Kibner posted: I just run a work VM on my personal machine.

Unironically - Same. I had a laptop issued, cloned the disk into a VM and keep it on my personal machine.
|
# ? Dec 6, 2023 01:38 |
|
I’m amazed that you’re permitted to do that
|
# ? Dec 6, 2023 01:39 |
|
Subjunctive posted: I’m amazed that you’re permitted to do that

I did it as a demo for BYOD capabilities, as there were serious concerns about how much we were spending to issue laptops to contractors that already had laptops. They just never took it back, and I have a fairly high level position in the security team, so they never bothered.
|
# ? Dec 6, 2023 01:42 |
|
Kibner posted: I just run a work VM on my personal machine.

Posting this through a personal VM on my work machine. Which is also sitting on a VPN to get around my org's content filtering.
|
# ? Dec 6, 2023 02:36 |
|
CommieGIR posted: Security people like this piss me off and makes it really hard to work in the field.

The next evolution is when IT security starts throwing stuff over the wall... to product security teams. Watching the egos clash is entertaining, but hard to get the blood off the walls afterwards.
|
# ? Dec 6, 2023 04:03 |
|
Subjunctive posted: I’m amazed that you’re permitted to do that

I cleared it with my company's security team. We are a small consulting firm, though. Like, maybe 30 people. ~6 devs, ~3 security people, ~3 networking/infrastructure people, ~3 project managers, and the rest split up between HR, help desk, and some specialized products for our clients.

e: I guess they just trust me. I know the security team shares my frustration with how slow the anti-virus/malware software makes our work computers. A bit of a difference between my 11th gen i7 work laptop and my 7950X3D home desktop.
|
# ? Dec 6, 2023 05:00 |
|
Hmm yes let's give some person's laptop that we have zero control over and might be chock full of malware full control over our corporate image, without us being able to monitor anything. Surely this won't ever go wrong. What a terrible idea.
|
# ? Dec 6, 2023 07:44 |
|
CommieGIR posted: A good Security team partners with IT to solve issues.

I've got one of those to work with. A couple of weeks ago I had a lab change the password on a generic account they used on all the lab machines. It was also used by some scheduled tasks set to absurd frequencies, so their poo poo was getting locked out on the reg. Yes, you need to copy data to an approved repository; no, every 5 minutes doesn't make sense. I emailed security@example.com and an hour later I had a spreadsheet showing which hosts had generated failed authentication events and how often. We updated the credentials on the scheduled jobs, made the frequency make more sense, and the lab was back to work. Goddamn but I like our security governance people, they want to help us do the core work.
|
# ? Dec 6, 2023 09:33 |
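The spreadsheet in the post above (which hosts generated failed authentication events, and how often) is straightforward to produce from a Security log export, and the cadence of the failures is what separates a scheduled task holding an old password from a user typo or a password spray. The script below is an added example, not code from the thread or from anyone's environment: it reads a constructed, simplified CSV export of Windows Security events (4625 failed logon, 4771 Kerberos pre-authentication failure, 4624 successful logon), counts failures per (host, account), and flags pairs whose failures recur at a steady interval. The column layout, the account and host names, and the sample rows are all made up for the example; a real export from Event Viewer, wevtutil or a SIEM carries many more fields.

```python
"""Find hosts whose failed logons look like a scheduled job with a stale credential.

Added example, not code from the thread. Input is a constructed, simplified CSV
export of Windows Security events (4625 = failed logon, 4771 = Kerberos
pre-authentication failure, 4624 = successful logon); a real export from
Event Viewer, wevtutil or a SIEM has many more fields and a different layout.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import median

# Constructed sample data. svc-labcopy fails from two lab hosts at a steady
# five-minute cadence (a scheduled task still holding the old password);
# jdoe fails once and then logs on successfully (a user typo).
SAMPLE_LOG = """\
time,event_id,account,host
2023-11-20T08:00:02Z,4625,svc-labcopy,LAB-PC-01
2023-11-20T08:05:01Z,4625,svc-labcopy,LAB-PC-01
2023-11-20T08:10:03Z,4625,svc-labcopy,LAB-PC-01
2023-11-20T08:15:02Z,4625,svc-labcopy,LAB-PC-01
2023-11-20T08:00:10Z,4771,svc-labcopy,LAB-PC-02
2023-11-20T08:05:09Z,4771,svc-labcopy,LAB-PC-02
2023-11-20T08:10:11Z,4771,svc-labcopy,LAB-PC-02
2023-11-20T08:07:44Z,4625,jdoe,WS-0417
2023-11-20T09:12:30Z,4624,jdoe,WS-0417
"""

FAILED_AUTH_EVENT_IDS = {"4625", "4771"}


def parse_failed_auth(text: str) -> list[dict]:
    """Parse the CSV export and keep only failed-authentication events."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        if row["event_id"] not in FAILED_AUTH_EVENT_IDS:
            continue
        events.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": row["event_id"],
            "account": row["account"],
            "host": row["host"],
        })
    return events


def summarize_by_host(events: list[dict]) -> dict[tuple[str, str], dict]:
    """Count failures per (host, account) and record the gaps between them."""
    times_by_key = defaultdict(list)
    for e in events:
        times_by_key[(e["host"], e["account"])].append(e["time"])
    summary = {}
    for key, times in times_by_key.items():
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        summary[key] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "median_gap_s": median(gaps) if gaps else None,
            "jitter_s": (max(gaps) - min(gaps)) if gaps else None,
        }
    return summary


def stale_credential_candidates(summary, min_count=3, max_jitter_s=60):
    """Return (host, account, cadence_seconds) for failures that recur on a
    steady schedule. A person mistyping a password, or an attacker spraying,
    does not produce evenly spaced failures from one host; a scheduled task
    or service with an old credential does."""
    out = []
    for (host, account), s in summary.items():
        if s["count"] < min_count or s["jitter_s"] is None:
            continue
        if s["jitter_s"] <= max_jitter_s:
            out.append((host, account, round(s["median_gap_s"])))
    return sorted(out)


if __name__ == "__main__":
    summary = summarize_by_host(parse_failed_auth(SAMPLE_LOG))
    for host, account, cadence in stale_credential_candidates(summary):
        print(f"{host}: {account} fails every ~{cadence}s "
              f"({summary[(host, account)]['count']} failures); "
              f"check scheduled tasks/services using that account")
```

On the sample data, both lab hosts are reported with a roughly 300-second cadence and the single jdoe failure is ignored. The jitter threshold is the important knob: a task scheduler fires within a few seconds of its schedule, so a tight threshold keeps interactive failures and spraying out of the list, while the account lockout threshold in the domain policy tells you how many of those failures it takes before the account is locked.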
|
CommieGIR posted: I have a fairly high level position in the security team so they never bothered.

lmao the higher I get the more amazed I am at how deferential everyone becomes, like they don't have any concept that I could be the bad actor in every threat exercise we play out. At some point I'm going to have to present myself as the tabletop subject.
|
# ? Dec 6, 2023 12:35 |
|
some kinda jackal posted: lmao the higher I get the more amazed at how deferential everyone becomes, like they don't have any concept that I could be the bad actor in every threat exercise we play out

Given that I run the Red Team - I am the bad actor
|
# ? Dec 6, 2023 13:02 |
|
lol we wouldn’t allow any of that poo poo. I don’t care if you’re the CFO. Especially not if you’re the CFO.
|
# ? Dec 6, 2023 13:07 |
|
I just installed PowerToys on my work laptop and use Mouse Without Borders to control both it and my personal computer at the same time. Now my workplace can't see my poo poo posting.
|
# ? Dec 6, 2023 16:17 |
|
The SA phone app is actually pretty good y'all just shitpost from your phone
|
# ? Dec 6, 2023 17:15 |
|
CommieGIR posted: Given that I run the Red Team - I am the bad actor

If I worked with you, it would really worry me that you might believe that. Your credentials and activities sound like they deserve more protection, not less. Especially on the basis of “I was testing this as something we might give to random contractors, and based on someone forgetting to ask for the test configuration back I’m using it for my actual, privileged work”. You’re my nightmare: someone who thinks they’re too clever to be at risk.

Subjunctive fucked around with this message at 17:34 on Dec 6, 2023
|
# ? Dec 6, 2023 17:31 |
|
E: Misread
|
# ? Dec 6, 2023 18:14 |
|
Turns out the employee is an extreme privacy nut in their personal life and doesn't have the impulse control to not let it spill over into their working life. The company is going through an overhaul of security, and standardization of software across the board has been underway. This developer has things like Brave browser, Tor, Burp Suite, at least 5 VPN clients, and tons of other "privacy" poo poo installed on their laptop. All of it is getting shitcanned and I can't wait for the next implosion. We are also noticing the local VM/Docker crowd being cute but not properly killswitching their stuff, so various breadcrumbs are found. There is enough of it that the CISO is going to make VMs and Docker poo poo a pain in the rear end because people can't have nice things.
|
# ? Dec 6, 2023 18:24 |
|
Tor on a work device
|
# ? Dec 6, 2023 18:25 |
|
I was wondering what Burp Suite was so I googled it and found out it’s the product of a company named “PortSwigger.” What the gently caress are they on?
|
# ? Dec 6, 2023 18:29 |
|
Burp Suite is a legitimate security tool maintained by a respected company. There's possibly a use case for it on a dev machine if they work in web dev or something, but based on the context above, that is probably not the case here.

some kinda jackal posted: Tor on a work device

significantly more horrifying. you are going to employee jail brother!
|
# ? Dec 6, 2023 18:31 |
|
Arivia posted: I was wondering what Burp Suite was so I googled it and found out it’s the product of a company named “PortSwigger.” What the gently caress are they on?

It's more a security toolset, and a developer having it on their workstation would raise some questions. It's not proof of wickedness but it's out of place. The first wave of standardization isn't even that unreasonable. The issue is when you create a culture of developer entitlement and toxic leadership sensitivity to disrupting ANY conveniences; it takes time to change hearts and minds.
|
# ? Dec 6, 2023 18:34 |
|
some kinda jackal posted: E: Misread

read this pre-edit and I thought it made a decent point but if I can’t make up a dude to get mad at then I might as well delete my account
|
# ? Dec 6, 2023 18:35 |
|
CommieGIR posted: Security people like this piss me off and makes it really hard to work in the field.

I think part of the problem is that there isn't really such a thing as entry level security, but that conflicts with corporate notions of career progression, and the sort of people they actually need don't even exist in the sort of numbers required to meet demand.
|
# ? Dec 6, 2023 18:59 |
|
I mean, I won't even put my work laptop on my internal wifi network, it gets punted to the guest network.
|
# ? Dec 6, 2023 19:43 |
|
Sickening posted: It's more a security toolset and a developer having it on their workstation would raise some questions. It's not proof of wickedness but it's out of place.

I wasn't commenting on the product. It looks legit. I was commenting on the name, and especially the name of the company, being right out of GTA.
|
# ? Dec 6, 2023 20:37 |
|
it has for sure raised some eyebrows come budget time, great tool though their enterprise offering is the cheap too, though you do have to self-host and there is no dedicated support (but their support distro is fairly responsive)
|
# ? Dec 6, 2023 21:42 |
|
Internet Old One posted: I think part of the problem is that there isn't really such a thing as entry level security but that conflicts with corporate notions of career progression and the sort of people they actually need don't even exist in the sort of numbers required to meet demand.

And assuming there is a path upward (or laterally) from another team, you assume it won't force a relocation, or that you won't be taken out for lunch by two fellas on that team you know socially, who tell you they like you too much to see you get destroyed by a sexist boss. Hope those guys are well, they were real as hell and I miss them.
|
# ? Dec 7, 2023 00:30 |
|
Subjunctive posted: If I worked with you, it would really worry me that you might believe that.
|
# ? Dec 7, 2023 00:38 |
|
my work laptop is also my seedbox
|
# ? Dec 7, 2023 01:06 |
|
FungiCap posted: Where I've seen high friction between IT and security has usually been in organizations where IT was underfunded and understaffed, where they're too stressed just keeping the lights on to worry about TLS 1.2 vs TLS 1.3.

I spent some time assigned to a security team as an endpoint guy and ops really, really seems to appreciate "hey we found these issues, also we have an SCCM/Intune/salt/jamf/whatever guy who forked/copied some of your prod policies to test a hypothetical fix with you that might actually work with the rest of what you're doing"
|
# ? Dec 7, 2023 01:27 |
|
imo security really ought to know how and why endpoints are configured the way that they are. if your security team can answer 80% of the questions that might be fielded to your ops or dev teams, you're probably doing great in terms of picking up institutional knowledge and actually being able to help architect stuff

lol who cares anymore, it's 2023 and you're just as likely to get laid off for great quarterly performance as the company doing shittily
|
# ? Dec 7, 2023 01:34 |
|
Subjunctive posted: If I worked with you, it would really worry me that you might believe that.

Gonna highlight this - I NEVER ever claimed I was too clever to be at risk. Please give me some credit here at least. Please don't just go assuming things about me because I made a joke (although I am the Red Team lead). That is a massive assumption on your part, and frankly is incredibly insulting. To paraphrase Plato - "I know that I know nothing" and that applies to any security person. You are never too smart to be risk free, and you are never too experienced to get yourself into trouble. Of course there's risk involved with having a corporate image on my laptop. Plenty of it. Given that your average VM has about as much protection as a VDI - it's as much of a controlled risk as a hardware endpoint. The VM had our full security suite on it, and was encrypted via BitLocker. Again - we were assuming this VM would be given to contractors, many of whom we know nothing about their security stack on their contracting laptop. So, in other words, assume the worst.

Sickening posted: Turns out the employee is an extreme privacy nut in their personal life and doesn't have the impulse control to not let it spill over into their working life.

Jesus loving christ....

CommieGIR fucked around with this message at 02:09 on Dec 7, 2023
|
# ? Dec 7, 2023 01:44 |
|
Yeah I’ve really worked to divest my work machine completely from anything personal. If I want to browse or shitpost, I have guacamole running in an instance on a box at home I can hit via a browser. Much easier.
|
# ? Dec 7, 2023 02:09 |
|
AlternateAccount posted: Yeah I’ve really worked to divest my work machine completely from anything personal. If I want to browse or shitpost, I have guacamole running in an instance on a box at home I can hit via a browser. Much easier.

Yeah there's nothing in my work machine related to my personal. In fact they just started requiring Intune on Personal Devices to have Teams and Email, so I uninstalled both and said they could either pay a stipend to have work stuff on my personal phone or provide a phone, and they are going to start issuing company phones it seems like.
|
# ? Dec 7, 2023 02:10 |
|
CommieGIR posted: Gonna highlight this - I NEVER ever claimed I was too clever to be at risk. Please give me some credit here at least. Please don't just go assuming things about me because I made a joke (although I am the Red Team lead). That is a massive assumption on your part, and frankly is incredibly insulting. To paraphrase Plato - "I know that I know nothing" and that applies to any security person. You are never too smart to be risk free, and you are never too experienced to get yourself into trouble. Of course there's risk involved with having a corporate image on my laptop. Plenty of it.

You forgot the most important reason to keep your own poo poo locked down; making sure blue doesn’t know what the Meme Theme of the next engagement presentation is
|
# ? Dec 7, 2023 02:27 |
|
Ellipson posted: You forgot the most important reason to keep your own poo poo locked down; making sure blue doesn’t know what the Meme Theme of the next engagement presentation is

No matter how many times we try 'Open the meeting with a joke', it never carries well with the executive team.
|
# ? Dec 7, 2023 02:30 |
|
CommieGIR posted: Yeah there's nothing in my work machine related to my personal. In fact they just started requiring Intune on Personal Devices to have Teams and Email, so I uninstalled both and said they could either pay a stipend to have work stuff on my personal phone or provide a phone, and they are going to start issuing company phones it seems like.

Mustache Ride clued me into an Android app called Shelter in order to silo off work related stuff on my phone, really really helpful for non Apple people like myself.
|
# ? Dec 7, 2023 17:53 |
|
Jiro posted: Mustache Ride clued me into an Android app called Shelter in order to silo off work related stuff on my phone, really really helpful for non Apple people like myself.

Neat I'll check it out.
|
# ? Dec 7, 2023 18:18 |
|
CommieGIR posted: Neat I'll check it out.

https://f-droid.org/en/packages/net.typeblog.shelter/
|
# ? Dec 7, 2023 18:18 |
|
Jiro posted: Mustache Ride clued me into an Android app called Shelter in order to silo off work related stuff on my phone, really really helpful for non Apple people like myself.

Is this really only necessary for organizations that don't have it set up so that their instances are accessed using the native work profile feature in Android?
|
# ? Dec 7, 2023 18:22 |
|
I believe newer versions of Android have guest or regular profiles you can make. My GrapheneOS Pixel 7 lets me create new profiles and they are all sandboxed.
|
# ? Dec 7, 2023 18:32 |