jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


KillHour posted:

I use remote desktop because I have to juggle multiple work laptops and my desk is crowded enough as it is, but I'm actually allowed to do so. In fact, it's the only option for our offshore team because my customer refuses to ship them a laptop (RIP). But in any case, the IT departments made that determination, as is their job.

Edit: The one annoying thing is I'm required to be connected to VPN before I connect RDP since they want me to prove I'm physically in front of my laptop. But I understand why they do it so whatever.

So I’m allowed to use Remote Desktop since it was supplied with my laptop from the bank. How am I breaking policy? It’s installed. I’m using it.

Another 30 IE


KillHour
Oct 28, 2007


jaegerx posted:

So I’m allowed to use Remote Desktop since it was supplied with my laptop from the bank. How am I breaking policy? It’s installed. I’m using it.

Another 30 IE

If it was within policy for you to do that, it's neither an IT problem nor a policy problem so I don't know why you even brought it up.

22 Eargesplitten
Oct 10, 2010



The Fool posted:

It’s a bad take and he should know better.

Yes, it’s possible to download and compile stuff, yes it’s difficult to white list things.

It’s about providing guard rails with minimal friction.

If your devs are installing whatever they want with no oversight, you’re doing it wrong.

If it’s easier for your devs to compile from source than follow procedure, you’re also doing it wrong

I feel like half the open source tools I end up downloading have downloading an executable as an afterthought compared to downloading and compiling source code but IDK, maybe not. Same thing with basically anything you're getting off github though. It depends on what information you need to provide as far as justification, but it might be faster to download and compile the source from github than it would be to fill out a request and submit it.

Which really does make me feel even more like this whole argument is people arguing around the core point that you mentioned above, it's a company culture and process problem rather than a technical problem. Which kind of explains it, goons are better at addressing problems with computers than with people so that's the first thing we're likely to focus on.

I'm not sure if it's relevant but I have never worked somewhere that wasn't a massive black hole of tech debt and ossified bad practices, not giving every single user local admin is above average security for places I have worked, nevermind devs.

22 Eargesplitten fucked around with this message at 05:42 on Jan 24, 2022

KillHour
Oct 28, 2007


22 Eargesplitten posted:

I feel like half the open source tools I end up downloading have downloading an executable as an afterthought compared to downloading and compiling source code but IDK, maybe not. Same thing with basically anything you're getting off github though. It depends on what information you need to provide as far as justification, but it might be faster to download and compile the source from github than it would be to fill out a request and submit it.

Which really does make me feel even more like this whole argument is people arguing around the core point that you mentioned above, it's a company culture and process problem rather than a technical problem. Which kind of explains it, goons are better at addressing problems with computers than with people so that's the first thing we're likely to focus on.

IT's job isn't to make breaking the rules impossible - it's to create the rules and set some reasonable controls. IT is just as much a business function as a technical one, and its role is to support the technical pieces that make the business work. IT wants to know what you're running so that they can support it because when they roll out Windows 11 to all the enterprise laptops after 6 months of testing and it breaks the critical thing you need to do your job because nobody in IT knew you used it and relied on it, that's a bigger problem than having to submit the paperwork for the software in the first place.

Also, and this is important, if everyone downloads and compiles their own software, nobody is ever going to be on the same version of said software, and there's no way for anyone to figure out what it's installed on.

This is just a longwinded way to say that you, as an individual, shouldn't be managing your own computer. Not because you're stupid and will break it (although...), but because there needs to be standardization in order for the organization to have any hope of supporting you.

Edit: To be clear, this depends on where you work, too. There is a point where a company is so small, that having an IT department responsible for standardizing all your hardware and software is impractical, and a point where a company is so large that it's mandatory. There is also an in-between part where a lot of startups get to as they grow and immediately trip and break their nose because it's not easy to transition.

KillHour fucked around with this message at 05:51 on Jan 24, 2022

CLAM DOWN
Feb 13, 2007




jaegerx posted:

So we agree that it's a policy problem, not an IT problem. You cannot lock down a PC unless they're an idiot. I've dealt with a locked down Windows Surface Book; you know what I did? I just remote desktop'd into it while developing on my Mac. Security is a joke, smart people will always find a way.


E: add another 30 IE

E: so I don’t eat another 30. Wait till y’all learn what a reverse ssh tunnel is to beat your vpn.

How have you been able to hold down a single IT job with that attitude/approach

22 Eargesplitten
Oct 10, 2010



That last part is another aspect I hadn't thought about since I don't think I've worked at a place with more than 4-5 devs. At my current place the devs have the exclusive keys to the DevOps pipeline and Terraform/Ansible resources, although I'm not sure how many of them are primarily devs vs operations people that know how to code like the one person that moved from the Linux team who tbh could be on here, he has a ridiculous depth of Linux knowledge and a similarly ridiculous lack of interpersonal skills that means he's stuck working at this hellhole.

The majority of the development work seems to be on Linux boxes, though, and we still don't have like 50-75% of them on a directory service, so they probably have whatever access they want there.

KillHour
Oct 28, 2007


22 Eargesplitten posted:

That last part is another aspect I hadn't thought about since I don't think I've worked at a place with more than 4-5 devs. At my current place the devs have the exclusive keys to the DevOps pipeline and Terraform/Ansible resources, although I'm not sure how many of them are primarily devs vs operations people that know how to code like the one person that moved from the Linux team who tbh could be on here, he has a ridiculous depth of Linux knowledge and a similarly ridiculous lack of interpersonal skills that means he's stuck working at this hellhole.

The majority of the development work seems to be on Linux boxes, though, and we still don't have like 50-75% of them on a directory service, so they probably have whatever access they want there.

You work at a company that is probably one phishing email / bad hard drive / misclick away from going bankrupt. This is not really a problem though because there are about a million other things that are more likely to kill you because small companies are like bugs on the bottom of large companies' shoes. If your company is successful enough, they will eventually need to grow out of that or they will strangle themselves in lost productivity and bad decision making.

At the scale you're talking about, someone trying to standardize software packages would be a huge waste of money over just walking into the room where all the devs sit and asking if anyone uses x version of y. When you have dozens or hundreds of devs, that becomes impossible.

KillHour fucked around with this message at 05:58 on Jan 24, 2022

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


CLAM DOWN posted:

How have you been able to hold down a single IT job with that attitude/approach

I lie a lot

See y’all in 4 months

KillHour
Oct 28, 2007


jaegerx posted:

I lie a lot

See y’all in 4 months

Will you?

KS
Jun 10, 2003
Outrageous Lumpwad
I know at least 3 of the FAANGs give out local admin to everyone on at least a time limited basis. It's not that the other two don't, it's that I haven't checked. It's a weird religious argument because it's clearly fine to do it both ways if it's part of broader controls.

There's a continuum of maturity from "everyone has local admin and you probably shouldn't work there" to tight IT controls and software deployment, and at the high end back to BYOD, zero trust, and local admin again because there are other controls in place such as AppLocker and 802.1x. Like yes, local admins here can uninstall CrowdStrike or the posture agent, but they'll get kicked off the network if they do, so who cares.

I haven't seen that model effectively enabled at a smaller company yet because you need scale to spread the costs out, but you know it'll be there in a few years.

Internet Explorer
Jun 1, 2005





You're not the boss of me!

22 Eargesplitten
Oct 10, 2010



KillHour posted:

You work at a company that is probably one phishing email / bad hard drive / misclick away from going bankrupt. This is not really a problem though because there are about a million other things that are more likely to kill you because small companies are like bugs on the bottom of large companies' shoes. If your company is successful enough, they will eventually need to grow out of that or they will strangle themselves in lost productivity and bad decision making.

At the scale you're talking about, someone trying to standardize software packages would be a huge waste of money over just walking into the room where all the devs sit and asking if anyone uses x version of y. When you have dozens or hundreds of devs, that becomes impossible.

The current fight has been "We do not have enough storage to provide the services we're offering and one of our biggest storage arrays is EOL and will be out of support in two weeks, give us budget for new storage" and the CFO going "But the bottom line..."

And I'd say strangling themselves in lost productivity and bad decision making sounds pretty accurate, but less fatal strangling and more like growth-stunting. It's a MSP which means it's run by people that don't understand just because you can make someone work 60 hours doesn't mean you can make them get 1.5x as much done, and we have garbage documentation and the NOC is pretty much just routing tickets because there's no KBs for 90% of tickets but nobody has time to write KBs with all of the other stuff that's being demanded of them and also needing to do the break/fix that is getting pushed to them because of the lack of documentation.

I really want to get out of here but I have a lot of weak spots in terms of linux administration (getting better because our broke-rear end software that takes all my time is Linux-based), IaC, scripting, and especially DevOps pipelines. Most of that stuff except the pipelines I have some experience with, just not nearly enough, and I'm consistently finding myself in workplaces where there's no built-in learning opportunities for that kind of thing.

nielsm
Jun 1, 2009



How does having local admin make ransomware more dangerous?

If the user can use a web browser, or an email client more advanced than Mutt, you should just assume there are unknown vulnerabilities a determined attacker will use to get code execution and privilege escalation anyway.

Code running on a computer shouldn't be more dangerous to your network just because it has system privileges on the hardware it's running on. It can still send the same packets across the network whether it's running in a limited or a privileged account. A local administrator account shouldn't have more access to remote file shares, or fewer checks on sudden modification of thousands of files across a share.

The only additional danger associated with having local administrator on your local workstation (assuming there are no known or unknown privilege escalation attacks) is that any malware will be able to hide better from investigation from inside the system. But why are you even worrying about that? Flatten, flash and reinstall if a machine has been compromised.

Having local administrator by default is bad, I agree. Put the access behind a small hatchway, but don't make it entirely unavailable. A little roadblock such as having to enter (different) credentials, or send a request via a network service, or talk to a helpdesk employee, should be more than enough to make users think twice. Just don't make it the default, or only locked behind a "Yes" button in the UAC GUI.

Fart Amplifier
Apr 12, 2003

nielsm posted:

How does having local admin make ransomware more dangerous?

Is this really being asked? It makes defense evasion, persistence, lateral movement, and privilege escalation easier.

nielsm
Jun 1, 2009



Yes I'm serious. Please explain to me why your defenses against attacks from clients on the network are entirely dependent on having full control of those clients. Why are your defenses not in firewalls between network segments and on file servers monitoring for unusual activity?

Boba Pearl
Dec 27, 2019

by Athanatos
I had to write a paper on this for class actually, but it really can be summed up by saying "Safe Enough" isn't a thing; every layer of security is a redundancy for the next layer, and the easier and less damaging the layer is, the more important it is to have it on. Giving end users local admin privileges opens the risk of them doing something very silly, like turning off UAC entirely, which would allow things to install in the background. By removing that small barrier to doing that, you get a great deal more security with no real cost to you or the end user. It's a small setting and it exists as a stopgap. If every other safeguard you have fails, then your security is only as strong as your last line of defense.

LochNessMonster
Feb 3, 2005

I need about three fitty


CLAM DOWN posted:

How have you been able to hold down a single IT job with that attitude/approach

In virtually every corporate environment I've worked there have been lots of rules, and lists being emailed around but very little actual security guidance (let alone help with implementing). Besides creating policies those departments rarely monitor or investigate anything that does not pop up from their default scanning tools, let alone enforce it.

So compiling your own stuff (hi there CNTLM proxy) will hardly ever get detected.


When it comes to PKI most live in the stone age and don't even have auto-enrollment on internal CAs, yet they wonder why teams run self-signed certs (or worse, use HTTP for sandbox, dev or test environments). Lol if you think I'm going to request SSL certs manually in TYOOL 2022 for automated builds.


-edit-

One of the bigger financial institutions I've worked for had a nice take on local admin on workstations. You can get it (on a separate account you can escalate to), but if any of their security tooling gives as much as a beep they'll lock you out of everything and you can come by to let them wipe / reinstall it. You better make sure you save everything to network drives / SharePoint / git repos / whatever because there are no backups made for workstations.

Surprisingly that worked fairly well. Both Devs and Desktop support were happy enough with it.

LochNessMonster fucked around with this message at 09:45 on Jan 24, 2022

deedee megadoodoo
Sep 28, 2000
Two roads diverged in a wood, and I, I took the one to Flavortown, and that has made all the difference.


This has been such a great conversation. Next topic: vim vs emacs.

vanity slug
Jul 20, 2010

deedee megadoodoo posted:

This has been such a great conversation. Next topic: vim vs emacs.

nano

Wizard of the Deep
Sep 25, 2005

Another productive workday
I prefer Notepad++.

devmd01
Mar 7, 2006

Elektronik
Supersonik
no I think we should go back to slack vs. teams

Wibla
Feb 16, 2011


pico

LochNessMonster
Feb 3, 2005

I need about three fitty



And Pine as email client.

scott zoloft
Dec 7, 2015

yeah same
I'm glad that got figured that out that was stressful for a moment

Fart Amplifier
Apr 12, 2003

nielsm posted:

Yes I'm serious. Please explain to me why your defenses against attacks from clients on the network are entirely dependent on having full control of those clients. Why are your defenses not in firewalls between network segments and on file servers monitoring for unusual activity?

I'm not going to explain that, because it's not remotely what I said. What I actually said was "It makes defense evasion, persistence, lateral movement, and privilege escalation easier."

The best defense is a layered approach, and the more layers you poke holes in, the more likely you're going to have issues. Giving admin credentials to end users makes securing the endpoint itself nearly impossible, which is a huge security failure.

totalnewbie
Nov 13, 2005

I was born and raised in China, lived in Japan, and now hold a US passport.

I am wrong in every way, all the damn time.

Ask me about my tattoos.

deedee megadoodoo posted:

This has been such a great conversation. Next topic: vim vs emacs.

WordPerfect

xzzy
Mar 5, 2009

Fortunately all the old school grognards that looked down on vi and emacs users for not using ed have died or retired.

alg
Mar 14, 2007

A wolf was no less a wolf because a whim of chance caused him to run with the watch-dogs.

Has anyone here worked with VMware Tanzu? They are selling hard at my org and leadership is very interested. I'd rather get out of VMware altogether and move to OpenShift, but they don't really listen to me.

Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.

xzzy posted:

Fortunately all the old school grognards that looked down on vi and emacs users for not using ed have died or retired.

I liked this line from the ed Wikipedia entry:

quote:

(In)famous for its terseness, ed gives almost no visual feedback, and has been called (by Peter H. Salus) "the most user-hostile editor ever created", even when compared to the contemporary (and notoriously complex) TECO.

scott zoloft
Dec 7, 2015

yeah same
Got news this morning company is getting bought by bigger company. Now I have to trick another company into letting me run their IT dept

luminalflux
May 27, 2005



alg posted:

Has anyone here worked with VMware Tanzu? They are selling hard at my org and leadership is very interested. I'd rather get out of VMware altogether and move to OpenShift, but they don't really listen to me.

I've worked on it back when it was Pivotal Cloud Foundry and I was at PVTL. It's great if what you want is an on-prem Heroku for hosting apps that are 12-factor, which is probably what you actually want as an app developer. In that regard it's a better experience than k8s - buildpacks are a lot easier to deal with than figuring out how to containerize. If you're doing Spring Boot it's an amazingly smooth experience since Pivotal maintains Spring and made sure that Cloud Foundry outputs all the autodiscovery stuff for Spring Boot.

It's also great if you need to be able to run the same application on-prem and in various cloud providers for regulatory reasons or some other wormbrained multi-cloud strategy. We managed to migrate all of public Pivotal Tracker from AWS to GCP (iirc) with something like 18 minutes downtime just by replicating the data and switching DNS records, no changes to the application. However running it on AWS or GCP is just dumb since Heroku already exists.

What it's not great at: shoving third-party software into it is miserable (this is what I did on the MySQL team); for that you probably want k8s. It's also not great at having third-party vendor support. Its mindshare is a lot smaller and operating it (at least in 2017) was a bit rear end, but so is operating Kubernetes.

xzzy
Mar 5, 2009

Early in my career I worked under a Richard Stallman lookalike that spent an hour trying to convince everyone that ed was the best editor.

The only thing that worked in his favor is that ed works as designed in a terminal without any screen drawing capability, which in the 90's and earlier could happen, so I guess there's a plus for it. But even then we did 99% of all work over an ssh connection so it really didn't help much.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

scott zoloft posted:

Got news this morning company is getting bought by bigger company. Now I have to trick another company into letting me run their IT dept

Exciting times. I've been through several acquisitions and each one worked out positively for me. Good Luck.

Wizard of the Deep
Sep 25, 2005

Another productive workday

skipdogg posted:

Exciting times. I've been through several acquisitions and each one worked out positively for me. Good Luck.

Flip side: I've been through one divestiture, and it went poorly for me. I'm confident the executives responsible saw significant improvements in their portfolios and bonuses after significant reductions in payroll costs, though!

Eminent DNS
May 28, 2007

Wizard of the Deep posted:

Flip side: I've been through one divestiture, and it went poorly for me. I'm confident the executives responsible saw significant improvements in their portfolios and bonuses after significant reductions in payroll costs, though!

Glad to hear it had a happy ending

xzzy
Mar 5, 2009

Well, Kronos is back for us. I'm disappointed we decided to stick with them.

Vargatron
Apr 19, 2008

MRAZZLE DAZZLE


xzzy posted:

Well, Kronos is back for us. I'm disappointed we decided to stick with them.

Who are the alternatives? I think they're pretty much dug in like a tick here because we're a public employer and inertia is a thing.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Our on prem Kronos has never gone down.

xzzy
Mar 5, 2009

Vargatron posted:

Who are the alternatives? I think they're pretty much dug in like a tick here because we're a public employer and inertia is a thing.

Well they whipped up a temporary version in about a week in Apex that was actually pretty good. I'd vote for that.


Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.
The first Kronos I had to work with gave people a shock when they used it to log in. Had no idea at the time that it was a preview of what was to come.
