stacksofplates (profile: 13 followers, 145 topics, 7,946 posts)

Posts
    • RE: Greenfield Kubernetes Architecture and Security

      Here's an example of a rego policy for OPA:

      package envoy.authz

      import input.attributes.request.http as http_request

      default allow = false

      # Claims from the bearer token. io.jwt.decode only decodes; it does not
      # check the signature, so the token must already have been verified
      # upstream (gateway/mesh), or use io.jwt.decode_verify here instead.
      token = claims {
          parts := split(http_request.headers.authorization, " ")
          [_, claims, _] := io.jwt.decode(parts[1])
      }

      # Ask the app for the record the caller is requesting. Cached so OPA
      # doesn't hit the app for every decision.
      record = resp {
          resp := http.send({
              "url": sprintf("http://localhost:8080%s", [http_request.path]),
              "method": "GET",
              "force_cache": true,
              "force_cache_duration_seconds": 3600
          })
      }

      allow {
          requester_is_owner
      }

      allow {
          method_is_post
      }

      method_is_post {
          http_request.method == "POST"
      }

      # Owner check: the record's username must equal the token's sub.
      requester_is_owner {
          record.status_code == 200
          record.body.username == token.sub
      }

      The awesome thing about this is your app doesn't need to understand roles, users, etc. OPA requests a record from this app, takes the JWT in the request, and compares the owner of the record stored at username to the sub in the token. If they don't match you get a 403; if they do match, it will return the record for you. The app just needs to return the record and doesn't care about auth.

      You can also use OPA as a K8s admission controller to verify that resources have correct annotations, labels, policies, etc. It's a really awesome tool.

      posted in IT Discussion
      stacksofplates
    • RE: Greenfield Kubernetes Architecture and Security

      @irj said in Greenfield Kubernetes Architecture and Security:

      Let's say your organization has 50-100 different applications running on kubernetes. Historically each cluster runs one application.

      You have the ability to greenfield and re-architect how everything is built.

      1. Would you keep one cluster per application and use network policies to control data flow?

      2. Would you break up clusters similar to how you'd separate a 3 or 4 tier web app? One of the advantages to this approach is perhaps you can keep DevOps engineers from accessing database clusters at all. The disadvantage of course being complexity on the network side.

      3. Would you create a few kubernetes clusters and separate applications by namespace and use network policies to filter traffic?

      Note : For sake of discussion Kubernetes will be hosted on major CSP (AWS, Azure, or GCP) so no need to worry about hardware requirements for this topic.

      1 will get really expensive and complicated really fast.

      2 is complicated in networking, but less complicated in that you need less rolebindings (also more expensive).

      3 makes the most sense but adds complexity with SAs and rolebindings. Let the namespaces be the logical separation. Use a mesh like Istio/Kuma for mTLS. If you pay for Kuma you get OPA integration in the sidecar with a CRD for the policy; if you use Istio you still get OPA, but I believe it's a configmap that you need to load into a central OPA, I can't remember. This way you can define policy for each app but your app doesn't need to understand how authentication mechanisms work.

      I'd recommend Rancher for an easier RBAC solution and more logical separation of projects on top of namespaces.

      posted in IT Discussion
      stacksofplates
    • RE: NG AV / Endpoint Protection in 2021

      @obsolesce said in NG AV / Endpoint Protection in 2021:

      @hobbit666 said in NG AV / Endpoint Protection in 2021:

      So in simple terms, people are saying dump the AV products like Webroot/Bitdefender/Eset and move over to a more SIEM orientated setup whether that's in house or externally managed (we wouldn't have the resources internally)

      What about products like CrowdStrike, Cynet XDR, Mimecast. Do these fall into the SIEM realm? As they say they monitor machines for changes in system files/logs/other stuff for behaviour that looks like issues, i.e. virus/ransomware.

      It's not just about having an anti-virus software updated to the latest definitions. I would say definition based malware threats are pretty much the basic 1-9% of the whole picture. This is where the solutions such as some CrowdStrike products and Microsoft 365 Defender come into play to cover the ~90% of the whole picture.

      https://www.amazon.com/UNIDOPRO-Socket-Tapping-Bottle-Bracket/dp/B07G3XS4W8

      Thanks for the bolt recommendation.

      posted in IT Discussion
      stacksofplates
    • RE: NG AV / Endpoint Protection in 2021

      @dashrender said in NG AV / Endpoint Protection in 2021:

      @stacksofplates said in NG AV / Endpoint Protection in 2021:

      @irj said in NG AV / Endpoint Protection in 2021:

      Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.

      We need to get out of the mindset that poorly created applications are ok to use. But if by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onesie or twosie exceptions (so no need for policy management).

      I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.

      Most small shops or even medium shops are going to have SIEM.

      Ok? We are talking about what should be done, not what is done. SIEMs are fairly easy to set up. And if you use systems like Wazuh or Graylog they're free. No excuses really.

      posted in IT Discussion
      stacksofplates
    • RE: NG AV / Endpoint Protection in 2021

      @irj said in NG AV / Endpoint Protection in 2021:

      Also I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.

      We need to get out of the mindset that poorly created applications are ok to use. But if by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare and there should be no onesie or twosie exceptions (so no need for policy management).

      I agree 100%. But I still think you need reliable reporting on when things do pop up. I don't think just knowing the AV is up to date or not is enough. And you're right, an SIEM will do that for you.

      posted in IT Discussion
      stacksofplates
    • RE: NG AV / Endpoint Protection in 2021

      @scottalanmiller said in NG AV / Endpoint Protection in 2021:

      @travisdh1 said in NG AV / Endpoint Protection in 2021:

      I'm curious, how do you handle centralized reporting with Defender? That's still the 1 missing piece most places I deal with want, and I don't know of a way to do it with Defender itself.

      Reporting on it being up to date and running? Both MeshCentral and TacticalRMM report on that. So do lots of other tools.

      Can you give a screenshot of this? I just can't conceptualize how these tools can give you a report on running, updates, number of findings, what the findings are, etc.

      posted in IT Discussion
      stacksofplates
    • RE: I can't even

      @eddiejennings said in I can't even:

      @stacksofplates said in I can't even:

      I've actually found a lot of useful information on there.

      As have I, but not often. Sometimes posts on Reddit provide a little nugget of information that leads me to finding a better source.

      @scottalanmiller said in I can't even:

      @eddiejennings why are you on Reddit? Avoid that. It's nothing but idiots with bad advice. There's no value there. It's just the new Yahoo Answers. If I found candidates posting there, I'd question their sanity. It's not like Spiceworks or here, it's not an IT community.

      I don't spend a ton of time on reddit, but I do post things from time to time if I think they'll be useful for people. And there are a few humorous things to find there :).

      It's inevitable that I find the obscure thing I'm looking for that someone posted. It's usually found there or stack overflow.

      posted in Water Closet
      stacksofplates
    • RE: I can't even

      @scottalanmiller said in I can't even:

      @eddiejennings why are you on Reddit? Avoid that. It's nothing but idiots with bad advice. There's no value there. It's just the new Yahoo Answers. If I found candidates posting there, I'd question their sanity. It's not like Spiceworks or here, it's not an IT community.

      I've actually found a lot of useful information on there.

      posted in Water Closet
      stacksofplates
    • RE: RMM Service

      @jaredbusch said in RMM Service:

      @stacksofplates said in RMM Service:

      @scottalanmiller said in RMM Service:

      write their own agent (like us

      Could you give us more details on this? I'm really curious how you all wrote the agent. Like what language, whether you used gRPC or a message bus for the async communication, etc.

      I read his statement as he figured out they needed to have their own agent instead of just using salt. As far as I know that is where SS stalled. Not that he made his own agent for SS.

      Oh ic, I thought he meant they wrote one like Tactical did.

      posted in IT Discussion
      stacksofplates
    • RE: RMM Service

      @scottalanmiller said in RMM Service:

      write their own agent (like us

      Could you give us more details on this? I'm really curious how you all wrote the agent. Like what language, whether you used gRPC or a message bus for the async communication, etc.

      posted in IT Discussion
      stacksofplates
    • RE: RMM Service

      @scottalanmiller said in RMM Service:

      @voip_n00b said in RMM Service:

      What is everyone using nowadays?

      Ideally it would cover:

      • Managing both workstations and server
      • Alerting
      • Patching
      • Remote Access
      • Hosted

      FoxRMM... our own blend of Zabbix, Tactical, MeshCentral, Grafana, Unifi, Salt...

      Never found a commercial RMM that I'd be willing to deploy.

      Is this going to replace sodium suite or are you not going to release this?

      posted in IT Discussion
      stacksofplates
    • RE: Insert Label into PDF

      @gjacobse said in Insert Label into PDF:

      @stacksofplates said in Insert Label into PDF:

      @gjacobse said in Insert Label into PDF:

      @dashrender said in Insert Label into PDF:

      What's on the label you're adding?

      Name, Date, ID number (for Name).

      That's metadata.

      Can metadata be read as OCR?

      What? Metadata just describes information about another set of data.

      My point was this shouldn't be a label at all. The document should be scanned in, and then this information added as metadata to the document. Like when you look at a PDF's document properties. There are systems that can track that metadata and make it searchable so you can just search by things like Name, Date, ID number, etc.

      posted in IT Discussion
      stacksofplates
    • RE: Insert Label into PDF

      @gjacobse said in Insert Label into PDF:

      @dashrender said in Insert Label into PDF:

      What's on the label you're adding?

      Name, Date, ID number (for Name).

      That's metadata.

      posted in IT Discussion
      stacksofplates
    • RE: Insert Label into PDF

      @irj said in Insert Label into PDF:

      Also the more I think about it...

      1. Why do additional notes need to be in the same file?

      2. How are these documents being stored and accessed? Is there any type of software being used to access customer information and documents?

      That's why I asked if it's metadata. If it's just a label to store misc data, just use a tool for that.

      posted in IT Discussion
      stacksofplates
    • RE: Insert Label into PDF

      Does it need to be a label or are you just using the label as metadata? If it's just metadata something like paperless might work.

      posted in IT Discussion
      stacksofplates
    • RE: Apple plans to scan your images for child porn

      Also, if you look at their diagram in their white paper, the photo is part of the safety voucher, which is what is uploaded to iCloud.


      So this is what I was getting at earlier.

      This voucher is uploaded to iCloud Photos along with the image.

      Is that separate from iCloud backup, or is the voucher sent along with the image when it's backed up? By their process description the photo has to be sent as well, because they can't verify otherwise.

      This is why it's not straightforward and why I think @Carnival-Boy was making those statements.

      posted in News
      stacksofplates
    • RE: Apple plans to scan your images for child porn

      Wrong, the on-device code is creating a hash, and that hash recording is getting compared. Read the announcement again from Apple.

      The machine learning comparison doesn't come in until the image is in iCloud. That's where the comparison happens, and then if a threshold is hit a human compares the images/hashes

      The official statement doesn't even mention AI/neural in any way. Here's from their technical paper:

      NeuralHash
      NeuralHash is a perceptual hashing function that maps images to numbers. Perceptual hashing bases this
      number on features of the image instead of the precise values of pixels in the image. The system computes
      these hashes by using an embedding network to produce image descriptors and then converting those
      descriptors to integers using a Hyperplane LSH (Locality Sensitivity Hashing) process. This process
      ensures that different images produce different hashes.

      Before an image is stored in iCloud Photos, the following on-device matching process is performed for that
      image against the blinded hash table database. The device computes the image NeuralHash and looks up
      the entry in the blinded hash table at the position pointed by the NeuralHash. The device uses the
      computed NeuralHash to compute a cryptographic header. It also uses the blinded hash that the system
      looked up to obtain a derived encryption key. This encryption key is then used to encrypt the associated
      payload data.

      The AI is running on the phone and doing image verification based on features, not just a checksum.

      Also it's eavesdrop.

      posted in News
      stacksofplates
    • RE: Apple plans to scan your images for child porn

      @dustinb3403 said in Apple plans to scan your images for child porn:

      @stacksofplates said in Apple plans to scan your images for child porn:

      @dustinb3403 said in Apple plans to scan your images for child porn:

      @stacksofplates said in Apple plans to scan your images for child porn:

      The scan results would have to include the photo.

      Actually no, the scans on-device create a hash record (MD5 or SHA256 probably) and then are compared against a known database of CSAM.

      Anything that matches would start sending up red flags.

      The actual photo may never get uploaded to iCloud.

      That's a joke right? You didn't read the article. They're using a neural network to compare an image to a database of checksummed images. Presumably by features like face, exif data, etc. Then a human verifies it's a match to content in the existing checksummed image.

      A 4 year old could get around comparing two images by checksum. That's clearly not what's happening here. Just change a single pixel and it's different. You don't need a neural net to compare checksums.

      By the explanation in the article, they have to have the photo to compare.

      Wrong, the on-device code is creating a hash, and that hash recording is getting compared. Read the announcement again from Apple.

      The machine learning comparison doesn't come in until the image is in iCloud. That's where the comparison happens, and then if a threshold is hit a human compares the images/hashes

      The AI is running on device. Not sure where you read it's not. It's the same on device AI they are using for the iMessage sexually explicit verification.

      posted in News
      stacksofplates
    • RE: Apple plans to scan your images for child porn

      @dustinb3403 said in Apple plans to scan your images for child porn:

      @stacksofplates said in Apple plans to scan your images for child porn:

      What is the human verification for if the photo isn't uploaded?

      The human verification is only once an account has passed a threshold of known CSAM hash records being discovered on an individual Apple device.

      Once that threshold is hit, someone at Apple has to check and confirm that the content is CSAM (subjective to the person and training) and then if it is, they lock your account and notify the authorities.

      So to get around the checksum method you are describing, you just crop the picture a tiny bit and would never catch any new photos that aren't a part of that database. Again, hardly need a neural net for that. Could do that on a raspberry pi.

      posted in News
      stacksofplates
    • RE: Apple plans to scan your images for child porn

      @dustinb3403 said in Apple plans to scan your images for child porn:

      @stacksofplates said in Apple plans to scan your images for child porn:

      The scan results would have to include the photo.

      Actually no, the scans on-device create a hash record (MD5 or SHA256 probably) and then are compared against a known database of CSAM.

      Anything that matches would start sending up red flags.

      The actual photo may never get uploaded to iCloud.

      That's a joke right? You didn't read the article. They're using a neural network to compare an image to a database of checksummed images. Presumably by features like face, exif data, etc. Then a human verifies it's a match to content in the existing checksummed image.

      A 4 year old could get around comparing two images by checksum. That's clearly not what's happening here. Just change a single pixel and it's different. You don't need a neural net to compare checksums.

      By the explanation in the article, they have to have the photo to compare.

      posted in News
      stacksofplates
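      Added example (not from the thread, and not Apple's code): the checksum-vs-perceptual-hash distinction the last few posts argue over. A SHA-256 digest of the pixel data changes completely when a single pixel changes, while a perceptual hash survives small, content-preserving edits and only moves far when the content really differs. The perceptual hash here is a difference hash (dHash); it stands in for NeuralHash, which Apple describes as an embedding network plus locality-sensitive hashing, not dHash. The test image, the one-pixel flip, the brightness shift, the crop and the inversion are all constructed inline, so nothing runs against real photos or any hash database.

      ```python
      """Cryptographic checksum vs. perceptual hash (added example, constructed data)."""
      import hashlib
      import math

      WIDTH, HEIGHT = 72, 64  # 9*8 and 8*8, so the 9x8 dHash grid is exact 8x8 boxes


      def make_image(width=WIDTH, height=HEIGHT):
          """Constructed greyscale image: a smooth texture with values in [20, 200],
          so a +20 brightness shift never clips at 255."""
          return [
              [int(round(110 + 90 * math.sin(x / 6.0) * math.cos(y / 5.0))) for x in range(width)]
              for y in range(height)
          ]


      def sha256_of(img):
          """Cryptographic checksum of the raw pixel bytes: any change alters it."""
          return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


      def dhash(img, cols=9, rows=8):
          """Difference hash: shrink to a cols x rows grid by box averaging, then emit
          one bit per horizontally adjacent pair (1 if the left box is brighter).
          Returns (cols-1)*rows bits packed into an int (64 bits for 9x8)."""
          h, w = len(img), len(img[0])

          def box_mean(r, c):
              x0, x1 = c * w // cols, (c + 1) * w // cols
              y0, y1 = r * h // rows, (r + 1) * h // rows
              total = sum(img[y][x] for y in range(y0, y1) for x in range(x0, x1))
              return total / ((x1 - x0) * (y1 - y0))

          grid = [[box_mean(r, c) for c in range(cols)] for r in range(rows)]
          bits = 0
          for r in range(rows):
              for c in range(cols - 1):
                  bits = (bits << 1) | (1 if grid[r][c] > grid[r][c + 1] else 0)
          return bits


      def hamming(a, b):
          """Number of differing bits between two packed hashes."""
          return bin(a ^ b).count("1")


      # Content-preserving edits (the "change one pixel" / "crop a tiny bit" argument)
      def one_pixel_changed(img):
          out = [row[:] for row in img]
          out[10][10] = 255 - out[10][10]  # flip a single pixel
          return out


      def brighter(img, delta=20):
          return [[v + delta for v in row] for row in img]


      def cropped(img, margin=1):
          return [row[margin:-margin] for row in img[margin:-margin]]


      # A real content change: every bright/dark relationship is reversed
      def inverted(img):
          return [[255 - v for v in row] for row in img]


      def compare(original, variant):
          """Return (sha256_equal, dhash_hamming_distance) for two images."""
          return (sha256_of(original) == sha256_of(variant),
                  hamming(dhash(original), dhash(variant)))


      if __name__ == "__main__":
          base = make_image()
          variants = [("one pixel flipped", one_pixel_changed(base)),
                      ("brightness +20", brighter(base)),
                      ("cropped 1px", cropped(base)),
                      ("inverted", inverted(base))]
          for name, variant in variants:
              same_sha, dist = compare(base, variant)
              print(f"{name:18s} sha256 equal: {str(same_sha):5s}  dHash distance: {dist:2d}/64")
      ```

      Run it and the checksum column is "False" for every variant, including the one-pixel flip, while the dHash distance stays at or near 0 for the small edits and jumps to the far end of the 64-bit range for the inverted image. That gap is the whole reason a matching system built on plain checksums is trivial to evade and a perceptual one is not; it is also why a perceptual hash is a fuzzy match rather than a proof, which is what the human-review threshold in the thread is there to absorb.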