|
YOSPOS › Security Fuckup Megathread - v17.1a - motherfuckers act like they forgot about jre
|
#
?
Mar 28, 2019 05:46
|
|
|
|
| # ? May 9, 2024 06:10 |
|
|
Office depot got nailed for tricking customers into buying magic antivirus software to the tune of $35 millionquote:From at least 2009 to November 2016, Office Depot, Inc. [...] made misrepresentations to consumers regarding the security of their computers. Support.com provided the Office Depot Companies with the “PC Health Check Program,” a software program designed as a sales tool to convince consumers to purchase diagnostic and repair services. Defendants advertised the PC Health Check Program to consumers as a free service that purportedly diagnosed consumers’ computers for security problems and performance issues, including scanning the computer for viruses. lol exhibit A:  https://www.ftc.gov/enforcement/cases-proceedings/172-3023/office-depot-inc
|
|
#
?
Mar 28, 2019 19:14
|
|
|
COACHS SPORT BAR posted:Office depot got nailed for tricking customers into buying magic antivirus software to the tune of $35 million Malware detected, for example, the application showing you this message. They're not technically wrong I guess
|
|
#
?
Mar 28, 2019 19:38
|
|
|
quote:ID: CVE-2019-9977 What's old is new again 
|
|
#
?
Mar 28, 2019 21:24
|
|
|
ErIog posted:Thirding this. All configuration is a transition from some state to another state, and the concept of idempotence with regard to configuration just seems like either pretending the starting state doesn't exist or implicitly assuming a known clean starting state. I like Ansible for configuration automation, but the idempotent paradigm is stupid and I don't use it. I thought I was stupid or that I must have been using Ansible wrong. I may still be stupid, but it seems pretty clear to me after a few years of using it that Ansible itself misunderstands the nature of their own project. it seems to me that a key part of Ansible is to discourage people writing their own code, evidenced by the plugin system that actually works perfectly well but is completely 100% undocumented. I used ansible for a bit over two years and I went back to shell/python scripts because it's just easier by every possible metric. The real massive win for me was, during that time, becoming comfortable with CD and various tooling to accomplish that.
|
|
#
?
Mar 28, 2019 22:15
|
|
|
abigserve posted:it seems to me that a key part of Ansible is to discourage people writing their own code, evidenced by the plugin system that actually works perfectly well but is completely 100% undocumented. I think that is a key part of Ansible, and I think that's probably actually good considering how many people would absolutely gently caress up implementing the basic features of many of the most-used modules if they had to write their own shell/Python scripts.
|
|
#
?
Mar 29, 2019 00:53
|
|
|
you aren't wrong but the issue I found was that you still run into the same logic issues you would coding it but ansible doesn't give you many ways to resolve them without it becoming unreadable people are cooling off on ansible in a big way as well, everyone I know that was all over it 1-2 years ago have ditched it or are actively looking for alternatives
|
|
#
?
Mar 29, 2019 01:11
|
|
|
I wrote our last (present but rapidly going away) deployment system with ansible and I absolutely hate it. I'm probably an idiot for generating ansible manifests with an ERB template, but the Ansible part still sucks. Now I'm being extremely 2019 and just doing everything in Kubernetes
|
|
#
?
Mar 29, 2019 01:21
|
|
|
This is a gold mine: https://np.reddit.com/r/sysadmin/comments/b6hhrn/software_vendor_vpns_dont_work_and_public_facing/ quote:nmap caliach.com http://www.caliach.com/caliach/support/knowledge/sql/0015.html quote:The server MUST allow us to enter with Remote Desktop AS THE
|
|
#
?
Mar 29, 2019 01:34
|
|
|
fuckin lmao clowns: "hi, we're about to install some ERP software on your network. we need a windows server with outbound filesharing, rdp, and SQL ports." IT people: "Uh what? no? That's hideously insecure and a terrible idea" clowns: "goddamn time wasting IT staff!! Why is it the same story with every single customer!!! Nothing but time wasters!!!"
|
|
#
?
Mar 29, 2019 01:46
|
|
|
You missed the best partquote:If you are unsure if your Server or Firewall have these capabilities, please check with
|
|
#
?
Mar 29, 2019 02:42
|
|
|
no token ring
|
|
#
?
Mar 29, 2019 02:52
|
|
|
That's some of the worst poo poo and worst attitude ever
|
|
#
?
Mar 29, 2019 03:55
|
|
|
Chris Knight posted:no token ring it's right there on the left (c/o Soricidus)
|
|
#
?
Mar 29, 2019 06:24
|
|
|
The Fool posted:This is a gold mine: This entire website reads like a Trump campaign speech.
|
|
#
?
Mar 29, 2019 07:56
|
|
|
Captain Foo posted:That's some of the worst poo poo and worst attitude ever I like the inappropriate question marks, reads like annoying interrogative tone you know???
|
|
#
?
Mar 29, 2019 08:49
|
|
|
Krankenstyle posted:I like the inappropriate question marks, reads like annoying interrogative tone you know??? it just makes it sound like they're really confused we don't want to invoice you for wasting our time? i thought we did!
|
|
#
?
Mar 29, 2019 09:10
|
|
|
secure network, no inbound RDP. Oh these IT timewasters got this all screwed up Secure network? No, inbound RDP!
|
|
#
?
Mar 29, 2019 09:14
|
|
|
|
|
#
?
Mar 29, 2019 09:29
|
|
|
abigserve posted:
|
|
#
?
Mar 29, 2019 10:33
|
|
|
secfuck thread on fire lately
|
|
#
?
Mar 29, 2019 11:19
|
|
|
offer them inbound x11 instead
|
|
#
?
Mar 29, 2019 12:25
|
|
|
offer them some sort of contrived web app but fail to add certificates
|
|
#
?
Mar 29, 2019 12:26
|
|
|
abigserve posted:Secure network? No, inbound RDP!
|
|
#
?
Mar 29, 2019 13:13
|
|
|
i've now started getting those "oo look i have your old password therefore i hacked you!!" spam emails except to accounts where they don't even have my old password. it just assures me that they definitely do, pinky swear it's been fun to watch this kind of spam slowly transform over time into the most  version possible i guess
|
|
#
?
Mar 29, 2019 14:35
|
|
|
abigserve posted:Secure network? No, inbound RDP!
|
|
#
?
Mar 29, 2019 15:02
|
|
|
abigserve posted:Secure network? No, inbound RDP!
|
|
#
?
Mar 29, 2019 15:09
|
|
|
You'll get a VDI and you'll like it.
|
|
#
?
Mar 29, 2019 15:39
|
|
|
abigserve posted:Secure network? No, inbound RDP! I'm the Password (not important) from the openssl create script 
|
|
#
?
Mar 29, 2019 15:56
|
|
|
it's nightmares about having to work with these sorts of vendors that make me glad i got the gently caress out of IT
|
|
#
?
Mar 29, 2019 16:15
|
|
|
CommieGIR posted:You'll get a VDI and you'll like it. lol that reminds me of the last gig I was at. the customer decided to outsource a bunch of BPO stuff to Accenture (massive bastards btw, look em up re Philippines) in order to automate and streamline processes. Accenture decided to implement this with Automation Anywhere, a software package that just records and plays-back mouse+keyboard inputs, but enterprisey (why spend time and money understanding APIs and building scripted orchestration poo poo for whatever product your dealing with when you can just simulate the user interaction). despite the automation poo poo Accenture were putting in they were still employing a team of poor Filipinos working remotely to operate Automation Anywhere for some reason, probably mad profit min-maxing or some poo poo. anyway to use the AA software front-end it has to run as administrator in the context of the user executing it. at first they wanted to just put it on the Citrix environment to which we said "lol gently caress know" after weeks of back and forth with us saying "this poo poo is hosed, get it outta here" and the customer saying "yeah but we need it kay" we ended up designing and deploying an entire VDI solution solely for the Accenture drones to run AA from remotely. basically gently caress BPOs
|
|
#
?
Mar 29, 2019 16:53
|
|
|
i havent gotten any "we have your password" emails  i did get kicked off a linux iso tracker because they apparently found my password in a leak, they said to join their irc to reactivate my account so i just deleted the bookmark  theres a bunch of "trumpmedicare" ones in my spam folder for some reason
|
|
#
?
Mar 29, 2019 20:27
|
|
|
Pile Of Garbage posted:lol that reminds me of the last gig I was at. the customer decided to outsource a bunch of BPO stuff to Accenture (massive bastards btw, look em up re Philippines) in order to automate and streamline processes. Accenture decided to implement this with Automation Anywhere, a software package that just records and plays-back mouse+keyboard inputs, but enterprisey (why spend time and money understanding APIs and building scripted orchestration poo poo for whatever product your dealing with when you can just simulate the user interaction). i am having multiple running battles with this kind of poo poo because even ignoring security stuff because its 100% internal, if the thing is simple enough that you can run some "record mouse clicks" poo poo on it then it can be replaced/deleted entirely because it's probably a worthless process. like I've seen 45 page documents illustrating "process automation" that amounts to "screen scrape some data to csv and email it to someone that is gonna delete it because the content is garbage"
|
|
#
?
Mar 29, 2019 21:52
|
|
|
Accenture has +469k employees, they've min-maxed the fuckin numbers on the automation game and know exactly how much they need to do and how to make a profit. poo poo is hosed...
|
|
#
?
Mar 29, 2019 22:32
|
|
|
Pile Of Garbage posted:it's right there on the left (c/o Soricidus)  abigserve posted:Secure network? No, inbound RDP!
|
|
#
?
Mar 29, 2019 22:51
|
|
|
> why spend time and money understanding APIs and building scripted orchestration poo poo for whatever product your dealing with when you can just simulate the user interaction lol at the idea of anything that accenture is being called into automate has documented apis intended for public use. this is ENTERPRISE; nothing is designed well
|
|
#
?
Mar 29, 2019 23:55
|
|
|
they're consultants, there's no long term money in fixing a problem, only in managing it year after year after year
|
|
#
?
Mar 30, 2019 00:17
|
|
|
consider me "surprised" https://twitter.com/stephengillett/status/1111741162535026688 to be fair, no car manufacturer offers FDE in the storage on their car to the best of their knowledge. every time i rent a car i always try and reset the settings to factory because i don't want my phone to inadvertently pair to it again or have my call logs still on there. that said, i can let it slide on having dash cam footage unencrypted for insurance reasons that said, how the heck do you perform a factory reset when the car is dead? like if the batteries are fried we're not going to be going into the control panel and resetting everything to defaults because you're unlikely to get access to it. furthermore no user knows how to power on the computer post-wreckage usually and they're not going to know where to smash the NAND chips anyway
|
|
#
?
Mar 30, 2019 00:40
|
|
|
Why have persistent storage on a car at all? If the car loses power, wipe everything.
|
|
#
?
Mar 30, 2019 00:42
|
|
|
|
| # ? May 9, 2024 06:10 |
|
|
ate poo poo on live tv posted:Why have persistent storage on a car at all? If the car loses power, wipe everything. i think that it gets a bit harder these days to do that although i don't disagree. however because of the dash cam footage i personally would advocate against that and instead just make it so the data for the rest of the car is encrypted and unlocked via your car key or whatever tesla uses
|
|
#
?
Mar 30, 2019 00:45
|
|