mistakes, whether on purpose or not are likely now gone and they effectively have a clean record.

But I wonder if they had anyone making payments. How are they going to know their balance? This is assuming their tax structure is similar to what the US has.

It could benefit a lot of people from all classes. But could also create a lot of havoc when the government demands to be paid and the people don’t agree with the numbers being demanded.

Vilian ,

err, i think it doesn’t matter, billionaires already rule the country, so they weren’t going to be held accountable to begin with

sukhmel ,

Optimistically, whatever tax is not getting paid, it converts to money not being spent to continue the war. Realistically I would expect the government to cut every other expense but the war, so this is not going to influence the war short-term :(

The thread starter is probably right about civilians’ morale, cause they are going to be sucked dry of any money even faster with this kind of fuck-up from government

Samuel_Sturm , in Are we the only shop with constant login bullshit on Office 365 desktop apps?

Are you using Trend Antivirus? We just finished a months long fight of very similar symptoms, and it was that our antivirus was deleting the login tokens.

…microsoft.com/…/cannot-sign-in-microsoft-365-des…

ramble81 ,

This is what it was for us too.

HC4L OP ,

No sorry, we use the same config across the board so that wouldn't explain the randomness. I'll look into it though.

Samuel_Sturm ,

We used the same config everywhere, still got randomness. Can’t explain why. Good luck!

videodrome OP , in Cyber professionals say industry urgently needs to confront mental health crisis
@videodrome@lemmy.capebreton.social avatar

I think this is a problem in tech/it careers in general

CyberCatBytes ,
@CyberCatBytes@kbin.social avatar

I completely agree

I feel like cybersecurity should specifically be addressed in terms of it though; The responsibilities & all that get even more insane and I've noticed my friends working in the field are especially stressed out

reversebananimals , in On Call Sleep Question

I tell my engineers - if you get paged off hours, however much time you spend resolving the issue, take that time back from the next workday.

I also practice what I preach - if I get paged at 3am and work on the issue until 5am, I’ll come in 2 hours late or leave 2 hours early.

NonDollarCurrency OP ,

This is how we do it here as well but I find the lack of sleep even if I went home an hour or two earlier impacts the entirety of the workday.

Fal ,
@Fal@yiffit.net avatar

Also why not come in later and take that time in the morning?

NonDollarCurrency OP ,

1 carpark, carpool with partner at a set starting time or else pay thousands of dollars for parking per year. It’s not really worth it end of the day.

Osa-Eris-Xero512 ,

I would think that an on-call night would make for an automatic work from home day + sleeping in the following day.

reversebananimals ,

It sounds like you’ve got a good manager, so hopefully they won’t hold that against you. This is the reality of oncall - it sucks!

When you get woken up in the middle of the night, of course you’re going to be more tired the next day. I’m the same as you - I can’t fall back asleep if it’s early morning so I normally just stay awake and am tired that day. You shouldn’t feel guilty for being at 1/2 capacity after working all night to solve your employer’s problems!

NonDollarCurrency OP ,

Yeah my manager is sympathetic to it because they also have to do on call on the roster. So they know the pain of getting up at those hours of the morning. I think based on the information in this thread I have a good strategy for this.

MrPoopyButthole , in Microsoft leaks 38TB of private data via unsecured Azure storage
@MrPoopyButthole@lemmy.world avatar

Azure storage defaults to being private and when you make it public it gives you a warning prompt to accept…

ChlorineAddict ,

That must be new… it has been default to public for most of its history.

slazer2au , in Google sucks (rant)

So you don’t have application lifecycle management?

breakingcups ,

I’m the first to shit on Google, but this change was communicated so far in advance it really is on OP and his company. They could have been ready long ago.

slazer2au ,

It’s like the people bitching about MS changing Azure AD to Entra and how they have to rewrite part of their automation flow. But the module to access Azure AD has been on the deprecation path for over a year.

yoz ,
breakingcups ,

I guess nuance is lost on you, you’d rather feel smug I guess?

possiblylinux127 OP ,
@possiblylinux127@lemmy.zip avatar

It's a small business that I came into. Previous people didn’t do their job very well and left very little documentation

REdOG , in How to learn Windows?
@REdOG@lemmy.world avatar

How to learn Windows? Years of pain and torture of course.

What to learn? Powershell, learn powershell.

Then as you follow along any guides or howtos for administrative tasks, try to search how to accomplish the same things in powershell. Take notes on your own powershell learnings. I keep all my windows administrative powershell one liners, scripts, and notes in the same digital notebook for quick reference and updating.

If you're already experienced with bash, like I was, learning PowerShell might be tough. As it was for me, I had trouble understanding why PS cmdlets seemed to hide data when piped... Format-Table (ft) and Format-List (fl) help tremendously

Powershell remoting is still a pain in my ass in most places, I rarely use it.

There's a windows admins discord group that's pretty savvy I asked and learned a lot along the way there.
https://discord.com/invite/winadmins

YouTube! Don't necessarily look for YouTube powershell windows videos. Just the necessary tasks through the GUI will give you the correct direction to begin converting a process to PS. Learn how other Admins process tasks by watching them. Especially if it's an often repeated task try converting some or all of what they do in the video into PS equivalent.

With all of that said, knowing PowerShell doesn't really help recovering from disasters. Knowing how to install Windows and recover data from borked systems is a task best learned through battles. So, absolutely set up VMs and install all manner of versions you'll be working with... that way you'll have familiarity with when things go wrong in them. I've yet to install Windows 11 in a VM but I did try to install a copy onto a Surface tablet only to learn the hard way that doing so leaves the tablet without the drivers necessary for using the keyboard and touchscreen... weird, need a custom-built image or recovery image, great fun.

Trainguyrom ,

Powershell remoting is still a pain in my ass in most places, I rarely use it.

So the big thing with remote Powershell sessions is that you can't hop around like you can with SSH, but it's super useful when troubleshooting complaints of frozen/misbehaving systems with less resource needs than rdp

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

Pywin32 does fascinate me

I can have python on Windows with the power of Powershell

REdOG ,
@REdOG@lemmy.world avatar

I love python. Even on windows but I tend to try to learn to live off the land and not prerequisite my admin skills on additional software that may not always be available or an option.

possiblylinux127 ,
@possiblylinux127@lemmy.zip avatar

I only really use powershell for Windows administration. I refuse to use WinRM though as OpenSSH works fine.

Sailing7 ,

Nah you don't need a special image for the touchscreen and stuff. Check the advanced update settings for optional downloads and also give the Surface app in the Microsoft Store a shot. It actually is not terrible for troubleshooting.

Other than that:
Create your own custom image if you deeply wish to. Here is the help doc:

https://support.microsoft.com/en-gb/surface/download-drivers-and-firmware-for-surface-09bb2e09-2a4b-cb69-0951-078a7739e120
