hobbesmaster posted: the watchdog just has to be fast enough that nobody notices

Pretty much. But if you gently caress it up. NYSE data distribution was down from 2:45pm through close (4:00-4:30pm) on Monday because the connection manager didn't know one site was unavailable due to a dead router and decided to redirect everyone to it as it had no load. The comments on the floor: "yeah, we've seen this before."

Dec 20, 2017 01:44
hopefully this is an easy question to answer but i don't know anything about security stuff so here goes: over the past few months my client has been adding 2-way SSL to all of their servers' application ports above dev. cool. we're also setting up automated testing which is part of the jenkins deployment into the higher environment. basically the jenkins instance calls a ruby script post deployment which then uses curl to fire off the various tests against the application port. the dbas set up the environment such that the client certificate has to be pkcs#12 and apparently that's fundamentally incompatible with the centos server that jenkins is running on? i really should be more knowledgeable about this stuff but what it looks like is that it's basically impossible to get our jenkins instance to actually handle the client certificate in order to run our tests. is there anything obvious that I'm missing to make this easy?

Dec 20, 2017 02:16
That's just a file format for security certificates. There are way too many, and clunky poo poo only supports certain ones. You can convert them with openssl or even the ipsec command line utilities. If you don't care too much there are also websites that will do it so you don't have to find the awful command line parameters to do it for you. It's like 5 minutes of effort and people make excuses that lead to weeks of delay because of it. Random example that also includes openssl params: https://www.sslshopper.com/ssl-converter.html

MrMoo fucked around with this message at 02:36 on Dec 20, 2017

Dec 20, 2017 02:30
You should be able to use OpenSSL to convert the p12 to PEM then use it with cURL or whatever, unless I’m misunderstanding the issue. You could probably better automate the tests depending on what those steps are doing, though.

Dec 20, 2017 02:31
Rex-Goliath posted: hopefully this is an easy question to answer but i don't know anything about security stuff so here goes:

pkcs12 is pretty much the standard for keystore formats so if something can't handle it, it's that thing that's janky. idk if curl can handle pkcs12 but openssl definitely can. imo rewrite the tests in java so you can just run them as part of the maven package both locally and in Jenkins.

Dec 20, 2017 02:37
MrMoo posted: It's like 5 minutes of effort and people make excuses that lead to weeks of delay because of it.

Yeah the CIS/jenkins team has basically told us to do a different thing every time we've come back with 'that didn't work now what' and you called it: this has been going on for weeks now. I finally got frustrated enough with them to reach out to you guys.

Hed posted: You should be able to use OpenSSL to convert the p12 to PEM then use it with cURL or whatever, unless I’m misunderstanding the issue. You could probably better automate the tests depending on what those steps are doing, though.

I'm pretty sure we tried this but something went wrong; this was a week or two ago. Something about how the PEM we converted to was fine if we did it on one of our machines but then jenkins would reject it. But when we tried to do the conversion on the jenkins machine it was straight up unable to. It's also likely that we were just loving up the process.

Shaggar posted: pkcs12 is pretty much the standard for keystore formats so if something can't handle it, it's that thing that's janky. idk if curl can handle pkcs12 but openssl definitely can. imo rewrite the tests in java so you can just run them as part of the maven package both locally and in Jenkins.

yeah this is what I suggested earlier today but i feel like the tech director won't be happy with adding yet another 'thing that can break' to their already complicated system. idk

Dec 20, 2017 02:57
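The p12-to-PEM split that MrMoo, Hed and Rex-Goliath are going back and forth about, plus the check for why a converted PEM pair can work on one box and get rejected on the Jenkins host, as an added Ruby example (not code from the thread; the self-signed client identity, the password and the URL are constructed stand-ins for the DBA-issued bundle):

```ruby
require 'openssl'
require 'tmpdir'

# Constructed throw-away self-signed client identity standing in for the
# DBA-issued PKCS#12 bundle (example code, not from the thread).
def build_sample_p12(password)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=jenkins-test-client')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, 'client', key, cert).to_der
end

# Unpack the PKCS#12 blob into the PEM pieces curl takes via --cert and --key
# (plus --cacert for the issuer chain, if the bundle carries one).
def p12_to_pem(der, password)
  p12 = OpenSSL::PKCS12.new(der, password)
  {
    cert: p12.certificate.to_pem,
    key: p12.key.to_pem,                # unencrypted: keep the file mode 0600
    chain: (p12.ca_certs || []).map(&:to_pem).join
  }
end

# Common cause of "the PEM worked on my box but Jenkins rejects it": the cert
# and key files on the Jenkins host no longer belong to each other.
def pem_pair_consistent?(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  cert.check_private_key(key)
end

# Write the PEM files with tight permissions and return the curl argv that the
# post-deploy Ruby script would pass to Kernel#system.
def curl_argv(pem, url, dir)
  cert_path = File.join(dir, 'client.pem')
  key_path = File.join(dir, 'client.key')
  File.open(cert_path, 'w', 0o644) { |f| f.write(pem[:cert]) }
  File.open(key_path, 'w', 0o600) { |f| f.write(pem[:key]) }
  ['curl', '--fail', '--cert', cert_path, '--key', key_path, url]
end
```

A curl built against OpenSSL can also load the bundle directly with `--cert client.p12:password --cert-type P12`, which skips the conversion step entirely.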
Rex-Goliath posted: yeah this is what I suggested earlier today but i feel like the tech director won't be happy with adding yet another 'thing that can break' to their already complicated system. idk

Dec 20, 2017 03:05
anthonypants posted: lol what

i see you haven't been following my saga in the cjs thread

Dec 20, 2017 03:06
Rex-Goliath posted: i see you haven't been following my saga in the cjs thread

it's quite a sordid tale

Dec 20, 2017 03:13
Another alternative might be to use a proxy like stunnel which can present an unencrypted TCP port and forward it over SSL to an arbitrary destination. It's great for apps (clients or servers) which don't support SSL, or don't support it well.

Dec 20, 2017 03:54
minato posted: It's got to be pretty secure tho, it says right there that it broils all the incoming chars.

Dec 20, 2017 04:06
Rex-Goliath posted: the client certificate has to be pkcs#12 and apparently that's fundamentally incompatible with the centos server that jenkins is running on?

Dec 20, 2017 04:25
our org just created a URL shortening service for our URLs. I immediately checked and it neither requires nor supports TLS. It's apparently OK though because we're not using it to link to sensitive information

Dec 20, 2017 04:34
theodop posted: our org just created a URL shortening service for our URLs. I immediately checked and it neither requires nor supports TLS.

i mean it's just a redirect to other (presumably SSL'd?) information right, what would SSL really get you there

e: domain validation maybe i guess?

Dec 20, 2017 05:22
ate all the Oreos posted: i mean it's just a redirect to other (presumably SSL'd?) information right, what would SSL really get you there

An attacker could mitm the shortlink to point to a phishing site.

Dec 20, 2017 05:42
Lots of CMSs use article titles/summaries in the URL. Some terrible apps add session tokens into the URL. URLs can include filter/search params which can reveal interesting info.

Related to URL secrecy: Both Google & Facebook employees use browser extensions which let them use the browser URL field as an ersatz CLI tool to easily navigate to internal tools and pages. If the extension isn't set to their default search engine then it's activated by typing in a magic prefix to the "command". But if they fluff the magic prefix or omit it entirely, then of course the browser just does a Google search. Facebook management were a little concerned about this since it meant that their competitor (Google) could sometimes see what employees were navigating to internally, possibly revealing business intelligence.

Dec 20, 2017 05:42
Jabor posted: An attacker could mitm the shortlink to point to a phishing site.

ding ding ding. a MITM could insert a fake login page for our business, knowing that the client uses our business due to the URL being for one of our resources

Dec 20, 2017 05:53
minato posted: Related to URL secrecy: Both Google & Facebook employees use browser extensions which let them use the browser URL field as an ersatz CLI tool to easily navigate to internal tools and pages. If the extension isn't set to their default search engine then it's activated by typing in a magic prefix to the "command". But if they fluff the magic prefix or omit it entirely, then of course the browser just does a Google search. Facebook management were a little concerned about this since it meant that their competitor (Google) could sometimes see what employees were navigating to internally, possibly revealing business intelligence.

lol whyyy can't they just sync a bookmark set & use autocomplete to jump around their intranet, or are they literally doing like "command push repo to url" or something insane like that

Dec 20, 2017 06:33
Because the arguments are dynamic and the list of commands is large. Firefox has a built-in similar (& simpler) feature called Quick Search where the user can bookmark a URL template + keyword, and entering the keyword + an arbitrary string will expand the template. e.g. "wiki Hackers movie" expands to "https://en.wikipedia.org/w/index.php?search=Hackers%20%movie". The Facebook one could be used to (say) navigate to the web-view of a given source file, search all repos for arbitrary strings, jump deep within internal tools, and as a way to verbally give someone a shorthand way of accessing an internal page. But yeah, at the risk of significant information leakage.

Dec 20, 2017 06:58
minato posted: Because the arguments are dynamic and the list of commands is large.

This. I was always concerned that somehow Google would learn terrible internal secrets when I worked at Amazon and had those set up, then made a typo and whoops now Google knows the codename of the new Kindle.

Dec 20, 2017 07:15
A few years ago when I was learning Python, I kept Googling a lot of Python docs. One spooky night the search results were entirely replaced by a Google Python coding challenge that led to what turned out to be a Google recruiting drive. So Google is definitely looking at these results. And what I think they'll find is that people at BigTechCos definitely use StackOverflow a lot.

Dec 20, 2017 07:38
minato posted: Firefox has a built-in similar (& simpler) feature called Quick Search where the user can bookmark a URL template + keyword, and entering the keyword + an arbitrary string will expand the template. e.g. "wiki Hackers movie" expands to "https://en.wikipedia.org/w/index.php?search=Hackers%20%movie".

i work for google and i do this with our internal codesearch tool, so like 'cs whatever' will do a codesearch for me. no extension needed, i just add it as a search engine in chrome. occasionally i gently caress it up and accidentally wind up doing a google search for some highly internal tool, which makes me panic until i remember who i work for.

i would like to think that the people that work on search are above manually looking at search results from other companies' IPs (and that our internal tools would catch them)

vOv fucked around with this message at 07:47 on Dec 20, 2017

Dec 20, 2017 07:40
FWIW, all you actually need for that is DNS.

Dec 20, 2017 07:52
Jabor posted: FWIW, all you actually need for that is DNS.

A DNS query does not contain the URN

Dec 20, 2017 07:58
spankmeister posted: A DNS query does not contain the URN

i think they meant like http://cs/stuff+goes+here and then that resolves to http://cs.some.internal.domain.thing/stuff+goes+here, which the server interprets as a query. which works but is more fiddly to deal with and puts a constraint on how your server interprets URLs, unless you want to run a server just to forward it to the 'real' codesearch server. we do use that kind of DNS thing for other stuff tho

Dec 20, 2017 08:02
It came to my attention today that an internal domain (.com) with a ton of infrastructure attached was never registered because why spend $10 when you can just fiddle with the DNS view? Eight years later, someone external registered it and poo poo broke.

Dec 20, 2017 08:51
lol

Dec 20, 2017 09:06
secfuck: we're seeing malicious traffic destined for the internet traversing one of our VSAT links (the traffic is being blocked by the firewall on our onshore side). the source of the traffic: the VSAT service provider's network on the offshore vessel. it's all on separate VLANs and poo poo to our traffic but still lmao. we reported it to them 20 days ago and have yet to receive a response. i tell you what, offshore telecoms is the worst. all they do is stand up VSAT/WiMAX links with rudimentary L3 config and then just walk away. good thing we're protecting our poo poo on separate VLANs and tunnels.

Dec 20, 2017 13:47
i'd say use an invalid tld like .lan for internal poo poo, but with the rate new stupid tlds have been getting approved by icann lately, i don't think i can recommend that either.

also,

Volmarias posted: This.

google definitely knows some of my now old passwords lmao

Dec 20, 2017 13:49
Truga posted: i'd say use an invalid tld like .lan for internal poo poo, but with the rate new stupid tlds have been getting approved by icann lately, i don't think i can recommend that either.

if you do that you need to be able to operate a CA and add a root to _everything_ (badge reader talks to AD?) because you can’t get real certs issued for non-registered domains. just register a second domain and only use it internally

Dec 20, 2017 14:03
i run an internal ca, completely forgot about that bit. it's definitely easier to just reg a domain, yeah.

Dec 20, 2017 14:05
got an "important security notification" at work from some internal team for a container tool that I don't use telling me that "there is a security vulnerability if the following configuration is used"

code:

no poo poo guys well done

Dec 20, 2017 14:17
do they notify for all potentially vulnerable configurations?

Dec 20, 2017 14:21
is the vulnerability “your data isn’t encrypted”, or something else that is revealed by that configuration change?

Dec 20, 2017 14:25
Varkk posted: industrial control software and cheap enough don’t really go together. pricing is certainly high enough that no one notices the hardware cost of an extra workstation or two. But then they will each need their own license.

You have absolutely no idea what this poo poo used to cost when they were doing hand-built logic gates or even the early vms poo poo compared to it all being commodified on Winx86 and PLCs

Dec 20, 2017 17:40
Subjunctive posted: if you do that you need to be able to operate a CA and add a root to _everything_ (badge reader talks to AD?) because you can’t get real certs issued for non-registered domains

actually, just use subdomains of your main, public, domain for internal apps.

Dec 20, 2017 17:54
i hope no one's been using the captcha plugin for wordpress: https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/

Dec 20, 2017 18:08
spankmeister posted: actually, just use subdomains of your main, public, domain for internal apps.

ugh, cookie bleed

Dec 20, 2017 18:18