Chris Knight posted: lomarf lol at not having any sort of middleware at all and just letting the devices upload straight to s3, what could possibly go wrong

# Dec 28, 2018 00:22

# May 9, 2024 00:32

"intent is important, there was no intent here" I say over email

# Jan 2, 2019 03:52

Wiggly Wayne DDS posted: man last year had a lot of issues huh

lmao at this how the gently caress do you even get to the stage where any GET parameters are passed to a shell there's not even a trick there where it's exploiting some handling or anything it's just literally ?Run this command

# Jan 2, 2019 03:57

Powerful Two-Hander posted: good to see the speed running community are still setting new times in Hitman

# Jan 19, 2019 07:55

Shame Boy posted: oh i see they had a charity raffle or something, ok. and i'm sure the prizes are completely normal and not at all wei-

this seems hideously unprofessional tbf what you do in your own time is cool but it's a bit weird having dildo auctions one degree of separation away from a work conference unless I've been going to the wrong conferences

# Jan 25, 2019 12:12

Shifty Pony posted: https://twitter.com/chronic/status/1090399087827083264

This is absolutely mental, they need to be strung up for doing this lest other people try the same poo poo. It is absolutely totally unreasonable to expect anyone outside of IT people (and even most IT people) to understand the implications of importing a root certificate onto a device.

# Jan 30, 2019 05:35

Methanar posted: On the other hand, lol at interacting with anything named Facebook Research

the ad campaign to get people to sign up was specifically targeted at Instagram users aged 13-17 i mean you'd be hard pressed to come up with a less ethical practice. Facebook needs to go.

# Jan 30, 2019 06:08

Shame Boy posted: pretty much their selling point is "instead of a master password, you select a sequence of pictures, and pictures are unhackable!"

The good thing about it being pictures is you don't have to hash the passwords because they aren't passwords they are pictures ya bozo for your cyberhealth

# Feb 25, 2019 23:49

something awful is extremely cool and good when compared to all the other online social outlets. that's not to say it's good in comparison to literally anything else but when it goes down I'll miss having a place I can read posts from people that seem like normal human beings, that is there are some good some bad and some gross. I'm on reddit because some of the tech communities there aren't bad but they are still full of weirdos and children because it's not a safe space to call people out for being stupid as hell

# Mar 15, 2019 05:21

Pile Of Garbage posted: not sure how much of a secfuck this is but it seems kinda dumb: earlier this month the notepad++ dev posted about how he had tried to get a new code signing cert but in the end he gave up because apparently it was too hard and code signing is just an "overpriced masturbating toy" and everything has been fine for years so why even? https://notepad-plus-plus.org/news/notepad-7.6.4-released.html

what's with OSS (or in this case shareware I guess) devs being so loving snarky in public? I do as much oss dev as my free time allows and man my code sucks because I don't have enough time and money to make it not suck. I don't talk poo poo about other software because it probably has the same issues. Seems like common sense to me?

# Mar 18, 2019 02:50

micro segmentation in the network is an incredibly dumb idea at best and actively detrimental to security at worst. I can make an effort post if required on this. the only thing in that space that looks like it could work atm is something like Consul which is, effectively, a bunch of ssl tunnels between your application components secured by client certs (as I understand it).

is anyone else here getting hammered by "data sovereignty" at work lately? Literally every meeting about a new architecture or application is stalled with 20 minutes of "where is the data located. why does it have to be located there. can we not have the data there???" for some stuff it makes sense definitely but it's literally anything, we had a meeting about loving github get held up like that. I've tried requesting the paperwork on where, when, and why it's important but I never hear anything back besides very vague theoretical situations that border on conspiracy theories and in some cases literal xenophobia.

# Mar 23, 2019 04:14

it definitely matters a lot where you put data in certain circumstances, especially with personal data, but what I've seen in the last maybe 12 months is a huge increase in the amount of times it's mentioned and it's never backed up or put into writing anywhere. At this point it feels like an excuse to get out of doing work, to be honest. And while work-avoidance is fine by me just don't achieve it by creating a bunch of useless work for other people in the process imo

On micro-segmentation - the biggest problem with it is that it relies on your ability to categorise your systems so they can be sorted into network segments and have policy applied to them. This is a very easy job on the surface but an extremely arduous and potentially impossible job in reality. This is because of a number of factors but I think the primary reason is that most networks of a reasonable size don't have a lot of homogeneity between systems. All of the tiny little differences can and will be referenced as a reason to increase the level of segmentation in the network or relax the policy, both of which will require a lot of human intervention to make reality.

For instance, you might start by making a segment for all your database servers. You allow all the *SQL ports through to it from your app servers. However, someone wants to install a mongodb server. Now, do you update the policy to also permit the mongo ports, potentially creating attack vectors to all of the other servers in the segment? Do you make a bespoke rule just for the mongo server? Do you put it on its own "web-scale" segment? There's a bullet full of work in every chamber! Very quickly either the policy or the network (or both, in some circumstances) will become hilariously over-complicated. Luckily, by this point, VMWARE or CISCO or whoever sold you on the micro-segmentation piece are well on their way out the door.

If you read that and thought "well sure, only if you're some sort of stupid dumb dumb idiot who doesn't know how to automate stuff" not so fast hot stuff - all those changes I mentioned previously are extremely hard to automate because it involves loving with network gear which sits on the scale of terrible -> literally impossible even in this day and age. Generally it's fairly easy to use automation to stand up new stuff but ongoing cleanups and sanity-checking requires a lot of complicated logic that is hard to implement - ask anyone who is using Ansible (for example) for network automation how they detect and then clean up stuff when it's decommissioned and you'll get some interesting responses. Can you guess what happens when new changes are easy to automate but old policy is very hard to get rid of?

Can it ever work? Actually, yes, in the following scenarios:

- you don't give a gently caress about denying new systems access to the network i.e. Tax office, Defense, banks. Using the mongo example, whoever tried to pull that one would get flat out rejected with a 'we don't use mongodb, that is not supported.'
- you have a very narrow suite of applications you support and you know exactly how they work i.e. Google, Facebook. These places can get away with it because they can make massive sweeping generalisations like "if your app won't work through a forward proxy then it's not allowed on the network"
- you are a service provider who doesn't implement policy above layer 3, i.e. the entire point of segmentation is to keep customer IP space from communicating with each other when it's inside your environment.

So if someone asks you about why you aren't deploying ACI or NSX or good ol' 4096 vlans with a firewall between 'em, the best response is to talk about all the other, far better and more productive things you could be spending that time on.

If you are concerned about your hosts being vulnerable to east-west attacks, you should be targeting the hosts themselves FIRST to determine where the concern lies. 9/10 times I've had this conversation it has brought up some extremely stupid/irresponsible design decisions like "oh well this application uses a version of apache that has a bunch of active vulnerabilities in it, that's why we wanted to make sure it was segmented off because we don't want to patch it". In other words, micro-segmentation is often proposed as a solution to operational problems that should not exist in the first place.

# Mar 24, 2019 09:12

crazypenguin posted: I'm about to accept (I think) a new job where my task might be to fix this mess for the whole industry. I'd say more, but I don't really know yet and/or am under NDA.

The issue is vendors can't get their poo poo together when it comes to interfacing with their operating systems. I don't expect everyone to agree on a single API spec but at least some standard methodology for device configuration beyond "use the CLI" needs to happen. The leading vendors like Juniper/Palo support a HTTP API and because of that, they are relatively easy to program around - the configuration schema is real gross though because it's written with a lot of technical debt saddling it, so you get calls like this:

code:

If you're writing middleware loving r.i.p seriously welcome to a literal nightmare. If you're writing a NOS or NOS software then you have a chance. The ideal solution would be a NOS that provides:

- stateless configuration files (think Apache or Nginx style)
- A REST api (JSON or XML)

# Mar 24, 2019 20:44

Methanar posted: sudo iptables -A PREROUTING -t nat -p tcp --dport 3306 -j REDIRECT --to-ports 27017

This illustrates the other issue which I didn't even mention; firewalls are poo poo garbage at actually restricting access and most micro-segmentation implementations don't even go above L4. This is the level of policy you achieve after spending x million of dollars on the solution lmao

# Mar 25, 2019 00:32
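The REDIRECT rule above is the whole argument in one line: a destination-port rule cannot tell MySQL from MongoDB once something else is answering on 3306. As an added example (not from the thread or from any vendor's product), here is a small Python check that classifies a stream by its first bytes instead of by port and flags flows whose observed protocol does not match what the port policy assumes; the POLICY map and the byte samples are constructed for this example.

```python
"""Port-based allow rules vs. what is actually on the wire.

"allow tcp/3306 from app tier to db tier" is an L4 statement; after the
REDIRECT quoted in the thread, MongoDB answers on 3306 and the rule is still
satisfied. Looking at the first bytes of each stream is one way to notice
that an allowed port is carrying a different protocol than the policy says.
"""
import struct

# What the segmentation policy assumes each port carries (constructed for this example).
POLICY = {3306: "mysql", 27017: "mongodb"}

# MongoDB wire-protocol opcodes a client may open a stream with.
MONGO_OPCODES = {2004: "OP_QUERY", 2013: "OP_MSG"}


def identify(first_bytes: bytes) -> str:
    """Guess the protocol from the first bytes sent on a TCP stream."""
    if len(first_bytes) >= 16:
        # MongoDB header: messageLength, requestID, responseTo, opCode (int32 LE).
        msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", first_bytes, 0)
        if opcode in MONGO_OPCODES and msg_len == len(first_bytes):
            return "mongodb"
    if len(first_bytes) >= 5:
        # MySQL packet: 3-byte LE length, 1-byte sequence id, then payload.
        # The server greeting is packet 0 and its payload starts with protocol version 10.
        pkt_len = int.from_bytes(first_bytes[0:3], "little")
        seq, proto = first_bytes[3], first_bytes[4]
        if seq == 0 and proto == 0x0A and pkt_len == len(first_bytes) - 4:
            return "mysql"
    return "unknown"


def check_flow(dst_port: int, first_bytes: bytes) -> dict:
    """Compare the policy's assumption for dst_port with what the stream looks like."""
    expected = POLICY.get(dst_port, "unknown")
    observed = identify(first_bytes)
    return {"port": dst_port, "expected": expected, "observed": observed,
            "mismatch": observed != expected}


# Constructed samples (not captured traffic): a MySQL server greeting and a Mongo OP_MSG.
_MYSQL_BODY = b"\x0a" + b"5.7.0\x00" + struct.pack("<I", 42) + b"abcdefgh\x00"
MYSQL_GREETING = len(_MYSQL_BODY).to_bytes(3, "little") + b"\x00" + _MYSQL_BODY
_MONGO_BODY = struct.pack("<I", 0) + b"\x00" + b"\x05\x00\x00\x00\x00"  # flags, section 0, {}
MONGO_OP_MSG = struct.pack("<iiii", 16 + len(_MONGO_BODY), 1, 0, 2013) + _MONGO_BODY

if __name__ == "__main__":
    for port, data in [(3306, MYSQL_GREETING), (3306, MONGO_OP_MSG), (27017, MONGO_OP_MSG)]:
        print(check_flow(port, data))
```

Note that MySQL's server speaks first while a MongoDB client speaks first, so "first bytes" means whichever side opens the conversation; an L4 rule sees neither.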

Methanar posted: lmao you can beat packet inspection with like netcat and sed

my point was regardless of what layer you are doing "firewalling" it's always terrible but the microseg solutions don't even try going above layer 4 so it's even worse than usual

# Mar 25, 2019 00:52

BangersInMyKnickers posted: it's pretty trivial if you have things documented (you should) and you're using a process-aware firewall (you should). don't make excuses for creating vulnerable zones with a bunch of unchecked layer 2 traffic

Show me a "process aware" firewall that works accurately and I might agree with you. You should not use micro-segmentation as a way to avoid good security practices on your endpoints. If you do that already, microsegmentation will gain you little if any practical benefit for a massive increase in complexity and a decrease in the performance of your network. Essentially, if you consider traffic between two endpoints on the same vlan "unchecked" you've already hosed up

# Mar 25, 2019 03:15

ewiley posted: I don't get the hate for microsegmentation, I mean it's already baked-in to AWS and Azure, NSX is expensive but it's not insanely complex to implement once you get past the vSwitches that you should be using anyway.

aws and azure are infinitely easier to manipulate than network firewalls. If you really think it's worth popping a firewall between nodes on the same segment for whatever reason my argument is that it's far more transparent to implement it at the OS layer rather than the hypervisor or network.

yoloer420 posted: Little Snitch my man! Or alternately windows firewall. Whatever works for you.

I meant network firewalls, I should have clarified. EDRs like carbonblack also offer some pretty impressive network flow collection which tie network traffic to processes, users, etc.

# Mar 26, 2019 10:15

ErIog posted: Thirding this. All configuration is a transition from some state to another state, and the concept of idempotence with regard to configuration just seems like either pretending the starting state doesn't exist or implicitly assuming a known clean starting state. I like Ansible for configuration automation, but the idempotent paradigm is stupid and I don't use it.

I thought I was stupid or that I must have been using Ansible wrong. I may still be stupid, but it seems pretty clear to me after a few years of using it that Ansible itself misunderstands the nature of their own project. it seems to me that a key part of Ansible is to discourage people writing their own code, evidenced by the plugin system that actually works perfectly well but is completely 100% undocumented. I used ansible for a bit over two years and I went back to shell/python scripts because it's just easier by every possible metric. The real massive win for me was, during that time, becoming comfortable with CD and various tooling to accomplish that.

# Mar 28, 2019 22:15

you aren't wrong but the issue I found was that you still run into the same logic issues you would coding it but ansible doesn't give you many ways to resolve them without it becoming unreadable

people are cooling off on ansible in a big way as well, everyone I know that was all over it 1-2 years ago have ditched it or are actively looking for alternatives

# Mar 29, 2019 01:11

fuckin lmao

clowns: "hi, we're about to install some ERP software on your network. we need a windows server with outbound filesharing, rdp, and SQL ports."

IT people: "Uh what? no? That's hideously insecure and a terrible idea"

clowns: "goddamn time wasting IT staff!! Why is it the same story with every single customer!!! Nothing but time wasters!!!"

# Mar 29, 2019 01:46

secure network, no inbound RDP.

Oh these IT timewasters got this all screwed up

Secure network? No, inbound RDP!

# Mar 29, 2019 09:14

you can pause any openSSH session by hitting enter and then ~. I find a combination of that and a couple of putty windows is pretty good!

# Mar 30, 2019 04:46

I agree that gender is a bad term so I organised a "sex reveal party" for my son and let me tell you we had some miscommunications

# Apr 4, 2019 08:25

Had an interesting meeting with a cybersec researcher yesterday and apparently:

- cybercrime is now a 1.3 trillion dollar industry
- the official word from interpol is that they don't give a gently caress about any amount less than 1 million dollars being stolen electronically and they have no known way of tracking individuals so as long as every individual amount stolen is less than that you're gucci
- the biggest emerging threat to business is literally randomly invoicing people and something called ego-phishing, which is where you send out invites for speaking arrangements at conferences (with a one time administration fee of course).

computers make you stupid, i guess. He went through a bunch of the most sophisticated attacks he'd seen and they were all variations of "make user click this button that owns all their poo poo"

# Apr 4, 2019 22:01

DELETE CASCADE posted: we've gotten those fake invoices sent to our head of finance with the body text and headers faked to look like it was coming from the ceo, they're pretty slick

We get those as well. The most sophisticated actors will either buy a compromised email server or try to first compromise a legitimate-but-poorly-run business and then use it as a jumping off point. We had an office supply invoice that looked identical to a real one, except it was for chairs that never existed. But this is apparently way too much work for most and it's equally as effective to send a wide lovely net

The other interesting thing was how much he stressed that, based on the outcomes of their research, they had determined without a shadow of a doubt that there existed multiple large entities out of only a small number of countries that were hacking people for no reason other than to cause political destabilization and globally, nobody seems to care about this

# Apr 4, 2019 23:43

Varkk posted: The false invoice scam is not new. When fax machines first came out people were faxing false invoices and demands for payment. Even better is half the time local cops say it is a civil matter and won't get involved. You don't even need

Apparently it's big time on the rise and has usurped all other forms of attack for campaigns that are monetarily motivated

# Apr 5, 2019 01:00

Cocoa Crispies posted: refresh me, what's an F5?

Nailed it

# Apr 7, 2019 07:07

there's not really any vendor that does everything like cisco does so unless you want to manage 4-5 different network operating systems just to keep the lights on it's a pretty good sell regardless of how terrible it is

# Apr 7, 2019 22:58

juniper makes good routers which is why they are big in the telco space, where you need big routers and little else. cumulus and arista have taken over modern data centres so I would say you're pretty much spot on (enterprise/corporate is still a massive space ofc)

# Apr 8, 2019 09:46

Lutha Mahtin posted: this is something that security researchers deal with all the time, even for malware that doesn't come on a piece of hardware. a decent malware writer has checks in their code to figure out if it might be running in a test environment, and it will refuse to do its tricky bits if it thinks this is the case

I liked the one that was flash embedded in a word document and they put it on the third page so it would never be picked up by sandboxing but it had an extremely high hit rate with actual people because if you see more than one blank page the first thing you do is scroll down

# Apr 8, 2019 22:46

Stolen cars are used for crimes all the time because contrary to popular belief cops don't give a gently caress about people stealing your poo poo

# Apr 17, 2019 23:22