Posts by raesene@infosec.exchange
 (DIR) Post #AP9nKB7O9LhnOXoF6G by raesene@infosec.exchange
       2022-10-30T08:20:49Z
       
       0 likes, 1 repeats
       
As appears to be tradition, here's an #introduction from me :) After some time as a #Netware admin, I've been in #infosec for a bit over 20 years. Started in financial services as a security analyst, moved into #pentesting for banks, then as a consultant for various companies, and now experiencing the sometimes odd world of Security Advocacy. Tech-wise these days I focus on #Kubernetes #Docker and all things containerization, but dabble in #webappsec things and code in #ruby and #golang when required.
       
 (DIR) Post #ASkdlrDK7iRorK4hii by raesene@infosec.exchange
       2023-02-16T11:50:45Z
       
       4 likes, 3 repeats
       
Here's a possibly unpopular #Infosec opinion. For ordinary non-corporate end users, SSO systems like "Sign in with Google/Microsoft/Facebook" are a bad idea. Here's the reason. It's possible to get banned from an entire ecosystem based on a perceived infraction on one site, and there have been multiple cases of this happening. When these bans occur they can stop you being able to use that SSO system, locking you out of every account that uses it. Ordinary end users have very little chance of getting a sensible response from mega-corps when this happens. The impact of being locked out of all your systems if this happens is high, and possibly a worse outcome than losing an individual credential because of a hack when you're managing your own credentials.
       
 (DIR) Post #ASkeT5RV66CHRNJrtY by raesene@infosec.exchange
       2023-02-16T13:10:37Z
       
       0 likes, 0 repeats
       
@scottpack yeah, in a happy path case I can see why SSO makes sense; it's the failure mode that worries me. The worst ones are where you get locked out of a Google/MS account, as then your fallback is probably an e-mail address you no longer have access to! At that point I could see people really struggling to ever fix that. You'd end up testing what companies' manual "I've forgotten everything" policies are, and I'm guessing it's not good. A possible remedy would be having an SSO provider which just does that and has some obligation to have decent dispute resolution procedures, but that'd likely require gov. intervention and we know how well that tends to work :P