* Posts by hoodedgeometry

4 publicly visible posts • joined 5 Dec 2018

Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections


“if a website is issued a certificate from one of those aforementioned Euro-mandated government-backed CAs, that government can ask its friendly CA for a copy of that certificate so that the government can impersonate the website.”

Not quite - the government can ask its friendly CA to issue a new certificate, but a copy of the old certificate will be of little use without the private key stored on the requesting organisation's web server, etc.

It can do this even if the original certificate wasn’t issued by one of the Euro-mandated government-backed CAs, as presumably organisations wanting to reduce the risk of government tampering would use a CA outside this government programme.

Existing countermeasures like Certification Authority Authorization (CAA) would presumably remain effective against this EU-mandated vulnerability, or at least require DNS to also be compromised to perform the MITM attack.

Enterprising browser extension developers can hopefully code for removing these CAs from the trust chain to restore security on the endpoint - perhaps rolled up into existing popular extensions like ad blockers.
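To make the CAA point above concrete, here is an added example (not part of the original post or the article it replies to) of the check a CA is required to perform before issuing, following the RFC 8659 lookup: climb from the requested name toward the root until a CAA RRset is found, then see whether the requesting CA's issuer domain is listed. The zone data, and the CA identifiers `ca-a.example` and `ca-b.example`, are constructed for the example; a real CA would fetch the records from DNS, which is why the post notes that defeating CAA also means tampering with DNS.

```python
"""Evaluate CAA authorisation the way a CA must before issuing (RFC 8659).

Added example, not from the original post. CAA_ZONE is a constructed stand-in
for DNS; ca-a.example and ca-b.example are made-up CA issuer-domain names.
"""
from typing import Dict, List, Tuple

CRITICAL = 128  # the only flag bit defined by RFC 8659

# Constructed CAA data: owner name -> list of (flags, tag, value) records.
# Names with no entry have no CAA RRset, so the lookup climbs to the parent.
CAA_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [
        (0, "issue", "ca-a.example"),              # only ca-a.example may issue
        (0, "issuewild", ";"),                     # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "strict.example.net": [
        (CRITICAL, "futuretag", "something"),      # critical property a CA may not understand
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 section 3: the CAA RRset at the name, or at its nearest ancestor."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = CAA_ZONE.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)  # climb one label toward the root
    return []


def issuer_domain(value: str) -> str:
    """issue/issuewild values look like '<domain>[; key=value ...]'; ';' alone means no CA."""
    return value.split(";", 1)[0].strip().lower()


def caa_allows(name: str, ca: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by `ca` may issue for `name`.

    `name` is the FQDN without any leading '*.'; pass wildcard=True for a
    wildcard request, which consults issuewild before falling back to issue.
    """
    rrset = relevant_caa_set(name)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted

    # A critical property this CA does not recognise forbids issuance outright.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False

    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    permitted = [issuer_domain(v) for _, t, v in rrset if t.lower() == tag]
    if not permitted:
        return True  # the relevant property is absent, so it does not restrict
    return ca.lower() in permitted  # ';' became '' and matches no CA


if __name__ == "__main__":
    for req, ca, wild in [
        ("www.example.com", "ca-a.example", False),
        ("www.example.com", "ca-b.example", False),
        ("www.example.com", "ca-a.example", True),
        ("strict.example.net", "ca-a.example", False),
    ]:
        print(f"{'*.' if wild else ''}{req:<22} {ca:<14} -> {caa_allows(req, ca, wild)}")
```

Note that the check only binds a well-behaved CA: a CA willing to issue for a government regardless would simply skip it, which is why CAA is a control on issuance, not a control the browser enforces.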

Dratted 'housekeeping', eh? 150k+ records deleted off UK’s Police National Computer database


- And the vehicle belongs to you, does it sir?

- And your name is?

Right. Hold on a second.


My name is: Derek'); DROP TABLE CriminalRecords; --

- What kind of name is that?

California man served with restraining order for allegedly 'stalking' Apple CEO Tim Cook


This sounds like a mental health case. Not that it's nice to be on the receiving end of it either, but presumably the poor chap isn't getting the care he needs; mental health and social care isn't great in the UK, so I can't imagine what it's like in the USA.

Wanna save yourself against NotPetya? Try this one little Windows tweak


Re: Like a US drug commercial...

I think you've misunderstood.

Delegation in the context of "Account is sensitive and cannot be delegated" is *Kerberos* delegation - not delegation of control in AD DS, which is just adding permissions to an ACL much like granting rights over files and folders.

To be clear, enabling this setting doesn't impact delegation of administration in AD DS.

Kerberos delegation allows a user/computer/service to act on behalf of another user, and can be unconstrained Kerberos delegation, or constrained to specific services using Kerberos (i.e. Kerberos Constrained Delegation - KCD) or any authentication protocol (e.g. for NTLM protocol transition). The less constrained, the higher the risk (in theory). ISA/TMG reverse proxying and SharePoint are/were common use cases for this functionality.

There's some great new functionality for Protected Accounts available in AD DS and the OS from Windows Server 2012 R2 and Windows 8.1 and above that offers significant protection in this space, but requires configuration - it's not on by default. Protected Accounts, in a domain with functional level Windows Server 2012 R2 or higher, cannot 'be delegated by using unconstrained or constrained delegation'.

GO because... GO implement this in your AD DS environment.
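As an added illustration of the distinction the reply above draws (not code from the original post), the following triage separates what an account is *allowed to do* with delegation (unconstrained, constrained to specific services, or constrained with protocol transition, in decreasing order of risk) from what *protects* an account's identity from being delegated (the "Account is sensitive and cannot be delegated" bit, or Protected Users membership at the Windows Server 2012 R2 functional level or higher). The `userAccountControl` bit values and the `msDS-AllowedToDelegateTo`, `memberOf` and `adminCount` attribute names are real AD DS attributes; the account records are constructed, and `domain_level_ok` is a hypothetical parameter standing in for the functional-level check.

```python
"""Triage Kerberos delegation exposure from AD account attributes.

Added example, not from the original post. The ACCOUNTS list is constructed;
in practice the same fields would come from an LDAP or Get-ADUser export.
"""
from typing import Any, Dict, List

# userAccountControl bits relevant to Kerberos delegation (ADS_USER_FLAG_ENUM).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("any authentication protocol")
NORMAL_ACCOUNT = 0x200

PROTECTED_USERS = "Protected Users"

RISK_ORDER = {
    "unconstrained": 3,
    "constrained (any protocol / protocol transition)": 2,
    "constrained (Kerberos only)": 1,
    "none": 0,
}

# Constructed sample records, shaped like the attributes above.
ACCOUNTS: List[Dict[str, Any]] = [
    {"name": "svc-proxy", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "memberOf": [], "adminCount": 0},
    {"name": "svc-sharepoint", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/sp.corp.example"], "memberOf": [], "adminCount": 0},
    {"name": "svc-kcd", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db.corp.example:1433"], "memberOf": [], "adminCount": 0},
    {"name": "da-alice", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,
     "msDS-AllowedToDelegateTo": [], "memberOf": ["Domain Admins"], "adminCount": 1},
    {"name": "da-bob", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": [], "memberOf": ["Domain Admins", PROTECTED_USERS], "adminCount": 1},
    {"name": "da-carol", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": [], "memberOf": ["Domain Admins"], "adminCount": 1},
    {"name": "jdoe", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": [], "memberOf": [], "adminCount": 0},
]


def by_name(name: str) -> Dict[str, Any]:
    return next(a for a in ACCOUNTS if a["name"] == name)


def delegation_granted(acct: Dict[str, Any]) -> str:
    """What this account may do on behalf of other users (the 'delegating' side)."""
    uac = acct.get("userAccountControl", 0)
    targets = acct.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained (any protocol / protocol transition)"
    if targets:
        return "constrained (Kerberos only)"
    return "none"


def delegation_protected(acct: Dict[str, Any], domain_level_ok: bool = True) -> List[str]:
    """Which controls stop this account's identity being delegated (the 'delegated' side).

    domain_level_ok (hypothetical parameter) models the post's caveat: Protected
    Users only blocks delegation at domain functional level 2012 R2 or higher.
    """
    reasons = []
    if acct.get("userAccountControl", 0) & NOT_DELEGATED:
        reasons.append("NOT_DELEGATED flag")
    if domain_level_ok and PROTECTED_USERS in acct.get("memberOf", []):
        reasons.append("Protected Users membership")
    return reasons


def triage(accounts: List[Dict[str, Any]], domain_level_ok: bool = True) -> List[Dict[str, Any]]:
    """Rank accounts by delegation risk and flag privileged ones with no protection.

    adminCount == 1 (set by AdminSDHolder) is used as a rough 'privileged' marker.
    """
    rows = []
    for acct in accounts:
        granted = delegation_granted(acct)
        protections = delegation_protected(acct, domain_level_ok)
        rows.append({
            "name": acct["name"],
            "grants": granted,
            "risk": RISK_ORDER[granted],
            "protected_by": protections,
            "privileged_unprotected": acct.get("adminCount", 0) == 1 and not protections,
        })
    return sorted(rows, key=lambda r: (-r["risk"], r["name"]))


if __name__ == "__main__":
    for row in triage(ACCOUNTS):
        flag = "  <-- privileged, not protected" if row["privileged_unprotected"] else ""
        print(f"{row['name']:<15} grants={row['grants']:<45} protected_by={row['protected_by']}{flag}")
```

The output lists the service accounts first (unconstrained, then protocol transition, then plain KCD), and singles out `da-carol` as the privileged account with neither the sensitive bit nor Protected Users membership; that is the gap the post's "not on by default" warning refers to.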