dogstile
May 1, 2012

fucking clocks
how do they work?

freeasinbeer posted:

I can't wait for you to work at a real shop.

For someone who's against the :smug: thing

You sure do like being the living loving embodiment of it.


GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

KS posted:

Venting because my new work laptop, the just-released Elitebook 830 G5, is a great laptop with one very annoying flaw.

There’s a function lock key – the first HP laptop I’ve seen with it. This key toggles the function of the F-keys between the media functions and the traditional F1-F12. My Lenovo T460s and T450s had function lock on the escape key. HP elected to put it on the left shift key.

The problem is home/end/pgup/pgdown are fn + arrow keys on the Elitebook keyboard, and shift-home/shift-end are common shortcuts to highlight blocks of text. If you press shift, function, home, it works, but if you press function, shift, home, it doesn’t – it toggles the function lock instead. Absolutely maddening brain re-training exercise. They should have ripped off Lenovo completely.

We got a dozen of these in. Let me know what else you think. Half our users are getting an annoying BSOD and I can't figure out why.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal
Interviewing candidates is the worst. I totally understand why phone screens are a valuable tool now. Out of 15 interviews we only have two candidates that I would ever want to talk to again.

There are a shocking number of IT folks who can't carry a normal conversation with people they've just met. If I ask about your time management skills and you sigh and say "okay." before responding, you probably won't get the job.

Internet Explorer
Jun 1, 2005





Yuuuuup. Hiring folks is a pain, but you usually get back what you put into it. I've seen companies that just try to outsource that completely or not take it seriously and it's a disaster.

Doing management poo poo is hard, soul crushing, and time consuming.

I'm in the middle of interviewing candidates for a position now and I usually estimate about 40 hours of work to find someone I like. And that's for a fairly junior position.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
I'm great at talking to people, hire me pls :smith:

Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer
thought this thread might appreciate

https://twitter.com/ow/status/986160447152885760

Zapf Dingbat
Jan 9, 2001


Okay, another development about the company owner's weird cryptocurrency shenanigans in today's companywide meeting.

There was a year to date revenue report, and they marked $800k in enterprise equipment sales, $500k of which was to the cryptocurrency company that our boss is running.

Conversation between me and my manager:

Me: is it just me, or did they just count 500k in equipment sales to <crypto company>? Can we sell to ourselves?
Manager: We are not <CRYPTO COMPANY> and that is actual billed
Me: i was under the impression we were at least hosting the equipment. So are you saying <our company's owner> is a kind of a co investor?
Manager: <Our company's owner> is the owner of the company. He has quite a few investors that have dropped some serious cash in it. They will be hosted at <one of our data centers>.


Maybe I'm being too concerned and I just don't understand finance and business (which I don't). It's just that it makes me suspicious because nobody is announcing any of this to the employees. I only know about it because someone accidentally put a few documents in a publicly shared folder.

wolrah
May 8, 2006
what?

Judge Schnoopy posted:

It's cool, yes, but go through the proper channels to get a hidden SSID separated from the domain network please.

"Hidden" SSIDs aren't.

All it actually means is that the AP isn't sending out beacons advertising the network. It won't show up in a standard network selection dialog but any passive scanner can easily see that the network exists if there's any traffic at all. The SSID is broadcast in the clear whenever a client connects, so any potential attacker can just do a quick deauth attack and force a reconnection to reveal the name if they care. Worse, most client implementations will broadcast "hey, is <SSID> around?" when looking for a network so if any mobile devices are set up to use the network you actually end up broadcasting its existence to anyone listening wherever they go.

Depending on your goals, disabling beaconing is at best a pointless inconvenience to legitimate users and potentially actually counterproductive.

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin
Depending on the context, hidden SSIDs are a hint that there's something useful on that network that's worth trying to access.

mewse
May 2, 2006

Zapf Dingbat posted:

Okay, another development about the company owner's weird cryptocurrency shenanigans in today's companywide meeting.

There was a year to date revenue report, and they marked $800k in enterprise equipment sales, $500k of which was to the cryptocurrency company that our boss is running.

Conversation between me and my manager:

Me: is it just me, or did they just count 500k in equipment sales to <crypto company>? Can we sell to ourselves?
Manager: We are not <CRYPTO COMPANY> and that is actual billed
Me: i was under the impression we were at least hosting the equipment. So are you saying <our company's owner> is a kind of a co investor?
Manager: <Our company's owner> is the owner of the company. He has quite a few investors that have dropped some serious cash in it. They will be hosted at <one of our data centers>.


Maybe I'm being too concerned and I just don't understand finance and business (which I don't). It's just that it makes me suspicious because nobody is announcing any of this to the employees. I only know about it because someone accidentally put a few documents in a publicly shared folder.

I can't tell exactly what the situation is either from this information.

What you might be seeing is the owner starting a shell company to fleece gullible crypto investors and funneling the money to parent company for services rendered, which should be good for everybody at parent company.

Or your company owner could be a true believer who is going to sink everything somehow by betting on crypto. Angry investors filing lawsuits against owner and parent company. Dogs and cats living together.

wolrah
May 8, 2006
what?

Dr. Arbitrary posted:

Depending on the context, hidden SSIDs are a hint that there's something useful on that network that's worth trying to access.

Potentially yes, though with how commonly that bit of "advice" is repeated in all sorts of "How to Secure your WiFi" guides I wouldn't necessarily assume there was anything truly interesting there.

What it definitely does say though is that someone who makes decisions about this network does not actually understand it and follows cargo cult "security" techniques.

Proteus Jones
Feb 28, 2013



wolrah posted:

What it definitely does say though is that someone who makes decisions about this network does not actually understand it and follows cargo cult "security" techniques.

Yeah, SSIDs are never hidden, they just don't broadcast. They will always respond to a "hey who's out there?" probe. Also management frames are in the clear as well which will reveal the SSID.

Another I love is MAC filtering touted as a "security feature"

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

wolrah posted:

Potentially yes, though with how commonly that bit of "advice" is repeated in all sorts of "How to Secure your WiFi" guides I wouldn't necessarily assume there was anything truly interesting there.

What it definitely does say though is that someone who makes decisions about this network does not actually understand it and follows cargo cult "security" techniques.

I wouldn't go that far. For example, we have a network that's specifically for nintendo switches, playstations, cute pieces of tech that don't play nice with 802.1x called [Company] Toys. We don't broadcast it because we don't want people with workstations seeing it and trying to connect to it.

As a security measure it, well, isn't. But there's all sorts of non-security related reasons you might want to hide an SSID from users

wolrah
May 8, 2006
what?

quote:

Another I love is MAC filtering touted as a "security feature"

There's a long-running thread on the Ubiquiti forums with people asking for MAC filtering who are unwilling to accept that it's drat close to meaningless.

The Iron Rose posted:

I wouldn't go that far. For example, we have a network that's specifically for nintendo switches, playstations, cute pieces of tech that don't play nice with 802.1x called [Company] Toys. We don't broadcast it because we don't want people with workstations seeing it and trying to connect to it.

As a security measure it, well, isn't. But there's all sorts of non-security related reasons you might want to hide an SSID from users

That's probably the least bad reason I've ever heard. I still don't really see what difference it'd make over just having the users not be told the password to the Toys network, but at least it is a logically sound plan that actually works as intended.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

wolrah posted:

I still don't really see what difference it'd make over just having the users not be told the password to the Toys network, but at least it is a logically sound plan that actually works as intended.

People clicking connect but never "forgetting" the SSID, so their device tries to connect when their primary SSID disappears for a few moments and now suddenly a support ticket is open because "my wifi intermittently doesn't work"

Have seen that too many times.

mattfl
Aug 27, 2004

KS posted:

Venting because my new work laptop, the just-released Elitebook 830 G5, is a great laptop with one very annoying flaw.

There’s a function lock key – the first HP laptop I’ve seen with it. This key toggles the function of the F-keys between the media functions and the traditional F1-F12. My Lenovo T460s and T450s had function lock on the escape key. HP elected to put it on the left shift key.

The problem is home/end/pgup/pgdown are fn + arrow keys on the Elitebook keyboard, and shift-home/shift-end are common shortcuts to highlight blocks of text. If you press shift, function, home, it works, but if you press function, shift, home, it doesn’t – it toggles the function lock instead. Absolutely maddening brain re-training exercise. They should have ripped off Lenovo completely.

The 830 G5s are pretty sexy. As soon as they become approved devices for our Corp I'm going to order myself one since I do all the purchasing for our IT department. Right now I have an Elitebook Folio G1 and it's pretty nice in a wanna be mac book air way but I yearn for the 830 G5.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Vargatron posted:

Security and access policies should support the goals of the business, not be there to just gently caress with users. That said, I was involved with a push to remove admin rights from local user computers at my last job, following a licensing incident that cost the company about $50k in fines and licensing. The Engineering team eventually complained to the CEO, who reversed the IT decision, despite this being a reaction to a very serious issue that could have been mitigated.

Only 50K? You got off easy. We got nailed for about half a million because a few people in our APAC region pirated a product instead of going through the channels to buy it. We have plenty of resources, no reason for them to pirate the software, the purchase would have been approved if they would have taken the time to ask for it. Dealing with another software audit right now, the 3rd one in the last 12 months. Acquisitions seem to trigger these things and they suck.

On the bright side it triggered some reforms on how we handle software installation and licensing, and local admin rights, so that should help down the road.

Kashuno
Oct 9, 2012

Where the hell is my SWORD?
Grimey Drawer
I don't get pirating in a business setting. We had a pirated print to PDF program on our print server in the past (idk why) and when we migrated to a new print server people were real mad we didn't bring the pirated stuff along with

Vargatron
Apr 19, 2008

MRAZZLE DAZZLE


Our Mexico facility has zero oversight and it was they who decided to run a cracked version of Solidworks.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

wolrah posted:

There's a long-running thread on the Ubiquiti forums with people asking for MAC filtering who are unwilling to accept that it's drat close to meaningless.

That's probably the least bad reason I've ever heard. I still don't really see what difference it'd make over just having the users not be told the password to the Toys network, but at least it is a logically sound plan that actually works as intended.

Oh we don't tell them the password either, this way really just avoids questions about it.

BallerBallerDillz
Jun 11, 2009

Cock, Rules, Everything, Around, Me
Scratchmo

wolrah posted:

There's a long-running thread on the Ubiquiti forums with people asking for MAC filtering who are unwilling to accept that it's drat close to meaningless.

Have a quick link that explains this well? I know it's trivial to spoof MAC addresses but wouldn't you still need to know what MACs are allowed? You'd be able to see the traffic for wifi but for wired connections it would be harder to determine.

Aunt Beth
Feb 24, 2006

Baby, you're ready!
Grimey Drawer

Vargatron posted:

Our Mexico facility has zero oversight and it was they who decided to run a cracked version of Solidworks.

Build the (fire)wall! :fsmug:

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof
We were finally able to hire somebody!

He got the grand tour Monday. I had a chance to get him all set up yesterday. He seemed like he's going to be very good here and pick things up quickly.

Today he quit; accepted a counter offer from his previous job.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

wolrah posted:

Potentially yes, though with how commonly that bit of "advice" is repeated in all sorts of "How to Secure your WiFi" guides I wouldn't necessarily assume there was anything truly interesting there.

What it definitely does say though is that someone who makes decisions about this network does not actually understand it and follows cargo cult "security" techniques.

I never suggested hiding the SSID was a security measure? This whole hypothetical has gotten really out of hand.

If a department came into my office and said they bought a bunch of raspberry pis for TV displays, my answer isn't going to be "No" like some smug rear end in a top hat who doesn't want to be helpful. My answer is to approach it as a new project, look at the solution from top to bottom, and get it scheduled within the timeline of current projects and resources. I would create a separate SSID on a VLAN that is sectioned off from the domain network, and if they need access to anything domain-related, I would gather the requirements of what they need and how they plan to get it. It's not hard to use ACLs both on the network and the server resource to allow specific access, but it should absolutely be vetted and documented by IT. I suggested hiding the SSID purely to avoid questions of "what's this network?!?" by C-levels and then having to do a deep-dive with them on how the whole thing works. Better to avoid the spotlight entirely.

The ultimate answer to the department is "yes, but we're going to do this the right way and document everything that goes into this setup."

Internet Explorer
Jun 1, 2005





Judge Schnoopy posted:

The ultimate answer to the department is "yes, but we're going to do this the right way and document everything that goes into this setup."

i'd love to see you when you get to a real shop brah
~~~*360 noscope in my cloud*~~~

Thanks Ants
May 21, 2004

#essereFerrari


Don't put stuff on Wi-Fi that isn't going to move around and has an Ethernet jack on it.

Proteus Jones
Feb 28, 2013



96 Port Hub posted:

Have a quick link that explains this well? I know it's trivial to spoof MAC addresses but wouldn't you still need to know what MACs are allowed? You'd be able to see the traffic for wifi but for wired connections it would be harder to determine.

The MAC filtering we're talking about are blacklists.

If you're looking at whitelists, you're better off implementing 802.1x (like EAP-TLS).

H110Hawk
Dec 28, 2006

Proteus Jones posted:

The MAC filtering we're talking about are blacklists.

If you're looking at whitelists, you're better off implementing 802.1x (like EAP-TLS).

My eyes glazed over several pages back. Isn't this talking about MAC-sec as the fallback for 802.1x for things like printers? You set up the printer's port to be default mac-sec into the printer vlan that allows keep-state connections to the printer for printing, or similar, and nothing back.

stevewm
May 10, 2005

96 Port Hub posted:

Have a quick link that explains this well? I know it's trivial to spoof MAC addresses but wouldn't you still need to know what MACs are allowed? You'd be able to see the traffic for wifi but for wired connections it would be harder to determine.

802.11 management frames are sent in the clear. One of these in particular, the probe request, will have the sender's MAC address. There are many tools that can watch this traffic and give you a nice list of client MAC addresses that are associated with a given network.

There does appear to be an 802.11 extension that encrypts management frames, however it does not appear to be widely supported, and the probe request is still sent in the clear (it kinda has to be!)


Edit: I used to mess around with cracking WEP networks and WPA networks that had WPS enabled. It was amazing how quickly WEP could be cracked. You only needed to capture a few MB of data and it would crack it within minutes. WPS took a few hours of capturing packets, but it would ALWAYS work. Pretty sure by now they have come up with new methods that are even faster.

stevewm fucked around with this message at 19:54 on Apr 18, 2018
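
What the posts above describe about non-beaconing networks and client MACs in management frames, as an added example that is not part of any post in the thread: a parser over constructed 802.11 management frames that shows which frame types still carry the network name and the sender's MAC in the clear when the beacon's SSID is blank. The frame bytes, MAC addresses and the name `ExampleToys` are constructed, and `parse_mgmt`, `audit` and `build` are illustrative names.

```python
import struct

# Management-frame subtypes that carry an SSID element, mapped to
# (name, number of fixed-field bytes between the 24-byte header and the elements).
SUBTYPES = {0: ("assoc-req", 4), 2: ("reassoc-req", 10), 4: ("probe-req", 0),
            5: ("probe-resp", 12), 8: ("beacon", 12)}
CLIENT_SENT = {"assoc-req", "reassoc-req", "probe-req"}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Parse one 802.11 management frame (no radiotap header, no FCS).

    Returns {"subtype", "src", "ssid"} or None if the frame is not one of SUBTYPES.
    ssid is "" for a zero-length or all-zero SSID and None if no SSID element exists."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if fc & 0x03 != 0 or (fc >> 2) & 0x03 != 0:   # protocol version 0, type 0 = management
        return None
    if (fc >> 4) not in SUBTYPES:
        return None
    name, fixed = SUBTYPES[fc >> 4]
    ssid, pos = None, 24 + fixed
    while pos + 2 <= len(frame):                  # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:                      # truncated element: stop parsing
            break
        if eid == 0:                              # element ID 0 = SSID
            ssid = body.decode("utf-8", "replace") if body.strip(b"\x00") else ""
            break
        pos += 2 + elen
    return {"subtype": name, "src": fmt_mac(frame[10:16]), "ssid": ssid}

def audit(frames):
    """For each network name seen in clear, list the frame subtypes that carried it
    and the client MACs that sent it."""
    seen = {}
    for frame in frames:
        info = parse_mgmt(frame)
        if info is None or not info["ssid"]:
            continue
        entry = seen.setdefault(info["ssid"], {"subtypes": set(), "clients": set()})
        entry["subtypes"].add(info["subtype"])
        if info["subtype"] in CLIENT_SENT:
            entry["clients"].add(info["src"])
    return seen

def build(subtype, dst, src, bssid, fixed_len, ssid):
    """Construct a minimal test frame: header, zeroed fixed fields, one SSID element."""
    header = struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"
    return header + bytes(fixed_len) + bytes([0, len(ssid)]) + ssid

# Constructed sample traffic (locally administered MACs, made-up network name).
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("0200000000aa")
BCAST = b"\xff" * 6
SAMPLE = [
    build(8, BCAST, AP, AP, 12, b""),                   # beacon from the "hidden" AP
    build(4, BCAST, CLIENT, BCAST, 0, b"ExampleToys"),  # client looking for its saved network
    build(5, CLIENT, AP, AP, 12, b"ExampleToys"),       # AP answering the probe
    build(0, AP, CLIENT, AP, 4, b"ExampleToys"),        # client associating
]

if __name__ == "__main__":
    print(parse_mgmt(SAMPLE[0]))
    for name, entry in audit(SAMPLE).items():
        print(name, sorted(entry["subtypes"]), sorted(entry["clients"]))
```

Only the beacon has an empty SSID; the probe request, probe response and association request all name the network, and the client-sent frames also expose the client's MAC.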

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

Internet Explorer posted:

~~~*360 noscope in my butt*~~~

never giving up this extension

Proteus Jones
Feb 28, 2013



H110Hawk posted:

My eyes glazed over several pages back. Isn't this talking about MAC-sec as the fallback for 802.1x for things like printers? You setup the printers port to be default mac-sec into the printer vlan that allows keep-state connections to the printer for printing, or similar, and nothing back.

For wireless it works a little different. You're not doing port authentication at the switch.

802.1x in a wireless context involves a supplicant, an authenticator and an authentication server. The authenticator is typically the AP or Wireless Controller. Your authentication server is going to be something like a RADIUS service or maybe a Kerberos service.

If you're going that route, then rather than WPA2-PSK, you'll be doing some sort of WPA2-EAP for authentication. And if you're going to do that, EAP-TLS is the way to go since WPA-PEAP uses MSCHAPv2 and you're better off using a PSK at that point. But EAP-TLS requires generating and distributing a client cert, which isn't a huge deal with the right infrastructure, but there are plenty of companies that just go "eh" and use PSK.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




GreenNight posted:

We got a dozen of these in. Let me know what else you think. Half our users are getting an annoying BSOD and I can't figure out why.

Oh great. Our Windows engineering group just started on adding G5 support for the standard image.

Our tech refresh group is going to have a busy summer, there are 6-8000 G1s on campus, all overdue for refresh.

KS
Jun 10, 2003
Outrageous Lumpwad
Yeah, I'm getting some BSODs out of sleep as well. Laptop resets instead of resumes.

I really can't get over the breaking of shift-home and shift-end though. Argh. Not ordering any more.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

For some of our users, when they shut down it BSODs, then autoruns the repair wizard on next boot. It only happens maybe 40% of the time.

The Fool
Oct 16, 2003


Some of my elite books had these issues and it was resolved by updates to the intel management engine.

Walked
Apr 14, 2003

Just flew across the country from MD to Bellevue, WA for an interview; landed at 1130pm local time (2:30am my time), threw up from a terrible migraine before bed, woke up at 6 for a 6hr interview, and took an Uber straight from the interview to the airport.

Now I take a red-eye home.

What a long rear end haze of 2 days.

Given the shape I am in, I am not sure if I'm delirious or aced it but I walked out feeling decent so that's the best I can hope for. :unsmith:

CaptainJuan
Oct 15, 2008

Thick. Juicy. Tender.

Imagine cutting into a Barry White Song.
I am realizing my job is not really all that secure. We are offloading a bunch of new client configuration onto the implementation team, desktop support could handle the internal user support I do, product managers could handle the "hey CaptainJuan how does our software work" stuff, QA could handle the bug tracking stuff... Plus we got a new c-level who I think might be an rear end in a top hat. So we will see.

Fortunately I have an interview tomorrow so i guess I'll just have to leave before they make me redundant :)

Internet Explorer
Jun 1, 2005





Walked posted:

Just flew across the country from MD to Bellevue, WA for an interview; landed at 1130pm local time (2:30am my time), threw up from a terrible migraine before bed, woke up at 6 for a 6hr interview, and took an Uber straight from the interview to the airport.

Now I take a red-eye home.

What a long rear end haze of 2 days.

Given the shape I am in, I am not sure if I'm delirious or aced it but I walked out feeling decent so that's the best I can hope for. :unsmith:

As a fellow migraine haver and a fellow "traveling for work" migraine haver you have my sympathies. Nothing worse.

H110Hawk
Dec 28, 2006

Proteus Jones posted:

For wireless it works a little different. You're not doing port authentication at the switch.

I thought the leap to wireless, and WEP/802.11b era MAC filtering was a mistake. Oops.


Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

GnarlyCharlie4u posted:

We were finally able to hire somebody!

He got the grand tour Monday. I had a chance to get him all set up yesterday. He seemed like he's going to be very good here and pick things up quickly.

Today he quit; accepted a counter offer from his previous job.

This got overlooked but :lol: sorry that happened to you.

Must've been a hell of an offer or you guys are quite dysfunctional.

I've been put in charge as leading a few projects here but my boss's boss keeps referring me to people and using their short name like I will understand who these people are in a company of thousands of which I interact with 3 or 4. Like dude tell me their full loving name I just started.
