|
Happiness Commando posted:The header indicates SPF: pass, and we have -all at the end of the record Usually the mails are sent with a different envelope from. Email sucks and SPF is poo poo and everyone it works in a sensible way when it really doesn't.
|
# ? Mar 15, 2018 07:59 |
|
|
Thanks Ants posted:The Tradfri stuff is meant to be pretty decent. I bought the ones with a fixed colour temperature because I thought "oh it's a newer model they must've made it cheaper to make that's why it's cheaper to buy" because I'm an idiot.
|
# ? Mar 15, 2018 08:12 |
|
Methylethylaldehyde posted:More or less this. Or in one case, the dipshit pissed off the assistant, so they talked IT into giving him just enough rope to hang himself. Turns out following the sev 1 incident process to the letter pisses off a lot of people when it's 'add this printer I bought from Office Depot to my machine so I can print coupons or some dumb poo poo'. Dipshit was fired for poor performance about a month later, because he was magically now under a microscope. I have found making the effort to foster a good working relationship (or even friendship) with Admin Assistants for senior management is always worth it. And if it's a particularly good working relationship, you can have them in your corner, which is invaluable. They have a lot more influence over the C level they work for than people realize sometimes.
|
# ? Mar 15, 2018 17:21 |
|
Secretaries, Security, Smokers. Gets ya all the gossip you need.
|
# ? Mar 15, 2018 17:59 |
|
Thu Mar 15 10:49:00 2018 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Thu Mar 15 10:49:00 2018 TLS Error: TLS object -> incoming plaintext read error
Thu Mar 15 10:49:00 2018 TLS Error: TLS handshake failed
Why no, I didn't want to do anything else this morning. Glad you asked.
|
# ? Mar 15, 2018 18:09 |
|
ChubbyThePhat posted:Thu Mar 15 10:49:00 2018 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed One of my favorite things to do is explaining to people how SSL and TLS work.
|
# ? Mar 15, 2018 18:27 |
|
Thankfully I don't have to explain to anyone what is going wrong, I just need to fix it.
|
# ? Mar 15, 2018 18:40 |
|
Jerk McJerkface posted:One of my favorite things to do is explaining to people how SSL and TLS work. What is so complicated about the Simple Software Layer and Top Level Security? (These are both things I have heard in customer conversations. )
|
# ? Mar 15, 2018 18:41 |
|
so turns out SCCM has been reporting successful patching, without actually patching any endpoints since december
pretty easy to just cut out sccm and switch to WSUS, but jesus christ. Pretty sure that's the death knell for this software too, which is a bit of a bitter pill since I was the lead admin after the guy who set it up got fired
The Iron Rose fucked around with this message at 18:45 on Mar 15, 2018 |
# ? Mar 15, 2018 18:43 |
|
I thought SSL meant Sausage Sandwich Lover, who have I been sending my sexts to?
|
# ? Mar 15, 2018 18:51 |
|
We brought in a few infosec consultants primarily to help us with our Azure/AWS production environment and it's turning into a loving shitshow. The entire first 10 days of their time with us has been spent in dick measuring contests with me and my staff over the mundane of on-prem infrastructure bullshit. They have been obsessing over internal network ACLs and firewall rules for obscure "what-if" situations that are in no way a priority for us at the moment. Why is this part of the industry filled with so many clowns?
|
# ? Mar 15, 2018 19:29 |
|
Agrikk posted:What is so complicated about the Simple Software Layer and Top Level Security? TLS obviously stands for Three Letter Security. Same kind of security that the Three Letter Agencies use!
|
# ? Mar 15, 2018 20:01 |
|
Sickening posted:We brought in a few infosec consultants primarily to help us with our Azure/AWS production environment and it's turning into a loving shitshow. The entire first 10 days of their time with us has been spent in dick measuring contests with me and my staff over the mundane of on-prem infrastructure bullshit. They have been obsessing over internal network ACLs and firewall rules for obscure "what-if" situations that are in no way a priority for us at the moment. Why is this part of the industry filled with so many clowns? It's all they know how to do and they want to put some accomplishments under their belt to prove their worth. Dictating internal security policies is so much easier than doing their real job. Which they may have BSed their knowledge of in the interview and are now scrambling to be useful.
|
# ? Mar 15, 2018 20:09 |
|
Avenging_Mikon posted:TLS obviously stands for Three Letter Security. Same kind of security that the Three Letter Agencies use! One thing I strive to be good at is to explain something complicated to people in a simple way. It's a big part of my relative success so far, but man, explaining how CA certs and trusted root certificates work to people is almost too much for me to handle.
|
# ? Mar 15, 2018 20:11 |
|
Jerk McJerkface posted:One thing I strive to be good at is to explain something complicated to people in a simple way. It's a big part of my relative success so far, but man, explaining how CA certs and trusted root certificates work to people is almost too much for me to handle. If you ever come up with a very simple way to relay this info, do share.
|
# ? Mar 15, 2018 20:21 |
|
ChubbyThePhat posted:If you ever come up with a very simple way to relay this info, do share. Maybe something with locked boxes that a locksmith knows how to make all the keys for everyone's boxes. You trust this locksmith, you get a box you think is from Joe but you don't know so you ask the locksmith for Joe's key. If it opens the box it's from Joe.
|
# ? Mar 15, 2018 20:26 |
|
Sickening posted:We brought in a few infosec consultants primarily to help us with our Azure/AWS production environment and it's turning into a loving shitshow. The entire first 10 days of their time with us has been spent in dick measuring contests with me and my staff over the mundane of on-prem infrastructure bullshit. They have been obsessing over internal network ACLs and firewall rules for obscure "what-if" situations that are in no way a priority for us at the moment. Why is this part of the industry filled with so many clowns? Are you paying them for their time or to work on a set of defined areas? As the customer can you not just tell them to get the gently caress back on task?
|
# ? Mar 15, 2018 20:53 |
|
pixaal posted:Maybe something with locked boxes that a locksmith knows how to make all the keys for everyone's boxes. You trust this locksmith, you get a box you think is from Joe but you don't know so you ask the locksmith for Joe's key. If it opens the box it's from Joe.
Except someone fit certificate chains into this scenario. You only trust the locksmith because his dad's, dad's, dad's, dad has the same name as his dad?
ChubbyThePhat posted:If you ever come up with a very simple way to relay this info, do share.
I essentially say this:
1) a cert has several components, the main ones we care about are "Subject name" and "Issuer"
2) a cert tree links the Issuer of a cert with another cert that has that subject name.
3) you keep going up this tree, linking the issuer of a previous cert with the subject of the preceding cert
4) eventually you arrive at a root cert, which is basically a cert with the same subject and issuer.
5) Trusting that cert means you trust everything under the same tree, as long as the link chain is complete (and the subject name matches VERBATIM the host of the site you are visiting, yes subject alternative names and wild card certs, but that's cert 102).
Then I draw on the white board an example cert chain. Then I make them go on their own PC and open cert manager and show them a few root certs, and then I show them the cert for Google and how it has the entire chain, and then I ask them "define a root certificate" and they look at me like I'm an idiot. After this, I try to show them how LDAPS with TLS operates the same way and it blows their minds, because LDAP isn't a webserver so how does it know.
|
# ? Mar 15, 2018 20:55 |
|
Thanks Ants posted:Are you paying them for their time or to work on a set of defined areas? As the customer can you not just tell them to get the gently caress back on task? Yeah and we definitely have. The hard part is that the CIO is out and I have the full authority to do everything but fire them. I have pushed them back on task 4 times now. Today I was at the end of my rope. One of these fuckers had this big tiff about local administrator password complexity auditing and I lost it. I had to flat out tell them that I didn't want my staff or myself to be invited to another meeting where we talk about on-prem infrastructure at all. The CIO set up a call with me in an hour and I am going to recommend to sever right now. I hate not being part of these vetting processes sometimes.
Sickening fucked around with this message at 21:11 on Mar 15, 2018 |
# ? Mar 15, 2018 21:05 |
|
Jerk McJerkface posted:Except someone fit certificate chains into this scenario.
Yeah I could see people just glazing over.
pixaal posted:Maybe something with locked boxes that a locksmith knows how to make all the keys for everyone's boxes. You trust this locksmith, you get a box you think is from Joe but you don't know so you ask the locksmith for Joe's key. If it opens the box it's from Joe.
This actually doesn't seem so bad. Also, I fixed the broke TLS handshake.
|
# ? Mar 15, 2018 21:30 |
|
I used a wax seal analogy once, but it also falls short when trying to describe root certificates and chains.
|
# ? Mar 15, 2018 22:04 |
|
Some things are more complex than a simple analogy can accurately portray
|
# ? Mar 15, 2018 22:29 |
|
Thanks Ants posted:Some things are more complex than a simple analogy can accurately portray Yeah, this, I pride myself, and it's been very helpful in my career, in the fact that I can explain 90% of technical things to non-technical people in a way that will get the point across, but god drat certificates is not something I can think of how to do easily.
|
# ? Mar 15, 2018 22:39 |
|
MF_James posted:Yeah, this, I pride myself, and it's been very helpful in my career, in the fact that I can explain 90% of technical things to non-technical people in a way that will get the point across, but god drat certificates is not something I can think of how to do easily. Semi-related, PKI is a joy as well. It's like watching heads explode in Scanners.
|
# ? Mar 15, 2018 22:44 |
|
Two people on my team have been told to start helping on a queue that they were told wouldn’t end up being their responsibility. They have no admin access to the system. They have no training, and despite the people in charge saying that they had training opportunities, we actually requested training and never got it. I’m angry enough to want to walk out and I’m not even the one who was given this poo poo sandwich. I suggested malicious compliance. Go through all of the tickets they can, send them to the person in charge of the project saying they don’t have the permissions to resolve the ticket and so they’re forwarding it to someone who does.
|
# ? Mar 15, 2018 22:47 |
|
“Certificates secure traffic between two points on the Internet. I could go into it further if you want, but for now just knowing this is good enough.”
|
# ? Mar 15, 2018 22:47 |
|
I think a passport analogy could work in this case? Like the CA is the state. It's trusted by other states/countries to authorize passports. The passport is a validated client cert.
|
# ? Mar 15, 2018 23:21 |
|
Sefal posted:I think a passport analogy could work in this case? ...that's not half bad.
|
# ? Mar 15, 2018 23:23 |
Agrikk posted:“Certificates secure traffic between two points on the Internet. I could go into it further if you want, but for now just knowing this is good enough.” Root certificates are anchor points, as long as a root certificate is trusted (anchored), anything else hooked up on the root certificate is also assumed to be reliable. The actual computer science behind it is complicated, but it's similar to how you should assume your bank is trustworthy because the SEC has approved of them. (And if it turns out the SEC was accepting bribes, you may as well no longer trust any approval of theirs.)
|
|
# ? Mar 15, 2018 23:25 |
|
The CA is exactly like the DMV, they issue you a photo ID when you ask them to. Everyone knows the IDs are very very hard to forge, so if someone has an ID that says they're Joe Blow, then you trust that they are. Lots of states issue ID, but some states are known to not do as good a job at determining if the guy in line is Joe or if he's Bob. If enough people believe that they aren't doing a good enough job, then nobody takes ID from that state anymore.
If they need more detail, the DMV has the master ID printing machine, and the password to use it in the basement of their head office. It can make as many lesser ID printing machines as it needs to. Each local office gets a lesser ID printer, and password, which they use to issue IDs to people. If it's lost or stolen, they can alert everyone that all the IDs printed on it are bad, and not to trust them (CRL). This process costs money, and ID fees are how they pay their bills.
There are also those really excited robots in the parking lot, who will issue you a no questions asked ID good for 3 months, and all you need to do is state your name, get your picture taken, and get your fingerprints recorded (Let's Encrypt). None of the state offices like those guys much.
|
# ? Mar 16, 2018 00:01 |
|
Sefal posted:I think a passport analogy could work in this case? And also like passports, there's some issuers where almost no one trusts it, and some where almost everyone does.
|
# ? Mar 16, 2018 00:05 |
|
fishmech posted:And also like passports, there's some issuers where almost no one trusts it, and some where almost everyone does.
|
# ? Mar 16, 2018 00:07 |
|
My internal security team is pissing me off. We had a bunch of stuff signed off on 3 months ago during design and when we checked in the Director went full grand stand reaming me in emails and chat. I sent all the previous docs and he just responded INVALID. Found out they were being lazy on previous audits because they knew the auditor and we got a new one this time and they’re getting cornholed bad. This should be fun times. Luckily my AWS Enterprise Support Lead reached out and the Chicago office wants to interview me.
|
# ? Mar 16, 2018 02:49 |
|
Agrikk posted:“Certificates secure traffic between two points on the Internet. I could go into it further if you want, but for now just knowing this is good enough.” I'm a vendor trying to explain why my Linux server doesn't trust their LDAPS server since it's a Windows DC with a self signed cert and I need their root CA to get it all to work.
|
# ? Mar 16, 2018 04:09 |
|
Please don't dox my brother.
|
# ? Mar 16, 2018 10:02 |
|
Pissing me off Part Deux: I put my hand out 15-20 years ago in the army cos I know X. Now I've done it again! There's a huge recall of a bunch of embedded systems that I am part of the supply network of. I literally had one personally to RTM but the curious hardware hacker in me got the best of me. I had a look at the one board I had before sending back and noticed it had a direct ICSP port. First thing I did was email head of Australia's tech department for that company (we are on chatting bullshit basis) that I might give a go at dumping the hex and reuploading old working firmware if I could just have a copy of known good files. I have a bunch of older boards lying around to practice on. This turned into a nationwide email dump of everyone in their company sending me files/tip/clues and a 'how do you have X hardware and Y software that is limited to 5 people in the country?' Turns out our supplier can only 'load Z firmware' and not do anything they want with the whole chip including the bootloader. Naturally the ID marks are shaved off. So I'll be playing blind. RIP my weekend as now this seems like a LOT of attention about a DIP8 microcontroller with a programming/debugging header on the board above the conformal 5mm thick gel over the board. My heart says 'hack the gibson' to save sending 10k boards back for reprogramming, but my mind says 'hmm there's money to be made here'.
|
# ? Mar 16, 2018 13:21 |
|
Humphreys posted:This turned into a nationwide email dump of everyone in their company sending me files/tip/clues and a 'how do you have X hardware and Y software that is limited to 5 people in the country?' How do you?
|
# ? Mar 16, 2018 13:24 |
|
Jaded Burnout posted:How do you? Could it be related to the porn muling? I kid, would like to know the story as well, if there is one.
|
# ? Mar 16, 2018 13:30 |
|
Things pissing me the gently caress off this morning:
Somehow our poo poo rear end MSP took "Upgrade to IE 11" as "Remove IE from the PC totally" for 85 PCs.
Why they didn't just approve the WSUS update I'll never loving know.
|
# ? Mar 16, 2018 14:38 |
|
|
One of our vendors switched to a new quoting software. Their old one was great from an administration point of view; was entirely self contained to one directory, did not need admin to work or even update itself. Long as the user had write access to the directory the software was installed in there were no problems. The new one, while it looks pretty, insists on updating every single time you open it, and requires Admin to do so. When I complained about this they sent me a Word document full of screenshots showing how to disable UAC, the screenshots were of Windows Vista. Why in 2018 are people still writing software like it's 1999?
|
# ? Mar 16, 2018 14:46 |