Thanks Ants
May 21, 2004

#essereFerrari


If you're an MSP then that means you're probably a Microsoft Partner, so there's a good reason there not to be seen endorsing any sort of license violation.

In the situation they are in they might be better off seeing if they qualify for Office volume licenses through Techsoup rather than trying to license it via dodgy usage of Office 365.


jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Anyone want to go be a lumberjack with me? Trees don’t page you if they’re not cut down. If you hate a tree you can just cut it down.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Ice road truckers. That can be us.

Impotence
Nov 8, 2010
Lipstick Apathy
severity 1 page: tree next to your mountain cabin is covered in ice, and about to collapse onto your mountain cabin

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

jaegerx posted:

Anyone want to go be a lumberjack with me? Trees don’t page you if they’re not cut down. If you hate a tree you can just cut it down.
The guys at my last job referred to me as Lumbersexual.
It wasn't baseless. I do love me some nice flannel and jeans, and beanies and occasionally suspenders.
...also my truck bed almost always had branches or log rounds in it. Plus the chainsaw, and some wedges, a sledge and a maul. The axe stayed in the cab with me.
Anywho, you just never know when you're gonna find a downed tree in your path. Might as well make firewood out of it.

Butter Activities
May 4, 2018

At least on the user end in nursing we have to share passwords sometimes because of a combination of factors.

First our medical records system now requires a 16 digit complex password that you have to input every. single. time. you want to put in vitals, update a note, etc. So every minute or so you’re typing it in.

So you’re gonna use this password a whole lot, at least dozens if not hundreds of times in a shift. Oh but guess what, put your 16 digit complex password in wrong 3 times and your account locks.

Now finally, the most ridiculous thing. Our helpdesk never returns messages in a timely manner (days) and if you manage to learn the not posted anywhere direct phone number they leave you on hold for about 30 minutes to 3-4 hours. Probably about an hour on average. Hope you don’t have to do any nursing during that time because they’ll hang up if you don’t immediately answer!

Since covid things have gotten even more busy and all the people who are supposed to be giving us access to stuff have stopped doing their jobs so we have dwindling access to other stuff like our med dispenser and glucometer which require an account as well. So those have to get shared too.

So either you effectively lose a nurse for at least half a shift or share accounts. And we just can’t afford that.

Not to excuse the willfully ignorant but often lovely management and badly thought out security policy essentially forces bad security behavior on the user end.

ghostinmyshell
Sep 17, 2004



I am very particular about biscuits, I'll have you know.
If you can make sure your dept members get the vaccines on different days, otherwise you wind up like we did with 90% of us out for the last couple of days due to side effects. Thankfully management stepped in and told people to chill the gently caress out about their keyboard problems and only worry about real emergencies.

bus hustler
Mar 14, 2019

Ha Ha Ha... YES!

GnarlyCharlie4u posted:

The guys at my last job referred to me as Lumbersexual.
It wasn't baseless. I do love me some nice flannel and jeans, and beanies and occasionally suspenders.
...also my truck bed almost always had branches or log rounds in it. Plus the chainsaw, and some wedges, a sledge and a maul. The axe stayed in the cab with me.
Anywho, you just never know when you're gonna find a downed tree in your path. Might as well make firewood out of it.


I was hiking in the fall this past year and some guy biked past me wearing a chainsaw backpack to go do some trail maintenance. My new hero.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

bus hustler posted:

I was hiking in the fall this past year and some guy biked past me wearing a chainsaw backpack to go do some trail maintenance. My new hero.

Park Rangers generally don't take too kind to me hiking with a chainsaw and a felling axe. Inevitably I get stopped and questioned.
It's always an odd conversation when someone asks what I do for a living and the answer isn't "poaching dead felled wood from neglected trails."

Impotence
Nov 8, 2010
Lipstick Apathy

SMEGMA_MAIL posted:

At least on the user end in nursing we have to share passwords sometimes because of a combination of factors.

First our medical records system now requires a 16 digit complex password that you have to input every. single. time. you want to put in vitals, update a note, etc. So every minute or so you’re typing it in.

So you’re gonna use this password a whole lot, at least dozens if not hundreds of times in a shift. Oh but guess what, put your 16 digit complex password in wrong 3 times and your account locks.

Now finally, the most ridiculous thing. Our helpdesk never returns messages in a timely manner (days) and if you manage to learn the not posted anywhere direct phone number they leave you on hold for about 30 minutes to 3-4 hours. Probably about an hour on average. Hope you don’t have to do any nursing during that time because they’ll hang up if you don’t immediately answer!

Since covid things have gotten even more busy and all the people who are supposed to be giving us access to stuff have stopped doing their jobs so we have dwindling access to other stuff like our med dispenser and glucometer which require an account as well. So those have to get shared too.

So either you effectively lose a nurse for at least half a shift or share accounts. And we just can’t afford that.

Not to excuse the willfully ignorant but often lovely management and badly thought out security policy essentially forces bad security behavior on the user end.

I'm curious, how would an easier to access thing work here? Write-only records, easier passwords combined with no reading from the file, other than some unique random number you can match up with the patient's bed? Issue everyone a hardened washable yubikey-equivalent that would do a u2f-equivalent handshake on touch (+ works through gloves), but that's obviously somewhat reasonable and modern which means it's almost certainly going to be incompatible with whatever horrendous backend that probably also drops everything after the first 8 characters of a password?

Butter Activities
May 4, 2018

Biowarfare posted:

I'm curious, how would an easier to access thing work here? Write-only records, easier passwords combined with no reading from the file, other than some unique random number you can match up with the patient's bed? Issue everyone a hardened washable yubikey-equivalent that would do a u2f-equivalent handshake on touch (+ works through gloves), but that's obviously somewhat reasonable and modern which means it's almost certainly going to be incompatible with whatever horrendous backend that probably also drops everything after the first 8 characters of a password?

I feel like the obvious solution is for IT to answer the phone. Alternatively, just going back to allowing 8 character passwords. It's not like you can brute force it since it locks after 3 times.

Alternatively, if that can't be done, a 16 digit complex passcode that has to be typed in repeatedly throughout the shift, especially when you're in a hurry, that locks if you err 3 times in a row is not a reasonable situation you can expect users to not work around to get their job done. Either the software needs to only require the password after a certain amount of inactivity or change the password policy.

DOD (this is a DOD hospital) already does 2FA to log into the computers, funny enough.

The point I'm making is that a lot of "user education" or compliance issues are forced errors. We already know we're not supposed to do that, but if we complain or try to fix it the problem just gets deferred a day or we get ignored. If people are widely sharing passwords and accounts just to get their job done, that's a failure of the system, not the user, and I think a good security policy would be to investigate why.

This being the military, that will never happen lol.

Butter Activities fucked around with this message at 10:55 on Mar 7, 2021

palindrome
Feb 3, 2020

I once called my ISP during a harsh winter, and the automated message stated something like, "We are aware of the outage, we have dispatched technicians on snowmobiles to address the issue."

That was pretty lol but I like to imagine snowmobile-mounted network techs speeding toward a rural mountaintop to power cycle APs or something.

Neddy Seagoon
Oct 12, 2012

"Hi Everybody!"

palindrome posted:

I once called my ISP during a harsh winter, and the automated message stated something like, "We are aware of the outage, we have dispatched technicians on snowmobiles to address the issue."

That was pretty lol but I like to imagine snowmobile-mounted network techs speeding toward a rural mountaintop to power cycle APs or something.

You know it's a good outage when they give a blunt answer like that instead of customer-language vagaries like "technicians are en route, ETA x hours".

The best one I've seen is an official response from a vendor that was filtered from the onsite technicians, to their NOC, to us, of "Monster Rats" as the cause of a fibre break.

DelphiAegis
Jun 21, 2010
The last time I was in the local hospital, they always logged into Epic to do their charting/whatever via a badge swipe system. I know currently hospitals (Especially in the US) are reticent to spend any money on a new system/training, but surely with a required 16-character password that locks after 3 tries and SERIOUS HIPAA violation potential, the short term costs don't even come close to outweighing the benefits of such a system?

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

palindrome posted:

I once called my ISP during a harsh winter, and the automated message stated something like, "We are aware of the outage, we have dispatched technicians on snowmobiles to address the issue."

That was pretty lol but I like to imagine snowmobile-mounted network techs speeding toward a rural mountaintop to power cycle APs or something.

This is 100% a standard message in the NE Kingdom area of VT. I can't prove it but I feel it in my soul.

Cao Ni Ma
May 25, 2010



My boss just up and quit without any warning on us after weeks of him trying to push back on our regional HQ on getting a domain migration done ASAP. My supervisor called in everyone in the section to be present on Monday in the office so that's like 7 people in a relatively small office. We are supposed to get like 1000 devices migrated to the new domain in 2 weeks and they pretty much have to be done without any major migration tools so I hope that our admin crew was able to at least get some of it automated through scripts to push through SCCM.

This was basically my wakeup call to not be picky with locations for my next move. I've applied to like 10 different positions and I'll jump ship with the first one that tells me if I'm interested in joining them.

Docjowles
Apr 9, 2009

palindrome posted:

I once called my ISP during a harsh winter, and the automated message stated something like, "We are aware of the outage, we have dispatched technicians on snowmobiles to address the issue."

That was pretty lol but I like to imagine snowmobile-mounted network techs speeding toward a rural mountaintop to power cycle APs or something.

I used to work at a WISP servicing rural Colorado and this was literally a thing heh. We had tower sites way the gently caress up on mountain tops that were entirely inaccessible for a month or two of the year, and required a snowcat to reach the rest of the time. Those field techs had a lot of good stories.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

DelphiAegis posted:

The last time I was in the local hospital, they always logged into Epic to do their charting/whatever via a badge swipe system. I know currently hospitals (Especially in the US) are reticent to spend any money on a new system/training, but surely with a required 16-character password that locks after 3 tries and SERIOUS HIPAA violation potential, the short term costs don't even come close to outweighing the benefits of such a system?

We have a generic logon for shared computers like that. No password lockout, everyone is told the password when they are hired. They have their own logon to the EMR, though.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Bob Morales posted:

We have a generic logon for shared computers like that. No password lockout, everyone is told the password when they are hired. They have their own logon to the EMR, though.

Our security guys have been pushing migrating these to a Windows Hello PIN instead of a password. Supposedly that's more secure? I don't know.

The Fool
Oct 16, 2003


GreenNight posted:

Our security guys have been pushing migrating these to a Windows Hello PIN instead of a password. Supposedly that's more secure? I don't know.

PIN is device only, so you could theoretically set a strong password on the account, not give it to anyone and preconfigure a pin for everyone to use on that workstation.

Still dumb, but it does lower the threat profile a bit if you don’t have any other options.

vanity slug
Jul 20, 2010

We went the opposite route and enforced using our AD account password on our Macbooks. So much for using a complex password.

The Fool
Oct 16, 2003


AD passwords can be plenty complex. Unless there's an issue with macOS support for ldap/ad auth, in which case: lol

SlowBloke
Aug 14, 2017

GreenNight posted:

Our security guys have been pushing migrating these to a Windows Hello PIN instead of a password. Supposedly that's more secure? I don't know.

Windows hello data is bound to TPM so it’s not just an extra row in SAM. Their hierarchy of MFA safety is ms authenticator special otp mode>fido2 key>hello biometrics>hello pin>conventional otp>nothing.

Operationally it lets you enforce stupid complex passwords as the commonly used one is a four- to six-digit sequence

SlowBloke fucked around with this message at 21:13 on Mar 7, 2021

Proteus Jones
Feb 28, 2013



Question for the thread:

I have a client that got dinged on a PCI audit for their SSL VPN certificate CN not matching the host. But not exactly.

If a session is initiated via FQDN, everything is copacetic. FQDN = CN

However, if session is initiated via public IP address, failure.

I've figured out the why. For some reason (before I was brought in to look at it), they use a dynamic dns service to map the hostname to the IP (I guess it was a DHCP address once upon a time). That being the case, there's no PTR for the IP to point back at the client's hostname. Instead it points to the ISP's entry for that IP. Hence the failure on the PCI audit.

My question is how is this best fixed? Do I have them work with the ISP for DNS? Work with who they registered their domain with (GoDaddy)? These are all local offices, with only inbound VPN listening, a single static IP and no other hosts.

Impotence
Nov 8, 2010
Lipstick Apathy
Do you mean CN or do you mean X509 SAN? I was under the impression that CN has been deprecated since the 90s on certificates.

For anything PTR related: ISP controls it, talk to them

Proteus Jones
Feb 28, 2013



Biowarfare posted:

Do you mean CN or do you mean X509 SAN? I was under the impression that CN has been deprecated since the 90s on certificates.

For anything PTR related: ISP controls it, talk to them

Sorry, I meant CN as in the Common Name field of the certificate.

OK, that's about what I figured. Thanks.

Woof Blitzer
Dec 29, 2012

Good: may be getting stock options in the Fall.
Bad: we are moving to hybrid work locations which means the rear end sweat in the chair will not be mine.
Ugly: I lost my sheep pincushion that was on my old desk.

Impotence
Nov 8, 2010
Lipstick Apathy

Proteus Jones posted:

Sorry, I meant CN as in the Common Name field of the certificate.

I wasn't even aware this was still a thing, SSL certs that only contain a CN don't even work in browsers. I usually just see a completely ignored, unrelated hostname or the first hostname on the cert in the CN field.

Paladine_PSoT
Jan 2, 2010

If you have a problem Yo, I'll solve it

Question for the hivemind:

How deep can/have you nest(ed) VMs?

Yes, I realize this becomes a "Why?" question after like 2 levels, but let's ignore that and just embrace the theory chaos.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

How deep can a dream within a dream go?

Proteus Jones
Feb 28, 2013



Biowarfare posted:

I wasn't even aware this was still a thing, SSL certs that only contain a CN don't even work in browsers. I usually just see a completely ignored, unrelated hostname or the first hostname on the cert in the CN field.



I guess I'm not understanding what you're talking about?

If that CN doesn't match, you get that pop up where you need to either "continue anyway" or hit the get me the gently caress outta here button. (this is just an example, not the host in question). Now granted that's the bare minimum for the Subject Name section in the cert (usually you'll see more info like company name and country and locality)

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Paladine_PSoT posted:

Question for the hivemind:

How deep can/have you nest(ed) VMs?

Yes, I realize this becomes a "Why?" question after like 2 levels, but let's ignore that and just embrace the theory chaos.

No

Impotence
Nov 8, 2010
Lipstick Apathy

Proteus Jones posted:



I guess I'm not understanding what you're talking about?

If that CN doesn't match, you get that pop up where you need to either "continue anyway" or hit the get me the gently caress outta here button. (this is just an example, not the host in question). Now granted that's the bare minimum for the Subject Name section in the cert (usually you'll see more info like company name and country and locality)

This is unrelated to your PCI thing, but

Browsers actually look here and disregard the Common Name:


If you do not have a Subject Alternative Name, but you have a valid CN - even if the CN matches - your cert is not valid.

Proteus Jones
Feb 28, 2013



Biowarfare posted:

This is unrelated to your PCI thing, but

Browsers actually look here and disregard the Common Name:


If you do not have a Subject Alternative Name, but you have a valid CN - even if the CN matches - your cert is not valid.


Ah, I see what you're saying. PCI (or at least this audit) specifically calls out the "Common Name" as in "SSL Certificate Common Name Does Not Validate (External Scan)" when connecting via IP address directly. The reverse lookup in this specific case doesn't match since the PTR record is for the ISP's naming for that IP.

Thanks, learned something new in regards to Alt Names.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Paladine_PSoT posted:

Question for the hivemind:

How deep can/have you nest(ed) VMs?

Yes, I realize this becomes a "Why?" question after like 2 levels, but let's ignore that and just embrace the theory chaos.

https://youtu.be/maO7h9PIKQk

Me hitting that 4th level of nested VT-D

WHYS THE SYSTEM TIME SO SLOW!?!?

Spring Heeled Jack
Feb 25, 2007

If you can read this you can read
4 hours post-interview and I still feel like throwing up.

I literally can’t think of anything else worse than interviewing for a job.

EoRaptor
Sep 13, 2003

by Fluffdaddy

Spring Heeled Jack posted:

4 hours post interview and I still feel like throwing up.

I literally can’t think of anything else worse than interviewing for a job.

Being cross examined in court

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




Not being interviewed for a job ?

Thanks Ants
May 21, 2004

#essereFerrari


Proteus Jones posted:

Ah, I see what you're saying. PCI (or at least this audit) specifically calls out the "Common Name" as in "SSL Certificate Common Name Does Not Validate (External Scan)" when connecting via IP address directly. The reverse lookup in this specific case doesn't match since the PTR record is for the ISP's naming for that IP.

Thanks, learned something new in regards to Alt Names.

Someone please correct me if I have the wrong end of this, but I wasn't aware that the PTR was verified when doing any sort of TLS checking, and it would be impossible to do when using load balancers, reverse proxies, cloud firewalls etc. anyway.

Is the audit scan complaining that when connecting via the IP address they set an invalid certificate error? Because I've always seen that as normal. Do they want the IP address as a subject in the cert?
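To make the two points above concrete (Biowarfare's "browsers look at the SAN and disregard the Common Name", and the question of whether the IP address needs to be a subject in the cert), here is an added example that is not from any poster in the thread. It uses Go's standard crypto/x509, which applies the same SAN-only rule modern browsers do, to build three throwaway self-signed certificates and check each against a connection by FQDN and by IP literal. The hostname vpn.example.com and the address 203.0.113.10 are constructed placeholders, not the client's real host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed placeholder values: an example VPN hostname and a TEST-NET-3 address.
const (
	vpnHost = "vpn.example.com"
	vpnIP   = "203.0.113.10"
)

// selfSigned builds a throwaway self-signed certificate with the given Common Name,
// DNS SANs and IP SANs. Only the name fields matter for this demonstration; the
// key pair is generated per call and discarded.
func selfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // becomes the Subject Alternative Name extension
		IPAddresses:  ips,      // IP SAN entries, required for connections by IP literal
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches reports whether cert is valid for the name or IP literal the client
// connected with. crypto/x509 consults only the SAN extension; the Common Name is
// never used for matching, which is the rule browsers follow too.
func NameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// Results checks three certificate shapes (CN only; CN plus DNS SAN; CN plus DNS
// and IP SAN) against a connection by FQDN and by IP, and returns which validate.
func Results() (map[string]bool, error) {
	cnOnly, err := selfSigned(vpnHost, nil, nil)
	if err != nil {
		return nil, err
	}
	dnsSAN, err := selfSigned(vpnHost, []string{vpnHost}, nil)
	if err != nil {
		return nil, err
	}
	dnsAndIPSAN, err := selfSigned(vpnHost, []string{vpnHost}, []net.IP{net.ParseIP(vpnIP)})
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"cn-only/fqdn":    NameMatches(cnOnly, vpnHost),
		"cn-only/ip":      NameMatches(cnOnly, vpnIP),
		"dns-san/fqdn":    NameMatches(dnsSAN, vpnHost),
		"dns-san/ip":      NameMatches(dnsSAN, vpnIP),
		"dns+ip-san/fqdn": NameMatches(dnsAndIPSAN, vpnHost),
		"dns+ip-san/ip":   NameMatches(dnsAndIPSAN, vpnIP),
	}, nil
}

func main() {
	r, err := Results()
	if err != nil {
		panic(err)
	}
	order := []string{"cn-only/fqdn", "cn-only/ip", "dns-san/fqdn", "dns-san/ip", "dns+ip-san/fqdn", "dns+ip-san/ip"}
	for _, k := range order {
		fmt.Printf("%-16s valid=%v\n", k, r[k])
	}
}
```

Running it shows the CN-only certificate failing even though the CN matches the FQDN exactly, the DNS-SAN certificate passing by FQDN but failing by IP, and only the certificate carrying an IP SAN passing both ways. Nothing here does a reverse (PTR) lookup; the matching is purely between what the client typed and what is in the SAN extension, which is consistent with the cert-error-when-connecting-by-IP behaviour the thread describes.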


uhhhhahhhhohahhh
Oct 9, 2012

Thanks Ants posted:

Someone please correct me if I have the wrong end of this, but I wasn't aware that the PTR was verified when doing any sort of TLS checking, and it would be impossible to do when using load balancers, reverse proxies, cloud firewalls etc. anyway.

Is the audit scan complaining that when connecting via the IP address they set an invalid certificate error? Because I've always seen that as normal. Do they want the IP address as a subject in the cert?

Yeah you're right, the certs don't do any reverse lookup. I was thinking the same as you regarding the IP as a SAN, but I think their PCI failure was the auditors doing something like a nslookup on the IP and not getting the FQDN back rather than them actually trying to connect and getting a cert error?
