|
Zero VGS posted:Nah, I use security groups in AWS so that only our whitelisted office IPs can communicate with the PBX. Dear lord almighty.
|
# ? May 22, 2020 16:15 |
|
I don’t have the words
|
# ? May 22, 2020 16:16 |
|
Zero VGS posted:Nah, I use security groups in AWS so that only our whitelisted office IPs can communicate with the PBX. Hahahaha
|
# ? May 22, 2020 16:19 |
|
What amazing exploit are you guys coming up with for a server that can't hear from anything except the physical desk phones in our physical offices?
|
# ? May 22, 2020 16:22 |
|
I can guarantee that you are making a bad assumption there.
|
# ? May 22, 2020 16:22 |
|
wolrah posted:Uh, there have definitely been some important patches in that time period that you should have which require a reboot to install. Whoo boy there sure have been. Bypass-auth remote code execution fix was only like 6 or 7 months ago even.
|
# ? May 22, 2020 16:26 |
My boss would agree if that helps. "All security is network based"
|
|
# ? May 22, 2020 16:27 |
|
I don't think a PBX would be very useful if it can only talk to the phones in your office and nothing else. I feel like there is an important step missing there in the network considerations. The good news is that unpatched PBXs are one of the highest-demand systems out there. They make good money.
|
# ? May 22, 2020 16:29 |
|
GnarlyCharlie4u posted:Whoo boy there sure have been.

I do remember one years back where you could actually hijack the IVR to make a call at the company's expense, so there was that one. Anyway no one is going to make it back into the office to use these phones for at least a year.

Sickening posted:I don't think a PBX would be very useful if it can only talk to the phones in your office and nothing else. I feel like there is an important step missing there in the network considerations.

Yeah and outbound to the SIP trunk (which is in the same AWS datacenter). I have to manually top up the minutes so there's not much monetary exposure.
|
# ? May 22, 2020 16:31 |
|
Zero VGS posted:I do remember one years back where you could actually hijack the IVR to make a call at the company's expense, so there was that one. Anyway no one is going to make it back into the office to use these phones for at least a year. Seems like a great time to patch...?
|
# ? May 22, 2020 16:32 |
|
Zero VGS posted:What amazing exploit are you guys coming up with for a server that can't hear from anything except the physical desk phones in our physical offices? You're putting a whole lot of faith in AWS there. That point aside, if anything on your network is compromised, it's not terribly difficult for anyone to pivot from there and take complete control of your very vulnerable PBX. Also, how does your PBX make outbound calls if it can't reach the internet? E: beaten. ^^^
|
# ? May 22, 2020 16:33 |
|
Internet Explorer posted:Seems like a great time to patch...? That's what I was thinking but I kinda don't wanna give you nerds the satisfaction.
|
# ? May 22, 2020 16:33 |
|
Zero VGS posted:That's what I was thinking but I kinda don't wanna give you nerds the satisfaction. You don't have to worry, our opinions on how to do IT couldn't be further apart. Shine on you crazy diamond. [Edit: Just to be clear, "our" being mine and Zero VGS. Not trying to rope anyone else into this statement.] Internet Explorer fucked around with this message at 16:53 on May 22, 2020 |
# ? May 22, 2020 16:34 |
|
Zero VGS posted:That's what I was thinking but I kinda don't wanna give you nerds the satisfaction. loving lol
|
# ? May 22, 2020 16:35 |
|
Grandstream recently had an issue where the management login screen for some of their devices had a SQL injection vulnerability. Their forums filled up with people who had their systems hacked shortly before the problem was announced. It is amazing the amount of people who will expose such systems to the internet without any type of firewall. Why the hell would you allow the management interface to be publicly accessible!?
|
# ? May 22, 2020 16:35 |
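The injectable login check the Grandstream post above describes, as an added example that is not from the thread and not Grandstream's code: a constructed in-memory SQLite admin table, the vulnerable string-formatted query beside a parameterized version of the same check, and the two classic payloads that break the first one. The table, the account, and the constants TAUTOLOGY and COMMENT_OUT are made up for the demo; the password is stored in plaintext only to keep the point on the query, which is not how a real interface should store it.

```python
"""Injectable login check beside a parameterized one (constructed demo, not device code)."""
import sqlite3

# Constructed stand-in for a management interface's user table. Plaintext
# password here only so the query is the whole point; real code hashes them.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "correct horse battery staple"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (ADMIN_USER, ADMIN_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Untrusted input spliced into the SQL text: whatever the user types becomes
    part of the statement, so quotes and comment markers change its logic."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver passes the values separately,
    so a quote in the input is just a character in a string, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Two classic payloads. The first turns the WHERE clause into
#   username = 'admin' AND password = '' OR '1'='1'
# (AND binds tighter than OR, so the tautology wins); the second comments the
# password check out entirely:  username = 'admin'--' AND password = '...'
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "admin'--"


def demo() -> dict:
    """Run both checks against both payloads plus the honest credentials."""
    conn = setup_db()
    return {
        "vuln_tautology": login_vulnerable(conn, ADMIN_USER, TAUTOLOGY),
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "whatever"),
        "vuln_wrong_pw": login_vulnerable(conn, ADMIN_USER, "wrong"),
        "safe_tautology": login_parameterized(conn, ADMIN_USER, TAUTOLOGY),
        "safe_comment": login_parameterized(conn, COMMENT_OUT, "whatever"),
        "safe_real": login_parameterized(conn, ADMIN_USER, ADMIN_PASSWORD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The vulnerable function accepts both payloads with no knowledge of the password; the parameterized one rejects them and still accepts the real credentials. Exposing that login form to the internet, as the post complains, turns the first function into a one-request takeover.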
|
GnarlyCharlie4u posted:You're putting a whole lot of faith in AWS there. Trusting AWS on their security controls is actually well founded. Misusing those controls isn't their fault.
|
# ? May 22, 2020 16:39 |
|
Zero VGS posted:
You are putting a lot of blind trust in those networks. You are underestimating the level of exposure you put those systems into. Not patching the PBX is purposeful neglect.
|
# ? May 22, 2020 16:43 |
|
Speaking of networking, the network admins insisted I set up a host-based firewall on a new server, despite my weak protest that the campus-wide firewall was sufficient, as it was already restricting traffic to our building's subnet. They said, "Well what if somebody compromises one of your office computers and then uses it to attack your new server?" Ok, guys, I'll set up the host-based firewall that restricts traffic to the same subnet that the campus-wide firewall does, in case somebody finds their way onto that subnet and is therefore allowed through both firewalls anyway! Whatever.
|
# ? May 22, 2020 17:03 |
|
CPColin posted:Speaking of networking, the network admins insisted I set up a host-based firewall on a new server, despite my weak protest that the campus-wide firewall was sufficient, as it was already restricting traffic to our building's subnet. They said, "Well what if somebody compromises one of your office computers and then uses it to attack your new server?" There is some merit to what your network admin is asking. It's a really good habit to lock down remote access/management of your servers to only your bastions. Depending on how your network is set up, sometimes host-based firewalls are part of that locking down process. I usually would only advise this in instances where you can centrally manage them, like Windows Firewall for example. Does your building's subnet only have servers that should be the same logical network? Or is it workstations, servers, printers, and everything else as I would expect on a campus network VLAN/subnet?
|
# ? May 22, 2020 17:16 |
|
Sickening posted:
It's got everything on it. What the netadmins are asking is fine, it's just the justification that's silly, because anybody who's already gotten through the campus-wide firewall is obviously also going to get through a host-based firewall that has the same rules.
|
# ? May 22, 2020 17:25 |
|
I know we should be using them but everyone acted like I'd failed them when I said the only way they could access the firewall management was through a terminal server on the VPN instead of directly from their laptops.
|
# ? May 22, 2020 17:28 |
|
CPColin posted:It's got everything on it. What the netadmins are asking is fine, it's just the justification that's silly, because anybody who's already gotten through the campus-wide firewall is obviously also going to get through a host-based firewall that has the same rules. This isn't true and is a fairly outdated mindset. Individual servers and endpoints should have their own firewalls. Expecting the perimeter firewall to save you completely is not good. Read up on Zero Trust Architecture, Microsegmentation, etc. But it has been the case for a long, long time that your internal devices should have firewalls. Like, Windows XP SP2 days. Folks, good security is like an onion, it has layers.
|
# ? May 22, 2020 17:33 |
|
Also, I know everyone hates backups and they're never perfect but I absolutely cannot stand awful backup setups. I feel like every place I've ever walked into has had garbage backups and redoing it every single time is always so exhausting. How do these people sleep at night? Relatedly, Microsoft Azure Backup Server (renamed System Center Data Protection Manager) sucks.
|
# ? May 22, 2020 17:39 |
|
CPColin posted:It's got everything on it.

Well in that case then you have to protect your servers from things already in your perimeter. Having everything in the same subnet means that you have a lot of different ways systems can be compromised. The justification is pretty sound.

CPColin posted:What the netadmins are asking is fine, it's just the justification that's silly, because anybody who's already gotten through the campus-wide firewall is obviously also going to get through a host-based firewall that has the same rules.

That isn't really true.
|
# ? May 22, 2020 17:41 |
|
Seems like as good a time as any to plug the InfoSec thread. Even if your job isn't "InfoSec," you should be keeping up as someone in the IT field. https://forums.somethingawful.com/showthread.php?threadid=3750534
|
# ? May 22, 2020 17:57 |
|
Internet Explorer posted:Also, I know everyone hates backups and they're never perfect but I absolutely cannot stand awful backup setups. I feel like every place I've ever walked into has had garbage backups and redoing it every single time is always so exhausting. How do these people sleep at night? My dream is that one day Microsoft just buys out Veeam. That would solve so many problems.
|
# ? May 22, 2020 19:47 |
|
Scientist Al Gore posted:My dream is that one day Microsoft just buys out Veeam. That would solve so many problems. I don't think that would solve Veeam's support issues.
|
# ? May 22, 2020 19:52 |
|
The Fool posted:I don't think that would solve Veeam's support issues. What kind of support issues have you had? I haven't worked with them in a while but I thought their products were great and worked. The same cannot be said for other backup solutions.
|
# ? May 22, 2020 21:30 |
|
Interviewing is the absolute worst. Code interviews are the worst. Reverse a string in place. gently caress you. I’ll shell to the os and let it do it. gently caress your rules.
|
# ? May 22, 2020 22:40 |
|
Code interviews are legit garbage. I can't believe anybody actually thinks they're a good enough idea to keep doing them after the first. Mini take home assignments you have a week to do are fine. I'll never do a live code interview again.
|
# ? May 22, 2020 22:48 |
|
Fizz buzz man. You can call it whatever you want but it’s still fizz buzz. I’m over this. I’m just gonna live on the dole and hope Bernie wins somehow.
|
# ? May 22, 2020 23:02 |
|
It's reasonable to expect some level of like, socket programming, for an SRE role where you typically deal with distributed systems or things that talk over a network. You should know that, for example, by default you can't bind to an IP address that isn't configured on your node without setting whatever kernel flag allows nonlocal binds. You should know UDP is connectionless, probably something about nf_conntrack or whatever the Windows version of that is. For someone with k8s on their resume I would expect a cursory explanation of the iptables insanity going on inside your typical k8s cluster, or at least some indicator that the CNI exists. If you have a language on your resume you should know when to use a set/hashmap/whatever vs when to use an array or list, and should be able to demonstrate some basic competency in parsing nested data structures in whatever language. The softball AWS threw at me a while back was writing an extremely simple firewall rule evaluator as a live coding exercise, I thought that was fantastic because it starts off with a bunch of really obvious really bad mistakes you can make, and then you can move on into optimizations like not checking things you've already checked due to subnet masks, and then maybe some sorting bullshit or whatever. Reversing a string is just lazy, and filters for the exact kind of person you don't want to hire into an SRE role unless you really want to hear about someone re-discovering what source NAT does to IP addresses every 3 months, forever.
|
# ? May 22, 2020 23:32 |
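A toy first-match firewall rule evaluator, added here as an example that is not from the thread, not the AWS interview question itself, and not any real product's code. It serves two passages: the CPColin/Sickening/Internet Explorer exchange about whether a host-based firewall adds anything once the perimeter already filters to the building subnet, and the rule-evaluator exercise described in the post above. Addresses, the bastion host (10.20.1.5), the server (10.20.5.10), and the rulesets are constructed. `evaluate()` is the plain first-match loop, `shadowed()` is the "skip what a wider earlier rule already decided" subnet-mask optimization the post mentions, and `evaluate_layered()` runs one packet through perimeter and host rules in turn so that a compromised workstation inside the allowed subnet shows why the host ruleset need not be "the same rules".

```python
"""Toy first-match firewall rule evaluator (constructed example, not product code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule(action: str, src: str, dst: str, proto: str = "any",
         dport: Optional[int] = None) -> Rule:
    """Build a Rule from CIDR strings; use /32 for a single host."""
    return Rule(action, ip_network(src), ip_network(dst), proto, dport)


def matches(r: Rule, p: Packet) -> bool:
    """Every field the rule constrains must match the packet."""
    return (ip_address(p.src) in r.src
            and ip_address(p.dst) in r.dst
            and r.proto in ("any", p.proto)
            and r.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default action.
    The obvious beginner bugs are to keep scanning after a match, or to let a
    later, narrower allow override an earlier deny."""
    for r in rules:
        if matches(r, p):
            return r.action
    return default


def covers(wide: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` also matches `wide`: the subnet-mask
    reasoning that lets you skip re-checking what an earlier rule already decided."""
    return (narrow.src.subnet_of(wide.src)
            and narrow.dst.subnet_of(wide.dst)
            and wide.proto in ("any", narrow.proto)
            and wide.dport in (None, narrow.dport))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them,
    whatever their action; dropping them does not change any evaluation."""
    return [i for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


def evaluate_layered(layers: List[List[Rule]], p: Packet) -> str:
    """Perimeter then host: a packet must be allowed by every layer it crosses."""
    return "allow" if all(evaluate(layer, p) == "allow" for layer in layers) else "deny"


# Constructed sample rulesets: a campus perimeter that admits the whole building
# subnet to the server, and a host firewall on the server that only lets the
# bastion (10.20.1.5) reach SSH while the whole building keeps HTTPS.
SERVER = "10.20.5.10/32"
PERIMETER = [rule("allow", "10.20.0.0/16", SERVER)]
HOST = [
    rule("allow", "10.20.1.5/32", SERVER, "tcp", 22),
    rule("allow", "10.20.0.0/16", SERVER, "tcp", 443),
    rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]
# A ruleset with a dead rule: the /24 port-22 allow sits inside the /16 any-port allow.
SHADOW_DEMO = [
    rule("allow", "10.20.0.0/16", "0.0.0.0/0"),
    rule("allow", "10.20.1.0/24", "0.0.0.0/0", "tcp", 22),
]

if __name__ == "__main__":
    compromised_pc = Packet("10.20.7.33", "10.20.5.10", "tcp", 22)
    print("perimeter:", evaluate(PERIMETER, compromised_pc))                    # allow
    print("host:     ", evaluate(HOST, compromised_pc))                         # deny
    print("layered:  ", evaluate_layered([PERIMETER, HOST], compromised_pc))    # deny
    print("dead rules in SHADOW_DEMO:", shadowed(SHADOW_DEMO))                  # [1]
```

The compromised workstation's SSH attempt clears the perimeter (it is in the building /16) and dies at the host, which is the case the netadmins asked CPColin about; the same workstation still reaches HTTPS, so the host rules are not a copy of the perimeter rules but a narrower set layered under them. `shadowed()` is the optimization the AWS exercise leads into: a rule whose source, destination, protocol and port all sit inside an earlier rule's can be pruned before evaluation.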
|
Unpopular opinion, If you can't writeboard pseudcode, write a small script during an interview with a projector while I'm watching or walk me through how this PowerShell Loop works then I'm going to have a hard time justifying hiring you no matter how great your resume looks.
|
# ? May 23, 2020 00:08 |
|
Scientist Al Gore posted:Unpopular opinion, I have a hard time justifying working for someone who needs to put me on the spot and demand I write code without Google. Also, someone who can't spell whiteboard.
|
# ? May 23, 2020 00:31 |
|
KillHour posted:I have a hard time justifying working for someone who needs to put me on the spot and demand I write code without Google. Also, someone who can't spell whiteboard. I love you
|
# ? May 23, 2020 00:32 |
|
I am literally incapable of writing code without some sort of autocomplete/intellisense
|
# ? May 23, 2020 00:33 |
|
The Fool posted:I am literally incapable of writing code without some sort of autocomplete/intellisense Amen. Like, I can’t even loving spell anymore. Auto complete takes care of all of that for me. Google takes care of the rest. It’s time to live in the future.
|
# ? May 23, 2020 00:36 |
|
In a similar vein, I was very self-conscious about my Powershell abilities because when I need to do reporting I generally just filter left as much as I can and dump poo poo into a CSV so I can manipulate it in Excel but you know what? gently caress it, it's way faster for me so if people don't like it they can gently caress off.
|
# ? May 23, 2020 00:42 |
|
Internet Explorer posted:Also, I know everyone hates backups and they're never perfect but I absolutely cannot stand awful backup setups. I feel like every place I've ever walked into has had garbage backups and redoing it every single time is always so exhausting. How do these people sleep at night? I had to have a come to Jesus meeting with my boss this week after I discovered the state of backups for my team's servers and I'm pretty sure nothing will change unless I decide to become the backup czar and ughhhhhhh I know exactly what you mean.
|
# ? May 23, 2020 00:47 |
|
I forget how to type entirely when somebody is looking over my shoulder for the explicit purpose of judging me. Maybe I'm just bad and actually an unhirable unskilled piece of poo poo but Okta wanted me to do some situation where I made and then pretended a nested dictionary was a database and update some subset of 'records' with a new pattern to simulate a schema update and a few other bullet points. Couldn't do it on the spot as I'm being stared at with a clock in the corner of the screen. I probably could have done it just fine in the expected amount of time if I were doing it on my own. Somebody else wanted me to instrument a prebuilt toy golang webapp with the prometheus library to get timeseries metrics for tracking response times or whatever in a take home project. That I'm fine with. Live coding exercises are extremely dumb. If anybody ever tries to watch me work I'll tell them to stop looking at me so I can actually do it. Methanar fucked around with this message at 01:15 on May 23, 2020 |
# ? May 23, 2020 01:07 |