Bulgakov
Mar 8, 2009


рукописи не горят

reading a few of those posts tho the people don’t seem so smart about using computers and at least one I found ended up being someone being reminded they had logged in once upon a time with their own apple id

not gonna put anything past tim, tho!

big shtick energy
May 27, 2004


yeah I mean on the one hand software is garbage

on the other hand idiots REALLY want to share apple IDs. like it is their favourite thing

Bulgakov
Mar 8, 2009


рукописи не горят

it’s pretty understandable that regular people might not understand how the keychain model works tho. it’s not the most intuitive.

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

infernal machines posted:

i wonder if this is related to their wifi password sharing mechanism, just you know, all of the keychain rather than that specific subset

gently caress that stupid mechanism

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD
The wifi password sharing thing is a good feature in theory but for how many people do you have their apple ID email address stored to their contact card?

Agile Vector
May 21, 2007

scrum bored



~Coxy posted:

The wifi password sharing thing is a good feature in theory but for how many people do you have their apple ID email address stored to their contact card?

i think it works for numbers attached to apple ids as well since we were signing into a new corporate wifi network at work and my phone offered to share the password to my coworker and all i have is his phone and work details

~Coxy
Dec 9, 2003

R.I.P. Inter-OS Sass - b.2000AD d.2003AD
huh; I've only ever had it work once in my life so I assumed that was the limitation. (I guess it's even more mundane than that and the answer is it just doesn't work all that well.)

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


toiletbrush posted:

My project at my last job got audited twice.

The second one was pretty cool though - it turned out some of our code fell under some sort of gambling law in Australia that meant the code had to be audited to make sure it met some particular set of criteria. The auditors not only pointed out a bunch of issues with the code in question but also did a really good job of explaining exactly why it was wrong and exactly how to fix it.

i have had auditors do an actual code review twice, the first one flagged legit stuff which I respect and we fixed. the second said "oh, this is more complicated than I thought it would be" and we never heard anything again.

Bulgakov
Mar 8, 2009


рукописи не горят

Powerful Two-Hander posted:

...

the second said "oh, this is more complicated than I thought it would be" and we never heard anything again.

lmao

ewiley
Jul 9, 2003

More trash for the trash fire

Powerful Two-Hander posted:

serious question: how do people handle account password changes for services or process that depend on the account for access to resources?

currently our most common approach is "disable password expiry and leave it" but I was arguing with our "governance" department who wanted this to be changed but can't/won't provide any mechanism to manage it.

they either a) don't know that accounts can be used in multiple places and can be running continuous services that will fail if the pw expires or b) don't care and think that "manually re-enter creds" is the way to handle it even though that will inevitably lead to lock outs

i feel like there should be a way of doing it that doesn't involve someone getting the passwords in plaintext and running around typing them in though

edit: my thinking was that it's possible to do something in AD that handles this if the accounts are set to logon as a service but idk if I'm making that up or not

Chiming in to support gMSAs for Windows services, they're a very tidy solution and also are very easy to audit if your service supports them. If you've got CyberArk, Thycotic, or PMP they generally have services that are installed on the server to manage service account passwords and even restart services/IIS processes after a password change if needed, so no typing passwords etc, just give the service access and pray it doesn't get compromised. These tools are usually very good at producing audit reporting that auditors like (like who has access to certain account passwords stored in the vault, logs of authorizations to access them, and scripts to change them, etc).

Look into Azure Key Vault for credentials for your cloudy services if you run Az; scripts can consume credentials, private keys, etc without actually exposing them directly. They also produce lots of reporting with respect to key changes and who has access to creds, logs of accesses, etc.
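An added example (not ewiley's or anyone else's code from the thread) of what the gMSA route above looks like end to end: the domain, host and account names are placeholders, and the point is that the password is retrieved and rotated by AD rather than typed by a person.

```powershell
# Added example, not from the thread. Placeholder names: domain "corp.example",
# host "APP01", gMSA "svc-worker", host group "svc-worker-hosts".
# Needs the ActiveDirectory module and domain-admin rights on a DC.

# One-time, per forest: the KDS root key that gMSA passwords are derived from.
# -EffectiveImmediately still waits ~10 hours before other DCs use the key.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Restrict which hosts may fetch the password: a security group, never "everyone".
New-ADGroup -Name "svc-worker-hosts" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "svc-worker-hosts" -Members (Get-ADComputer "APP01")

# Create the gMSA. AD rotates the password on the interval given here
# (30 days is the default; it can only be set at creation time).
New-ADServiceAccount -Name "svc-worker" `
    -DNSHostName "svc-worker.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword "svc-worker-hosts" `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128,AES256

# On APP01 (after a reboot so its new group membership is in its token):
Install-ADServiceAccount -Identity "svc-worker"
Test-ADServiceAccount -Identity "svc-worker"   # True once the host can retrieve the password

# Point the service at the gMSA: account name ends in "$", password is left empty.
sc.exe config "MyWorkerService" obj= "CORP\svc-worker$" password= ""

# Audit check for the governance people: which principals can pull each gMSA password?
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```

Expiry never needs disabling here because nobody, including the admin, ever knows the password; the only thing to review is membership of the host group.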

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Powerful Two-Hander posted:

the second said "oh, this is more complicated than I thought it would be" and we never heard anything again.

Doing my code reviews I see.

cinci zoo sniper
Mar 15, 2013

Volmarias posted:

Doing my code reviews I see.

watch out, we have a 10x coder over here

Vomik
Jul 29, 2003

This post is dedicated to the brave Mujahideen fighters of Afghanistan
*smugly* yeah it’s written in brainfuck

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
I never said the code was any good.

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


gMSAs are bang on the solution we need for this, I look forward to nothing happening to implement this just like the last few times I've submitted tangible improvements that would actually fix security issues as opposed to just writing "we are secure" on a piece of paper which is the current approach

Volmarias posted:

I never said the code was any good.

woah where did you get my response to the reviews of my code?

j/k nobody reviews my code

Powerful Two-Hander fucked around with this message at 18:12 on Nov 11, 2019

Jowj
Dec 25, 2010

My favourite player and idol. His battles with his wrists mirror my own battles with the constant disgust I feel towards my zerg bugs.

Powerful Two-Hander posted:


j/k nobody reviews my code

same :negative:

mystes
May 31, 2006

A+++ would compile again.

Tankakern
Jul 25, 2007

mystes posted:

A+++ would compile again.

Perplx
Jun 26, 2004


Best viewed on Orgasma Plasma
Lipstick Apathy
same

i don't even have another coworker that can even read code let alone help me write it or review it

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

mystes posted:

C+++ would compile again.

mystes
May 31, 2006

Captain Foo posted:

C+++ would compile again.
Oh sure, it will compile.

Methanar
Sep 26, 2013

by the sex ghost
My code reviews regularly have nitpicky bullshit that makes absolutely no difference and have things denied because 'ehh idk just not feeling it' or 'this isn't exactly how I would have done it'



:cool:

Methanar
Sep 26, 2013

by the sex ghost
I'm the fuckup. I just deleted a terraform statefile that I needed and now I need to go through and manually find and delete like 80 resources.

:waycool:

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Methanar posted:

I'm the fuckup. I just deleted a terraform statefile that I needed and now I need to go through and manually find and delete like 80 resources.

:waycool:

Terraform is really good because you can instantly delete or corrupt days worth of work

Methanar
Sep 26, 2013

by the sex ghost

abigserve posted:

Terraform is really good because you can instantly delete or corrupt days worth of work

Yeah it's great. I have some general support terraform that creates the s3 bucket that holds the remote statefiles of other relevant projects and our naming is hosed so I actually did the initial support terraform stuff wrong which cascaded down into several naming conventions being incorrect. okay so I'll redo the support terraform because that's first and then the sub project terraform oh woops I can't destroy the sub project terraform because I already destroyed the bucket holding the state lol

Hed
Mar 31, 2004

Fun Shoe

abigserve posted:

Terraform is really good because you can instantly delete or corrupt days worth of work


According to myth, cryptolocker can destroy in six days. Now watch out! Here comes Terraform, we'll do it for ya in six minutes.

Methanar
Sep 26, 2013

by the sex ghost
I hate manually fixing corrupted TF states. Something about instances recreating cloudwatch log groups as soon as they log anything which terraform freaks out about and same for the abomination affront to god that is every component comprising iam.

e;

code:

1 error occurred:
	* module.worker-pool-general.aws_cloudwatch_log_group.worker_pool: 1 error occurred:
	* aws_cloudwatch_log_group.worker_pool: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
	status code: 400, request id: b92407ea-d38f-416d-8fd8-d87b132fdd04:
gently caress

ee;

I made a mistake and instantiated two modules that were too similar and ended up both creating the same assets indirectly with the same names - due to being too similar - while the creation of the resources twice was indirect in such a way the fact there were 2 was not computable by the graph engine

code:
Apply complete! Resources: 88 added, 0 changed, 0 destroyed.
piece of poo poo

tldr i regret everything i've ever done to arrive to this moment

Methanar fucked around with this message at 08:12 on Nov 12, 2019

Chris Knight
Jun 5, 2002

me @ ur posts


Fun Shoe
did you instantiate the babby?

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug
terrorform

Blinkz0rz
May 27, 2001

MY CONTEMPT FOR MY OWN EMPLOYEES IS ONLY MATCHED BY MY LOVE FOR TOM BRADY'S SWEATY MAGA BALLS

Methanar posted:

I hate manually fixing corrupted TF states. Something about instances recreating cloudwatch log groups as soon as they log anything which terraform freaks out about and same for the abomination affront to god that is every component comprising iam.

e;

code:

1 error occurred:
	* module.worker-pool-general.aws_cloudwatch_log_group.worker_pool: 1 error occurred:
	* aws_cloudwatch_log_group.worker_pool: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
	status code: 400, request id: b92407ea-d38f-416d-8fd8-d87b132fdd04:
gently caress

ee;

I made a mistake and instantiated two modules that were too similar and ended up both creating the same assets indirectly with the same names - due to being too similar - while the creation of the resources twice was indirect in such a way the fact there were 2 was not computable by the graph engine

code:
Apply complete! Resources: 88 added, 0 changed, 0 destroyed.
piece of poo poo

tldr i regret everything i've ever done to arrive to this moment

you can import existing resources to reconcile state rather than destroying and rebuilding

Blockade
Oct 22, 2008

Powerful Two-Hander posted:

j/k nobody reviews my code

:same:

Though a third party auditor they brought in did review some of my code once, his first question was "... so why did you do this?"

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Absurd Alhazred posted:

Soldiers with top-secret clearances say they were forced to use an app that could endanger them


quote:

In late October, the commander of Fort Hood’s 504th Military Intelligence Brigade told her soldiers a new app could solve a lot of their communication issues.

It could relay information on weather, training changes and other logistics, Army Col. Deitra L. Trotter said. She then told the soldiers to download it onto their personal smartphones, according to the Texas-based soldiers in the unit.

But the soldiers — many of whom hold top-secret clearances with jobs in interrogation, human intelligence and counterintelligence — soon noticed that the app’s terms of service said it could collect substantial personal data and that the developer has a presence overseas.

That prompted concerns that sensitive data of intelligence soldiers could be harnessed by adversary governments, putting individuals and missions worldwide at risk, soldiers in the unit told The Washington Post.

“We do top-secret work,” said one noncommissioned officer, who like others spoke on the condition of anonymity out of fear of retribution by their chain of command. “If our personal information is being put out there to a foreign power, what can they get from our brigade?”

...

The concern among service members circulated on Reddit and the Army WTF! moments Facebook page, a popular digital hangout for soldiers. Soldiers deleted the app in revolt. Trotter called another formation Wednesday to address the controversy, admonishing whomever talked about the issue online, soldiers in the unit said.


:hmmyes:

My favorite blurbs

quote:

The app developer, Straxis LLC, is based in Tulsa but has a subsidiary in southern India. User data wasn’t stored on foreign servers and third parties do not have access to data, a company spokesperson said.

Questions about security reviews during development, what user data was collected and development costs were referred to the 504th Military Intelligence Brigade, which did not address them or make Trotter available.

quote:

The app was later removed from both Apple’s App Store and the Google Play Store.

The app was removed for a “preplanned maintenance update” and will return to the app stores

Lmao

Stabby McDamage
Dec 11, 2005

Doctor Rope
https://krebsonsecurity.com/2019/11/retailer-orvis-com-leaked-hundreds-of-internal-passwords-on-pastebin/

Krebs posted:

a file containing a staggering number of internal usernames and passwords for Orvis had been posted to Pastebin.
...
this enormous passwords file was actually posted to Pastebin on two separate occasions last month
...
For instance, included in the Pastebin files from Orvis were plaintext usernames and passwords for just about every kind of online service or security product the company has used, including:

-Antivirus engines
-Data backup services
-Multiple firewall products
-Linux servers
-Cisco routers
-Netflow data
-Call recording services
-DNS controls
-Orvis wireless networks (public and private)
-Employee wireless phone services
-Oracle database servers
-Microsoft 365 services
-Microsoft Active Directory accounts and passwords
-Battery backup systems
-Security cameras
-Encryption certificates
-Mobile payment services
-Door and Alarm Codes
-FTP credentials
-Apple ID credentials
-Door controllers

The Orvis credentials file even contained the combination to a locked safe in the company’s server room.

The only clue about the source of the Orvis password file is a notation at the top of the document that reads “VT Technical Services.”

You can read between the lines and imagine the exact mixture of incompetence that led to this.

Vomik
Jul 29, 2003

This post is dedicated to the brave Mujahideen fighters of Afghanistan

Blockade posted:

:same:

Though a third party auditor they brought in did review some of my code once, his first question was "... so why did you do this?"

response: why not?

auditor: ok great seems reasonable think we have all the docs we need.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Vomik posted:

response: why not?

auditor: ok great seems reasonable think we have all the docs we need.

"because it is in compliance with our documented policy"

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


Stabby McDamage posted:

https://krebsonsecurity.com/2019/11/retailer-orvis-com-leaked-hundreds-of-internal-passwords-on-pastebin/


You can read between the lines and imagine the exact mixture of incompetence that led to this.

i hope that locked server room safe has a gun in it to ensure data destruction in the event of compromise

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


oh and password/gMSA update: it pinged around a bit to a guy I know who went "yeah, just set it to non expire that's the standard process, I know it sucks but whatcha gonna do?"

apparently as long as i personally don't know the pw and we could in theory change it if we had to it's deemed OK :negative:

Rooney McNibnug
Sep 2, 2008

"Life always hopes. When a definite object cannot be outlined, the indomitable spirit of hope still impels the living mass to move toward something--something that shall somehow be better."

ratbert90 posted:

HOO loving BOY!

SADDLE UP BOYS! It's time for ~*~*SECURITY AUDIT*~*~ SEASON!

The company doing the audit? They want our AWS server private keys.

What the gently caress? Why do you ask?
Because they use Alienvault which needs a private key!
Fine I say, how about YOU generate a private key and give us your public key, then I can add you to the authorized_keys of our servers.
The result is the email chain so far:

I'm sorry, I just wanted to say please inject this type of horrible poo poo directly into my veins :five:

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


Stabby McDamage posted:

https://krebsonsecurity.com/2019/11/retailer-orvis-com-leaked-hundreds-of-internal-passwords-on-pastebin/


You can read between the lines and imagine the exact mixture of incompetence that led to this.

my_passwords.txt

cinci zoo sniper
Mar 15, 2013

semi serious question: let’s say that one is to buy a custom-built online shop software. what are some it security things that should be asked to the vendor, who may also be the initial system administrator for some period of time?
