Pile Of Garbage
May 28, 2007



surebet posted:

general itsec question, today we're starting to look at candidates for an erp platform

we need to go the whole nine yards with a multi-component system that touches financials (including payroll but excluding other hr stuff) and other critical info

we're probably going to have forward facing stuff, so the threat surface is rather large. i'm sure the biggest security risk is going to be in implementation, but i was curious to know, are there specific platforms known to be irredeemable security fuckups?

i've really only ever worked on SAP stuff before but i'm inclined to say that all ERP platforms are equally garbage and the only difference is how poorly they are implemented. the platforms are always big and complicated af with lots of moving parts. this means that for a sizable deployment you'll need to hire ppl just to do SAP/whatever full-time. because of this most companies outsource that side of things and as usual you get what you pay for. oh also because the platforms become instantly business critical management will never accept any appreciable periods of downtime or drastic changes so the ppl supporting the platforms are never motivated to do anything proactive beyond break+fix/transports/functional changes so the platforms get stale.

Pile Of Garbage
May 28, 2007



oh yeah i've got a question: is Windows Data Protection API (DPAPI) garbage? i've been reading the MSDN article (https://msdn.microsoft.com/en-us/library/ms995355.aspx) and it certainly sounds like it. is it basically unchanged and still uses 3DES? reason i ask is that i was looking at the ConvertFrom-SecureString powershell function which uses DPAPI by default unless you provide a key where it then apparently uses AES. seems kinda dumb

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


hackbunny posted:

yeah I do this (except it's "lol nice try") but nobody noticed

should have put "if you're smart enough to find this email me at..." then reported anyone that emails it for hacking

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


cheese-cube posted:

i've really only ever worked on SAP stuff before but i'm inclined to say that all ERP platforms are equally garbage and the only difference is how poorly they are implemented. the platforms are always big and complicated af with lots of moving parts. this means that for a sizable deployment you'll need to hire ppl just to do SAP/whatever full-time. because of this most companies outsource that side of things and as usual you get what you pay for. oh also because the platforms become instantly business critical management will never accept any appreciable periods of downtime or drastic changes so the ppl supporting the platforms are never motivated to do anything proactive beyond break+fix/transports/functional changes so the platforms get stale.

yeah just find/replace SAP with oracle/ peoplesoft and add 'it will cost more money than you can possibly imagine'

jammyozzy
Dec 7, 2006
Is that a challenge?
I can't remember who posted it but somebody on here once explained ERP software being like corporate diabetes: Once you have it, it's not going away, and it takes legions of expensive specialists to monitor and care for it.

We have Epicor at work and it is at least slightly less daunting and user un-friendly than SAP or, heaven forbid, Sage.

ahmeni
May 1, 2005

It's one continuous form where hardware and software function in perfect unison, creating a new generation of iPhone that's better by any measure.
isn't salesforce an erp now

Pile Of Garbage
May 28, 2007



jammyozzy posted:

I can't remember who posted it but somebody on here once explained ERP software being like corporate diabetes: Once you have it, it's not going away, and it takes legions of expensive specialists to monitor and care for it.

yeah this is 100% true except i'd call it more of a cancer than diabetes, especially if SAP is involved. it always starts off innocently with ERP plus maybe a couple other products which are strongholded by being integrated with HR and payroll. then 3 years later there are an additional 15 diff SAP products deployed all of which have their own independent environments with multiple app/web/DB servers multiplied by 4-8 environments (prototype, dev, qa0, qa1, qa2, uat, bau, prod) giving you a surface area of almost 300 VMs. oh and they are all interconnected with each other in some way so performing any kind of maintenance is next to impossible. oh yeah and they also bought two SAP cloud products so there's that boondoggle on top.



on the other hand lol am i glad that i dont actually have to support SAP beyond the underlying infra

Westie
May 30, 2013



and to think i actually want to write a decent ERP

minivanmegafun
Jul 27, 2004

Westie posted:

and to think i actually want to write a decent ERP

enterprise requirements: poop

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

cheese-cube posted:

oh yeah i've got a question: is Windows Data Protection API (DPAPI) garbage? i've been reading the MSDN article (https://msdn.microsoft.com/en-us/library/ms995355.aspx) and it certainly sounds like it. is it basically unchanged and still uses 3DES? reason i ask is that i was looking at the ConvertFrom-SecureString powershell function which uses DPAPI by default unless you provide a key where it then apparently uses AES. seems kinda dumb

that documentation is specific to XP which didn't support AES in schannel, 3des was the best you got so it makes sense. If the api isn't deprecated then I would be very surprised if it still defaults to 3des on newer OSs.

BangersInMyKnickers fucked around with this message at 15:39 on Jul 22, 2016

surebet
Jan 10, 2013



oh god, that's encouraging lol

tbf as far as hardware sprawl goes, we're deploying a new 10k machine today just to load balance our thin client rdp poo poo show since people are running excel files so badly made and that pull down so many vlookup(some_other_file) levels that we have users leaching 25%+ of cpu time with a single document

:effort:

in actual secfuck news, ups has an amazing array of apis i want to use, but they require user, pass and token in each post

at least it's pointing to https, but it looks like I won't be integrating this with anything portable. of course, no granularity in access rights, so in theory if you borrow some poor schmuck's excel file that pulls down rates or something, you have everything you need to have authoritative control of their account

it's especially dumb since they put in the effort to setup sandbox environments but they opted against rolling out oauth or anything like it

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

surebet posted:

in actual secfuck news, ups has an amazing array of apis i want to use, but they require user, pass and token in each post

at least it's pointing to https, but it looks like I won't be integrating this with anything portable. of course, no granularity in access rights, so in theory if you borrow some poor schmuck's excel file that pulls down rates or something, you have everything you need to have authoritative control of their account

it's especially dumb since they put in the effort to setup sandbox environments but they opted against rolling out oauth or anything like it

I assume they want you to put up your own server between them and the client so they aren't directly supporting every lovely mobile device and 3rd party piece of garbage making calls directly to them?

Bhodi
Dec 9, 2007

Oh, it's just a cat.

cheese-cube posted:

yeah this is 100% true except i'd call it more of a cancer than diabetes, especially if SAP is involved. it always starts off innocently with ERP plus maybe a couple other products which are strongholded by being integrated with HR and payroll. then 3 years later there are an additional 15 diff SAP products deployed all of which have their own independent environments with multiple app/web/DB servers multiplied by 4-8 environments (prototype, dev, qa0, qa1, qa2, uat, bau, prod) giving you a surface area of almost 300 VMs. oh and they are all interconnected with each other in some way so performing any kind of maintenance is next to impossible. oh yeah and they also bought two SAP cloud products so there's that boondoggle on top.
lol if u use monsoon, that thing is a half-assed aws ripoff with a quarter of the performance and features

Pile Of Garbage
May 28, 2007



BangersInMyKnickers posted:

that documentation is specific to XP which didn't support AES in schannel, 3des was the best you got so it makes sense. If the api isn't deprecated then I would be very surprised if it still defaults to 3des on newer OSs.

taking another look at the MSDN article the DPAPI interface functions, CryptProtectData and CryptUnprotectData in Crypt32.lib, only have win xp as a minimum version and appear to still be fully supported. the version of Crypt32.dll is OS-specific and different versions provide different capabilities but the interfaces are the same. however i can't find jack poo poo info on how those functions actually do their dirty work

i'm pretty sure that DPAPI isn't deprecated as it is referenced in the technet article for the ConvertFrom-SecureString cmdlet in powershell 5.0: https://technet.microsoft.com/en-us/library/hh849814(v=wps.640).aspx.

ofc i'm dumb so yeah

Bhodi posted:

lol if u use monsoon, that thing is a half-assed aws ripoff with a quarter of the performance and features

oh no i was referring to T&E which they acquired from concur and successfactors. SaaS stuff really but still dumbbbbb

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

cheese-cube posted:

taking another look at the MSDN article the DPAPI interface functions, CryptProtectData and CryptUnprotectData in Crypt32.lib, only have win xp as a minimum version and appear to still be fully supported. the version of Crypt32.dll is OS-specific and different versions provide different capabilities but the interfaces are the same. however i can't find jack poo poo info on how those functions actually do their dirty work

i'm pretty sure that DPAPI isn't deprecated as it is referenced in the technet article for the ConvertFrom-SecureString cmdlet in powershell 5.0: https://technet.microsoft.com/en-us/library/hh849814(v=wps.640).aspx.

ofc i'm dumb so yeah

MS funnels practically all of their crypto stuff through schannel so what it should be doing is negotiating with whatever is on the other end based on the supported cipher list so the worst you should get if everything is newer than XP is aes128.

Shaggar
Apr 26, 2006
dpapi is definitely still supported and in active use by all sorts of Microsoft stuff including asp.net/.net core.
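Added example, not from the thread: a PowerShell check that answers the earlier "does it still use 3DES?" question for whatever box you run it on, by reading the cipher and hash algorithm IDs that a DPAPI blob records in its header, for both a direct CryptProtectData call (through the .NET ProtectedData wrapper) and the keyless ConvertFrom-SecureString output, and then contrasting that with the -Key mode. It assumes Windows PowerShell 5.1 on Windows; the header layout is the unofficial but widely documented DPAPI blob structure, and the secret is a constructed sample.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 on Windows.
# DPAPI blobs record the cipher and hash ALG_IDs they were produced with in their
# header, so reading that header shows what DPAPI actually used on this machine.
# Header layout follows the unofficial but widely documented DPAPI blob structure.
Add-Type -AssemblyName System.Security

$algNames = @{
    0x6603 = 'CALG_3DES';    0x660E = 'CALG_AES_128'; 0x660F = 'CALG_AES_192'
    0x6610 = 'CALG_AES_256'; 0x8004 = 'CALG_SHA1';    0x800C = 'CALG_SHA_256'
    0x800E = 'CALG_SHA_512'
}

function Get-DpapiBlobAlgorithms([byte[]]$blob) {
    # Skip dwVersion(4) + provider GUID(16) + master key version(4) + master key GUID(16) + flags(4)
    $pos = 44
    $descLen   = [BitConverter]::ToInt32($blob, $pos); $pos += 4 + $descLen
    $algCrypt  = [BitConverter]::ToInt32($blob, $pos); $pos += 4
    $keyBits   = [BitConverter]::ToInt32($blob, $pos); $pos += 4
    $saltLen   = [BitConverter]::ToInt32($blob, $pos); $pos += 4 + $saltLen
    $strongLen = [BitConverter]::ToInt32($blob, $pos); $pos += 4 + $strongLen
    $algHash   = [BitConverter]::ToInt32($blob, $pos)
    [pscustomobject]@{
        Cipher = $algNames[$algCrypt]; CipherId = ('0x{0:X4}' -f $algCrypt); KeyBits = $keyBits
        Hash   = $algNames[$algHash];  HashId   = ('0x{0:X4}' -f $algHash)
    }
}

function ConvertFrom-HexString([string]$hex) {
    $bytes = New-Object byte[] ($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16) }
    return ,$bytes
}

# Constructed sample secret; never a real credential.
$secret = 'sample-secret-not-real'

# 1. CryptProtectData directly, via the .NET wrapper.
$raw = [Security.Cryptography.ProtectedData]::Protect(
    [Text.Encoding]::UTF8.GetBytes($secret), $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
'ProtectedData.Protect:'; Get-DpapiBlobAlgorithms $raw

# 2. ConvertFrom-SecureString with no -Key: the hex output is the same kind of DPAPI
#    blob, decryptable only by this user on this machine.
$ss  = ConvertTo-SecureString $secret -AsPlainText -Force
$hex = ConvertFrom-SecureString $ss
'ConvertFrom-SecureString (DPAPI):'; Get-DpapiBlobAlgorithms (ConvertFrom-HexString $hex)

# 3. ConvertFrom-SecureString with -Key: DPAPI is not used; a caller-supplied 16/24/32-byte
#    key selects AES-128/192/256. The output is portable, so the key itself now needs
#    protecting: that is the trade-off between the two modes, not a flaw in either.
$key = New-Object byte[] 32
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$portable  = ConvertFrom-SecureString $ss -Key $key
$roundTrip = ConvertTo-SecureString $portable -Key $key   # succeeds wherever $key is present
```

On a post-XP machine the first two calls are expected to report an AES cipher ID rather than CALG_3DES; whatever they report is what that machine's DPAPI is actually doing.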

Bhodi
Dec 9, 2007

Oh, it's just a cat.

cheese-cube posted:

oh no i was referring to T&E which they acquired from concur and successfactors. SaaS stuff really but still dumbbbbb
I used to work on LMS & bizx, lmao

ChickenOfTomorrow
Nov 11, 2012

god damn it, you've got to be kind

holla at my crystal reports folx, especially all of us using it with sensitive client information woooooo

surebet
Jan 10, 2013



ugh, triggered

ChickenOfTomorrow
Nov 11, 2012

god damn it, you've got to be kind

you think you're triggered, I have to administer the loving thing

Carbon dioxide
Oct 9, 2012

You might remember that a little while ago I posted a link to a European Commission survey, they are doing a thing to help European citizens be more secure online, and one of the parts of this is them doing a security audit on the code of a few pieces of software. Which programs was to be determined by the survey.

Well, the results are in, the IT departments of the EC and the EP will do an audit on KeePass and on Apache HTTP server.

https://joinup.ec.europa.eu/node/153614

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

lol if you think crystal reports is bad when Oracle Discoverer exists

Rooney McNibnug
Sep 2, 2008

"Life always hopes. When a definite object cannot be outlined, the indomitable spirit of hope still impels the living mass to move toward something--something that shall somehow be better."
https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/

quote:

I was able to see the entire source code of vine, its API keys and third party keys and secrets. Even running the image without any parameter, was letting me host a replica of VINE locally.



docker. [kisses fingers and throws them up in the air]

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

after the last maintenance update SEP's tamper protection detected its own systray/gui as maliciously modified files on win7 and wouldn't launch them

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


BangersInMyKnickers posted:

after the last maintenance update SEP's tamper protection detected its own systray/gui as maliciously modified files on win7 and wouldn't launch them

sounds like they implemented a decent fix for that SEP rce taviso found

bug closed: working as intended

Pendragon
Jun 18, 2003

HE'S WATCHING YOU

Westie posted:

and to think i actually want to write a decent ERP

I wrote ERP software for 10 years. there is no such thing as decent ERP.

every ERP starts out as decent. then you get your first customer and they want to tweak your setups a little to better reflect their business process. then you get your next customer, and they do things a little differently, so you add a few configurable flags, add an additional panel or two to some modules, and you're good. then the first customer wants a new feature that affects some modules used by customer 2 so you add more flags and convoluted code. then you get a third customer that does things differently again so more flags and features. then you get a prospect who wants to see features X, Y, and Z, so you quickly write some prototype code that will need fleshing out later. you lose that one. but then customer 3 wants feature X and oh crap I need to make that code work now but I can't make it break how customer 1-2 work and then customer 2 wants feature Z but can it do Zprime instead of Z and repeat until the heat death of the universe or you shoot yourself in the head.

you basically are trying to sell off-the-shelf software to an organic entity that is different from every other one out there but said organic entity expects it to integrate perfectly into their process. you end up with tons of code full of convoluted business logic, some of which was half-implemented in an attempt to get a customer 5 years ago, the rest of which is obscure code that you don't want to touch because you have no idea what it will affect.

oh, and the guy asking about ERP security? :laffo: security is important, but before you work on that customer 3 has a bug in module X can you fix that, oh and we have a demo coming up in a few weeks that will require a new feature, and once that's done you need to look at customer 2 they have a new gadget that they want to integrate into our system. once that is all done you can work on implementing that HTTPS thing in our web app as long as there are no additional bugs to fix or features to add.

a foolish pianist
May 6, 2007

(bi)cyclic mutation

Who just published auth credentials to a (private to the company, but still) github repository? It is me.

The secfuck is coming from inside the office.

Shaggar
Apr 26, 2006
the user secrets thing in (asp).net core is really good for preventing that kind of thing.

Luigi Thirty
Apr 30, 2006

Emergency confection port.

Rooney McNibnug posted:

https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/




docker. [kisses fingers and throws them up in the air]

I want $10,000 for telling someone docker is bad

anthonypants
May 6, 2007

who's gonna be the guy who says this is immoral because he downloaded code instead of just reporting the publicly-accessible domain

dpkg chopra
Jun 9, 2007

Fast Food Fight


Rooney McNibnug posted:

https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/




docker. [kisses fingers and throws them up in the air]



i'm the piss snowflake

vOv
Feb 8, 2014

i don't think that's dockers fault though, it's the fault of whoever made that server publicly routable

hackbunny
Jul 22, 2007

I haven't been on SA for years but the person who gave me my previous av as a joke felt guilty for doing so and decided to get me a non-shitty av

anthonypants posted:

who's gonna be the guy who says this is immoral because he downloaded code instead of just reporting the publicly-accessible domain

this is immoral because he didn't leak the code

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


vOv posted:

i don't think that's dockers fault though, it's the fault of whoever made that server publicly routable

what is the secfuck equivalent of 'dont hate the player, hate the game'?

like "don't hate the endpoint, hate the route" idk

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Loving Africa Chaps posted:

I tried to download ricochet today and it got flagged by windows defender as containing a trojan.

it's probably because ricochet bundles a copy of tor, and some ransomware also does this (to contact their c+c)

Loving Africa Chaps posted:

Emailed and messaged them to let them know but didn't get a reply yet. Just curious if anyone knows if it's a known false positive.

no need to email them, they sign their releases: https://github.com/ricochet-im/ricochet/releases

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano
also good luck finding someone to talk to on ricochet

ahmeni
May 1, 2005

It's one continuous form where hardware and software function in perfect unison, creating a new generation of iPhone that's better by any measure.
*configures a docker registry to be publicly available and without authentication*
loving docker!!!!!!!

Shaggar
Apr 26, 2006
why can you make it available without authentication?

ahmeni
May 1, 2005

It's one continuous form where hardware and software function in perfect unison, creating a new generation of iPhone that's better by any measure.

Shaggar posted:

why can you make it available without authentication?

lazy practices

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall roll on,
generation shall follow generations' course



yo get me outta this SAP prison
