This is gonna catch some folks out π
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog I used a rooted device, purely to copy my totp keys out of Microsoft Authenticator, because there's no native way of exporting them to migrate to a different platform.
I suggest everyone else does too. It's stored in an sqlite database as plain text, so it's trivial to extract them once you have access
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog This is still just the authenticator TOTP protocol documented in an RFC?
-
R relay@relay.infosec.exchange shared this topic
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog this is completely idiotic. Let me guess, they also eventually will start ratting out Android devices which no longer receive security updates and wipe them as well? Fuck Microslop
-
R relay@relay.publicsquare.global shared this topic
-
@GossiTheDog This is still just the authenticator TOTP protocol documented in an RFC?
@dascandy @GossiTheDog They have some custom push thingy too.
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog The irony. It means authenticator will not work on secure smartphones with @GrapheneOS even with the bootloader locked! But it will run fine on commercial phones that have countless holes and are broken into with cellebrite in a matter of hours (yes, when locked) -
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog This is going to do wonders for work/life balance
-
R relay@relay.mycrowd.ca shared this topic
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog waiting for the first false positive...
-
@GossiTheDog this is completely idiotic. Let me guess, they also eventually will start ratting out Android devices which no longer receive security updates and wipe them as well? Fuck Microslop
I have worked for organisations that do just that - their mobile device management platform does a remote wipe of the work profile if you do not keep the system up to date: if you fall more than two versions behind you get a week to upgrade or no work email / teams / access for you.
Bliss.
-
I have worked for organisations that do just that - their mobile device management platform does a remote wipe of the work profile if you do not keep the system up to date: if you fall more than two versions behind you get a week to upgrade or no work email / teams / access for you.
Bliss.
@BernardSheppard @GossiTheDog they can do whatever the fuck they want with devices that THEY issued. But they can go fuck themselves if they expect to gain access to my private device for shenanigans like that
-
@BernardSheppard @GossiTheDog they can do whatever the fuck they want with devices that THEY issued. But they can go fuck themselves if they expect to gain access to my private device for shenanigans like that
@DJGummikuh this was on byod devices - but, yeah, I hear you.
This was a major multi-national with, by and large, compliant staff.
You could either be given a shitty work supplied locked down device that was several generations out of date, and carry two phones (which personally shits me) or accept that, if you wanted to byod, which you could self-enrol, you had to keep it reasonably up to date.
As I was there for only a few months, and I didn't particularly want or need to have work email on my phone, I opted out.
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog I've always felt weird about using my personal device for anything work related. Fortunately I was never forced to use it for email/teams. If this gets implemented, I hope people just start pushing for companies to provide them devices to use.
-
@DJGummikuh this was on byod devices - but, yeah, I hear you.
This was a major multi-national with, by and large, compliant staff.
You could either be given a shitty work supplied locked down device that was several generations out of date, and carry two phones (which personally shits me) or accept that, if you wanted to byod, which you could self-enrol, you had to keep it reasonably up to date.
As I was there for only a few months, and I didn't particularly want or need to have work email on my phone, I opted out.
@BernardSheppard @DJGummikuh @GossiTheDog
Why would anyone byod or even mix private/business hardware, especially if there's MDM going on. I never got that.
Also, work hardware is going into poweroff after the agreed upon hours unless very special conditions and pricing apply.On the other hand: Keeping the MDM'd business hardware up-to-date/updated or lock it otherwise sounds pretty sane.
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog Compelling reason why my next job in tech under Microslop is paying for a workplace handheld 100% so my rooted phone can stay off of work.
-
@GossiTheDog waiting for the first false positive...
@KHoos @GossiTheDog Right? Or a regression where MS believes all is well when millions are affected.
-
@BernardSheppard @DJGummikuh @GossiTheDog
Why would anyone byod or even mix private/business hardware, especially if there's MDM going on. I never got that.
Also, work hardware is going into poweroff after the agreed upon hours unless very special conditions and pricing apply.On the other hand: Keeping the MDM'd business hardware up-to-date/updated or lock it otherwise sounds pretty sane.
When it was a small IT team, and the head of IT was a peer, and I could discuss, understand the stack, and trust him, a work profile was no big deal.
Otherwise, yeah, nah, you can supply me with a phone. Which I will still turn off.
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog FreeOTP+
Works fine for #Mircoslop and all other OTP tokens
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog π€―
Not quite unbelievable, but wow.
-
@GossiTheDog This is still just the authenticator TOTP protocol documented in an RFC?
@dascandy @GossiTheDog It's several different things. Standardized TOTP is supported; two similar looking but distinct('microsoft authenticator(push notification)' and 'microsoft authenticator(phone sign-in)' proprietary things are supported and preferred in default AAD configs; and it's also the client for "Face Check"/"Verified ID" cases, if an org is paying up for that.
-
@GossiTheDog this is completely idiotic. Let me guess, they also eventually will start ratting out Android devices which no longer receive security updates and wipe them as well? Fuck Microslop
@DJGummikuh @GossiTheDog If 'play integrity' and similar are anything to go by; ancient and busted will be fine; so long as it's the ancient and busted that your OEM intended. The enemy, after all, is your filthy little hacker fingers; not an industry of pervasively abysmal code quality and more or less open contempt for confidentiality issues.
-
RE: https://infosec.exchange/@merill/116203323789181775
This is gonna catch some folks out
@GossiTheDog thats why I dont use MS Apps on my Phone. I have setup a Auth Code App like Aegis for my work account I hope its still a option.
