At this point, isn't it more length rather than special characters that stop a dedicated hacking attempt?

# ? Nov 3, 2015 15:18

That's restricted too, and having at least one of each kind of character helps. Those restrictions do nothing but narrow things down for hackers.

# ? Nov 3, 2015 15:25

dogstile posted:
At this point, isn't it more length rather than special characters that stop a dedicated hacking attempt?

Randall Munroe apologized to people for his simplification, but I don't know if he ever apologized for the effect it has on threads like this.

# ? Nov 3, 2015 15:53

dogstile posted:
At this point, isn't it more length rather than special characters that stop a dedicated hacking attempt?

It's also a sign that they're potentially storing it as plain text somewhere, since if it were properly hashed it could be any arbitrary length you want. This is only relevant because of how opaque businesses are about their security in general.

# ? Nov 3, 2015 16:12

the littlest prince posted:
Randall Munroe apologized to people for his simplification, but I don't know if he ever apologized for the effect it has on threads like this.

That flew over my head, but I'm assuming you're talking about something a bit more advanced than brute forcing, and I'm not a security guy, so it's more of a question than a statement if that helps. All I know is that people told me 8 characters was awful and we should definitely use more.

# ? Nov 3, 2015 16:20

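The exchange above (length versus character classes, and the point that a properly hashed password has no reason to be length-capped) is easy to put numbers on. The following is an added example, not code from anyone in the thread: it counts the search space a policy actually leaves an attacker, including the "at least one of each class" rule (counted exactly with inclusion-exclusion) and case-insensitive matching, and shows that a salted PBKDF2 digest is the same size for an 8-character and a 300-character password. The character-class sizes and the passwords used are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets
from itertools import combinations

# Sizes of the character classes a typical policy talks about: the 94 printable
# ASCII characters split into 26 upper, 26 lower, 10 digits and 32 symbols.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def _class_sizes(classes, case_insensitive):
    """Alphabet broken down by class. A case-insensitive check folds upper and
    lower into one 26-letter class, because that is all the server can tell apart."""
    sizes = {}
    for name in classes:
        if case_insensitive and name in ("upper", "lower"):
            sizes["letter"] = 26
        else:
            sizes[name] = CLASS_SIZES[name]
    return sizes


def count_passwords(length, classes, require_each=False, case_insensitive=False):
    """Number of distinct passwords of exactly `length` over the given classes.

    With require_each=True every class must appear at least once, which is what
    'at least one upper, lower, digit and symbol' rules demand; that count comes
    from inclusion-exclusion over the strings that miss one or more classes."""
    sizes = _class_sizes(classes, case_insensitive)
    total = sum(sizes.values())
    if not require_each:
        return total ** length
    names = list(sizes)
    count = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = total - sum(sizes[m] for m in missing)
            count += (-1) ** k * remaining ** length
    return count


def keyspace_bits(length, classes, **kw):
    """log2 of the count: how many bits of space an attacker has to search."""
    return math.log2(count_passwords(length, classes, **kw))


PBKDF2_ROUNDS = 600_000  # the iteration count OWASP's password-storage guidance gives for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Salted PBKDF2 digest. The output is 32 bytes whether the password is 8
    characters or 800, so a hashed store has no storage reason to cap the length."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    all_four = ["upper", "lower", "digit", "symbol"]
    print("8 chars, all four classes required:   %.1f bits" % keyspace_bits(8, all_four, require_each=True))
    print("8 chars, all four, case-insensitive:  %.1f bits" % keyspace_bits(8, all_four, require_each=True, case_insensitive=True))
    print("12 lowercase letters:                 %.1f bits" % keyspace_bits(12, ["lower"]))
    print("16 lowercase letters:                 %.1f bits" % keyspace_bits(16, ["lower"]))
    salt, d = hash_password("correct horse battery staple")
    print("digest bytes:", len(d), "/ 300-char password digest bytes:", len(hash_password("a" * 300, salt)[1]))
```

Run as-is it prints that twelve lowercase letters already beat eight characters drawn from all four classes with every class required, and that the digest size does not move with password length. The inclusion-exclusion count is exact, so it also shows the "one of each" rule costs a fraction of a bit while each extra character adds a whole character's worth.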
I worked at a call center for a bank, and our passwords had to be exactly 8 characters, and a bunch of other specifications that vastly narrowed the options down. In that case, though, internet access was almost completely shut down and a lot of people were the kind of computer illiterate who would have made their passwords Aaaaaaa1 if they could have.

# ? Nov 3, 2015 16:52

8+ characters, including at least one of all of these: upper case, lower case, numbers, symbols. That's my phone's unlock password requirements. By the time I get it unlocked, I can't remember who I wanted to call.

# ? Nov 3, 2015 17:10

SIR FAT JONY IVES posted:
I was surprised with how much they described the job in straight up terrible terms. At one point, they mentioned the migration from 600 AIX or Unix servers to all RHEL, and that they were doing it by end of year. They jokingly said "ah, we are all going to have awful holidays this year, hahahahah!" But there was such sadness in their eyes.

It's a symptom of defeated and repeatedly brow-beaten IT professionals. After a while they cope with the stress and rigors of their daily tasks by taking a weird martyr stance, as if their life is given substance through their misery. They're the kind of people who think that working less than 60 hours a week is incredibly strange and novel. Throughout IT there are hordes of professionals that have been so used and abused by their salaried status that they don't see it as abnormal anymore, and I say this as someone who has been there before.

# ? Nov 3, 2015 17:23

I don't think I (as a guy) need to, like, rescue a girl, but I'm on a conference call and a guy is talking to a soft-spoken woman with a massively condescending dickhead tone, and I've come here to say that I'm about to give him the "you're going to want to take the edge off your voice or I'll do it for you" bit if only to keep myself from actually doing it.

e: it had to come out of my body somehow so I chose the internet rather than saying it on the phone. whew. that was close. SH/SC saves lives.

MC Fruit Stripe fucked around with this message at 17:29 on Nov 3, 2015

# ? Nov 3, 2015 17:25

MC Fruit Stripe posted:
I don't think I (as a guy) need to, like, rescue a girl, but I'm on a conference call and a guy is talking to a soft-spoken woman with a massively condescending dickhead tone, and I've come here to say that I'm about to give him the "you're going to want to take the edge off your voice or I'll do it for you" bit if only to keep myself from actually doing it.

Another office disaster is averted.

# ? Nov 3, 2015 18:07

Oh hey, I can contribute to this thread now! I started with another new guy who has managed to piss off most of the team he's a part of. In an effort to save himself, he keeps very loudly asking me how much work I've done on specific projects that he knows I've not been working on. I mean, joke's on him, I've been tasked with other projects, but it's annoying me and I can't wait for my boss to call him out on it. He's noticed and he's the type of guy who loves waiting for the perfect moment. At the same time, gently caress you dude, clearly you're not busy enough if you're badgering me about what I'm doing all day.

# ? Nov 3, 2015 18:51

How have we EVER passed a PCI/DSS audit

# ? Nov 3, 2015 18:55

pixaal posted:
Straight up say "I make more than now, that offer is insulting". Ask for more than your usual minimum to accept for the insult. Many places do not know the actual value of IT, and a ton of people undervalue their own skills and work for nothing. That or they are actually bad and can't get through an interview at a place that is paying the proper amount.

Heh. I was doing permanent contract and they wanted to pull me full time on a job. I was making about 60k as a contractor. The office manager pulls me in and says "We want to transition you to working for our company, how's 50k sound?" I respond "I make 60k now, no thanks." She then proceeds to go "Well how about this" and writes 55k on a slip of paper. I look down at it, flip it over and write "I make 60k now. No thanks." and slide it back.

# ? Nov 3, 2015 19:00

Bob Morales posted:
How have we EVER passed a PCI/DSS audit

Same way everyone else passes regulatory inspections: lying and bribes.

# ? Nov 3, 2015 19:01

Rhymenoserous posted:
Heh. I was doing permanent contract and they wanted to pull me full time on a job. I was making about 60k as a contractor. The office manager pulls me in and says "We want to transition you to working for our company, how's 50k sound?" I respond "I make 60k now, no thanks." She then proceeds to go "Well how about this" and writes 55k on a slip of paper. I look down at it, flip it over and write "I make 60k now. No thanks." and slide it back.

55k + benefits is better than 60k without. Also, depending on how you were paid as a contractor. For example, if you were 1099, the tax difference alone would make it worth it.

# ? Nov 3, 2015 19:03

go3 posted:
Same way everyone else passes regulatory inspections: lying and bribes.

I just don't get how you could pass without the compliance company scanning your loving website. At least we aren't typing credit card numbers down in customer files anymore!

# ? Nov 3, 2015 19:05

ConfusedUs posted:
55k + benefits is better than 60k without.

This is completely dependent on if you have a significant other that may provide those benefits.

# ? Nov 3, 2015 19:36

Wrath of the Bitch King posted:
This is completely dependent on if you have a significant other that may provide those benefits.

Paid leave. Plus the fact that taxes that you were formerly paying 100% of yourself are now being split between you and your employer.

# ? Nov 3, 2015 19:41

You sure that's the case with W2 contracts? I'm pretty sure it's not. And depending on the health benefits offered (W2s have health insurance), they may be pretty comparable aside from PTO/sick leave. And for someone making 60k, 5k is about 5 weeks, that's a lot of vacation time.

# ? Nov 3, 2015 20:30

We had a server that became unresponsive and it ended up needing to be hard booted. Higher-up blowhards want an RCA. I wrote same in flowery business speak. They want it "more granular". Alright, what, you want me to like describe the way I right-clicked the VM or something? It's a server, the thing got rebooted, who cares, this is why we cluster and load balance everything.

# ? Nov 3, 2015 20:35

ConfusedUs posted:
55k + benefits is better than 60k without.

Not a 1099, was full time with contracting company with full benefits. So it was a net loss all around. The only gain was an extra week of vacation.

# ? Nov 3, 2015 20:43

MC Fruit Stripe posted:
We had a server that became unresponsive and it ended up needing to be hard booted. Higher-up blowhards want an RCA. I wrote same in flowery business speak. They want it "more granular". Alright, what, you want me to like describe the way I right-clicked the VM or something? It's a server, the thing got rebooted, who cares, this is why we cluster and load balance everything.

Do you work at my previous employer? RCAs for every little stupid loving thing. I get that they can be a good idea, but only when it's a severe outage, not something affecting 10 loving people in a 6,000 employee environment.

# ? Nov 3, 2015 20:48

So I built the servers for this project a year ago. Production go-live is in three weeks. After trying for months, the servers (now a year behind our best practices) finally get reviewed by our chief architect. He gives me a considerable list of items to fix, config files and scripts to update. Most of them are "Search Engine Config is old, update", "Script isn't strong enough, modify to meet best practices", "Fix Tomcat Config". But I have no source of these "best practices" since it's all in his head. So I take his hugely long email, turn it into a page on our confluence with a chart listing his changes, my notes, and then the status of the update on the 5 environments. Basically each one's status is just "please give me more information". Fantastic!

# ? Nov 3, 2015 21:00

Rhymenoserous posted:
Not a 1099, was full time with contracting company with full benefits. So it was a net loss all around. The only gain was an extra week of vacation.

This is the position I'm in - making 72k and a full time slot with the company opened up, but the pay is not anywhere in that ballpark. And worse yet, the company has a rule that a consultant has to take a month off (unpaid) after two years of consecutive work. I like the place and the people, and my boss is amazing, but that doesn't pay the mortgage unfortunately. =(

# ? Nov 3, 2015 21:11

Rhymenoserous posted:
Not a 1099, was full time with contracting company with full benefits. So it was a net loss all around. The only gain was an extra week of vacation.

Yeah, then gently caress that lol. Good call.

# ? Nov 3, 2015 21:43

Walked posted:

American Express for a time had passwords that were CASE INSENSITIVE. I hope that's been changed.

# ? Nov 3, 2015 22:09

Bob Morales posted:
How have we EVER passed a PCI/DSS audit

We have documented processes! We can document that we follow them! (Those processes suck, but they are documented and we follow them.)

# ? Nov 3, 2015 22:10

nitrogen posted:
American Express for a time had passwords that were CASE INSENSITIVE. I hope that's been changed.

Blizzard/Battle.net accounts still are.

# ? Nov 3, 2015 22:26

nitrogen posted:
We have documented processes! We can document that we follow them!

This is basically Sarbanes-Oxley in a nutshell.

# ? Nov 3, 2015 22:36

Ynglaur posted:
This is basically Sarbanes-Oxley in a nutshell.

And yet my company can't even do that. We have so many people that use each other's accounts. We also had a manager say that their new employee was going to just use the old employee's account.

# ? Nov 3, 2015 23:28

The old ISO9000 credo: It doesn't matter if you produce absolute poo poo, as long as it is consistent, absolute poo poo.

# ? Nov 4, 2015 00:03

Roargasm posted:
Blizzard/Battle.net accounts still are.

I can forgive their legacy password horribleness solely because they have solid 2FA and a failed auth check results in "bad credentials" regardless of whether it's the password or a bad code.

# ? Nov 4, 2015 00:05

Ursine Catastrophe posted:
I can forgive their legacy password horribleness solely because they have solid 2FA and a failed auth check results in "bad credentials" regardless of whether it's the password or a bad code.

I have an electronic door lock that allows for 4- to 9-digit codes. Great. Fine. Except if you enter a shorter or longer code than the codes that are stored, it will in fact say "invalid number of digits", and if you enter an incorrect code with the correct number of digits it will say "incorrect code". MOTHERFUCKER THAT IS NOT THE TIME OR PLACE FOR HELPFUL ERROR MESSAGES

# ? Nov 4, 2015 00:56

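The two posts above describe the same property from both sides: Battle.net's single "bad credentials" response no matter which factor failed, and a door lock that helpfully reports whether the length or the digits were wrong. What follows is an added example (not code from anyone in the thread, and not Blizzard's implementation) of a password-plus-TOTP login that behaves like the former: every check runs on every attempt, an unknown username is checked against a dummy record so it costs the same work, comparisons are constant-time, a wrong-length code is simply another failure rather than a length complaint, and the caller gets exactly one failure string. The user store is constructed in memory; the TOTP is RFC 6238 over HMAC-SHA1, and the RFC's published test secret is used so the codes can be checked against the RFC's own vectors.

```python
import hashlib
import hmac
import secrets
import struct

GENERIC_FAILURE = "bad credentials"   # the only message any failed login ever gets
PBKDF2_ROUNDS = 600_000
TOTP_STEP = 30


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the variant most authenticator apps use."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def make_user(password, totp_secret):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": derive(password, salt), "totp_secret": totp_secret}


# Constructed in-memory user store for the example; a real one is a database table.
# The dummy record is what an unknown username is checked against, so a lookup
# miss does the same work and yields the same message as a wrong password.
_DUMMY = make_user(secrets.token_hex(16), secrets.token_bytes(20))


def authenticate(users, username, password, code, now):
    """Return (True, "ok") or (False, GENERIC_FAILURE).

    Every factor is checked on every call and nothing short-circuits: the caller
    learns only that the login failed, never which part was wrong, which is what
    the door lock in the thread gets wrong."""
    record = users.get(username, _DUMMY)
    known_user = username in users

    password_ok = hmac.compare_digest(derive(password, record["salt"]), record["digest"])

    # Accept the current 30-second step and one either side for clock drift.
    # compare_digest on bytes handles mismatched lengths without raising, so a
    # 5- or 7-digit submission is just another failure, not a length error.
    code_ok = False
    for drift in (-1, 0, 1):
        expected = totp(record["totp_secret"], now + drift * TOTP_STEP).encode("ascii")
        code_ok |= hmac.compare_digest(expected, code.encode("utf-8"))

    if known_user and password_ok and code_ok:
        return True, "ok"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    users = {"alice": make_user("correct horse battery staple", rfc_secret)}
    print(authenticate(users, "alice", "correct horse battery staple", totp(rfc_secret, 59), 59))
    print(authenticate(users, "alice", "wrong password", totp(rfc_secret, 59), 59))
    print(authenticate(users, "alice", "correct horse battery staple", "12345", 59))
    print(authenticate(users, "mallory", "anything", "287082", 59))
```

The three failing calls in the demo all print the identical tuple; the distinction between "no such user", "wrong password" and "wrong code" exists only in the server's log, never in the response. If the door lock from the post were written this way, its reply to a wrong-length code and a wrong-digit code would be the same one word.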
Ursine Catastrophe posted:
I can forgive their legacy password horribleness solely because they have solid 2FA and a failed auth check results in "bad credentials" regardless of whether it's the password or a bad code.

It's not a legacy password thing; they said it didn't increase the number of stolen accounts and cut their calls to customer service in half because people weren't calling saying they forgot their password because caps lock was on. If you have a password from 2004ish you need to type in the capitals.

# ? Nov 4, 2015 01:22

pixaal posted:
It's not a legacy password thing; they said it didn't increase the number of stolen accounts and cut their calls to customer service in half because people weren't calling saying they forgot their password because caps lock was on. If you have a password from 2004ish you need to type in the capitals.

Yeah, when most of your customers give out their passwords to phishing emails/sites or get keylogged, case sensitivity does not matter all that much.

# ? Nov 4, 2015 03:14

Raerlynn posted:
This is the position I'm in - making 72k and a full time slot with the company opened up, but the pay is not anywhere in that ballpark. And worse yet, the company has a rule that a consultant has to take a month off (unpaid) after two years of consecutive work. I like the place and the people, and my boss is amazing, but that doesn't pay the mortgage unfortunately. =(

I believe the required leave is due to a federal law dealing with contractors. Something like if they are so necessary to your environment that they can't be out, then they shouldn't be contractors.

# ? Nov 4, 2015 04:09

poo poo pissing me off today: Our newish guy is completely untrainable. The process is on our wiki, which amounts to "update java - run citrix receiver cleanup tool - restart computer - install citrix 4.3.1 from sccm", and he couldn't even manage to follow those basic steps. He failed to restart the computer, which meant the new citrix install hosed up and the user had to call back again and wait another 10 minutes. My useless boss still hasn't put him on a pip.

My boss is also not even on the same page as anyone on the team in regards to our interviews for new L1s on the team. She was gung ho about an applicant today and gave her the tour like the applicant was a shoo-in. She seemed shocked when all 4 other people on the interview were very unimpressed.

Director bought my lunch today, so I've got that going for me.

silicone thrills fucked around with this message at 04:21 on Nov 4, 2015

# ? Nov 4, 2015 04:18

CitizenKain posted:
I believe the required leave is due to a federal law dealing with contractors. Something like if they are so necessary to your environment that they can't be out, then they shouldn't be contractors.

Yeah, it absolutely reeks of an attempt to dodge employment law. I thought it was 18 months, but that may be a UK thing I'm remembering from some of my friends overseas. They could only work 18 months as a contract employee and then they had to not work at the company for 6 months or the company would be forced to convert them to FT. If I recall, wasn't Microsoft taken to court by some of its contractors for this very thing, because instead of converting them, they'd not renew the contract after 18 months?

# ? Nov 4, 2015 04:24

nitrogen posted:
American Express for a time had passwords that were CASE INSENSITIVE. I hope that's been changed.

My insurance company set their MAXIMUM password length to 8 characters. 8. I no longer use passwords with 8 characters. Why the gently caress is my SA password more secure than my goddamn insurance password?

# ? Nov 4, 2015 05:19

Made a quick PowerShell script that reports on any members of the local admin group that shouldn't be there to a remote server. Gotten back 18 results so far and I know exactly who is responsible for all of them. The culprit even put his own domain account in the local admin group for a computer for some reason. Gonna hand the list to my boss without naming names and just let her come to her own conclusions.

# ? Nov 4, 2015 16:28
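The post above describes the check without showing it, so here is an added example of the reporting half (not the poster's PowerShell script, and written in Python rather than PowerShell so it can be run anywhere): it parses the text that `net localgroup Administrators` prints on a Windows host, diffs each host's membership against an allowlist, and emits host,member rows for a collector. The allowlist, the host names, the `CORP` domain and the captured output are all constructed for the example, in the format the command actually prints.

```python
# Accounts permitted in the local Administrators group on every workstation.
# Constructed allowlist for this example; the real one is whatever policy says.
ALLOWED_ADMINS = {"Administrator", r"CORP\Domain Admins", r"CORP\Workstation Admins"}

# Constructed captures of `net localgroup Administrators` from three hosts: header,
# a dashed rule, one member per line, then the success footer.
SAMPLE_OUTPUT = {
    "WS-0417": r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\Workstation Admins
CORP\bsmith
The command completed successfully.
""",
    "WS-0418": r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
helpdesk
CORP\bsmith
The command completed successfully.
""",
    "WS-0419": r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\Workstation Admins
The command completed successfully.
""",
}


def parse_net_localgroup(text):
    """Member names from `net localgroup <group>` output: everything between the
    dashed rule and the 'The command completed successfully.' footer."""
    lines = text.splitlines()
    rule = next((i for i, line in enumerate(lines) if line.startswith("-----")), None)
    if rule is None:
        raise ValueError("no member table found in net localgroup output")
    members = []
    for line in lines[rule + 1:]:
        name = line.strip()
        if not name or name.startswith("The command completed"):
            continue
        members.append(name)
    return members


def unexpected_admins(outputs, allowed=ALLOWED_ADMINS):
    """Map host -> sorted members not on the allowlist. Names are compared
    case-insensitively because Windows account names are."""
    allowed_fold = {name.lower() for name in allowed}
    findings = {}
    for host, text in outputs.items():
        extra = sorted(m for m in parse_net_localgroup(text) if m.lower() not in allowed_fold)
        if extra:
            findings[host] = extra
    return findings


def report_lines(findings):
    """CSV rows (host,member) suitable for shipping to a central collector."""
    return [f"{host},{member}" for host in sorted(findings) for member in findings[host]]


if __name__ == "__main__":
    for row in report_lines(unexpected_admins(SAMPLE_OUTPUT)):
        print(row)
```

One caveat worth carrying into a real run: `net localgroup` lists a nested domain group by name and does not expand it, so a user granted admin through an unexpected nested group only shows up if that group itself is off the allowlist. Local accounts appear without a domain prefix, which is why the sample treats `helpdesk` as a finding rather than assuming it is built in.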