@SwiftOnSecurity We deploy uBlock but suffer from an inability to provide custom allowlists, i.e. links from SaaS provider emails often go via awstrack etc. (Google Workspace, Macs/Windows). Currently looking for something with more flexibility.
Do you have a way to allowlist in uBlock?
@PlayWell_LLC Right! From our perspective, the org either needs consent or they don't. I don't care about how they choose to label their cookies. But somehow it seems Zoom is now putting 'essential' cookies under Consent. 🤷‍♂️
Zoom's cookie banner (via dumb OneTrust), when declining all, turns off 'Functional Cookies' such as 'Stay Signed in'. Never seen a site let you turn off functional cookies like this before; weird. Punished for denying marketing?
@MissIG_Geek @PrivacyMatters If you go to any site using the OneTrust cookie bot and look under Functional Cookies... you may find a large number of irrelevant cookies which have no relation to, or presence on, the actual website you're visiting! Checked 5 so far.
@MissIG_Geek @PrivacyMatters Right! There seem to be two weird issues here:
Zoom choosing to have optional functional cookies
and OneTrust showing cookie options from other ?customers? I note on globenewswire they have both Incapsula and nlbi cookies, lol...
Has something changed re: functional cookie guidance that I've missed? AFAIK you can just set Functional Cookies as long as they're explained properly and are actually functional/required. Though I prefer to call them Essential.
Why can I turn off their security measures? 🤷‍♂️
@MissIG_Geek I agree, it's pretty obvious this could never have been a service email. I mostly dealt with back office teams and their cycle 2 work teams, who got and implemented our Privacy by Design needs nicely. Different teams! Marketing probably the usual culprit.
@MissIG_Geek FWIW, when I worked B2B with Halfords they seemed on top of things privacy-related. Their processes worked well and you could tell everyone had a better than average understanding of their responsibilities re: GDPR.
@neil_neilzone Becoming more common, unfortunately. This client was big but had a very small contract, so we refused as it would push us into negative returns. A big UK supermarket soon followed suit with a different supply management co; IIRC that cost us 5k a year but made £ sense. Frustrating.
@neil_neilzone Lol. I had a customer who, for due diligence, insisted on us using a third party risk management co, who wanted to charge us £500-2000 a year for us to then spend hours on their unintuitive questionnaire platform.
@pjhersh13 @chrisplummer @MalwareJake We are a start-up; there's no IR team other than myself doing everything right now. We don't have regular actual clicks so far, but we are mostly engineers so it's not surprising vs the bank I used to defend, which had daily clicks everywhere & publicly punished those who failed tests.
@chrisplummer @DenisRno @MalwareJake Agree. Though I had to change some things as they were set up a little *too well* for my liking. The previous sec team removed default Gmail warnings & protections to ensure the tests worked effectively. Clearly reducing the whole org's security to ensure your tests work is bad.
@chrisplummer @MalwareJake I have been strongly against them for a long time but joined a new org who had it all set up with KB4, and after 4 months here almost everyone has good things to say about the tests and our average click rate is way down year on year. We obvs don't punish or publish 'clickers'.
@AppSecBloke Indeed. I've been dealing with this from a SaaS vendor POV for the past 6 years or so & have learnt a lot of strategies for dealing with it. Happy to share/discuss/rant if helpful :)