|
LOL if your password isn't a 16 character long leet speak reference to the song catalog of Foreigner
|
# ? Jun 16, 2015 16:08 |
|
|
> ElGroucho posted: LOL if your password isn't a 16 character long leet speak reference to the song catalog of Foreigner

I prefer Boston, but to each their own. I'm not really worried about the LastPass incident. I have 2FA turned on, and use a master password I don't use anywhere else. I need a new master PW but I can live with that, better than changing 120+ passwords I have stored in there. In the last 3 years my identity and/or PII has possibly been compromised at least 3 times from various businesses, this is the one I'm least worried about to be honest.
|
# ? Jun 16, 2015 16:29 |
|
Use classic Yes lyrics. Even the plain text lyrics have no discernible meaning, so it's another layer of security!
|
# ? Jun 16, 2015 20:28 |
|
Has anyone used Pleasant Password Server? It uses KeePass as the client but adds ACLs. Sounds cool but I haven't had a chance to try it. KeePass files on a network share have multi-user functionality to prevent simultaneous edits, but it seems you lose that if they're stored in Dropbox. There's a period of time before changes sync out from one user to the team where another user could overwrite.
|
# ? Jun 16, 2015 20:51 |
|
> KS posted: Has anyone used Pleasant Password Server?

If you want a shared, on-premise password server/vault, you could do a lot worse than Secret Server. We use it and it's pretty great.
|
# ? Jun 16, 2015 20:53 |
|
Secret Server also has the 100 users and 1000 secret license available for until tomorrow.
|
# ? Jun 16, 2015 21:05 |
|
> Thanks Ants posted: Secret Server also has the 100 users and 1000 secret license available for until tomorrow.

I'm convinced this is a permanent "promotion". Over the last couple years, I've literally never NOT seen it active but "about to end". But in any case it's an incredible deal compared to the list price, so I'm not complaining.
|
# ? Jun 16, 2015 22:41 |
|
> Thanks Ants posted: Secret Server also has the 100 users and 1000 secret license available for until forever.

Fixed that for you. It's a perpetual promotion that never really ends.

Anyways, there's no reason to stop using LastPass after this. Keep in mind that the master hash stored on their servers can in no way give you access to the passwords even if they DID have access to the password vault. LastPass' flow is like this:

- \<enter master password\>
- *5000 iterations of PBKDF2*
- \<hash is used to encrypt DB on client side\>
- *additional iteration of PBKDF2*
- \<hash is transmitted to LastPass\>
- *thousands more iterations of PBKDF2*
- \<LastPass stores hash\>

So, hackers got that last bit along with some other info like questions. Even if they managed to brute force those passwords, the best they would be able to do is log into LastPass and download the password DB for that user. They still wouldn't have access TO that DB since the hash used to encrypt it was never transmitted to LastPass in the first place and sits only on the client side. In the end, compromise of LastPass passwords requires a brute force attack on the password DB itself. In that way, it is functionally the same as any locally stored password DB such as KeePass that you happen to store a copy of in Dropbox or Drive.
|
# ? Jun 16, 2015 22:46 |
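To make the chain in the post above concrete, here is an added Python illustration (not LastPass's own code) of why the server-side value is useless for opening the vault: the vault key stays on the client, the login value is a one-way derivative of it, and the stored value is a further one-way derivative of that. The 5000 client rounds are from the post; the server round count, the salts and the toy HMAC-counter keystream standing in for AES are assumptions.

```python
import hashlib
import hmac

# Iteration counts: 5000 client rounds as described in the post; the server
# count is an assumed stand-in for "thousands more".
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100_000


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side: the key that encrypts the vault. Never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), username.encode(), CLIENT_ROUNDS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one extra PBKDF2 round over the vault key; this is what gets sent."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_stored_value(login_hash: bytes, server_salt: bytes) -> bytes:
    """Server side: thousands more rounds before storing. This is what a breach exposes."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, SERVER_ROUNDS)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream; stands in for the real AES layer."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def vault_xor(key: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts the vault blob with the toy keystream (XOR is symmetric)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def demo(master_password: str = "constructed-master-password", username: str = "user@example.invalid") -> dict:
    """Walks the chain once and reports which of the three values actually opens the vault."""
    vault_key = derive_vault_key(master_password, username)
    login_hash = derive_login_hash(vault_key, master_password)
    stored = server_stored_value(login_hash, b"constructed-server-salt")
    vault = b"site=example.invalid;user=alice;pw=correct horse battery staple"  # constructed
    blob = vault_xor(vault_key, vault)
    return {
        "client_key_opens_vault": vault_xor(vault_key, blob) == vault,
        "login_hash_opens_vault": vault_xor(login_hash, blob) == vault,
        "stored_value_opens_vault": vault_xor(stored, blob) == vault,
        # Cost of testing one master-password guess against the leaked value: the whole chain.
        "work_per_guess": CLIENT_ROUNDS + 1 + SERVER_ROUNDS,
    }
```

The last field is the caveat the post glosses over: the leaked value is only as strong as the master password times the total iteration count, which is why a unique master password and 2FA still matter.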
|
> SIR FAT JONY IVES posted: Care to expound?

If you want to see a password management tool that's actually designed sanely, take a look at Vault. (First person to design a sane GUI for it that isn't also horribly insecure gets a cookie.) LastPass isn't badly-designed at all unless an endpoint gets compromised.

Vulture Culture fucked around with this message at 22:55 on Jun 16, 2015 |

# ? Jun 16, 2015 22:52 |
|
Got a call about the virtualization position out at Langley AFB this morning - they wanted to get a gauge on how serious I am about the position, so I told him that to do that I'd need to know what kind of pay I was looking at. Wouldn't tell me unless I was serious about the position. I responded that my interest in the position was conditional upon them being able to pay me the amount I thought was reasonable for the position. His response was that it was apparent I wasn't serious about the position. Every single interaction I've had with these guys has been something of a pain. I don't think it's too unreasonable to want to know what the pay is for a position, but they've been treating it like it's a national secret. Good thing I already got confirmation of my move to the virtualization position where I'm at now. Just nine more days to go.
|
# ? Jun 16, 2015 23:05 |
|
> Daylen Drazzi posted: Got a call about the virtualization position out at Langley AFB this morning - they wanted to get a gauge on how serious I am about the position, so I told him that to do that I'd need to know what kind of pay I was looking at. Wouldn't tell me unless I was serious about the position. I responded that my interest in the position was conditional upon them being able to pay me the amount I thought was reasonable for the position. His response was that it was apparent I wasn't serious about the position.

As a veteran myself, you're dealing with the circular logic of fellow idiot servicemembers. Just tell the loving guy you're super interested, and say no after he tells you everything if you don't like it. Sheesh.
|
# ? Jun 16, 2015 23:11 |
|
Question for the thread: How do you stop someone from having the keys to the kingdom? How do Fortune 500 companies prevent one rouge employee with root/admin credentials from bricking the entire infrastructure or exceedingly large portions of it?
|
# ? Jun 17, 2015 00:15 |
|
Separation of duties. No one should hold all the keys. The guys that write the software shouldn't do the deployments. The infrastructure guys maybe aren't the Windows admin guys. Configuration management should detect and report on changes to e.g. router or firewall configs. IT security should be independent and have a dotted line to report up to someone outside the IT org, and they should be watching audit logs. One of the first separations you should think about even for a smaller company is that the guy with the keys to the data should not also be the guy who can delete backups.
|
# ? Jun 17, 2015 00:42 |
|
> KS posted: Separation of duties. No one should hold all the keys. The guys that write the software shouldn't do the deployments. The infrastructure guys maybe aren't the Windows admin guys. Configuration management should detect and report on changes to e.g. router or firewall configs. IT security should be independent and have a dotted line to report up to someone outside the IT org, and they should be watching audit logs.

You can go even farther than that. When I was in the global security group for a bank, we had some insanely controlled access policies to passwords for mission critical systems. Chain of custody on passwords -- 64 random characters and symbols on a card in an indexed bag with tamper-proof seals. Needed a 2nd party present for access to these systems. Some systems had the password split into two separate cards and one person entered one half and another entered the other half. This was for systems that managed the encryption keys for wire transfers or ATMs, or file encryption systems separate from LDAP or Active Directory administrative control to ensure the non-repudiability of transaction logs.

That last one was pretty neat, you had to generate a hash of whatever UNIX daemon or Windows Service on a specific computer needed to write to disk and then the appliance would let ONLY those write to the directories. There was no user access to the encrypted files. If someone needed to view them, you could (for instance) assign Windows Explorer (after a hash on that specific computer was generated) read-only access temporarily to copy the files to another location and then lock it down afterwards.
|
# ? Jun 17, 2015 01:02 |
|
> Tab8715 posted: Question for the thread,

My last job was a Fortune 500 and I had admin over the forest of 60,000 employees. I absolutely could have irrevocably destroyed the entire company beyond the reach of any disaster recovery if I felt like it. I was about 10 mouseclicks from billions in damage, I even showed my boss, like I was terrified to even poke around in there. The top admins even went in and tried to fix permissions and AD hierarchy and other stuff, to the point of mailing out an AD server to me that I was supposed to install in our server room and have no way to log in into. Guy needed it rebooted one day and flat out emailed me his own login and password, which whoops once again had god mode with no compartmentalization.

Come on, NSA admins were just chucking their own passwords at Snowden without him even asking for them, lol if you think there's any way to make a Sony-size bloat company not a ticking time bomb, at least from a social engineering perspective. You can do everything perfectly but it's the other users/admins that'll get ya.

> flosofl posted: You can go even farther than that. When I was in the global security group for a bank, we had some insanely controlled access policies to passwords for mission critical systems. Chain of custody on passwords -- 64 random characters and symbols on a card in an indexed bag with tamper proof seals. Needed a 2nd party present for access to these systems. Some systems had the password split into two separate cards and one person entered one half and another entered the other half.

That's a lot like I used in the military, pull-tape crypto and such, but then along comes Chelsea Manning and literally records all the classified material onto a CDR labeled "Lady Gaga Mixtape"

Zero VGS fucked around with this message at 01:07 on Jun 17, 2015 |

# ? Jun 17, 2015 01:05 |
|
> Tab8715 posted: one rouge employee with root/admin credentials

Generally, you don't want red team to have any credentials.
|
# ? Jun 17, 2015 01:39 |
|
> PCjr sidecar posted: Generally, you don't want red team to have any credentials.

I like it.
|
# ? Jun 17, 2015 01:45 |
|
> Zero VGS posted: The top admins even went in and tried to fix permissions and AD hierarchy and other stuff, to the point of mailing out an AD server to me that I was supposed to install in our server room and have no way to log in into.
|
# ? Jun 17, 2015 02:11 |
|
> KS posted: Separation of duties. No one should hold all the keys. The guys that write the software shouldn't do the deployments. The infrastructure guys maybe aren't the Windows admin guys. Configuration management should detect and report on changes to e.g. router or firewall configs. IT security should be independent and have a dotted line to report up to someone outside the IT org, and they should be watching audit logs.
|
# ? Jun 17, 2015 04:12 |
|
I think the future of security would be some kind of algorithmic "sanity check" kind of thing, like "okay, does this admin really really want to factory wipe every phone in the org?" or "hey why are a whole bunch of email accounts all getting saved into PSTs and moved to a flash drive all of a sudden?" Sort of like how Spiceworks notifies you when users install Dropbox, but for more weird poo poo along those lines. Like admins could tell all their horror stories and they'd all be compiled into various triggers that will pause the action and notify a group of admins, maybe attaching a screen recording of the last ten minutes of user activity that led up to that.
|
# ? Jun 17, 2015 04:53 |
|
|
# ? Jun 17, 2015 05:45 |
|
Hey Cortana, Delete all computer objects in the Domain Controllers OU.
|
# ? Jun 17, 2015 07:38 |
|
Also prison isn't a place computer nerds do well in
|
# ? Jun 17, 2015 11:40 |
|
> KS posted: Separation of duties. No one should hold all the keys. The guys that write the software shouldn't do the deployments. The infrastructure guys maybe aren't the Windows admin guys. Configuration management should detect and report on changes to e.g. router or firewall configs. IT security should be independent and have a dotted line to report up to someone outside the IT org, and they should be watching audit logs.

So how do you deal with this at smaller companies though where you often have one engineer who knows everything and everyone relies on. Even in medium companies. Usually these IT departments are too small for real silos or separation of duties. We have this problem as well, but I'm the guy who has all the keys. Our department is 10 people but most of them are junior and I can't see a scenario where I wouldn't have access to something because as the architect I often have my hands in all of the pots a bit to help guide them and make sure things are being done according to plan.
|
# ? Jun 17, 2015 12:16 |
|
> Zero VGS posted: I think the future of security would be some kind of algorithmic "sanity check" kind of thing, like "okay, does this admin really really want to factory wipe every phone in the org?" or "hey why are a whole bunch of email accounts all getting saved into PSTs and moved to a flash drive all of a sudden?"

You should be doing this now anyway. "Unusual" activity in logs should be flagged and forwarded to security folks who can look into it, for example an above average number of logins with domain admin credentials (and any interruption in logging to protect the integrity of that system). It's not going to stop admins from deleting everything on the spot, that's what disaster recovery procedures are for. But most security breaches are ongoing, and being able to catch that is valuable.
|
# ? Jun 17, 2015 12:57 |
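The two checks the reply above names (a spike in domain-admin logons, and a gap in the log feed itself) look like this in practice. This is an added Python example, not anything from the thread; the log format, the account names and the hourly baseline are all constructed, and the 4624/4634 event IDs are the standard Windows logon/logoff IDs.

```python
import re
import statistics
from datetime import datetime, timedelta

# Constructed sample: Windows logon (4624) / logoff (4634) events flattened to one line each.
# None of these hosts or accounts are real.
DOMAIN_ADMINS = {"CORP\\da-alice", "CORP\\da-bob"}
SAMPLE_LOG = [
    "2015-06-17T08:02:11Z EventID=4624 user=CORP\\da-alice logon_type=2 src=10.0.0.5",
    "2015-06-17T08:40:27Z EventID=4624 user=CORP\\jsmith logon_type=2 src=10.0.0.9",
    "2015-06-17T08:55:03Z EventID=4624 user=CORP\\da-bob logon_type=10 src=10.0.0.7",
    "2015-06-17T09:10:00Z EventID=4634 user=CORP\\da-bob logon_type=10 src=10.0.0.7",
    "2015-06-17T10:45:30Z EventID=4624 user=CORP\\jsmith logon_type=2 src=10.0.0.9",
] + [
    # Six network logons by one admin account inside a single hour: the spike to catch.
    f"2015-06-17T11:00:0{i}Z EventID=4624 user=CORP\\da-alice logon_type=3 src=10.0.1.{i}"
    for i in range(1, 7)
]
# Constructed baseline: domain-admin logons per hour observed over a quiet prior week.
BASELINE_PER_HOUR = [2, 1, 3, 2, 2, 1, 2, 3, 2, 1]

LOG_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+)")


def parse(line):
    """Returns (timestamp, event id, account) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), int(m["eid"]), m["user"]


def admin_logons_per_hour(lines):
    """Counts successful logons (4624) by domain-admin accounts, bucketed by hour."""
    counts = {}
    for ts, eid, user in filter(None, map(parse, lines)):
        if eid == 4624 and user in DOMAIN_ADMINS:
            hour = ts.replace(minute=0, second=0)
            counts[hour] = counts.get(hour, 0) + 1
    return counts


def spike_alerts(counts, baseline, k=3.0):
    """Hours whose admin-logon count exceeds the baseline mean by more than k standard deviations."""
    limit = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return [(hour, n) for hour, n in sorted(counts.items()) if n > limit]


def logging_gap_alerts(lines, max_gap=timedelta(minutes=60)):
    """Silent stretches longer than max_gap: a stopped forwarder or cleared log looks exactly like this."""
    stamps = [rec[0] for rec in map(parse, lines) if rec]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def run_detection(lines=SAMPLE_LOG, baseline=BASELINE_PER_HOUR):
    """Runs both checks; a real deployment would route the result to the security team."""
    return {
        "spikes": spike_alerts(admin_logons_per_hour(lines), baseline),
        "gaps": logging_gap_alerts(lines),
    }
```

On the sample this flags the 11:00 hour (six admin logons against a baseline of about two) and the 95-minute silence between 09:10 and 10:45; the baseline and the k multiplier are the knobs you tune per environment.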
|
Not sure if this is the right place for this, but can any of you recommend a decent network toner that isn't too terribly expensive? I started at a new position and I need to trace some network drops (and possibly phone lines in the future) since nothing is loving labeled. I'm not too experienced with these devices so I can't pick apart what's lovely from what's not, but I don't think my manager would approve anything above $200. One of my vendors recommended this Fluke IntelliTone 200 to me, but I've used this one in the past and it seemed kind of lovely. Any suggestions would be greatly appreciated.
|
# ? Jun 17, 2015 13:25 |
|
Generally anything made by Fluke is decent networking test equipment
|
# ? Jun 17, 2015 14:55 |
|
Has anyone confirmed one way or the other as to whether this cable (Google's USB-C to MiniDisplayport) will allow a 2015 Macbook to plug into a Thunderbolt display? I don't see why it wouldn't work but I'd rather not test it by buying a Macbook for someone with them expecting to be able to continue using their Thunderbolt display. Need dat gold Macbook.
|
# ? Jun 17, 2015 15:23 |
|
> syg posted: So how do you deal with this at smaller companies though where you often have one engineer who knows everything and everyone relies on. Even in medium companies. Usually these IT departments are too small for real silos or separation of duties.

In the US, many small businesses simply have to accept a higher risk than what the bigger ones are willing to accept as they do not have the investment available to mitigate those risks. It comes part and parcel with even the ideal case that they're innovating in some significant way: that innovation might work well or it might completely flop and the business goes bankrupt -- no one knows because no one has tested it before. By the same token, though, a small business typically has a much smaller impact if a big security breach occurs, and overall the destructive security breaches are a tiny, tiny, tiny fraction of them. If a small business gets its data stolen, they might just clean up and move on as if nothing had happened; news outlets might not even publish the story and they may not be legally obliged to disclose at all (often because they can't substantiate what even happened to make them eligible for mandatory reporting), so some affected customers may never even know.
|
# ? Jun 17, 2015 15:27 |
|
Has anyone used Binary Tree as a Domino/Exchange coexistence tool? I'm starting a huge project now where at a point in time we'll be using their solution as a step before full Domino-Exchange migration and I'm curious regarding stability and usability.
|
# ? Jun 17, 2015 15:34 |
|
No, but that sounds super interesting.
|
# ? Jun 17, 2015 15:39 |
|
> syg posted: So how do you deal with this at smaller companies though where you often have one engineer who knows everything and everyone relies on. Even in medium companies. Usually these IT departments are too small for real silos or separation of duties.

I work for a smallish web/pr agency of just under 30 people. I'm the only sysa/helpdesk/whatnot there, and thus obviously simply have access to *everything* that ever existed. It's just something your boss has to be comfortable trusting you with. I more worry about what will happen if I get hit by a truck tomorrow, tbh. I have everything documented as well as possible, and all the poo poo can still be accessed by my boss in a case of emergency in my absence, but having someone new fumble around for a week after I'm gone wouldn't be pretty
|
# ? Jun 17, 2015 15:44 |
|
> syg posted: So how do you deal with this at smaller companies though where you often have one engineer who knows everything and everyone relies on. Even in medium companies. Usually these IT departments are too small for real silos or separation of duties.

Generally my advice is to create and use lots of service accounts. But even then you run into the scenario of you or the head of IT being the only person with the credentials to use those accounts. I think it's still worth doing, as it can help mitigate some disasters. For instance if a junior sysadmin gets access to only one service account they can generally only mess up that one service not the entire organization.
|
# ? Jun 17, 2015 15:49 |
|
> BaseballPCHiker posted: Generally my advice is to create and use lots of service accounts. But even then you run into the scenario of you or the head of IT being the only person with the credentials to use those accounts. I think it's still worth doing, as it can help mitigate some disasters. For instance if a junior sysadmin gets access to only one service account they can generally only mess up that one service not the entire organization.

Plus when one gets locked out it doesn't blow up the entire environment. Use a password vault of some form. Non-enterprise grade ones are available for free (KeePass, PasswordSafe, LastPass) so there's no good reason not to use something.
|
# ? Jun 17, 2015 15:52 |
|
god damnit. I forgot how to audit login/logouts for accounts that validate against AD since I haven't done it in 2 years. Any suggestions? Looks like I'm starting to move into the "OK, what's going on, but set up easy reports" action for my supervisors.
|
# ? Jun 17, 2015 16:26 |
|
> ukrainius maximus posted: Not sure if this is the right place for this, but can any of you recommend a decent network toner that isn't too terribly expensive? I started at a new position and I need to trace some network drops (and possibly phone lines in the future) since nothing is loving labeled. I'm not too experienced with these devices so I can't pick apart what's lovely from what's not, but I don't think my manager would approve anything above $200.

That is the exact toner that I own and use. I've used the poo poo out of it over the last 4 years, and never had any problems.
|
# ? Jun 17, 2015 17:02 |
|
> Zero VGS posted: I think the future of security would be some kind of algorithmic "sanity check" kind of thing, like "okay, does this admin really really want to factory wipe every phone in the org?" or "hey why are a whole bunch of email accounts all getting saved into PSTs and moved to a flash drive all of a sudden?"

I've heard of some companies (notably Google) implementing something like this. Not specifically to stop malicious behavior, although it would do that, too. They'll figure out a baseline for what a "normal" change looks like, for example, adding some DNS records. If the change you're trying to make exceeds that threshold, you have to enter a manual "no really, I know what the gently caress I'm doing" override which might require approval from a Director or VP or something depending on the potential for damage. This prevents you from doing something incredibly dumb like deleting all DNS records, or setting them all to the same value, or whatever. It's a hard problem, and not something I've really seen built into off-the-shelf software. But other people are thinking about it.
|
# ? Jun 17, 2015 17:07 |
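The change-size gate the reply above describes, worked through for a DNS zone as an added Python example (not any real company's implementation): a baseline is built from how much of the zone past routine changes touched, a proposed change beyond that needs a confirmed override from the right tier, and the two specific blunders mentioned (deleting everything, pointing everything at one value) are caught explicitly. The zone, the change history and the Director/VP tiers are constructed assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import Optional

# Constructed zone of 20 A records, and a constructed history of what fraction of the
# zone each of the last ten routine changes touched (the "normal change" baseline).
ZONE = {f"host{i}.example.invalid": f"10.0.0.{i}" for i in range(1, 21)}
CHANGE_HISTORY = [0.02, 0.05, 0.03, 0.0, 0.05, 0.02, 0.04, 0.03, 0.05, 0.01]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    approver_needed: Optional[str] = None


def change_size(old, new):
    """Returns (records removed or altered, records in the zone before the change)."""
    removed = [name for name in old if name not in new]
    altered = [name for name in old if name in new and old[name] != new[name]]
    return len(removed) + len(altered), len(old)


def baseline_limit(history, k=3.0):
    """Largest fraction of the zone a change may touch without tripping the sanity check."""
    return statistics.mean(history) + k * statistics.pstdev(history)


def evaluate(old, new, history=CHANGE_HISTORY, override=None):
    """Routine changes pass; big ones need a confirmed override from the matching approver tier."""
    touched, total = change_size(old, new)
    fraction = touched / total if total else 0.0
    # Every record resolving to one value is the classic fat-finger outcome; gate it regardless of size.
    if len(new) > 1 and len(set(new.values())) == 1:
        return Decision(False, "every record would resolve to the same value", "VP")
    if fraction <= baseline_limit(history):
        return Decision(True, f"routine change: {touched}/{total} records touched")
    tier = "VP" if fraction >= 0.5 else "Director"
    if override and override.get("confirmed") and override.get("role") == tier:
        return Decision(True, f"{fraction:.0%} of zone touched, override confirmed by {tier}")
    return Decision(False, f"{fraction:.0%} of zone touched exceeds the baseline", tier)


def demo():
    """Four proposed changes against the constructed zone, with and without an override."""
    one_fix = dict(ZONE, **{"host7.example.invalid": "10.0.0.77"})
    four_moved = dict(ZONE, **{f"host{i}.example.invalid": f"10.0.2.{i}" for i in range(1, 5)})
    wipe = {}
    same_ip = {name: "10.0.0.1" for name in ZONE}
    director_ok = {"role": "Director", "confirmed": True}
    return {
        "one_fix": evaluate(ZONE, one_fix),
        "four_moved": evaluate(ZONE, four_moved),
        "four_moved_approved": evaluate(ZONE, four_moved, override=director_ok),
        "wipe": evaluate(ZONE, wipe),
        "same_ip": evaluate(ZONE, same_ip),
    }
```

With the constructed history the limit works out to roughly 8% of the zone, so a single record fix sails through while moving four records needs a Director and wiping the zone needs a VP.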
|
Another question for the thread: We've all heard about American workers being replaced by H1Bs, but what I don't understand is how this benefits the company. The U.S. Department of Labor enforces that H1Bs are paid at least equal to their local counterparts. So, where's the cost savings? Sure, you can say there's job title manipulation but that's an employer committing fraud, and if you look up salaries on h1bdata.info they're often in line with local wages. Where's the benefit?
|
# ? Jun 17, 2015 17:38 |
|
> Tab8715 posted: Another question for the thread,

I have no idea where h1bdata.info gets their data from but it doesn't seem like close to reality. The H1Bs I have known weren't paid equal and it is not enforced even remotely well, if at all. You also aren't thinking about the power that a company has over an employee with a visa. They have more to lose when they get fired.
|
# ? Jun 17, 2015 17:45 |
|
|
> Tab8715 posted: Another question for the thread,

H1Bs don't have to be paid equal to the same job title worked by native workers, they just can't be paid less than the minimum wage plus a bit honestly.
|
# ? Jun 17, 2015 17:53 |