|
Oops was I supposed to IP restrict phpmyadmin.twitter.com??
|
#
?
Jul 16, 2020 00:38
|
|
|
|
| # ? Apr 18, 2024 09:00 |
|
|
Well that's boring.
|
|
#
?
Jul 16, 2020 00:40
|
|
|
quote:Two former Twitter employees previously abused their access to spy on users for the Saudi regime, according to the Justice Department. 
|
|
#
?
Jul 16, 2020 01:11
|
|
|
When you can do a select * from mytables where userID is like "enemey of the state", there isn't much you can't get away with.
|
|
#
?
Jul 16, 2020 02:05
|
|
|
xtal posted:We should bet on the outcome. Send your stake to the pool at bxysksjcjwwngodbauxivneoeidm I put $50 on it. E: poo poo, shoulda refreshed
|
|
#
?
Jul 16, 2020 03:31
|
|
|
What we all kind of expected https://twitter.com/har00ga/status/1283595146706247681?s=19
|
|
#
?
Jul 16, 2020 03:54
|
|
|
 https://betanews.com/2020/07/15/ufo-vpn-data-leak/
|
|
#
?
Jul 19, 2020 01:29
|
|
|
https://twitter.com/AlexJamesFitz/status/1286485734644482049
|
|
#
?
Jul 24, 2020 03:20
|
|
|
Least privileged access? Not in my social network management
|
|
#
?
Jul 24, 2020 03:23
|
|
|
CommieGIR posted:Least privileged access? Not in my social network management more than one org I have been in ended up giving the most access to the lowest ranking people, due to breadth of their duties and laziness of the implementers. They may not do much with it, but its common for them to have, say, root access so that they can fix user accounts in LDAP just because someone didn't know how to do permissions based on group for the access, or felt it was overkill. I know one fortune 500 company I worked at you had to give up a bunch of access when you got promoted from tier 2(tasked with doing all kinds of crap across the whole org) to tier 3(technical ownership of a silo) so this is likely pretty common.
|
|
#
?
Jul 24, 2020 05:01
|
|
|
Hey let's be fair and real, this poo poo is hard. Fine grained authorization is very difficult problem, not only technically (which is the easy part) but moreso organizationally. It's very hard to keep track of who needs to do what exactly, and to keep that information up to date.
|
|
#
?
Jul 24, 2020 06:49
|
|
|
Good to see nothing was learned from the Uber fiasco where the entire company had (still has?) access to tools that could find and track anybody’s location in real time. And a culture of using it inappropriately and bragging about it. http://valleywag.gawker.com/uber-allegedly-used-god-view-to-stalk-vip-users-as-a-1642197313 and so on
|
|
#
?
Jul 24, 2020 15:47
|
|
|
what do you think RIM/blackberry employees used to do back in the day?
|
|
#
?
Jul 24, 2020 18:09
|
|
|
Bonzo posted:what do you think RIM/blackberry employees used to do back in the day? Drink and pronounce words Canadianish?
|
|
#
?
Jul 24, 2020 18:14
|
|
|
spankmeister posted:Hey let's be fair and real, this poo poo is hard. Fine grained authorization is very difficult problem, not only technically (which is the easy part) but moreso organizationally. It's very hard to keep track of who needs to do what exactly, and to keep that information up to date. Yeah, every single org out there has issues with Least Privilege access, and I guarantee you that every org has lower level employees with elevated rights that they shouldn't have. Twitter, Uber, MS, your own company, etc.
|
|
#
?
Jul 24, 2020 18:22
|
|
|
CLAM DOWN posted:Yeah, every single org out there has issues with Least Privilege access, and I guarantee you that every org has lower level employees with elevated rights that they shouldn't have. Twitter, Uber, MS, your own company, etc. Nope, sorry Clam, my company is perfect in its privilege access. I have access to do and see everything, and everyone else doesn't 
|
|
#
?
Jul 24, 2020 18:24
|
|
|
CLAM DOWN posted:Yeah, every single org out there has issues with Least Privilege access, and I guarantee you that every org has lower level employees with elevated rights that they shouldn't have. Twitter, Uber, MS, your own company, etc. One issue I'm battling now is that our consultants are allowed to log in with a SHARED WINDOWS ACCOUNT so when an undocumented change is added and break poo poo, all we can see this shared account logging into Windows. Of no one at all made the change when questioned. Yes I know it could be audited if I really wanted to but A) it's not my department, not my employees to discipline and B) you can only complain to upper-upper-management so much before you start to become annoying. Bonzo fucked around with this message at 18:34 on Jul 24, 2020 |
|
#
?
Jul 24, 2020 18:32
|
|
|
RFC2324 posted:more than one org I have been in ended up giving the most access to the lowest ranking people, due to breadth of their duties and laziness of the implementers. They may not do much with it, but its common for them to have, say, root access so that they can fix user accounts in LDAP just because someone didn't know how to do permissions based on group for the access, or felt it was overkill. Yeah this is terrifying to me. Its well worth it to get group permissions worked out rather than giving blanket access like that.
|
|
#
?
Jul 24, 2020 18:51
|
|
|
CommieGIR posted:Yeah this is terrifying to me. Its well worth it to get group permissions worked out rather than giving blanket access like that. I work in a Windows shop and I hear "Just add the EVERYONE user and give it full perms" wayyyyyy too often.
|
|
#
?
Jul 24, 2020 18:58
|
|
|
Bonzo posted:I work in a Windows shop and I hear "Just add the EVERYONE user and give it full perms" wayyyyyy too often. send them this Garmin services and production go down after ransomware attack
|
|
#
?
Jul 24, 2020 19:31
|
|
|
Internet Explorer posted:send them this They also lmao, the fishing community appears to be up in arms about this too since they make fishing electronics. Amazing stuff.
|
|
#
?
Jul 24, 2020 19:35
|
|
|
Wonder if that affects the InReach products. I can imagine someone in the backcountry with an emergency situation might be kind of grumpy if their lifeline is unavailable.
|
|
#
?
Jul 24, 2020 19:45
|
|
|
Sir Bobert Fishbone posted:I can imagine someone in the backcountry with an emergency situation might be kind of grumpy if their lifeline is unavailable. Probably not for very long, though?
|
|
#
?
Jul 24, 2020 19:46
|
|
|
Schadenboner posted:Probably not for very long, though? Depends on how much water or urine they have access to
|
|
#
?
Jul 24, 2020 20:41
|
|
|
A talk on Sandworm given by Google's Threat Analysis Group at last year's CYBERWARCON was posted to YouTube today: https://www.youtube.com/watch?v=xoNSbm1aX_w This is the group from Andy Greenberg's book of the same name.
|
|
#
?
Jul 24, 2020 20:41
|
|
|
CommieGIR posted:Least privileged access? Not in my social network management Not anywhere except very specific industries. Every company I've worked at, which includes some of the largest in the world, has let me access or impersonate every customer. One of them had logging, but since I built the logging code, it couldn't stop me very much. Sort of like physical access to a machine is root, developers are always going to be able to access data. You might have hidden it from the internal admin page with access controls. But the developer can still go query the database. Or if they can't, they can ship code changes that result in those queries. It should be assumed that when you host information with a company, everyone at that company has access to all the information. This is why we've been preaching decentralization for the last few decades. The idea that any employee can read all your data is challenging to laypeople. They can either go full FOSS or build up some imaginary scenario about how their data is protected by access controls. Even though those do not exist. The only access control is when you control what you give them. BTW, I also worked for a telco, and those thousands of minimum wage employees can look up the phone call records, change SIMs, of any person they want as well. xtal fucked around with this message at 21:34 on Jul 24, 2020 |
|
#
?
Jul 24, 2020 21:27
|
|
|
Anyone here using Zerotier? Opinions? Toying with alternatives to Wireguard that don't rely on DDNS.
|
|
#
?
Jul 24, 2020 21:49
|
|
|
Checked out tailscale?
|
|
#
?
Jul 24, 2020 22:02
|
|
|
We use zerotier, I do not have to admin it at all, but it seems to work just fine from what I can tell. Our architect evaluated quite a few products prior to implementing which was at least 2 years ago, maybe more and chose it so must not be too bad to deal with. I just use it so I can connect to a TS without using a VPN; I believe we are still at the free tier level.
|
|
#
?
Jul 24, 2020 22:35
|
|
|
Yeah, I'm just giving it a test-run. Works nicely, but the UI is pretty meh.Subjunctive posted:Checked out tailscale? 
Combat Pretzel fucked around with this message at 22:51 on Jul 24, 2020 |
|
#
?
Jul 24, 2020 22:45
|
|
|
CommieGIR posted:Yeah this is terrifying to me. Its well worth it to get group permissions worked out rather than giving blanket access like that. At my old job I had administrator access to Jira, both the software and the server it ran on. Jira had write access to LDAP. Through the Jira group management, I could add any LDAP group to any account, and it would automatically sync back to the controller, essentially granting me admin access to any service which used an LDAP group to grant it, with no trace since I also controlled the machine the logs were on. Services that relied on LDAP: literally all of them. Pretty sure I could've messed with payroll. They're bankrupt now, unrelatedly.
|
|
#
?
Jul 24, 2020 22:59
|
|
|
Combat Pretzel posted:Yeah, I'm just giving it a test-run. Works nicely, but the UI is pretty meh. Make your own network on my.zerotier and pick your own address space. It's self service/self assigend.
|
|
#
?
Jul 24, 2020 23:38
|
|
|
Biowarfare posted:Make your own network on my.zerotier and pick your own address space. It's self service/self assigend.
|
|
#
?
Jul 24, 2020 23:42
|
|
|
I'm grumpy that apple has locked TLS to internet-connected servers listening on TCP with a valid cert chain to a trusted root. Used to be able to use it with low-level read/write callbacks on a non-TCP transport but they say that API is not for use with new apps and should be phased out of existing apps. I just wanted to talk to non-network connected devices that don't speak TCP, and pin their cert with verification during the setup process. https://doc.libsodium.org/secret-key_cryptography/secretstream looks to have better properties for the domain I'm working in (individual messages on a radio network) but secretstream doesn't have great binding support yet so that should be many shades of fun and exciting.
|
|
#
?
Jul 25, 2020 02:31
|
|
|
Daily reminder that it doesn't matter how good your security is. Your staff are always the weakest link. Education, zero trust and trying to get across the point that security is everyone's responsibility. Do the fundamentals right before chucking loads of SaaS solutions at it.
|
|
|
#
?
Jul 25, 2020 08:22
|
|
|
CyberPingu posted:Daily reminder that it doesn't matter how good your security is. Your staff are always the weakest link. Also, that gets the added benefit that huge companies like Amazon don't blame their biggest downtime incident on a single employee, when it's the fault of the entire team including management that it could've happened in the first place. But no, devops gotta devops all over everything.
|
|
#
?
Jul 25, 2020 09:09
|
|
D. Ebdrup posted:Implementing a two-person-rule for every administrative change above a certain threshold, just like banks have had for decades upon decades, whereby any withdrawl above a certain amount has to be confirmed by a separate employee out back. Yep, every branch should require a PR from someone else before it can be merged.
|
|
|
#
?
Jul 25, 2020 09:12
|
|
|
https://twitter.com/ortegaalfredo/status/1286805693526409216?s=21Bonzo posted:I work in a Windows shop and I hear "Just add the EVERYONE user and give it full perms" wayyyyyy too often.
|
|
#
?
Jul 25, 2020 10:52
|
|
|
Combat Pretzel posted:Anyone here using Zerotier? Opinions? Toying with alternatives to Wireguard that don't rely on DDNS. Currently using Zerotier to network all of our compute. I haven't really had a problem beyond learning how to do the initial setup. The biggest annoyance is remembering to prune network entries when we shut down end points so we don't accidentally fill up our allowance of entries.
|
|
#
?
Jul 25, 2020 16:21
|
|
|
|
| # ? Apr 18, 2024 09:00 |
|
|
CommieGIR posted:Yeah this is terrifying to me. Its well worth it to get group permissions worked out rather than giving blanket access like that. To be kinda fair to that f500, quite a few of the systems in place predated the concept of group permission. They had been updated so the systems in question supported it in theory, but refactoring access to take advantage of that just never ended up happening, and eventually it fell back into "it's always been that way"
|
|
#
?
Jul 25, 2020 16:40
|
|