|
BaseballPCHiker posted:Good loving lord. Now someone doesnt want to update because a change freeze was going to go into affect next week. point them towards https://www.bleepingcomputer.com/news/security/kronos-ransomware-attack-may-cause-weeks-of-hr-solutions-downtime/ and say this is going to be them, soon i don't think the https://nvd.nist.gov/vuln/detail/CVE-2019-17571 CVE is as bad since an attacker would have to netcat java objects directly into the loggers listen port which is definitely not the same as https://nvd.nist.gov/vuln/detail/CVE-2021-44228 where the logger just has to see the magic jndi string in whatever plain text string was logged by an application
|
#
?
Dec 13, 2021 19:04
|
|
|
|
| # ? May 25, 2024 06:23 |
|
|
BaseballPCHiker posted:I cant believe this company hasnt been just totally annihilated by ransomware or something yet.
|
|
#
?
Dec 13, 2021 19:08
|
|
|
BaseballPCHiker posted:Good loving lord. Now someone doesnt want to update because a change freeze was going to go into affect next week. I would say sticking with 1.x for a few weeks isn't an awful idea while you wait to see how this shakes out. As r u ready to WALK pointed out, the conditions for the 2019 CVE are pretty limited and can be confirmed easily. Log4j 2 has shown itself to have made some pretty fundamental mistakes and was pretty hastily patched. Pushing people from 1 to 2 haphazard seems a bit risky since this is potentially only the tip of the iceberg for 2. Nukelear v.2 fucked around with this message at 20:04 on Dec 13, 2021 |
|
#
?
Dec 13, 2021 20:01
|
|
|
Nukelear v.2 posted:I would say sticking with 1.x for a few weeks isn't an awful idea while you wait to see how this shakes out. As r u ready to WALK pointed out, the conditions for the 2019 CVE are pretty limited and can be confirmed easily. Yeah most of the more major CVEs were in 2.x, so some bad choices were made
|
|
#
?
Dec 13, 2021 20:18
|
|
|
evil_bunnY posted:Be the change you want to see in the world. Goddammit this made me laugh way too hard
|
|
#
?
Dec 13, 2021 21:00
|
|
|
Most of the time being on salary is a Good Thing for me, since no one cares if I pop off early on a regular basis as long as my stuff is getting done. This weekend...oof. Really would'a make a nice overtime check.
|
|
#
?
Dec 13, 2021 21:46
|
|
|
It's a pet peeve of mine, so sorry in advance, but there's salary exempt and salary non-exempt and only the later doesn't get overtime. And if you're salaried non-exempt, then your work schedule should be flexible and you should be able to work less than 40 hours. Obviously, that's not how it often works out in practice, but yeah. *gets down off soap box*
|
|
#
?
Dec 13, 2021 21:57
|
|
|
I think you're mixing them up. Exempt does not get overtime.
|
|
#
?
Dec 13, 2021 22:24
|
|
|
Yes, you're right, sorry for the mixup and thanks for the correction. Was phone posting.
|
|
#
?
Dec 13, 2021 22:28
|
|
|
Internet Explorer posted:It's a pet peeve of mine, so sorry in advance, but there's salary exempt and salary non-exempt and only the later doesn't get overtime. And if you're salaried non-exempt, then your work schedule should be flexible and you should be able to work less than 40 hours. Obviously, that's not how it often works out in practice, but yeah. I have defined shifts, yet am salary-exempt. got a long way to go before we can get salaried back to the way it should be
|
|
#
?
Dec 13, 2021 22:58
|
|
|
Yeah, while salary non-exempt technically exists, it's a very rarely used status these days (it's only required if your salary is under $35k, or under $107k in some cases). Somewhere along the lines companies figured out that the vast majority of workers will accept salary-exempt and just...deal with it if they need to put in time over 40. Really the only places I'm aware of that commonly use salary non-exempt these days are in strong union shops and some limited government areas. Neither of which tends to include tech, let alone Security  In any event, I generally can't complain too much about my scheduling. This...has been a bad two weeks, though.
|
|
#
?
Dec 13, 2021 23:29
|
|
|
Internet Explorer posted:It's a pet peeve of mine, so sorry in advance, but there's salary exempt and salary non-exempt and only the later doesn't get overtime. And if you're salaried non-exempt, then your work schedule should be flexible and you should be able to work less than 40 hours. Obviously, that's not how it often works out in practice, but yeah. A very relevant thing for people who touch computers as a profession and make more than minimum wage (oops we're all exempt)
|
|
#
?
Dec 13, 2021 23:44
|
|
|
We had a bit of a scare at work, because a central and extremely important system uses log4j. Turns out we're so behind on upgrades, it's not vulnerable unless you use specific functionality, which we've never used and have no plans to use  Score 1 for never loving upgrading poo poo.
|
|
#
?
Dec 13, 2021 23:46
|
|
|
DrDork posted:Yeah, while salary non-exempt technically exists, it's a very rarely used status these days (it's only required if your salary is under $35k, or under $107k in some cases). Volmarias posted:A very relevant thing for people who touch computers as a profession and make more than minimum wage (oops we're all exempt) I hear what you all are saying, but part of raising awareness of the issue, in my eyes, is making sure we aren't going around saying salary = no overtime.
|
|
#
?
Dec 14, 2021 00:11
|
|
|
Different countries have different cultures but my experience is it wouldn’t even need to be spelled out here (UK) that if you’re salaried and working extra hours that you get that time in lieu, with some sort of multiplier for weekend days. If you’re doing billable work then no employer would object to it being paid out as OT. The idea that you just lose those hours because you’re salaried is alien.
|
|
#
?
Dec 14, 2021 00:18
|
|
|
Yeah, that's kind of what I was getting at with the whole salaried exempt = no set hours thing. At the very least you should be getting comp time for extra hours worked. Same thing if you somehow get called in during PTO or other days off. Or travel during non-business hours. I think it's important to push back on that sort of stuff, otherwise it makes for a really lovely work environment. I've had a lot of success in the past, but unfortunately facing the same ol' poo poo at my current place. Slowly approaching the topic.
|
|
#
?
Dec 14, 2021 00:27
|
|
|
Internet Explorer posted:Yeah, that's kind of what I was getting at with the whole salaried exempt = no set hours thing. At the very least you should be getting comp time for extra hours worked. Same thing if you somehow get called in during PTO or other days off. Or travel during non-business hours. I'm pretty new to the management thing, but this is kinda how I run my salaried exempt team at our client's site. My company has a minimum hours worked requirement, a standard 40 hour workweek, but you can bet your rear end that if you work over that you're getting comp'd. The last guy in this position was a spineless slug who folded at the slightest of pushback from the main office and retention of talent was a serious issue. That's not an issue anymore and I leverage that history everytime I get flak.
|
|
#
?
Dec 14, 2021 01:08
|
|
|
I haven’t had “on call” on my JD in years and years but I definitely put in my time this week to help the IR and SecOps teams. My company seems to be pretty good at paying out on-call rates even if you’re not an on-call classed role so I guess log4j is paying for my next trip to Japan or something, thanks Apache.
|
|
#
?
Dec 14, 2021 02:14
|
|
|
 seems badhttps://twitter.com/eastdakota/status/1470767351087964164
|
|
#
?
Dec 14, 2021 15:56
|
|
|
Diva Cupcake posted:
Yeah. That's because it is bad. Like, real bad.
|
|
#
?
Dec 14, 2021 16:09
|
|
|
Its not just that its bad, its that its so easy to exploit.
|
|
#
?
Dec 14, 2021 16:21
|
|
|
I am very glad I've been off the past few days.
|
|
#
?
Dec 14, 2021 16:36
|
|
|
I wonder if i still have a job to return to after christmas or just a giant blob of encrypted data
|
|
#
?
Dec 14, 2021 17:26
|
|
|
What's up, still running log4j1 infosecbros  A few of the products my company makes are more vulnerable, but the ones I specifically support seem to have ducked the worst of it so the past few days my ticket count has doubled but they all consist of sending the same copy/paste email and security bulletin attachments. Some of the techs in other departments are having a rough time tho.Internet Explorer posted:Yeah, that's kind of what I was getting at with the whole salaried exempt = no set hours thing. At the very least you should be getting comp time for extra hours worked. Same thing if you somehow get called in during PTO or other days off. Or travel during non-business hours. On-call rotation is my least favorite part of my job, but it's probably also why I'm non-exempt still and can put in OT and weekend hours whenever. ProTip: work for a company that's headquartered somewhere non-USA, they'll almost always treat their employees better.
|
|
#
?
Dec 14, 2021 19:47
|
|
|
https://twitter.com/Laughing_Mantis/status/1470526083271303172 lol
|
|
#
?
Dec 14, 2021 22:16
|
|
|
secfuck thread was talking about that: Sarah Problem posted:
|
|
#
?
Dec 14, 2021 22:28
|
|
|
Yes, if you were expecting your WAF to stop anything above script kiddies here, you are gonna have a very bad day. On the other hand, the number of attempts I've seen ending in /Exploit, /a, or /TotallyLegitimateJavaClass is amusing.
|
|
#
?
Dec 14, 2021 22:31
|
|
|
*filters requests with "exploit" in them and calls it a day*
|
|
#
?
Dec 14, 2021 22:34
|
|
|
Just don't log anything 
|
|
#
?
Dec 14, 2021 23:56
|
|
|
log4j 2.16.0 is out, please update
|
|
#
?
Dec 15, 2021 00:05
|
|
|
Biowarfare posted:log4j 2.16.0 is out, please update no
|
|
#
?
Dec 15, 2021 00:06
|
|
|
Biowarfare posted:log4j 2.16.0 is out, please update https://www.youtube.com/watch?v=k8_NmCUXyiU
|
|
#
?
Dec 15, 2021 00:17
|
|
|
vulnerability disclosures will continue until morale improves
|
|
#
?
Dec 15, 2021 01:24
|
|
|
Jeoh posted:vulnerability disclosures will continue until morale improves Title
|
|
#
?
Dec 15, 2021 02:18
|
|
|
Jeoh posted:Serious Hardware/Software Crap › The Infosec Thread: vulnerability disclosures will continue until morale improves
|
|
#
?
Dec 15, 2021 02:48
|
|
|
one day I am going to learn2code so I can edit thread titles from my phone
|
|
#
?
Dec 15, 2021 02:54
|
|
|
I want to scream It didn’t help But I think it made me feel a little better
|
|
#
?
Dec 15, 2021 03:31
|
|
|
|
|
#
?
Dec 15, 2021 05:00
|
|
|
Internet Explorer posted:one day I am going to learn2code so I can edit thread titles from my phone Make me a mod so I can test it and I'll make a PR for the awful app with the functionality.
|
|
#
?
Dec 15, 2021 05:07
|
|
|
|
| # ? May 25, 2024 06:23 |
|
|
I don't have GRANT MOD ACCESS rights. 
|
|
#
?
Dec 15, 2021 05:13
|
|